In any given year, there are approximately 100 shark attacks worldwide. Of those 100, only 16 of these attacks end in a fatality. Funny then, that we humans have such irrational fears about being attacked by a shark while swimming in the ocean. Clearly, the odds of an attack are incredibly small. Our fears are simply fueled by movies and television shows that make the danger seem far more common.
The case against malware is very similar: Malware exists, but it consumes a lot of resources unnecessarily. And despite the danger, IT security professionals place far too much emphasis on data loss through malware than they should.
First, let me say that malware can indeed be a huge problem and time must be spent on a defense-in-depth strategy that reduces a company's exposure significantly. But once that's done, it's time to move on to the next security hole in your organization. Unfortunately, we're often so focused on malware that we end up with a security posture that's heavily protected against electronic attacks, but lacking in other areas -- specifically social engineering.
What Target tells us
The Target store breach is a perfect example of this. As details of the breach emerge, it’s starting to look as if malware was indeed used to steal customer financial information. What we don’t know is whether Target has a security posture in place that could have prevented the attack. We also don't know if the malware used was known and could have been initially blocked. If the malware was new and highly sophisticated, tools like an IPS and antivirus software would have been rendered useless. What can be controlled is how the malware was installed on Target store systems. As the New York Times bits blog pointed out:
To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems.
At DefCon 21, for instance, a capture-the-flag competition set about to see just how easy it is to obtain sensitive business information using social engineering methods. The contest targeted ten Fortune 500 companies. Suffice it to say the results were chilling. It's far too easy for regular, untrained people to simply pick up the phone, call an employee, and glean important information from him or her while pretending to be a student, vendor, or a fellow employee.
Information such as OS patch versions, WiFi SSIDs, and even information regarding physical security was happily handed over. Additionally, this year's contest presenters noted that simple Internet searches of companies and their employees garnered far more sensitive information than in years past. The reason for the increase in company leaks on the public Internet? Social networking sites such as Facebook, LinkedIn and Twitter. The problem I see is twofold.
- Cyber spies engaged in corporate espionage who are seeking information about a company -- such as a potential merger, new product, or market -- are likely to find it much easier to use the phone to steal the information using non-technical methods.
- Hackers can use the information obtained though social engineering to find weaknesses in a network infrastructure and be able to attack a company using targeted malware.
Either way, the chances of information leaks and other security breaches goes up significantly because your IT security team tends to ignore employee education.
It's not the malware, it's the people
By education, I'm talking about training sessions that teach people about common pitfalls that most social engineers use. It's important to demonstrate that a caller-ID is easy to spoof -- or manipulate to show anything the caller wants. Just because the call comes from a known and trusted caller-ID, doesn't mean you should believe it.
Organizations also need to show employees on how to determine that the person is who they say they are. For example, when you get a phone call ask the caller to follow up with an email, or call him or her back at the caller-ID number to verify the person's identity. Instill into employees that sensitive information should never be transmitted over the phone and that fellow employees will never ask for it. Train them to become highly skeptical of who's on the other end of the line.
The truth is, malware can be contained if the proper security plans are in place -- and it's likely that your organization already has a decent hold on this issue. But security professionals can't stop here. Once the threat of most malware attacks is removed, we can move onto much more serious threats to data loss.
Andrew Froehlich has well over a decade of enterprise networking experience under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-out.