Another week, another virus. This time, a whole series
of variants of Zotob, and as usual, a few headaches for affected
companies.
The attacks reminded me of a recent IDC report, which suggested
that most organisations in Western Europe have a lacklustre
approach to IT security, hoping that if they ignore the problem it
will pass them by. As a result, the majority still have relatively
weak security protection mechanisms in place.
The good news is that IDC sees companies making major efforts to
improve their existing ecosystem. The bad news is that it might
take five years to achieve.
"Securing digital assets presents significant challenges to most
European organisations, many of which are now realising that a
holistic approach to security is paramount and an integral part of
any successful business strategy," said Thomas Raschke, programme
manager of IDC's European Security Products and Strategies
research.
"Successful companies can move from reactive security to a
comprehensive, integrated, and forward-looking approach to IT
security," he added.
The latest virus attacks have once again provided a wake-up call
for the corporate world.
Security monitoring remains IT’s responsibility, but is still
largely a bolt-on extra. Eventually, however, it will be integrated
into the infrastructure. Five years ago, antivirus software was
largely an add-on, but has now become integrated into many
enterprise applications.
The integration is important because having an array of
unintegrated, point solutions means problems can occur ‘between the
gaps’, leaving holes for attackers to target.
Richard Archdeacon, director of technical services at Symantec,
has a few ideas on how the future might develop.
He believes three elements need to be present in a security
structure:
• information
• integration, and
• education
Taking information first, you need to know what’s going on and
what’s being done about it. That means you have to have good
information sources, so you can see where the trends are.
“The scenario should be like a dealing environment in financial
services,” says Archdeacon. “Like a dealing floor, you need to know
what the attack trends are and make a decision in terms of types of
threat, and how to deal with them. 18 months ago, we started to see
more attacks being made on confidential data, rather than big
attacks hitting lots of people. But recently, the focus has been
on stealth attacks and extricating confidential information
for financial gain."
Archdeacon believes organisations need to know what is happening
strategically; they can then do risk assessments in terms of
which threats are new, which are confirmed, and which are
ongoing.
"These latest attacks are being made on Windows 2000, a more
dated technology. So there is a need for organisations to ask
themselves what their risk assessment is for older technologies.
Where does the organisation have them? Will Scada (Supervisory
Control and Data Acquisition) systems be affected, such as
process control and pumping stations, because they are often based on
Windows 2000 technology?" asks Archdeacon.
Archdeacon believes the companies that succeed at security will be
those that are best able to integrate the reporting of their
disparate security technologies, and take strategic, analytical and
tactical decisions to benefit the organisation.
For example, if there are seven threatening versions of Zotob
out there, which one should you tackle first? Which one carries the
greatest risk? By adopting threat management concepts and doing
effective risk assessment, you can put into practice measures that
minimise risk to critical areas. By making these assessments, you
can then decide how best to commit corporate
resources.
There is little doubt that the 'flash to bang' cycle (the time
between a vulnerability being spotted and when it is
exploited) has rapidly been coming down. It used to be weeks; now
it's days. With the Zotob outbreak, the window was three days,
making it the fastest vulnerability-announcement-to-worm outbreak to
date. This emphasises the absolute necessity to have technology in
place that can protect against 'zero-day' threats without
delay.
The trouble is that even when antivirus definitions have been
created to cope with threats, there may still be a window of
anything from 24, 48 or 72 hours before all machines on the
corporate network have been updated and protected. One of the
simple problems is companies' 'moving population', with staff using
laptops 'on the road'. Typically, these systems are the ones that
may not have had their definitions updated. And making sure staff
are not complacent is an ongoing education process.
One area to consider is outsourcing. Although the words security
and outsourcing don't easily fit together, areas such as firewall
monitoring, which involve huge overheads for an organisation trying
to do monitoring 24 x 7 with 5 people, can be outsourced more
cost-effectively.