Monthly Archive October 2012

By Daniel Gottilla

Viruses, Rootkits, Adware and How to Protect Your Tech Environment

As technology use increases due to people using computers and Internet access for business and personal reasons, there has also been an increase in malicious software (or “malware”). Malware is most known for its ability to wreak havoc on both a user’s computer and the network that it has infected.

While some problems caused by malware infection often include such annoyances as computer and network slowness, more serious problems include network breaches facilitated by malware on company computers.

Types of Malware

There are several types of malware, the most common of which are viruses, worms, trojans, and rootkits.

Viruses and Worms: Both viruses and worms are infectious, which means that they can and will spread to other computers. Viruses spread when they are accessed or run, while worms can spread without additional user intervention.

Trojans and Rootkits: These are malware programs that conceal their true identity. Trojans are usually embedded in another program and are installed by a user who does not realize that what they are installing is harmful. Rootkits are a means of hiding the malware from the user. A rootkit lets the malware keep running, either by hiding within the operating system or by thwarting attempts at removal if it is detected.

How Malware Gets In

Malware can be introduced into a network in a number of different ways. Users are often unaware that they have allowed malware onto their computer and network until it is too late. Common infection scenarios include opening e-mail attachments from an unknown source, downloading files from the Internet, or visiting untrusted websites.

To ensure and protect the integrity of your network, you need to reduce the threat of malware. Here are some tips to help:

  • Install an antivirus program that runs in the background on all your computers. While not fool-proof, an antivirus program is a great way to protect against known viruses.
  • Instruct users not to open email attachments from an unfamiliar source. This is a simple way to protect your network from malware.
  • Limit the sites that users are able to access using a firewall. Certain websites (including illegal software and music download sites, and adult websites) are much more likely to have malware lurking in their code.
  • Place strict limits on what can and cannot be downloaded from the Internet. Defining what can be downloaded can greatly reduce your business’s risk of being infected with malware.
  • Consider reducing the privilege level of users on their individual computers. Many malware programs require administrator-level access to make malicious changes to a hard drive, but most user applications do not need this high level of access.

What does IT Security Risk Management REALLY mean?

The most commonly misunderstood term in the security industry is Risk Management. If you Google the term “Risk Management”, you will find yourself buried in a pile of information ranging from financial risk management to business risk management. And if you happen to fall upon the actual security risk management concept, you may come across a blog post or online article describing risk management incorrectly. Even when speaking with some corporate decision makers (and some IT professionals), the security term risk is often used interchangeably with other terms such as vulnerability and threat. I have seen vendors marketing tools as “Risk Management” tools when in reality they were vulnerability management tools. I can truly understand why education must be made a priority when talking to decision makers prior to discussing a risk management assessment.

The terms risk, vulnerability and threat are three separate terms that work together:

1. Vulnerabilities – are holes and weaknesses in an organization, which are typically the easiest to find and remediate, usually through penetration and vulnerability tests.

2. Threat – is the possibility that something or someone will find out about the vulnerability and exploit it.

3. Risk – is the probability that a threat becomes real, resulting in some form of impact on the business, should that vulnerability be exploited. The unanswered question is how badly it will hurt the organization, and this is usually the hardest to calculate.

Some companies think they have a risk management program already in place, but due to the misunderstanding of terminology, they actually have a vulnerability management program in place. I have had some companies refer to their traditional Enterprise Risk Management (ERM) program when asked if they had a risk management program in place – which is completely different from any security program. ERM includes credit, liquidity, regulatory compliance, and market risk, as well as risk transfer strategies, capital management, and strategy development. However, a solid IT Security Risk Management Program should be an integral part of a holistic ERM, which will cover the organization’s risks more efficiently and effectively. After a brief explanation of the differences between the terms, it is quickly understood that their misunderstanding may have caused them to fall short in implementing a solid risk management program. Additionally, if the risk management program does not include and address all of the layers of the organization that can contain threats – administrative, technical, physical, operations, tactical, and strategic – it is not a risk management program.

Risk Management can be both complex and time consuming. Understanding business, capital, and human resource issues, as well as the management levels involved, is critical during assessment, rather than looking at it solely from a technical perspective. An organization must attempt to read the future, determine what can happen, and estimate how much it can cost.

Risk management should not rest solely on the shoulders of the CSO. It should be a collective effort that includes decision makers and department heads throughout the entire organization who are knowledgeable and able to contribute to the process. Not only are they able to fully understand their department and the risks that take place there – which are not just technical risks – they are also effectively positioned to enforce the plan, as well as to assist in making changes to the culture of the organization, starting within their department.

During the assessment, a tremendous amount of data will be gathered, and the current security components, as well as the business issues that can be affected by the security currently in place, will be reviewed. Vulnerability and penetration tests will reveal what needs to be protected and how, and interviews with staff will provide information on gaps in policies and procedures. This process allows organizations to learn their acceptable risk levels, which tell them how much security they actually need. An organization’s policies should reflect its acceptable risk levels in order to implement the right amount of security.

You can’t address all of your risks, and in many situations it would not be necessary to do so. Once you associate the vulnerability with the threat, and with how that threat can affect the business, it becomes clear how to manage your risk. Risks should be managed in order: the vulnerability with the highest threat that will cost the company the most if exploitation occurs comes first.
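As an added illustration, not part of the original post, of the vulnerability / threat / risk distinction above and of the ordering rule in this paragraph, the following Python ranks a constructed risk register by threat likelihood times business impact and separates the risks above an assumed acceptable level from those the organization accepts. The ordinal scales, the acceptable-risk threshold of 3 and the sample findings are all assumptions of this example, not the author’s.

```python
from dataclasses import dataclass

# Ordinal scales for the two inputs the post separates from "risk".
# Constructed for this example; the post prescribes no particular scale.
THREAT_LEVELS = {"low": 1, "medium": 2, "high": 3}                    # likelihood of exploitation
IMPACT_LEVELS = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}  # cost to the business

@dataclass(frozen=True)
class RiskEntry:
    vulnerability: str  # the weakness itself, as a scan or pentest reports it
    threat: str         # how likely someone is to find and exploit it
    impact: str         # what it costs the business if exploitation occurs

    def score(self) -> int:
        """Risk = threat likelihood x business impact on the ordinal scales."""
        return THREAT_LEVELS[self.threat] * IMPACT_LEVELS[self.impact]

def triage(entries, acceptable_risk):
    """Split a register into risks to treat (ordered) and risks to accept.

    Treat order is highest score first; equal scores are broken by impact,
    following the post's 'will cost the company the most' criterion.
    """
    treat = [e for e in entries if e.score() > acceptable_risk]
    accept = [e for e in entries if e.score() <= acceptable_risk]
    treat.sort(key=lambda e: (e.score(), IMPACT_LEVELS[e.impact]), reverse=True)
    return treat, accept

# Constructed sample register (not findings from any real organization).
SAMPLE_REGISTER = [
    RiskEntry("Unpatched web server in DMZ", "high", "major"),          # 3*3 = 9
    RiskEntry("Default password on network printer", "high", "minor"),  # 3*1 = 3
    RiskEntry("Stale administrator accounts", "medium", "severe"),      # 2*4 = 8
    RiskEntry("Open SMB share holding HR files", "high", "moderate"),   # 3*2 = 6
    RiskEntry("Staff untrained against phishing", "medium", "major"),   # 2*3 = 6
    RiskEntry("Weak Wi-Fi in guest lounge", "low", "moderate"),         # 1*2 = 2
]

def treatment_order(register=SAMPLE_REGISTER, acceptable_risk=3):
    """Names of the risks to treat, in the order the post argues for."""
    treat, _ = triage(register, acceptable_risk)
    return [e.vulnerability for e in treat]

def accepted(register=SAMPLE_REGISTER, acceptable_risk=3):
    """Names of the risks within the acceptable level, left untreated."""
    _, accept = triage(register, acceptable_risk)
    return [e.vulnerability for e in accept]

if __name__ == "__main__":
    print("treat:", treatment_order(), "accept:", accepted())
```

Note that the printer finding is a real vulnerability but, at an acceptable risk level of 3, is not a risk the register says must be treated first; that is the distinction the post draws between a vulnerability program and a risk program.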

Understanding what risk management truly is continues to be the best strategy for properly assessing your organization the first time around, which will save you money in the long term. When this concept is not fully understood, organizations find themselves either spending too much money on security or not enough, yet still lacking the right countermeasures for the tangible and intangible assets or controls that actually need risk management.

When was the last time you reviewed your Risk Assessment?

With all of the statistics, comprehensive data, and war stories shared from security officer to security officer, I often wonder what is behind the thought process of decision makers declining assistance in implementing a cyber security risk assessment – especially organizations that clearly need it for compliance reasons.

I speak with many technology decision makers of fairly large companies regarding implementing a free cyber security risk assessment for their infrastructure. If I had a dollar for every individual within these organizations who believed that an assessment done over 2 years ago makes them prepared for black hat techniques that advance faster than the pace of white hat security initiatives, I could hang up my coat and retire. There is a prevalent false sense of security in companies both large and small: they believe that if they were not significantly compromised in the last 3 or 4 years, their risk and compliance practices are consistent with or above average for best practices in their industry. According to the Economist Intelligence Unit survey “Ascending the Maturity Curve, Effective Management of Enterprise Risk and Compliance”, at least 87% of respondents agreed with this notion.

However, it is recommended that an organization’s security program be reviewed a minimum of every 2 years. It is to their advantage not only to outsource this task to a reputable security consulting company, in order to gain an objective point of view that is difficult to achieve in-house, but also to use a different consulting company each time, so as to gain a different perspective. Rotating security consulting companies provides the opportunity to catch risks that may have been missed previously.

Although the financial services field was found to be most likely to have this false sense of security, the health care industry is barely on the map. The health care industry is just now beginning to embark on discovering a consistent risk assessment standard. Standards are underdeveloped as to how assessments and vulnerability remediation should be completed. Although HIPAA developed a requirement, a lot is left for interpretation. Unfortunately, this results in spotty assessments, or horrifically, no assessments done at all.

That’s why I scratch my head at a decision maker who turns down a free risk assessment. They have the opportunity to find out – utilizing a fresh pair of eyes – what may be exposed in their organization…for free. Addressing the risks, of course, is another subject. So, the next time you receive that call from a reputable security consultant about evaluating your risk assessment program that was implemented more than a year ago, reconsider. Hackers are not waiting every 2 years to develop new ways to crack your network – they are advancing each day.