Scareware And Bots Require Layered Defenses

Defense in depth is not a new idea in security, but the importance of taking a layered approach is more important than ever. The current rise in infections by bots and scareware, along with recent reports on anti-malware endpoint protection, demonstrate how we need to be doing more at every layer.Maybe you're one of the lucky ones, but nearly every IT person I know has seen a considerable increase in malware infections. The majority of the infections are bots and scareware that have come through a Web-based infection vector -- sometimes exploits against the browser, and sometimes taking advantage of users through social engineering. So what's going on?

I think the first problem is an increase in the number of bad guys out there looking to make money using malware. Unfortunately, there's not much we can do about that, so we have to focus on both proactive measures to prevent the infections and reactive measures to deal with the infections as they occur.

Why both? If we put in preventive measures, then why do we need reactive ones? It's simple. Security controls fail. Something will get through. As I've said before, when it comes to security, failure is inevitable so you must plan for it.

The recent testing by NSS Labs of anti-malware products for consumers and enterprises is pretty disheartening -- especially if you're one of those folks still clutching your antivirus under the covers and whispering to yourself that it's all going to be OK. It's not. Take off the blinders because the report clearly shows the products we are paying to protect our users are not completely effective.

Another factor I've seen recently is that malware is better adapting to the environments it's infecting. The groups I've seen with increased malware infections are in both the "everyone is an admin" and "everyone is a user" environments. While I'm still a big proponent of keeping your users as "Users" (and not "Power Users" and "Administrators"), that isn't helping as much. Malware authors have taken the tact that if they can't infect the entire system, then let's infect at least the user profile.

Rick Moy, president of NSS Labs, said it best: "With so many zero-hour attacks out there, you're going to need multiple layers of protection. Secure Web gateways, Microsoft User Account Control, and whitelisting are just a few of the accompanying layers that users should be looking into." Thanks, Rick. I couldn't have said it better. I'll be taking a deeper look at some of these technologies in upcoming blogs. Stay tuned.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.