Although we have long known about the virulence of email threats and
viruses, this year continues to supply highly evolved and critically
destructive email attacks.
According to Symantec’s semi-annual Internet Security Threat Report,
released this past September, a record-breaking 1,862 new vulnerabilities
were documented between January 1 and June 30 of this year, and 97 percent
of them were rated moderate to high severity.
Adding to our problems, the time between vendor vulnerability disclosure
and the release of an exploit decreased from 6.4 days to 6.0. On average,
54 days passed between a vulnerability’s appearance and the release of a
patch to fix it. Doing the math, that leaves approximately 48 days between
the exploitation of a vulnerability and the availability of the means to fix it.
It’s not surprising that hackers are quickly devising exploits, and the
large window of vulnerability makes it much easier for them. With all
that extra time, they’re creating myriad versions of attacks and
experimenting with speed and voracity.
It’s difficult to get ahead when “known” vulnerabilities are known to
the bad guys as well. Common knowledge gives the hackers a map to more
attack points, while the IT department gets the burden of prioritizing
multiple top-tier crises.
The concept of layered security is well established by now. We routinely
deploy an army of solutions working in concert to protect our
communication networks: intrusion detection and prevention, spam filters,
anti-spyware tools, authentication, anti-virus, company rules,
regulations and user education. Despite the fortress we’ve built, we’ve
failed to adequately fill the gaps, and the attacks keep seeping in.
“Some parts of our system have three layers of protection,” says Brett
McKeachnie, director of Infrastructure Operations for Utah Valley State
College (UVSC) in Orem, Utah. “Even then, we’ve found that there are
things that can get by all three layers. The threats that are out there
are so diverse that it’s beyond the capability of one vendor and one
solution to protect us.”
UVSC has 3,000 faculty and staff email users, with an average daily email
volume of 50,000 to 100,000 messages. The IT department needed a way to
reduce the slowdowns caused by virus storms, in which servers are inundated
by virus-laden emails. UVSC chose to deploy Lindon, Utah-based Avinti
Inc.’s iSolation Server to augment its existing anti-virus solution.
“If you’re concerned about security, you have to have multiple layers,”
McKeachnie explains. “When we started using Avinti iSolation Server, we
didn’t know how many viruses were getting through. It was a wake-up call.
When school is in full session, we see anywhere between 1,000 viruses on
slow days and 17,000 on one particular day getting caught up in our email
protection.”
Developed as an augmentative tool, the iSolation Server is best
implemented as part of a layered email security strategy that integrates
anti-virus, anti-spam and anti-spyware solutions from other security
vendors. UVSC uses Novell GroupWise for its faculty and staff email
system, SpamAssassin’s anti-spam technology, and the iSolation Server to
augment Guinevere, a GroupWise-specific anti-virus solution.
Adding to the Layers?
As an industry, we may have accepted that layered protection is the best
course of action, but when the layers are legacy solutions that the
attacks have long since outsmarted, it becomes a question of how much
more we should add. IT administrators at some large companies say nothing
else is necessary when their existing anti-virus solution is catching all
the known attacks on the network.
In terms of security, a reactive response is rarely the most advantageous
approach to a problem. As a short-term solution, many top-tier
organizations are patching what they’ve already got. This would be
perfect if we knew every pattern and signature yet to be created, but the
reality is that both security and attacks are evolutionary and fluid.
“While the email security challenges companies face today have evolved
from a decade ago, or even a year ago, the email security technology
entrusted to protect businesses and consumers has failed to keep pace
with the threats,” says Terry Dickson, CEO of Avinti, a provider of
email outbreak protection.
In June and July of 2005, the UK government’s National Infrastructure
Security Co-ordination Centre noted a series of attacks, identified as
targeted Trojans, that were infiltrating companies via email. Such
built-from-scratch malware has a much higher chance of defeating
anti-virus products and remaining under the radar long enough to create
extensive security breaches. The malicious nature of the Trojans is such
that even if you report the malware to anti-virus suppliers and receive
updates, the attacker may already have compromised other systems, and
subsequent detection of the original malware will no longer be of help.
“The issue of whether or not to augment existing security is something
the market has grappled with since the advent of virus protection,” says
Curtis Tirrell, a vice president at Avinti. “The number one line of
defense in protecting email communications is to know what you have. AV
does that by examining known patterns and specific elements of incoming
malware and stops it in your environment. The reality is, sometimes
malware gets missed because of its sophistication and its placement in
the window of vulnerability.”
Prepared for Increased Attacks?
This year’s 10th Annual CSI/FBI Computer Crime and Security Survey found
that, for the 690 participating companies, unauthorized access to
networks has greatly increased and the loss from theft of proprietary
data per head has doubled.
Ironically, at the June 2005 CSO Interchange in Chicago, nearly 100
percent of the participating CSOs said they were well prepared to handle
spam, worms, viruses, DoS attacks and hacker attacks.
“Large enterprises have a specific investment in security systems and
they’re doing whatever they can to tweak what they’ve got. I think most
companies will say, ‘What we’ve got now is not perfect, but it’s working,
stable, and we’re going to stick with it,’” says Peter Firstbrook,
program director for Gartner, Inc., an industry analyst firm based in
Stamford, Conn. “I certainly wouldn’t tell people to wholesale replace
their solutions, but augmenting with new technologies that don’t detract
from what they have is definitely a good idea.
“Let me put it this way: if your email security vendor is not evolving
with the threatscape, then you definitely should be looking at
alternatives and installing new hardware,” says Firstbrook.
We have come to accept that enterprise security is a formula based on
budgets and acceptable levels of risk, but if history teaches us anything,
it is that we’ll never be able to call the race ‘won’. The biggest
threat we face is our own complacency and the idea that our current
levels of protection are probably good enough.