InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2010
Cover Story
Malware Threat Management:
Identifying Critical Challenges

As the nature of malware attacks changes almost hourly, managing the threats they pose has become a multi-layered and complicated task. In this article, industry experts share their opinions and expertise on addressing this growing problem.

Malware is a serious business threat. Recent years have seen major shifts in malware and spam. As security solutions develop, cybercriminals keep inventing ways to circumvent the protection of information systems: older propagation methods are abandoned and new, more sophisticated ones take their place. One example is the shift of malware propagation from e-mail to web-based scams. Once mail-security products made malicious attachments easy to detect and strip, sending malware directly by e-mail became highly inefficient, so cybercriminals started to use e-mail differently. Instead of pushing malicious code straight into the mailbox, a malicious e-mail now serves as one part of a larger scam. The role of e-mail has changed from malware carrier to malware bait, luring the user to an infected website.

Evolution of Malware

Few people seem to remember the first decade or so of viruses, when they spread as people exchanged games and pirated software on 5¼" and later 3½" floppy disks. Viruses did not spread as quickly as they do today, but they still made their way around the world.

The mechanism was relatively simple: the virus sat in the boot sector of an infected floppy and was activated when a machine was booted from that disk. It then copied itself to the boot sector (or master boot record) of the system's hard drive, and from then on any floppy inserted into the computer was infected in turn. Viruses of that era were primarily destructive, corrupting hard drives and deleting data.

As connectivity increased, floppy drives became obsolete and malware moved to the Internet. Removable media did not disappear, however: USB storage overcame the capacity and read/write limitations of floppies and became a viable data-transfer method, and therefore an infection vector, in its own right. In the past, malware was feared mostly for its destructive behaviour, such as erasing important data or breaking computers. In the era of permanent Internet connectivity, cybercriminals have made two observations on which they build their current strategy. First, while destruction may serve certain rogue ends, it is far more profitable to keep computers under control than to shut them down. Second, to stop users from breaking that control, malware activity must stay hidden for as long as possible. The result is millions of infected computers worldwide, used occasionally for criminal activity, whose owners have no idea their machines are compromised. These large networks of infected computers, called botnets, keep serving their legitimate users while waiting for instructions from the criminals.

Much like malware itself, anti-malware software first focused on preventing PC infections from floppy disks. As the threat moved from the physical transfer of storage devices to the Internet, anti-malware in the corporate environment moved to server- and perimeter-based platforms. Many organizations kept PC-based protection, but it is clearly not as widely deployed as it should be.

Targeted attacks are among the most damaging threats today. Unlike phishing and spam, which are sent out in huge volumes, targeted attacks are aimed at specific companies and individuals and therefore use relatively small volumes of e-mail. One of the latest developments Symantec experts note is the growing prominence of rogue security software: an "anti-malware" product pushed as legitimate software that is in most cases malware itself, sometimes installing Trojans or spyware components. Many ready-made threats are in reality a conglomeration of components from other, more established malware; Dozer, for example, contained components from MyDoom and Mytob. This trend has also made malware more disposable, with a threat sometimes vanishing within 24 hours of its emergence.

There are a number of drivers for change in the malware problem domain. First and most significant is that malware is now driven by well-funded, intelligent criminal gangs. Malware authors trade in an illicit economy and take advantage of the latest technology trends: as a criminal, you can go to a SaaS-style malware site, have your targeted malware tested against vendors' scanners and receive tips on how to improve its chances of success. With such investment, the quality and range of attacks is increasing drastically. Sophos experts see over 60,000 malware samples every day, so a small number of days now yields more malware than the whole of the previous year. The focus of modern malware on stealing confidential data is also noteworthy. Essentially, malware authors and hackers have joined forces, and the result is a highly targeted, data-theft-focused and agile threat. Many people may not be aware of it, but everything has changed over the past year, and the impact on how threat protection is delivered is vast.

Cybercriminals are driven by money, and money is found where there is a large monoculture or where applications hold a lot of valuable data. Today that means PCs and Macs are the main targets, but shifts in the technology industry, coupled with business and consumer adoption, mean the targets are changing. Trend Micro experts believe that mobile devices such as smartphones and the public/private cloud will become greater targets for cybercrime. Over the past few years the threat landscape has shifted: there are no longer global outbreaks of the kind seen with Slammer or CodeRed.

ESET experts believe malware has evolved in five major areas: bots, rogue security software, generic spyware, targeted malware, and attacks on mobile phones and smartphones. Browsers remain a top target for vulnerability exploitation.

Emerging operating systems and popular platforms such as smartphones will attract increasing attacks. We can expect malware attacks on Windows 7, and as the number of users of Linux, Mac OS and Google's Chrome OS grows, malware authors will look for ways to exploit those systems with targeted attacks.

Half of smartphone users already browse the web from their device for at least 45 minutes a day, and the number of smartphone users is growing at a phenomenal rate. Smartphones are becoming ubiquitous and, as more services involving financial transactions become available on handsets, vulnerabilities in smartphone operating systems are sure to be exploited.

Managing Threats – A Real Challenge

"Do the basics and keep it simple. Don't try to define a mass of complex rules on top of weak foundations."

James Lyne, Senior Technologist, Sophos, UK

With the emergence of sophisticated, multi-directional malware, managing malware threats has become a critical and mammoth challenge for today's IT heads. The technology countermeasures and procedures required for modern enterprise security have expanded significantly over the past couple of years. Most enterprises work with fixed resources, or even diminishing budgets, yet the business expects them to be more secure, comply with regulations and embrace new technologies. There is also a wealth of hyped solutions being assessed by the market at the moment, acting as a black hole for key resources and investment. Enterprises cannot afford to layer additional controls on top of struggling foundations. According to James Lyne, Senior Technologist, Sophos, UK, there has to be a drive for simplicity, and operational requirements must be modernized to deal with the modern threat. The legacy approach to security is visibly not tenable for today's enterprises. Educating the market and changing long-held concepts is not trivial, however; every enterprise needs to think carefully about the failings of its present systems.

“Businesses now need proactive endpoint security that can protect against zero-day attacks and unknown threats.”

Shantanu Ghosh, VP, India Product operations, Symantec

Increase in malware-bearing spam: organizations previously thought of spam as an annoyance rather than a danger. Between September and October 2009, however, more than 2 percent of spam e-mails on average carried attached malware, a nine-fold increase in the number of spam messages actually containing malware. There has also been a surge in bot networks, which are quickly becoming the foundation of cybercrime. Shantanu Ghosh, VP, India Product Operations, Symantec, says, "We observed that the majority of today's malware contains a bot command and control channel. In 2009, we even saw botnet designers expand their forte by using social networking sites as communication channels."

Information systems in general are becoming more and more complex, and where complexity grows, so does the potential for nefarious activity. For example, it is not very hard to shut down a freshly started website hosting tons of malware. The infection of a legitimate website that has served for years, on the other hand, can become a serious problem: cleaning malicious code out of the system without affecting the website's normal operation is a task that can take months. The number of vital websites that simply cannot be shut down is increasing; think of Internet banking, for example.

“If an organization wants to manage its security well, it needs to promulgate and enforce security protocols.”

Jakub Truschka, Marketing Specialist, TrustPort

With the ever-growing use of portable devices and communications, sensitive company data is more often transmitted through unsecured channels and stored on unsecured memory media. People have their habits and very seldom change them; it is very hard to make them change, even when they know about the risks resulting from their behaviour. Most people think about security only after a serious incident occurs. To stay safe from malware, a modern company has to cover all the devices and technologies its people use, and that is not an easy task.

For at least a couple of years to come, however, the main working tool remains the personal computer. Jakub Truschka, Marketing Specialist, TrustPort, believes that in a network with a multitude of workstations it becomes extremely hard to manage security software on all of them and keep the antivirus updated and running. That is why antivirus producers develop management consoles that allow every computer to be supervised from a single application. In practice these consoles may encounter many obstacles that hinder their smooth operation, but they are one direction in which security management may become easier for companies.

“Businesses should observe the following precautions to avoid new threats and ensure a safer computing experience for all network users.”

Abhinav Karnwal, Product Marketing Manager — APEC, Trend Micro

In addition, Abhinav Karnwal, Product Marketing Manager, APEC, Trend Micro, believes that with the growing popularity of cloud computing and virtualization among companies, the industry fully expects cybercriminals to find new methods of increasing their profit margins. As more people from different countries gain access to the Internet, more and more non-English content is pushed online, and this use of multiple languages increases the potential "market" for malware.

Cybercriminals use a variety of techniques to penetrate systems. The volume of malicious programs, spam e-mails and infected web pages increases daily. Most organizations do not have well-managed IT security applications, or have unsecured management systems, and these are the primary targets of cybercriminals.

Amit Misra, Country Head, ESET India, ESS Software Distribution & Consulting (P) Ltd, also believes that the rise of cloud-based services will inevitably make a user's choice of operating system less relevant to attackers. Cloud computing undoubtedly brings many benefits, but education and awareness of the associated risks are also necessary: data in the cloud may be unprotected, insecure and, often, unrecoverable. With more sensitive data stored on the Internet, and the rise of attacks that spread entirely via the Internet without touching the user's desktop computer, there is the potential for more serious breaches and for more information to be stolen more rapidly than ever before.

"Social engineering will continue to play a big role on the Web in the propagation of threats."

Amit Misra, Country Head, ESET India, ESS Software Distribution & Consulting (P) Ltd

Last but not least, careless and untrained employees are duped by social-engineering attacks, and this is one of the main reasons organizations find it difficult to manage malware threats.

New devices and the growing problem

Besides the other reasons this is a growing challenge, the emergence of new devices is definitely an added one. As workforces grow, organizations need to be better equipped to secure numerous new endpoints, many of which are now mobile. According to an IDC study, the worldwide mobile workforce will reach 1 billion by 2011, with Asia Pacific contributing the largest share. Add to that the growth in the endpoints themselves, whether laptops or smartphones.

More than twenty years after the first Internet worm, the web has become the primary way of attacking a vulnerable system. A case in point was the Downadup/Conficker worm, which infected thousands of computers in India during the initial stages of the outbreak. Endpoint security is more than safeguarding systems against worms and viruses, however. Enterprises today need to augment traditional antivirus and antispyware with network threat protection that combines intrusion prevention with control over network communications, and to deploy proactive threat protection that guards against unknown and zero-day threats.

New devices, especially portable ones, are responsible for a significant part of the new security troubles. But it is more the evolution of malware itself that makes protection complicated. Under the traditional approach, all an antivirus had to do was collect samples of malware and scan data for those samples' signatures. With the arrival of polymorphism, which produces countless variants of the same basic malware, signature databases grew to enormous sizes. Antivirus producers therefore added a new set of methods, called heuristics, which detect malware by analysing the structure and behaviour of executable code. The drawback of these methods is their consumption of computer performance.
 
According to Jakub Truschka, security management is a constant choice between performance and security: the stricter the security protocols, the slower the operations, and the faster we want operations to be, the looser security will be. This balancing act can be a serious challenge. Furthermore, new cybercrime methods are slowly surpassing even heuristic protection, and new targeted attacks call for new security protocols. It is shocking to realize that critical business communications still use unsecured channels; the penetration of electronic signing and strong encryption is far below current security needs.
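The two paragraphs above contrast signature scanning, which polymorphism defeats by sheer variant count, with heuristics that inspect the structure of the code and cost more CPU. The following is an added example, written for this page and not taken from the article or from any vendor's engine, that makes the difference concrete on a toy. The "payload" is constructed plain text standing in for a malicious program, and the "packer" is an assumed single-byte XOR behind a fixed stub marker, a deliberately simple stand-in for a real polymorphic engine:

```python
"""Why a whole-file hash signature misses a polymorphic variant while a
structural heuristic that recognises and undoes the packer still catches it.
Constructed example; the payload is text, not real code."""
import hashlib

# Constructed stand-in for a malicious payload.
PAYLOAD = (b"CONNECT irc.c2.invalid:6667\n"
           b"DOWNLOAD http://drop.invalid/stage2.bin\n"
           b"RUN stage2.bin\n")

# Assumed marker that our toy "decoder stub" always starts with.
STUB = b"XORSTUB"

# Behaviours the heuristic looks for once the body is decoded (constructed).
SUSPICIOUS = {
    b"CONNECT ": "outbound C2 connection",
    b"DOWNLOAD ": "downloads a further stage",
    b"RUN ": "executes a downloaded file",
}


def pack(payload: bytes, key: int) -> bytes:
    """Produce one polymorphic variant: stub marker, key byte, XOR-encoded body."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes):
    """Recognise the stub and recover the body; None if the structure is absent."""
    if len(sample) <= len(STUB) or not sample.startswith(STUB):
        return None
    key = sample[len(STUB)]
    return bytes(b ^ key for b in sample[len(STUB) + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(sample: bytes, known_hashes: set) -> bool:
    """Traditional approach: match the whole file against known-bad hashes."""
    return sha256(sample) in known_hashes


def heuristic_scan(sample: bytes) -> list:
    """Structural heuristic: spot the self-decoding stub, emulate the decode,
    then look for suspicious behaviour in the decoded body. This costs a pass
    over every candidate file, which is the performance price the text mentions."""
    findings = []
    body = unpack(sample)
    if body is None:
        return findings
    findings.append("self-decoding stub present")
    for marker, description in SUSPICIOUS.items():
        if marker in body:
            findings.append(description)
    return findings


def variant_hashes() -> set:
    """One signature per key: 256 database entries for a single family."""
    return {sha256(pack(PAYLOAD, k)) for k in range(256)}


def compare(known_key: int = 0x5A, new_key: int = 0xA7) -> dict:
    """Build the database from one captured variant, then test a fresh one."""
    known = pack(PAYLOAD, known_key)
    variant = pack(PAYLOAD, new_key)
    database = {sha256(known)}
    return {
        "known_by_signature": signature_scan(known, database),
        "variant_by_signature": signature_scan(variant, database),
        "variant_by_heuristic": heuristic_scan(variant),
        "signatures_needed_for_family": len(variant_hashes()),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Running it shows the captured variant matched by hash, the re-keyed variant missed by hash but flagged by the heuristic, and 256 signatures needed to cover even this one-byte packer exhaustively. A real polymorphic engine varies far more than one byte, which is why the database growth the text describes was unsustainable.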

The threat is drastically increasing on the platforms already targeted, while other platforms are coming under more attack than before. Macintosh systems and mobile devices are receiving particular attention at the moment, with the realization that they too are a good source of confidential information (and that they tend to be less protected in most enterprises). The devices and applications used in IT are evolving unbelievably quickly, and the attackers are right on top of those changes. What is needed is a solution that combines the essential security technologies into a single agent, delivering endpoint protection with simplified management and a lower total cost of ownership.

People or Process or Technology – Who is at Fault?

As organizations continually increase their dependence on IT systems to conduct business, mitigating IT risks such as malware has become a top priority. But effectively managing IT risk is no longer a matter of addressing technology alone; it is about integrating people, processes and technology. Symantec experts believe that the effectiveness of even the best technology and processes is frequently undermined if employees do not understand both the value of the organization's information assets and their role in securing them.

With so many security threats on the horizon, it is comforting to know that the strongest security asset is already inside the company. Successfully protecting information assets requires employees at every level, from the top down, to obtain a basic understanding of the security risks, the policies and technologies implemented to mitigate those risks, and their own responsibilities in protecting the company's assets.

When it comes to managing IT risk and creating a highly reliable organization, one that has zero IT failures, technology plays a crucial role, but so do people. An IDC study showed that well-trained teams were twice as likely to protect their PCs properly from security threats and 60 percent more likely to complete backup jobs successfully. This shows that, while processes for routine events are critical and help ensure mistakes don't happen, it is people who ensure the right things happen.

According to Sophos, it varies from business to business, but frequently it is the process for security decision-making that is at fault. There are innumerable security products and controls available, and the people working to secure enterprises are often extremely committed, but they are doomed to fail when tasked with writing complex rules and knitting together disjointed security products. The CISO needs a risk-assessment methodology for security decision-making, and should challenge key vendors to reduce the hard resource investment so that it can be redirected to support new business activities.

In a funny way, the worst security incidents remain at the same basic level: they result from ignorance and irresponsibility. It has been known for years that a laptop not protected with a password is a top security risk, yet a significant percentage of users remain oblivious to this. It has been known for years that an e-mail cannot be trusted unless it is electronically signed, yet unsuspecting people open phishing e-mails and whatever links or attachments they contain, believing the message came from someone they know. If an organization wants to manage its security well, it needs to promulgate and enforce security protocols. TrustPort experts believe the only way to succeed is to explain persistently to users why a given protocol is more than a pain in the neck and what its function is, and that is exactly where most organizations will be challenged.

Understanding Solutions

With the rise of polymorphic threats and the explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus, both file signatures and heuristic/behavioural detection, are not enough to protect against today's threats. We have reached an inflection point where new malicious programs are being created at a higher rate than legitimate ones. It no longer makes sense to focus solely on analysing malware; approaches that consider all software files, such as reputation-based security, will become key in 2010.

Protecting the business requires educating employees in safe cyber-security practices. A comprehensive set of IT usage guidelines focused on preventing and resolving cyber threats will be helpful in the long run.

To reduce risk, web usage must be screened by quality web-protection technology that can detect malware on hacked websites and respond rapidly to newly emerging malicious domains and URLs. Those tempted to circumvent the protection should be educated about its value and prevented from reaching proxies and other bypass systems. Despite education about safe web practices, some users will always try to find ways around filters, so access to proxies should be monitored and controlled as carefully as access to malicious or inappropriate sites.
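The paragraph above asks for a web screen that blocks malicious domains and also catches the proxies users reach for to get around it. The following is an added example written for this page, not a vendor product and not code from the article. It blocks listed domains and their subdomains, blocks known anonymising proxies, and flags two bypass patterns: a raw IP address in place of a host name, and a full URL nested in the query string, which is how CGI-style web proxies and open redirectors are driven. The domain lists and URLs are constructed (.invalid and .example names); a real gateway would feed them from a threat-intelligence source:

```python
"""A minimal URL screen: listed domains, known proxies, and two bypass
patterns (raw IP hosts and nested URLs). Constructed lists and requests."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

BLOCKED_DOMAINS = {"malware.invalid", "drop.invalid"}      # constructed list
PROXY_DOMAINS = {"freeproxy.invalid", "anonsurf.invalid"}  # constructed list


def host_of(url: str):
    """Return (lower-cased host without trailing dot, urlsplit result)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts


def matches(host: str, domains: set) -> bool:
    """True if host is a listed domain or a subdomain of one
    (www.malware.invalid matches malware.invalid; notmalware.invalid does not)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen(url: str, blocked=BLOCKED_DOMAINS, proxies=PROXY_DOMAINS):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    host, parts = host_of(url)
    if not host:
        return "review", "no host name could be parsed"
    if matches(host, blocked):
        return "block", f"listed malicious domain: {host}"
    if matches(host, proxies):
        return "block", f"known anonymising proxy: {host}"
    if is_ip_literal(host):
        return "review", f"raw IP address used as host: {host}"
    # A full URL inside the query string is the signature of a web proxy
    # or open redirector; check its target against the same lists.
    for values in parse_qs(parts.query).values():
        for value in values:
            if "://" in value:
                inner, _ = host_of(value)
                if matches(inner, blocked):
                    return "block", f"nested URL to {inner} via {host}"
                return "review", f"nested URL to {inner} via {host} (possible proxy/redirect)"
    return "allow", host


# Constructed requests of the kind a proxy or gateway log would contain.
SAMPLE_REQUESTS = [
    "https://cdn.example/lib.js",
    "http://www.malware.invalid/update.exe",
    "http://notmalware.invalid/",
    "http://203.0.113.5/dl",
    "http://freeproxy.invalid/browse.php?u=http%3A%2F%2Fwww.example%2F",
    "http://go.example/redirect?url=http://www.malware.invalid/x",
    "http://go.example/redirect?url=http://www.example/",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, reason = screen(req)
        print(f"{verdict:6} {req}  [{reason}]")
```

The suffix match in matches() is what keeps a blocklist useful against attackers who rotate subdomains, and the nested-URL check is what catches a user bouncing a blocked destination through a redirector that is not itself listed. The "review" verdicts are deliberately not blocks: raw-IP and redirector traffic has legitimate uses, and this is where the monitoring the text asks for belongs.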

End users are advised to secure their computers with up-to-date security software and to stay aware of the types of threats they may encounter online. Check bank, credit and debit card statements regularly to ensure all transactions are legitimate. Beware of unexpected or strange-looking e-mails and instant messages (IMs), regardless of sender. Regular reading of security blogs will help you stay ahead.

Endpoint protection is an effective multi-layered answer to today's evolving threat landscape. Symantec's endpoint security solutions, for example, contain proactive technologies intended to protect customers from today's threats and tomorrow's emerging ones.

Although antivirus, antispyware and other signature-based protection were sufficient to protect organizations in the past, businesses now need proactive endpoint security that can protect against zero-day attacks and unknown threats. They also need to take a structured approach to endpoint security, implementing a comprehensive solution that protects from threats on all levels and provides interoperability, seamless implementation and centralized management.

A newer, more holistic approach to endpoint protection combines the essential technologies to deliver a higher level of protection against known and unknown threats, including viruses, worms, Trojans, spyware, adware, rootkits and zero-day attacks. If an endpoint is infected, security products repair the damage by disinfecting or quarantining the system, and remediation is completed by deploying the necessary patch.

It takes multiple solutions to fully protect endpoint systems and data from cradle to grave. An integrated approach that combines management, security and recovery provides organizations with visibility into and control of an entire endpoint environment and can help eliminate exposure to security and compliance risks.

Where is it heading?

Cybercriminals will invent more brazen schemes to extort money from users and organizations. Botnets will grow, with a preference for peer-to-peer (P2P) architectures, which are harder to take down. Social engineering (manipulating people into performing certain acts or divulging information) will continue to play a big role in the propagation of threats on the web. USB devices, while offering the convenience of quick connectivity, will be responsible for the spread of autorun malware within networks. Cybercriminals will continue to abuse Internet-browsing behaviours, platforms and technologies, finding new and better ways to deliver their payloads. Scripts will in most cases replace binaries in web attacks; the use of scripts both in the first stage of infection and in the execution of malicious routines has been observed in recent web attacks and is bound to continue, if not prevail.
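The autorun malware mentioned above rides on an autorun.inf file at the root of the removable drive, and that file is the cheapest thing an incident responder can triage. The following is an added example written for this page, not code from the article or from any vendor. It parses an autorun.inf tolerantly (these files are often padded with junk lines and odd casing), reports which keys cause execution on insertion or on double-click, and flags the masquerading tricks typical of this class of worm: a folder icon borrowed from shell32.dll, an "Open folder to view files" action that mimics the Windows prompt, an executable tucked under a recycle-bin directory, double extensions and script launchers. Both sample files are constructed, not captured:

```python
"""Triage of an autorun.inf from removable media. Constructed samples."""
import re

EXEC_KEYS = ("open", "shellexecute")
EXEC_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
RISKY_EXT = {".vbs", ".js", ".bat", ".cmd", ".pif", ".scr", ".com"}
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text: str) -> dict:
    """Tolerant INI parse: {section: [(key, value), ...]}. Junk lines are
    skipped; section and key names are lower-cased, as Windows treats them
    case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def exe_name(command: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command.split() else ""


def analyse(text: str):
    """Return (verdict, findings). verdict is 'clean' (nothing executes),
    'review' (something executes but no other indicator) or 'suspicious'."""
    entries = parse_autorun(text).get("autorun", [])
    findings, executes = [], 0
    for key, value in entries:
        if key in EXEC_KEYS or EXEC_KEY_RE.match(key):
            executes += 1
            findings.append(f"autorun-execute:{key}={value}")
            target = exe_name(value).lower().replace("/", "\\")
            if any(h in target for h in HIDDEN_DIRS):
                findings.append(f"hidden-path:{target}")
            base = target.rsplit("\\", 1)[-1]
            parts = base.split(".")
            if len(parts) > 2:
                findings.append(f"double-extension:{base}")
            if "." + parts[-1] in RISKY_EXT:
                findings.append(f"script-or-batch:{base}")
        elif key == "action" and re.search(r"open folder|view files", value, re.I):
            findings.append(f"masquerade-action:{value}")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"masquerade-icon:{value}")
    if executes == 0:
        verdict = "clean"
    elif len(findings) > executes:
        verdict = "suspicious"
    else:
        verdict = "review"
    return verdict, findings


# Constructed: the shape of a worm's autorun.inf (junk comment, folder icon,
# fake Explorer prompt, binary hidden in a recycle-bin style directory).
MALICIOUS_SAMPLE = r"""
[AutoRun]
;jkdlsfjiowe oqweiu (junk line typical of obfuscated files)
open=RECYCLER\S-1-5-21-1234567890-1111111111-2222222222-1000\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-1234567890-1111111111-2222222222-1000\setup.exe
UseAutoPlay=1
"""

# Constructed: what a legitimate product CD's autorun.inf looks like.
BENIGN_SAMPLE = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", MALICIOUS_SAMPLE), ("product CD", BENIGN_SAMPLE)):
        verdict, findings = analyse(sample)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  ", finding)
```

The product-CD file also executes something on insertion, so it comes back as "review" rather than "clean"; the point of the scoring is that execution alone is normal for installer media, while execution combined with an Explorer-style disguise or a hidden binary is not. Disabling AutoRun on workstations, which the text's warning implies, removes the insertion trigger but not the double-click one, so the shell\...\command keys are still worth reporting.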

In addition, Amit Misra, ESET, believes that malvertisements will continue to be a grave threat to both users and legitimate advertisers, and that cybercriminals may make the tainted advertisements look more like mainstream content. In the near future, the issues associated with cloud computing will include criminals manipulating the connection to the cloud, attacking the cloud itself, and data breaches at cloud vendors.

According to James Lyne, malware authors will likely focus more on new technology platforms such as web applications and social media. The attackers will ultimately aim where they can find an audience to social-engineer and where confidential data can be found. Combined with consumerisation and other business trends, this makes it likely that we will see a proliferation of devices that need protecting. Expect mobiles and alternative platforms to be targeted more as they become a replacement for (or at least an equal of) the corporate laptop. Equally, as the threat grows in numbers and velocity, the weaknesses in traditional security technology are likely to be more exposed. The industry has to move beyond content-based security and make more coherent use of reputation and behaviour as a protection strategy.

Jakub Truschka expects further development of security technologies that were formerly marginalized, such as intrusion detection systems. Security solutions will become more comprehensive, featuring a wider scope of functionality while aiming for simplicity in the user interface. Much development is still needed in central management systems that look after security software across whole networks.

In 2010 and beyond, a continuing concern will be the stability and security of the global routing infrastructure. Cybercriminals will continue to increase the speed and efficiency with which they develop and hone new attacks; in short, they will use Internet and malware attacks to gain commercial, political and economic advantage.

—By: 'InfoSecurity' Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.