As we move into 2015, it’s appropriate to look back and think about what we’ve learned about the threat landscape. To that end, CheckPoint’s 2014 Security Report makes for some pretty interesting reading.
According to their research, in a typical large enterprise:
- Every 1 minute a host accesses a malicious Web site
- Every 3 minutes a bot is communicating with its command and control center
- Every 9 minutes a high risk application is being used
- Every 10 minutes a known malware is being downloaded
- Every 27 minutes an unknown malware is being downloaded
- Every 49 minutes sensitive data is sent outside the organization
- Every 24 hours a host is infected with a bot.
Mind you, this is a “typical large enterprise,” which presumably would have a significant security budget, good perimeter protection, and security professionals on its IT staff. If you’re an SMB rather than a large enterprise, it doesn’t mean you’re off the hook, it just means that you may have a bit more time before the law of averages catches up with you. Or maybe not, because you probably don’t have the resources that a large enterprise has to put toward protecting your network.
Why does this happen? It’s not because your users are stupid, and (in most cases) it isn’t because they’re malicious. It’s because they’re not IT security professionals, and they’re busy trying to do whatever it is that you hired them to do. When a windows pops up with an “OK” button in it, many of them will reflexively click “OK” without realizing exactly what they just agreed to. (And it may have been permission to install malware on their system.) Busy people also often think nothing of opening a file attachment that arrives by email, not realizing that more than two-thirds of malware-infected files are either PDFs, archive files (e.g., ZIP, tar, RAR, CAB, etc.), or MS Office files (typically Word and Excel, sometimes PowerPoint as well). People who are enticed to visit a compromised Web site, and who are then prompted to install an updated video driver in order to view the Web site content, will often approve it without thinking that what they’re installing might not be a video driver at all.
It also happens because, in the continuing arms race between malware writers and security software vendors, the malware writers are getting better at evolving their malware to avoid detection by existing products – typically giving them a 2 to 3 day window of opportunity to exploit systems before the malware is detected, security definitions are updated, and security software is able to detect and block it. And with today’s do-it-yourself malware toolkits, you don’t have to be a sophisticated code jockey to generate a new malware variant. Modern security software typically includes algorithms that look for suspicious behavior in order to try to block unknown malware, but according to CheckPoint, less than 10% of antivirus engines were capable of detecting new malware variants when they were first caught in the wild.
So, in the words of the 1965 “Total” cereal commercial, “What’s a mother to do?”
First of all, you should have a written security policy, and make sure that all of your employees have a copy of it, and sign off on a statement that they have read it and understand it. That way you know that (at least once) they’ve had to give some thought to security and what they are expected to do (and not do). Also, if you ever have to take disciplinary action against an employee, you’ve protected yourself against the “Wait, I didn’t know I wasn’t supposed to…” argument. It could also help to demonstrate that you’ve taken “due diligence” in security matters if you’re ever embroiled in a security-related legal action. It isn’t that difficult to put together a security policy, and there are readily-available templates on the Internet that can be easily modified to adapt to most organizations’ needs.
Second, use a defense-in-depth strategy. A small or mid-sized organization may not be able to afford the sophisticated network intrusion detection/prevention systems that large enterprises deploy, but a good firewall appliance can provide a layer of virus filtering, outbound URL filtering, and intrusion prevention right at the network boundary. A third-party email filtering service such as Mimecast can provide yet another layer of malware filtering using multiple anti-virus engines, as well as outbound content filtering to help prevent “data leakage” from your organization. And, of course, it is still important to have anti-virus software on your servers and workstations.
Third, insure that you have a vulnerability management and patching process in place for applications (e.g., Office apps, Java, Adobe Flash, Acrobat, etc.) as well as server and workstation Operating Systems. If your business is very small, and you can’t afford to hire someone to manage this for you, make sure that systems and applications are set to update automatically. Yes, occasionally Microsoft has released a patch that has broken something. But your chances of getting bitten by something like that are smaller than your chances of falling victim to an exploit if your systems are several months out of date because you didn’t have time to test and apply all the patches as they were released.
Fourth, consider blocking high-risk applications. For example, WatchGuard’s Application Control functionality can give you granular control over social media applications, instant messaging applications, and file sharing applications (e.g., DropBox, P2P apps like BitTorrent, etc.). You can selectively allow, block, or restrict access based on a user’s department, job function, and time of day – and generate usage reports so you know what applications are being run on your network, and by whom. Other firewall appliance vendors have similar capabilities.
Fifth, ask yourself whether your users really need local admin rights to their workstations. Remember that if users have the rights to install software on their own PCs, and they inadvertently approve the installation of something that turns out to be malware, it will be too late at that point to stop it – the malware is going to be installed. There are some utilities out there that can help, like CryptoPrevent from the folks at Foolish IT, which I run on all of my personal systems, and which, among other things, can prevent disguised executables (e.g., mymalware.pdf.exe) from running, and prevent executables from running if they’re in folders that you wouldn’t normally expect executables to be in – but once you’ve given users local admin rights, it’s no longer possible to guarantee that they won’t shoot themselves in the foot.
Finally, talk to your employees regularly about security, so they understand the risks posed by certain applications – and understand why certain things are blocked or prohibited. Remind them about the things to look for that might tip them off that an email message may not be legitimate. Remind them not to open file attachments that they were not expecting to receive. A lot of security breaches are caused by simple human error – and people need to be reminded more than once, simply because they get busy and forget.
Here’s to a safe and prosperous 2015!