
How to use Internet security threat reports

By Eric Ogren
09 Nov 2009 | SearchSecurity.com



The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads.

There's no shortage of security threat reports from vendors in the antimalware business highlighting that boom. The latest, published by McAfee Inc. and Symantec Corp.'s MessageLabs, as well as Microsoft's Security Intelligence Report, shed light on malicious activity. But while each of these reports summarizes observed attack activity -- profiles of the types of attacks and geographic profiles -- in my opinion, only Microsoft provides meaningful strategies, mitigations and countermeasures for IT on protecting computing resources.

If security products worked well, we wouldn't need these reports; however, they provide interesting analysis even if they are not always actionable. For instance, we are conditioned to believe parts of Asia and Eastern Europe are relatively lawless when it comes to cybersecurity, but McAfee's research reminds us that the United States hosts 45% of the world's Web servers with malicious reputations and 46% of the world's discovered phishing sites, so there is Web security work remaining. Also interesting: Symantec illustrates how dynamic the attack process is by reporting that one-third of the websites it blocks are less than a month old, and Microsoft reports that the Windows Vista SP1 infection rate is 62% less than that of Windows XP SP3, which may be a reflection of the effectiveness of Microsoft's SDLC program.

Security professionals should read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage. The reports' findings represent only what the vendor is looking for, and they carry a natural bias toward the vendor's business. Security pros can do better by examining multiple vendor threat reports to get a more complete picture and by mapping the threat classes to the business. For instance, a workforce using Windows isolated at home requires different security mechanisms than a workforce using shared devices on an office LAN.

The reports can be used for your user education series. Symantec reminds us that spam and phishing attacks increase with special events, such as Halloween, Christmas, tax filing and celebrity health issues. Pull timely examples and statistics from the threat reports in a continuous series to educate users on how to recognize human-engineered cybersecurity threats. Technology cannot catch all attacks, but an alert user can help thwart an attack with a user interface that breaks through security filters.

IT can also use the reports to substantiate budget requests for malware protection, vulnerability management and virtualization projects. The threat reports are designed to create demand for vendor offerings for an increasingly dangerous Internet. For example, Microsoft reports that application-level attacks against Microsoft Office leverage vulnerabilities that could have been patched over 3 years ago. IT can use this information to highlight the need for application-level patching and vulnerability management, to negotiate for help from service providers for home computers, or to work with a cross-functional team to evaluate IT-controlled virtual desktops.

While there's been no shortage of Web-based threats since the Melissa virus a decade ago, let's hope that at some point the vendor-sponsored threat reports will show classes of attacks subsiding because security software has done the job it was hired to do. At a minimum, more vendors need to include recommendations on protective actions while the security industry concocts an antidote. For now, every major vendor is producing a threat report that can best be used to evaluate IT security policies and educate the company.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
