Rethinking Desktop Security

There isn’t a week that goes by that we don't hear about a significant data breach or new exploit. For years, the focus was on Windows, but increasingly this is no longer the case. Leopard, Apple’s new OS, has already been identified as having exposures -- and it is only a few weeks old. And evidently, some botmasters prefer Linux as a target over Windows.

Each operating system has its own unique exposures, and if it is prevalent enough, it will be targeted and exploited.

What's scary is that the attackers are as skilled and well-funded as the defenders, if not more so. In fact, Kaspersky Labs has stated that the defenders are losing the technology race; firms simply cannot keep up with the attackers' rate of advancement.

One of the biggest problems is that the malware itself is becoming intelligent. It is capable of changing and evolving as it moves from machine to machine, much like a traditional virus does as it moves from person to person. And as with a biological virus, cures that worked for the initial outbreak of malware don’t seem to work for the evolved versions.

Rootkits are one of the nastiest of the malware types. They actually change the OS by embedding the malware into it so that anti-malware products can’t differentiate it from the OS. Rootkits are likely the closest thing we have to a cancer for a PC.

Finally, we still have a problem with outright theft. As notebooks get smaller and more portable, they get vastly easier to forget and steal. Recently, the industry has seen a large number of high-profile laptop losses and thefts. These losses are costly to the companies involved, requiring the disclosure of the type of data lost, and in the instance of customer data, there are the additional costs of ID theft insurance and credit monitoring services.

Turn on your TPM
The Trusted Platform Module (TPM) is probably the most widely-available desktop security product that is almost never used. It has been built into virtually every business laptop -- if your installed base is mostly less than 2 years old, you probably have more laptops with TPM than you have without it.

TPM assures a trusted data pipe, but the only company that I’ve run into that has consistently been able to turn on and manage this feature is Wave Systems. Wave has integrated TPM with the biometric security that is also available on many laptops. Unfortunately, it still doesn't offer a way to ensure that the data on the laptop is secure.

Seagate and Hitachi are now offering encrypted drives that are connected to TPM. The encryption key is controlled by IT and not by the user. This means that IT can certify that the key has not been compromised, while also coupling TPM with a strong user access technology, such as RSA(or biometrics. The result should be a vastly better way to ensure that the data on the laptop is not compromised if the laptop is compromised.

To make all of this work, however, you need to ensure user authentication, a trusted pipe, and that the encrypted drive is where the data is stored and secure.

Rise of the anti-bot
One of the scariest stories I've heard recently was relayed to me just before Halloween. It was the story of a botmaster who spent two and a half years taking over virtually every PC in a large corporation, gradually getting access to virtually every piece of secure communications. Then, in the end, he used his access to convince the employees they were being laid off, and encouraging them to post all of their financial information to a bogus outplacement Website.

The level of damage caused by such an exploit can’t be accurately estimated. The insider was operating underneath all of security software and monitoring tools the company had, with a clear focus on a long-term strategic attack and gaining as much personal information as possible. He was not caught.

To catch an attack like this, you need intelligent security software. The first I’m aware of is Norton Anti-Bot, which will likely form the benchmark for preventing this sort of attack.

Interestingly, botmasters appear to be increasingly focused on compromising Linux machines -- probably because they are the least likely to be protected by tools of this kind, and tbecause the community approach to tools and drivers lends itself to phishing attacks.

The virtualization game
One of the big problems with the latest attack vectors, particularly rootkits, is that the attacker can alter the system by tricking users into installing something they shouldn’t, or by disabling security applications or features in the OS.

This month, Phoenix Technology launched Computrace that can call home if a laptop is stolen. The product was hard, if not impossible, to remove and was proven successful. But it never caught on, despite the public embarrassment caused by lost laptops over the past few years.

Phoenix Technology has also released a BIOS level solution called Failsafe. This OEM solution works with both the virtual solution above and with TPM-based offerings to not only call home if the laptop is stolen, but to ensure that the data on the device is either destroyed or better secured.

Championed by a BIOS vendor like Phoenix should allow this technology to become more ubiquitous and help form the foundation for a truly next generation security solution.

Act now
Norton Anti-Bot is on the market today. TPMs and Wave Systems have been around for some time, and the Phoenix security solutions are due out in hardware mid-2008.

The combination of these emerging technologies should result in laptop and desktop computers that are vastly more secure than anything we have ever seen in the PC market. When these features are coupled with Vista SP1 and an adequate biometric authentication system, enterprises should be able to provide an unprecedented level of data security.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading.