Attacks/Breaches
1/17/2014
04:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Malware: More Hype Than Reality

Sure, malware exists, but is it really as bad as the news suggests?

In any given year, there are approximately 100 shark attacks worldwide. Of those 100, only 16 of these attacks end in a fatality. Funny then, that we humans have such irrational fears about being attacked by a shark while swimming in the ocean. Clearly, the odds of an attack are incredibly small. Our fears are simply fueled by movies and television shows that make the danger seem far more common.

The case against malware is very similar: Malware exists, but it consumes a lot of resources unnecessarily. And despite the danger, IT security professionals place far too much emphasis on data loss through malware than they should.

First, let me say that malware can indeed be a huge problem and time must be spent on a defense-in-depth strategy that reduces a company's exposure significantly. But once that's done, it's time to move on to the next security hole in your organization.  Unfortunately, we're often so focused on malware that we end up with a security posture that's heavily protected against electronic attacks, but lacking in other areas -- specifically social engineering.

What Target tells us
The Target store breach is a perfect example of this. As details of the breach emerge, it’s starting to look as if malware was indeed used to steal customer financial information. What we don’t know is whether Target has a security posture in place that could have prevented the attack. We also don't know if the malware used was known and could have been initially blocked. If the malware was new and highly sophisticated, tools like an IPS and antivirus software would have been rendered useless. What can be controlled is how the malware was installed on Target store systems. As the New York Times bits blog pointed out:

To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.

At DefCon 21, for instance, a capture-the-flag competition set about to see just how easy it is to obtain sensitive business information using social engineering methods. The contest targeted ten Fortune 500 companies. Suffice it to say the results were chilling. It's far too easy for regular, untrained people to simply pick up the phone, call an employee, and glean important information from him or her while pretending to be a student, vendor, or a fellow employee.

Information such as OS patch versions, WiFi SSIDs, and even information regarding physical security was happily handed over. Additionally, this year's contest presenters noted that simple Internet searches of companies and their employees garnered far more sensitive information than in years past. The reason for the increase in company leaks on the public Internet? Social networking sites such as Facebook, LinkedIn and Twitter. The problem I see is twofold.

  1. Cyber spies engaged in corporate espionage who are seeking information about a company -- such as a potential merger, new product, or market -- are likely to find it much easier to use the phone to steal the information using non-technical methods.

  2. Hackers can use the information obtained though social engineering to find weaknesses in a network infrastructure and be able to attack a company using targeted malware.

Either way, the chances of information leaks and other security breaches goes up significantly because your IT security team tends to ignore employee education.

It's not the malware, it's the people 
By education, I'm talking about training sessions that teach people about common pitfalls that most social engineers use. It's important to demonstrate that a caller-ID is easy to spoof -- or manipulate to show anything the caller wants. Just because the call comes from a known and trusted caller-ID, doesn't mean you should believe it.

Organizations also need to show employees on how to determine that the person is who they say they are. For example, when you get a phone call ask the caller to follow up with an email, or call him or her back at the caller-ID number to verify the person's identity. Instill into employees that sensitive information should never be transmitted over the phone and that fellow employees will never ask for it. Train them to become highly skeptical of who's on the other end of the line.

The truth is, malware can be contained if the proper security plans are in place -- and it's likely that your organization already has a decent hold on this issue. But security professionals can't stop here. Once the threat of most malware attacks is removed, we can move onto much more serious threats to data loss. 

Andrew Froehlich has well over a decade of enterprise networking experience under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-out.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:04:02 AM
Re: Protected Against 12,543,654,654 threats
Totally agree somedude8 - those notices go beyond funny, they are downright annoying & counterproductive -- just like a nagging spouse (mine totally excepted from that characterization). I so appreciate the warnings that something in my AV software is out of date, but not when it's a thinly veiled attemped to get me to upgrade to a more expensive package. Those kinds of activities work against the anti-malware industry, especially companies selling to consumers, who will get frustrated and not adopt the security practices necessary to prevent an attack. We all know that consumers are bringing their devices into enterprise networks in drove. So everyone is at greater risk....
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/21/2014 | 7:19:22 PM
Re: Users are the weak link
You can never go wrong with higher awareness and more training. Most people learn by repetition, so keep drilling it into their heads. That can also be a lot less expensive than expanding the set of technical security tools to protect the network.
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
1/21/2014 | 4:01:49 PM
Protected Against 12,543,654,654 threats
I always find it funny how anti Malware programs go way out of their way to let you know that they have protected your system against {insert ludicrous number here} threats since the date it was installed. And how almost every single one of those 'threats' is a cookie.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
1/21/2014 | 12:46:30 PM
Related: Target, Neiman Marcus Malware Creators Identified
Update on the biggest malware story of the day: Target, Neiman Marcus Malware Creators Identified
Andrew Froehlich
50%
50%
Andrew Froehlich,
User Rank: Apprentice
1/21/2014 | 12:37:38 PM
Re: Users are the weak link
I agree 100% @jagibbons - But it's been my experience that much more focus on prevention tools and very little on education.  While it's true that people will make mistakes, the more education regarding malware and social engineering they receive, the less likely they'll make stupid mistakes that let malware in.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
1/21/2014 | 12:37:07 PM
It pays to be paranoid
I've very rarely had problems with malware on any computer I've owned or operated, I think probably because I'm reasonably paranoid about clicking on links or downloading software from unfamiliar sources. I know drive-by attacks are supposed to be possible, but I haven't experienced them. (Should I say, "that I know of"?)

Of course, it also pays to be paranoid enough to run scans on your computer regularly and particularly when it's acting strangely in case something evil has taken root.
Andrew Froehlich
50%
50%
Andrew Froehlich,
User Rank: Apprentice
1/21/2014 | 12:33:35 PM
Re: Education
To reiterate...in no way do I think that the use of malware prevention and mitigation tools should be cast aside. They are clearly beneficial. My point is that so many in IT security are laser focused on these tools that we often forget that most malware can be easily prevented with proper end-user education.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
1/21/2014 | 9:08:56 AM
Re: Education
To melgross's point about the comment spam, we're on the case. It seems to be particularly egriegious over the weekend, when there are fewer editotrs to spot it and remove it. We're seeking an automated solution. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2014 | 8:32:19 AM
Re: Education
This is a great thread -- and I'm glad the headline (in the wake of the Target breach) captured everyone's attention. Of course malware need to be taken seriously. But users -- even sophisticated one -- are also very vulnerable to many other kinds of attacks -- attack that require constant education and re-education. 

I read, edit and write about security every day and I know how easy it is to become jaded and complacent about best user security practices, so it's incumbent upon management to constantly remind employees of the risks -- and how to avoid them. 
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
1/21/2014 | 6:54:35 AM
Re: Education
That's a fair point. Malware is often dependent on the user heading to a less than repuitable site, but if links to those sites are spammed on safe ones, it's harder to avoid. 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio