11/21/2007
04:38 AM

Rethinking Desktop Security

New and built-in security technologies could soon make the PC safer than ever

There isn’t a week that goes by that we don't hear about a significant data breach or new exploit. For years, the focus was on Windows, but increasingly this is no longer the case. Leopard, Apple’s new OS, has already been identified as having exposures -- and it is only a few weeks old. And evidently, some botmasters prefer Linux as a target over Windows.

Each operating system has its own unique exposures, and if it is prevalent enough, it will be targeted and exploited.

What's scary is that the attackers are as skilled and well-funded as the defenders, if not more so. In fact, Kaspersky Labs has stated that the defenders are losing the technology race; firms simply cannot keep up with the attackers' rate of advancement.

One of the biggest problems is that the malware itself is becoming intelligent. It is capable of changing and evolving as it moves from machine to machine, much like a traditional virus does as it moves from person to person. And as with a biological virus, cures that worked for the initial outbreak of malware don’t seem to work for the evolved versions.

Rootkits are one of the nastiest of the malware types. They actually change the OS by embedding the malware into it so that anti-malware products can’t differentiate it from the OS. Rootkits are likely the closest thing we have to a cancer for a PC.

Finally, we still have a problem with outright theft. As notebooks get smaller and more portable, they get vastly easier to forget and steal. Recently, the industry has seen a large number of high-profile laptop losses and thefts. These losses are costly to the companies involved, requiring the disclosure of the type of data lost, and in the instance of customer data, there are the additional costs of ID theft insurance and credit monitoring services.

Turn on your TPM
The Trusted Platform Module (TPM) is probably the most widely available desktop security product that is almost never used. It has been built into virtually every business laptop -- if your installed base is mostly less than two years old, you probably have more laptops with a TPM than without one.

TPM assures a trusted data pipe, but the only company that I’ve run into that has consistently been able to turn on and manage this feature is Wave Systems. Wave has integrated TPM with the biometric security that is also available on many laptops. Unfortunately, it still doesn't offer a way to ensure that the data on the laptop is secure.

Seagate and Hitachi are now offering encrypted drives that are connected to the TPM. The encryption key is controlled by IT and not by the user. This means that IT can certify that the key has not been compromised, while also coupling the TPM with a strong user access technology, such as RSA tokens or biometrics. The result should be a vastly better way to ensure that the data on the laptop is not compromised if the laptop is compromised.

To make all of this work, however, you need to ensure user authentication, a trusted pipe, and that the encrypted drive is where the data is stored and secure.
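As an added example (not part of the original article), a PowerShell inventory that reports which machines actually have their TPM present, enabled and ready, so IT can see how much of the installed base is still unused. It assumes Windows 8 / Server 2012 or later, local admin rights, and PowerShell remoting for any remote host; `$Computers` is a constructed placeholder list.

```powershell
# Added example, not from the article: inventory TPM state so IT can see which
# laptops actually have their TPM turned on. Assumes Windows 8 / Server 2012 or
# later (Get-Tpm ships in the TrustedPlatformModule module), local admin rights,
# and PowerShell remoting for any remote host in the list.
function Get-TpmInventory {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        $tpm = Get-Tpm
        # Win32_Tpm carries the spec version (1.2 vs 2.0), which Get-Tpm does not expose.
        $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        # TpmReady means present, enabled, activated and owned: the state the article asks for.
        $status = if (-not $tpm.TpmPresent) { 'NO TPM' }
                  elseif ($tpm.TpmReady)    { 'READY' }
                  else                      { 'PRESENT BUT NOT IN USE' }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Status      = $status
            SpecVersion = $(if ($wmi) { $wmi.SpecVersion } else { 'unknown' })
            Present     = $tpm.TpmPresent
            Enabled     = $tpm.TpmEnabled
            Activated   = $tpm.TpmActivated
            Owned       = $tpm.TpmOwned
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Continue }
    }
}

# Constructed placeholder list; feed it the hostnames from your asset inventory.
$Computers = @($env:COMPUTERNAME)
Get-TpmInventory -ComputerName $Computers |
    Sort-Object Status |
    Format-Table Computer, Status, SpecVersion, Present, Enabled, Activated, Owned -AutoSize
```

Machines reporting PRESENT BUT NOT IN USE are the ones the article is talking about: the hardware is there, but nothing has taken ownership of it.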

Rise of the anti-bot
One of the scariest stories I've heard recently was relayed to me just before Halloween. It was the story of a botmaster who spent two and a half years taking over virtually every PC in a large corporation, gradually getting access to virtually every piece of secure communications. Then, in the end, he used his access to convince the employees they were being laid off, encouraging them to post all of their financial information to a bogus outplacement Website.

The level of damage caused by such an exploit can't be accurately estimated. The insider was operating underneath all of the security software and monitoring tools the company had, with a clear focus on a long-term strategic attack and on gaining as much personal information as possible. He was not caught.

To catch an attack like this, you need intelligent security software. The first I’m aware of is Norton Anti-Bot, which will likely form the benchmark for preventing this sort of attack.

Interestingly, botmasters appear to be increasingly focused on compromising Linux machines -- probably because they are the least likely to be protected by tools of this kind, and because the community approach to tools and drivers lends itself to phishing attacks.

The virtualization game
One of the big problems with the latest attack vectors, particularly rootkits, is that the attacker can alter the system by tricking users into installing something they shouldn’t, or by disabling security applications or features in the OS.

This month, Phoenix Technology launched Computrace, which can call home if a laptop is stolen. The product was hard, if not impossible, to remove and was proven successful. But it never caught on, despite the public embarrassment caused by lost laptops over the past few years.

Phoenix Technology has also released a BIOS-level solution called Failsafe. This OEM solution works with both the virtual solution above and with TPM-based offerings to not only call home if the laptop is stolen, but to ensure that the data on the device is either destroyed or better secured.

Being championed by a BIOS vendor like Phoenix should allow this technology to become more ubiquitous and help form the foundation for a truly next-generation security solution.

Act now
Norton Anti-Bot is on the market today. TPMs and Wave Systems have been around for some time, and the Phoenix security solutions are due out in hardware mid-2008.

The combination of these emerging technologies should result in laptop and desktop computers that are vastly more secure than anything we have ever seen in the PC market. When these features are coupled with Vista SP1 and an adequate biometric authentication system, enterprises should be able to provide an unprecedented level of data security.

— Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading.
