EICAR struggles for better IT Security Information
New problems with malware, advantages and side effects of network forensics tools and, above all, two important projects to improve European communication practices and structures on information security were the core topics of the European Institute for Computer Antivirus Research (EICAR) conference in Copenhagen, Denmark last week. About ninety international information security specialists attended the conference, listened to high-level presentations and discussed important issues of network and application security.
One of the results of the conference was the sense that programming antivirus tools to the needs of the users has become more and more troublesome for today's vendors. One reason for this is the existence of network surveillance and examination tools, which are used and sometimes even commercially sold as administration tools, but at the same time spread illegally as hackers' devices.
Antivirus software can't simply stop and delete those tools, even if they are commonly found in the shape of Trojan horses. "We have similar problems with spyware," explained Jakub Kaminski, Virus Research Manager Computer Associates Australia. "In some cases software of this kind is used for legal collection of data." Because of these problems, antivirus software can't be distributed or updated with signature lists ready to use for anyone any more. Administrators will have to spend more time on configuring antivirus programs to the needs of their own organization.
Businesses and noncommercial institutions desperately need to be better organized and more comprehensive information on vulnerability issues to be able to survive hacker attacks and other threats. This topic was discussed by some of the presenters and also by EICAR officials. EICAR currently runs two projects to improve security information in Europe: CAMDIER (Cyber Attack Methods Detection & Information Exploitation) and CASES (Cyberworld Awareness and Security Enhancement Structure). EICAR tries to associate both projects with official E.U. projects.
According to Professor Urs Gattiker PhD, Scientific Director of EICAR, CAMDIER brings together people from various disciplines, organizations and countries within the E.U. to develop a framework for the classification and categorizing of various types of attacks.
One of the basic objectives is to develop a unified naming convention for malicious codes and attacks. This topic was subject to lively debate at the conference, because some of the antivirus vendors are not completely convinced that they should give up the existing naming methods which result in names that don't describe a virus in details, but instead are easy to remember.
In a separate presentation, Sarah Gordon of Symantec Corp. stressed the importance of developing a standardized name scheme. "The new names must include basic information on the nature of the virus, " she said, "to help users to start immediately with the right countermeasures." CAMDIER will also focus on finding new techniques for fast automatic and semiautomatic classification of new attacks.
CASES is a project to develop an European information exchange network in order to share information about vulnerabilities and threats. CASES will interact with international CERTS and similar information providers, and will help to raise awareness among users.
The loss of privacy to network forensics and surveillance tools was the main topic of one panel discussion. Many agreed that the fight for privacy is nearly lost.
Specialists have to focus on rules for the appropriate use of collected data, they explained. Robert Niedermeier pointed out that even a strong logging tool can be modified to meet strong European privacy rules by making most of the collected data anonymous. "I don't believe that we can educate the users so much that we can drop surveillance tools," said Herv