Two years ago, U.S. retailer TJX spent some US$130 million – including US$65 million to two credit card companies – to clean up the mess after the online theft from its computers of consumer data.
Had the company followed basic wireless security procedures the breach wouldn’t have happened, Derek Manky, project manager for cyber security and threat research for security vendor Fortinet, told the IT360 technology conference Wednesday in Toronto.
It’s an example, he said, of how defending against the ever-increasing malware threats can be effective and not expensive.
“The reality is breaches and infections will happen,” Manky said. A layered defence based on unified threat management rather than end point products will help blunt the attacks, he said.
But some actions don’t involve spending a penny. For example, it costs nothing to create and stick to a patch management policy, he said. Proof that many organizations don’t do that was the large number of servers and PCs infected by the Conficker worm two months after Microsoft released a patch. Disabling any autorun capabilities in the operating system is another free fix that’s forgotten, as well as forbidding the use of simple passwords.
Still, Manky offered no easy fixes. “The barrage of these threats is not going away,” he said. There was an explosion of malware in 2007, and since then “it’s getting worse.”
Malware creators are recruiting software writers, he said, and with an increasing number of IT people being laid off because of the global recession, there’s lots of talent being tempted. Threats range from mass e-mails and file infections – the oldest forms of attacks, but still going strong – Web-based attacks, including drive-by downloads and malware aimed at social networking sites such as FaceBook, intrusions from portable devices such as USB sticks and smartphones, and targeted attacks which lift a Web site’s template and replace the links.
The Conficker worm is an example of how fast the malware’s developers adapt, he said. The first version was seen last August. Variations appeared in November and December. In March a new version included change the way it communicated with hosts to include a peer to peer protocol.
There isn’t one weapon that will defend against all these threats, Manky emphasized. The first line of defence is at the gateway, where a hardened firewall, intrusion detection, Web filtering, anti-virus and anti-spam software are needed. AV and anti-spam at the desktop are also needed.
Some organizations choose best of breed solutions, but Manky urged a unified threat management approach, which brings a number of these capabilities into one firewall, as the best solution largely because they can all be managed through one interface.
Another official from a security vendor who spoke at the conference was Ryan Naraine, security evangelist for Kaspersky Lab, who warned an audience that malware creators are exposing the “ecosystem of trust” in social networking sites such as FaceBook and MySpace.
The sites contain thousands of personal links which can be hijacked for unsuspecting people to click on. Some viruses are even programmed to look for FaceBook or MySpace pages. These two sites are “putting up some roadblocks,” he acknowledged, but it’s not very effective.” In the last three months there’s been a “full-blown explosion” of social-site malware.
In an interview, Narine echoed some of the simple defences that can be take against these attacks that Manky made, such as having strong passwords, a properly configured firewall and a strong patch management policy. But he went further, saying organizations should forbid staffers from going to social networking sites unless absolutely necessary, just as they block access to instant messaging. “There’s no real way to police it unless you invest heavily in user education to get people to spot malicious links.”
For his part, Manky repeated the cliche that time is money, and when it comes to security it’s still true: The faster an organization can meet and defeat an online threat, he said, the less damage it will cost.