A set of malware-infected systems under common control is commonly referred to as a botnet. The systems in a botnet can be used for various purposes, for example Distributed Denial of Service (DDoS) attacks against company websites or the sending of spam e-mails.
Creating malware is nowadays no longer reserved for experts. Prefabricated kit systems allow even laymen to assemble malware. These kits can be purchased on specialised websites; no expert knowledge is required.
A recent Microsoft study demonstrates exactly this. According to it, the infection rate in several EU countries as well as the United States rose sharply at the end of 2011; until then, these countries had generally shown a low infection rate. The increase is attributable to the malware families Win32/ZBot and Win32/EyeStye. Both are generated by a malware kit, are available for purchase and cause different kinds of damage.
The damage ranges from deactivating the personal firewall or other local security components, through spying out user and computer information, to accessing sensitive data such as the keystrokes entered on an online banking page. The number of infections suggests that criminal activity involving malware is increasingly concentrating on the United States.
Stuxnet & Co.
Increasingly prominent are the so-called Advanced Persistent Threats (APTs). They use mechanisms similar to those of traditional malware, but with a much stronger focus on a specific target and a corresponding technological specialisation. Behind APTs there tend to be organisations whose know-how and resources allow them to prepare, test and ultimately carry out these highly complex attacks.
Within Stuxnet, for example, program code was found that is used to program Siemens Simatic S7 controllers. These controllers are also used in nuclear power plants. Iran was particularly affected by Stuxnet, which suggests that it was a targeted operation.
Flame has similar characteristics. This APT was recently discovered in the Middle East. Although only a small number of around 1,000 systems were infected, it is notable that mainly governmental systems were among them. For propagation, Flame uses the local LAN or USB sticks. Once a system is infected, screenshots are taken, audio recordings are started, and keyboard input and network traffic are recorded.
Integrated trace removal
Interestingly, Flame has an uninstall routine: if a special command is sent from the C&C server, the malicious code is completely removed from the system. This very feature distinguishes Flame from standard malware, as it allows the traces of the attack to be removed completely once it has been carried out.
With all of these threats, the question arises of how they can be adequately addressed. The answer is a holistic security concept that relies not only on antivirus software but also on other techniques and, above all, on organisational measures. The aim is to achieve the maximum level of affordable security with the available means.
Timely Updates
The first duty in protecting against malware is well thought-out patch management. All systems in the company must always be supplied promptly with the available security updates. At the same time, adequate measures such as proper quality control are essential to ensure operational stability.
Anti-virus vendors are countering the ever-increasing number of malware attacks with new technologies that enable faster distribution of signatures and improve malware protection through the use of cloud services, allowing a quicker response to a changed threat situation. These new technologies need to be evaluated and deployed appropriately, in line with the company's own strategy.
Many anti-virus vendors have developed into complete IT security providers. In addition to solutions for the client/server area, they also offer protection software for gateway systems. These options should be used primarily at the transition to the Internet and to other, less trustworthy networks. It is now standard to equip both web proxies and e-mail proxies with the appropriate malware protection.
A multi-vendor strategy is usually used here, meaning that a different anti-virus solution is used on these gateways than in the client/server area, which increases the detection rate further. In addition, anti-virus vendors can build a more comprehensive picture of the current threat environment by evaluating security-relevant information from a variety of sources, such as gateway systems, servers or clients.
Nowadays this information is collected centrally and correlated promptly. This allows signatures to be made available quickly and rule updates to be rolled out for e-mail and web proxies.
The same approach can be transferred to the level of your own company. Here, too, the messages of security-relevant systems can be collected and correlated centrally. This is typically done with a Security Information and Event Management (SIEM) system.
As a result, an outbreak of malicious software can be detected quickly and its spread through the network is easier to trace. Reporting functions make it possible to generate both highly aggregated reports for management and technically oriented evaluations for the various specialist departments. Management reports are becoming ever more important, as the topic of information security is being followed with growing interest at that level.
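To make the central correlation described above concrete, here is an added example (not from the original article or any vendor product): a small Python correlator over constructed log lines from a web proxy, a mail gateway and endpoint anti-virus, which flags a malware family as an outbreak when several hosts report it within a short window and returns the hosts in order of first sighting, i.e. the spread path. The log format, host names, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is assumed, one event per line.
SAMPLE_LOGS = [
    "2012-06-04T08:00:12 webproxy host=pc-017 verdict=blocked malware=Win32/ZBot",
    "2012-06-04T08:03:40 mailgw host=pc-042 verdict=quarantined malware=Win32/ZBot",
    "2012-06-04T08:05:02 endpoint-av host=pc-042 verdict=infected malware=Win32/ZBot",
    "2012-06-04T08:09:55 endpoint-av host=srv-files verdict=infected malware=Win32/ZBot",
    "2012-06-04T08:11:30 endpoint-av host=pc-017 verdict=infected malware=Win32/ZBot",
    "2012-06-04T09:40:00 endpoint-av host=pc-099 verdict=cleaned malware=Win32/EyeStye",
    "garbled line that no parser should choke on",
]

LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) verdict=(\S+) malware=(\S+)$")

def parse_event(line):
    """Normalise one line from any source into a common event dict; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, host, verdict, malware = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "verdict": verdict, "malware": malware}

def correlate(lines, window=timedelta(minutes=30), min_hosts=3):
    """Group events by malware family and flag a family as an outbreak when at
    least `min_hosts` distinct hosts first report it within `window`.
    Returns {family: [hosts ordered by first sighting]} for flagged families."""
    by_family = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_family[ev["malware"]].append(ev)
    outbreaks = {}
    for family, events in by_family.items():
        first_seen = {}  # host -> earliest timestamp, i.e. the order of spread
        for ev in sorted(events, key=lambda e: e["ts"]):
            first_seen.setdefault(ev["host"], ev["ts"])
        hosts = sorted(first_seen, key=first_seen.get)
        # sliding window over first sightings: any window holding min_hosts hosts fires
        for i in range(len(hosts)):
            j = i
            while j < len(hosts) and first_seen[hosts[j]] - first_seen[hosts[i]] <= window:
                j += 1
            if j - i >= min_hosts:
                outbreaks[family] = hosts
                break
    return outbreaks
```

With the sample data, Win32/ZBot is flagged with the spread order pc-017, pc-042, srv-files, while the single Win32/EyeStye sighting stays below the threshold.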
The human factor
Besides these technical solutions, organisational measures must not be neglected. This begins, for example, with simple awareness measures designed to sensitise employees to IT security. Even today, the human being is far from a negligible factor in information security.
Here, for example, the correct handling of external storage media such as USB sticks can be taught. If this interface is brought under control, one of Flame's entry points can be closed off. It is also necessary to define when a security incident exists and how it is to be handled. In many organisations it is implicitly assumed that a malware infection is dealt with once the malware has been removed from the affected system. Technically, the problem is solved.
This raises the question, however, of whether the incident has actually been handled completely. The answer is a clear no, since attacks can, for example, alter gateway, server or client systems permanently, or the infection may only be the advance notice of something larger. Comprehensive protection can only be achieved through a procedure that precisely regulates which parties must be informed, and when.
Conclusion
Antivirus solutions are still mandatory. However, they must be adapted to the current threat situation, where necessary extended by further technical measures, and supported by the organisation. On this basis, comprehensive protection can be established.