This is the first part of my Black Hat interview with Andrew D. Hayter, Anti-Malcode Program Manager for ICSA Labs. In this installment, Mr. Hayter highlights the challenges businesses face in mitigating malware-related risks.
Malware is a serious business threat. While I am certain that doubt lingers in the minds of some users, the recent Heartland Payment System (HPS) breach illustrates the related risks. According to an Information Week January 2009 article, a keylogger was instrumental in compromising an organization that “handles 100 million transactions per month for more than 250,000 businesses.”
HPS is not alone. According to the Verizon Business 2009 Data Breach Investigations report, malware “contributed to nearly one-third of data breaches.” The report noted that malware distribution has evolved from “self-replicating emails and network worms ... [to] emphasize stealth and smaller, more directed distribution.” This signals a shift from annoyance attacks toward targeted infections designed to gather intelligence on, or take control of, a target. According to the report, Personal Identifying Information and Payment Card Data represented 36% and 81% of data types compromised, respectively.
The HPS breach was a teachable incident for most companies that leverage similar technologies to conduct business. Testing and certification organizations like ICSA Labs, an anti-virus and anti-malware software evaluator, have publicized the business risks associated with malware. However, integrating this information into the business has been challenging. ICSA’s Andrew Hayter highlighted two of these challenges.
Patch Management
Software controls that address any enterprise risk must be updated frequently. Patch management, according to Hayter, “is one of the biggest challenges that IT Security folk face.” Mr. Hayter stresses that the rate of malware innovation makes these patches critical to the functioning of these controls. These updates must be part of a configuration management plan appropriate to the needs of the business. Not surprisingly, a 2002 Gartner whitepaper highlighted patch management as an attractive attack target. Below are some best practices to mitigate this risk and promote effective patch management
- Classify the assets in your environment
- Test all patches before deployment
- Accept only signed, official patches
- Patch management security must match, or exceed, the security of web-facing servers.
Social networking sites
SearchSecurity.com’s UK Bureau Chief Ron Condon characterized social networking sites as “the new battleground for malware.” His article discusses how the mechanisms that facilitate social functionality are being leveraged to deliver viruses and malware. Mr. Hayter shares this concern. “Corporations need to worry about their employees accessing social websites through company computers,” said Hayter. “There is so much malware on social websites that could infect business assets – it is a huge business risk.” He recognizes that there may be a business case for such usage, but that it must be conducted with that case in mind. The enterprise must draft security policies and procedures that take this risk into account.
The next installment will discuss Andrew Hayter’s recommendations for building a business case for anti-virus and anti-malware software controls.
