Unfortunately, this is a step in the wrong direction--perhaps even a step backward--for IT security.
In a Sept. 22 article about the program, CNET News.com wrote that "the project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected, the initiative's backers said."

The key phrase in this description of the initiative is "when included." Therein lies the problem: Organizations can name all the existing worms they want, but what about those that are unknown and being developed by hackers on a daily basis? What about those that will never be distributed "at large" but instead are specifically targeted at a few select victims?
Organizing how worms and other attacks are identified is just another example of enterprises trying to deal with attacks after they occur instead of turning their efforts to what should be priority No. 1: prevention. When an enterprise is attacked by a worm, do C-level executives really care about which worm is attacking, or do they simply care that they are being exploited?
According to the initiative, when there is an outbreak, a CME participant will request an identifier by submitting a sample of the new malicious code to an automated system. Participants eventually receive the designated moniker and insert it into their security technology. During this process, the unknown worm will already be in the wild, infecting computing environments at will.
The basic course of action suggested by this project is almost laughable: A company inserts the agreed-upon directory of worms into its security software, it waits for an attack to happen, it identifies the malicious code that is causing the damage and then the IT staff must deal with it. Again, security vendors are telling companies to sit back and wait for the attack. At least now they will know exactly what to call the worm in the press release they will have to issue announcing the security breach to investors.
Here's an idea that's so crazy, it just might work: Instead of focusing on naming worms based on their unique characteristics and attack methods, how about companies focus on how to prevent worms and other malicious code based on these characteristics?
The truth is, hackers will always be able to locate vulnerabilities and issue new malicious code to exploit them. Unknown worms, viruses, Trojans and spyware will continue to run rampant, wreaking havoc on those systems unfortunate enough to get in the malware's path. Instead of analyzing the commonalities of malware for identification purposes, security vendors should use this analysis to find methods of prevention.
Easier said than done, yes, but certainly possible.
For instance, allowing all the applications you need and denying all other executables is an example of how treating all worms equally--in this case, as executable code--can unearth a means of preventing attacks. This is a simple yet effective way for enterprises to keep even unknown worms and other malware out of their systems.
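The default-deny approach in the paragraph above, as an added illustration that is not SecureWave's or CNET's code: it assumes executables are identified by the SHA-256 of their contents and that the approved hashes were collected before deployment. A file that is not on the list is refused whether or not anyone has named it, and a tampered copy of an approved program is refused too.

```python
# Added example: a default-deny executable allowlist of the kind the
# paragraph above describes. Assumption: executables are identified by
# the SHA-256 of their contents; anything not on the list is denied,
# so a never-before-seen worm needs no name or signature to be blocked.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file's contents in chunks so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ExecutableAllowlist:
    """Policy: allow only executables whose hash was approved in advance."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def decide(self, path):
        """Return ('allow' | 'deny', reason). Unknown and unreadable both deny."""
        try:
            digest = sha256_of(path)
        except OSError as exc:
            return ("deny", f"unreadable: {exc.__class__.__name__}")
        if digest in self.approved:
            return ("allow", digest)
        return ("deny", f"not on allowlist: {digest[:12]}")


def demo():
    """Run the policy over constructed sample files; returns the decisions."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "payroll.exe")
        unknown = os.path.join(workdir, "invoice.scr")
        with open(approved, "wb") as f:
            f.write(b"MZ constructed stand-in for an approved business app")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed stand-in for a worm nobody has named yet")
        policy = ExecutableAllowlist([sha256_of(approved)])  # approved at deploy time
        results = {"approved": policy.decide(approved)[0],
                   "unknown": policy.decide(unknown)[0]}
        with open(approved, "ab") as f:  # an infected or tampered copy changes its hash
            f.write(b"\x90")
        results["tampered"] = policy.decide(approved)[0]
        return results
```

Hash-based allowlisting still has to be paired with a maintained approval process, since every legitimate update changes the hash and must be re-approved.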
Identifying worms might be a great way to punch up headlines, but quite frankly, it has no effect on stopping the attacks. We all know that a rose by any other name would smell just as sweet, but are we really expected to be fooled by a worm by any other name?
Surely you jest.
Biography
Dennis Szerszen, a former industry analyst, is the vice president of marketing and business development at SecureWave, a provider of endpoint security software. Write to him at denniss@securewave.com.
While I agree that heuristic intrusion detection systems and virus scan/shield/removal software are the way forward, there is still a use for virus signatures.
When they give a virus a signature, it looks not just for that virus but for variations of it exploiting similar things. It is much less processor intensive to scan traffic for signatures, and this can be done in a layer outward of a heuristic based detection device.
Internet->
packet filter->
firewall with signature based scanning->
heuristic based intrusion detection system->
your network.
Heuristic based systems currently throw too many false alarms, dropping legitimate traffic, or don't catch enough and leave a door open enough for remote access attacks.
More power to you and your company on continued developments in network defense devices and software. Ideally every network admin would take a less is more approach to security and lock down everything not needed.
Even in that scenario, virus signatures still have a use, and to imply that companies should take a heuristic only approach and that signatures have no place in the future or forward looking present is irresponsible.
- What's the REAL problem here?
- by wbenton November 11, 2005 3:39 PM PST
- Is it really Signatures vs. Heuristics?
Is it in naming the culprits?
Is it corporate infection?
Is it not having a name for the culprit?
OR
Is it a combination of Weak Operating Systems that allow these exploits by default AND unskilled IT managers incapable of locking down the system such that many of these exploits could have been avoided?
An ounce of prevention is worth a pound of cure. But the methods which they seem to be going about as described in this article seem to show that people are more concerned with the cure... and less concerned with the prevention bit!
Walt