Security breaches on servers not linked to malware

Enterprises must look beyond dependence on antivirus tools and focus instead on a series of simple tweaks to build stronger resistance against server attacks, IT security expert urges.
Written by Tyler Thia, Contributor

Unlike computers, where the majority of viruses can be captured by antivirus software, server attacks are highly sophisticated and enterprises will need to do more than simply rely on a one-stop defense.

In an interview with ZDNet Asia, Peter Tippet, vice president of security solutions and enterprise innovation at Verizon Business, explained that while malware remains a key element in security attacks, it is often not the trigger point. Rather, the lack of a secured infrastructure is typically the reason hackers are able to gain access to enterprise servers and from there, implant malware to launch an attack.

Tippet explained: "These criminals get in through unsafe passwords, SQL injections or other simple remote controls that are usually ignored. While these [security] practices may seem less effective than antivirus software, they are critical in reducing attacks, as each of these controls add up to form a critical resistance."

According to a new study by Verizon Business, only 3 percent of large-scale security breaches and attacks enterprises suffered last year were triggered by malware. The survey assessed only large-scale system attacks resulting in losses of US$10 billion or more in an incident.

The report also discovered that 48 percent of attacks involved "privilege misuse", while 98 percent of data breaches originated from servers.

Elaborating on the data, Tippet noted that unlike consumer PCs and laptops, where malware infections are usually triggered by malware and 99 percent of viruses can be captured by antivirus software, attacks targeting servers are highly sophisticated and security software can only "do so much".

"It's a case of diminishing returns," he said. "No matter how powerful the solution is, servers are still vulnerable to attacks and even the best software can only provide it with 60 percent coverage."

To improve their security "countermeasure effectiveness", companies should include user education, enable servers to "talk" to each other and change IP addresses, he recommended.

While these controls are relatively easy to execute, Tippet shared that IT executives usually are not convinced to do so and prefer to buy expensive security software in the hope of having a one-stop stronger defense against server attacks.

He also pointed to the practice of patching, which is one of the most commonly applied security controls to prevent malware attacks. According to the Verizon study, none of its case studies involved a missed patch and the record remained the same for the previous two reports.

Checklist to better security

Tippet noted that, like other security measures, deploying patches is important as it reduces the risk by leaps and bounds but, like other controls, it too experiences a diminishing return on effectiveness.

He added that Verizon's security business unit, which has some 1,000 enterprise customers, observes a "checklist" of security controls which was developed through years of study to help reduce the risk of attacks. This checklist is akin to that used to support commercial plane operations, where it is said to reduce the risk of mishaps by up to 5,000-fold, he said.

Tippet noted: "While engineering plays a big part, feedback is what teaches us to avoid those mistakes, even if they are simple instructions such as filling the plane with enough fuel. The checklist is by far the most effective solution to reduce deaths in flying, bar none."

Quizzed about suggestions that a malware attack caused the crash of a Spanair flight in 2008, Tippet brushed off the link as "silly".

"The virus may cause some systems to malfunction but it certainly cannot move the location of the plane on the radar," he said. "Systems are also not linked so this makes it impossible for malware to be the single cause of the crash."

A pioneer in the security solutions industry, Tippet created the first commercial antivirus product which later became Symantec's Norton Antivirus.
