The future of malicious code
17 April, 2006
By Dave Chappelle
AV and personal firewalls are necessary, but no longer sufficient for adequate protection.
"This entire market space is under massive convergence pressure," said Neil MacDonald, Information Security and Privacy team, Gartner. "Be prepared for vendor flux and licensing changes."
Microsoft is making an across-the-board push into security. Its entry puts pressure on other vendors.
"It's not best of breed, but it's good enough, which is what Microsoft generally does," said MacDonald.
More "bad stuff" is making its way past the perimeter. One reason for this is that contractors and mobile employees can make their way around the perimeter.
Another potential threat is that of encrypted traffic from the worker at home accessing the company network via VPN.
"You have no idea what state their computer is in or what is passing through your network, because the traffic is encrypted," MacDonald said.
Back doors into the network, especially wireless ones, pose a further perimeter security threat. For $60 any worker can connect a wireless access point, and it is likely to go undetected unless someone specifically looks for it.
Spyware is a socially engineered attack that comes right through port 80, which the firewall is configured to let through.
Unpatched vectors represent another threat. "You can never patch fast enough," said MacDonald. "Unknown vectors are more dangerous, including a zero day attack that was for sale on eBay. It took Microsoft several months to develop a patch."
The traditional anti-virus model breaks down under zero day attacks. If an attack targets a single victim, the AV companies have no incentive to develop signatures. Industrial espionage is one reason for such attacks.
"If you don't have a signature, who's going to see it?" asked MacDonald. "If it's just one company being targeted, chances are nobody will ever know. It completely breaks the signature model. It's time to get away from that."
MacDonald thinks that protection should not require lots of point solutions. The current model is firewalls, anti-virus, anti-spyware, behaviour blocking, and network access control (NAC).
However, security is moving towards host-based intrusion prevention. You can choose to buy best-of-breed third-party applications, with all the accompanying issues of trying to make the various pieces (firewall, AV, AS, IPS, etc.) work together. Most firms will likely take the path of least resistance and use what comes with their platform of choice or what is built into the OS.
Some suggestions:
Firewalls should be on every laptop and desktop. MacDonald expects every system to have a personal firewall by 2010.
AV and AS have been commoditized, and will be displaced by free protection offered by Microsoft or ISPs.
NX-Flag is a hard fix for one class of worm, and should be enabled on desktops and servers. It prevents code from executing in memory areas that are marked as data.
"If there's one thing you want to take away from this presentation today, it is get NX-Flag and install it right away," said MacDonald.
The convergence that is taking place on the desktop is also happening at the network edge, combining firewall, IDS or IPS, and AV.
"By late 2006 Microsoft will offer Windows Client Protection, offering enterprise AV and AS with a console," said MacDonald. "They're not new to this; they've been doing it for a while, through acquisition. They will have desktop and server, and email protection."
Network access control means scanning a computer before it is allowed to connect to the network. This is one area in which third-party solutions will continue to prevail, since OS vendors have no plans to include NAC in their products.
End user security policies can be enforced by locking out or blocking actions, controlling what users are and are not allowed to run.
"Telling people they can't change the background on their desktops is draconian; it's extreme," said MacDonald. "I'm starting to get more calls about 'flexible lockdown' technology. It's there, and I expect to see more of this in the future."