Why Are Security Technologies Failing Us?
The year 2003 was the year of the worm—in January “Slammer” brought down Bank of America ATMs and grounded Continental Airlines flights. In August the SoBig.F worm replicated 1 million times in the first 24 hours alone. While SoBig.F was a social engineering hack that fooled computer users into opening infected e-mail attachments, Slammer was a tiny piece of code that could replicate itself without human action by transmitting itself through a six-month-old hole in Microsoft software. Both attacks caused widespread damage and worldwide panic among corporate and home users alike. Will 2004 be any different?
In order to understand why Internet attacks are still penetrating our best defenses even though we have multiple security solutions in place, we must examine four critical elements of security: people, policy, procedure and product.
Human error is often the reason Internet attacks are able to spread so quickly. The SoBig.F worm affected so many computers because network administrators and home users who had security software installed simply neglected to download updates from their security vendors. Computer users need to take some responsibility for educating themselves about computer security and how to prevent Internet attacks. Best practices for dealing with spam, for handling suspicious e-mail from anonymous senders or from friends, and for recognizing commonly known virus file extensions (e.g., .scr, .pif, .exe) are all important for users to know. Individual users are typically the last line of defense should a virus get past all the other security measures in place.
Security policies are not only unique to each company, but also to each department within a company. One size does not fit all: security policies must be granular and tailored to the computer habits of each group. They should also be revisited on a regular basis to ensure that they address the latest computer threats and common user habits. The steps computer users should take when they are hit with a virus or some other kind of Internet attack should be clearly defined and communicated to employees at all levels of the company. Companies must take some responsibility for educating their employees on how to avoid becoming victims.
The Slammer worm shot through a hole in Microsoft software that had been discovered six months earlier but was still left open by many companies because of poor patch management. Procedures for applying updates and patches in the shortest time possible are important for addressing the latest known vulnerabilities. But keep in mind that updates and patches are reactive by nature. Between the initial virus outbreak and the time your vendor is able to provide a patch for download, you are completely open to attack. That window of vulnerability stays wide open the whole time you are waiting for the latest update. Malicious hackers are using ever more sophisticated methods of attack, and our technology needs to keep up and evolve in the same way.
According to the 2003 CSI/FBI Computer Crime and Security Survey, 82 percent of companies reported virus attacks, even though 99 percent reported having anti-virus software. The reason is that anti-virus software works by comparing incoming code against a database of signatures of known viruses. It excels at keeping existing viruses out of your network, but it cannot stop a new Internet threat until the vendor has identified it and released a fix.
There are newer technologies that identify code as malicious based on what it does rather than what it is called. This “behavior-monitoring” technology stops code that tries to access your address book or write to your registry, for instance, or to take any other damaging action you specify. Behavior monitoring can protect against a greater number of threats than anti-virus software alone, and it keeps your network safe during the two vulnerable periods: between the time a virus is identified and the time the vendor creates a patch, and between the time the patch is created and the time it is installed at your site.
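To make the contrast concrete, here is a small added example (not Finjan's product or code from the original article) that runs a signature check and a behavior policy over constructed samples: a repacked variant of a known worm slips past the signature database because its hash changed but is stopped by the behavior rules, while an installer that only writes a Run key is allowed. The sample names, action traces and policy rules are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins for executables (plain text, not real malware).
# The "v2" build is the same worm repacked: its hash changes, its actions do not.
SAMPLES = {
    "worm-v1":   b"worm build 1: mail self to address book, add Run key",
    "worm-v2":   b"worm build 2: mail self to address book, add Run key",
    "installer": b"setup: copy files to Program Files, add Run key",
}

# Signature database: hashes of samples the vendor has already analysed.
SIGNATURE_DB = {hashlib.sha256(SAMPLES["worm-v1"]).hexdigest()}

# Actions each sample performs, as a host monitor would report them (constructed).
TRACES = {
    "worm-v1":   ["read:addressbook", "connect:smtp", "write:registry:Run"],
    "worm-v2":   ["read:addressbook", "connect:smtp", "write:registry:Run"],
    "installer": ["write:file:ProgramFiles", "write:registry:Run"],
}

# Behaviour policy: sets of actions the administrator has declared damaging when
# they occur together. A lone Run-key write is allowed because installers do it;
# harvesting the address book and then mailing or persisting is not.
POLICY = [
    {"read:addressbook", "connect:smtp"},        # self-mailing worm
    {"read:addressbook", "write:registry:Run"},  # harvest contacts, then persist
]


def signature_verdict(blob: bytes) -> str:
    """Classic anti-virus check: block only if the hash is already known."""
    return "block" if hashlib.sha256(blob).hexdigest() in SIGNATURE_DB else "allow"


def behaviour_verdict(actions) -> str:
    """Behaviour check: block if the observed actions cover any policy rule."""
    seen = set(actions)
    return "block" if any(rule <= seen for rule in POLICY) else "allow"


def compare_all() -> dict:
    """Run both checks over every sample; returns name -> (signature, behaviour)."""
    return {name: (signature_verdict(blob), behaviour_verdict(TRACES[name]))
            for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, beh) in compare_all().items():
        print(f"{name:10s} signature={sig:5s} behaviour={beh}")
```

The policy is deliberately written over combinations of actions so that ordinary software performing one of them in isolation is not flagged; tuning those rules is where behavior monitoring demands the administrator's judgment.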
The benefits we receive from the Internet are great, but the threats coming from it are just as great, especially now that more and more mission-critical information is electronic. The dangers and consequences of an Internet attack can be very damaging, but they are also completely preventable. With the right combination of people, policy, procedure and product, you can greatly reduce your chances of becoming a victim during the next virus outbreak in 2004.
Shlomo Touboul is founder and CEO of San Jose-based Finjan Software Ltd. You can reach him at firstname.lastname@example.org.