Attacks/Breaches
1/17/2014
04:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Malware: More Hype Than Reality

Sure, malware exists, but is it really as bad as the news suggests?

In any given year, there are approximately 100 shark attacks worldwide. Of those 100, only 16 of these attacks end in a fatality. Funny then, that we humans have such irrational fears about being attacked by a shark while swimming in the ocean. Clearly, the odds of an attack are incredibly small. Our fears are simply fueled by movies and television shows that make the danger seem far more common.

The case against malware is very similar: Malware exists, but it consumes a lot of resources unnecessarily. And despite the danger, IT security professionals place far too much emphasis on data loss through malware than they should.

First, let me say that malware can indeed be a huge problem and time must be spent on a defense-in-depth strategy that reduces a company's exposure significantly. But once that's done, it's time to move on to the next security hole in your organization.  Unfortunately, we're often so focused on malware that we end up with a security posture that's heavily protected against electronic attacks, but lacking in other areas -- specifically social engineering.

What Target tells us
The Target store breach is a perfect example of this. As details of the breach emerge, it’s starting to look as if malware was indeed used to steal customer financial information. What we don’t know is whether Target has a security posture in place that could have prevented the attack. We also don't know if the malware used was known and could have been initially blocked. If the malware was new and highly sophisticated, tools like an IPS and antivirus software would have been rendered useless. What can be controlled is how the malware was installed on Target store systems. As the New York Times bits blog pointed out:

To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.

At DefCon 21, for instance, a capture-the-flag competition set about to see just how easy it is to obtain sensitive business information using social engineering methods. The contest targeted ten Fortune 500 companies. Suffice it to say the results were chilling. It's far too easy for regular, untrained people to simply pick up the phone, call an employee, and glean important information from him or her while pretending to be a student, vendor, or a fellow employee.

Information such as OS patch versions, WiFi SSIDs, and even information regarding physical security was happily handed over. Additionally, this year's contest presenters noted that simple Internet searches of companies and their employees garnered far more sensitive information than in years past. The reason for the increase in company leaks on the public Internet? Social networking sites such as Facebook, LinkedIn and Twitter. The problem I see is twofold.

  1. Cyber spies engaged in corporate espionage who are seeking information about a company -- such as a potential merger, new product, or market -- are likely to find it much easier to use the phone to steal the information using non-technical methods.

  2. Hackers can use the information obtained though social engineering to find weaknesses in a network infrastructure and be able to attack a company using targeted malware.

Either way, the chances of information leaks and other security breaches goes up significantly because your IT security team tends to ignore employee education.

It's not the malware, it's the people 
By education, I'm talking about training sessions that teach people about common pitfalls that most social engineers use. It's important to demonstrate that a caller-ID is easy to spoof -- or manipulate to show anything the caller wants. Just because the call comes from a known and trusted caller-ID, doesn't mean you should believe it.

Organizations also need to show employees on how to determine that the person is who they say they are. For example, when you get a phone call ask the caller to follow up with an email, or call him or her back at the caller-ID number to verify the person's identity. Instill into employees that sensitive information should never be transmitted over the phone and that fellow employees will never ask for it. Train them to become highly skeptical of who's on the other end of the line.

The truth is, malware can be contained if the proper security plans are in place -- and it's likely that your organization already has a decent hold on this issue. But security professionals can't stop here. Once the threat of most malware attacks is removed, we can move onto much more serious threats to data loss. 

Andrew Froehlich has well over a decade of enterprise networking experience under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-out.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
1/17/2014 | 4:20:57 PM
Education
The security community has been advocating better user education as a defense against threats for decades. It hasn't really taken.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/17/2014 | 4:35:38 PM
Re: Education
The most effective lesson is experience. I recall a story from a CIO who "tested" employees by sending out an email that contained some relatively benign malicious code. The security team was very surprised that so many people (who should have known better) actually opened the email! Point made.
ChrisMurphy
100%
0%
ChrisMurphy,
User Rank: Apprentice
1/17/2014 | 6:38:12 PM
Re: Education
Sure, malware isn't likely to kill us, but if IT ignores it and lets it run rampant, won't our PCs get so cluttered and crudded up with malware that they're hopelessly slow and killing productivity? Maybe malware's less like a shark and more like kudzu.   
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/18/2014 | 2:46:06 PM
Re: Education
 

@Chris... I think you are missing the point of this article. IT needs to spend time on Malware detection but there is only so much you can do. What if someone calls an employee and asks them some questions and gets info on your network? IT can't do anything about that except train people on the risks of giving any info out unless you absolutely know who you are talking to.
Andrew Froehlich
50%
50%
Andrew Froehlich,
User Rank: Apprentice
1/21/2014 | 12:33:35 PM
Re: Education
To reiterate...in no way do I think that the use of malware prevention and mitigation tools should be cast aside. They are clearly beneficial. My point is that so many in IT security are laser focused on these tools that we often forget that most malware can be easily prevented with proper end-user education.
melgross
50%
50%
melgross,
User Rank: Apprentice
1/20/2014 | 7:51:39 PM
Re: Education
Look at your own site. The posts are filled with these junk posts of people making money. Who knows what will happen if someone responds. But is anyone e removing these? No. On the front page, right now, every post highlighted on the right is a junk post. Why? There is no excuse. There's one right below mine. How can you talk about security if you people here care so little about it? And if you say that they're not malware, well, they are at least scams. And you can't know if they haven't been hijacked by malware producers without finding out. Have you done that?
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
1/21/2014 | 6:54:35 AM
Re: Education
That's a fair point. Malware is often dependent on the user heading to a less than repuitable site, but if links to those sites are spammed on safe ones, it's harder to avoid. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/21/2014 | 8:32:19 AM
Re: Education
This is a great thread -- and I'm glad the headline (in the wake of the Target breach) captured everyone's attention. Of course malware need to be taken seriously. But users -- even sophisticated one -- are also very vulnerable to many other kinds of attacks -- attack that require constant education and re-education. 

I read, edit and write about security every day and I know how easy it is to become jaded and complacent about best user security practices, so it's incumbent upon management to constantly remind employees of the risks -- and how to avoid them. 
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
1/21/2014 | 9:08:56 AM
Re: Education
To melgross's point about the comment spam, we're on the case. It seems to be particularly egriegious over the weekend, when there are fewer editotrs to spot it and remove it. We're seeking an automated solution. 
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/18/2014 | 2:39:42 PM
Users are the weak link
 

Great article Andrew. When I first started reading this I thought "What is he talking about?... Malware is hype?"

As I read on I see what you are talking about. User education is vital in the fight against malware. You can only safeguard your computer systems so much. If info is given out over social channels and phone calls then all the work you put in to protect your network is out the window.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/20/2014 | 12:50:19 PM
Re: Users are the weak link
You're obviously correct, Paul, you have to try and educate. But I just think of that quote from that comic Ron White: You can't fix stupid.

Even worse, I don't think you can fix curious either. Our CFO here, who is as intelligent as anyone you'll ever meet, got a phishing email from (supposedly) Pacific Gas & Electric talking about what he owed them and to click on this embedded link to get more info. Even though we live in Wisconsin, he tried to click link. Thankfully our proxy server malware filter blocked him, the link was trying to go to some South American ISP hosted site.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/20/2014 | 6:24:11 PM
Re: Users are the weak link
Good point, @TerryB. Even IT pros can fall victim to a really well-written email or carefully crafted and scripted phone call. You can't fix, or train away, stupid. What you can do is make sure you have a multi-pronged approach that includes user security training and technical security tools. Both are important, and there's probably more involved to make sure you have a well-rounded and comprehensive plan in place.
Andrew Froehlich
50%
50%
Andrew Froehlich,
User Rank: Apprentice
1/21/2014 | 12:37:38 PM
Re: Users are the weak link
I agree 100% @jagibbons - But it's been my experience that much more focus on prevention tools and very little on education.  While it's true that people will make mistakes, the more education regarding malware and social engineering they receive, the less likely they'll make stupid mistakes that let malware in.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/21/2014 | 7:19:22 PM
Re: Users are the weak link
You can never go wrong with higher awareness and more training. Most people learn by repetition, so keep drilling it into their heads. That can also be a lot less expensive than expanding the set of technical security tools to protect the network.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
1/21/2014 | 12:37:07 PM
It pays to be paranoid
I've very rarely had problems with malware on any computer I've owned or operated, I think probably because I'm reasonably paranoid about clicking on links or downloading software from unfamiliar sources. I know drive-by attacks are supposed to be possible, but I haven't experienced them. (Should I say, "that I know of"?)

Of course, it also pays to be paranoid enough to run scans on your computer regularly and particularly when it's acting strangely in case something evil has taken root.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
1/21/2014 | 12:46:30 PM
Related: Target, Neiman Marcus Malware Creators Identified
Update on the biggest malware story of the day: Target, Neiman Marcus Malware Creators Identified
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
1/21/2014 | 4:01:49 PM
Protected Against 12,543,654,654 threats
I always find it funny how anti Malware programs go way out of their way to let you know that they have protected your system against {insert ludicrous number here} threats since the date it was installed. And how almost every single one of those 'threats' is a cookie.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:04:02 AM
Re: Protected Against 12,543,654,654 threats
Totally agree somedude8 - those notices go beyond funny, they are downright annoying & counterproductive -- just like a nagging spouse (mine totally excepted from that characterization). I so appreciate the warnings that something in my AV software is out of date, but not when it's a thinly veiled attemped to get me to upgrade to a more expensive package. Those kinds of activities work against the anti-malware industry, especially companies selling to consumers, who will get frustrated and not adopt the security practices necessary to prevent an attack. We all know that consumers are bringing their devices into enterprise networks in drove. So everyone is at greater risk....
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.