Unwitting pawns or partly to blame?

ICSA Labs' Bruce Hughes says companies that keep doing the same old thing can't honestly complain about new security breaches--not when they're playing deaf, dumb and blind.

May 10, 2004 8:43 a.m. PT

3 min read

There is an interesting new dynamic to the recent malicious code outbreaks that have plagued corporations.

The methods of infection and propagation haven't changed much--virus writers are still relying on mass-mailing techniques--but the targets of these exploits have changed drastically.

Over the last several years, most malicious code has targeted Internet users in general. Recently, however, the target has shifted. Malicious code is now the preferred weapon in a war between virus writers and corporations--or even between rival groups.

Take, for example, the MyDoom worm that attacked in January. Typical of most malcode, the worm relied on users to click on a file attachment to launch it.

Too many organizations rely on the patching and updating of virus definitions as their primary defense against malicious code.

Contained in the code, however, was a distributed denial-of-service (DDoS) attack aimed at the SCO Group. DDoS attacks hijack hundreds or even thousands of machines and use them to send packets of information to attack and take down a server.

Subsequent variants of MyDoom targeted Microsoft and the Record Industry Association of America with similar DDoS attacks, indicating yet again that there was a single target with a political motive. In all MyDoom variants, infected corporations were unwitting pawns in the attacks; i.e. collateral damage in a war between malcode writers and specific targets.

MyDoom isn't the only example. Two other recent worms that received media attention for the speed with which they spread and the nontraditional motives for their creation were variants of NetSky and Bagle. They have been linked to rival virus-writing groups motivated by little more than bragging rights. Again, corporations and Internet users wound up as the collateral damage.

But while most people would be quick to blame malcode writers or software manufacturers for MyDoom, NetSky and Bagle (and with good arguments supporting their positions), aren't corporations at least a little bit culpable? Are companies doing everything they can to protect their organizations and prevent the spread of malicious code to their customers and partners, and to the Internet community as a whole?

When it comes to malicious code, there are two undeniable security truths:

The inescapable conclusion is that corporations are partly to blame.

Just like their real-world brethren, cybercriminals are here to stay, and as a result, so are malicious code exploits.

In addition, software will contain imperfections and vulnerabilities as long as humans are programming it.

Unfortunately, the third undeniable security truth seems to be that corporations will be infected on a widespread basis by several exploits per year. But why? None of the aforementioned exploits used particularly innovative propagation techniques or new attack vectors. All were preventable by following several easy, essential practices that don't affect the normal course of business at most corporations.

The inescapable conclusion is that corporations are partly to blame. They continue to fail in blocking exploits that use age-old tricks in order to infect and spread. As the old saying goes, "Fool me once, shame on you. Fool me twice, shame on me."

What corporations need to know is that the real, third security truth is that the more proactive the security effort, the more successful they will be in avoiding becoming an unwitting pawn in the information security war.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

A combination of simple steps--like filtering e-mail attachments, closing unnecessary ports and using PC firewalls to better secure corporate laptops--can help reduce security risk dramatically.

Better employee training on the dangers of unsolicited e-mail attachments and communicating that corporate security policies are inflexible can also help cure an employee's insatiable hunger to click.

Too many organizations rely on the patching and updating of virus definitions as their primary defense against malicious code. Unfortunately, these measures are reactive solutions that do nothing to protect organizations against unknown threats.

For example, aggressive patching ranked last of the seven measures that actually worked to protect companies against the SQL Slammer worm in 2002. The other six protective measures were all proactive and generic; what's more, all were much easier, less expensive and more effective against the great majority of malicious code attacks.

Corporations need to take responsibility for their culpability. They also need to be more proactive about security. By reducing the number of pawns at our enemy's disposal, we can significantly reduce the impact of malicious code.