Staying one step ahead of hackers

As malicious programmers become more sophisticated, they can generate code that renders today's security tools instantly obsolete. How can you protect yourself?

commentary Though the term is new, "blended" security threats aren't. These types of threats target several areas of network vulnerability simultaneously. What is new and unique, however, is what the malicious code within them is doing.

In a blended threat, malicious code can take many forms and can attack your enterprise in a number of different ways. It can also do more than one kind of damage while it's in your system.

You might, for example, find a piece of malicious code that can attack your company's computers through e-mail attachments, infected Web sites, or even through direct attacks on your routers and servers. Once inside your firewall, these threats can spread through everything from shared disks to internal Web servers. And they can spread to the rest of the world through e-mail and file transfers, for example.

Vendors say the blended threat problem is just getting rolling. Symantec's Carey Nachenberg says he expects to see malicious code that can morph itself each time it replicates, making some antivirus software useless. He sees greater threats on the horizon. Key to preventing tomorrow's blended threats are such items as layer 7 firewalls, which examine the contents of packets as they pass through. He also thinks companies need vulnerability management software, intrusion detection, and something new called behavior blocking.

Behavior blocking software is still in its infancy. In general, the software looks for certain operations that are carried out by inappropriate applications. For example, the software might alert the security staff if it detects an application that's erasing or changing other applications, or trying to use the Internet in conjunction with such activities.

According to Nachenberg, behavior blocking software runs on a separate server, with drivers on each computer. The drivers watch for suspicious behavior by software installed on the computer and alert the server if they spot something. What might constitute suspicious behavior? Perhaps an application that accesses the Internet, deletes or changes files, or creates new applications. But for behavior blocking to be useful, of course, you already need to be infected.
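The kind of rule logic such a driver-and-server setup might apply, as an added Python example (not vendor code and not from this article): the host event records are constructed, and an alert fires only when a process tampers with or creates executables *and* uses the network, matching the "in conjunction with such activities" condition described above.

```python
"""Toy behavior-blocking rule engine, modelled on the description above."""
from collections import defaultdict

# Sensor events as a per-host driver might report them to the central
# server: (process, operation, target). Constructed sample data, not a
# real capture.
EVENTS = [
    ("winword.exe", "file_write", r"C:\Users\alice\report.doc"),
    ("winword.exe", "net_connect", "10.0.0.7:80"),
    ("mailworm.exe", "file_write", r"C:\Windows\calc.exe"),
    ("mailworm.exe", "file_create", r"C:\Windows\svc_update.exe"),
    ("mailworm.exe", "net_connect", "203.0.113.9:25"),
    ("setup.exe", "file_create", r"C:\Program Files\App\app.exe"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")

def is_executable(path):
    """Crude check for 'another application' based on the file suffix."""
    return path.lower().endswith(EXECUTABLE_SUFFIXES)

def evaluate(events):
    """Return {process: [reasons]} for processes whose *combined* behavior
    matches the blocking rule; a single kind of action never fires alone."""
    seen = defaultdict(set)
    for proc, op, target in events:
        if op in ("file_write", "file_delete") and is_executable(target):
            seen[proc].add("modifies other applications")
        elif op == "file_create" and is_executable(target):
            seen[proc].add("creates new applications")
        elif op == "net_connect":
            seen[proc].add("uses the Internet")
    alerts = {}
    for proc, flags in seen.items():
        # Rule: executable tampering/creation AND network use together.
        if "uses the Internet" in flags and flags - {"uses the Internet"}:
            alerts[proc] = sorted(flags)
    return alerts

if __name__ == "__main__":
    for proc, reasons in evaluate(EVENTS).items():
        print(f"ALERT {proc}: {', '.join(reasons)}")
```

Only mailworm.exe is reported: the word processor uses the network but touches no executables, and the installer creates an executable but never goes online.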

The tools to fight blended threats already exist. The first line of defense is applications that reside on your servers and look for malicious code. A good example of this is Mail Security from GFI. Likewise, it's important to make sure you have adequate firewalls, and that you keep them and all your security software up to date. And, of course, you need to keep your operating systems and Internet server software patched and updated.

Don't forget about the single most important tool of all: training. Teaching your staff not to open attachments, not to download things from Web sites unrelated to your specific business activities, and not to bring in software from home is critical to keeping your enterprise secure. Unfortunately, training takes time and costs money, and that means it's usually the first thing axed by the accountants.

Most companies don't have to worry about terrorists as much as they have to worry about random strikes by self-propagating malicious code, hackers, and disgruntled employees. That means you have to take precautions against blended threats, or malicious code, now. If you don't, the next round of e-mail and Web-propagated worms will surely find your servers. And you know what your life will be like if that happens.

Have you been the victim of a blended threat? How did you squash it? TalkBack to me below.