Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/20/2017
11:00 AM
Raj Rajamani
Raj Rajamani
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

How to Talk to the C-Suite about Malware Trends

There is no simple answer to the question 'Are we protected against the latest brand-name malware attack?' But there is a smart one.

WannaCry scared the world with its massive disruption. NotPetya reminded everyone why they can't forget about exploits after the first time they are used. Mirai irritated consumers for a full day with record-breaking distributed denial-of-service levels from its infected botnet. The good news is that headlines from all of these attacks caught the attention of executives who suddenly started asking if they were vulnerable to these attacks. The bad news? They started asking the wrong questions.

Security is not a one-and-done project; it is a constant battle against creative hackers evolving new and improved threats. But top executives and board members are still learning about security practices, so when they stop at their CISO's desk they only know to ask "Are we protected against WannaCry?"

The only job-preserving answer to that question is "Yes," but that omits so many other factors that leave the executive with a false sense of security. A smart CISO can take advantage of the executive's attention to explain how blocking specific malware variants is only a stopgap measure.

The reality is that malware changes so rapidly that blocking any single variant will provide only a day or two of relief before it comes back just different enough to slip through those defenses again. SentinelOne's Enterprise Risk Index released this April found that less than 50% of malware detected is included in malware repositories. This shows how quickly new threats come and go and the sheer volume of threats to monitor.

Instead, companies need to focus on the underlying vulnerabilities in their systems that leave them open to these kinds of attacks. That could involve finding a SQL injection vulnerability in their databases or reworking a poorly configured network that allows malware to jump from insecure Internet of Things devices to mission-critical systems.

Navigating Internal Team Dynamics
The job of the CISO is to understand these vulnerabilities and to have the knowledge required to close them. Despite the skills shortages that have made finding experienced cybersecurity professionals difficult, most companies have found very competent people to fill these roles. These vulnerabilities remain when CISOs meet roadblocks imposed by the limited resources they have available and by their inability to convince other teams of the necessity of these changes.

Many technology departments resist change. As recently as five years ago, many antivirus users failed to update signature lists on a weekly basis. When it comes to more effective changes such as software updates, IT teams can be even slower. That is not to say they do not sometimes have good reasons; the longer a legacy system is in use, the harder it is to be sure it is compatible with the latest software updates. CISOs may know that these updates are part of the framework that protect vital corporate systems, but without executive backing they don't have the power to force IT teams to keep a regular patching schedule.

The Shifting Malware Landscape
Today, hackers no longer need to invest time in targeted attacks because there are a vast number of unsecured, vulnerable systems that are accessible to them. Instead, they have adopted a "spray and pray" mentality. The end result is that every Internet-connected device —router, server, mobile phone, computer, coffee maker — is under constant threat from constantly evolving malware issued by hackers who don't really care who they infect, as long as it is profitable.

This constant bombardment across all possible attack vectors means that CISOs must be even more vigilant than ever in identifying and closing potential vulnerabilities, not just relying on standardized filters to catch malware as it tries to infect the network. It may seem like a hopeless predicament fighting a never-ending battle against an ever-growing list of unknowns. But the upside is that the executive attention these branded malware attacks have captured brings a new opportunity.

A savvy CISO will take advantage of that momentary attention to say, "Yes, we are protected against WannaCry… today. But we have some vulnerabilities in our systems that need immediate attention." Then, she can impart the expertise she is being paid to have, and convince the executive of the need for a real change in protecting the underlying vectors that leave companies exposed.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Raj Rajamani is the vice president of product management at SentinelOne. He joined SentinelOne from Cylance, where he was part of the original executive team. Raj has been developing security solutions for over a decade through his time at McAfee and Solidcore. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...