Security takes a wrong turn
Commentary--The U.S. Computer Emergency Readiness Team, as part of the Common Malware Enumeration initiative, is about to roll out a plan that will organize the identification of various worms and other attacks that continually plague enterprise networks. Unfortunately, this is a step in the wrong direction--perhaps even a step backward--for IT security.
In a Sept. 22 article about the program, CNET News.com wrote that "the project assigns a unique identifier to a particular piece of malicious software. When included in security software, in alerts and in virus encyclopedia entries, this identifier should help people determine which pest is hitting their systems and whether they are protected, the initiative's backers said."The key phrase in this description of the initiative is "when included." Therein lays the problem: Organizations can name all the existing worms they want, but what about those that are unknown and being developed by hackers on a daily basis? What about those that will never be distributed "at large" but instead are specifically targeted at a few select victims?
Organizing how worms and other attacks are identified is just another example of enterprises trying to deal with attacks after they occur instead of turning their efforts to what should be priority No. 1: prevention. When an enterprise is attacked by a worm, do C-level executives really care about which worm is attacking, or do they simply care that they are being exploited?
According to the initiative, when there is an outbreak, a CME participant will request an identifier by submitting a sample of the new malicious code to an automated system. Participants eventually receive the designated moniker and insert it into their security technology. During this process, the unknown worm will already be in the wild, infecting computing environments at will.
The basic course of action suggested by this project is almost laughable: A company inserts the agreed-upon directory of worms into its security software, it waits for an attack to happen, it identifies the malicious code that is causing the damage and then the IT staff must deal with it. Again, security vendors are telling companies to sit back and wait for the attack. At least now they will know exactly what to call the worm in the press release they will have to issue announcing the security breach to investors.
Here's an idea that's so crazy, it just might work: Instead of focusing on naming worms based on their unique characteristics and attack methods, how about companies focus on how to prevent worms and other malicious code based on these characteristics?
The truth is, hackers will always be able to locate vulnerabilities and issue new malicious code to exploit them. Unknown worms, viruses, Trojans and spyware will continue to run rampant, wreaking havoc on those systems unfortunate enough to get in the malware's path. Instead of analyzing the commonalities of malware for identification purposes, security vendors should use this analysis to find methods of prevention.
Easier said than done, yes, but certainly possible.
For instance, allowing all the applications you need and denying all other executables is an example of how treating all worms equally--in this case, as executable code--can unearth a means of preventing attacks. This is a simple yet effective way for enterprises to keep even unknown worms and other malware out of their systems.
Identifying worms might be a great way to punch up headlines, but quite frankly, it has no effect on stopping the attacks. We all know that a rose by any other name would smell just as sweet, but are we really expected to be fooled by a worm by any other name?
Surely you jest.
biography
Dennis Szerszen, a former industry analyst, is the vice president of marketing and business development at SecureWave, a provider of endpoint security software. Write to him at denniss@securewave.com.