Eliminating the threat of Malware on the desktop

By Peter Rawlinson | April 12, 2006

Spyware, malware, crimeware: whichever name you pin on it, these threats are very real and have been infiltrating networks on a global scale at an increasing rate over the last six months. They arrive by email and over the web, and can even be introduced inadvertently by poorly educated users.

Fully funded organisations work around the clock developing ever-stealthier and more destructive code with which to sneak into corporate LANs, cause havoc and gather sensitive data. Once collated, this information is disguised and transmitted inside regular outbound port 80 web traffic, which most firewalls allow out unchallenged, hiding its tracks along the way and supplying the perpetrators with passwords, login details, email addresses or credit card numbers. This information can be worth millions of pounds and is sold and traded on the Internet by organised crime outfits profiting from those with the technical know-how.

Losing corporate information can be extremely costly in itself, with the latest reports putting the average cost of recovering from a severe attack at around £100,000. Losing customer or supplier information, however, not only puts the company brand and reputation at risk but can contravene regulatory and compliance laws, leading to significant fines and loss of market confidence.

Anti-virus vendors and service providers have their work cut out meeting the challenges set by the criminals. Because it is packed, obfuscated or recompiled for each campaign, malware fools many signature-based anti-virus solutions into treating it as harmless traffic or email. Once inside, it sets itself in motion and targets the anti-virus software first, turning off detection so that it is free to roam networks and desktops without raising an alarm.

Another alarming trait of today's malware is the use of rootkits. These tools conceal running processes, files or other system data, which helps an intruder maintain access to a desktop without alerting the user. Rootkits can operate at the kernel level, hooking the operating system so that it reports false results to every tool that asks, or at the application level, spoofing regular processes and tricking users into entering what they believe are secure environments but which are in fact very convincing fakes. The potential for loss of information is huge, as is the drop in productivity while infected systems are cleaned and remediated.

Historically, security has been dealt with at the perimeter of a business: in theory the easy approach of keeping everything out until its integrity has been validated. While not entirely foolproof, this method worked well for a number of years, with high-profile breaches few and far between. Nowadays, as threats have evolved, this has become a harder task in itself, but to add to the pain, the modern enterprise no longer conforms to a perimeter model. Employees are no longer bound to their desks and regularly take laptops and devices out into the field. At that point protection becomes extremely difficult to keep tabs on, and the onus falls on the user to take responsibility for their own system integrity, which is not something that can be relied upon. If a user picks up a virus while checking webmail at a coffee shop, or even at a customer site, it is all too easy to return to the corporate LAN, walk straight past a firewall that only inspects traffic crossing the perimeter, and begin to infect the network from the inside out.

This "perimeterless" environment raises a number of questions for the IT department: how can we lock down users' desktops once they have left the network? How can we spot and stop viruses while a user is on the road? How can we get a PC to reverse any unauthorised configuration changes?

The most effective way of tackling these problems is to proactively manage the desktop environment: identify and block viruses and unauthorised applications before they have a chance to act; protect local system settings and configurations so that they remain aligned to preset policies; and preserve the installed security software.

Application control at the point at which code is launched is vital. It should prohibit all unwanted and unauthorised applications by default, allowing code to run only when it is owned by a trusted administrator account (trusted ownership) or appears on a whitelist of fully approved exceptions. Because malware that arrives by email or download is written to disk by, and therefore owned by, the logged-on user rather than an administrator, desktops in the field or within the network are no longer at risk from unrecognised self-executing content, including .exe files, batch files, ActiveX controls and DLLs. The model does depend on users running as standard users: a file created by a member of the local Administrators group is owned by that group by default and would pass the ownership check.
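The trusted-ownership rule reduces to a small, deny-by-default decision procedure. The block below is an added example, not code from the article or from any product it describes: it models the check an execution hook would make, with the trusted SIDs (the well-known Administrators and SYSTEM SIDs, an assumption about which accounts are trusted), the user SID, the file paths and the file bytes all constructed sample data. The last sample event illustrates the caveat in the text: code written by an administrator-owned account passes on ownership alone.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed trusted owners: well-known SIDs for BUILTIN\Administrators and
# NT AUTHORITY\SYSTEM. Files these accounts write are treated as sanctioned.
TRUSTED_OWNERS = {"S-1-5-32-544", "S-1-5-18"}

# File types treated as executable code (the article's .exe, batch, ActiveX, DLL).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx", ".bat", ".cmd", ".com", ".scr"}


@dataclass(frozen=True)
class FileEvent:
    """What an execution hook sees: path, NTFS owner SID and the file's bytes."""
    path: str
    owner_sid: str
    content: bytes


def is_executable(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES


def decide(event: FileEvent, whitelist: set[str]) -> tuple[str, str]:
    """Deny-by-default decision: returns ('allow' | 'deny', reason)."""
    if not is_executable(event.path):
        return "allow", "not executable content"
    if event.owner_sid in TRUSTED_OWNERS:
        return "allow", "owned by trusted account"
    digest = hashlib.sha256(event.content).hexdigest()
    if digest in whitelist:
        return "allow", "explicitly whitelisted hash"
    return "deny", "untrusted owner and not whitelisted"


# Constructed sample data: a standard user's SID and one in-house tool that the
# administrator has approved by hash because it is not admin-owned.
USER_SID = "S-1-5-21-1111-2222-3333-1001"
APPROVED_TOOL = b"MZ...in-house reporting tool (constructed bytes)..."
WHITELIST = {hashlib.sha256(APPROVED_TOOL).hexdigest()}

SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\Vendor\app.exe", "S-1-5-32-544", b"MZ...installed by admin..."),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\~tmp4.dll", USER_SID, b"MZ...dropped by a download..."),
    FileEvent(r"C:\Users\alice\Desktop\invoice.exe", USER_SID, b"MZ...email attachment..."),
    FileEvent(r"C:\Users\alice\Tools\report.exe", USER_SID, APPROVED_TOOL),
    FileEvent(r"C:\Users\alice\Documents\notes.txt", USER_SID, b"plain text"),
    # Caveat: a download saved by a user who is a local admin is Administrators-owned,
    # so trusted ownership lets it run. Standard-user accounts are a precondition.
    FileEvent(r"C:\Users\bob\Downloads\setup.exe", "S-1-5-32-544", b"MZ...saved by an admin user..."),
]


def run_policy(events=SAMPLE_EVENTS, whitelist=WHITELIST) -> dict[str, str]:
    """Map each sample path to its verdict."""
    return {e.path: decide(e, whitelist)[0] for e in events}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, why = decide(e, WHITELIST)
        print(f"{verdict:5}  {e.path}  ({why})")
```

The order of the checks matters: ownership is tested before the hash so that patching an approved, admin-installed product does not require re-whitelisting every binary, while the hash whitelist remains the only route for user-owned code.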

In addition, desktop environments must be safeguarded so that alterations, whether innocent or malicious, are reversed. This prevents additions in areas of the Windows Registry that malware uses to alter applications such as Internet Explorer, or to ensure it is loaded as Windows starts. Self-healing works from a baseline of approved values: any deviation in commonly exploited registry keys, such as the Browser Helper Objects and URLSearchHooks keys through which Internet Explorer loads add-ins, is detected and restored, which prevents spyware masquerading as useful items such as search assistants or extra toolbars.

As mobile working, together with Internet and email use, makes the network perimeter less relevant, securing endpoints across the enterprise is becoming more vital. Stopping new and previously unseen threats, as well as existing spyware, Trojans and other forms of malware, is the next big battle in IT security. Clearly there is no way to stop the production of malware, but by augmenting what a firewall, intrusion detection system or anti-virus client does, application and environment management offers a tiered approach to security that gives organised virus writers a little something extra to think about.
