So why is that? Why aren't the defences we've been putting in place for the last twenty years effective? Let's look at why.
Malware creation is no longer in the hands of expert hackers
Anybody with a computer can make their own custom malware, given the prolific rise in malware-creation kits. Buy the software, point, click, and you have your own custom malware. You can hide it in a PDF, a Word document or a ZIP file. The challenge comes in mastering the English language well enough to get your target to execute said malware. But with a bit of time and research, it's straightforward to come up with a realistic-looking email, from a realistic-looking domain, with a realistic probability of somebody opening it.
It takes more time for anti-malware vendors to respond
Due to the huge increase in malware variants, anti-malware vendors are struggling to keep up. Much as their marketing teams may beg to differ, it's a matter of numbers. They simply do not have the resources to respond to each and every virus. By the time an antidote is developed, a new mutation is in the wild. Pharmaceutical companies have the same challenge with viruses, and make a fortune in the process. Needless to say, security vendors do too.
The key is in the delivery
Malware can be created that will avoid detection by all those expensive colourful bits of kit in your server rack. It's a done deal. Don't try to think about blocking malware at the perimeter. Assume it has somehow found its way onto a user's device, whether via a spoofed email, a rogue USB stick or an act of God. It will get there.
It's common knowledge that malware will happily evade detection and analysis, as that's exactly what criminals are paying expert software developers to do. So what should we be doing about this?
Beware BYOD
Some companies have hit the self-destruct button already it seems, by permitting users to access company resources using their own devices, with limited protection in place. Whilst all your machines in the office might have the latest and greatest malware protection available, Mrs Trellis from her holiday home in North Wales is unlikely to even know what this is.
Remember the two-click rule
Users should not be able to double-click and open an untrusted file. They should be prompted with a warning message before being allowed to open untrusted files. This is a basic Cyber Essentials control that most small companies fail when I go in and assess them, yet it is remarkably simple and effective once in place. Do it. No excuses.
Block executables
Building on the two-click rule, it's a good idea to stop users executing anything. In a trusted environment that has been carefully thought out and planned, there will be no need to. Do not let users install anything or run executables. That way, they can't execute malware.
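What "do not let users run executables" looks like on a Windows estate, as an added example that is not from the article: a constructed AppLocker policy that allows executables only from the standard install locations, carves user-writable subfolders out of the Windows allow rule, starts in audit mode, and is dry-run with Test-AppLockerPolicy before anything is enforced. It assumes a Windows host with the AppLocker cmdlets available and notepad.exe in System32.

```powershell
# Added example, not from the article: an AppLocker executable policy that
# allows programs only from the standard install locations and implicitly
# blocks everything else. It starts in AuditOnly so you can read what would
# have been stopped before switching EnforcementMode to "Enabled".

# Constructed policy. S-1-1-0 is Everyone, S-1-5-32-544 is local Administrators.
# %PROGRAMFILES% covers both Program Files directories; the Exceptions carve
# user-writable folders under %WINDIR% out of the Windows allow rule.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-exe-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: the same binary is allowed from System32 but denied once a user
# copies it somewhere they can write to, which is the whole point of the rule.
$copy = Join-Path $env:TEMP 'constructed-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $copy -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @("$env:WINDIR\System32\notepad.exe", $copy) |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To apply (elevated): the Application Identity service must be running, then
# import the policy. Flip EnforcementMode to "Enabled" once the audit log
# (Applications and Services Logs > Microsoft > Windows > AppLocker) is clean.
# sc.exe config appidsvc start= auto; sc.exe start appidsvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Path rules judge where a file is, not what it is, so the Exceptions list is what stops a user from dropping a binary into a writable corner of the Windows folder; review the audit events for legitimate software that lives outside the allowed locations before enforcing.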
Install anti-virus
If a user can't execute anything untrusted, then anti-virus doesn't really give you much benefit. Security vendors have expanded their offerings to include host firewalls, host intrusion prevention, VPN capability, whitelisting, file integrity, event logging, the lot. Whilst security bloatware might seem a happy compromise, you have to question the benefits. You should be looking to simplify security, not complicate it.
Evolve
Concepts of least privilege and bare-minimum build standards go a long way. It's worth looking at the thin terminal model and re-centralising control over user systems, as half the problem has been users being able to do whatever they want. Ransomware is on an exponential rise. On one hand it's very damaging for companies with no incident response ability or backups, but on the other hand it's raising awareness. Users aren't so trusting anymore and awareness is on the rise.
The last, and most important, piece of advice is to be in a position where you can respond when you DO get hit by malware. And you WILL. Be prepared to have to trash any single one of your assets and restore it within a timeframe acceptable to the business. Malware should no longer be seen as a security threat. It's an inconvenience. Don't let it get on top of you. With careful preparation you can easily get out of the potential mess that malware can cause.
Article written by Tim Holman for Computer Weekly – Security Think Tank