Interview

Outlook 2007: Image spam, mobile malware rising

Bill Brenner
Several security vendors, most notably Symantec and McAfee, have voiced concern about the PatchGuard kernel protection feature in Windows Vista. But Sophos has actually come out in support of PatchGuard. Why is the kernel protection less of a problem for you?
What we were saying is that it's good for the industry as a whole if Microsoft makes its operating system more secure. We think locking down the kernel is a logical extension of that. We anticipated that Microsoft would do it. We were kind of surprised some vendors had not expected this. Microsoft locked down the 64-bit version of XP some time ago, so I think the writing was on the wall that this would happen. We haven't relied on kernel-level access to detect unknown threats for a long time.
How is Sophos' approach different?
A lot of software today is geared toward finding threats we haven't seen before. The approach a lot of security vendors take is to wait for code to execute to see if bad things are happening on the operating system. We approach it differently by looking at the DNA of the code pre-execution to determine if it's likely to execute and do something bad before it starts to attack the kernel. I think our industry has taken unnecessary potshots at Microsoft for doing something it should do.
In a recent interview, Sunbelt Software President Alex Eckelberry said PatchGuard is of particular concern to vendors who offer host-based intrusion prevention (HIPS) products. Is it that Sophos simply isn't offering as much on the HIPS front as other vendors; that your focus is in other areas?
The industry has done a pretty good job at confusing the term HIPS. Gartner has talked about nine different legitimate kinds of HIPS. For us, HIPS is preventing access that exploits the host and there are different ways to do it. We think our approach is as good as other vendors. We absolutely do HIPS, just in a different way that doesn't require us to have kernel access.
Talk about the evolving malware landscape as you see it.
We've seen a huge increase in image spam. It now accounts for up to 70% of all spam. The image spam has gotten much more effective at morphing and changing itself during the lifecycle of a spam campaign, making it much more difficult for traditional antispam vendors to block. We've had to update the speed of our spam products. We're also seeing a lot more stock-based scam spam, part of the larger trend of people using spam to get money. On the more traditional malware side, targeted Trojans -- particularly banking Trojans -- are on the rise. We saw a 50% increase in that in the first half of 2006 and that will increase to a higher rate [in the coming year and beyond]. It gets back to the overall trend where malware is more targeted, sophisticated and financially motivated.
Whether it's a mobile phone or another roaming device, how to lock down anything connected to infrastructure is something CIOs are starting to look at.
Steve Munford, CEO, Sophos
How much of the spam uptick is related to the increase in botnets?
Our stats indicate that it's all coming from a botnet somewhere, though not necessarily from one host. Botnets are very sophisticated and very hard to pick up on.
What can IT professionals do to combat these threats?
Creating awareness is key. A lot of this is social engineering and most outbreaks are triggered by people doing something [to let the malware in]. Click this and get that. People need to be made aware that they shouldn't click on links if they don't know who the trusted source is. You need to have a standard set of policies and educate the users because most people just don't know. It's also important to have policies on what applications and devices can and cannot get attached to the network. If you don't know what applications and devices are on your network, you can't start to manage vulnerabilities. At the end of the day, you have to manage vulnerabilities and know what's on your network. You also need tools to enforce your policies about what machines can access the network and under what conditions. Having application control products to lock down P2P or block IM is also important. Finally, you need a multi-layered approach, with security at the perimeter, on the desktop and really all places on the network.
Another trend is the growing threat to mobile devices, specifically phones. Where do you see the threat headed?
People are starting to look at how they secure non-traditional points to the network. Laptops that go beyond the network are something we've talked about for some time. Whether it's a mobile phone or another roaming device, how to lock down anything connected to infrastructure is something CIOs are starting to look at. With mobile phones, one good thing we have going for us is that writing malware for it is not easy because of all the operating system versions out there. But as more transactions happen over mobile phones, people will need security software on them. For corporations, any mobile device that attaches to the network will have to be addressed in management policies as far as what's allowed in. Having security software on the phones should be part of those policies.
What is Sophos' strategy for dealing with mobile phone security?
When people look at mobile phone protection, they need to know if it's integrated in with their management console so they can leverage the policies they have. IT managers don't want yet another security product to deploy for mobile devices, so our focus is to get a product out there that is integrated with the management console using the same agent we have on the desktop so we don't solve the problem by creating another management headache.
Sum up what you see as the threat landscape for 2007.
It will keep moving down the path of targeted attacks. More threats will come from botnets and via email, relying on attachments from the outside world. People have to get tighter about what they allow in and out for traffic. The proliferation of USB devices is a bigger threat than companies realize. A lot of these devices are becoming more common, as well as plug-in devices like iPods and Zune. More viruses will be coming by way of these devices. More VoIP threats are likely and it'll be interesting to see what kinds of exploits and targeted attacks are directed at Vista. In the next three years, companies will be looking to see if using Microsoft alone is good enough or if they'll still need the third-party specialized security firms.
