Malware menace growing – and what you can do about it

Large businesses using social networking tools are vulnerable to far greater security attacks than their systems are equipped to handle, say Internet security experts.

In addition, Web-based technologies such as VoIP (voice over Internet Protocol) and online collaboration tools are introducing new risks to the network, according to Peter Evans, vice-president of Internet Security Systems (ISS) for IBM.

Conventional point security products aren’t adequate to deal with the situation, he said.

“The firewall alone is no longer an effective weapon against these attacks,” Evans said in an IBM-hosted Webcast last week titled: Evolving Threat Landscape.

He said the malicious code that security administrators deal with on a daily basis has more than doubled in the past 20 years. Nearly 75 to 80 per cent of such code can be classified as Trojan malware.

Companies are drawn to Web 2.0 technologies because the marketing and collaboration opportunities they offer could boost productivity, business profile and profits.

But Evans said many firms appear to have neglected security concerns.

“They’ve been so concerned with asking: can we do it? that they’ve forgotten to ask: should I do it?”

This line of thinking, he said, has left many firms stuck with “siloed” security frameworks that can no longer handle today’s threats.

For example, he said many companies deploy different systems to deal with spam, viruses, malware and spyware. “Some businesses have upwards of 30 different technologies stacked on top of one another and the number is growing each year.”

The result is an increased complexity that prevents many security administrators from effectively monitoring the applications, he said.

One Ottawa-based security specialist agrees with Evans’ assessment that growing collaboration has opened corporate networks to countless threats.

“Before, the business network was generally closed to the public. But with social networking almost everyone is being invited in,” said Brian O’Higgins, chief technology officer at Third Brigade Inc., an IT security firm in Ottawa.

“Various applications – some of them user-generated – are allowed to run across the firewall boundary and enter different sectors of the network.”

In such a scenario, it’s very easy for a would-be attacker to introduce malicious code into the system, O’Higgins said.

Rather than deploy a single firewall to protect the entire perimeter, O’Higgins recommends a “layered approach” to security. This strategy will ideally cover security for the desktop, network and server environments.

For example, he said, a network can deploy basic URL filtering to guard against malicious Web sites. This type of tool filters out invalid Web certificates.

Another layer of protection can be provided by applications that examine HTTP headers and search for malicious content embedded in legitimate Web sites.

Tools that scan executable and binary files entering the network for known and unknown threats that may have been injected into them can also be deployed as additional protection.

The Ottawa-based security expert said some companies are moving away from a single perimeter security model.

“They are beginning to install protection at the host computer level or on every critical server.”

Organizations should also periodically reassess applications to determine if they are adequately protected against current threats, the Third Brigade exec said.

This could include updates and patch management, as well as regular vulnerability assessment tests.

Such vulnerability assessments can be conducted either by an in-house team, or a third party specializing in this field.

Once an assessment is done, a plan must be created to cover identified vulnerabilities and develop processes and practices that will support an enhanced security posture, he said.

Paying close attention to industry security regulations and compliance issues is also a must.

For example, O’Higgins urges businesses that conduct credit card transactions to stay up-to-date with the latest Payment Card Industry (PCI) data security regulations.

Ongoing education of all users is also important to instill a culture of security, he said.

At the same time, he said, a certain perspective is required on security issues.

Organizations must realize that “perfect security” is impossible to achieve.

“You don’t want to go overboard. Protection always has to be appropriate to the value of what is being protected.”
