Anti-Malware Strategy Crucial for Businesses

By Steven Fox, Founder of SecureLexicon

This is the first part of my Black Hat interview with Andrew D. Hayter, Anti-Malcode Program Manager for ICSA Labs.  In this installment, Mr. Hayter highlights the challenges businesses face in mitigating malware-related risks.

Malware is a serious business threat.

While I am certain that doubt lingers in the minds of some users, the recent Heartland Payment System (HPS) breach illustrates the related risks.

According to an Information Week January 2009 article, a keylogger was instrumental in compromising an organization that “handles 100 million transactions per month for more than 250,000 businesses.”

HPS is not alone.  According to the Verizon Business 2009 Data Breach Investigations report, malware “contributed to nearly one-third of data breaches.”

The report noted that malware distribution has evolved from “self-replicating emails and network worms … [to] emphasize stealth and smaller, more directed distribution.”

This signals a shift from annoyance attacks toward targeted infections designed to gather intelligence on, or take control of, a target.

According to the report, Personal Identifying Information and Payment Card Data represented 36% and 81% of data types compromised, respectively.

The HPS breach was a teachable incident for most companies that leverage similar technologies to conduct business.

Testing and certification organizations like ICSA Labs, an anti-virus and anti-malware software evaluator, have publicized the business risks associated with malware.

However, integrating this information into the business has been challenging.  ICSA’s Andrew Hayter highlighted two of these challenges.

Patch Management

Software controls that address any enterprise risk must be updated frequently.

Patch management, according to Hayter, “is one of the biggest challenges that IT Security folk face.”

Mr. Hayter stresses that the rate of malware innovation makes these patches critical to the functioning of these controls. These updates must be part of a configuration management plan appropriate to the needs of the business.

Not surprisingly, a 2002 Gartner whitepaper highlighted patch management as an attractive attack target.  Below are some best practices to mitigate this risk and promote effective patch management

• Classify the assets in your environment
• Test all patches before deployment
• Accept only signed, official patches
• Patch management security must match, or exceed, the security of web-facing servers.

Social networking sites

SearchSecurity.com’s UK Bureau Chief Ron Condon characterized social networking sites as “the new battleground for malware.”

His article discusses how the mechanisms that facilitate social functionality are being leveraged to deliver viruses and malware.

Mr. Hayter shares this concern.

“Corporations need to worry about their employees accessing social websites through company computers,” said Hayter. “There is so much malware on social websites that could infect business assets – it is a huge business risk.”

He recognizes that there may be a business case for such usage, but that it must be conducted with that case in mind.

The enterprise must draft security policies and procedures that take this risk into account.

The next installment will discuss Andrew Hayter’s recommendations for building a business case for anti-virus and anti-malware software controls.

Originally published at CIO

Steven Fox is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon , a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com
Follow him on Twitter - @SecureLexicon
Join Steven’s LinkedIn Network

* * *

Stay Informed With ISR News Feeds and Email Alerts Here:

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, PCI, Sarbanes-Oxley, Steven Fox, Uncategorized, hackers, identity-theft, malware, national security, privacy 

Comments

• ISR Headline Index

  • Perplexities of Enterprise Privacy Policies
  • Sorting Out Social CRM Options for Business
  • Police Make Arrests In ATM Skimming Ring
  • Insurance Industry Fights Liability Claims
  • More Talks with Anti-Jihadi Hacker The Jester
  • Avoiding Enterprise Software Vendor Lock-In
  • The FCPA Role In International Acquisitions
  • Vigilante Hackers as Heroes, but at What Cost?
  • China: Internet Freedom Is Culturally Relative
  • Advantages of Data-Focused Risk Assessments
  • WireHead Security Partners With NCICU
  • FaaS: The Emergence of Fraud as a Service
  • Pet Lovers are Target of Latest Online Scams
  • Behavioral Based Email Security Systems
  • Web Security From A New Perspective

• Recent Comments

  • James C. Roberts III on The FCPA Role In International Acquisitions
  • LH on Q & A With Anti-Jihadi Hacker The Jester
  • Some Sun Tzu quotes… | D90 Tools & Techniques on Sun Tzu: PCI-DSS and Situational Awareness
  • JT on More Talks with Anti-Jihadi Hacker The Jester
  • j35t3r on Q & A With Anti-Jihadi Hacker The Jester
  • Albert Lea Tribune | Military News | Military Fitness Wisdom on Sun Tzu: PCI-DSS and Situational Awareness
  • ravenwaver on Q & A With Anti-Jihadi Hacker The Jester
  • badgamon on Q & A With Anti-Jihadi Hacker The Jester
  • How th3j35t3r And Other Hackers Are Using Their Skills To Bring Real World Bad Guys To Book on Q & A With Anti-Jihadi Hacker The Jester
  • “We want heroes” – at what cost? « jpskaar on Patriot Hacker Hits Jihad With DDoS Attacks
• 
  

  Information Security Resources

  Top network security blogs

• Categories

  • Anthony M. Freed (28)
  • Bill Brenner (2)
  • Bob Violino (1)
  • Bozidar Spirovski (22)
  • Breach (492)
  • Britt Womelsdorf (5)
  • By Dr. InfoSec (2)
  • Cara Garretson (7)
  • CCCNews (1)
  • Chorey Taylor & Feil (8)
  • Christophe Veltsos (2)
  • Christopher Burgess (7)
  • CIOZone (24)
  • Class Action Lawsuit (109)
  • Cloud computing (68)
  • Coby Royer (5)
  • CTO Forum (8)
  • D&O Liability (541)
  • Daniel Wallace (5)
  • Danny Lieberman (11)
  • DataLine (10)
  • David Alexander (2)
  • Derek Crawford (1)
  • Doug Pollack (6)
  • due diligence (251)
  • Fame Foundry (1)
  • FEATURE ARTICLE (398)
  • Financial (526)
  • Fred Leland (7)
  • Gene Kim (3)
  • Government (334)
  • Greg George (3)
  • H1N1 (15)
  • hackers (481)
  • healthcare (94)
  • Heather Bourgoin (1)
  • HomeATM (8)
  • identity-theft (478)
  • IDExperts (16)
  • Ike Z. Devji (1)
  • Insider Threat (435)
  • Internet Crime Complaint Center (1)
  • Internet Security Alliance (40)
  • ISR News (315)
  • Jacqueline Herships (1)
  • Jenni Hesterman (3)
  • John M. Salomon (2)
  • John Watkins (7)
  • John-Patrick Skaar (1)
  • Kaliber Data Security and Compliance Consultants (3)
  • Kat Sanders (2)
  • Ken Leeser (3)
  • Kevin L. Jackson (10)
  • Kevin M. Nixon (22)
  • Laton McCartney (6)
  • Laura Wilson (14)
  • Lauren Taylor (1)
  • Linda McGlasson (1)
  • malware (446)
  • Mark Wright (1)
  • Mel Duvall (3)
  • Michael Eggebrecht (2)
  • Michael Lohr (1)
  • Michael O'Conner (4)
  • Mike Duncan (3)
  • Mike Meikle (3)
  • Mike Spinney (1)
  • Military (174)
  • national security (402)
  • PCI (268)
  • PCI Security Standards Council (30)
  • Physical Security (11)
  • privacy (496)
  • Rachel James (10)
  • Rebecca Herold (16)
  • Richard Stiennon (27)
  • Robert Siciliano (30)
  • Sarbanes-Oxley (443)
  • ScamStop (2)
  • Sean Wilkins (2)
  • Semyon Dukach (1)
  • Simon Heron (14)
  • Software Associates (11)
  • Steven Fox (19)
  • SUPERAntiSpyware (3)
  • Sybase (6)
  • Symplified (5)
  • The Jester (4)
  • The Privacy Professor (16)
  • Thomas R. Fox (4)
  • Tom Groenfeldt (2)
  • Tom McLain (2)
  • Trefis (6)
  • Tripwire (18)
  • Uncategorized (579)
  • virtualization (57)
  • Webcast (31)