Malice in Wonderland

By Rik Ferguson, solutions architect at Trend Micro.


Johannesburg, 30 Apr 2010

Despite best efforts by enterprises and security vendors, recent news stories and the prevailing opinion of executives I talk with indicate a growing concern over information theft from malicious activity. Is this concern justified?

Data from the threat assessments we have carried out across the globe would certainly seem to indicate that it is. Based on 130 assessments worldwide, 100% of enterprises had active malware infections of which they were not aware, and over 70% of those were bots or information-stealing malware.

It's well-known that the criminal underground is geared up for the theft of valuable corporate and personal information, with form-grabbers, man-in-the-browser attacks, bot and VNC capabilities, automated exploit modules and mature partner delivery platforms. So why aren't the security industry and the enterprise facing up to the challenge effectively?

Criminals smarten up

Securing the enterprise environment is increasingly problematic as the environment becomes ever more fragmented. Increased mobility, a more dynamic application landscape, cloud adoption and social networking all offer valuable opportunities to the enterprising criminal.

Alongside this, IT professionals are struggling to deal with the unending tide of patches required to fend off critical vulnerabilities, particularly those that are actively exploited as soon as, or often before, the patch is made available.

Lewis Carroll was way ahead of his time; I can only think he was talking about patching when he wrote: “Well, in our country,” said Alice, still panting a little, “you'd generally get to somewhere else - if you run very fast for a long time, as we've been doing.”

“A slow sort of country!” said the Queen. “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

Another factor that disadvantages the good guys is that we are mostly obliged to play with an open hand. Common operating environments are a known quantity to criminals, as is the common security and application portfolio.

This means they can focus their efforts on uncovering high-value vulnerabilities that offer the most return on investment. Their own application environment, though, is much more closed, and they can (and do) test their creations against all the known security vendors to make sure they go undetected.

Changing mindset

It's not sufficient to base layered security on the layers in the infrastructure or the layers of user behaviour. When considering security technologies, think about the layers on which modern threats operate: the exposure layer, the vulnerability layer, the infection layer and the execution layer.

Remember that malicious activity is not only inbound: deploy mechanisms that work on the assumption that the protected asset is already compromised, such as technologies that offer out-of-band monitoring and detection of what leaves the network.
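As an added illustration of the "assume compromise, watch the outbound side" point (example code written for this page, not Trend Micro's or any product's logic), the script below takes a constructed sample of outbound-connection records and flags source/destination pairs whose connection intervals are suspiciously regular, which is one common trait of bot check-in traffic. The log format, host names, IP addresses and thresholds are all assumptions made for the example.

```python
"""Beacon-interval detection over outbound-connection logs (illustrative).

The records are constructed for this example and use a hypothetical format:
    <ISO timestamp> <src_ip> -> <dst_host>:<dst_port> <bytes_out>
Nothing here is a real host or a real IoC.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation calls one host every ~5 minutes with
# small payloads, while ordinary browsing and mail traffic is irregular.
SAMPLE_LOG = """\
2010-04-30T09:00:00 10.0.1.23 -> unknown-host.example.test:443 512
2010-04-30T09:00:10 10.0.1.45 -> www.example.test:443 20480
2010-04-30T09:00:40 10.0.1.45 -> www.example.test:443 15360
2010-04-30T09:02:15 10.0.1.23 -> mail.example.test:443 4096
2010-04-30T09:05:02 10.0.1.23 -> unknown-host.example.test:443 508
2010-04-30T09:09:58 10.0.1.23 -> unknown-host.example.test:443 515
2010-04-30T09:12:05 10.0.1.45 -> www.example.test:443 30720
2010-04-30T09:13:00 10.0.1.45 -> www.example.test:443 2048
2010-04-30T09:15:01 10.0.1.23 -> unknown-host.example.test:443 510
2010-04-30T09:19:59 10.0.1.23 -> unknown-host.example.test:443 511
2010-04-30T09:25:00 10.0.1.23 -> unknown-host.example.test:443 509
2010-04-30T09:31:40 10.0.1.23 -> mail.example.test:443 8192
2010-04-30T09:40:00 10.0.1.45 -> www.example.test:443 1024
"""


def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_host, dst_port, bytes_out)."""
    ts, src, _arrow, dst, size = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), int(size)


def find_beacons(log_text, min_events=4, max_cv=0.2):
    """Return {(src_ip, dst_host): stats} for pairs with regular call-home gaps.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a low value means near-constant
    spacing. Thresholds are assumptions chosen for the sample data.
    """
    timestamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _port, _size = parse_line(line)
        timestamps[(src, host)].append(ts)

    flagged = {}
    for pair, stamps in timestamps.items():
        if len(stamps) < min_events:          # too few samples to judge
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                          # all events at the same instant
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {
                "events": len(stamps),
                "mean_interval_s": round(avg),
                "cv": round(cv, 3),
            }
    return flagged


def beaconing_pairs(log_text=SAMPLE_LOG):
    """Sorted list of (src_ip, dst_host) pairs that look like beacons."""
    return sorted(find_beacons(log_text))


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOG).items():
        print(pair, stats)
```

On the constructed sample only the 10.0.1.23 to unknown-host.example.test pair is flagged (six connections about 300 seconds apart); the browsing and mail traffic fails the regularity test or has too few events. In practice this kind of check is one signal among several, run out of band against proxy or flow logs, and tuned per environment rather than with the fixed thresholds used here.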

We need to combat the complacency that sometimes prevails in our industry. The way that things have always been done may no longer be the “right way” to do things. Just because your incumbent security system tells you everything is rosy, it doesn't mean you're clean, as many corporations are discovering to their cost.

* Rik Ferguson is a solutions architect at Trend Micro. He will deliver a talk on “Why in-the-cloud security technologies are the answer” at next month's ITWeb Security Summit, which takes place from 11-13 May at the Sandton Convention Centre.
