Malware-Test.com released on January 3, their latest Spyware and Virus detection tests. The results are still pretty dismal. While there were a couple of vendors who did well in the latest tests (BitDefender 94.85%, ESET 89.12% and Kaspersky 88.86%), most of the vendors were below 50%. This trend has been the same for most of the last year and is great cause for concern.
Spyware used to be somewhat of a separate product category from virus detection software. However, over the last year, more and more spyware has become malware with the introduction of Trojan horse and other malware attacks within the spyware. Thus, in today's world, it is getting very hard to distinguish virus software from spyware software.
The trend also highlights the ability to not only detect the malware but also clean it up. If the malware has rootkit attacks within it, tests from last year indicate that most vendors have a very poor rate of success in cleaning up the rootkits.
Then, to add ore misery to the pain, people like Vinton Cerf, one of the creators of the internet TCP/IP, has recently stated that up to one quarter of all computers attached to the internet, estimated at 150 million, are likely infected with malware.
To add more fuel to the growing storm, it was reported today in CNET that phishing attacks has overtaken viruses and trojans. This confirms the trend experts warned about last summer that organized crime is now using more targeted attacks against enterprises. They are beginning to diminish the use of mass mailer worms.
Then there is the news that Microsoft Word now has four major critical flaws that enable attackers to download malware when the document is opened. Three of these have been identified since early December and still remain unpatched.
Follow this up with recent news that Cisco routers has three major security flaws (for which patches are available). This can increase the already high likelihood of denial of service attacks on an enterprise.
Then add in recent Adobe Acrobat flaws (for which patches are available).
Add to this mix the rising threat from attacks using mobile devices. Almost all experts say that attack threats from mobile devices will grow steadily during 2007.
Finally, add in attacks from things like printers. As printers become increasingly smart and document processing centers, the risk also grows to the enterprise.
Any enterprise must take note of the e-storm that they are in but may not feel the impact. As the attacks get more sophisticated it can be several months or more before an attack is realized. Just ask TJ Max, the retailer, who it's reported had millions of it's customers credit card numbers stolen several months ago but only realized it this December.
THERE IS NO SILVER BULLET FOR THIS STORM. There is no one technology you can turn to, install and then sleep well at night.
The answer is to have multiple layers of defense. This must start with repeated end user training on the risk of clicking on email links and/or attachments. It must also continue to educate them about social engineering attacks. The human link is the weakest link in the chain. By using social engineering, attackers can easily bypass millions of dollars in security defense infrastructure.
The next layer is the firewalls with anti-virus, anti-spyware and intrusion detection software installed. This must be constantly tested and for which updates are immediately installed.
Then there is the network authentication. Enterprises need to ensure that all devices attaching to the network are first, properly patched, and second, are authenticated, using the appropriate authentication strength required based on enterprise risk assessment. This must include mobile devices as well as things like printers.
Next is to have excellent user provisioning. Make sure that users only have what they need to have in order to do their job or use enterprise services. Also ensure that when they no longer need resources, they are instantly deprovisioned.
Then there is the user authentication. Enterprises must have single sign on packages installed that request stronger and stronger authentication as the user drills towards sensitive networks, buildings, applications or information.
Sensitive information must always be encrypted. Avoid the risk of having laptops stolen, like Scotland Yard did containing all their members sensitive identity data.
Then you must assume that even with all of this protection, you will be successfully penetrated. Put transaction authentication on high risk applications and information. Even if the user logs on successfully, check to ensure it is the real user by monitoring their computer hardware, IP address, geolocation, time of day and past user profile.
Your last resort is to assume that this too might be breached and have monitoring on all data leaving the enterprise firewall to spot sensitive data on its way out the door. This should also include databases with profile usage to detect anomalies in usage of the database.
This is a war you're in. Like any good general, you must plan for attacks and have many layers of defense. There is no calvary on the horizon coming to rescue you. It will likely be two to three years before regulatory laws, police forces and technology begin to catch up with the attackers.