There are literally thousands of malware variants in the wild of Cyber Space and any one of them could take down your company, steal your identity or the identities of all of your customers!
We are all aware of the multitude of solutions being offered to counter these attacks, so the question arises: while CSOs and CTOs together with their teams of professional security and systems engineers defend the enterprise armed with the multitude of tools available to them, how is it that this threat continues to grow?
Those tasked with company security and charged with trying to find safe harbor for their company’s information and infrastructure have to deal with the unarguable fact that information assurance has not improved.
Two decades after the introduction of the PC and the Internet, computing prevalence has made every company a target of invisible attackers with intent to do harm.
These attackers are no longer the "script kiddies" of the past. They are organized, funded, trained, and in no mood to be deterred.
While the role of CSOs will forever be entrenched in the global business economy, there are new approaches emerging which will put them back in control of their infrastructures. New technologies are now providing systemic answers to the problem of malicious software (malware), both present and future – technologies like Savant™.
Savant Protection™ has leapt ahead of traditional approaches by taking a far more encompassing view that accounts for the realities of present day chaos by introducing Savant, the first solution which eliminates the spread of any known or unknown malware without the need for inoculations, scanning, or rules. This new approach passively protects a computing system from new attacks regardless of strategy.
Gone are the days of corporate-wide outages due to previously undiscovered vulnerabilities. With Savant, the days of spread are over.
Companies are now recognizing that while they concentrate on daily business, cybercrimes are being plotted by "technically sophisticated" teams driven to infiltrate and exfiltrate the enterprise.
A recent study conducted by Braun Research on behalf of IBM reflects this new reality, the results of which were drawn from 600 CIO’s located both domestically and internationally;
"The IBM survey reveals that 84 percent of IT executives of U.S. businesses believe that organized criminal groups possessing technical sophistication are replacing lone hackers in the world of cybercrime. The threat from unprotected systems in developing countries is a growing challenge, according to almost three-quarters of respondents." 1
The problem is that these attackers know more about a company’s system flaws better than the company itself. How can this be possible? The answer is a bit unnerving in its simplicity; the invaders are consumers.
The products companies employ to build their hard and soft infrastructures are readily available for purchase or download by anyone, at any time. The hackers clearly have the advantage. They have the drive, motive, and time to create new intrusion approaches. Approaches, as of yet, unknown.
Present day solutions rely on prior knowledge as an indicator of future tactics and mandate a CSO to deploy more patches, fatter inoculation files, and further add to the depth of rules that are outdated before even written. It is a sacrificial approach, providing a band aid like fix in a global business environment that is quickly running out of patience and resources.
Are Patches and Inoculations the only solutions?
The solution set a CSO has to work with, their virtual holster of cyber bullets, is perhaps the clearest indicator of the problem. Patches, inoculations, and rules are all means of reacting to new threats? The existence of these approaches and their inability to extinguish the problem is the most ringing indictment.
No one illustrates the conundrum of patches better than industry stalwarts like Microsoft®. In 2003 company executive Steve Ballmer stated,
"We have been putting out our patches on a very unpredictable schedule. We will now go to monthly patches -- no more than monthly. If we don’t need monthly, we won’t have them. But no more than once a month, except for emergency patches which will be made available essentially immediately."2
Even Microsoft was unable to see the future - infamous ‘Patch Tuesday’ and the flurry of fixes it would encompass. Since 1998, Microsoft has delivered 478 patches of varying magnitude, not including all of the fixes included in service packs.
In fairness, many of the flaws companies fight to close and expose are not all on the shoulders of the operating systems vendors. In Microsoft’s defense, the NIST3 vulnerability database lists over 4500 issues, of which only 159 are attributed to Microsoft. The astute security professional will note that leaves well over 4300 vulnerabilities to deal with. Those inclined to panic will note these vulnerabilities are only those that are known.
Inoculation files have grown to such bloated sizes, many exceeding 2MB, that several leading anti-virus vendors are stopping support for their traditional distribution media and grandfathering virus definitions written only months earlier. Many make mention of the toll on network bandwidth produced by the distribution of inoculation updates and their efforts to reduce distribution sizes. But at what cost to security?
Dr. Johannes Ullrich, chief technology officer at the SANS Internet Storm Center recently stated;
"Two years ago, 80 percent of what we had seen were well-known issues, and now only 30 percent of attacks fall into well-known patterns. The rest are very different kinds of attacks. None of these attacks are getting much attention so they stay at a pretty low level and can continue to penetrate systems unrecognized."4
This begs a potentially overwhelming question; how effective will inoculations be moving forward? If the best defense a company can muster is the constant application of patches and the ever-present scanning of terabytes of information for miniscule, potentially unknown viral footprints, how can a CSO expect to turn the tide?
Corporations do not have the resources to analyze every application deployed for flaws nor can they keep up with the possible injection of new flaws brought on by patching. Hackers, on the other hand, consider this fuel for the fire.
The Threat Multiplies Exponentially
In 1965, Gordon Moore stated "The number of transistors on a chip doubles about every two years."5 It is arguable that "Moore’s Law" is equally applicable to application complexity.
Advancements in technology and their rapid deployment to the laps and desks of every person on the planet have created fertile ground in which attackers can plant the seeds of discontent without any fear of being caught red handed.
The mathematics of chaos, compounded with the growing size of the software sets companies rely on, have made it impossible for the quality assurance departments of software development companies to reproduce the complexity of their customer’s environments. There is simply no way to recreate the intricacies present in a target install base as the permutations are endless.
In addition, regardless of high-level application development and testing procedures, there is no way to eliminate the human factor from the security equation. This is well illustrated in a release by Britain’s National Information Security Coordination Center (NISCC),
"Trojan code arrives attached to e-mails or through links in e-mails, and typically requires an end user to open the attachment or click a link and download and run software, for the Trojan code to infect a PC. Most carrier e-mails utilize some form of social engineering; spoofing addresses to make the attachment or URL appear relevant.
Once installed on a user machine, Trojans may be used to obtain passwords, scan networks, exfiltrate information, and launch further attacks.The software may also replicate to other network PCs automatically."6
Flaws in the Ointment
Adding to human chaos is the fact that: inherent in every one thousand (1000) lines of code are more than seven (7) flaws, as documented in the report from the National Cybersecurity Task Force.7
Some of the world’s leading operating systems, with over 25 million lines of code, posses over 175,000 potential flaws.
Assuming only 10% of these flaws are a high security risk, it is unreasonable to assume that any SQA (software quality assurance) team could rid any release of all potential issues. Asking software companies to rectify every flaw would require years of effort between releases and drive the cost of software beyond reason.
Sum of All Evils
The resulting landscape looks daunting but perhaps all that is needed is a new view, a different approach. The best foundation for an innovative solution is to accept the following facts:
Fact: Humans cannot be taken out of the security equation. They will make mistakes that create openings and they can be socially engineered.
Fact: It is impossible to eliminate every software flaw before releasing a product. Software developers do not have the resources and the customer’s are not tolerant of the time it would take.
Fact: Inoculations and patches only apply to what is known. These reactionary approaches require scanning of all media and are invalid one microsecond after a file has been scanned. Even constant scanning (an unreasonable option) cannot protect against a new virus release.
A New Vision: Savant Introduces Systemic Resilience and Malware Spread Mitigation
Savant Protection’s technology eliminates the spread of known and unknown computer malware without the overhead of costly inoculation downloads, or time consuming scanning.
Savant prevents Production Impacting Events™ with an unprecedented level of security, continuity and resilience, enabling CSOs to successfully execute their primary functions.
Savant plays a critical role in assisting Sarbanes-Oxley compliance by preventing unauthorized or unintended changes to corporate system processes thereby assuring compliance in future audits.
Savant Protection is the only company that provides a proactive systematic solution for the deterrence of malware intrusion and for the elimination of its spread.
Want to learn more? Contact us at: www.savantprotection.com.
1. U.S. Businesses: Cost of Cyber CrimeOvertakes Physical Crime, March, 2006, IBM
2. Internetnews, October 2003, No MoreWeekly Patches
3. http://nvd.nist.gov
5. Intel, http://www.intel.com/technology/silicon/mooreslaw/index.htm
6. NISCC Briefing, August, 2005
7. NCTF, 2004
Building A Kevlar Company
Accepting the reality that mistakes will be made, intrusions will occur and that inoculation and list updates will lag behind any new attack, will guide corporations in the establishment of realistic countermeasures which will allow them to survive systemic attacks, averting the risk of corporate-wide compromise.
Preventing Production Impacting Events Through Preemptive Security
Information Assurance is not about sitting still. True protection comes through innovation and vigilence. As you read this text, hackers are developing new techniques designed to impact your life and your company. Present day solutions put the defense of your livelihood in the hands of third party providers and corporations can only hope that these providers do not fall asleep at the switch!
