Behavioral Vulnerability Is All the Rage
As tools and attack types grow more sophisticated, vendors and their solutions must keep pace. Yet the most comprehensive and successful approach to controlling the crimeware threat is to proactively control and prevent access to the places where users can go and pick up infections.
"From an organizational perspective you have to blend policies and solutions. You can't do either/or. If you try to approach it from an all-policy perspective and you don't have a good solution set in place, then you end up spinning your wheels, and vice versa," says Redmond. "You can throw all the technology you want at threats, but if you don't create good policies around what the users are allowed to do, then you're still open to vulnerabilities."
As Peter Cassidy, Secretary General of the APWG (Anti-Phishing Working Group), explains, "Behavioral vulnerabilities are the center of the universe. Unfortunately the conversation's always about either money or technology, and behavioral aspects are never really taken as seriously as they should be. Behavioral vulnerability isn't really quantified in a way that illustrates how it impacts the effectiveness of a particular technology."
Applications such as Smiley Central or Hot Bar, which promise "value" or "utility," are great examples of social engineering. Users feel that these applications provide a usefulness that outweighs company policy prohibiting unapproved downloads. Media files containing malicious payloads are another example of social engineering as a means of propagation. Viral videos spread across the Internet at breakneck speed. How many conceal backend crimeware that users are readily installing onto the corporate network?
"There are people who can't conceptualize what's really going on with crimeware," notes Tim Johnson, Product Marketing Manager for Enterprise Threat Shield at SurfControl. "There are also those who really won't care or who will misunderstand the risk to the organization. When a user wants to do something and the company disallows it, they will often circumvent desktop protection if they're able." No amount of deep packet inspection or port-agility defenses can protect an organization against a deceptive or delinquent user.
What's a Company To Do?
The situation may seem bleak: employees are a necessary part of doing business, vendor solutions often fail us, and threats are continually on the rise. However, mitigating the symptoms of spyware, phishing, and their more advanced permutations benefits from the classic layered approach to Internet and communications security, beginning with an enforced acceptable use policy. Combining solutions-based, policy-based and behavioral-based controls can drastically reduce organizational vulnerabilities.
Johnson explains, "From a policy standpoint, policies are only as effective as the enforcement behind them. From a behavioral standpoint, actively educating users as to what crimeware looks like and how it adversely affects the organization can bring them on board as effective preventative resources. From a solutions-based perspective, even the best and brightest of vendor wares can never provide 100% protection. However, they should always be the first line of defense in a comprehensive security approach."
At a minimum, companies need an effective email filter capable of blocking spyware from entering the network via active HTML, attachments, phishing, spam and other email-borne vectors. This is essential to securing the communications medium. Yet blocking shouldn't stop with email - there also needs to be something at the desktop level that stops the spyware as it's introduced, NOT after it is already saved and running.
Lastly, an extremely effective cure for an infected network is to remove the ability to introduce symptoms in the first place. Users unfortunately shoulder most of the blame when it comes to introducing spyware. Diehard delinquents and rogues will do whatever they can to hold onto their messaging, music, games and other nifty widgets. If they can turn off protection, they will. If they can hide their spoils, they will. Companies should implement a solution that disallows running or installing programs (such as games, P2P, and IM applications) that, in turn, install spyware. Group Policy Objects - or similar tools - are not enough, as they can be easily tricked or circumvented.
Enacting policies is a great idea, but completely ineffectual if they aren't regularly, equitably and promptly enforced. Preventative tools are a step in the right direction, but only if they are not of the one-size-fits-all, magic-bullet variety. Workable solutions must have comprehensive, scalable and customizable capabilities to meet the evolving needs of today's organizations.