Ian Amit, director of security research, Aladdin Knowledge Systems
It used to be easy to be in the security industry. All you had to do is develop products that said “nay” or “yea” on given content deemed secure or not. That is so 2007… As we witnessed during a turbulent 2008, the ability to decide whether given content is malicious or not is much more complicated. Here are some of the elements that used to help us walk down the decision tree of security software logic:
- Source. If the content came from a website that’s no good (catering to hacker forums, storing malicious files, and even hosted in a foreign country – or with a less than appropriate top level domain such as .cn or .ru), security software used to be able to say “nay.” Back to the present – we see most of the malicious content and attacks come from .com sites, hosted in the U.S., and most likely on legitimate sites unknowingly serving malware.
- Looks. Web-based threats used to be a relief for security scanning software – everything is plaintext, and it is easy to figure out what a piece of code is trying to do just by “looking” at it. Reality: Enter obfuscation. Most (if not all) malicious code we see nowadays on the web is obfuscated to a level where a standard language-driven algorithm would just shoot itself. The vast capabilities endowed on browsers these days make it very easy to hide malicious code in a scrambled and dynamic fashion such that standard security software won’t be able to see it.
- Distinction. Back in the days, if something looked suspicious, it was blocked. Reality: Legitimate and malicious content are intertwined and exist in the same context of most modern web attacks. It’s hard to just say “nay” to a page full of legitimate content when it has just a few pieces of malicious content. Simply blocking sites and pages do not work, especially when (as noted above) most of the attacks come from legitimate sites whose content is vital to business.
I’m not writing this to paint a grim picture – just the opposite. We are facing a new era: An era of innovation, of change (I know someone said that before me so I’ll just ride on the wave of success), and of better security. This new reality will transport us as a community and as an industry to new realms, where we no longer have to answer simple-minded yes/no questions. Welcome to the era of enabling, of providing all the new tools, technologies and content to whoever wants them – securely. No longer are these the days of “no Facebook at work” — welcome the days of “Facebook at work is great – but no messaging, chat or game applications between 9 and 5.” Welcome to an era where all web sites are treated equally, and access is “always on” (but we’ll keep the bad parts out).
Welcome to change. Embrace it and get ready for 2009!