I am in danger of pigeon-holing myself, of being type-cast as The Anti-Virus Guy. That doesn't bother me too much when I see how the Heartland and Hannaford Brothers data breaches stayed effective and undiscovered for as long as they did because of undetected malware. According to the 2009 Verizon Data Breach Investigations Report, 38% of data theft utilized malware (67% were aided by significant errors). According to the 2009 CSI Computer Crime and Security Survey, 74% of companies experienced malware infections in 2005, with that number decreasing to 50% in 2008 but returning to 64% in 2009.
My statistically unsupported speculation (but confirmed by reviews of the Heartland, Hannaford and other breaches): most data theft can be described by the following scenario:
- a mistake was exploited (misconfiguration or vulnerability left unpatched),
- the network was hacked,
- malware was installed and
- data collected.
From this you learn that finding and fixing configuration errors and applying patches are required measures. So are finding the intrusion, the undetected malware and the data exfiltration: prevention failed at Heartland and Hannaford, and nothing on the detection side caught the failure for months.
If you have a highly mobile workforce, anti-virus software should be considered as an intrusion detection system.
Intrusion detection systems flag suspicious activity, usually by matching known attack signatures or by spotting anomalies, and typically they restrict their focus to network traffic. An anomaly may have been caused by an intruder, although most are not. Either way the system only raises the alert; it relies upon a person to investigate and determine the appropriate action.
Anti-virus software detects malware, which today is typically spyware or Trojan horse software. A true virus (malicious code inserted into a host program) is rare. Anti-virus products have expanded their scope to include a broader range of software you may not want running, such as adware and other potentially unwanted programs.
Learning where the detected malware came from helps you block access to that location and helps you learn what other programs arrived from the same location. Treat malware detection alerts as suspicious activity to investigate and act upon, not as a nuisance the product has already handled: the quarantine is the start of the investigation, not the end of it.
With a mobile workforce you cannot rely upon your network monitoring equipment to inform you about anomalous conditions. Your network-based intrusion detection system can inspect internal network traffic, including traffic on VPN connections, but a laptop in a hotel or coffee shop that is not on the VPN generates traffic your sensors never see. The anti-virus agent on that laptop still sees the malicious file land and still reports back, so you can still gather information about anomalous events through your anti-virus software.
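The triage described above, as an added example that is not part of the original post: it takes anti-virus alerts from roaming laptops and the download history collected from those same laptops, works out which download delivered each detected file, produces the list of source domains to block, lists the other files those sources delivered that the anti-virus did not flag, and separates out detections with no matching download (a file written by something already running on the host, which means the host is compromised beyond what the product caught). The two log formats and all sample lines are constructed for this example; real products export different fields, so the two parsers are the part you would adapt.

```python
"""Treat anti-virus alerts from roaming laptops as intrusion-detection events.

Added example, not code from the original post. It assumes two hypothetical,
constructed log formats: a space-separated anti-virus console export and a
per-host download history gathered from the laptop itself (browser history,
local proxy cache), since off-VPN traffic never reaches the network IDS.
"""
from urllib.parse import urlparse

# Constructed sample AV alerts: timestamp host action detection path
AV_ALERTS = r"""
2009-11-10T09:14:02 LAPTOP-17 quarantined Trojan.Downloader.Gen C:\Users\kim\Downloads\invoice_2009.exe
2009-11-10T09:40:55 LAPTOP-17 quarantined Spyware.Keylogger.A C:\Users\kim\AppData\Local\Temp\svchosts.exe
2009-11-11T13:02:10 LAPTOP-03 detected Adware.Toolbar C:\Users\raj\Downloads\codec_pack.exe
"""

# Constructed sample download history: timestamp host url saved_path
DOWNLOADS = r"""
2009-11-10T09:13:40 LAPTOP-17 http://downloads.example-bad.net/invoice_2009.exe C:\Users\kim\Downloads\invoice_2009.exe
2009-11-10T09:13:58 LAPTOP-17 http://downloads.example-bad.net/reader_update.exe C:\Users\kim\Downloads\reader_update.exe
2009-11-11T08:00:00 LAPTOP-03 http://www.example.com/manual.pdf C:\Users\raj\Downloads\manual.pdf
2009-11-11T13:01:30 LAPTOP-03 http://cdn.example-media.org/codec_pack.exe C:\Users\raj\Downloads\codec_pack.exe
"""


def parse_av_alerts(text):
    """One dict per alert line. Paths are lower-cased because Windows paths are
    case-insensitive and the AV export and browser history may not agree."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, detection, path = line.split(None, 4)
        alerts.append({"ts": ts, "host": host, "action": action,
                       "detection": detection, "path": path.lower()})
    return alerts


def parse_downloads(text):
    """One dict per download record, with the source domain pulled out of the URL."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, url, path = line.split(None, 3)
        records.append({"ts": ts, "host": host, "url": url,
                        "domain": urlparse(url).netloc.lower(),
                        "path": path.lower()})
    return records


def triage(av_text, dl_text):
    """Correlate each alert with the download that put the file on disk.

    Returns a dict with:
      block_domains - download sources that delivered detected malware
      followup      - other files each of those sources delivered that the AV
                      did NOT flag; pull them for analysis, same source, same trust
      unattributed  - detections with no matching download: something already
                      running on the host wrote the file, so escalate the host
    """
    alerts = parse_av_alerts(av_text)
    downloads = parse_downloads(dl_text)
    by_host_path = {(d["host"], d["path"]): d for d in downloads}
    detected = {(a["host"], a["path"]) for a in alerts}

    block_domains = set()
    unattributed = []
    for a in alerts:
        origin = by_host_path.get((a["host"], a["path"]))
        if origin is None:
            unattributed.append((a["host"], a["path"]))
        else:
            block_domains.add(origin["domain"])

    followup = {dom: [] for dom in block_domains}
    for d in downloads:
        if d["domain"] in block_domains and (d["host"], d["path"]) not in detected:
            followup[d["domain"]].append((d["host"], d["path"]))

    return {"block_domains": block_domains,
            "followup": followup,
            "unattributed": unattributed}


if __name__ == "__main__":
    report = triage(AV_ALERTS, DOWNLOADS)
    print("block at proxy/DNS:", sorted(report["block_domains"]))
    for dom, files in report["followup"].items():
        print("also pull for analysis from", dom, ":", files)
    print("escalate to IR (written by something still running):", report["unattributed"])
```

The unattributed bucket is the one that matters most. In the sample data the keylogger in the Temp directory was never downloaded by the user; the quarantined downloader fetched it, and the anti-virus caught the second stage but said nothing about what else the first stage did. A quarantine notice on its own looks like routine hygiene; read as an IDS event and correlated with the host's own history, it tells you which host to pull and which source to block.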
November 19, 2009 at 1:35 pm |
I don’t usually comment on blogs but had to on yours. You have a very easy to read writing style. A lot of people don’t have that touch, they just drone on and on in the most boring way. But not you – thanks! I don’t have time to read everything here right now, I found this site when looking for something else on Google, but I’ve bookmarked your homepage and will check back soon to see the latest articles. Please take a look at my site at http://www.ArtRL.com when you have time and please let me know what you think. Thanks again!