For the sake of argument, let’s say an anti-malware strategy combining cloud-based malware identification and information sharing capabilities could eliminate the bulk of malware. Even in a perfect world with perfect collaboration, such an approach will fall short of protecting enterprise systems against more sophisticated cyber attacks if it relies heavily on reactive blacklisting technology.
As reported in the article “IT security industry collaboration could eliminate 90% of malware,” Eugene Kaspersky, co-founder and chief executive of Kaspersky Lab, recently told attendees at Infosecurity Europe 2011 that identifying malware faster would cut the number of initial infections to the point that it would break the business model of most cyber criminals.
“The number of initial infections will be so low that it will cost cybercriminals more to develop the malware than they are able to recoup.”
With all due respect to Mr. Kaspersky, there are two things in this article we take exception to.
Last week, I read an interesting piece by our friend at Gartner, Neil MacDonald. Neil wrote about how advanced intrusions are increasingly evading traditional protection mechanisms like firewalls and antivirus software. In the article, “Advanced Persistent Threats: Finding the Needle in a Haystack,” Neil says spotting cyber threats today is much like searching for a “needle in the haystack.” As a result, security professionals are better off taking a whitelisting approach: remove the known good hay (which he calls “high assurance hay”) from the stack, and once that hay is identified, all you have left are needles that can be discarded.
I really like the metaphor. The simple fact is that security professionals are no longer looking for a single needle, or even a few needles, in the haystack. They are trying to find hundreds, potentially thousands, of needles in their network, many of which are successfully evading detection or are cleverly disguised as good hay.
In the recent blog post “Stuxnet Targeting Specific SCADA Configurations,” Danny Lieberman provides a nice, thorough analysis of the high-profile worm in its current state. From what we know, the worm targets plants with a specific configuration, is activated whenever Siemens WinCC or PCS7 software is installed, and can influence the processing of operations in the control system under certain boundary conditions. For the time being, Stuxnet can be removed from affected systems by standard antivirus programs with signatures updated as of August 2010.
This is what we know, but unfortunately, it’s what we don’t know that poses the real threat.
As I mentioned when Stuxnet was first discovered, it is not the worm itself that poses the greatest threat; it is copycat attacks that use the Stuxnet blueprint to take cyberweaponry to the next level.
There’s always a way in.
That’s the straightforward yet disturbing message from hacker-for-hire Marc Maiffret after his team, hired by a large California-based water system to probe its computer networks for vulnerabilities, took control within one day of the equipment that adds chemical treatments to drinking water, which could hypothetically have made the water undrinkable for millions of homes.
Coming from an application whitelisting provider, it might seem rather odd that we would agree with anyone who says whitelisting is not a replacement for antivirus. Because the two take opposite approaches to fighting malware (one enumerates what is known bad, the other what is known good), it’s only natural that people assume you can use only one or the other. But that’s just not true.
In the article, “Whitelisting on its own not a substitute for antivirus,” Network World’s Ellen Messmer writes that whitelisting should be used as a complementary security defense, not a standalone solution. And we absolutely agree. Here’s why.
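To make the “remove the known good hay” idea from the MacDonald post and the “complementary, not a substitute” point above concrete, here is an added example (not code from the original posts, from Gartner, or from any vendor product) of a hash-based application allow-list scanned side by side with a signature blacklist. Every path, file body and hash is constructed for this example; it assumes an allow-list built from a trusted baseline image and a blacklist holding the hash of one known malware sample.

```python
"""Added example: a toy application-whitelisting check beside a signature
blacklist, to show what each catches. All paths, file bodies and hashes
below are constructed for this example (assumption: the allow-list comes
from a trusted golden image, the blacklist from an AV signature feed)."""
import hashlib
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    ALLOWED = "allowed"        # hash on the allow-list: known good hay
    KNOWN_BAD = "known_bad"    # hash on the blacklist: AV signature hit
    UNKNOWN = "unknown"        # on neither list: a needle only whitelisting surfaces


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden image: the binaries IT has approved, keyed by path.
BASELINE: Dict[str, bytes] = {
    "C:/Windows/System32/svchost.exe": b"MZ\x90\x00 constructed svchost body",
    "C:/Program Files/App/app.exe": b"MZ\x90\x00 constructed app body",
}
# The allow-list is keyed by content hash, not by file name or path.
ALLOW_LIST = {sha256(body) for body in BASELINE.values()}

# Constructed AV signature: the hash of one known dropper sample.
KNOWN_MALWARE = b"MZ\x90\x00 constructed dropper v1"
BLACKLIST = {sha256(KNOWN_MALWARE)}

# Constructed scan of a host: two approved binaries, the known dropper,
# a repacked dropper the signature no longer matches, and a trojan that
# borrows the name of a trusted binary ("disguised as good hay").
SAMPLE_SCAN: Dict[str, bytes] = {
    "C:/Windows/System32/svchost.exe": BASELINE["C:/Windows/System32/svchost.exe"],
    "C:/Program Files/App/app.exe": BASELINE["C:/Program Files/App/app.exe"],
    "C:/Users/Public/update.exe": KNOWN_MALWARE,
    "C:/Users/Public/update2.exe": b"MZ\x90\x00 constructed dropper v2",
    "C:/Users/Public/svchost.exe": b"MZ\x90\x00 constructed trojanized svchost",
}


def classify(data: bytes) -> Verdict:
    """Allow-list first (it is the stronger claim), then blacklist, else unknown."""
    h = sha256(data)
    if h in ALLOW_LIST:
        return Verdict.ALLOWED
    if h in BLACKLIST:
        return Verdict.KNOWN_BAD
    return Verdict.UNKNOWN


def scan(files: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {path: classify(data) for path, data in files.items()}


def blacklist_hits(results: Dict[str, Verdict]) -> List[str]:
    """What antivirus alone would flag: only files matching a known signature."""
    return sorted(p for p, v in results.items() if v is Verdict.KNOWN_BAD)


def needles(results: Dict[str, Verdict]) -> List[str]:
    """What is left after the known good hay is removed: everything not allowed."""
    return sorted(p for p, v in results.items() if v is not Verdict.ALLOWED)


def main() -> None:
    results = scan(SAMPLE_SCAN)
    for path, verdict in results.items():
        print(f"{verdict.value:10s} {path}")
    print("blacklist alone flags:", blacklist_hits(results))
    print("whitelist leaves as needles:", needles(results))


if __name__ == "__main__":
    main()
```

The blacklist flags only the sample whose hash it already knows; the repacked variant and the name-spoofed binary sail past it. Removing the allow-listed hay instead leaves all three as needles, but it says nothing about which needle is which. Keeping both lists is what lets an analyst triage: the blacklist labels the known-bad needle immediately, and the allow-list is what surfaces the other two at all.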