<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/application-whitelisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 30 Jul 2010 14:33:34 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Top endpoint security stories for June 2010 &#8212; Inability to stop new customized malware should be a wake-up call for security industry</title>
		<link>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/</link>
		<comments>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 12:58:37 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybersecurity bill]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1879</guid>
		<description><![CDATA[An explosion of fresh customized malware continues to leave even the industry&#8217;s top security products lagging behind as organizations are doing everything they can to protect their networks and customers. Congress has even stepped up their efforts to pass legislation that better protects our digital and critical infrastructures from new cyber threats. But with more [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">An explosion of fresh customized malware continues to leave even the industry&#8217;s top security products lagging behind as organizations are doing everything they can to protect their networks and customers. Congress has even stepped up its efforts to pass legislation that better protects our digital and critical infrastructures from new cyber threats. But with more targeted attacks successfully exploiting enterprises, the question that still remains is: Are we doing enough? Here are some of the top security stories from June 2010.<span id="more-1879"></span></p>
<h3>Study finds security software ineffective against growing malicious programs</h3>
<p>Further research confirms that security software companies continue to have a difficult time keeping up with an explosion of malicious software programs. A <a href="http://www.networkworld.com/news/2010/062010-testing-reveals-security-software-often.html?hpg1=bn" target="_blank">recent independent study showed that a wide range of endpoint security software from top vendors takes an average of two days to block a website designed to attack a computer visiting the site.</a> The findings indicate that security companies still need to make vast improvements in their ability to detect the more than 50,000 new malicious programs that are found each day. According to the report:</p>
<blockquote>
<p>&#8220;The magnitude of these findings should be nothing short of an alarming wake-up call for the security industry.&#8221;</p>
</blockquote>
<p class="margin_bottom_2em">The study concluded that today&#8217;s enterprises are most at risk from fresh customized malware. Security companies share malware samples, but if no company sees or detects the malware, it could quietly circulate and potentially infect machines, stealing data and leaving clients unaware of new threats. Even if malware is undetected for a short period of time, it still is enough of a window to infect a corporate network.</p>
<h3>Modern security threats require defense-in-depth approach</h3>
<p>Targeting an organization&#8217;s crown jewels, money or infrastructure, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1516014,00.html" target="_blank">today&#8217;s more organized cyber criminals are launching attacks that infiltrate company networks and steal data over time without being detected.</a> Unfortunately, traditional perimeter-based solutions are no longer effective in fighting advanced persistent threats and other malware attacks that may already be inside a network.</p>
<p>Rather than focusing on perimeter defenses to stop the next wave of cyber threats, John Wang, security architect at NASA, said understanding hackers’ motivations and determining what information a company wants to protect is an important part of any cybersecurity strategy.</p>
<blockquote>
<p>&#8220;The fight starts with understanding what you&#8217;re trying to protect. Perimeter defenses are no longer effective, if they ever were. It&#8217;s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.&#8221;</p>
</blockquote>
<p class="margin_bottom_2em">Wang added that organizations need to take a defense-in-depth approach &#8212; a strategy that hasn&#8217;t received as much attention with all the focus on perimeter defenses. That approach includes log aggregation, application whitelisting, &#8220;encryption everywhere,&#8221; and a security operations center for incident response.</p>
<h3>Cybersecurity bill is a step in the right direction</h3>
<p>One of today&#8217;s most debated U.S. Senate bills is the Protect Cyberspace as a National Asset Act (PCNAA). Opponents argue the bill gives the president too much power to shut down parts of the Internet in the event of a cyber emergency. Supporters say the bill will strengthen the mechanisms by which the government and private industry protect the safety and security of the Internet. In late June, the <a href="http://www.infoworld.com/d/security-central/senate-panel-approves-controversial-cyber-security-bill-370" target="_blank">bill was approved by the U.S. Senate committee</a>, but it currently awaits a vote on the Senate floor.</p>
<p class="margin_bottom_2em">Many agree that the U.S. is not adequately prepared for a major cyber attack that could disable power grids, essential water and sewage systems, and hamper our financial systems. But while both sides continue to debate on how much control the government should have in a cyber emergency, the fact that Congress is focused on passing legislation that will boost the country&#8217;s cyber defense is a step in the right direction.</p>
<h3>Zero day flaws found in popular web malware exploitation kits</h3>
<p>A team of security researchers <a href="http://www.zdnet.com/blog/security/researchers-find-12-zero-day-flaws-targeting-5-web-malware-exploitation-kits/6752" target="_blank">found 12 zero day flaws targeting some of the most commonly used web malware exploitation kits</a> such as Eleonore, Neon, Liberty, Lucky and Yes. The use of these vulnerabilities could lead to hijacking of the admin panel or retrieving the admin password, potentially disrupting a criminal campaign and exposing the person behind it.</p>
<p>For the security community, such flaws could help efforts to launch offensive attacks against cyber criminals by exploiting the same malware kits they use to infect thousands of good users every day. For more collaborative efforts such as the Internet Fraud Service Alert, exploits like these can provide companies with information about compromised credentials that would allow them to take quick, appropriate action to thwart criminal activity and protect their customers.</p>
<p>Thanks for stopping by and reading this blog. I encourage any feedback or comments on these relevant security topics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>CoreTrace provides Cisco Security Agent customers easy transition to application whitelisting</title>
		<link>http://www.coretraceblogs.com/2010-06/coretrace-provides-cisco-security-agent-customers-easy-transition-to-whitelisting-solution/</link>
		<comments>http://www.coretraceblogs.com/2010-06/coretrace-provides-cisco-security-agent-customers-easy-transition-to-whitelisting-solution/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 20:57:45 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[Cisco Security Agent]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[CSA]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1811</guid>
		<description><![CDATA[Cisco recently initiated the End-of-Life process for the Cisco Security Agent (CSA) endpoint security solution.
Even before Cisco announced CSA&#8217;s end-of-life, CSA customers have been interested in CoreTrace&#8217;s application whitelisting solution, BOUNCER, because of BOUNCER&#8217;s ability to protect endpoints at a fraction of the HIPS administration effort. BOUNCER can do this by:

Rapidly secure endpoints without requiring [...]]]></description>
			<content:encoded><![CDATA[<p>Cisco recently initiated the End-of-Life process for the <a href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html" target="_blank">Cisco Security Agent (CSA)</a> endpoint security solution.</p>
<p>Even before Cisco announced CSA&#8217;s end-of-life, CSA customers have been interested in CoreTrace&#8217;s application whitelisting solution, BOUNCER, because of BOUNCER&#8217;s ability to protect endpoints at a fraction of the HIPS administration effort. BOUNCER can do this by:</p>
<ul>
<li>Rapidly securing endpoints without requiring manual tuning</li>
<li>Auto-generating whitelists for each computer</li>
<li>Protecting against even the most sophisticated malware like memory attacks</li>
<li>Preventing unauthorized applications</li>
<li>Dynamically updating each system&#8217;s whitelist for new authorized applications and upgrades</li>
</ul>
<p>Today, we announced the <a href="http://www.coretrace.com/products/platform_challenges/CoreTrace_Program--Cisco_Security_Agent_Transition.aspx" target="_blank">Cisco Security Agent (CSA) Transition Program</a><span id="more-1811"></span> to help customers cost-effectively transition to BOUNCER without incurring any additional license fees. Promotional pricing that includes custom professional services and training is available, as well as extended support agreements through December 31, 2010.</p>
<p>To further explain the value of transitioning from CSA to BOUNCER, we are sponsoring a live webinar featuring Eric Ogren, the founder and principal analyst of the Ogren Group and former executive at OKENA, the company whose technology formed the basis of CSA. The webinar, <a href="http://www.coretrace.com/resources/webinars/CoreTrace_Webinar--Transitioning_from_Cisco_Security_Agent.aspx" target="_blank">&#8220;Transitioning from Cisco Security Agent: The Case for Enterprise-level Application Whitelisting&#8221;</a>, will take place Tuesday, June 29th, at 2 p.m. EDT.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/coretrace-provides-cisco-security-agent-customers-easy-transition-to-whitelisting-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Targeted attacks a growing threat to confidential medical records</title>
		<link>http://www.coretraceblogs.com/2010-06/targeted-attacks-a-growing-threat-to-confidential-medical-records/</link>
		<comments>http://www.coretraceblogs.com/2010-06/targeted-attacks-a-growing-threat-to-confidential-medical-records/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 13:09:01 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CDPH]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[health care industry]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1795</guid>
		<description><![CDATA[In an important step to enforce new state laws around protecting the privacy of medical records, the California Department of Public Health (CDPH) has fined five California hospitals a total of $675,000 for failing to prevent unauthorized access to their confidential patient information.
With targeted malware attacks posing greater threats to health care institutions, the director [...]]]></description>
			<content:encoded><![CDATA[<p>In an important step to enforce new state laws around protecting the privacy of medical records, <a href="http://www.darkreading.com/insiderthreat/security/government/showArticle.jhtml?articleID=225600466">the California Department of Public Health (CDPH) has fined five California hospitals a total of $675,000 for failing to prevent unauthorized access to their confidential patient information.</a></p>
<p>With targeted malware attacks posing greater threats to health care institutions, the director of CDPH, Dr. Mark Horton, said ensuring the privacy of patient data is a critical component of the medical industry.</p>
<blockquote>
<p>&#8220;Medical privacy is a fundamental right and a critical component of quality medical care in California. We are very concerned with violations of patient confidentiality and their potential harm to the residents of California.&#8221;</p>
</blockquote>
<p>While Federal regulations such as HIPAA have prompted health care organizations to take measures to better protect digital patient records, stopping highly targeted cyber attacks continues to be one of the industry&#8217;s top challenges.<span id="more-1795"></span></p>
<p>With cyber criminals focused on stealing valuable patient information, health care organizations need to go beyond meeting a set of guidelines if they are going to successfully stop more sophisticated malware attacks. They have to take a serious look at how they are currently defending their networks and implement endpoint security solutions that can effectively stop these threats.</p>
<p>Many health care institutions still rely on traditional antivirus to protect their enterprises and multi-user workstations from more targeted attacks, but it&#8217;s simply not enough. Blacklisting solutions have become ineffective in stopping new forms of malware popping up every day. Instead of relying on reactive methods, health care professionals need to consider more proactive approaches such as application whitelisting, which has been proven to protect private networks from attacks specifically intended to access their enterprise.</p>
<p>While stiff penalties for violating Federal regulations provide clear incentives for health care organizations to take steps to meet the required guidelines, they are nothing compared to the potential long-term impact &#8212; which includes the loss of patient trust and damage to a health care institution&#8217;s reputation &#8212; should their patients&#8217; information or data ever be compromised.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/targeted-attacks-a-growing-threat-to-confidential-medical-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dissecting targeted attacks</title>
		<link>http://www.coretraceblogs.com/2010-06/dissecting-targeted-attacks/</link>
		<comments>http://www.coretraceblogs.com/2010-06/dissecting-targeted-attacks/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 17:38:37 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1785</guid>
		<description><![CDATA[The sharing of personal information over the Internet has been a huge driver for targeted attacks, which are designed to steal highly sensitive corporate information. According to the article, &#8220;Surviving today&#8217;s targeted attacks,&#8221; hackers who once sought fame and notoriety are now motivated by money. Targeted attacks go after the most valuable corporate data including [...]]]></description>
			<content:encoded><![CDATA[<p>The sharing of personal information over the Internet has been a huge driver for targeted attacks, which are designed to steal highly sensitive corporate information. According to the article, <a href="http://www.itweb.co.za/index.php?option=com_content&#038;view=article&#038;id=33771:surviving-todays-targeted-attacks&#038;catid=265">&#8220;Surviving today&#8217;s targeted attacks,&#8221;</a> hackers who once sought fame and notoriety are now motivated by money. Targeted attacks go after the most valuable corporate data including source code, future product information, third-party data, executives&#8217; emails and customer information. Stefan Tanase, senior security researcher at Kaspersky Lab, said there are four steps cyber criminals take in executing a targeted attack:<span id="more-1785"></span></p>
<ol>
<li class="margin_bottom_1em"><strong>Profile the target:</strong> <br />The first step is profiling the employees and choosing the most vulnerable targets. Reconnaissance is done via social networks, mailing list posts, and public presentations. Cyber criminals may also target users that don&#8217;t have money because they can serve as valuable resources to create botnets, launch denial-of-service attacks, and collect passwords.</li>
<li class="margin_bottom_1em"><strong>Create unique malware:</strong> <br />The second step is to develop a new and unique malware attack. It doesn&#8217;t need to bypass all antivirus, only the one the potential victim is using. In the first quarter of 2010, Kaspersky Lab had a total of 36.2 million unique malicious files in its collection. That&#8217;s a significant jump from the two million total unique malware programs from 1992 to 2007.</li>
<li class="margin_bottom_1em"><strong>Social engineering:</strong> <br />Hackers use social engineering to get the victim to click on a link so they can gain control and maintain access. Once they get someone from the inside to click, the initial exploit drops malware onto the victim&#8217;s machine, as networks are usually protected from outside threats.</li>
<li class="margin_bottom_1em"><strong>Getting the goods:</strong> <br />Cyber criminals then find an overseas office server to be used as an internal drop. Data is then quickly moved over the corporate WAN or intranet to the internal drop. All data is then removed at one time to the external drop server. Even if traffic is monitored, it might be too late to react.</li>
</ol>
<p>Targeted attacks work differently than typical malware attacks. Cyber criminals no longer have to play the numbers game to get a small percentage of users to click on bad emails. By focusing on individuals from specific corporations, Tanase said they&#8217;re much more efficient at obtaining the information they’re seeking.</p>
<blockquote>
<p>&#8220;One e-mail is enough, the cyber criminals don&#8217;t need to send tens of thousands. Tracking these attacks is also difficult as targeted companies are seldom eager to share the attacks and details, making it hard to get samples for analysis. These attacks stay under the radar.&#8221;</p>
</blockquote>
<p>Unfortunately, <a href="http://www.bobsguide.com/guide/news/2010/Jun/7/Cyber_Crime_Poses_a_Growing_Threat_to_Company_Security.html">today&#8217;s targeted attacks pose a greater threat to company security</a>. As cyber criminals focus on specific corporate information, Ryan Rubin, associate director at Protiviti, a global consulting and internal audit firm that specializes in risk and advisory services, said the stakes are much higher because a successful attack could result in the theft of intellectual property or corporate espionage.</p>
<blockquote>
<p>&#8220;Security threats, vulnerabilities and privacy exposures challenge every organization today, creating risks that can result in a range of issues, including revenue loss and reputation damage, if they&#8217;re not managed proactively. For most businesses, such intangible assets as customers, systems and information provide the foundation for corporate value, so businesses that don’t address their information security and privacy risks are taking a tremendous gamble with their very livelihood.&#8221;</p>
</blockquote>
<p>Defending a network against targeted attacks is more complicated because signature-based antivirus solutions are useless against them. Because of this, corporations need to take a proactive approach to ensure these and other highly sophisticated malware threats do not execute in the first place. As organizations are forced to defend their networks from targeted attacks that take advantage of every known and unknown vulnerability in their system, it&#8217;s critical to have a solution such as application whitelisting that prevents any unauthorized application or malicious code from executing, no matter how it enters the system.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/dissecting-targeted-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CoreTrace welcomes seasoned veterans to senior management team</title>
		<link>http://www.coretraceblogs.com/2010-05/coretrace-welcomes-seasoned-veterans-to-senior-management-team/</link>
		<comments>http://www.coretraceblogs.com/2010-05/coretrace-welcomes-seasoned-veterans-to-senior-management-team/#comments</comments>
		<pubDate>Tue, 18 May 2010 20:02:05 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1700</guid>
		<description><![CDATA[Because of the strong demand for application whitelisting, I couldn&#8217;t be happier with the significant growth CoreTrace continues to experience well into 2010. Nearly halfway into the New Year, I&#8217;m also very pleased to announce the addition of three software veterans who have joined our senior management team and will lead both our sales and [...]]]></description>
			<content:encoded><![CDATA[<p>Because of the strong demand for application whitelisting, I couldn&#8217;t be happier with the significant growth CoreTrace continues to experience well into 2010. Nearly halfway into the New Year, I&#8217;m also very pleased to announce the addition of three software veterans who have joined our senior management team and will lead both our sales and product efforts.<span id="more-1700"></span></p>
<p>Our new SVP of sales is Jim Reiss. Jim comes from NetIQ and brings a wealth of senior management experience in the software industry. That experience will be invaluable as he helps drive CoreTrace&#8217;s sales strategy and revenue growth across all product lines and channels.</p>
<p>Our new SVP of product development and delivery is Jim Weakley. Jim&#8217;s impressive resume includes executive roles with companies like Dell, Mirage Networks and Compaq. In those companies, Jim has led almost every aspect of product delivery including engineering, global SaaS onboarding, technical operations and customer delivery efforts.</p>
<p>Ron Clarkson is our new VP of product management. Ron will be responsible for designing all aspects of CoreTrace&#8217;s product strategy and defining market-leading requirements. Ron&#8217;s background includes leading a global team of product managers responsible for the Endpoint Security product line at Trend Micro.</p>
<p>We are extremely fortunate to have such highly experienced, accomplished and knowledgeable business leaders join our staff. The growth of our team reflects the growth in awareness and adoption of application whitelisting solutions in the marketplace. More than ever, companies are turning to whitelisting solutions to address the shortcomings of legacy endpoint security applications. CoreTrace is growing to meet this need and lead the charge toward addressing today&#8217;s security threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-05/coretrace-welcomes-seasoned-veterans-to-senior-management-team/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
