Computer Viruses - The New IT Arms Race
By Simon Heron
The stark reality is that network security in this Internet age is a race. This race starts every time a new virus, worm or vulnerability is discovered, and only finishes when an organization's network is either protected or compromised.
These are the only two possible outcomes; you win or you lose, there are no silver medals. And the IT departments around the world are finding themselves increasingly under pressure, as new viruses and worms such as Klez.h, Netsky.q, MyDoom.a, Bagle.z, Slammer, Sasser and the current plague of Zafi.b seemingly breach networks with ease.
The "arms race" is currently being lost because most of the IT world is still looking to out-of-date technology to protect itself. The vast majority of the anti-virus systems out there use "PULL" technology in order to obtain the latest anti-virus signatures. The simple fact is that even if network security is updated once a day like clockwork, because new viruses, worms and vulnerabilities appear all of the time, within just moments of that daily update the system can (and most likely will) be vulnerable once more.
There is simply no way that an IT manager, or even two or three skilled people working in an IT department, can provide this type of 24/7 update service for their organization.
Most anti-virus vendors still use this ineffective "once a day," or even "once a week," update model, despite their marketing claims of so-called "live," "active," or "automatic" updates.
There are already nearly one hundred thousand known computer viruses, and each month over a thousand new viruses, worms and "Trojans" are added to the mix.
Of course, not every one of these viruses and worms is destined to be as "successful" as Klez.h, Netsky.q, MyDoom.a, Bagle.z or the current plague of Zafi.b; but at the moment a new virus or worm is first discovered, it is almost impossible to know for sure which will be a major problem and which will be no more than a mere curiosity.
A variety of factors come into play that govern the success of a virus, worm or trojan.
The virus writer needs to get his or her virus to "critical mass" before the major anti-virus companies can get a virus signature out, installed on their customers' computer systems, and protecting them. To achieve this, many virus writers are turning to spamming techniques, ensuring critical mass within moments of launch. "Blended" technology is also being used to further improve the virus' or worm's chance of success. Rather than depend on just mass-mailing emails, for example, certain worms (such as variants of Netsky) may well attack users via certain open and unprotected network ports, to exploit known vulnerabilities in popular operating system software.
If a worm is able to reach critical mass quickly, and takes advantage of a widespread vulnerability, the result is often hundreds of thousands of computer systems around the world being infected in just moments.
A classic example of the speed with which viruses spread is the SQL Slammer worm. On 25th January 2003, at 05:29:36 GMT, we detected and blocked the first probe to UDP port 1434 in Korea. In Japan, Thailand, Germany, Switzerland, Australia, England and Saudi Arabia, similar probes were being reported within a matter of seconds. Within three minutes, we had detected and blocked probes to that port throughout the world.
This means that effectively within three minutes of its release, the worm had probed every single active Internet host, and detected and infected every single active and vulnerable server. Probe rates were as high as one probe per IP address per second in Korea and Australia.
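The probe-rate detection described in the two preceding paragraphs, as an added example that is not part of the original article: it parses constructed, syslog-like firewall lines (the field layout and every address are assumptions, not any vendor's real output), isolates UDP/1434 events, computes each source's peak probe rate in a sliding one-second window, flags sources that meet a threshold, and reports how quickly new probing sources appeared after the first one.

```python
"""Rate-based detection of UDP/1434 probe storms over firewall log lines.

Added example; the log format below is a constructed, syslog-like layout
and the addresses are placeholders, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
# "<ISO timestamp> <action> proto=<udp|tcp> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2003-01-25T05:29:36Z BLOCK proto=udp src=10.0.0.5 dst=192.0.2.10 dport=1434
2003-01-25T05:29:36Z BLOCK proto=udp src=10.0.0.5 dst=192.0.2.11 dport=1434
2003-01-25T05:29:36Z BLOCK proto=udp src=10.0.0.5 dst=192.0.2.12 dport=1434
2003-01-25T05:29:37Z BLOCK proto=udp src=10.0.0.5 dst=192.0.2.13 dport=1434
2003-01-25T05:29:37Z ALLOW proto=tcp src=10.0.0.9 dst=192.0.2.10 dport=443
2003-01-25T05:29:38Z BLOCK proto=udp src=10.0.1.7 dst=192.0.2.20 dport=1434
2003-01-25T05:29:45Z BLOCK proto=udp src=10.0.1.7 dst=192.0.2.21 dport=1434
2003-01-25T05:29:46Z ALLOW proto=udp src=10.0.2.3 dst=192.0.2.30 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["dport"] = int(d["dport"])
    return d


def probes(log_text, proto="udp", dport=1434):
    """Return the parsed events that match the probe signature (UDP to 1434 by default)."""
    events = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["proto"] == proto and e["dport"] == dport:
            events.append(e)
    return events


def peak_rate_per_source(events, window=timedelta(seconds=1)):
    """Highest number of probes each source sent inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans less than `window`
            while times[end] - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def flag_scanners(events, threshold=3, window=timedelta(seconds=1)):
    """Sources whose peak probe rate reaches `threshold` probes per window."""
    peaks = peak_rate_per_source(events, window)
    return sorted(src for src, peak in peaks.items() if peak >= threshold)


def spread_time(events):
    """Seconds from the first probe to the first probe by the last newly seen source."""
    seen, first, last_new = set(), None, None
    for e in sorted(events, key=lambda e: e["ts"]):
        if first is None:
            first = e["ts"]
        if e["src"] not in seen:
            seen.add(e["src"])
            last_new = e["ts"]
    return (last_new - first).total_seconds() if first else 0.0


if __name__ == "__main__":
    ev = probes(SAMPLE_LOG)
    print("UDP/1434 probes:", len(ev))
    print("peak probes/second per source:", peak_rate_per_source(ev))
    print("flagged sources:", flag_scanners(ev))
    print("seconds until the last new source appeared:", spread_time(ev))
```

The threshold and one-second window are deliberately low so the tiny sample trips the rule; on a real border firewall the interesting signal is the sudden jump in distinct sources and the per-source rate climbing to the one-probe-per-second figure the article reports, rather than any single blocked packet.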
If you are connected to the Internet, you are at risk, pure and simple. And if you think that having a firewall and an anti-virus program installed is enough to protect you, then you need to think again - and fast.
The speed of the Internet has made "friction of distance" evaporate.
In the face of the onslaught from malware, protection needs to move with the times. Firstly, networks require blended protection, which includes firewall, VPN (Virtual Private Networking), IDP (Intrusion Detection and Prevention), anti-virus, anti-spam, content filtering and company policy management; just having parts of the jigsaw is not enough. Secondly, these systems need to work seamlessly, with zero latency between the intrusion detection and the firewall. Thirdly, all of these systems need to be updated in real time, using state-of-the-art PUSH technology, not the PULL technology of yesteryear.
Last but not least, systems need to include the latest heuristic technology, and not rely too heavily on pattern recognition alone, as we see more and more zero-day high-speed attacks across the Internet. A high-quality anti-virus heuristic engine, such as the one from Kaspersky, can actually block up to 92% of known viruses, even without having any signatures installed.