3 Questions: An End to "Patch and Pray"
This interview with Bruce Hughes, director of malicious code research at TruSecure's ICSA Labs, originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
Question: You've said that attacks by "perimeter killers," that is, worms that circumvent e-mail and directly attack networks through software vulnerabilities and open ports to the Internet, increased by 200 percent in 2003. What's your forecast for the continued threat in 2004?
Hughes: I believe we will see another increase this year. There are two reasons that I base this on. One is that corporations are doing a better job of blocking threats at the e-mail gateway. Corporations are installing security-filtering products on their e-mail servers or blocking executable attachments altogether. The bad guys now have to find other ways in, so they are attacking vulnerabilities in software or operating systems of machines that are sitting on the perimeter. The second is the growth of broadband Internet connections in users' homes. The bad guys target these computers because they are always on and use their high-speed connections to spread to other users. They can also send spam through the networks of PCs they infect or perform dedicated denial of service (DDOS) attacks against specific targets.
Question: Trying to protect against these kinds of security issues often ends up with users and hackers playing leapfrog—bit by bit, each side gets a little craftier in its methods. Will this same trend play itself out with perimeter killers?
Hughes: I think this game will play on and on forever. Always remember that the bad guys can download almost every software solution that we can and make sure that their malicious creations will work against them. Many viruses this year used AVKill technology, which is simply a way to turn off a users' security software (antivirus, PC firewall). Every day, we also see new vulnerabilities discovered, new places for the bad guys to attack, new patches for us to rush to install.
Question: How can enterprises best protect themselves against these sorts of threats? Where's the smartest place to spend that security budget?
Hughes: The "best" place to spend that security budget is where it will do the most good and where the enterprise will realize the most gain with the least pain. Today, most companies have already accomplished some preliminary work at fortifying the perimeter, installing firewalls, routers, and e-mail gateways. The next step is to implement an information security risk management program. Developing an effective program helps an enterprise understand what the "real risk" is and what measures to implement to protect the enterprise. An effective risk management program will include an asset inventory of devices that are exposed to the Internet and devices that are not (or should not be) exposed to the Internet; an assessment of the risk posed by the devices in that inventory; a process to assess the risk and vulnerability of those devices; recommendations on how to minimize that risk; and a regular and repetitive process to identify when the risk or the assets change, and to maintain an effective security posture. When faced with the alternatives, such as "patch and pray" or endless vulnerability testing and retesting, only an effective enterprise risk management program makes sense for enterprises that are truly serious about protecting their information security.
TechRepublic originally published this article on 5 February 2004.