Multi-layered security is vital to stop new wave of day zero attacks and mobile threat

Traditional reactionary anti-virus measures are no longer adequate for business.

After several years of increasingly high-profile worm attacks, culminating in MyDoom, Blaster, Sasser and Slammer over the past 12 months, we are finally at the point where business is starting to take IT security seriously.

The Department of Trade & Industry's latest security survey shows that well over 90% of corporate desktops have anti-virus software, but also states that 42% of UK businesses have had to deal with a virus infection in the past 12 months.

The traditional remedy of combating viruses and malicious code by keeping up with anti-virus patches would seem to be inadequate as the gap between vulnerabilities being discovered and hackers finding ways of exploiting them is narrowing.

Because anti-virus software relies on signatures, it can only be effective after a new virus has been released. Only once a virus has been released can a new signature be written, and then it has to be distributed to all client PCs. This reliance on a signature leads to a new description of an exploit being a "day zero" attack - that is, an attack that will be successful on the day it is released.

It has reached the point where day zero threats are a reality. Vulnerabilities are routinely discovered in security devices and applications, from firewalls and routers to anti-virus and e-mail applications. When we are lucky, it is the suppliers who discover these vulnerabilities first, and users only hear of them when a patch is released to protect against potential threats.

Reshaped battlefield

Unfortunately, patches are usually made reactively in response to an exploited vulnerability. In the days when viruses had to propagate on rogue files and floppy discs, users had the luxury of time. The internet and e-mail, however, have reshaped the battlefield, and today's fastest propagating viruses can infect thousands of hosts in a matter of minutes, and many of the new worms can do this without using e-mail.

There has also been a remarkable growth in variety and sophistication of viruses, and innovations in their delivery and payload mechanisms - which include the use of compromised "zombie" computers for mass-launching viruses, spam and even distributed denial of service attacks.

The compromised PCs are referred to as "bots", and a collection of bots is referred to as a botnet. As well as online threats, end-users with USB memory devices, iPods and mobile devices that move in and out of the security of the LAN environment provide routes in for viruses.

Multi-layered defence

Increasingly, companies are taking a multi-layered approach to security, beginning at the network and finishing at the desktop, instead of simply relying on anti-virus software. Advanced security at multiple points throughout the network is a necessity, and some additional effort must be made to protect against the two most substantial threats - day zero exploits and mobile workers.

Day zero exploits require a new approach to monitoring and blocking rogue network activity. Anti-virus systems, which require "pattern matching", are unable to do this. Suppliers have developed technologies such as host-based software that monitors for malicious behaviour, and that can block potential damage both from end-user error and from unknown Trojans such as keystroke loggers.

Although not infallible, this behaviour-checking software adds another layer to network security - virus patterns change on a daily basis, but malicious behaviour is relatively constant. For instance, an executable that has been downloaded by e-mail should not modify a system file, nor should it edit the registry, or try to access a user's address book. These actions are blocked as malicious, and taken together they describe what a virus does from a behavioural point of view.
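To make the behaviour-checking idea concrete, here is an added example (not code from the article or from any vendor product) of a small rule engine of the kind a host-based monitor applies. It tracks where each process came from and blocks the three behaviours named above only for executables of untrusted origin. The event log format, the process origins and the file and registry paths are constructed for illustration and are assumptions, not a real agent's output.

```python
"""Behaviour-based blocking of untrusted executables (illustrative rule engine)."""
import re
from dataclasses import dataclass

# Constructed sample of agent events, one "key=value ..." line per event.
# pid 4112 is an executable that arrived by e-mail; pid 880 is a locally
# installed editor doing ordinary work.  (Assumed format, not a real agent's.)
SAMPLE_EVENTS = r"""
pid=4112 op=process_start image=C:\Users\alice\Downloads\invoice.exe origin=email
pid=4112 op=file_write target=C:\Windows\System32\drivers\etc\hosts
pid=4112 op=registry_set target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
pid=4112 op=file_read target=C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.pst
pid=880 op=process_start image=C:\Windows\System32\notepad.exe origin=local
pid=880 op=file_write target=C:\Users\alice\Documents\notes.txt
pid=880 op=registry_set target=HKCU\Software\Microsoft\Notepad\fWrap
pid=4112 op=file_write target=C:\Users\alice\Downloads\tmp.dat
""".strip().splitlines()

# Rule parameters: what counts as a system file, an autorun key and an
# address book.  Prefix matching on "...\Run" also covers "...\RunOnce".
SYSTEM_DIR_PREFIXES = ("c:\\windows\\",)
AUTORUN_KEY_PREFIXES = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)
ADDRESS_BOOK_MARKERS = (".pst", ".wab", "\\contacts\\")
# Origins to which the "should never do this" rules apply.
UNTRUSTED_ORIGINS = {"email", "download"}

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (values contain no spaces by assumption)."""
    return dict(TOKEN.findall(line))


def classify(event):
    """Return why an operation is considered malicious, or None if it is benign."""
    op = event.get("op")
    target = event.get("target", "").lower()
    if op == "file_write" and target.startswith(SYSTEM_DIR_PREFIXES):
        return "modifies a system file"
    if op == "registry_set" and target.startswith(AUTORUN_KEY_PREFIXES):
        return "edits an autorun registry key"
    if op == "file_read" and any(m in target for m in ADDRESS_BOOK_MARKERS):
        return "reads the user's address book"
    return None


@dataclass
class Verdict:
    pid: str
    image: str
    op: str
    target: str
    reason: str


def evaluate(lines):
    """Replay events; return the operations the monitor would block."""
    origin = {}  # pid -> where the executable came from
    image = {}   # pid -> executable path
    blocked = []
    for line in lines:
        ev = parse_event(line)
        pid = ev["pid"]
        if ev["op"] == "process_start":
            origin[pid] = ev.get("origin", "unknown")
            image[pid] = ev.get("image", "?")
            continue
        # Locally installed software may legitimately touch these locations;
        # the rule set is aimed at code that arrived by e-mail or download.
        if origin.get(pid) not in UNTRUSTED_ORIGINS:
            continue
        reason = classify(ev)
        if reason:
            blocked.append(Verdict(pid, image[pid], ev["op"], ev["target"], reason))
    return blocked


if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"BLOCK pid={v.pid} {v.image}: {v.op} {v.target} ({v.reason})")
```

Running it blocks three of the e-mail-borne executable's four operations (the write to its own download folder is allowed) and nothing from the local editor. The point the article makes is visible in the rules: no signature for `invoice.exe` is needed, because the decision rests on what the process does and where it came from.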

Mobile workers

Mobile workers, on the other hand, pose a different threat. Machines outside the confines of the corporate LAN environment are vulnerable to infection at several levels. These machines can then be brought back into the LAN to spread their payload behind the business's defensive line.

This has led suppliers to develop network security initiatives that operate by checking mobile devices as they come onto the network and permit or deny access depending on their security and patch status.

Cisco has developed Network Admission Control (NAC) and Microsoft has developed Network Access Protection (NAP). On 18 October Cisco and Microsoft announced that they would work together to ensure compatibility and develop interoperability between their respective security architectures. Standards are vital, and both companies have said they believe in the need to work towards standards in the network admissions and access control space to help promote widespread adoption.
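The admission decision that NAC and NAP make is, at its core, a policy evaluated over a posture report from the endpoint. The following is an added example (not Cisco's, Microsoft's or the article's code, and not the NAC or NAP wire protocol) of such a policy engine: each laptop reports its patch level, anti-virus state and firewall state, and the network permits it, places it on a remediation network, or denies it. The patch identifiers, host names, dates and thresholds are constructed for illustration.

```python
"""NAC-style admission decision from an endpoint posture report (illustrative)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Posture:
    """What the endpoint agent reports when the machine joins the network."""
    host: str
    os_patches: set            # identifiers of installed patches
    av_signature_date: date    # date of the anti-virus signature file
    av_running: bool
    firewall_enabled: bool


@dataclass
class Decision:
    host: str
    action: str                # "permit", "quarantine" or "deny"
    reasons: list = field(default_factory=list)


# Assumed policy.  "PATCH-A"/"PATCH-B" are constructed placeholders for the
# patches the organisation currently mandates.
POLICY = {
    "required_patches": {"PATCH-A", "PATCH-B"},
    "max_signature_age_days": 3,
    "require_firewall": True,
}


def assess(posture, today, policy=POLICY):
    """Evaluate one posture report against the policy and decide on access."""
    reasons = []
    missing = policy["required_patches"] - posture.os_patches
    if missing:
        reasons.append(f"missing patches: {sorted(missing)}")
    if not posture.av_running:
        reasons.append("anti-virus not running")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy["max_signature_age_days"]:
            reasons.append(f"anti-virus signatures are {age} days old")
    if policy["require_firewall"] and not posture.firewall_enabled:
        reasons.append("host firewall disabled")

    if not reasons:
        action = "permit"            # full LAN access
    elif not posture.av_running:
        action = "deny"              # no protection at all: keep it off entirely
    else:
        action = "quarantine"        # remediation network: patch/update, then retry
    return Decision(posture.host, action, reasons)


def assess_all(postures, today, policy=POLICY):
    return [assess(p, today, policy) for p in postures]


# Constructed sample: three laptops returning from the road on the same day.
SAMPLE_DAY = date(2004, 10, 20)
SAMPLE_POSTURES = [
    Posture("laptop-a", {"PATCH-A", "PATCH-B"}, date(2004, 10, 19), True, True),
    Posture("laptop-b", {"PATCH-A"}, date(2004, 10, 10), True, True),
    Posture("laptop-c", {"PATCH-A", "PATCH-B"}, date(2004, 10, 19), False, True),
]

if __name__ == "__main__":
    for d in assess_all(SAMPLE_POSTURES, SAMPLE_DAY):
        print(f"{d.host}: {d.action} {d.reasons}")
```

The three-way outcome matters in practice: a machine that is merely behind on patches is sent to a remediation segment where it can fetch updates rather than being locked out, while a machine with no anti-virus running at all is refused, since it is exactly the kind of host the article warns about bringing a payload back behind the defensive line.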

Network security is an ongoing concern. However, through intelligent host-based anomaly-checking systems, a defence-in-depth policy, and industry-wide initiatives such as NAC and NAP, IT managers can give the network a certain ability to defend itself against assault.

The day zero threat is there, but if adequate defences are set up, companies should be able to withstand its assault with limited casualties.

Paul King is senior security consultant at Cisco Systems UK