Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/13/2013
02:45 PM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The More Things Change

Today's malware is more complex than ever, yet it's still based on three basic hacks

I've been working in the tech field for a bit over 15 years now. It's amazing to see how the industry and the technology has changed during that time. In my first job out of grad school, I taught corporate employees how to use Netscape Communicator on their Pentium II desktop PCs, which had just been migrated to Windows NT 4.0. I was the only person in my family with a cell phone -- a large, clunky object with a telescoping antenna and a belt holster. And IBM had just announced a new hard drive for notebook PCs that broke barriers by providing 6.4 GB of storage, three times the average in those days.

Malware has changed a lot, too, since 1998. Back then, floppy disks were just giving way to email as the infection vector of choice. Money was rarely a motivating factor for malware authors and distributors. The stereotype of the nerdy, young man wreaking havoc from his mother's basement probably wasn't too far off in many cases. The volume of new malware was so low that security experts could name and analyze each new sample.

Things look very different now, of course. Our multicore, always-connected devices can be infected via the network, email, SMS, USB, or the Web. Social engineering has advanced well beyond asking users to open a picture of Anna Kournikova naked (though variations of that trick still work). Behind the scenes, malware has "matured from a cottage industry to a Henry Ford style production line funded by organised crime," as my colleague Peter Szabo put it. Analyzing every piece of malware now would be impossible, with several new samples arriving each second of the day. Simon Reed, who runs SophosLabs, describes his team's work as a big data processing and mining operation.

With all the new technology and the rapid growth of "mass market" cybercrime, it may be easy to overlook one constant: Malware depends on finding a way to install or run on its target without the user's informed consent. And, in 15 years in the industry, I've only seen three fundamental ways for that to happen: exploiting a vulnerability, compromising user credentials, and/or tricking the user. That's it. An entire generation's worth of malware -- tens of millions of variants -- reduced to three simple hacks.

Fortunately, as security professionals, we already know how to defend against these three hacks, even if we don't always give them the attention they deserve. We stop exploits by building or buying more secure software, patching vulnerabilities as they arise, and implementing configurations that balance usability and security. We protect user credentials by implementing multifactor authentication, encouraging or enforcing the creation of strong and unique passwords, and securing the credentials in transit and at rest. Users are human, so they'll always be fallible, but security awareness and education -- emphasizing the why, not just the how -- can go a long way in reducing susceptibility to social engineering.

It's easy to describe these defenses, but implementing them properly, consistently, and completely is much harder. Security products help by providing visibility and by leveraging automation and vendors' expertise. They also fill the inevitable gaps in an organization's defenses, detecting threats that slip through. As such, security tools have had to evolve as the threats have evolved. Firewalls have given way to UTMs, antivirus software has developed into multilayer endpoint protection, and Web and email filters have helped users make fewer and better decisions about what to download or open. They may not be perfect, but they're better than their predecessors, and they're a heck of a lot better than nothing.

So, yes, a lot has changed in 15 years. All things considered, I'd rather not go back to my Pentium II and my dumb brick of a cell phone, even if security was simpler then. But going back to the basics of malware protection, with a little help from today's technology? Well, that doesn't seem like a bad idea at all. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
8/24/2013 | 1:05:54 PM
re: The More Things Change
....it may have, although it may be that some software builders are less than totally well-intentioned...

when you link that library how do you know what you are getting ?

remember: "zero defects" ...is a responsibility not a right. Zero Defects is what you do, not what you get.
Maxim Weinstein
50%
50%
Maxim Weinstein,
User Rank: Apprentice
8/23/2013 | 1:24:12 PM
re: The More Things Change
Excellent point, Mike. In the case you describe, the malware probably used one of my three core hacks to get in to the original supplier's build. But there's also the potential for deliberate insertion of a backdoor or spyware component by an upstream supplier, or by an insider within an organization, for that matter.
macker490
50%
50%
macker490,
User Rank: Ninja
8/22/2013 | 11:17:04 AM
re: The More Things Change
you missed one: supply system integration.

defending against malware requires authentications and authorizations. when software is presented it must be authenticated: is this what it claims to be? and then it must be authorized by the system administrator. earlier systems didn't even bother to check they just let anything in. oh well.

in supply system integration a reputable supplier un-knowingly integrates malware as he completes his builds. he then signs for his works and forwards it on the supply system or to the customer, signed and sealed, malware unknowingly included.

only a zero-defect program can control this: each builder along the supply line must take responsibility for validating not only his own work -- but -- other inputs he is incorporating into his product. this seems daunting at first but if you start at the beginning and follow through it can be done. when I compile any module I must assume responsibility for it being what I say it is.

the implications are enormous. but I think we've about had it with the un-checked method.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.