The methods of infection and propagation haven't changed much--virus writers are still relying on mass-mailing techniques--but the targets of these exploits have changed drastically.
Over the last several years, most malicious code has targeted Internet users in general. Recently, however, the target has shifted. Malicious code is now the preferred weapon in a war between virus writers and corporations--or even between rival groups.
Take, for example, the MyDoom worm that attacked in January. Typical of most malcode, the worm relied on users to click on a file attachment to launch it.
Subsequent variants of MyDoom targeted Microsoft and the Recording Industry Association of America with similar DDoS attacks, indicating yet again that there was a single target with a political motive. In all MyDoom variants, infected corporations were unwitting pawns in the attacks; i.e., collateral damage in a war between malcode writers and specific targets.
MyDoom isn't the only example. Two other recent worms that received media attention for the speed with which they spread and the nontraditional motives for their creation were variants of NetSky and Bagle. They have been linked to rival virus-writing groups motivated by little more than bragging rights. Again, corporations and Internet users wound up as the collateral damage.
But while most people would be quick to blame malcode writers or software manufacturers for MyDoom, NetSky and Bagle (and with good arguments supporting their positions), aren't corporations at least a little bit culpable? Are companies doing everything they can to protect their organizations and prevent the spread of malicious code to their customers and partners, and to the Internet community as a whole?
When it comes to malicious code, there are two undeniable security truths:
In addition, software will contain imperfections and vulnerabilities as long as humans are programming it.
Unfortunately, the third undeniable security truth seems to be that corporations will be infected on a widespread basis by several exploits per year. But why? None of the aforementioned exploits used particularly innovative propagation techniques or new attack vectors. All were preventable by following several easy, essential practices that don't affect the normal course of business at most corporations.
The inescapable conclusion is that corporations are partly to blame. They continue to fail in blocking exploits that use age-old tricks in order to infect and spread. As the old saying goes, "Fool me once, shame on you. Fool me twice, shame on me."
What corporations need to know is that the real, third security truth is that the more proactive the security effort, the more successful they will be in avoiding becoming an unwitting pawn in the information security war.
Better employee training on the dangers of unsolicited e-mail attachments and communicating that corporate security policies are inflexible can also help cure an employee's insatiable hunger to click.
Too many organizations rely on the patching and updating of virus definitions as their primary defense against malicious code. Unfortunately, these measures are reactive solutions that do nothing to protect organizations against unknown threats.
For example, aggressive patching ranked last of the seven measures that actually worked to protect companies against the SQL Slammer worm in 2002. The other six protective measures were all proactive and generic; what's more, all were much easier, less expensive and more effective against the great majority of malicious code attacks.
Corporations need to take responsibility for their culpability. They also need to be more proactive about security. By reducing the number of pawns at our enemy's disposal, we can significantly reduce the impact of malicious code.
Bruce Hughes is the director of malicious-code research at TruSecure's ICSA Labs.