More than antivirus pt. 3: recent changes on the cyberfront

A look at what the “threat landscape” is comprised of for businesses.

Businesses today face a much greater cybersecurity challenge than they did a few years ago, mainly because there are more possible attack vectors to keep in mind. There are also far more people who would like to help themselves to other people’s money and data, and the tools for doing so are available off-the-shelf. For instance, just three years ago few had heard of the “advanced persistent threat,” while today this term, among many others, is firmly rooted in the IT security vocabulary. In this post we look at what the “threat landscape” (also a new term, by the way) is comprised of today for businesses. But first…

Time it was and what a time it was…

The “Small” malware family: Standard resident viruses are added at the end of .com files (except for Small-114, -118, -122, which are written at the beginning) when loading files into memory. Most of the family viruses use commands POPA and PUSHA of 80×86 processors.

Konstantin Goncharov pulled that quote from the “Computer viruses in MS-DOS” book by Eugene Kaspersky, published in 1992.

A glorious time, when all of the then-extant viruses could be described in a reasonably thin book, and were actually the main, if not the only, cyberthreat. As shown in the previous post, classic viruses are no longer the cybercrime world’s focus, and they are not the primary problem today. Perhaps everyone would feel better if they were, except for the criminals, of course, who turned malicious software into a source of profit.

Threat Landslides: mobile

The primary change over the last five years or so is the wide introduction of mobile devices into business processes, which brought a lot of trouble with it. Bring Your Own Device has become accepted practice almost everywhere, but it comes with its own issues.

First, there is a lot of malware for mobiles, especially for Android (up to 99% of mobile malware targets this OS today). Mobile banking is very popular too, and of course this draws the attention of criminals, who have developed a large number of “thievery tools” to extract banking credentials and gain access to other people’s accounts, both personal and corporate.

More troubling still, only a minority of mobile device users choose to install any security solution on their smartphones and tablets. Once such devices become part of the corporate infrastructure, i.e. are used for work, they also become a potential source of risk: both loss of sensitive data and hostile infiltration of the corporate network.

Besides, if a mobile device that has been used to store working data and credentials is lost or stolen, the burning question of retrieving or remotely wiping it emerges, so that the sensitive data doesn’t “change hands”.

Counter-action: A “just antivirus” won’t do much good here, even if it is installed on the mobile device (which is rarely the case). What is necessary is a centralized Mobile Device Management solution that keeps IT staff informed of everything going on with the mobile devices in the network, including the ability to locate, lock and remotely wipe a lost device. A more detailed description of the technology can be found here.

Threat Landslides: targeted attacks and APT

The rather new concept of APT is somewhat vague. Initially it referred to well-resourced hacker groups involved in continuous and persistent attacks against a specific victim. Now it generally refers to a specific kind of malicious cyber campaign involving a series of diverse activities with the intent to cause harm or steal important and sensitive information. The groups behind such attacks are now called “APT groups”.

Initially, attacks and campaigns of APT level targeted large organizations, including non-commercial and governmental ones (check out the latest addition, by the way: BlueTermite). This year, however, there has already been a purely criminal bank-targeting APT, Carbanak, as well as a cyberespionage campaign called Grabit that specifically hit small-to-medium companies. It doesn’t look like it will take long before APTs become a common problem for smaller businesses.

In fact, APT attackers use the same initial attack methods as other criminals: phishing, Trojans, exploits for known and 0-day vulnerabilities, etc. But, true to the name, they are very persistent: a failed first attempt is followed by another.

Take a look at our recent post “What is APT and why is it called that?”.

Counter-action: First of all, it is necessary to plug all possible holes, namely software vulnerabilities, on PCs, servers and mobiles. Employees should be educated on phishing: how to recognize it and how not to fall prey to it. Aside from this, a comprehensive security solution is necessary, one capable of blocking phishing attempts, detecting intrusion attempts, and preventing exploits from being run on the systems, even when the software vulnerabilities being exploited are entirely new.

Threats aren’t going away

Mentioned above are just a handful of the regular issues businesses have to face; there are many others, such as not-so-harmless spam, fraud, DDoS attacks and encrypting ransomware, which also deserve “threat landslide” status. Most likely, new and still unknown threats will emerge as IT develops further. However, a large portion of those are predictable, since they depend on software vulnerabilities.

Unfortunately, it doesn’t look like the software flaw, the actual source of a large part of cyberthreats, can be beaten any time soon. Keeping track of all the business software installed within a company is a burdensome task, and unless there is an automated solution in place, the lag between the release of an urgent critical patch and its actual installation can be quite long. For criminals, that lag is a window of opportunity.

An automated patch management tool, combined with automatic updates, is a must here; otherwise the infrastructure stays exposed for too long.
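To make the “window of opportunity” concrete, here is an added example (not code from the original post or from any vendor product) that does the first job of a patch management tool: compare a software inventory against vendor advisories and report, per host, how many days each machine has been running a version older than the fix. The inventory records, the advisory records and their schema are constructed sample data; the version comparison is a simple dotted-numeric compare, which is an assumption that holds for the sample but not for every vendor’s version scheme.

```python
"""Patch-lag report: how long each host stayed exposed after a fix shipped.

Added example; not from the original post. INVENTORY and ADVISORIES are
constructed sample data, and the record layout is an assumption.
"""
from datetime import date

# Constructed sample inventory: what an automated agent would report.
# "checked" is the date the inventory was taken.
INVENTORY = [
    {"host": "acct-pc-01", "package": "reader", "version": "11.0.3", "checked": date(2015, 7, 1)},
    {"host": "acct-pc-02", "package": "reader", "version": "11.0.10", "checked": date(2015, 7, 1)},
    {"host": "web-srv-01", "package": "java", "version": "1.8.0.45", "checked": date(2015, 7, 1)},
    {"host": "web-srv-01", "package": "reader", "version": "11.0.10", "checked": date(2015, 7, 1)},
]

# Constructed sample advisories: first fixed version and the day the fix shipped.
ADVISORIES = [
    {"package": "reader", "fixed_in": "11.0.10", "released": date(2015, 5, 12), "severity": "critical"},
    {"package": "java", "fixed_in": "1.8.0.51", "released": date(2015, 6, 16), "severity": "critical"},
]


def parse_version(version):
    """'11.0.3' -> (11, 0, 3). Non-numeric components compare as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_vulnerable(installed, fixed_in):
    """True when the installed version is strictly older than the first fixed one."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so that 11.0 == 11.0.0
    b += (0,) * (n - len(b))
    return a < b


def exposure_report(inventory, advisories):
    """Return (host, package, installed, fixed_in, days_exposed) tuples,
    longest exposure first. days_exposed counts from the fix release date
    to the inventory date; a fix newer than the inventory counts as 0."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings = []
    for item in inventory:
        for adv in by_package.get(item["package"], []):
            if is_vulnerable(item["version"], adv["fixed_in"]):
                days = (item["checked"] - adv["released"]).days
                findings.append((item["host"], item["package"], item["version"],
                                 adv["fixed_in"], max(days, 0)))
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings


if __name__ == "__main__":
    for host, pkg, installed, fixed, days in exposure_report(INVENTORY, ADVISORIES):
        print(f"{host:12} {pkg:8} {installed:10} fixed in {fixed:10} exposed {days:3d} days")
```

Run as-is it prints two findings: the accounting PC that never got the May reader update (about seven weeks of exposure) and the web server still on an old Java build. In a real deployment the inventory comes from an agent and the advisories from the vendor feeds; the point of automating the comparison is that the lag is measured continuously rather than discovered during incident response.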

There are still individuals and businesses who believe “a good antivirus” will solve all potential security problems. But security threats are growing not just in number, but also in complexity. Organizations around the world have to set up equally complex, multilayered defenses to protect themselves. A single-purpose security product isn’t enough.

Antivirus isn’t going away; it is, again, still at the core. But there is no reason to call modern business-oriented, multipurpose security suites, created to protect against a wide range of threats both related and unrelated to malware, “an antivirus”. Aside from being plainly wrong, it creates confusion: would anyone expect protection from spam and phishing, or patch management tools, in “an antivirus”? Hardly. Would anyone expect “an antivirus company” to provide decent multilayered protection for business infrastructure, which today is so volatile? No. That is why today the more appropriate names are “security solution” and “security vendor”.

It doesn’t mean antivirus is gone. It’s still there, and plays a major part, but it’s no longer the only part of a modern security solution. There are many more, equally important ones. An appropriate solution comprises them all.

Tips