Traditional reactionary anti-virus measures are no longer adequate
for business.
After several years of increasingly high-profile worm attacks,
culminating in Slammer, Blaster, MyDoom and Sasser over the past two
years, we are finally at the point where business is starting to take
IT security seriously.
The Department of Trade & Industry's latest security survey
shows that well over 90% of corporate desktops have anti-virus
software, but also states that 42% of UK businesses have had to
deal with a virus infection in the past 12 months.
The traditional remedy of combating viruses and malicious code by
keeping anti-virus signatures up to date would seem to be inadequate,
as the gap between a vulnerability being disclosed and attackers
finding ways to exploit it is narrowing.
Because anti-virus software relies on signatures, it can only be
effective after a new virus has been released and analysed. Only then
can a signature be written, and it then has to be distributed to every
client PC. This dependence on signatures has given rise to the term
"day zero" attack: an attack that succeeds on the day it is released,
because no signature or patch yet exists for it.
It has reached the point where day zero threats are a reality.
Vulnerabilities are routinely discovered in security devices and
applications, from firewalls and routers to anti-virus and e-mail
applications. When we are lucky, it is the suppliers who discover
these vulnerabilities first, and users only hear of them when a
patch is released to protect against potential threats.
Reshaped battlefield
Unfortunately, patches are usually produced reactively, in response to
a vulnerability that is already being exploited. In the days when
viruses had to propagate on infected files and floppy discs, users had
the luxury of time. The internet and e-mail, however, have reshaped
the battlefield: today's fastest-propagating worms can infect
thousands of hosts in a matter of minutes, and many of the newer worms
do so without using e-mail at all, spreading directly from host to
host through vulnerable network services.
There has also been a remarkable growth in variety and
sophistication of viruses, and innovations in their delivery and
payload mechanisms - which include the use of compromised "zombie"
computers for mass-launching viruses, spam and even distributed
denial of service attacks.
The compromised PCs are referred to as "bots", and a collection of
bots is referred to as a botnet. As well as online threats,
end-users with USB memory devices, iPods and mobile devices that
move in and out of the security of the Lan environment provide
routes in for viruses.
Multi-layered defence
Increasingly companies are taking a multi-layered
approach to security, beginning at the network and finishing at the
desktop, instead of simply relying on anti-virus software. Advanced
security at multiple points throughout the network is a necessity,
and some additional effort must be made to protect against the two
most substantial threats - day zero exploits and mobile
workers.
Day zero exploits require a new approach to monitoring and blocking
rogue network activity. Anti-virus systems, which require "pattern
matching", are unable to do this. Suppliers have developed
technologies such as host-based software that monitors for
malicious behaviour, and that can block potential damage both from
end-user error and from unknown Trojans such as keystroke loggers.
Although not infallible, this behaviour-checking software adds
another layer to network security: virus signatures change on a daily
basis, but malicious behaviour is relatively constant. For instance,
an executable that arrived as an e-mail attachment should not modify a
system file, add itself to the registry so that it runs at start-up,
or read the user's address book. None of these actions is malicious
in itself, and legitimate installers perform some of them, so the
software has to weigh where a program came from as well as what it
does, and it will occasionally block something legitimate. Taken
together, though, these actions describe what a mass-mailing virus
does from a behavioural point of view, and a behaviour monitor blocks
them when an untrusted program attempts them.
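The following is an added example, not code from the article or from any vendor's product, showing the kind of rule a host-based behaviour monitor applies. It tracks where each process came from (the origin labels, the "trusted publisher" flag, the sensitive paths and registry keys, and all process and event records are constructed for this example), treats an e-mail attachment and anything it spawns as untrusted, and blocks the three behaviours the text names while allowing the same actions from a trusted installer.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Locations the policy treats as sensitive (constructed for this example;
# comparison is case-insensitive, as Windows paths and key names are).
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM32\\",)
AUTORUN_KEYS = (
    "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
)
ADDRESS_BOOK_EXTENSIONS = (".wab", ".pst")


@dataclass
class Process:
    pid: int
    image: str
    origin: str                 # assumed labels: "system", "installed", "email", "download"
    parent_pid: Optional[int] = None
    trusted_publisher: bool = False  # signed by a publisher the organisation trusts (assumption)


@dataclass
class Event:
    pid: int
    action: str                 # "file_write", "reg_write", "file_read", "net_connect"
    target: str


def is_untrusted(pid: int, table: Dict[int, Process]) -> bool:
    """A process is untrusted if it, or any ancestor, arrived by e-mail or
    download without a trusted signature. Walking the parent chain catches
    the common trick of an attachment spawning cmd.exe to do its work."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        proc = table[pid]
        if proc.origin in ("email", "download") and not proc.trusted_publisher:
            return True
        if proc.parent_pid is None:
            break
        pid = proc.parent_pid
    return False


def classify(ev: Event, table: Dict[int, Process]) -> Tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for one observed action."""
    if not is_untrusted(ev.pid, table):
        return ("allow", "trusted origin")
    target_upper = ev.target.upper()
    if ev.action == "file_write" and target_upper.startswith(SYSTEM_DIRS):
        return ("block", "untrusted process modifying a system file")
    if ev.action == "reg_write" and target_upper.startswith(AUTORUN_KEYS):
        return ("block", "untrusted process adding an autorun registry entry")
    if ev.action == "file_read" and ev.target.lower().endswith(ADDRESS_BOOK_EXTENSIONS):
        return ("block", "untrusted process reading the address book")
    return ("allow", "no behaviour rule matched")


def run(processes: List[Process], events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Evaluate every event; returns (image, action, verdict, reason) rows."""
    table = {p.pid: p for p in processes}
    rows = []
    for ev in events:
        verdict, reason = classify(ev, table)
        rows.append((table[ev.pid].image, ev.action, verdict, reason))
    return rows


# Constructed sample: an attachment launched from the mail client, the shell
# it spawns, and a legitimately downloaded, signed installer.
PROCESSES = [
    Process(100, "explorer.exe", "system"),
    Process(110, "outlook.exe", "installed", parent_pid=100, trusted_publisher=True),
    Process(200, "photos.exe", "email", parent_pid=110),
    Process(300, "cmd.exe", "system", parent_pid=200),
    Process(400, "setup.exe", "download", parent_pid=100, trusted_publisher=True),
]
EVENTS = [
    Event(200, "file_write", "C:\\Windows\\System32\\wsock32.dll"),
    Event(200, "reg_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\photos"),
    Event(300, "file_read", "C:\\Documents and Settings\\alice\\Application Data\\alice.wab"),
    Event(400, "reg_write", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event(200, "net_connect", "10.0.0.5:25"),
]

if __name__ == "__main__":
    for row in run(PROCESSES, EVENTS):
        print(row)
```

Note that the last event, the attachment opening an SMTP connection, is allowed because no rule covers it: a behaviour monitor is only as good as its rule set, which is why the text calls it one layer rather than a replacement for the others.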
Mobile workers
Mobile workers, on the other hand, pose a different
threat. Machines outside the confines of the corporate Lan
environment are vulnerable to infection at several levels. These
machines can then be brought back into the Lan to spread their
payload behind the business' defensive line.
This has led suppliers to develop network security initiatives that
operate by checking mobile devices as they come onto the network
and permit or deny access depending on their security and patch
status.
Cisco has developed Network Admission Control (NAC) and Microsoft
has developed Network Access Protection (NAP). On 18 October Cisco
and Microsoft announced that they would work together to ensure
compatibility and develop interoperability between their respective
security architectures. Standards are vital, and both companies
have said they believe in the need to work towards standards in the
network admissions and access control space to help promote
widespread adoption.
Network security is an ongoing concern. However, through intelligent
host-based anomaly-checking systems, a defence-in-depth policy, and
industry-wide initiatives such as NAC and NAP, IT managers can give
the network a certain ability to defend itself against assault.
The day zero threat is there, but if adequate defences are set up,
companies should be able to withstand its assault with limited
casualties.
Paul King is senior security consultant at Cisco Systems UK