The recent Zotob attacks remind me of an IDC report, which suggested that most organisations in Western Europe have a lacklustre approach to IT security, hoping that if they ignore the problem it will pass them by. As a result, the majority still have relatively weak security protection mechanisms in place.
The good news is that IDC sees companies making major efforts to improve their existing ecosystem. The bad news is that it might take five years of work, mostly by IT developers, to achieve.
"Securing digital assets presents significant challenges to most European organisations, many of which are now realising that a holistic approach to security is paramount and an integral part of any successful business strategy," said Thomas Raschke, programme manager of IDC's European Security Products and Strategies research.
“Successful companies can move from reactive security to a comprehensive, integrated, and forward-looking approach to IT security,” he added.
Security monitoring is still IT’s responsibility, but it remains largely a bolt-on extra, and developers will be asked to integrate monitoring into their infrastructures. Déjà vu, you may think: five years ago, antivirus software was largely sold as an add-on product, but such technology is now integrated into many enterprise applications.
The integration is important because an array of unintegrated point solutions means problems can occur ‘between the gaps’, leaving holes for attackers to target.
Richard Archdeacon, director of technical services at Symantec, has a few ideas on how the future might develop.
He believes three elements need to be present in a security structure: information, integration and education.
Taking information first, you need to know what’s going on and what’s being done about it. That means you have to have good information sources, so you can see where the trends are.
“The scenario should be like a dealing environment in financial services,” says Archdeacon. “Like a dealing floor, you need to know what the attack trends are and make a decision in terms of types of threat, and how to deal with them. 18 months ago, we started to see more attacks being made on confidential data, rather than big attacks, hitting lots of people. But recently, the focus has been on stealth attacks and extricating confidential information for financial gain.”
Archdeacon believes organisations need to know what is happening strategically; they can then carry out risk assessments of which threats are new, which are confirmed, and which are ongoing.
“These latest attacks are being made on Windows 2000, a more dated technology. So there is a need for organisations to ask themselves what their risk assessment is for older technologies. Where does the organisation have them? Will Scada [supervisory control and data acquisition] systems be affected, such as process control, pumping stations, because they are often based on Windows 2000 technology?” asks Archdeacon.
He believes that companies have to be able to integrate the reporting of their disparate security technologies, and then take strategic, analytical and tactical decisions to benefit the organisation.
For example, if there are seven threatening versions of Zotob out there, which one should you tackle first? Which one carries the greatest risk? By adopting threat management concepts and doing effective risk assessment, you can put into practice development measures that minimise risk to critical areas. Having made these assessments, you can then commit corporate resources where they do the most good.
There is little doubt that the ‘flash to bang’ cycle – the time between a vulnerability being spotted and its being exploited – has been coming down rapidly. It used to be weeks; now it’s days. With the Zotob outbreak, the window was three days, making it the fastest exploit announcement to date. This emphasises the absolute necessity of having technology in place that can protect against ‘zero-day’ threats without delay.
The trouble is that even when antivirus definitions have been created to cope with threats, there may still be a window of anything from 24, 48, or 72 hours before all machines on the corporate network have been updated and protected. One of the simple problems is companies’ ‘moving population’: staff using laptops ‘on the road’.
Typically, these are the systems that may not have had their definitions updated. And making sure staff are not complacent is an ongoing education process.