McAfee Avert Labs recently announced statistics that demonstrate the scale of the problem. Based on the 135,885 unique threats identified in 2007, Avert Labs found that:
- 372 new detections were identified per calendar day.
- 527 new detections were identified per business day.
- One driver was written every four minutes.
- 38 percent of all detections ever made were added last year.
- 25,438 more detections were added in 2007 than in 2005 and 2006 combined.
Two of the most popular malware objectives are stealing confidential information and setting up the computer as a bot. That's the goal of the Silent Banker Trojan, which has built-in support for over 400 banks and can circumvent two-factor authentication. While such a Trojan may be less of a worry in the corporate sector, it's important to point out that if malware runs on an employee's computer it will have access to all of the employee's files -- local ones plus the ones on the servers that the employee can access via network shares. Virtually all employees have access to some confidential information, and one compromised computer is often all it takes.
As soon as a rogue application is started it can try to transfer data outside the organization. The most common techniques involve tunneling data through some other protocol:
- HTTP tunneling -- The Trojan hooks a DLL into Internet Explorer and sends data encoded into HTTP to a rogue web site. Most modern firewalls should be able to detect an anomaly in such traffic.
- SSH tunneling -- As this traffic is encrypted it is harder to detect whether we are dealing with rogue traffic or not. If you Google “SSH Tunneling” you will see many resources -- including security products -- that show how to set up an SSH tunnel.
- DNS tunneling -- Data can also be encoded into traffic that looks like outbound DNS queries. The messages are larger and, depending on the amount of data to be sent, also more frequent, and can therefore be detected.
- ICMP tunneling -- Allows SSH over ICMP.
In a layered security strategy you can reduce the risks of data leakage. One of the best strategies is to ensure that employees can only access confidential information on a need-to-know basis. This is easier said than done, but lately a few products have appeared that do a fair job of scouting your network for keywords inside documents to locate and classify confidential information.
Another strategy involves proxy servers with application layer filtering. By forcing all outbound traffic through such servers you can detect and stop the most common attacks. The proxy servers can control traffic based on a particular protocol (e.g., IM), search for given strings and prevent the “packets” from leaving the organization when there is a match.
The final area to examine is the desktop. Enforcing strict control over which applications can be executed can prevent unknown applications from running. The downside is that it requires substantial resources to set up and maintain. While there are a good number of security solutions that will protect the desktop, many are still used in environments where end-users run with full administrative rights – the same rights that malware needs to install itself. While the trend seems to be shifting from kernel rootkits to user-mode exploits, reducing end-user privileges will reduce the malware attack surface and should be part of your overall layered security strategy.