Malware represents one of the biggest, most rapidly changing challenges facing corporate security today. The threat landscape is always evolving and last year was no different. Google reported a doubling of malware sites, and there were troubling reports last summer of a new kind of active, man-in-the-middle (MITM) malware that cost banking customers millions.
In a recent survey of IT professionals, over 32 percent felt that malware installed on PCs will pose the greatest external threat to IT security over the next 12 months. Over 16 percent indicated that malware on mobile devices presented the greatest threat. In total, malware running on PCs and mobile devices was ranked the top threat for 2010 by nearly 50 percent of respondents.
Here is a closer look at the types of malware threats you should be prepared to face this year, as well as four concrete strategies your company can implement to protect against them.
Malware threats
Enterprises have been battling malware for years but the threats continue to evolve. Among the largest problems for enterprises today is credentials harvesting. Criminals are deploying increasingly sophisticated malware designed to steal usernames and passwords from legitimate users. There are numerous ways this can happen, including malware unwittingly installed by users, browser-based malware and eavesdropping attacks.
For example, in November 2009, a security researcher was able to leverage a bug in a Secure Sockets Layer (SSL) protocol to obtain Twitter users’ log-in information in the clear. While a Twitter attack might seem relatively innocuous, consider how many people also use their Twitter password for their online banking or corporate log-in. How many enterprise users use the same password for Twitter as they do on their domain? There are a number of ways that various forms of malware could induce attacks such as this one.
Another attack vector that was recently described against SSL VPNs involves the use of browser-based malware to log all keystrokes typed into a browser. The attack, which leverages the way most SSL VPNs interact with browsers’ same-origin policies, could easily lead to users disclosing passwords as they log into corporate Webmail accounts.
Another malware-related threat involves targeted phishing. Increasingly, we have seen criminals single out individuals or groups within organizations for receipt of carefully crafted phishing e-mail messages. These e-mail messages could contain pieces of malware for installation on users’ computers or could contain links to malicious Websites. Either way, the highly targeted nature of these phishing attempts makes them hard for average users to detect. A recent spear phishing experiment involved fake LinkedIn invites and was highly successful.
Finally, theft of information is one of the actions of most concern by the new generation of malware. Trojans such as Clampi and Zeus are actively stealing information and can be adapted to steal whatever information the maintainers are most interested in. For example, they can steal usernames and passwords for online banking or, worse, they can be instructed to create hidden transactions transferring money to “mule accounts” controlled by the attackers. Traditional authentication solutions such as tokens and smart cards are helpless to prevent these attacks.
Four Steps to Prevent Malware Threats
Four steps to prevent malware threats
Fortunately, there are four concrete steps you can take to prevent malware threats in your organization:
Step No. 1: Have a corporate anti-malware solution
With malware’s continued relevance as a core security problem, no enterprise should be without an anti-malware solution. And since most malware affects user computers, that is where the focus should be: on every user desktop in the enterprise.
Furthermore, since remote access is ubiquitous these days, remote users should have the same kind of protection in place. In fact, a complete endpoint security solution for remote users is a good idea, including patch and firewall management as well as anti-malware software. Finally, consider deploying an intrusion prevention system (IPS) to intercept and prevent certain kinds of attacks originating from remote users.
Step No. 2: Patch!
Because the security arena changes so rapidly, it is important to stay current with vendor software releases. While it would be ideal to have someone in the organization keep tabs on CERT advisories, flaw disclosure mailing lists and so forth, you can get a lot of bang for your security buck just by keeping current with vendor patches. Yes, there will be times when vendors are late with patches but, by and large, you will be in a much safer position.
Step No. 3: Deploy strong authentication
A great many enterprise attacks depend on single-factor authentication. Traditional phishing and keylogging attacks fall into this category, as do attacks such as the Twitter example described earlier. These attacks harvest credentials (for example, user names and passwords), which are later used to gain access to the users’ accounts. Deploying an additional authentication mechanism can protect against these attacks by requiring users to verify their identity using something they own (such as a security device) or something they are (such as a voiceprint or fingerprint). All of them can be defeated by deploying a multifactor authentication system.
Because these attacks can harvest information, such as the answers to your security questions, additional information-based authentication does not provide additional protection. And this also goes for digital certificates; because they are generally easy to copy or steal, they will not help prevent these attacks on their own.
Current best practice when selecting an authentication solution is to look for an out-of-band, two-factor system since malware has been found in the wild that can defeat traditional in-band, two-factor systems. Additionally, consider adding biometric authentication to the mix with a voice-based, fingerprint-based or other three-factor authentication system. By using a separate channel such as the telephone network for the second factor of authentication, you can circumvent malware installed on the user’s device.
Step No. 4: Use transaction verification
If you work for an organization such as a bank that does user-initiated transactions, you should be aware of a new malware threat that, essentially, waits for the user to log in and then sends chosen transactions through the SSL tunnel without the user’s knowledge.
These attacks are easy to mitigate with an out-of-band transaction verification system. Whenever a user submits a transaction (or perhaps only for selected transactions), the bank makes an automated phone call to the user’s registered phone number, playing back the exact details of the proposed transaction to the user. The user must approve the transaction before it takes place. This makes it impossible for a piece of malware to sneak something by.
Steve Dispensa is co-founder and Chief Technology Officer of PhoneFactor. Steve is a leader in the field of data security and device driver development technology, holding numerous patents in the fields of computer science and telecommunications. Steve also hosts Security Break Live, an Internet radio talk show, as well as a blog of the same name. Visit it at securitybreaklive.com. He can also be reached at dispensa@phonefactor.com.