Anti-Malware Battlefield Tools: Customer Perspectives and Reference RFI

By: Burton Group
Published: Aug 21, 2006
Length: 22
Type: Analyst Report
Overview:

In this Methodologies and Best Practices document, Burton Group Research Director Daniel Blum recounts customer perspectives on the anti-malware battlefield playing out at the enterprise level.

The document explores lessons learned, and what keeps customers awake at night even after good defensive strategies are in place. The Reference RFI alone is valuable for those switching anti-malware products, or seeking new ones.

Browse Related Categories: Best Practices, Email Security, Intrusion Detection, Network Security

We asked a number of customers: “What keeps you awake at night?” In general, those customers that run relatively more controlled, or locked down, information technology (IT) environments sleep better at night. (Burton Group describes a “locked-down IT environment” as one where strict security policies apply, networks are segmented through zoning, and hosts are moderately or heavily managed. For more information on these terms and subjects, see the Reference Architecture Technical Positions, “Perimeters and Zones,” “Malicious Software,” and “Host Security Choices.”)
Those whose network or host environments are less locked down (often due to the presence of large numbers of business partners or mobile users on the network) have considerably more difficulties and describe themselves as “constantly battling malware” or as being in the midst of a “24-hour fight.” In one customer environment, malware is not mitigated through centrally managed IT security mechanisms and processes, creating ongoing remediation challenges. “If you saw an employee walking down the hall with a lit flamethrower, wouldn’t you stop him?” our source vented rhetorically. In still another case, anti-malware levees have completely broken down and entire corporate neighborhoods are rotting, condemned, and just waiting to be torn down.
Malware really does keep some IT security staffs awake at night. Borrowing the U.S. Department of Homeland Security color codes for risk, Figure 1 plots the maturity of an organization's anti-malware controls against its risk and assesses the resulting risk level. It also identifies which of three important security objectives (availability, integrity, confidentiality) is of greatest concern at different points on the spectrum. Note that even those customers that have heavily managed, less susceptible hosts with zoned and locked-down networks retain some residual risk of zero-day attacks targeting the organization via covert channels, such as “low and slow” attacks conveyed through a small number of targeted e-mails carrying exploits crafted to steal information.
Nearly all of the vulnerabilities and threats are now arriving at the application layer, such as Microsoft Word, Excel, Internet Explorer, or media and picture format vulnerabilities. Some of the network intrusion prevention systems (NIPS) are struggling to keep up. There is less concern about a large-scale worm and more concern about the growing number of vectors through which user-level Trojan horses can be installed unnoticed. One nightmare scenario would be an attack that changed files all over the network, requiring full-blown recovery.
The third financial services company was mainly worried about web browsing and web-based mail introducing viruses and worms through an open/authorized channel. The company allows Yahoo! Mail, Hotmail, etc. (with warnings to users), and it will probably take a major incident to shut down these channels. (Note: Another organization we spoke to on this issue indicated that if one does not allow users to access personal mail via the Web from work, the traffic moves into the corporate mailbox, spawning increased spam threats.) For further discussion of spam and web-based mail issues, see the Security and Risk Management Strategies report, “Combating Spam: Messaging Hygiene Solutions Emerge to Fight Many Fronts.”
Retail Industry Organizations May Be Challenged by Distributed Networks and Cost Issues
A retail company in the restaurant business has a very distributed network. Approximately 60% of the workforce uses mobile devices that leave the network, return, and plug back in. The company is mostly concerned about the availability losses that malware can cause. Spyware has been a challenge; some applications actually stopped working because the browser contained so much spyware and adware. The company is also concerned about the increased cost of software and support for host-based defenses, including anti-spyware.
Medical and Pharmaceutical Organizations Face Worrisome Risks with Hands Tied
One medical organization is very concerned that medical devices running on Windows could be compromised by malware. Body scan images could be lost, and feeding devices, transfusion devices, and other types of systems could be affected, disrupting care. In 2004, a U.S. Food and Drug Administration (FDA) deputy director said that medical companies could request decertification of medical devices that did not provide computer security; this would have put strong pressure on the vendors. However, that deputy director has since left the FDA, and the FDA guidelines that did get published put the onus on the user organization to convince the vendor that a patch or anti-malware tool constitutes “a change or modification [that] could significantly affect the safety or effectiveness of the medical device.”
