Eliminating the threat of malware on the desktop
14 February 2006
Spyware, malware, crimeware, whichever name you pin on it, the threat is very real and it has been infiltrating networks on a global scale at an increasing rate over the last six months. This new breed of viruses arrives through email, over the web and can even be inadvertently introduced by poorly educated users.
Fully funded organisations work around the clock, developing ever-stealthier and more destructive code with which to sneak into corporate networks, causing havoc and gathering sensitive data. Once collated, this information is disguised and transmitted over the standard port for outbound web traffic — port 80 — so that it blends in with normal browsing, hiding its tracks and supplying the perpetrators with passwords, login details, email addresses or credit card numbers from the infected computer. This information can be worth millions of pounds and is sold and traded on the Internet by organised crime outfits that profit from those with the technical know-how.
Losing corporate information can be extremely costly in itself, with the latest reports putting the average cost of recovering from a severe attack at around £100,000. However, losing customer or supplier information not only puts the company brand and reputation at risk, but can contravene regulatory and compliance laws, leading to significant fines and loss of market confidence.
Fooled you!
Anti-virus vendors and service providers have their work cut out in meeting the challenges set by the criminals. Because of the way in which it is developed, malware fools many anti-virus solutions into thinking it is harmless traffic or email. Once inside, it can attack the anti-virus software first, turning off detection systems and leaving it free to roam networks and desktops without raising an alarm.
Another alarming trait of today's virus is the use of rootkits. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a desktop without alerting the user to its purpose. Rootkits can operate at the kernel level or the application level, spoofing regular processes and tricking users into entering what they think are secure environments, but which are in fact very convincing fakes. The potential for loss of information is huge, as is the sharp drop in productivity associated with the cleaning and remediation of infected systems.
Moving the goal posts
Historically, security has been dealt with at the perimeter of a business — in theory an easy approach of keeping everything out until its integrity has been validated. While not entirely foolproof, this method worked well for a number of years, with high-profile breaches few and far between. Nowadays, as threats have evolved, this is becoming a harder task in itself, but to add to the pain, the modern enterprise no longer conforms to a perimeter-based model. Employees are no longer bound to their desks and will regularly take laptops and devices out into the field. At this point protection becomes extremely difficult to keep tabs on and begins to put an onus on the user to take responsibility for their own system integrity — not something which can be relied upon! If a user picks up a virus whilst checking webmail at a coffee shop or even at a customer site, it is all too easy to return to the corporate LAN, skip through the firewall and begin to infect the network from the inside out.
This "perimeterless" environment raises a number of questions within the IT department: how can we lock down users' desktops once they have left the network? How can we spot and stop viruses while a user is on the road? How can we get a PC to reverse any miscreant configuration changes?
How to stop the rot
The most effective way of tackling the problems faced by IT departments is to proactively manage the desktop environment: identify and block viruses and unauthorised applications before they have a chance to act; protect local system settings and configurations, ensuring they remain aligned to preset policies; and preserve installed security software.
Application management at the point of inception is vital and should include prohibiting all unwanted and unauthorised applications through trusted administrator ownership and the creation of a whitelist of fully approved exceptions. This means that desktops in the field or within the network will no longer be at risk from unrecognised self-executing code, including .exe files, batch files, ActiveX controls and DLLs.
In addition, desktop environments must be safeguarded so that both innocent and malicious alterations are reversed. This prevents additions to areas such as the Windows Registry that malware uses to alter applications like Internet Explorer or to ensure it is loaded as Windows starts. Self-healing any alterations to commonly exploited registry keys such as Browser Helper Objects and URLSearchHooks prevents spyware masquerading as useful items such as search assistants or extra toolbars.
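The self-healing described above, as an added PowerShell example that is not AppSense's product code: it records a baseline of the Browser Helper Objects, URLSearchHooks and Run keys on a clean machine, then on each scheduled run reports any subkey or value that has been added or changed and, with -Revert, puts the key back. The registry paths are the standard Windows ones; the baseline file location under ProgramData is an assumption.

```powershell
# Added example, not AppSense's product code: baseline the registry locations the article
# names (BHOs, URLSearchHooks, Run autoruns) and report or revert any drift from it.
# Key paths are the standard Windows ones; the baseline file location is an assumption.
$BaselinePath = "$env:ProgramData\EndpointBaseline\registry-baseline.json"
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Snapshot one key: BHO/search-hook entries are CLSID subkeys, autorun entries are values.
function Get-KeySnapshot {
    param([string]$Key)
    $snap = @{ Values = @{}; SubKeys = @() }
    if (-not (Test-Path $Key)) { return $snap }   # absent key = empty snapshot
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        if ($name -ne '') { $snap.Values[$name] = [string]$item.GetValue($name) }
    }
    $snap.SubKeys = @($item.GetSubKeyNames()); return $snap
}
# Run once, elevated, on a known-clean build.
function Save-Baseline {
    $all = @{}
    foreach ($k in $WatchedKeys) { $all[$k] = Get-KeySnapshot $k }
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $all | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath
}
# Scheduled run: warn on additions/changes; -Revert removes unknown subkeys/values and restores altered values (as strings).
function Compare-ToBaseline {
    param([switch]$Revert)
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    foreach ($k in $WatchedKeys) {
        $now  = Get-KeySnapshot $k
        $base = $baseline.PSObject.Properties[$k].Value
        foreach ($sub in $now.SubKeys) {
            if (@($base.SubKeys) -notcontains $sub) {
                Write-Warning "Unexpected subkey '$sub' under $k"
                if ($Revert) { Remove-Item -Path (Join-Path $k $sub) -Recurse -Force }
            }
        }
        foreach ($name in $now.Values.Keys) {
            $expected = $base.Values.PSObject.Properties[$name]
            if (-not $expected -or $expected.Value -ne $now.Values[$name]) {
                Write-Warning "Added or changed value '$name' under $k"
                if ($Revert -and $expected) { Set-ItemProperty -Path $k -Name $name -Value $expected.Value }
                elseif ($Revert) { Remove-ItemProperty -Path $k -Name $name }
            }
        }
    }
}
```

Call Save-Baseline from an elevated prompt on the reference build, then schedule Compare-ToBaseline (with -Revert once the warnings have been reviewed) so that drift in these keys is caught whether or not the laptop is on the corporate LAN.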
In conclusion
As mobile working, together with Internet and e-mail use, makes the network perimeter less relevant, securing endpoints across the enterprise is becoming more vital. Stopping new and previously unseen threats, as well as the existing spyware, Trojans and other forms of malware, is the next big challenge in the world of IT security. Clearly there is no way to stop the production of malware, but by augmenting what a firewall, intrusion detection system or anti-virus client does, application and environment management offers a tiered approach to security that gives organised virus writers a little something extra to think about.
Peter Rawlinson, Security Product Marketing Manager, AppSense Ltd
AppSense Ltd. is exhibiting at Infosecurity Europe 2006, Europe's number one information security event. Now in its 11th year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on 25-27 April 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security.
Website: www.infosec.co.uk