Recent virus outbreaks only hint at an even more dangerous future, say two security company CEOs I sat down with recently. One was the CEO and co-founder of Zone Labs, Gregor Freund; the other was John Patzakis, CEO of Guidance Software, publisher of computer forensics and incident response applications.
While some of todays viruses have been serious problems, Freund said they are not nearly as evil as whats possible if the bad guys really try. So far, weve seen evil viruses and fast-moving ones, but what if? Well, heres how the Zone Labs boss describes the scenario:
“Imagine the destructive power of the Witty worms payload, which progressively destroyed disk contents, sector by sector, combined with the transmission vector of an MS Blast or a Sasser,” Freund said. But if that isnt bad enough, it gets worse. “Not to give anyone ideas, but what if such a combo targeted the security infrastructure or something like anti-virus updates?”
That scenario was as bad as Freund was willing to discuss during our talk, which took place on-stage during a conference I recently hosted for the Software and Information Industry Association. Freund and Patzakis spoke with consultant Rob Enderle and myself. By the end of the half-hour chat, I think Rob joined me in wanting to rush home and completely disconnect the computers from the Internet and the increasingly dangerous outside world.
Freund said the security model we use today needs to move from reactive defenses, like patches and signature-based protection (such as current anti-virus software), to more proactive defenses capable of defending a system against previously unknown threats.
This matters, he said, because the time lag between publication of a newly discovered vulnerability and the discovery of a new virus ready to exploit the vulnerability has dropped to 24 hours or less. That means the bad guys are moving more quickly than before and are using the good guys efforts to improve security against everyone who doesnt immediately get the patch or signature update.
Patches, according to Freund, have problems all their own. “Often they are the least-tested software because they have to ship so quickly. Or they can be reverse-engineered to uncover the vulnerability that sparked the patch” allowing the bad guys to quickly target unpatched machines.
Guidance Softwares Patzakis said that while traditional defenses are doing a decent job against standard attacks, such as garden-variety viruses and script kiddies, “sophisticated hackers are causing extensive damage and are routinely compromising high-profile targets.”
To address this, greater executive awareness and urgency are needed at the highest levels of businesses and government, Patzakis said. This, he warned, may come about through increased regulation as companies are required to show they meet a standard of protection required by future legislation or contract terms.
“From the CIO/CISO standpoint, organizations must be committed to the complete security process,” Patzakis said. “On the technology side, this means addressing measures spanning proactive preventative to reactive mitigation/containment. On the human side, people, policies, training and executive awareness are all essential.”
Tooting his own horn a bit, Patzakis said a critical component of the information security equation that has been traditionally neglected is the response and investigation process. “Important developments in computer forensics and incident response technology have made the implementation of an incident response and investigation process far more effective and cost-feasible than they have been until very recently.”
It was on that note that our conversation ended. I am not sure what I learned, but what I gained was an appreciation for how hard the opposition is working and how much more damage they could actually do. I was also frightened enough to rethink my whole security infrastructure. I dont think Ive dealt with all my vulnerabilities yet, but security is always an ongoing process. One that I hope this column will help you commit (or recommit) to.