ISSA: Traditional controls inadequate

There is a common misconception that because an organisation has anti-virus, it must be safe, writes Raj Samani, vice president of ISSA

There is a common misconception that because an organisation has anti-virus, it must be safe, writes Raj Samani, vice president of the Information Systems Security Association (ISSA). The threat of malicious code cannot be circumvented through traditional controls alone.

Organisational networks have often been compared to M&Ms confectionery: hard and crunchy on the outside, but soft and gooey in the middle. In reality, the security environment changes so rapidly that it is like placing the chocolate ball in a furnace and hoping it withstands the heat.

Low-hanging fruit

With emerging threats increasing in both complexity and quantity, traditional anti-virus controls eliminate only the threat of the low-hanging fruit. Research suggests that an unprotected computer will be infected with malware in 12 minutes (according to Sophos) of connecting to the internet, or 20 minutes, depending on what article you read. Personal experience suggests the duration is considerably shorter than either of these numbers.

Traditional technologies should protect against known threats, but what they won't protect against are very new threats or those that have been modified ever so slightly so as to elude the traditional malware detection test - namely, by checking for specific malware signatures.

Porous frontier

Assuming that internal networks are protected by an impenetrable boundary is optimistic to say the least. Equally worrying are the new channels that attackers are using to plant malicious code on the target. Spam messages direct users to website that look and feel like legitimate sites, but in reality have malicious code embedded. One very well known sports website even had a vulnerability embedded within it that allowed the attacker to hijack victims' web browser - even trusted sites can carry malicious payloads.

So what about mobile users? Is the threat greater or lesser when you take the machine outside the "safety" of the corporate network?

Mobile users are open to more channels of attack, but the threats can also apply to the internal network. Take wireless networks. It is assumed that internal networks are wired, and external networks are likely to be wireless. The default action for many operating systems is to automatically connect to the wireless network a user has linked to before. What this means is that while your users are safely working on your internal networks, they have effectively bridged to a nearby hotspot with the SSID Linksys or the even rarer Belkin!

In short, there are considerably more challenges facing an organisation when it comes to malicious code then are usually considered. Assuming that everything is okay internally leads to a very false sense of security. Essentially, every network is untrusted, and every system is essentially a road warrior!

Raj Samani is vice president of the UK chapter of ISSA

Enforce wireless security >>

Read more expert advice from the Computer Weekly Security Think Tank >>

Read more on IT risk management