So why is that? Why aren’t the defences we’ve been putting in place for the last twenty years effective? Let’s look at why.
Malware creation is no longer in the hands of expert hackers
Anybody with a computer can make their own custom malware, given the prolific rise in malware-creation kits. Buy the software, point, click, and you have your own custom malware. You can hide it in a PDF, a Word document or ZIP file. The challenge comes in mastering sufficient grasp of the English language to get your target to execute said malware. But with a bit of time and research, it’s straightforward to come up with a realistic looking email, from a realistic looking domain, with the realistic probability of somebody opening it.
It takes more time for anti-malware vendors to respond
Due to the huge increase in malware variants, anti-malware vendors are struggling to keep up. Much as their marketing teams may beg to differ, it’s a matter of numbers. They simply do not have the resources to respond to each and every virus. By the time an antidote is developed, a new mutation is in the wild. Pharmaceutical companies have the same challenge with viruses, and make a fortune in the process. Needless to say, security vendors do too.
The key is in the delivery
Malware can be created that will avoid detection by all those expensive colourful bits of kit in your server rack. It’s a done deal. Don’t try and think about blocking malware at the perimeter. Assume it has somehow found its way onto a user’s device. Be this via a spoof email, rogue USB stick or an Act of God. It will get there.
It’s common knowledge that malware will happily evade detection and analysis, as that’s exactly what criminals will be paying expert software developers to do. So what should we be doing about this?
Beware BYOD
Some companies have hit the self-destruct button already it seems, by permitting users to access company resources using their own devices, with limited protection in place. Whilst all your machines in the office might have the latest and greatest malware protection available, Mrs Trellis from her holiday home in North Wales is unlikely to even know what this is.
Remember the two-click rule
Users should not be able to double click and open an untrusted file. They should be prompted with a warning message, before being allowed to open untrusted files. This is a basic Cyber Essentials control that most small companies fail when I go in and assess them, yet remarkable simple and effective once in place. Do it. No excuses.
Block executables
Building on the two-click rule, it’s a good idea to stop users executing anything. In a trusted environment, that’s been carefully thought out and planned, there will be no need to. Do not let users install anything or run executables. That way, they can’t execute malware.
Install anti-virus
If a user can’t execute anything untrusted, then anti-virus doesn’t really give you much benefit. Security vendors have expanded their offerings to include host firewalls, host intrusion prevention, VPN capability, white listing, file integrity, event logging – the lot. Whilst security bloatware might seem a happy compromise, you have to question the benefits. You should be looking to simplify security, and not complicate it.
Evolve
Concepts of least privilege and bare minimum build standards go a long way. It’s worth looking at the thin terminal model and re-centralising control over user systems, as half the problem has been users being able to do whatever they want. Ransomware is on an exponential rise. On one hand it’s very damaging for companies with no incident response ability or backups, but on the other hand it’s raising awareness. Users aren’t so trusting anymore and awareness is on the uprise.
The last, and most important piece of advice, is to be in a position where you can respond when you DO get hit by malware. And you WILL. Be prepared to have to trash any single one of your assets and restore it within a timeframe acceptable to the business. Malware should no longer been seen as a security threat. It’s an inconvenience. Don’t let it get on top of you. With careful preparation you can easily get out of the potential mess that malware can cause.
Article written by Tim Holman for Computer Weekly – Security Think Tank