[NYTr] Internet Criminals: Are You Really Protected?

All the News That Doesn't Fit nytr at blythe-systems.com
Mon Dec 24 14:37:35 EST 2007


Security ProNews - Dec 6, 2007
http://www.securitypronews.com/news/securitynews/spn-45-20071206AreYouReallyProtected.html

Are You Really Protected?

by Ryan Sherstobitoff
Contributing Writer

The threat landscape is evolving and changing more rapidly than many
traditional security companies can cope with - especially given that
the bulk of threats discovered have been developed and orchestrated by
highly sophisticated groups with a focus on financial gain.

For the first time in the history of the Internet we are seeing the
establishment of a "virtual" mafia of organized criminals taking
advantage of the anonymous nature of the Internet.

A good number of these "faceless" attacks go unnoticed by the
authorities until it is too late, and malware is becoming much more
targeted towards specific entities as well as specific information.

Take, for example, several recent high-profile security breaches with
well-known retailers. In all instances, hackers had apparently been
coming and going for nearly two years until the attacks were finally
noticed by the appropriate authorities.

In addition, more online consumers now fall victim to identity theft
via malicious code than by any other means, a reversal from a few years
ago. At that time people became victims not primarily through malicious
code but through other means such as dumpster diving, shoulder surfing
and various other methods.

The unsettling reality is that in today's world the rate of infected
users is occurring faster and in greater volume than traditional
security companies can detect and respond to. Unfortunately, this puts
consumers and corporations at greater risk than all previous years
combined.

According to the recent quarterly report provided by PandaLabs, the
predominant category of malware detected is Trojans (over 75 percent).
This category comprises password stealers, worms, banker Trojans, and
various other forms of malicious code.

Nevertheless, the goal is the same - financial or economic gain
through unethical means.

Furthermore, in order to maintain their invisibility and harvest the
personal details of their victims, cyber criminals are doing three
things:

1. Developing and releasing malware at an overwhelming rate to saturate
anti-malware labs with the intention of rendering traditional
anti-malware solutions ineffective. The sad truth is that it's working
and current security solutions may reflect only 65 percent of what is
really affecting users.

2. The malware itself has evolved to include a wide range of
sophisticated techniques to evade analysis such as custom packers and
cryptographic algorithms which are types of anti-reversing technologies.

3. The design and development of malware includes QA to ensure that
their creation evades all known products on the market.

With these three things combined, it's evident that users are being
infected more than ever, even with up-to-date anti-malware technologies
installed. To further articulate this problem, PandaLabs recently
conducted a research study over the course of three months in order to
obtain an accurate look at the current state of protection.

The study covered two very real populations: 1.5 million consumers, and
2,000+ companies. The end result was an astonishing rate of infection.
Even though both groups believed they were protected, consumers
experienced a 22 percent active infection rate and, even more
astonishing, 72 percent of those on the corporate side were infected.

With this being said, traditional anti-malware solutions are failing to
hit the mark in terms of providing adequate protection. Historically,
security has been a signature-based world. However, this model is
rapidly failing under the overwhelming rate of infection being
experienced today. In fact, PandaLabs receives over 4,000 new and unique
malware samples on a daily basis. This is much more than the previous
15 years combined.

This leaves us with one question - "Are we really protected?"

And more importantly, how do we solve this problem? The solution lies
partly in changing the way security solutions are designed and
deployed. The traditional protection model is simply not working: it
does not reflect the actual reality of what is detected on a daily
basis by security vendors for several reasons outlined below.

1. Signature-based solutions capture a small fraction of what we
consider to be "in the wild." This is mainly due to limitations in the
fundamental architecture - i.e. signature file size, bandwidth
limitations, design of the protection module, etc.

2. The anti-virus labs themselves do not have the manpower to process
100 percent of the samples received. Rather, a small percentage is
included in the daily signature file.

Thus, we are left with millions of users not really protected in the
midst of a rapidly changing dynamic.

So what must the industry do?

The current protection model must change to a model that reflects a
more modern approach. In particular, security solutions must be
developed to reflect the actual reality of malware detected on a daily
basis. Why use a product that detects only a small portion of what is
currently in circulation? Another modern way to address this is via
automated methods and tools - that should be deployed within anti-virus
(AV) labs to analyze malware and reduce the manual burden, thus
increasing visibility into even the most targeted infections.

A new security model known as Collective Intelligence has now emerged
with this new threat in mind. Simply put, Collective Intelligence
automates and enhances the malware collection, classification and
vaccination process by gathering detections from the Internet community
at large, rather than locally. This approach is designed on the basis
of the following principles:

      - Creating a truly global malware detection network that
consists of over five million detection nodes strategically placed
throughout the world;

      - Reducing the manual effort required to process the thousands of
samples received daily, thereby increasing the capacity and visibility
the AV lab has in terms of malware. This is done by deploying
technologies within "the cloud," to automate and enhance the malware
collection, classification and remediation involved with a standard
cycle;

      - Allowing a much greater detection ratio by utilizing signatures
within "the cloud," rather than locally through resident protection;

      - Creating one of the largest malware databases ever developed,
with over two million malware signatures and counting;

      - Establishing the ability to perform malware audits from
virtually any location, on any system of any size, without existing
security software conflict; and

      - Detecting and removing sophisticated types of malware that
otherwise go undetected with traditional security solutions.
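The principle of keeping signatures "in the cloud" rather than only in
a locally resident database can be shown with a small model. The
following is an added example written for this page, not Panda's
Collective Intelligence code: the "cloud" is a dictionary queried
in-process through a lookup callback, and every file body, hash and
detection name in it is constructed. It shows why the remote database
gives a greater detection ratio than the locally shipped subset, why a
hash the service has never seen must be reported as "unknown" rather
than "clean", and why a repacked sample (the article's point 2 above)
defeats exact-hash lookup on both sides.

```python
"""Cloud-assisted file-reputation check (illustrative example only).

Models the architecture described in the article: a small local
signature set, backed by a much larger remote database consulted on a
cache miss. Not the Collective Intelligence implementation; the cloud
service is simulated in-process and all samples are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MALICIOUS = "malicious"
UNKNOWN = "unknown"   # "not in any database" is not the same as "clean"

Verdict = Tuple[str, Optional[str], str]   # (status, detection name, source)


def sha256_hex(data: bytes) -> str:
    """Hash used as the lookup key; only exact byte-identical files match."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files standing in for files on disk.
SAMPLES: Dict[str, bytes] = {
    "invoice.pdf.exe": b"MZ\x90\x00constructed dropper sample",
    "bankhelper.dll":  b"MZ\x90\x00constructed banker trojan sample",
    "notepad.exe":     b"MZ\x90\x00constructed clean sample",
    "newpacked.exe":   b"MZ\x90\x00constructed never-seen (repacked) sample",
}

# Local signature set: the small slice shipped in the daily update.
LOCAL_SIGNATURES: Dict[str, str] = {
    sha256_hex(SAMPLES["invoice.pdf.exe"]): "Trojan.Dropper.Constructed",
}

# Simulated cloud database: a strict superset of the local set.
CLOUD_DATABASE: Dict[str, str] = {
    **LOCAL_SIGNATURES,
    sha256_hex(SAMPLES["bankhelper.dll"]): "Trojan.Banker.Constructed",
}


@dataclass
class ReputationClient:
    local_sigs: Dict[str, str]
    cloud_lookup: Callable[[str], Optional[str]]   # hash -> detection name or None
    cache: Dict[str, Verdict] = field(default_factory=dict)
    cloud_queries: int = 0

    def classify(self, data: bytes) -> Verdict:
        digest = sha256_hex(data)
        # 1. Resident signatures: answered without a network round-trip.
        if digest in self.local_sigs:
            return (MALICIOUS, self.local_sigs[digest], "local")
        # 2. Previously fetched cloud verdicts, so a hash is queried once.
        if digest in self.cache:
            return self.cache[digest]
        # 3. Ask the (simulated) cloud database.
        self.cloud_queries += 1
        name = self.cloud_lookup(digest)
        verdict: Verdict = (MALICIOUS, name, "cloud") if name else (UNKNOWN, None, "cloud")
        self.cache[digest] = verdict
        return verdict


def make_client() -> ReputationClient:
    """Client wired to the constructed local set and simulated cloud."""
    return ReputationClient(local_sigs=LOCAL_SIGNATURES, cloud_lookup=CLOUD_DATABASE.get)


def audit(client: ReputationClient, samples: Dict[str, bytes]) -> dict:
    """Classify every sample and compare local-only with cloud-assisted hits."""
    results = {name: client.classify(data) for name, data in samples.items()}
    local_hits = sum(1 for v in results.values() if v[0] == MALICIOUS and v[2] == "local")
    all_hits = sum(1 for v in results.values() if v[0] == MALICIOUS)
    return {
        "results": results,
        "local_only_detections": local_hits,
        "with_cloud_detections": all_hits,
        "cloud_queries": client.cloud_queries,
    }


if __name__ == "__main__":
    summary = audit(make_client(), SAMPLES)
    for fname, (status, name, source) in summary["results"].items():
        print(f"{fname:18} {status:10} {name or '-':28} via {source}")
    print("local-only detections:", summary["local_only_detections"])
    print("with cloud lookups:   ", summary["with_cloud_detections"])
```

Two of the four constructed samples are detected once the cloud is
consulted, against one with the local set alone, while "notepad.exe" and
"newpacked.exe" both come back unknown: the service cannot distinguish a
clean file from malware it has simply not yet collected, which is why
the article pairs cloud lookup with automated collection and
classification rather than treating the lookup alone as the fix.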

Summary

The malware landscape has changed so quickly that many consumers and
companies alike are only just now realizing that the security measures
of the past are no longer effective against the new and emerging breed
of highly sophisticated malware.

Research indicates that the percentage of networks that are infected is
much larger than perceived, and certainly far greater than acceptable.

The tools do exist, however, for IT professionals and corporate
decision makers to fully analyze their networks and determine whether
or not they may be infected by these new types of threats. With every
passing day, these decision makers must change the way they think about
security - and understand that to be fully protected, a new approach to
malware must be adopted.


[Ryan Sherstobitoff is the Chief Corporate Evangelist at Panda Security
USA. Ryan lectures across the country on cybercrime trends as well as
corporate risk assessments. In addition, Mr. Sherstobitoff writes a
monthly column for the ISSA Journal, the official publication of the
Information Systems Security Association. He can be reached at
ryans at us.pandasecurity.com. ]
