Attacks/Breaches
1/17/2014
04:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Malware: More Hype Than Reality

Sure, malware exists, but is it really as bad as the news suggests?

In any given year, there are approximately 100 shark attacks worldwide. Of those 100, only 16 of these attacks end in a fatality. Funny then, that we humans have such irrational fears about being attacked by a shark while swimming in the ocean. Clearly, the odds of an attack are incredibly small. Our fears are simply fueled by movies and television shows that make the danger seem far more common.

The case against malware is very similar: Malware exists, but it consumes a lot of resources unnecessarily. And despite the danger, IT security professionals place far too much emphasis on data loss through malware than they should.

First, let me say that malware can indeed be a huge problem and time must be spent on a defense-in-depth strategy that reduces a company's exposure significantly. But once that's done, it's time to move on to the next security hole in your organization.  Unfortunately, we're often so focused on malware that we end up with a security posture that's heavily protected against electronic attacks, but lacking in other areas -- specifically social engineering.

What Target tells us
The Target store breach is a perfect example of this. As details of the breach emerge, it’s starting to look as if malware was indeed used to steal customer financial information. What we don’t know is whether Target has a security posture in place that could have prevented the attack. We also don't know if the malware used was known and could have been initially blocked. If the malware was new and highly sophisticated, tools like an IPS and antivirus software would have been rendered useless. What can be controlled is how the malware was installed on Target store systems. As the New York Times bits blog pointed out:

To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.

At DefCon 21, for instance, a capture-the-flag competition set about to see just how easy it is to obtain sensitive business information using social engineering methods. The contest targeted ten Fortune 500 companies. Suffice it to say the results were chilling. It's far too easy for regular, untrained people to simply pick up the phone, call an employee, and glean important information from him or her while pretending to be a student, vendor, or a fellow employee.

Information such as OS patch versions, WiFi SSIDs, and even information regarding physical security was happily handed over. Additionally, this year's contest presenters noted that simple Internet searches of companies and their employees garnered far more sensitive information than in years past. The reason for the increase in company leaks on the public Internet? Social networking sites such as Facebook, LinkedIn and Twitter. The problem I see is twofold.

  1. Cyber spies engaged in corporate espionage who are seeking information about a company -- such as a potential merger, new product, or market -- are likely to find it much easier to use the phone to steal the information using non-technical methods.

  2. Hackers can use the information obtained though social engineering to find weaknesses in a network infrastructure and be able to attack a company using targeted malware.

Either way, the chances of information leaks and other security breaches goes up significantly because your IT security team tends to ignore employee education.

It's not the malware, it's the people 
By education, I'm talking about training sessions that teach people about common pitfalls that most social engineers use. It's important to demonstrate that a caller-ID is easy to spoof -- or manipulate to show anything the caller wants. Just because the call comes from a known and trusted caller-ID, doesn't mean you should believe it.

Organizations also need to show employees on how to determine that the person is who they say they are. For example, when you get a phone call ask the caller to follow up with an email, or call him or her back at the caller-ID number to verify the person's identity. Instill into employees that sensitive information should never be transmitted over the phone and that fellow employees will never ask for it. Train them to become highly skeptical of who's on the other end of the line.

The truth is, malware can be contained if the proper security plans are in place -- and it's likely that your organization already has a decent hold on this issue. But security professionals can't stop here. Once the threat of most malware attacks is removed, we can move onto much more serious threats to data loss. 

Andrew Froehlich has well over a decade of enterprise networking experience under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-out.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
melgross
50%
50%
melgross,
User Rank: Apprentice
1/20/2014 | 7:51:39 PM
Re: Education
Look at your own site. The posts are filled with these junk posts of people making money. Who knows what will happen if someone responds. But is anyone e removing these? No. On the front page, right now, every post highlighted on the right is a junk post. Why? There is no excuse. There's one right below mine. How can you talk about security if you people here care so little about it? And if you say that they're not malware, well, they are at least scams. And you can't know if they haven't been hijacked by malware producers without finding out. Have you done that?
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
1/20/2014 | 6:24:11 PM
Re: Users are the weak link
Good point, @TerryB. Even IT pros can fall victim to a really well-written email or carefully crafted and scripted phone call. You can't fix, or train away, stupid. What you can do is make sure you have a multi-pronged approach that includes user security training and technical security tools. Both are important, and there's probably more involved to make sure you have a well-rounded and comprehensive plan in place.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/20/2014 | 12:50:19 PM
Re: Users are the weak link
You're obviously correct, Paul, you have to try and educate. But I just think of that quote from that comic Ron White: You can't fix stupid.

Even worse, I don't think you can fix curious either. Our CFO here, who is as intelligent as anyone you'll ever meet, got a phishing email from (supposedly) Pacific Gas & Electric talking about what he owed them and to click on this embedded link to get more info. Even though we live in Wisconsin, he tried to click link. Thankfully our proxy server malware filter blocked him, the link was trying to go to some South American ISP hosted site.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/18/2014 | 2:46:06 PM
Re: Education
 

@Chris... I think you are missing the point of this article. IT needs to spend time on Malware detection but there is only so much you can do. What if someone calls an employee and asks them some questions and gets info on your network? IT can't do anything about that except train people on the risks of giving any info out unless you absolutely know who you are talking to.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/18/2014 | 2:39:42 PM
Users are the weak link
 

Great article Andrew. When I first started reading this I thought "What is he talking about?... Malware is hype?"

As I read on I see what you are talking about. User education is vital in the fight against malware. You can only safeguard your computer systems so much. If info is given out over social channels and phone calls then all the work you put in to protect your network is out the window.
ChrisMurphy
100%
0%
ChrisMurphy,
User Rank: Apprentice
1/17/2014 | 6:38:12 PM
Re: Education
Sure, malware isn't likely to kill us, but if IT ignores it and lets it run rampant, won't our PCs get so cluttered and crudded up with malware that they're hopelessly slow and killing productivity? Maybe malware's less like a shark and more like kudzu.   
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/17/2014 | 4:35:38 PM
Re: Education
The most effective lesson is experience. I recall a story from a CIO who "tested" employees by sending out an email that contained some relatively benign malicious code. The security team was very surprised that so many people (who should have known better) actually opened the email! Point made.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
1/17/2014 | 4:20:57 PM
Education
The security community has been advocating better user education as a defense against threats for decades. It hasn't really taken.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.