The recent Zotob attacks remind me of an IDC report,
which suggested that most organisations in Western Europe have a
lacklustre approach to IT security, hoping that if they ignore the
problem it will pass them by. As a result, the majority still have
relatively weak security protection mechanisms in
place.
The good news is that IDC sees companies making major efforts to
improve their existing ecosystem. The bad news is that it might
take five years of work, mostly by IT developers, to achieve.
"Securing digital assets presents significant challenges to most
European organisations, many of which are now realising that a
holistic approach to security is paramount and an integral part of
any successful business strategy," said Thomas Raschke, programme
manager of IDC's European Security Products and Strategies
research.
"Successful companies can move from reactive security to a
comprehensive, integrated, and forward-looking approach to IT
security," he added.
Security monitoring remains IT's responsibility, but it is still
largely a bolt-on extra, and developers will be asked to integrate
monitoring into infrastructures. Déjà vu, you may think: five years
ago, antivirus software was largely sold as an add-on product, but
such technology is now integrated into many enterprise
applications.
The integration is important because having an array of
unintegrated, point solutions means problems can occur ‘between the
gaps’, leaving holes for attackers to target.
Richard Archdeacon, director of technical services at Symantec,
has a few ideas on how the future might develop.
He believes three elements need to be present in a security
structure: information, integration and education.
Taking information first, you need to know what’s going on and
what’s being done about it. That means you have to have good
information sources, so you can see where the trends are.
“The scenario should be like a dealing environment in financial
services,” says Archdeacon. “Like a dealing floor, you need to know
what the attack trends are and make a decision in terms of types of
threat, and how to deal with them. 18 months ago, we started to see
more attacks being made on confidential data, rather than big
attacks, hitting lots of people. But recently, the focus has been
on stealth attacks and extricating confidential information for
financial gain.”
Archdeacon believes organisations need to know what is happening
strategically, so that they can then do risk assessments in terms of
which threats are new, which are confirmed, and which are
ongoing.
“These latest attacks are being made on Windows 2000, a more
dated technology. So there is a need for organisations to ask
themselves what their risk assessment is for older technologies.
Where does the organisation have them? Will Scada [supervisory
control and data acquisition] systems be affected, such as process
control, pumping stations, because they are often based on Windows
2000 technology?” asks Archdeacon.
He believes that companies have to be able to integrate the
reporting of their disparate security technologies, and then take
strategic, analytical and tactical decisions to benefit the
organisation.
For example, if there are seven threatening versions of Zotob
out there, which one should you tackle first? Which one carries the
greatest risk? By adopting threat management concepts and doing
effective risk assessment, you can put into practice measures that
minimise risk to critical areas. Having made these assessments, you
can then decide how best to commit corporate resources.
There is little doubt that the ‘flash to bang’ cycle, the time
between a vulnerability being disclosed and its being exploited,
has been shrinking rapidly. It used to be weeks; now it is days.
With the Zotob outbreak the window was three days, the shortest
such gap seen to that point. This emphasises the absolute necessity
of having technology in place that can protect against ‘zero-day’
threats without delay.
The trouble is that even when antivirus definitions have been
created to cope with a threat, there may still be a window of
anywhere from 24 to 72 hours before all machines on the corporate
network have been updated and protected. One simple cause is
companies’ ‘moving population’: staff using laptops on the
road.
Typically, these are the systems whose definitions have not been
updated, and making sure staff are not complacent about this is an
ongoing education process.
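The two questions raised above, where the older platforms sit and which machines are still outside the definition-update window, are the kind of thing a short inventory check can answer. The following is an added example, not code from the article, IDC or Symantec: it reads a constructed endpoint inventory, flags hosts whose definitions are older than an assumed 72-hour window, and ranks them using illustrative weights for stale definitions, Windows 2000, Scada roles and roaming laptops. The hostnames, timestamps, reference time, threshold and weights are all assumptions.

```python
"""Definition-lag and legacy-platform check over an endpoint inventory.

Added example; not code from the article, IDC or Symantec. The inventory
rows, the 72-hour staleness threshold, the reference time and the priority
weights are all assumptions made for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reference time for the check, fixed so the example runs offline (assumed).
NOW = datetime(2005, 8, 17, 9, 0)

# Definitions older than this are treated as not yet covering a newly
# released signature (the 24 to 72 hour lag the article describes).
MAX_DEFINITION_AGE = timedelta(hours=72)

# Constructed inventory (not real hosts). Columns: hostname, operating
# system, role, whether the machine roams, last definition update.
INVENTORY_CSV = """\
hostname,os,role,mobile,last_definition_update
fs01,Windows Server 2003,file-server,no,2005-08-17T06:10
pump-ctl-3,Windows 2000,scada,no,2005-08-09T22:45
lt-sales-12,Windows XP,laptop,yes,2005-08-11T18:30
lt-eng-04,Windows 2000,laptop,yes,2005-08-16T20:05
hr-desk-7,Windows XP,desktop,no,2005-08-15T12:00
"""


@dataclass
class Endpoint:
    hostname: str
    os: str
    role: str
    mobile: bool
    last_update: datetime

    def definition_age(self, now: datetime = NOW) -> timedelta:
        return now - self.last_update

    def is_stale(self, now: datetime = NOW) -> bool:
        return self.definition_age(now) > MAX_DEFINITION_AGE

    def priority(self, now: datetime = NOW) -> int:
        """Higher means deal with it first. Weights are assumed, not a standard."""
        score = 0
        if self.is_stale(now):
            score += 10          # unprotected against the current signature set
        if self.os == "Windows 2000":
            score += 5           # the platform the article says Zotob hit
        if self.role == "scada":
            score += 5           # process control: an outage is costly
        if self.mobile:
            score += 2           # roaming machines tend to miss the next push too
        return score


def parse_inventory(text: str) -> list[Endpoint]:
    """Parse the CSV inventory into Endpoint records."""
    endpoints = []
    for row in csv.DictReader(io.StringIO(text)):
        endpoints.append(Endpoint(
            hostname=row["hostname"],
            os=row["os"],
            role=row["role"],
            mobile=row["mobile"].strip().lower() == "yes",
            last_update=datetime.fromisoformat(row["last_definition_update"]),
        ))
    return endpoints


def stale_hosts(endpoints: list[Endpoint], now: datetime = NOW) -> list[str]:
    """Hostnames whose definitions are outside the allowed window, inventory order."""
    return [e.hostname for e in endpoints if e.is_stale(now)]


def triage(endpoints: list[Endpoint], now: datetime = NOW) -> list[tuple[Endpoint, int]]:
    """Endpoints ordered most-urgent first (ties by hostname), with their score."""
    scored = [(e, e.priority(now)) for e in endpoints]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0].hostname))


if __name__ == "__main__":
    eps = parse_inventory(INVENTORY_CSV)
    for ep, score in triage(eps):
        hours = ep.definition_age().total_seconds() / 3600
        flag = "STALE" if ep.is_stale() else "ok"
        print(f"{score:3d}  {ep.hostname:<12} {ep.os:<20} {ep.role:<12} {hours:6.1f}h {flag}")
```

Run as a script it prints the ranked list; on the constructed data the Windows 2000 pumping-station controller with week-old definitions comes out first, the roaming sales laptop second, and the up-to-date file server last. In practice the inventory text would come from the endpoint management console rather than an inline string, and the weights would be set from the organisation's own risk assessment.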