<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/patching/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>A Tale of Two DoDs: U.S. and Australian cybersecurity plans differ in depth and usefulness&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/</link>
		<comments>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  
Toney Jennings, CoreTrace CEO and a former Air Force [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  </p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a>.  The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &#038; companies???”</a> post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense.  However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was <b><i>extremely high level and highly prone to status quo thinking and actions</i></b>, e.g.,</p>
<blockquote>
<p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p>
</blockquote>
<p>Which brings me to the Australian DoD.  In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies.  According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<ol>
<li><strong>Patch applications</strong> e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</li>
<li><strong>Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</li>
<li><strong>Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</li>
<li><strong>Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</li>
</ol>
</blockquote>
<p>I sincerely hope the US DoD will take a page from their Australian counterparts.  Learn, adapt, and survive. It is a far better strategy than simply standing pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Windows crashes linked to rootkits after problems with latest patch</title>
		<link>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/</link>
		<comments>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 19:03:52 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[patching]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1297</guid>
		<description><![CDATA[Growing evidence suggests that a rootkit infection was *one* of the culprits behind last week&#8217;s Blue Screen of Death incident that caused countless Windows PCs to lock down after installing several Microsoft security patches.  While many follow-up articles have focused on the malware infection that caused the problem, including Robert Westervelt&#8217;s SearchSecurity.com article, &#8220;Windows [...]]]></description>
			<content:encoded><![CDATA[<p>Growing evidence suggests that a rootkit infection was *one* of the culprits behind last week&#8217;s Blue Screen of Death incident that caused countless Windows PCs to lock down after installing several Microsoft security patches.  While many follow-up articles have focused on the malware infection that caused the problem, including Robert Westervelt&#8217;s SearchSecurity.com article, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html?track=sy160&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29" target="_blank">&#8220;Windows blue screen may be result of rootkit infection,&#8221;</a> from an endpoint security standpoint, most seem to be missing the point. And that point is this: even if malware triggered this particular failure, rushed patching is a process that can always cause problems.<span id="more-1297"></span></p>
<p>As I mentioned in last week&#8217;s entry, <a href="http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/" target="_blank">&#8220;Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching,&#8221;</a> relying on antivirus defenses to protect endpoints ties organizations to fire drill software patching. Reactive software application patching will never provide the level of protection today&#8217;s companies need to adequately protect their networks against harmful malware. As Mr. Westervelt goes on to write:</p>
<blockquote>
<p>Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits.</p>
</blockquote>
<p>What these recent stories point out is that malware infections on these devices only highlight the fact that existing desktop security isn&#8217;t working properly. Why else are these companies regularly patching?  The desktop security paradigm of antivirus and patching simply isn&#8217;t working.</p>
<p>Unfortunately, what we&#8217;re seeing is that patching itself is also causing problems on these systems. Organizations are better off focusing on ways to effectively stop Web malware and malicious code from deploying in the first place than aimlessly reacting to cyber criminals exploiting the known and unknown vulnerabilities within their network.  Playing catch-up with more patches is not only a losing proposition for IT security professionals, it seems to be compounding the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/windows-crashes-linked-to-rootkits-after-problems-with-latest-patch/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching</title>
		<link>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/</link>
		<comments>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 16:02:01 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[patching]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1281</guid>
		<description><![CDATA[This week I kicked off our Planet Antivirus challenge with a blog entry highlighting the top 5 failures of antivirus. My fifth point highlighted the fact that relying on antivirus resulted in a reliance on fire drill patching as a result:

Relying on antivirus ties companies to fire drill software patching &#8212; The side effect of [...]]]></description>
			<content:encoded><![CDATA[<p>This week I kicked off our <a href="http://www.planet-antivirus.com/" target="_blank">Planet Antivirus</a> challenge with a blog entry highlighting the <a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/" target="_blank">top 5 failures of antivirus</a>. My fifth point highlighted the fact that relying on antivirus results in a reliance on fire drill patching:</p>
<blockquote>
<p>Relying on antivirus ties companies to fire drill software patching &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can’t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</blockquote>
<p>It&#8217;s rare that such a post has supporting evidence appear just days after it is published, but this week, that is exactly what happened. It was reported this week that a Windows XP security update resulted in the notorious Blue Screen of Death (BSOD), locking up many users’ Windows XP PCs. According to the article <a href="http://www.computerworld.com/s/article/9155419/Windows_patch_cripples_XP_with_blue_screen_users_claim" target="_blank">&#8220;Windows patch cripples XP with blue screen, users claim,&#8221;</a> hundreds of Windows users expressed their frustrations on the company&#8217;s support forum throughout the week.<span id="more-1281"></span></p>
<p>The problem appears to have originated with one of the 13 updates the company issued on Tuesday to patch a 17-year-old kernel bug in all 32-bit versions of Windows. After users updated and tried to restart their PCs, they ran into the infamous Blue Screen.</p>
<p>Unfortunately, this is yet another example of the growing problems organizations experience when relying on patches to secure their network, and of the dangers of rolling out patches quickly. This isn&#8217;t an isolated case, as the article points out:</p>
<blockquote>
<p>This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.</p>
</blockquote>
<p>There was once a time when patching was an effective way of dealing with security flaws and vulnerabilities within an organization&#8217;s operating systems. However, in today&#8217;s world, given the sheer volume of new patches combined with the time it takes to disclose a vulnerability and then create and distribute the updated code, systems are practically sitting ducks for new malware and viruses ready to exploit a network at every opportunity. In addition, when the patch finally comes out, smart organizations take the time to ensure that the fix itself won&#8217;t cause problems with their systems. That&#8217;s where a solution such as application whitelisting can help. Whitelisting gives organizations time to test patches and roll them out on a regular schedule, avoiding both fire drill patching and additional time exposed to attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The top 5 failures of antivirus</title>
		<link>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 15:43:59 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1240</guid>
		<description><![CDATA[I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrates the failure of our old [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/back-to-square-one-signpost/" rel="attachment wp-att-1253"><img src="http://www.coretraceblogs.com/wp-content/uploads/2010/02/iStock_failure_sign-303x201.jpg" alt="" title="The top 5 failures of antivirus" width="303" height="201" class="alignright size-medium wp-image-1253" /></a>I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old paradigm to protect endpoints.</p>
<p>Later this week, we are launching a fun (and funny) awareness campaign, called Planet Antivirus, highlighting the weaknesses of antivirus and focusing on the need to completely rethink our approach to how we defend endpoints. Today I am kicking this campaign off by highlighting the top five failures of antivirus technology:<span id="more-1240"></span></p>
<ul>
<li>
<p><strong>Antivirus is a performance hog</strong> &#8212; One of the most common complaints we hear about antivirus is its performance impact. This can weigh more heavily on the minds of IT managers than its problems with catching new threats. A perfect example of this is a <a href="http://reviews.cnet.com/Labs/4520-6603_7-5020816-10.html" target="_blank">description from CNET Labs</a> on how they test antivirus:</p>
<blockquote>
<p>&#8220;Antivirus programs are designed to detect and intercept harmful files downloaded to your computer. In order to monitor incoming files, however, antivirus programs &#8212; like all applications &#8212; need to use system resources. The degree to which an antivirus program detrimentally affects a system&#8217;s performance varies from one application to another. CNET Labs tests three areas of antivirus application performance: how deep-file virus scanning impacts overall system performance, how quickly files can be scanned for viruses, and how system boot time is affected by the antivirus program. We also report on how effective the antivirus programs are at identifying viruses by citing the studies of established industry authorities.&#8221;</p>
<p>It is telling that the majority of their test is concerned with how antivirus detrimentally impacts system performance. The effectiveness of the antivirus solution is almost an afterthought.</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus is an after the fact cleaner and it doesn&#8217;t even do that well</strong> &#8212; The simple fact is that antivirus can&#8217;t protect you from getting infected. This is indisputable and has been empirically proven time and again. So why do we still use it? One reason people continue to use antivirus is that it is used to identify infections and to clean up the mess. Unfortunately it doesn&#8217;t even do that well. If you are infected by a particularly nasty piece of malware, many times the best option you have is to completely rebuild your system. There is a great post on this on the Cornell Information Technology site titled, <a href="http://www.cit.cornell.edu/security/respond/wipeclean.cfm" target="_blank">&#8220;Rebuilding Your System Is the Safest Road to Recovery after a Malware Attack,&#8221;</a> that does a good job of making this case:</p>
<blockquote>
<p>&#8220;<strong>Dangerous software hides from repair tools</strong>: The IT Security Office recommends formatting one&#8217;s hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate, and effective, concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often removal of the malware can render the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.</p>
<p><strong>Complete reinstallation is necessary</strong>: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.&#8221;</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus was designed to address a different threat</strong> &#8212; Despite the addition of heuristics and behavioral models to detect variants of malware, the fact remains that blacklisting is the foundation of antivirus and it was designed to address a different threat than today&#8217;s malware. Antivirus originated to protect against propagating threats. These threats either propagated through the sharing of disks and files by individual users or were self-propagating worms that identified weaknesses in networked computers and subsequently infected vulnerable systems. Blacklisting in this model was feasible and effective because it was easy both to collect samples of the malware and to protect against a limited set of threats.</p>
<p>Today&#8217;s threats are different. Today, online crime hinges on the combination of social engineering and vulnerability exploitation that allows the attacker to place a custom piece of malware on the targeted system. This is a much harder problem to solve by blacklisting. The attacks can be customized for uniquely targeted online businesses or groups of businesses with software that would elude even the most sophisticated antivirus solution. My main concern if I were Google or any of the other companies targeted in Operation Aurora wouldn&#8217;t be what data they stole from me, but what malware they left behind to use at another time. Most likely they will have to resort to reinstalling those systems, as I mentioned in the previous point.</p>
</li>
<li>
<p><strong>Antivirus updates are too frequent and can cause problems</strong> &#8212; In order to keep up with the exploding world of malware, most antivirus applications issue updates at a very regular interval. This can be as frequent as an update a day in some cases. The problem with this is not only that it requires regular distribution of these updates to all endpoints, with the corresponding performance impact, but also that the frequency of updates means problems from the updates are more likely to occur. The decrease in reliability of signature updates means that many organizations try to test updates before they roll out the new signatures. This simply isn&#8217;t practical. The frequency of signature updates means that testing won&#8217;t work or even be completed before the next update arrives. Organizations either need to revert to a less frequent update schedule to allow testing, potentially extending the time they are exposed to a new threat, or they need to simply trust that the update files from their antivirus company won&#8217;t cause problems. Neither of these options is optimal.</p>
</li>
<li>
<p><strong>Relying on antivirus ties companies to fire drill software patching</strong> &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can&#8217;t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</li>
</ul>
<p>2010 needs to be the year that we begin a healthy discussion of completely re-evaluating the approaches we use to protect our endpoints.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for November 2009</title>
		<link>http://www.coretraceblogs.com/2009-12/top-endpoint-security-stories-for-november-2009/</link>
		<comments>http://www.coretraceblogs.com/2009-12/top-endpoint-security-stories-for-november-2009/#comments</comments>
		<pubDate>Thu, 03 Dec 2009 20:09:56 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=957</guid>
		<description><![CDATA[November was a busy month for security stories. The month kicked off with more stories of massive security patches from both Microsoft and Apple leaving me to wonder when the patching madness will ever end. Windows 7 was found to have a flaw that allows denial of service attacks. Internet Explorer v7 (IE7) even made [...]]]></description>
			<content:encoded><![CDATA[<p>November was a busy month for security stories. The month kicked off with more stories of massive security patches from both Microsoft and Apple, leaving me to wonder when the patching madness will ever end. Windows 7 was found to have a flaw that allows denial of service attacks. Internet Explorer v7 (IE7) even made it into the news with the latest vulnerability, but I question efforts to patch an aging application: why not just upgrade, or use <a href="http://www.mozilla.com/en-US/firefox/firefox.html" target="_blank">Firefox</a>? If they aren&#8217;t willing to upgrade, do people really think they will patch IE7?</p>
<p>Without further delay, here are the stories that caught my eye in November:<span id="more-957"></span></p>
<ul>
<li class="margin_bottom_1em"><strong>Apple issues a massive security patch of its own</strong> – In November <a href="http://threatpost.com/en_us/blogs/apple-plugs-58-holes-monster-mac-os-x-update-110909" target="_blank">Apple issued a patch that fixed 58 holes</a> as reported by Threatpost. The days of Apple being immune to security compromise are over. The combination of phishing and browser based attacks should make Mac users concerned and will soon drive security solutions adoption on those systems.</li>
<li class="margin_bottom_1em"><strong>Microsoft is back with its own large security patch</strong> – Microsoft fixed <a href="http://www.computerworlduk.com/technology/operating-systems/windows/news/index.cfm?newsid=17501" target="_blank">15 separate vulnerabilities with 6 security updates</a> in November. This is the same old story as previous months, but at least it wasn&#8217;t the record 13 updates of October.</li>
<li class="margin_bottom_1em"><strong>Microsoft reported an increase in worm infections, but a decrease in scareware antivirus</strong> – Worm infections were up over 98% since the last Microsoft Security Intelligence Report, and it appears that Conficker bears a good part of the blame. Researchers believe that it is still being spread by USB keys with autoexecute capabilities. Scareware, where a user is tricked into visiting a site that claims they are infected and is then prompted to download &#8220;protection&#8221; from the malware, is down.</li>
<li class="margin_bottom_1em"><strong>More news of botnet operators utilizing social networks to avoid detection</strong> – Searchsecurity.com reported that <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373974,00.html?track=sy160" target="_blank">botnet writers are turning to Google and social networks</a>. Popular social networking sites like Facebook and Twitter are increasingly prominent in security news for both spreading infection and providing a means of command and control for organized malicious software writers.</li>
<li class="margin_bottom_1em"><strong>Four people were sentenced in the UK for attacks on online banks</strong> – This is something I would like to see more of. It is a rare occurrence when cyber criminals are actually tracked down and brought to justice. Last month <a href="http://www.itworld.com/security/84838/uk-hails-first-cybercrime-cooperation-banks" target="_blank">four individuals who were siphoning money from online accounts were caught and sentenced</a>.</li>
<li class="margin_bottom_1em"><strong>CSO Online had a nice detailed story about the fight against botnets</strong> – CSO published a seven-page story <a href="http://www.csoonline.com/article/507936/The_Botnet_Hunters_">about the individuals and organizations who research and combat botnets</a>. It&#8217;s an interesting and informative read.</li>
<li><strong>Windows 7 is revealed to have a flaw that allows DoS attacks</strong> &#8211; <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374572,00.html?track=sy160&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29" target="_blank">A flaw in the OS&#8217;s Server Message Block (SMB) implementation could be used to crash the system</a> and could be triggered when a user visits a malicious website.</li>
</ul>
<p>There were several other interesting stories, but the fact remains that endpoints are under attack and we are in a continual catch up game with our current endpoint security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-12/top-endpoint-security-stories-for-november-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

