The term ‘blended threats’ has become synonymous with viruses in the last year.
Viruses such as Nimda, Goner, Klez and Code Red, which have caused havoc in the last twelve months, are raising their heads with alarming regularity.
The fact is, virus writers have got smarter. Authors have come a long way from simple mass mailers and have created malicious code that is capable of ‘evolving,’ with dozens of different ways of spreading. Viruses which can distribute themselves via open network shares, email, or the Internet are now commonplace, meaning security vendors have to work doubly hard in order to protect networks.
The Nimda virus is a classic example. Striking in September 2001, Nimda is one of the most complex viruses to date, using five techniques to spread in 19 different ways including open network shares. Even just one virus slipping through the firewall can mean an immense headache for the IT department. There’s no question that viruses have come a long way, the question is what is the next step in their evolution? And how can enterprises defend themselves?
It is a fact that despite this new wave of blended threats, businesses haven’t seen a truly widespread destructive virus for some time. There are mixed views on this amongst business and security communities. While some may feel anti-virus vendors have finally got it right, others feel complacency is creeping into businesses because of this quiet period of virus activity. The truth is probably somewhere in between. Can we expect a blended threat to form the basis of the next big attack that puts viruses back on the agenda of world business?
The complexity of blended threats is what has really got vendors working overtime to develop solutions. In addition to the multiple spreading methods, blended threats can do far more than simply attack a host PC or network. Often spreading without human intervention, these viruses can continually scan the Internet looking for vulnerable servers against which to launch denial-of-service attacks, deface web servers, or even simply plant Trojan horse programs for later execution.
Equally worrying is the fact that this malicious code has evolved to morph itself each time it replicates, making some anti-virus software useless. Businesses need to start looking at solutions that combine vulnerability management software, intrusion detection and anti-virus protection at every level of their network to offer a comprehensive and tiered level of protection. The real jump will come when vendors finally develop an intelligent defense that looks at the behavior of a piece of code and deals with it accordingly.
Vendors have gone some way to doing this already with the use of heuristic and generic detection to effectively stop some viruses before they are even written. However, developers need to take this software to the next level. The real hurdle to overcome is for researchers to perfect a defense that looks for certain operations that are carried out by inappropriate applications and alerts the IT manager accordingly. For example, software that can identify applications that are changing or erasing other applications – or trying to use the Internet for unsolicited activity – could effectively stop a virus before it becomes a menace.
As great a technological leap as this kind of intelligent software would be, it still needs to be a last line of defense. The fact is, if these solutions are looking on the network for suspicious activity – then the business is already infected.
While there is the fear that blended threats have the potential to terrorize businesses on a global scale, the encouraging fact is that security vendors are increasingly working together to halt these viruses, worms and Trojans in their tracks. It is certainly starting to become a case of co-operation, rather than competition.
Anti-virus companies have been working together for some time to share information on virus threats. The next step that has been embraced by many is to take this relationship to the next level. As well as simply sharing information, intrusion detection and anti-virus vendors are working together to develop software that works on both levels to stop viruses – whatever their method of propagation.
Only half the battle is won through the technology however. The next big challenge for vendors is to educate businesses on the dangers of blended threats and get them to act accordingly. It is true that complacency is creeping into IT departments. Historically we’ve seen a three-month cycle in the behavior of viruses and businesses. First, a virus strikes, causing millions in damage and lost productivity; second, a business puts security back to the top of the agenda; third, virus activity tails off because up-to-date defenses are in place; fourth, the business gets complacent – not updating as frequently, or letting the management of security slip; then another virus strikes causing millions in damage and lost productivity. And so the cycle goes.
This trend has been bucked recently with businesses not experiencing a truly damaging virus since the Goner attack in 2001. It is a sad fact, however, that we cannot put this down to businesses becoming self-aware of their own complacency and maintaining their focus on security. It is more likely that they have become increasingly complacent and, as months go by, will let security slip down their to-do lists. In a recent study, conducted by Vanson Bourne for Network Associates, 92 per cent of the IT directors and managers surveyed believed that they had enough resources to properly deal with their network security but 82 per cent of them had still been hit with viruses within the last 18 months. The worry is that when the next strike comes, especially if it is a blended threat, the consequences could be on a par with the estimated one trillion dollars damage caused by the LoveLetter virus.
The virus community needs to work at educating businesses about these threats. Until products which are directly focused on blended threats become available, businesses need to ensure they are employing protection at every layer of the network – desktop, gateway and internet. Businesses also need to be made aware of the dangers of not staying up to date with virus protection and other bugs and fixes.
One possible solution is that if IT managers do not have time to deal with security then simply take the management headache away from them. A number of traditional security vendors are moving towards offering managed services and solutions, whereby the experts take control of desktop firewall, perimeter firewall and anti-virus management, hosting the services remotely. Although not widely embraced by all types of companies, it is certainly a method for ensuring that protection is up-to-date and defenses are as watertight as possible. After all, the first people to know about new viruses are inevitably the virus researchers. If they can develop a fix for a new blended threat, then it is equally inevitable that the first people to receive protection will be the customers whose security they control.
It is widely acknowledged that blended threats provide the single biggest security risk on the horizon for businesses, and the single biggest challenge for security vendors. There needs to be an appreciation, however, that it will take more than simply technology to stave off this danger. Businesses need to recognize that the human factor will play an increasingly important part. IT managers need to keep security as a priority and work closely with vendors of all kinds to make their defenses impenetrable. The fact that security businesses are looking less at competition and more at co-operation in developing alliances to combat blended threats should encourage customers that their network security is the priority.
Sal Viveros is the U.K. director of the McAfee ASaP managed services division of security software vendor Network Associates ( www.mcafeeb2b.com).