The zombie's bite: Avoiding a botnet

Some advice from pros for keeping your infrastructure out of the snares of a botnet.

Unlike the ghastly creatures of film, botnet zombies may look and act like normal, uncompromised machines. The two key challenges are preventing a machine from being compromised in the first place, and detecting and thwarting botnets or their components if they get past defenses.

“The majority of the botnet instances I encountered over a six-year period as a security engineer for a mid-sized hospital were based on poor user decisions,” says Andy Hubbard, senior security consultant for Neohapsis, a provider of mobile and cloud security services. Hubbard explains that the trouble often starts while the user is outside of the corporate network – for example, using their laptop at home. However, some of the users who caused problems managed to become infected even with the defenses the hospital had in place – for example, by directly interacting with malware while running as “admin.”

“With use of internet access control (IAC) and threat-monitoring tools, we could detect a botnet before the device managed to synch with a command-and-control (C&C) system,” he says. “Our threat monitoring and IAC solutions detected and blocked outbound communication attempts allowing us to identify the infected host and clean it.”
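The approach Hubbard describes, catching the call-home before the host finishes syncing with its C&C, can be approximated by looking for regular outbound connections to destinations the organisation does not already trust. The script below is an added illustration of that detection logic; it is not code from the article or from Neohapsis. The log format, the host and domain names, and the ALLOWED_DESTINATIONS list are all constructed for the example.

```python
"""Beaconing detector over constructed outbound-proxy log lines.

Assumed (hypothetical) log format, one connection per line:
    <ISO-8601 timestamp> <source host> <destination host> <bytes sent>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-17 reaches out to the same unknown host every 60 s,
# while ws-04 browses normally. All names are made up for this example.
SAMPLE_LOG = """\
2014-09-01T09:00:00 ws-17 updates.example-unknown.net 512
2014-09-01T09:00:05 ws-04 www.example.com 20480
2014-09-01T09:01:00 ws-17 updates.example-unknown.net 508
2014-09-01T09:01:30 ws-04 mail.example.org 1200
2014-09-01T09:02:00 ws-17 updates.example-unknown.net 515
2014-09-01T09:03:00 ws-17 updates.example-unknown.net 510
2014-09-01T09:03:20 ws-04 www.example.com 9700
2014-09-01T09:04:00 ws-17 updates.example-unknown.net 509
2014-09-01T09:05:00 ws-17 updates.example-unknown.net 511
"""

# Destinations the organisation already trusts (assumed); anything else is "unknown".
ALLOWED_DESTINATIONS = {"www.example.com", "mail.example.org"}


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(size)
        except ValueError:
            continue


def find_beacons(text, allowed=ALLOWED_DESTINATIONS, min_hits=5, max_cv=0.2):
    """Return {(src, dst): interval_seconds} for regular call-outs to unknown hosts.

    A (src, dst) pair is flagged when it has at least ``min_hits`` connections
    and the coefficient of variation (stdev / mean) of the gaps between them is
    below ``max_cv``, i.e. the host is calling home on a near-fixed schedule.
    """
    seen = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        if dst not in allowed:
            seen[(src, dst)].append(ts)

    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            flagged[key] = round(avg)
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{interval}s; isolate and investigate host")
```

On the constructed sample only ws-17 is reported, with a 60-second interval. In practice the allow-list would come from the proxy's existing categorisation, and the thresholds (min_hits, max_cv) need tuning against normal traffic such as software-update checks, which also beacon regularly; the point is to surface the host for cleaning, as Hubbard describes, not to block on a single match.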

Hubbard's experience underscores the nature of the threat. “It isn't a sexy answer, but the truth is that a lot of malware and botnets just go after the low-hanging fruit,” says Rick Holland, principal analyst, security and risk management at Forrester Research. He says that when he has asked audiences at his talks questions such as, “How many of your end-users are also local administrators on machines?”, invariably at least half the hands go up. Even at a SANS event, where people are focused on security, the results are similar.

He says he has also observed that many organizations have little or no visibility other than at the perimeter. “This wasn't a scientific study, but it seems like most of these companies within their networks have no Layer 7 visibility – or even Layer 3 and 4,” he says. The point, he emphasizes, is that organizations need to start with basics. “Failing to do these basics allows botnet herders to compromise more machines,” he says. “In one of our recent reports we pointed out that there's no need to fire a cruise missile when the screen door is wide open.”

While botnet herders are more “commodity oriented,” Holland says advanced attackers can take advantage of the same low-hanging fruit. “Using Flash or Acrobat they can leverage the same vulnerabilities, so when organizations don't do the basic ‘hygiene,' it puts them at risk for mass malware.”

Taking a similar tack, Tom Gorup, security operations center manager at Rook Security, a provider of IT security solutions and services, says that the big culprit that allows botnets in is poor configuration and patch management. “That is the root cause of a lot of these botnets,” he says. “Web and server admins, unfortunately, do a poor job of ensuring their content management system and services being used by that system are properly updated. Your website is the glass door to your iron-clad network.”
