Tech Insight: Layering Up For Malware Protection

No one layer of threat detection technology can sufficiently protect the enterprise today from malicious code—a look at five best practices

Malware has traditionally entered the enterprise through two main avenues, the Web and email. In the early 2000s, email was the favorite vector for malware writers: controls were weak, email was everywhere, and it was easy to convince someone to open a message and run the attachment. Attackers still use email to infect machines, of course, but they have also moved to more sophisticated drive-by downloads. They place their malware on legitimate websites, either through advertising networks or by compromising the site itself, and unsuspecting visitors download it without realizing it and join the malware creator's army of infected systems.

The most cost-effective method of preventing and detecting this type of malware is a Web filter. An open-source system such as Squid, or an enterprise offering from Barracuda, Websense, Webroot, or others, can block known malware-distribution sites, and some products, such as M86's offering, also analyze the traffic itself for malicious content. Some tools extend that filtering to users even when they are off the corporate network.

Desktop detection is the next most common layer, and the one more organizations have already invested time and money in setting up. If the Web filter misses a threat, the desktop protection will, with luck, catch it. Stand-alone anti-virus is becoming a thing of the past as desktop protection suites that combine buffer-overflow prevention, anti-virus, anti-malware, and host intrusion prevention become the standard. The exploit-prevention components let enterprises stop malware from exploiting the system even when the product does not recognize it as malware.

Complex malware kits such as those behind Zeus leverage multiple exploits in the OS and installed applications to gain privileges, inject malware into the system, and carry out data-stealing tasks. A desktop protection suite that detects known malware and blocks known attack techniques improves an organization's odds of avoiding exploitation that much more. But these tools are generally far less effective at catching unknown, or zero-day, malware threats.

Email attacks still rely on infected attachments, including malicious VBS scripts, and increasingly direct users to URLs on sites the attacker controls. Web filters can block known malware-distribution URLs, but in some cases the email-filtering system gets there first: it flags the message as spam and never delivers it to the user. Email-filtering capabilities have improved drastically in the past few years, and enterprises now have both on-premises and cloud offerings from companies like Barracuda, Symantec, Postini (Google), and AppRiver. Because these services and products stop the malicious URL from reaching the user in the first place, they work no matter where the user is or from what device the user reads email.
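The two checks described above, flagging executable attachments and catching links to known malware-distribution domains, as an added Python example that is not code from the article or from any of the vendors it names. The domain match is the same suffix match a Web filter applies to a destination host, so the block also illustrates the Web-filter layer. The blocklist, the list of executable extensions and the sample message are all constructed for the example; the `.example` domains are hypothetical.

```python
"""Email-layer malware checks: risky attachments and links to blocked domains.

Added example, not code from the article or from any vendor named in it.
BLOCKED_DOMAINS, EXECUTABLE_EXTENSIONS and the sample message are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed blocklist of hypothetical malware-distribution domains. A real
# filter would load this from a threat-intelligence feed.
BLOCKED_DOMAINS = {"bad-updates.example", "free-screensavers.example"}

# Attachment types that execute when opened. Only the final extension counts,
# so a double-extension lure like "invoice.pdf.vbs" is still caught.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".vbs", ".vbe", ".js", ".jse",
                         ".bat", ".cmd", ".com", ".pif", ".hta"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_is_blocked(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if the host or any parent domain is on the blocklist.

    This is the suffix match a Web filter applies: listing
    "bad-updates.example" also blocks "cdn.bad-updates.example", but not
    the unrelated "bad-updates.example.org".
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def final_extension(filename: str) -> str:
    """Return the last extension of a filename, lower-cased ("" if none)."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_message(raw: bytes) -> dict:
    """Inspect one RFC 5322 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"blocked_urls": [], "risky_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if final_extension(filename) in EXECUTABLE_EXTENSIONS:
                findings["risky_attachments"].append(filename)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if domain_is_blocked(urlparse(url).hostname or ""):
                    findings["blocked_urls"].append(url)
    findings["quarantine"] = bool(findings["blocked_urls"]
                                  or findings["risky_attachments"])
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a link on a blocked domain plus a disguised VBS file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Review http://cdn.bad-updates.example/inv.php?id=7 "
                    "or open the attached invoice.")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The suffix match matters more than it looks: an exact-string blocklist misses every subdomain an attacker spins up under a listed domain, while a naive substring match would also block `bad-updates.example.org`, which belongs to someone else. Matching on the final extension, rather than on whether the name "looks like a PDF", is what defeats the double-extension trick.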

Mobile phones are the newest target for attackers. Always on, always connected, and often lacking the security controls of a managed desktop, they are an attacker's dream. Some platforms, such as BlackBerry, are closed and designed with security in mind. The iPhone is also a closed platform, but users can jailbreak it and weaken its security. The Android line of devices is considered the most open and is also regarded as carrying the most risk. Products such as Lookout, Zenprise, and MobileIron provide security features and management for phones.

Network monitoring with intrusion detection or network analysis tools provides insight into malware that may be running rampant on your network. Snort is a free, open-source IDS with rule sets covering virus, malware, and spyware traffic. By monitoring and alerting on network traffic, enterprises have a way to tell that malware has invaded the enterprise; even though other controls may have failed, the enterprise can react and has some insight into where the malware resides. But IDS and IPS tools, too, can miss unknown threats.
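What "insight into where the malware resides" looks like in practice, as an added Python example that is not code from the article or from the Snort project: alerts are parsed from Snort's alert_fast format and attributed to the internal host on each connection, so the hosts generating the most high-priority alerts float to the top. The alert lines are constructed to match that format, the rule SIDs sit in the local range (1000000 and up) and are hypothetical, and `INTERNAL_NETS` stands in for Snort's HOME_NET and is also an assumption.

```python
"""Rank internal hosts by Snort alert volume to find where malware resides.

Added example, not from the article or the Snort project. SAMPLE_ALERTS is
constructed in the shape of Snort's alert_fast output; the rule SIDs sit in
the local range (>= 1000000) and are hypothetical. INTERNAL_NETS plays the
role of Snort's HOME_NET and is also constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Address space we own; anything else is treated as outside (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log; the last line is deliberately not an alert.
SAMPLE_ALERTS = """\
05/27-10:14:02.118377  [**] [1:1000001:2] LOCAL MALWARE Bot check-in to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.3.14:49211 -> 203.0.113.7:80
05/27-10:14:05.400112  [**] [1:1000002:1] LOCAL MALWARE Spyware beacon over DNS [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.3.14:53002 -> 198.51.100.9:53
05/27-10:15:41.002901  [**] [1:1000001:2] LOCAL MALWARE Bot check-in to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.7.22:51004 -> 203.0.113.7:80
05/27-10:16:00.777000  [**] [1:1000003:1] LOCAL POLICY Ping from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.33 -> 10.0.0.1
May 27 10:16:01 sensor1 snort[4242]: not an alert line, should be ignored
"""


def parse_alert(line: str):
    """Return the fields of one alert_fast line, or None if it is not one."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """True if the address falls inside INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(lines, max_priority=2):
    """Aggregate alerts with priority <= max_priority (1 is most severe) by
    the internal host involved. Rows are sorted by alert count, then IP."""
    hosts = defaultdict(lambda: {"alerts": 0, "sids": set(), "peers": set(),
                                 "first": None, "last": None})
    for line in lines:
        a = parse_alert(line)
        if a is None or int(a["prio"]) > max_priority:
            continue
        # Attribute the alert to whichever end is inside our address space;
        # an internal host talking to an external peer is the case we want.
        for ip, peer in ((a["src"], a["dst"]), (a["dst"], a["src"])):
            if is_internal(ip) and not is_internal(peer):
                h = hosts[ip]
                h["alerts"] += 1
                h["sids"].add(a["sid"])
                h["peers"].add(peer)
                h["first"] = h["first"] or a["ts"]
                h["last"] = a["ts"]
                break
    rows = [{"host": ip, "alerts": h["alerts"], "sids": sorted(h["sids"]),
             "peers": sorted(h["peers"]), "first": h["first"], "last": h["last"]}
            for ip, h in hosts.items()]
    return sorted(rows, key=lambda r: (-r["alerts"], r["host"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS.splitlines()):
        print(row)
```

Two design points carry over to real deployments. Attribution keys on an explicit list of owned networks rather than on a generic "is private" test, because the documentation ranges used for the external peers here (and some real-world ranges) are classed as special-purpose by Python's `ipaddress` and would otherwise be mistaken for internal hosts. And the priority threshold is applied before aggregation, so low-priority policy noise such as the ICMP alert does not dilute the ranking unless you ask for it.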

As malware has become one of the largest threats to organizations, no single offering can keep up with all threats and protect the organization on its own. A layered approach to protecting your organization from data theft, identity theft, and intrusion, although not foolproof, provides the best results.
