Blended Threats
In the next of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Blended Threats.
The Problem
Information security is very much like warfare. Defensive weapons evolve to deal with the new offensive weapons, which have evolved to deal with the previously successful defensive weapons. Defensive weapons are, by definition, designed to defend against known – or imagined – threats. Sometimes, like France’s Maginot line, they are kept in place long after they are no longer any use, defending against threats that are no longer there. The point is
- A new offensive weapon will have the edge until an effective defence is deployed, and
- As soon as (if not sooner than) an effective defence is deployed, new methods of attack will be developed.
Anti-virus software is defensive software. It deals very effectively with known threats, but only once they are known about – that’s why you need to download new virus definitions every day. As virus writers have got trickier, so AV software has evolved: ‘heuristic’ AV software looks for the characteristic behaviour and structure of viruses and tries to stop a new one before a signature for it has even been written, let alone downloaded. Most reputable AV software these days has a heuristic capability, but heuristics catch some unknown threats, not all of them, so they supplement signatures rather than replace them.
Organized online criminals have two simple objectives:
- Theft of your data/use of your data to steal your money;
- Use of your computer/network in a ‘botnet’/as a ‘zombie’ to attack and blackmail legitimate web businesses.
Hackers, virus writers and spammers have joined forces in order to do this better. Today’s ‘blended threats’ combine the most effective components of worms, Trojans and key loggers: they usually carry more than one payload (so the same threat can launch a denial-of-service attack, install a Trojan or install a key logger), they spread in a number of ways (via email, Instant Messages, file sharing, etc), and they use multiple attack methods (including infecting files, modifying registry keys so they run at every start-up, etc).
The Risks
A blended threat could not only evade whatever defences you currently have in place, it could evolve and change once it is inside your system, destroying and stealing information as it spreads and then moves on to attack other systems. If your defences are inadequate to prevent the attack, they will almost certainly be inadequate to catch it before it has severely compromised your systems and your information.
The Impacts
Loss of bandwidth, loss of customer service capability and workforce downtime (sometimes spread over several days) are all standard results of a worm attack. The costs to victim organizations, usually indirect, can be substantial. Loss of proprietary information, covert (and malicious) remote access to or control of your computer system, and theft of confidential data, such as passwords, can all lead to financially significant damages.
What do we do about it?
You need a layered defence to deal with blended threats. The essential components of such a defence are to have, at both the network and the individual machine level:
- A first class firewall, kept up to date, and configured for minimal Internet passage;
- An anti-virus software package that includes heuristic detection and that has daily updates;
- Anti-spam filters that are configured to deal with the changing nature of spam;
- An always-on antispyware application;
- Automated vulnerability management (all SANS Top 20 vulnerabilities patched and automatic patching of new vulnerabilities, including all Microsoft patches and Service Pack 2), and
- An update service that warns you of the appearance of new blended threats so you can take appropriate action.
Anything else?
Make sure you have a clear policy on downloading software (shareware, freeware, etc), and that all your users know they shouldn’t download or execute files that they did not ask for or that they have any reason to doubt – particularly files with an executable extension such as .exe, and files that hide one behind a harmless-looking name, such as invoice.pdf.exe.
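The ‘don’t run doubtful executables’ rule is harder to apply mechanically than it sounds, because an .exe is not the only file type Windows will run, and attackers dress executables up as documents. The following is an added example, not code from this article: a small filename policy check of the kind a mail gateway or download proxy could apply before a user ever sees the attachment. The extension lists and the sample filenames are constructed for illustration and should be tuned to your own policy; the check handles double extensions (invoice.pdf.exe), mixed case, trailing dots and spaces, and right-to-left override characters that make “report‮fdp.exe” render as “reportexe.pdf” in some clients.

```python
"""Filename policy check for downloads and attachments.

Added example, not part of Alan Calder's article. The extension lists and
sample names below are constructed for illustration; adjust to local policy.
"""
import unicodedata
from dataclasses import dataclass

# Windows file types that run code when double-clicked: .exe is only one of them.
EXECUTABLE_EXTENSIONS = frozenset({
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "reg", "lnk", "ps1",
})

# Macro-capable Office formats: flag for review rather than block outright.
MACRO_EXTENSIONS = frozenset({"doc", "xls", "docm", "xlsm", "pptm"})

# Extensions users read as "harmless document"; attackers put one of these in
# front of the real extension, e.g. "invoice.pdf.exe".
DECOY_EXTENSIONS = frozenset({
    "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip",
})


@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str   # "block", "review" or "allow"
    reason: str


def normalise(name: str) -> str:
    """Undo the tricks that make an extension look like something else."""
    # Fold look-alike forms (e.g. fullwidth full stop) to their ASCII equivalents.
    name = unicodedata.normalize("NFKC", name)
    # Drop format characters such as U+202E (right-to-left override), which
    # reverse how the tail of the name is displayed without changing the file.
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Trailing dots and spaces push the real extension out of view in narrow
    # columns and are ignored by Windows anyway.
    return name.strip().rstrip(". ").lower()


def extensions_of(name: str) -> list[str]:
    """Every extension in the name, innermost first: 'a.tar.gz' -> ['tar', 'gz']."""
    parts = normalise(name).split(".")
    return parts[1:] if len(parts) > 1 else []


def check_filename(name: str) -> Verdict:
    exts = extensions_of(name)
    if not exts:
        return Verdict(name, "review", "no extension: cannot tell what it is")
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return Verdict(name, "block",
                           f"executable .{last} hidden behind decoy .{exts[-2]}")
        return Verdict(name, "block", f"executable file type .{last}")
    if last in MACRO_EXTENSIONS:
        return Verdict(name, "review", f"macro-capable document .{last}")
    return Verdict(name, "allow", f"document type .{last}")


def check_batch(names: list[str]) -> list[Verdict]:
    return [check_filename(n) for n in names]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    samples = ["quarterly_report.pdf", "invoice.pdf.exe", "Photo.JPG.scr",
               "setup.EXE", "budget.xlsm", "README", "report\u202Efdp.exe"]
    for v in check_batch(samples):
        print(f"{v.action:6} {v.filename!r}: {v.reason}")
```

The point of `normalise` is that the policy must be applied to what the file is, not to what the name looks like on screen; a check that simply tests `name.endswith(".exe")` passes `setup.EXE`, `setup.exe ` and the right-to-left-override case. A gateway would normally go one step further and inspect the file’s content (the MZ header of a Windows executable) as well as its name, since the name is attacker-controlled.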
Next week: Social Engineering
Alan Calder’s company provides businesses with consultancy support and advice on governance and information security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750