CTO Roundtable: Malware Defense Overview
The Internet has enabled malware to move to a much broader distribution model, and the number of distinct threats has exploded. Automated tools find vulnerable sites, compromise them, and turn them into distribution points. As commerce and the business of daily living migrate online, attacks that monetize stolen information assets have increased dramatically. Security professionals are seeing profit models as sophisticated and innovative as the business models of the legitimate economy.
Often a given infection's signature is unique and differs from every other sample seen, which makes effective signature-based defense much harder to achieve. Some studies have shown that 12 percent of all PCs on the Internet are malware infected, while the infection rate in the consumer-facing PC sector is closer to 25 percent. This difference reflects successful efforts by IT professionals to secure the nonconsumer PC sector and shows that there are mechanisms that reduce overall infection risk. Though not intended to replace the in-depth discussion of malware defense by the ACM CTO Roundtable, the following overview should help readers understand the basic scope of the threats in play today and provide a framework for addressing them and minimizing the overall risk of compromise. —Mache Creeger
Many types of malware and payloads exist, but two in particular cause concern in the consumer and enterprise space. Both capture personal information. The first kind is opportunistic: it targets no specific individual and goes after anyone who happens to be ensnared. The second focuses on specific "high-value" targets. By far the majority of common security issues for end users are of the first kind, which typically makes money by stealing information or resources from the end-user machine. Standard practices such as patching, an up-to-date security suite, and strong passwords go a long way toward protecting against these threats.
As in any other business, attackers try to extract the highest value available from the computers they compromise. As the supply of raw Social Security numbers or credit card numbers increases, demand drops and those assets become less valuable on the open criminal market. A growing trend is to refine stolen assets from their raw, low-value state into high-value, specialized content, which requires a great deal of additional context. A full set of medical information for a specific individual is an example of such high-value, specialized content.
Security awareness is fading into the background even as the actual threat space grows. A common perception is that malware is not a problem because end users see no direct evidence of its effects. Malware writers have learned that if they minimize the direct impact on the computing platform, so that the effects of an attack are not visible to the user, they can extract maximum value from compromised machines over a longer period of time.
Obvious security risks
Infection avoidance practices that are no longer valid
A basic hygiene set of security practices
Small to mid-market companies typically spend less than one hour per month on security and do not perceive it to be a priority. Businesses with fewer than 50 employees usually work with a one-stop, local IT provider; those with more than 250 employees have many viable alternatives for security services; but those in the 50- to 250-employee range have very limited security options from IT providers.
Web sites owned by small businesses are increasingly being compromised and used to attack their visitors, which makes malware not just the desktop owner's problem but also the Web-site owner's. Because small businesses usually have no idea what Web-site security entails, fixing this problem is a major challenge. Some hosting companies offer security scans as a service for Web sites run by small businesses, but these products face significant challenges and are unlikely to be comprehensive.
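The kind of check a hosting-side scan performs is easier to reason about with a concrete instance. The following is an added example, not code from the article or from any hosting vendor: it parses a page's HTML and flags the two most common signs that a site has been turned into a distribution point, a hidden or zero-size iframe pointing at a third-party loader, and an obfuscated inline script of the eval(unescape(...)) form. The sample page is constructed for the example; the host example.invalid and the heuristics themselves are assumptions, not a claim about what any real scanner does.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed sample page (not real data): a small-business site with an
# injected obfuscated script in <head> and a zero-size hidden iframe in <body>,
# next to a legitimate, visible embed that must not be flagged.
SAMPLE_HTML = """<html><head><title>Joe's Bakery</title>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Assumed heuristic: inline scripts that decode and evaluate an encoded payload.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:unescape|String\.fromCharCode)|document\.write\s*\(\s*unescape",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str     # "hidden_iframe" or "obfuscated_script"
    detail: str   # iframe src, or the first bytes of the script body


class InjectionScanner(HTMLParser):
    """Collects findings while the page is parsed; script bodies are buffered
    because HTMLParser may deliver them in several handle_data() chunks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            width = (a.get("width") or "").strip()
            height = (a.get("height") or "").strip()
            tiny = width in ("0", "1") or height in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(Finding("hidden_iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION_RE.search(body):
                self.findings.append(Finding("obfuscated_script", body[:60]))


def scan_html(html):
    """Return the list of Findings for one page, in document order."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.kind}: {f.detail}")
```

Run against the constructed page, the scanner reports the obfuscated script and the zero-size iframe and stays silent on the visible video embed. Real injections vary the encoding and the hiding technique, which is exactly why such scans are unlikely to be comprehensive; a site owner who cannot read the output still needs someone to act on it.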
Security investments should be governed by the business you are in and the impact of having a breach. If you handle valuable user information such as Social Security numbers, bank information, medical records, gaming information—anything of value on the open criminal market—you should address those security issues immediately.
In protecting against the loss of valuable enterprise assets, remember that you are defending against a highly adaptable and dynamic adversary, which makes assessing risk very difficult. When one hole is plugged, attackers move to new areas. You are trying to plug as many leaks as you can with a fixed budget, and there is no guarantee that what you leave out isn't the critical item that will cause major damage.
A security policy has many fragmented and specialized pieces and does not lend itself to a single comprehensive approach. For the home you should implement what most client-side security suites already provide: antivirus, firewall, and intrusion prevention. For stricter enterprise security, determining the level of risk you are willing to accept and the amount of time and money you are willing to spend to reduce it is genuinely hard. You need a risk/reward analysis to determine which holes are really worth plugging.
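One way to make the fixed-budget risk/reward analysis described above concrete is the standard annualized-loss-expectancy comparison: score each candidate control by how much expected loss it removes per dollar, pick in that order until the budget is spent, and look at what is left unaddressed. This is an added example, not a method the roundtable prescribes; the four controls and every figure in CONTROLS are constructed for illustration and carry no information about real costs or loss rates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float         # cost to implement and run for a year (constructed figure)
    ale_before: float   # annualized loss expectancy of the risk it addresses
    reduction: float    # fraction of that expected loss the control removes, 0..1

    @property
    def benefit(self) -> float:
        """Expected annual loss avoided if this control is funded."""
        return self.ale_before * self.reduction


def prioritize(controls, budget):
    """Greedy knapsack by benefit per dollar: fund the best-value control
    that still fits, repeat until nothing fits. Greedy is an approximation
    of the optimal selection, which is acceptable given how rough the inputs are."""
    chosen, spent = [], 0.0
    for c in sorted(controls, key=lambda c: c.benefit / c.cost, reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
    return chosen, spent


def residual_ale(controls, chosen):
    """Expected annual loss that remains after the chosen controls: this is the
    number the roundtable warns about, the leaks you could not afford to plug."""
    total = sum(c.ale_before for c in controls)
    avoided = sum(c.benefit for c in controls if c.name in chosen)
    return total - avoided


# Constructed illustrative figures, not data from the article.
CONTROLS = [
    Control("patch management", cost=20_000, ale_before=150_000, reduction=0.6),
    Control("endpoint security suite", cost=15_000, ale_before=80_000, reduction=0.5),
    Control("web site vuln scanning", cost=5_000, ale_before=60_000, reduction=0.4),
    Control("DLP appliance", cost=60_000, ale_before=100_000, reduction=0.7),
]
BUDGET = 40_000

if __name__ == "__main__":
    chosen, spent = prioritize(CONTROLS, BUDGET)
    print("funded:", chosen, "spent:", spent)
    print("residual expected annual loss:", residual_ale(CONTROLS, chosen))
```

With the constructed figures and a 40,000 budget, the cheap Web-site scan, patch management, and the endpoint suite are funded in that order and the DLP appliance is not, even though it removes the most loss in absolute terms. The residual figure is the honest output: it shows how much expected loss the budget leaves on the table, which is the point of doing the analysis rather than buying whichever product was pitched last.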
Security is very different from other more predictable areas of computing. In the technology world people tend to look for definitive fixes to problems. Security and malware, however, are more like influenza, where every year there's another strain no matter what you do, and you can never implement a fully comprehensive solution to resolve the problem definitively.
Cloud Computing and Security
Commodity-based clouds will provide an inexpensive and available platform with a base level of security. For more security, you will either go to a more specialized public vendor or build a private cloud on your own.
Check SAS 70 certifications when shopping for public cloud vendors (SAS 70 has since been superseded by SOC reports under SSAE 16 and SSAE 18, so ask for the current equivalent). If your industry specifies certain types of security, you will need to ask more specific questions before running your application on a particular public cloud environment.
Emerging interest areas
The question, from the standpoint of the greater good of the Internet community, is: what set of economic and regulatory policies will motivate users to align their decisions more closely with the cost those decisions impose on the rest of the community? It is the same argument made in public health.
© 2010 ACM 1542-7730/10/0200 $10.00
Originally published in Queue vol. 8, no. 2—