How secure is your enterprise against rootkit attacks? Are you relying solely on your firewall and anti-spyware vendors for your defense? If so, maybe you shouldn't...
On Friday, eWeek ran an interesting story, "Study: Symantec Best at Removing Rootkits; Microsoft Worst". It covers a study by Thompson Cyber Security Labs, paid for by Symantec, which tested the leading anti-spyware vendors on their ability to detect and then remove rootkits.
Symantec, the study's sponsor, came out on top. What was most interesting, however, were the results on page 13 of the report. The test used 20 rootkit attacks, and the detection and removal counts were:

Vendor      Detected (of 20)   Removed (of 20)
Symantec    20                 16
McAfee      17                  7
Webroot     15                  8
F-Secure    15                  8
Sunbelt     12                  5
Trend       10                  3
Microsoft    5                  3

Every vendor except one missed 3 or more of the 20 attacks, and even the best product cleaned up only 16 of them.
Bottom line: the vendors are struggling first to detect a rootkit and then to remove it reliably. Don't tell your CEO the enterprise is well defended against these attacks just because an anti-spyware product is installed. Some attacks will get through undetected, and, worse, even when one is detected the odds are that it won't be fully removed.
You need a layered enterprise security defense. As I outlined in my paper "Network Access Control Security 2006", you need to be prepared to reimage your entire network if you are infected with a rootkit. The reason is simple: once a rootkit controls the kernel, the host can no longer be trusted to report honestly on its own files and processes, so a rebuild from known-good media is the only clean-up you can rely on. This can be a very large undertaking.
Further, you need layers of stronger authentication. Static passwords are exactly what a rootkit's keyboard and screen loggers are built to capture, so one-time codes or hardware-token credentials limit what a successful rootkit attack can do with what it steals.
Then you must assume that this defense too will be breached. Use transaction authentication, where the user's token approves the specific details of each transaction rather than just the login, to protect your most valuable or highest-risk information, networks and applications.
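As an added example (not from the original post, nor from the eWeek story or the paper it cites), here is the shape of transaction authentication this recommendation points at, in Python. It assumes a hardware token with its own display that shares a secret with the server and that shows the user the transaction fields before computing an approval code; the secret, the account numbers and the nonce scheme are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. In a real deployment it lives in the user's hardware
# token and the server-side HSM; it is never typed on a (possibly keylogged) keyboard.
TOKEN_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the fields the user approves on the token display."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(secret: bytes, txn: dict, digits: int = 8) -> str:
    """Token side: derive a short approval code bound to exactly this transaction.

    Truncation follows the HOTP scheme (RFC 4226): take 31 bits of the MAC at a
    data-dependent offset, then reduce to `digits` decimal digits for the user to type.
    """
    mac = hmac.new(secret, canonical(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TransactionVerifier:
    """Server side: recompute the code from the submitted fields and reject replays."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def new_nonce(self) -> str:
        # Fresh per transaction; shown to the user for entry into the token.
        return secrets.token_hex(8)

    def verify(self, txn: dict, code: str) -> bool:
        nonce = txn.get("nonce")
        if not nonce or nonce in self.used_nonces:
            return False  # missing or already-consumed nonce
        expected = sign_transaction(self.secret, txn)
        if not hmac.compare_digest(expected, code):
            return False  # fields differ from what the user actually approved
        self.used_nonces.add(nonce)  # burn the nonce only on success
        return True


def keylogger_scenario() -> dict:
    """Play out what a keylogger on a rootkitted PC can and cannot do with the code."""
    server = TransactionVerifier(TOKEN_SECRET)

    # The user reads these fields on the token and approves them (constructed data).
    txn = {"from": "ACC-1001", "to": "ACC-2002", "amount": "250.00",
           "nonce": server.new_nonce()}
    code = sign_transaction(TOKEN_SECRET, txn)  # typed on the keyboard, so captured

    # 1. Man-in-the-browser rewrites destination and amount in flight, keeps the code.
    tampered = dict(txn, to="ACC-6666", amount="9999.00")
    tampered_ok = server.verify(tampered, code)  # rejected: code bound to other fields

    # 2. The genuine request arrives exactly as the user approved it.
    legitimate_ok = server.verify(txn, code)  # accepted

    # 3. The attacker later replays the captured request unchanged.
    replay_ok = server.verify(txn, code)  # rejected: nonce already consumed

    return {"legitimate": legitimate_ok, "tampered": tampered_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(keylogger_scenario())
```

The point of the design is that the keylogger still sees everything the user types, but what it captures is only good for the one transaction the user already approved on the token's own display; a captured static password, by contrast, would authorize anything the attacker wanted.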
DON'T JUST SIT BACK AND WISH THIS ALL AWAY OR THAT IT WON'T HAPPEN TO YOU. It's better to be proactive now rather than explaining to the media and your Board later why your enterprise was successfully attacked and suffered financial loss.