Monday, March 27, 2006

How to deal with this?

It's the second time in this year where we have a known vulnerability that can be used to install malicious code on users' computers without a released patch. Just remember that almost all big companies rely on the "Patch Management + Antivirus" formula to avoid this threats.

What would be a big threat for those companies? Let's suppose, malicious code designed to steal corporate information. If Mr.Criminal creates one of these and spread it through a limited target space (to avoid being identified by antivirus vendors) using one of those unpatched vulnerabilities, he will succeed in stealing a good bunch of information. Will it be detected? Probably not, specially if his code vanishes from the victim's computer after doing the job (and sending the results through proxy-enabled HTTPS or DNS tunneling).

I'm not trying to spread FUD when I show this imaginary scenario. I believe that companies need to understand that the PM+AV formula is not enough to avoid problems caused by infected workstations. Yes, it fits perfectly to combat dumb and simple malware, but not those made by professional criminals. And we are already seeing that this is not science fiction (good example).

There is a need for better workstation protection and better abnormal user behaviour. Users suddenly trying to collect and send out huge amounts of information need to be promptly detected by the Security Team. This is one of the goals of my current Master Thesis. I'm trying to integrate differente forms of Intrusion Detection targeted to the internal networks. Honeytokens will probably play a part.

No comments:

Post a Comment