PC Malware Driven Security Breach Disclosures—A Case of Worms
by Eirik Iverson, Product Management
When malware on a client PC is the cause of a security breach, the possibilities for what might have been compromised are mind-numbing. What data and what data systems might the malware have compromised while the PC was infected? In other words, who came into contact with Typhoid Mary, and what did they have in their pockets when they did? Imagine the work required to satisfy full disclosure requirements in good faith. The consequences must scare the hell out of profit-driven businesses.
Before I elaborate on my opening, I must say that people have a right to know if they are at risk due to a security breach. Few places exist within developed economies where legislation does not mandate disclosure of security breaches. Second-generation regulation is rapidly following first-generation legislation to close loopholes and increase penalties for non-compliance. It’s becoming ever cheaper to invest in prevention and incident response planning than to react to incidents.
Okay now, let’s start from the point where a malware infestation on a client PC has been discovered. The malware found is the kind that communicates its booty to a BotNet. Setting prevention and proliferation aside for the moment, what matters from here on is a single question: what did the attackers get?
Before assessing the damage, IT personnel should change the PC user’s credentials on the machine as well as on every other networked resource the user is authorized to access. This should be done in hours, not days! As a side effect, this activity also identifies every networked resource the user is authorized to access.
Again, who came into contact with Typhoid Mary and what did they have in their pockets when they did?
When did the malware infection begin? Sophisticated malware will frustrate forensic investigation, assuming the organization has such resources in house or hires them. In addition to what can be found on the PC, much success comes from data mining all relevant logs: firewalls, DHCP servers, DNS servers, etc. One hopes to find likely BotNet communications to and from the infected PC. I would love to know what percentage of forensic investigations establish a 90% confidence in the malware infestation date.
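The log mining described above, as an added example that is not code from the original post: it correlates a DHCP lease log (so that traffic is attributed to the right machine even when its IP address changed) with an outbound firewall log, flags destinations contacted at a steady period as beacon-like, and reports the earliest such connection as a lower bound on the infection date. The log line formats, the addresses, the suspect MAC and the beacon thresholds are all assumptions, and every log line is constructed for illustration.

```python
"""Estimate the earliest evidence of BotNet beaconing from a suspect PC by
correlating a DHCP lease log with an outbound firewall log.

Added example; not code from the original post. Log line formats, the
addresses, the suspect MAC and the beacon thresholds are assumptions, and
the sample log lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
DHCP_RE = re.compile(r"^(\S+ \S+) LEASE mac=(\S+) ip=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")

SUSPECT_MAC = "00:11:22:33:44:55"  # constructed

# Constructed DHCP lease log: the suspect PC moves from .23 to .31 on 03-03,
# and a different machine then picks up .23.
DHCP_LOG = """\
2010-03-01 08:02:11 LEASE mac=00:11:22:33:44:55 ip=10.0.0.23
2010-03-02 07:58:40 LEASE mac=00:11:22:33:44:55 ip=10.0.0.23
2010-03-03 08:01:05 LEASE mac=00:11:22:33:44:55 ip=10.0.0.31
2010-03-03 08:03:19 LEASE mac=aa:bb:cc:dd:ee:ff ip=10.0.0.23
"""

# Constructed outbound firewall log: a 10-minute beacon to 203.0.113.7:443
# that pauses overnight, ordinary web traffic, and one hit from the *other*
# machine that inherited 10.0.0.23.
FIREWALL_LOG = """\
2010-03-02 09:00:05 ALLOW src=10.0.0.23 dst=198.51.100.10 dport=80
2010-03-02 11:20:01 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
2010-03-02 11:30:03 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
2010-03-02 11:40:02 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
2010-03-02 11:50:04 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
2010-03-02 12:00:01 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
2010-03-02 14:15:33 ALLOW src=10.0.0.23 dst=198.51.100.10 dport=80
2010-03-03 08:10:00 ALLOW src=10.0.0.31 dst=203.0.113.7 dport=443
2010-03-03 08:20:02 ALLOW src=10.0.0.31 dst=203.0.113.7 dport=443
2010-03-03 08:30:01 ALLOW src=10.0.0.31 dst=203.0.113.7 dport=443
2010-03-03 09:00:00 ALLOW src=10.0.0.23 dst=203.0.113.7 dport=443
"""


def parse_leases(dhcp_log, mac):
    """[(lease_start, ip)] for one MAC, sorted. A lease is assumed to hold
    until the next lease for the same MAC (expiry is not modelled)."""
    leases = []
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m and m.group(2) == mac:
            leases.append((datetime.strptime(m.group(1), TS), m.group(3)))
    return sorted(leases)


def ip_at(leases, when):
    """IP the MAC held at `when`: the latest lease starting at or before it."""
    current = None
    for start, ip in leases:
        if start <= when:
            current = ip
        else:
            break
    return current


def host_connections(fw_log, leases):
    """Firewall records attributable to the suspect PC, grouped by (dst, port)."""
    by_dest = defaultdict(list)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), TS)
        if ip_at(leases, when) == m.group(2):
            by_dest[(m.group(3), int(m.group(4)))].append(when)
    return by_dest


def beacon_candidates(by_dest, min_hits=4, tolerance=0.25, min_regular=0.7):
    """Destinations contacted at a steady period, i.e. beacon-like.

    The median gap is used instead of the mean so that one overnight pause
    (PC switched off) does not hide an otherwise regular 10-minute beacon."""
    found = {}
    for dest, times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
        if regular >= min_regular:
            found[dest] = {"first_seen": times[0], "hits": len(times), "period_s": period}
    return found


def earliest_evidence(fw_log, dhcp_log, mac):
    """(earliest beacon-like connection, beacon table). The time is a lower
    bound on infection age: infection began at or before it, and earlier
    beacons may lie outside log retention."""
    leases = parse_leases(dhcp_log, mac)
    beacons = beacon_candidates(host_connections(fw_log, leases))
    first = min((b["first_seen"] for b in beacons.values()), default=None)
    return first, beacons


def other_hosts_contacting(fw_log, leases, dest):
    """Source IPs other than the suspect PC that reached a beacon destination:
    leads for the 'were other PCs infected?' question."""
    others = set()
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), TS)
        if (m.group(3), int(m.group(4))) == dest and ip_at(leases, when) != m.group(2):
            others.add(m.group(2))
    return others


if __name__ == "__main__":
    first, beacons = earliest_evidence(FIREWALL_LOG, DHCP_LOG, SUSPECT_MAC)
    print("earliest beacon evidence:", first)
    for dest, info in beacons.items():
        print(dest, info, "other hosts:",
              other_hosts_contacting(FIREWALL_LOG, parse_leases(DHCP_LOG, SUSPECT_MAC), dest))
```

On the constructed data the only beacon-like destination is 203.0.113.7:443, first seen on 2010-03-02 at 11:20:01 even though the PC changed address the next morning, and the single hit from 10.0.0.23 on 03-03 is correctly attributed to the other machine that took over that address, which is exactly the kind of second host the investigation should go and look at. A real run would feed DNS query logs through the same attribution step to learn which names resolved to the beacon address.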
While investigating the infestation date, the team should conduct an assessment of what data assets were on the PC: documents, databases, cached credentials, etc.
With an information inventory of the PC, and an information inventory of the PC user’s networked resources, the team has a broad idea of what data might have been compromised.
Next, one has to determine whether the malware was sophisticated enough to steal and spoof other users’ credentials and access other networked resources. Was there sufficient exposure to facilitate secondary breaches? This is not fantasy.
Today’s malware routinely consists of a downloader that can plug in a number of modules as needed. One of these could be a widget that sniffs Ethernet traffic, intercepts Windows domain and other hashed credentials, and sends them off to the BotNet to be dictionary-attacked and classified, after which other modules are loaded to access the discovered and cracked resources.
This raises the obvious question: were other PCs infected and controlled by the BotNet? If so, the potential breach inventory is broadened further.
The good news is that server logs and other data can rule out some of the data that might otherwise be counted as compromised. For example, if the PC user never actually accessed one or more of the networked resources, and if those credentials were not cached on the PC, the team can rule out the data from those resources.
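The scoping step described in this section and the inventories built up in the preceding ones, as an added example that is not code from the original post: given the user's authorized resources (from the credential-reset step), the credentials found cached on the PC, the PC's own data assets, a server access log and an infection window running from the earliest beacon evidence to the credential reset, it marks each networked resource as exposed or ruled out and records why. It goes a little beyond the text by also flagging a cached credential for a resource the authorization inventory never listed, since that is an inventory gap worth surfacing. The log format, the user, resource and path names, and the window are assumptions; all sample data is constructed.

```python
"""Scope a potential breach from one infected PC: which networked resources
must be treated as exposed and which can be ruled out, with reasons.

Added example; not code from the original post. The log format, the user,
resource and path names and the infection window are assumptions, and the
sample data is constructed."""
import re
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
ACCESS_RE = re.compile(r"^(\S+ \S+) user=(\S+) resource=(\S+)$")

# Constructed server access log (file server, database and CRM logins).
ACCESS_LOG = """\
2010-02-20 10:12:44 user=jdoe resource=hr-db
2010-03-02 13:05:10 user=jdoe resource=fileserver01
2010-03-02 15:40:02 user=asmith resource=crm
2010-03-04 09:11:27 user=jdoe resource=fileserver01
2010-03-06 08:00:00 user=jdoe resource=crm
"""

# Inventory produced by the credential-reset step: all resources jdoe may use.
AUTHORIZED = {"fileserver01", "hr-db", "crm", "vpn"}
# Credentials found cached on the PC during the asset review (constructed).
CACHED_CREDENTIALS = {"vpn", "legacy-ftp"}
# Data assets found on the PC itself (constructed paths).
PC_ASSETS = ["C:\\Users\\jdoe\\Documents\\customer-list.xlsx", "Outlook OST mail cache"]
# Infection window: earliest beacon evidence up to the credential reset.
WINDOW = (datetime(2010, 3, 2, 11, 20, 1), datetime(2010, 3, 5, 10, 0, 0))


def parse_access_log(log):
    """[(timestamp, user, resource)] from the constructed access log format."""
    rows = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rows.append((datetime.strptime(m.group(1), TS), m.group(2), m.group(3)))
    return rows


def scope_breach(user, authorized, cached, accesses, window, pc_assets):
    """Classify every networked resource as exposed or ruled out.

    Exposed: accessed by the user inside the window, or reachable with a
    credential cached on the PC (listed in the inventory or not).
    Ruled out: authorized, never touched inside the window, no cached
    credential. The rule-out only holds if the malware did not harvest other
    users' credentials; when that cannot be excluded, nothing may be ruled
    out and the caller should widen the window or the user set."""
    start, end = window
    used = {r for when, u, r in accesses if u == user and start <= when <= end}
    exposed, ruled_out = {}, set()
    for r in sorted(authorized | cached):
        reasons = []
        if r in used:
            reasons.append("accessed during infection window")
        if r in cached:
            reasons.append("credential cached on PC")
        if r not in authorized:
            reasons.append("NOT in authorization inventory: inventory gap")
        if reasons:
            exposed[r] = reasons
        else:
            ruled_out.add(r)
    # Everything on the PC itself is exposed for the whole window.
    return {"local_assets": list(pc_assets), "exposed": exposed, "ruled_out": ruled_out}


if __name__ == "__main__":
    result = scope_breach("jdoe", AUTHORIZED, CACHED_CREDENTIALS,
                          parse_access_log(ACCESS_LOG), WINDOW, PC_ASSETS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed data, fileserver01 is exposed because it was used inside the window, vpn because its credential sat on the PC, and legacy-ftp because a cached credential exists for a resource nobody had on the authorization list; hr-db (last used before the window) and crm (used only after the reset, and by another user during the window) are ruled out. The reasons list is what goes into the disclosure file, so each ruled-out item can be defended later.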
I’m not a forensics expert, and I haven’t played one on TV either. My intent here was to illustrate how pervasive a data leak can be with just one malware infestation on one PC. I also wanted to show yet another good reason for maintaining a practical inventory of one’s information assets.
With the tremendous uncertainty about what data might have been compromised by a single PC infested with malware, it’s no wonder there’s so little data on infected-PC security breaches. As few as 20% are reported. Reporting one leads to many questions that are difficult to answer. If they haven’t already, the new disclosure laws will make locking down and protecting PCs much cheaper than reacting to incidents.
Malware Prevention is Critical, Few Enterprises Are Prepared, Blue Ridge has Answers
Security software on a typical enterprise computer has less than a 50-50 chance of detecting NEW malware. These anti-virus/anti-spyware products rely on signature-based technology that excels at stopping malware at least a month OLD. The vendors require roughly a month to discover, develop, test, and distribute new malware signatures. Cyber criminals can create tens of thousands of new variants in the time it takes the vendors to create a single signature. That is also why the criminals routinely retire half of their variants within 48 hours of initial use: to further frustrate the vendors.
The vendors have bundled additional security software into security suites with features intended to stop NEW malware. However, these features are so complex that they tend to be either completely disabled or vastly underutilized. Most vendors offer high, medium, and low modes intended to simplify configuration and minimize invasiveness. The net result is that the preferred ‘medium’ setting is substantially less effective than the disruptive ‘high’ setting.
Blue Ridge offers three products that feature AppGuard Technology, which protects computers from today’s sophisticated threats without confusing or distracting end-users or administrators. AppGuard protects small business computers. AppGuard Enterprise adds centrally managed controls to protect SMB and larger enterprise computers. And EdgeGuard delivers centrally managed computer protection, control (i.e., policy enforcement), and audit (i.e., global operational awareness). Further, Blue Ridge offers managed security services so businesses can focus on what they do best.