04:05 PM
Connect Directly

Malware: More Hype Than Reality

Sure, malware exists, but is it really as bad as the news suggests?

In any given year, there are approximately 100 shark attacks worldwide. Of those 100, only 16 of these attacks end in a fatality. Funny then, that we humans have such irrational fears about being attacked by a shark while swimming in the ocean. Clearly, the odds of an attack are incredibly small. Our fears are simply fueled by movies and television shows that make the danger seem far more common.

The case against malware is very similar: Malware exists, but it consumes a lot of resources unnecessarily. And despite the danger, IT security professionals place far too much emphasis on data loss through malware than they should.

First, let me say that malware can indeed be a huge problem and time must be spent on a defense-in-depth strategy that reduces a company's exposure significantly. But once that's done, it's time to move on to the next security hole in your organization.  Unfortunately, we're often so focused on malware that we end up with a security posture that's heavily protected against electronic attacks, but lacking in other areas -- specifically social engineering.

What Target tells us
The Target store breach is a perfect example of this. As details of the breach emerge, it’s starting to look as if malware was indeed used to steal customer financial information. What we don’t know is whether Target has a security posture in place that could have prevented the attack. We also don't know if the malware used was known and could have been initially blocked. If the malware was new and highly sophisticated, tools like an IPS and antivirus software would have been rendered useless. What can be controlled is how the malware was installed on Target store systems. As the New York Times bits blog pointed out:

To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.

At DefCon 21, for instance, a capture-the-flag competition set about to see just how easy it is to obtain sensitive business information using social engineering methods. The contest targeted ten Fortune 500 companies. Suffice it to say the results were chilling. It's far too easy for regular, untrained people to simply pick up the phone, call an employee, and glean important information from him or her while pretending to be a student, vendor, or a fellow employee.

Information such as OS patch versions, WiFi SSIDs, and even information regarding physical security was happily handed over. Additionally, this year's contest presenters noted that simple Internet searches of companies and their employees garnered far more sensitive information than in years past. The reason for the increase in company leaks on the public Internet? Social networking sites such as Facebook, LinkedIn and Twitter. The problem I see is twofold.

  1. Cyber spies engaged in corporate espionage who are seeking information about a company -- such as a potential merger, new product, or market -- are likely to find it much easier to use the phone to steal the information using non-technical methods.

  2. Hackers can use the information obtained though social engineering to find weaknesses in a network infrastructure and be able to attack a company using targeted malware.

Either way, the chances of information leaks and other security breaches goes up significantly because your IT security team tends to ignore employee education.

It's not the malware, it's the people 
By education, I'm talking about training sessions that teach people about common pitfalls that most social engineers use. It's important to demonstrate that a caller-ID is easy to spoof -- or manipulate to show anything the caller wants. Just because the call comes from a known and trusted caller-ID, doesn't mean you should believe it.

Organizations also need to show employees on how to determine that the person is who they say they are. For example, when you get a phone call ask the caller to follow up with an email, or call him or her back at the caller-ID number to verify the person's identity. Instill into employees that sensitive information should never be transmitted over the phone and that fellow employees will never ask for it. Train them to become highly skeptical of who's on the other end of the line.

The truth is, malware can be contained if the proper security plans are in place -- and it's likely that your organization already has a decent hold on this issue. But security professionals can't stop here. Once the threat of most malware attacks is removed, we can move onto much more serious threats to data loss. 

Andrew Froehlich has well over a decade of enterprise networking experience under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-out.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
1/20/2014 | 7:51:39 PM
Re: Education
Look at your own site. The posts are filled with these junk posts of people making money. Who knows what will happen if someone responds. But is anyone e removing these? No. On the front page, right now, every post highlighted on the right is a junk post. Why? There is no excuse. There's one right below mine. How can you talk about security if you people here care so little about it? And if you say that they're not malware, well, they are at least scams. And you can't know if they haven't been hijacked by malware producers without finding out. Have you done that?
User Rank: Strategist
1/20/2014 | 6:24:11 PM
Re: Users are the weak link
Good point, @TerryB. Even IT pros can fall victim to a really well-written email or carefully crafted and scripted phone call. You can't fix, or train away, stupid. What you can do is make sure you have a multi-pronged approach that includes user security training and technical security tools. Both are important, and there's probably more involved to make sure you have a well-rounded and comprehensive plan in place.
User Rank: Ninja
1/20/2014 | 12:50:19 PM
Re: Users are the weak link
You're obviously correct, Paul, you have to try and educate. But I just think of that quote from that comic Ron White: You can't fix stupid.

Even worse, I don't think you can fix curious either. Our CFO here, who is as intelligent as anyone you'll ever meet, got a phishing email from (supposedly) Pacific Gas & Electric talking about what he owed them and to click on this embedded link to get more info. Even though we live in Wisconsin, he tried to click link. Thankfully our proxy server malware filter blocked him, the link was trying to go to some South American ISP hosted site.
User Rank: Apprentice
1/18/2014 | 2:46:06 PM
Re: Education

@Chris... I think you are missing the point of this article. IT needs to spend time on Malware detection but there is only so much you can do. What if someone calls an employee and asks them some questions and gets info on your network? IT can't do anything about that except train people on the risks of giving any info out unless you absolutely know who you are talking to.
User Rank: Apprentice
1/18/2014 | 2:39:42 PM
Users are the weak link

Great article Andrew. When I first started reading this I thought "What is he talking about?... Malware is hype?"

As I read on I see what you are talking about. User education is vital in the fight against malware. You can only safeguard your computer systems so much. If info is given out over social channels and phone calls then all the work you put in to protect your network is out the window.
User Rank: Strategist
1/17/2014 | 6:38:12 PM
Re: Education
Sure, malware isn't likely to kill us, but if IT ignores it and lets it run rampant, won't our PCs get so cluttered and crudded up with malware that they're hopelessly slow and killing productivity? Maybe malware's less like a shark and more like kudzu.   
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/17/2014 | 4:35:38 PM
Re: Education
The most effective lesson is experience. I recall a story from a CIO who "tested" employees by sending out an email that contained some relatively benign malicious code. The security team was very surprised that so many people (who should have known better) actually opened the email! Point made.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
1/17/2014 | 4:20:57 PM
The security community has been advocating better user education as a defense against threats for decades. It hasn't really taken.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.