Wednesday, May 26, 2010

Existence of Malware = Vulnerable to Targeted Attacks

I have come across a couple of companies that tend to focus most of their security strategy on trying to mitigate targeted attacks on their network and give little attention to protecting their businesses from malware (automated attacks) other than a futile reliance on an updated antivirus. It is true that the impact of a targeted attack on a company is far greater than that of automated or commercially spread malware, for example a computer that got infected with a Zlob trojan. However, if your security vendor's management console has reported the existence of a single malware file on any computer in your network, then sadly, the fact is, your business is an easy target for a potential targeted attack regardless of all the security measures or security software/hardware your business has put in place. With the exception of viruses, the existence of malware in the form of a worm, bot, trojan, exploit, rootkit, keylogger, backdoor, spyware, adware, etc. is an indicator that your business is unprotected against spear attacks.

The reason for this is that targeted attacks use the same techniques as malware to compromise a system, but at a more complex level. Whether the purpose is information theft, financial theft, espionage or something else, a professional hacker would attempt to gain access to a business resource either through a vulnerability or by social engineering. Since both techniques are also used by malware, we can compare by example how targeted attacks and malware use these techniques as a vector for access.

Internal Vs. External Attacks Myth

After encountering a lot of IT representatives from different companies, I am surprised to find that the majority of them still believe that most of the security breaches originate from inside the company.
Michael Kassner wrote an excellent article, definitely worth reading, at TechRepublic last year on why such a belief no longer applies today. Kassner references the CSI/FBI Computer Crime and Security Survey, which asks organizations to estimate the percentage of internal attacks they encountered. The results of the survey are displayed in the following graph:
After doing some statistical analysis, the estimated overall average of security breaches that originate from internal attacks is less than 16%. The difference is so overwhelmingly significant that any margin of error, such as the "different points of view" in Kassner's article, would likely still have little effect in proving contrary beliefs.
Hence, the allocation of your organization's IT security budget can be calculated by a simple risk management formula. Let,
E = the average financial impact including losses that may result due to an external attack on your organization. The impact may include financial or information thefts, reputation, loss of productivity, recovery, etc.
I = the average financial impact including losses that may result due to an internal attack on your organization.


Further readings:
http://www.pcworld.com/businesscenter/article/147098/insider_threat_exaggerated_study_says_.html