Keep Employees from Downloading Malicious Code
The story isn’t unique.
An employee was going about his business, surfing the Net during an off-peak time at work. He started thinking how his screensaver was kind of boring, so he decided to scrounge around some Web sites until he found something that piqued his interest, and he downloaded the file.
That’s when the trouble began: unbeknownst to the employee, that Web site harbored malicious code.
“The concern used to be a few files would be deleted. Now that’s a best-case scenario,” said Paul Judge, chief technology officer at Secure Computing. “Today’s viruses are quiet killers.”
Wherever there are computers that are hooked up to the Internet, the potential exists for employees to download malicious code — nearly every company is vulnerable.
Malware such as spyware and network bots can linger in an operating system, buried deep and undetectable for a long time, all the while sending potentially confidential and valuable information to the attacker, said Lenny Zeltser, practice leader for information security at Gemini Systems, an IT consulting firm headquartered in New York.
“Spyware is a huge problem, especially when you think of software employees often download,” he said. “Network bots, too — they allow attackers to remotely control an affected system. Bots are certainly a problem because they’re attractive as part of an arsenal for an attacker. Employees download bots the same way as other spyware and code. For example, if they wanted to download a cool screensaver, or they were exploring the Web and inadvertently clicked on a malicious code, or they opened an e-mail message that took advantage of a vulnerability.” Zeltser also cited rootkits — a category of malicious software that’s difficult to detect once it gets into the server — as another potential problem.
“It’s stealthy, and it embeds deep into an operating system,” he said. “This software would have serious repercussions for the confidentiality of material.”
There are things an organization can do to minimize the risk of employees downloading malicious code, and Judge and Zeltser said prevention begins with employee awareness.
“Over the last few years, there’s been much more emphasis on user education,” Judge said.
Zeltser said a security policy must exist, and organizations must ensure it is clear in regard to what is and isn’t allowed. Further, there should be mechanisms in place to enforce the security policy.
Despite all this, though, there is no guarantee the policy will work. Zeltser said it’s just a first step.
“It’s important to have an employee-awareness program,” he said. “We’re all human — we’re all vulnerable to mistakes. A program that relies on just employee awareness is bound to fail. There are various other aspects companies need to consider.”
One thing to keep in mind, Judge said, is that most people who download malicious code don’t realize they’ve done so — many don’t think before they click, he said.
“There are different levels of awareness,” Judge said. “There are people who are naïve, and other people who know better. I think there are very few people who, before pressing click, think, ‘I wonder if this is a bad thing to click?’ and there are few people who think, ‘Oh, I bet this is bad, but I’m going to download it anyway.’”
The first move an organization should make, Zeltser said, is take a step back to understand the problem.
“There are three questions a company should ask,” he said. “‘What are we trying to protect — is it confidentiality, integrity, availability or a combination?’ The second is, ‘What is the nature of the threat?’ Some malicious code is more prevalent than it was in the past. The third question is, ‘What pathways exist for malware to be downloaded?’”
Zeltser said these include Web browsers, e-mail clients and instant-messaging clients.
“The company must establish what it needs to fight,” he said. “Once the company understands that, it needs to look at technological measures that will make it very difficult or impossible to download malicious code.”
There are many locations from which employees can download malware, including the perimeter of the corporate network, an employee’s home computer, a traveling employee’s laptop, an internal desktop and the internal network’s “fabric.”
Zeltser said protection at the perimeter of a corporate network can entail a firewall, content filtering and antivirus software. For employees’ computers and the internal desktop, he recommended antivirus software, a Network Admission Control (NAC) client, a personal firewall and the option of a system lockdown. In regard to an internal network’s “fabric,” Zeltser said intrusion-detection and intrusion-prevention systems are key. He said, though, that none of these are foolproof.
“Protective measures do fail, so you need to keep track of firewalls, antivirus software, etc.,” Zeltser said. Judge said it’s critical to try to stay one step ahead of attackers and hackers, whose strategies continuously evolve.
“For the security industry, that’s a huge to-do: moving toward a more proactive stance, getting away from reactive, human-based approaches,” he said. “We need more automated, real-time approaches.”
Zeltser agreed, and he also said security monitoring is essential.
“You need to be able to detect the attack early, before it spreads widely,” he said.
Additionally, he offered several tips for implementing a system lockdown that offers a big bang for the buck: users should log in with non-administrative privileges, access to sensitive OS areas should be restricted, unnecessary software or OS components should be removed or disabled, and the system should be kept up to date on security patches.
Organizations’ needs vary, Zeltser said, so prevention approaches will differ. Every organization, though, must diversify its measures and not rely on just one program and/or employee awareness.
“In-depth defense remains an effective architecture approach,” he said. “The number and type of protective layers depend on the company’s risk profile.”