Rather than buying into the threat du jour marketing hype, organizations can become more threat tolerant by creating and promoting a secure ecosystem.
Malware problems are a widespread issue for both consumers and businesses. In 2010 alone, we saw Operation Aurora, Zeus, Stuxnet and many other significant malware instances. To enhance the enterprise's malware-defense capability, security professionals need to stop chasing the malware flavor of the month, and instead develop proactive security measures that strengthen the enterprise's fundamental defense DNA. If you have not made “defense against malware” a top priority, it’s high time you did so.
One of the reasons malware defense should be an IT priority is that the incumbent technologies are only effective to a degree against modern malware. Additionally, the growing adoption of social media, both within the enterprise and the consumer market, provides a convenient malware distribution channel, as well as an information reconnaissance platform.
For businesses that conduct transactions over the Web via consumer-facing applications, man-in-the-browser (MITB) malware, such as the Zeus Trojan, which aims to steal a user’s banking credentials by intercepting online banking sessions, is of special concern. If MITB malware exists on a customer’s desktop, the business can’t trust anything sent via the user’s browser, not even when SSL is used. This presents a major challenge for consumer-facing businesses, because it’s impossible for them to exert client-side controls on the consumer's endpoint. In order to understand how to prevent malware attacks of this sort and protect the integrity of your consumer transactions, there are a few things to consider:
- For B2B transactions, implement dual approval. This process stipulates that, for every transaction initiated by a user, a separate approval step involving a different user in the same organization (presumably on a different machine), must take place before the transaction can proceed. The assumption is it’s unlikely that two users’ machines would be compromised simultaneously.
- For B2C transactions, implement second-channel verification. For this type of verification, the second channel must be distinct from HTTP, and the server can only execute a transaction after it has been verified via the second channel. For example, if a consumer requests a fund transfer over the Web, he or she will get an SMS message verifying this transaction. The transaction will only proceed if the consumer consents to the transaction via SMS.
- Strengthen server-side fraud detection. By looking for anomalous patterns, such as unusual locations and unusual spending patterns, server-side fraud detection is a good defense-in-depth measure, even with second-channel verification or dual approval procedures.
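A minimal server-side sketch of the second-channel verification described in the B2C item above, added here as an illustration and not taken from the article. `TransferGate`, the `send_sms` callback, the six-digit code and the 300-second lifetime are assumptions; the point is that the web tier can only queue a transfer, and execution requires a reply that arrived over the other channel.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 300  # seconds a confirmation code stays valid (assumed policy)

@dataclass
class PendingTransfer:
    user: str
    payee: str
    amount_cents: int
    code: str
    created: float
    verified: bool = False

class TransferGate:
    """Holds transfers requested over HTTP until confirmed out of band."""
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms  # hypothetical second-channel sender
        self._now = now
        self._pending = {}

    def request(self, user, payee, amount_cents):
        """Web tier entry point: records the request, executes nothing."""
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[tx_id] = PendingTransfer(user, payee, amount_cents, code, self._now())
        # The SMS repeats the details as the server received them, so a payee
        # or amount altered inside the browser is visible to the customer.
        self._send_sms(user, f"Transfer {amount_cents / 100:.2f} to {payee}? Reply {code} to confirm.")
        return tx_id

    def confirm(self, tx_id, sms_reply):
        """SMS gateway entry point only; never reachable from the web tier."""
        tx = self._pending.get(tx_id)
        if tx is None:
            return False
        fresh = self._now() - tx.created <= CODE_TTL
        match = hmac.compare_digest(tx.code.encode(), sms_reply.strip().encode())
        if not (fresh and match):
            del self._pending[tx_id]  # expired or wrong: one attempt per code
            return False
        tx.verified = True
        return True

    def execute(self, tx_id):
        tx = self._pending.get(tx_id)
        if tx is None or not tx.verified:
            raise PermissionError("transfer not verified on second channel")
        del self._pending[tx_id]
        return (tx.user, tx.payee, tx.amount_cents)
```
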
For business-facing malware, the variants today are stealthy, polymorphic, targeted and agile -- and typically exploit several types of vulnerabilities. Client-side vulnerabilities are a major vector by which malware infiltrates businesses. In order to detect malware penetrating the work environment, security professionals should consider the following:
- Offline malware and threat detection. Inline technologies, such as IPS and secure Web gateways, need to keep up with line speed, and therefore are limited in the amount of analysis they can perform. But offline detection capabilities in products provided by vendors such as FireEye Inc., Damballa Inc. and NetWitness Corp. can conduct much deeper analysis and may catch malware others have missed.
- Whitelisting whenever possible. In a highly controlled environment, whitelisting can be a powerful tool against anomalies, including malware. It can be applied to Web accesses, software installed on servers and endpoints, and server-to-server communication. Organizations using whitelisting, however, must have a fast response capability to handle exceptions and rare cases.
- Browser security. Since many malware problems spread via the Web and exploit browser vulnerabilities, a hardened browser environment should eliminate this major threat vector. With new technologies, such as those provided by products from vendors Invincea Inc. and Quaresso Software Technologies Inc., browser security is almost fully attainable.
While malware defense is and should be an ongoing effort, security professionals don’t have to perpetually play catch-up with the ever-changing malware industry. Rather than buying into the threat du jour marketing hype, organizations can become more threat tolerant by creating and promoting a secure ecosystem, investing in application security to eliminate vulnerabilities in the first place, and strategizing for the long term.
About the author:
Chenxi Wang is Vice President and Principal Analyst at Forrester Research.
This was first published in August 2011