In its Online Financial Fraud and Identity Theft Report, Cyveillance reports results on how well legacy AntiVirus products detect malware. Some AntiVirus products could only detect 30% of malware tested, missing a whopping 70%. Statistically, tossing a coin to make a call about malware would have a success rate of 50%, which is better than the 30% reported by Cyveillance.

At DefCon16 this month, in The Race to Zero contest, three teams competed on the fasted way to modify known viruses, including the ancient Stone virus dating back to 1988, to evade today’s AntiVirus products. The teams succeeded in a few hours. They found it very easy to defeat the AntiVirus products that rely on virus signatures remaining unchanged.

AntiVirus vendors were not pleased by this event. “With antivirus vendors already processing some 30,000 samples each day, there’s no need for any more samples”, said Roger Thompson, chief research officer at AVG Technologies.

But reality demands action, today’s BotNets fill their ranks by infecting PCs with frequently modified malware. A recent report noted that one BotNet changes the signatures of its malware every 10 minutes.

These signature based technologies are not effective in blocking this zero-day malware. Unfortunately, host intrusion prevention system (HIPS) technologies, designed in the late 90’s and bundled with major AntiVirus enterprise endpoint security suites, do not deliver the desired results at an acceptable level of effort. Instead, they

• Inundate administrators with false positives
• Confuse end-users with prompts to make a decision about malware
• Fail to deliver much needed detection accuracy.

The endpoint security field needs a fresh start and a new generation of techniques to detect and block unrecognized, unknown malware without asking end-users to make a decision or divert administrators from other important work.

The Race to Zero (www.racetozero.net) contest was organized by security researcher Simon Howard.

A signed agreement among business partners helps, but guarantees nothing. Incidentally, it can also discourage disclosure. Persuading them to implement better information security practices (i.e., spend more) can be fruitless.

Despite the difficulties, we often need an agreement signed to help facilitate avoiding the following risks posed by our business partner endpoints:

• Infect our mission critical servers (Risk 1)
• Leak data via malware (Risk 2)
• Leak data via removable media (Risk 3)
• Leak data via high-risk endpoint hard drives (Risk 4)

Limit server access to partner endpoints of acceptable risk.
Limit access to machines not just people. Limiting access based on both identity and health requires network access control (NAC) technology, such as Microsoft Network Access Protection (NAP).

• Try to limit access to machines that process as little data, documents, or media from the outside world as practical (Risk 2). This also means denying access to endpoints running p2p and other software.
• Ensure that anti-virus and anti-spyware software are running, up-to-date, and frequently conduct full scans (Risk 2)
• Try to require other anti-malware tools because signature-based anti-malware products are becoming more ineffective every week (Risk 2).
• Deny access to endpoints with promiscuous removable media settings (Risk 3)

Data stored on partner endpoints must be encrypted.
Fixed and mobile PCs can be physically compromised. Limit server access to endpoints with full disk encryption (Risk 4). Second, also limit access to machines that require two factor authentications to utilize the endpoint (Risk 4). If your partner’s disk encryption solution can ensure that write operations to removable media are encrypted, then you might ease up on removable media settings requirements (Risk 3).

Consider limiting partner server access to thin client machines.
One can be very confident that no malware is operating within a freshly rebooted thin client machine (Risk 1). This can also be the most effective, albeit Draconian, risk mitigation to data leaks (Risk 2, 3, and 4). BTW, you could also have them access mirrors of your mission critical servers instead (Risk 1).

Traditional anti-virus products detect only 30% to 50% of malware.
One of the Black Hat presenters noted that one BotNet alters its malware executables every 10 minutes. This makes it nearly impossible for anti-virus vendors to maintain up-to-date signatures to intercept such malware.

Malware attacks are very focused on client computers (i.e., endpoints).
Malware attacks will stay this way for many years to come, exploiting vendor software mistakes. Implement patches and isolate PCs without them. Remember, clever end-users without admin rights can install software. Perform periodic audits because these same end-users generally neglect patches.

Most software vendors use poorly designed safeguards to secure their product self-updates.
One Black Hat researcher predicts that hackers will exploit these weaknesses. Organizations that can utilize patch management systems for their endpoints on and off-enterprise might consider disabling all self-update capabilities on individual applications. Good news: the presenter complimented Microsoft on the cryptographic design of its update mechanisms.

Web browser security risks will get worse before they improve.
More malware infestations occur via web browsers than any other attack vector. In the coming year, researchers warn, recently exposed HTTP based attacks using IFrame/Jscript will dramatically increase in volume with costly consequences, enabling hackers to hijack:

• HTTPS sessions, which are the bread and butter of all e-commerce
• Home routers and cable modems.

Presently, there is little one can do to defend against these attacks without disabling a web browser’s scripting capabilities, which removes the Web 2.0 features that end-users value.

The standard-bearers for the newly designed HTTP version 5 appear to regard security as an after-the-fact detail. As web browsers implement the new conveniences of version 5, they will also be introducing new opportunities to exploit web browsers. Recommendation: assume your web browsers will be compromised and focus on containing the risk.

Man in the middle (MiM) attacks on SSL VPNs and HTTPS will continue to increase.
These attacks not only threaten to compromise information privacy but also threaten information integrity. Hackers can alter private content without leaving a trace of evidence behind. SSL VPN and HTTPS depend on the most vulnerable and most exposed object on the endpoint: the web browser. In formulating security policies, regard web browsers as untrustworthy.