How can you be sure your organization doesn't have insidious viruses or other malware lurking within systems and applications, waiting to inflict damage? You can't.
Malware has grown sophisticated to the point where there's no guarantee that it's actually gone, even when you've applied the latest antivirus software. Making matters worse, IT infrastructures are becoming much more complex -- with an ever-growing population of devices that give malware even more possible entry points.
[ Your executives are big, fat, juicy targets for spearphishing attacks. Learn how to protect them from being harpooned. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]
These days, you have to assume there are some infected PCs or other devices on the corporate network.
Get used to it: Malware is everywhere you go The malware problem is getting worse. According to the Ponemon Institute's 2011 State of Endpoint Risk study, 43% of the 782 U.S.-based IT and IT security professionals surveyed reported a "dramatic uptick" in malware in 2010. Fully 98% of the organizations surveyed by Ponemon experienced a virus or malware-based network intrusion, and 35% said they had experienced 50 malware attempts within a span of just one month, or more than one intrusion per day.
"The current batch of malware we're seeing is very sophisticated and well written, and it hides itself well and avoids detection well," says Fred Rica, principal in the information security advisory practice at the PricewaterhouseCoopers consulting firm.
The good news is that this "living with malware" scenario doesn't have to lead to lost data, unavailable systems, or other problems. Companies can and do function despite these intrusions.
Here are some approaches that can help minimize the effect of malware on your network and in your systems so that your company can carry on with business despite the nagging presence of these troublesome programs.
Malware survival tip No. 1: Practice good data governance You can help minimize the damage caused by malware by more effectively protecting the specific types of data that many of the malware programs are going after in the first place. In a lot of cases, they're looking to exploit sensitive data such as personal information, trade secrets, research and development findings, and other intellectual property, Rica says.
PricewaterhouseCoopers is working with many of its clients to create a strong data governance model that helps the organizations better understand what their most critical data is, where it's stored, how it moves on the corporate networks, and how they can put the right controls in place to maximize the security of that information.
An audit of the information assets at many companies will show that sensitive data such as customer credit card numbers is initially well-guarded, Rica says. But eventually it ends up in less-protected applications such as spreadsheets or emails, where it is more susceptible to malware.
"We've seen clients lose tens of millions of credit card or Social Security numbers because they're in spreadsheets somewhere outside the HR system," Rica says. "Our approach is to use better data governance models so that this data has the same [security] controls around it regardless of where it resides. Make sure the data is protected through all stages of its lifecycle."
Because all data is not equal, a key part of data governance involves categorizing information so that you can identify which data is most critical to the company and its customers. From there, you can apply more stringent access controls.
"Start to separate the infrastructure based on what are your crown jewels versus what's costume jewelry," says Patricia Titus, chief information security officer at technology services provider Unisys. Titus says Unisys uses guidelines created by the National Institute of Standards and Technology (NIST) designed to help organizations characterize the importance of their data and select the right security controls.
Malware survival tip No. 2: Deploy technologies and tactics that can help keep malware from spreading Even when some of your systems are infected with a virus to the point where nothing seems to remove it completely, that doesn't mean the virus has to spread to other systems in your organization.
When you discover or suspect such a virus, take the infected systems offline as soon as possible to reduce the chance of spreading the malware or compromising other systems. Next, reapply a known, clean image, says Andy Hayter, the antimalcode program manager at ICSA Labs, a testing and certification firm.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
Putting in a layered defense that includes technologies such as firewalls, antispam, intrusion prevention systems, intrusion detection systems, and antivirus software -- plus keeping systems up to date with the latest patches -- should help prevent the malware from infecting an entire organization, Hayter says.
"Control gateways between network segments and apply greater monitoring and control over internal networks," adds Richard Zuleg, a consultant at security consulting firm SystemExperts.
Encrypt traffic and data whenever possible, Zuleg advises, and use technology such as server and desktop virtualization both to quickly redeploy systems or even reset them to clean images and to separate data from the system.
"Companies need to be controlling who has advanced privileges on systems and strictly control access to data," Zuleg says. "If infected PCs are to become an accepted part of a network segment, then you will have no trust in that segment and must consider it to be like the public Internet."
New network analysis tools will soon emerge that let you better identify where malware exists on the network and how to best contain viruses, says Marc Seybold, CIO at the State University of New York at Old Westbury. When such technology becomes available, "if devices that Jane Smith uses to access the network are persistently trying to transmit data to outside domains that are in some way anomalous compared to other traffic on the network or her long-term patterns, then additional attention would be focused on such a user's devices and remedial action taken," he says. Among the companies working on such technology are Alcatel-Lucent, Riverbed, and SonicWall.
At the same time, Seybold says, network traffic flows will start to be more compartmentalized and insulated from each other as network access control and policy-based management are combined with application flow monitoring. "As these are linked up, full behavioral analysis based on end-to-end application flows bound to specific users will become possible," he says. Eventually there might be predictive analytics that could preemptively intercept malware transmissions based on past user behavior, "but that is still science fiction," he says.
Malware survival tip No. 3: Diversify your IT infrastructure to decrease reliance on one or two OSes or browsers It might make sense to move away from the Windows monoculture, which can be more quickly and easily attacked, and bring in other operating systems and devices so that you know a malware infection can never take down everyone in the organization. Maybe some people who handle critical systems or data can use a Linux PC or a Mac OS X PC so that they're not as likely to be hurt by a virus aimed specifically at a common Windows vulnerability.
Along these lines, consider avoiding a browser monoculture, because a lot of current malware invades systems via the browser. Evaluate browsers such as Internet Explorer, Firefox, Chrome, Safari, and Opera to see which fit best with your enterprise applications and user base.
"Diversity is always good to prevent your entire infrastructure from coming down," says B. Clifford Neuman, director of the University of Southern California's Center for Computer Systems Security. "But there is the flip side to this strategy in that it gives an intruder many different possible choices of attacked system in which to get a foothold into your organization." You trade potentially limiting infection for having more possible infection entry points.
Of course, whenever you make a move to switch operating systems, you might encounter resistance from some quarters. Tony Hildesheim, senior vice president of IT at financial services firm Redwood Credit Union, says his company is reviewing the use of alternative operating systems, browsers, and some business applications. But "none of these options appear to be all that popular with the business units," he notes.
Technology diversity is not always an effective defense per se. ICSA Labs' Hayter points out that malware infections are not limited to desktop PC environments. "There are many serious pieces of malware that can infect other [operating systems] and devices, be they desktop-based or mobile," he says. "Additionally, malware can cross platforms from one OS or device to another, further requiring a layered defense plan."
Malware survival tip No. 4: Be sensible about using consumer devices in the workplace If you believe in allowing lots of data access for everyone and from every conceivable type of device, it might be time to rethink your data management and access strategy. Limit network access via mobile devices to those users who really need this access, and put in place controls so that those who can get in to the network can only reach certain parts of it.
Personal portable devices such as tablets, laptops, and Wi-Fi-equipped smartphones are becoming ever more popular in the workplace, and users will want to be connected to the corporate network.
But using diligence when granting access -- considering that these devices might be sources of malware -- makes sense. "What we've noticed is that once devices reach a certain threshold of consumer acceptance, malware appears for those platforms," says SUNY Old Westbury's Seybold. "Witness [recent] iPhone and Android attacks."
According to the Ponemon study, the rise of mobile and remote workers, PC vulnerabilities, and the introduction of third-party applications onto the network are the greatest areas of endpoint security risk today. This is a shift from last year's survey, when endpoint security concerns were mainly focused on removable media and data center risks.
Even without the "bring your own device" and "use your own apps" trends to consider how to manage, IT could reduce the ability of malware to spread by rethinking how many apps it deploys for users. "In looking at our line staff, there is no reason they need all the tools loaded on all the systems," says Redwood Credit Union's Hildesheim.
A report released in April 2011 by PandaLabs, Panda Security's antimalware laboratory, showed that the first three months of the year have seen "particularly intense virus activity," including a major attack against Android smartphones and intensive use of Facebook to distribute malware.
The beginning of March saw the largest ever attack on Android to date, the PandaLabs report stated. The assault was launched from malicious applications on Android Market, the official Google app store for the mobile OS. In just four days, these Trojan applications racked up more than 50,000 downloads: "The Trojan in this case was highly sophisticated, not only stealing personal information from cellphones, but also downloading and installing other apps without the user's knowledge."
Malware survival tip No. 5: Build a solid security foundation to protect the organization, rather than to protect devices Sure, you need antimalware software on PCs and other devices to help prevent infections. But to create an environment where your company can continue to function without malware-related problems even with the existence of malware on some systems, you have to deploy a secure system architecture rather than a security architecture for a system, says USC's Neuman.
"You need to determine issues such as placement of data with an understanding of the application and the risks of compromise of the data, rather than just bolting security solutions onto an existing system," Neuman says. "Good architecture will define multiple protection domains, with successive layers of protection deployed, and fewer users legitimately able to access data as it becomes more and more sensitive."
Along these lines, processor manufacturer Intel has embarked on an ambitious multiyear effort to redesign its information security architecture, which the company hopes will allow it to better keep up with the rapid evolution of malware.
"We believe that compromise is inevitable, and in order to manage the risk, we need to improve survivability and increase our flexibility," says Malcolm Harkins, vice president of the IT group and chief information security officer at Intel.
The redesign is based on four pillars:
- A "dynamic trust calculation" that adjusts users privileges as their level of risk changes
- A segmentation of the IT environment into multiple "trust zones"
- A rebalancing of prevention, detection, and response controls
- A clear recognition that users and data must be treated as security perimeters and be protected as such