Everyone should applaud last month's arrest of Sven Jaschan, the German wunderkind who created the Sasser worm. It's a tremendous victory, to be sure, for digital G-men who rarely get their malware-creating man.
Without a doubt, there's no justification for creating and releasing malicious code like Sasser. The standard defense of "I was only trying to improve security by showing companies how weak their security is" is bunk. Viruses and worms cost corporations hundreds of millions of dollars each year in AV defenses and inflict billions of dollars in damages.
Nevertheless, we're compelled to recognize the benefits for the enterprise community of the rapid-fire release of new viruses and worms.
Gone are the days when security crews could leisurely update their defenses. Last summer's Blaster worm appeared just 26 days after the release of the RPC-DCOM vulnerability. Jaschan's Sasser was in the wild 17 days after the announcement of the LSASS buffer overflow. And the Witty worm was out in two days.
According to security vendor Foundstone, the average time between a vulnerability being publicly disclosed and malware appearing in the wild has shrunk from an average of 9.5 months in 1999 to a mere 10 days this year. Enterprises simply have no choice but to immediately update their AV, implement interim protections and patch their systems. The consequences of inaction are lost revenue, resources, productivity and reputation.
Enterprises know they can't rely on AV scanners alone to defend them against infections. In fact, Information Security's bakeoff of 10 leading AV solutions found that most aren't providing the protection we think they are.
As a result, enterprise malware vigilance is spiking. Many security teams are paying more attention to vulnerability announcements, intelligence reports and patch releases than in years past. They have contingency plans for quickly deploying patches--although some are sacrificing testing in favor of speed. They're rapidly implementing synergistic defenses, such as traffic monitoring tools, automated network segmentation and endpoint security products.
Malware writers are contributing to enterprise AV defenses by rushing to release immature, unsophisticated code. Most initial malware releases are sloppy and more remarkable for just working than for what they do or intend to do. State-of-the-art malware writing hasn't advanced all that much since Code Red and Nimda. But, the rapid appearance of immature worms gives software vendors motivation for expediting the development of patches and signatures before more sinister stuff is devised. The antibodies are usually in place by the time the really dangerous variants appear.
This is a continuation of the arms race in which we've engaged with these Mountain Dew-swilling hackers for the past 20 years. But it's forcing us to produce better security solutions, develop better policies and procedures and maintain a high state of awareness--which will even help against the dreaded zero-day exploit.
Would more arrests like Jaschan's and an end to malware be better? Naturally, yes. But let's relish the other unintentional benefits--malware writers are keeping us on our toes for the better.
Lawrence M. Walsh is the executive editor for Information Security magazine.
This was first published in June 2004