IT

Eliminating the threat of malware on the desktop

14 February 2006

Spyware, malware, crimeware, whichever name you pin on it, the threat is very real and it has been infiltrating networks on a global scale at an increasing rate over the last six months. This new breed of viruses arrives through email, over the web and can even be inadvertently introduced by poorly educated users.

Fully funded organisations work around the clock, developing ever-stealthier and more destructive code with which to sneak into corporate networks, causing havoc and gathering sensitive data. Once collated, this information is disguised and transmitted using the standard computer port for outbound web traffic — port 80, hiding its tracks and supplying the perpetrators with passwords, login details, email addresses or credit card numbers from the infected comuter. This information can be worth millions of pounds and is sold and traded on the Internet by organised crime outfits profiting from those with the technical know-how.

Losing corporate information can be extremely costly in itself with latest reports showing an average cost to recover from a severe attack being around £100,000. However losing customer or supplier information puts not only the company brand and reputation at risk, but can contravene regulatory and compliance laws, leading to significant fines and loss of market confidence.

Fooled you!

Anti-virus vendors and service providers have their work cut out in meeting the challenges set by the criminals. Because of the way in which it is developed, Malware fools many anti-virus solutions into thinking it is harmless traffic or email. Once inside, it can attack anti-virus software first, by turning off detection systems, leaving it free to roam networks and desktops without raising an alarm.

Another alarming trait of today's virus is the use of Root Kits. These tools are intended to conceal running processes, files or system data, which helps a potential intruder maintain access to a desktop without alerting a user to its purpose. Root Kits can affect systems at the kernel level or application level, spoofing regular processes and tricking users into entering what they think are secure environments, but which are in fact very convincing fakes. The potential for loss of information is huge, as is the sharp drop in productivity associated with the cleaning and remediation of infected systems.

Moving the goal posts

Historically, security has been dealt with at the perimeter of a business — in theory an easy approach of keeping everything out until its integrity has been validated. While not entirely foolproof, this method worked well for a number of years with high profile breaches few and far between. Nowadays, as threats have evolved, this is becoming a harder task in itself, but to add to the pain, the modern enterprise no longer conforms to a perimetered model. Employees are no longer bound to their desks and will regularly take laptops and devices out into the field. At this point protection becomes extremely difficult to keep tabs on and begins to put an onus on the user to take responsibility for their own system integrity — not something which can be relied upon! If a user picks up a virus whilst checking webmail at a coffee shop or even at a customer site, it is all too easy to return to the corporate LAN, skip through the firewall and begin to infect the network from the inside out.

This "perimeterless" environment raises a number of questions within the IT department; how can we lock down users' desktops once they have left the network? How can we spot and stop viruses while a user is on the road? How can we get a PC to reverse any miscreant configuration changes?

How to stop the rot

The most effective way of tackling the problems faced by IT departments is to proactively manage the desktop environment; identify and block viruses and unauthorised applications before they have a chance to act; protect local system settings and configurations, ensuring they remain aligned to preset policies and preserve installed security software.

Application management at the point of inception is vital and should include prohibiting all unwanted and unauthorised applications through trusted administrator ownership and the creation of a whitelist of fully approved exceptions. This means that desktops in the field or within the network will no longer be at risk from unrecognised self-executions including .exe's, batch files, ActiveX controls and DLL's.

In addition, desktop environments must be safeguarded so that innocent and malicious alterations are reversed. This prevents additions to such areas as the Windows Registry that Malware uses to alter applications like Internet Explorer or to ensure it is loaded as Windows starts. Self healing any alterations to commonly exploited registry keys such as Browser Helper Objects and UrlSearchHooks prevents spyware masquerading as useful items such as search assistants or extra toolbars.

In conclusion

As mobile working, together with Internet and e-mail use make the network perimeter less relevant, the securing of endpoints across the enterprise is becoming more vital. Stopping new and previously unseen threats as well as the existing Spyware, Trojans and other forms of malware is the next big title in the world of IT Security. Clearly there is no way to stop the production of malware but by augmenting what a firewall, intrusion detection system or anti-virus client does, application and environment management offers a tiered approach to security that gives organised virus writers a little something extra to think about.

Peter Rawlinson, Security Product Marketing Manager, AppSense Ltd

AppSense Ltd. is exhibiting at Infosecurity Europe 2006 which is Europe's number one information Security Event. Now in its 11th year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on the 25th - 27th April 2006 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security.
Website: www.infosec.co.uk

To top

To top