The Expert View: Prevention is the Cure
The threat from viruses is lessening, but the danger from phishing and Trojan horses is rising. Monty Ijzerman, Manager of Security Content at McAfee, is part of an elite team of security researchers who identify, assess and evaluate server threats. Ijzerman shares his insight into the evolution of threats and how corporations can effectively protect themselves against blended threats through prevention.
Security Spotlight: What’s on the horizon for network and host attacks and exploits, such as worms, Trojan horses and viruses?
Monty Ijzerman: Viruses are less prevalent, but phishing and Trojan horses with malware are rising. According to the Anti-Phishing Working Group, phishing sites grew 24% from July to December 2004, with more than 1,700 active phishing sites reported in December 2004.
Blended threats using more than one type of exploit have been increasing over the past year. In the past, malware might have been sent via e-mail and launched when a user opens an attachment. Now malware uses more than one vulnerability. If your machine is protected against vulnerability A, the malware then tries vulnerability B and C.
For example, the initial target may be the corporate e-mail server, and once it is compromised, the attack continues. The attacker finds its way into the perimeter, and once there, installs a bot (a remotely controllable tool) that starts to attack machines of different types. So the attacker may go from an e-mail server to a desktop and back to Web servers. The impact to the corporation is that your protection needs to be able to handle blended attacks.
Security Spotlight: Do you expect to see another major zero-day attack in 2005?
Ijzerman: In the past three or four years, one worm using a single vulnerability has spread globally per year. In all likelihood, we will have at least one attack this year.
When these worms came out, the underlying vulnerabilities were known by Microsoft and patches were available. However, if you don’t apply these patches, these worms can spread quite easily.
Security Spotlight: Is it getting any better?
Ijzerman: Customers have been better at protecting themselves against viruses in the second half of 2004. IT organizations are getting better at applying Microsoft patches by synchronizing their internal processes with Microsoft’s Patch-Tuesdays.
An Evolving Threat
Security Spotlight: How is today’s security threat changing? What types of attacks are now most common?
Ijzerman: Spyware, adware and phishing attacks are major. Protecting against phishing requires educating users about the dangers of potentially unwanted programs as well as having good tools to prevent the threat. Some of these scams are very sophisticated. Even a security-aware user may accidentally download unwanted software or be fooled by a scam.
The types of attacks are also changing. Nowadays, most attacks are found in media files like WAV or images like GIF. Recently there was a problem where if you downloaded a playlist in Windows Media Player, it could be an attack. The good news is McAfee® VirusScan® 8.0i will protect your desktops against malware hidden in images or media files.
Attacks in images or media files try to overflow a buffer in memory. If the buffer overflows, the data is written elsewhere in memory, and if an attacker does it the right way, malicious code can be executed. McAfee Entercept® will protect host systems and servers against execution of malicious programs as a result of buffer overflows, and it will see these attacks even if they are zero-day.
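As an added illustration of the buffer overflow Ijzerman describes (example code, not McAfee's or the interview's own), the following C shows a minimal RIFF/WAV-style chunk reader in its defective form, which trusts the size field from the file, beside a hardened form that bounds the declared size against both the destination buffer and the bytes actually present. The chunk layout, the 16-byte buffer and the sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed chunk layout: 4-byte id, 4-byte little-endian size, then payload. */
#define CHUNK_BUF 16

/* Read a 32-bit little-endian size field from the file bytes. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Defective form: the size is taken from the file and never compared with the
 * 16-byte destination, so a crafted size writes past 'out' into adjacent memory. */
int copy_chunk_unchecked(const unsigned char *file, size_t file_len,
                         unsigned char out[CHUNK_BUF]) {
    if (file_len < 8) return -1;
    uint32_t declared = le32(file + 4);
    memcpy(out, file + 8, declared);   /* no bound against CHUNK_BUF or file_len */
    return (int)declared;
}

/* Hardened form: the declared size must fit the destination buffer (or the
 * write overflows) and the remaining file (or the read runs off the end). */
int copy_chunk_checked(const unsigned char *file, size_t file_len,
                       unsigned char out[CHUNK_BUF]) {
    if (file_len < 8) return -1;
    uint32_t declared = le32(file + 4);
    if (declared > CHUNK_BUF) return -2;       /* would overflow destination */
    if (declared > file_len - 8) return -3;    /* truncated file: would over-read */
    memcpy(out, file + 8, declared);
    return (int)declared;
}

/* Constructed sample inputs (not real media files). */
static const unsigned char good_chunk[] = { 'd','a','t','a', 4,0,0,0, 1,2,3,4 };
/* Declares 256 payload bytes while only 4 are present: rejected by the checked form. */
static const unsigned char evil_chunk[] = { 'd','a','t','a', 0,1,0,0, 1,2,3,4 };

/* Runs both inputs through the hardened reader; returns 1 when it behaves as expected. */
int demo(void) {
    unsigned char buf[CHUNK_BUF];
    int ok = copy_chunk_checked(good_chunk, sizeof good_chunk, buf);   /* 4 */
    int bad = copy_chunk_checked(evil_chunk, sizeof evil_chunk, buf);  /* -2 */
    return ok == 4 && bad == -2;
}
```

Host intrusion prevention of the kind described above catches the unchecked path at execution time; the checked form removes the defect at its source.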
Security Spotlight: Who is writing or unleashing the attacks? Are the worm authors different than the adware and spyware writers?
Ijzerman: Only the Sasser and Blaster worm writers were caught. Most virus writers remain unknown. There is almost no reporting on organized cyber-crime. The spyware and adware writers are more financially motivated.
With spyware and adware, they install software onto your desktop system that you may or may not want. This is potentially unwanted software. Sometimes you are presented with a pop-up box out of the blue asking, "Are you OK with installing this software?" If you make a mistake and click "OK," it means you consent to installing this software. That’s not illegal.
Other spyware and adware companies install software stealthily. There are tricks to combining the vulnerabilities in Microsoft Internet Explorer to move software to your machine. It becomes spyware when you have not given your consent. Spyware can be harmless like pop-up ads or harmful if it tries to harvest credit card numbers.
To protect yourself, you should run anti-spyware software like McAfee AntiSpyware. McAfee AntiSpyware will detect and eliminate applications like key loggers, remote-control programs and browser hijackers that can be used for identity theft. It also stops adware programs that trigger those annoying pop-ups and drain your system's resources.
A Porous Perimeter
Security Spotlight: Is a multi-layer defense sufficient against these attacks? How does protecting information assets change as the notion of a corporate network perimeter loses its meaning?
Ijzerman: The corporate network perimeter as it was ten years ago no longer exists. People plug in their laptops at home or at airport kiosks and then bring them back into the company and the perimeter can be breached. It means a multi-layer defense system becomes more important than just relying on a firewall and anti-virus solution.
Protection by blocking attacks is most important. Blocking attacks can be done using network intrusion prevention systems like McAfee IntruShield® or host intrusion prevention systems like McAfee Entercept. If companies use IntruShield, malicious traffic will be intercepted and blocked at the network. If an attack reaches past the network and tries to do something on the server or if an attack is launched locally, Entercept will block the attack.
Corporate IT departments should scan their systems for vulnerabilities. IT managers should know their own network and what applications their servers and desktops run. They should make sure their systems are patched. McAfee Foundstone is one of the best solutions to do this. Foundstone enables IT managers to continuously measure and actively protect their valued corporate assets, allowing them to focus their limited resources on protecting what matters most.
Companies should strongly enforce usage policies for computers. Make sure your employees are safe when surfing the Internet. Here at McAfee, if I go to a shady Web site, the company policy will block me. Nor can I install software on my corporate machine.
Companies also need an incident response process so they can contain a problem and get rid of it in a safe and organized manner.
Security Spotlight: What solutions can corporations adopt to protect their networks and systems?
Ijzerman: The best strategy is to have a multi-layer defense and to block attacks when they occur. Choose a vendor that offers a comprehensive security solution, from anti-virus and anti-spyware software to network and host intrusion prevention systems. It’s really difficult to have many different vendors’ products and be sure you are protected.