ZDNet UK


'Blended' attacks pose serious security threat

Wayne Rash, CNet

Published: 29 Apr 2002 10:32 BST


Though the term is new, "blended" security threats aren't. These types of threats target several areas of network vulnerability simultaneously. What is new and unique, however, is what the malicious code within them is doing.

In a blended threat, malicious code can take many forms and can attack your enterprise in a number of different ways. It can also do more than one kind of damage while it's in your system.

You might, for example, find a piece of malicious code that can attack your company's computers through email attachments, infected Web sites, or even through direct attacks on your routers and servers. Once inside your firewall, these threats can spread through everything from shared disks to internal Web servers. And they can spread to the rest of the world through email and file transfers, for example.

Vendors say the blended threat problem is just getting rolling. Symantec's Carey Nachenberg says he expects to see malicious code that can morph itself each time it replicates, making some antivirus software useless. He sees greater threats on the horizon. Key to preventing tomorrow's blended threats are such items as layer 7 firewalls, which examine the contents of packets as they pass through. He also thinks companies need vulnerability management software, intrusion detection, and something new called behaviour blocking.

Behaviour blocking software is still in its infancy. In general, the software looks for certain operations that are carried out by inappropriate applications. For example, the software might alert the security staff if there's an application detected that's erasing or changing other applications or trying to use the Internet in conjunction with such activities.

According to Nachenberg, behaviour blocking software runs on a separate server, with drivers on each computer. The drivers watch for suspicious behaviour by software installed on the computer, and alert the server if they spot something. What might constitute suspicious behaviour? Perhaps an application that accesses the Internet, deletes or changes files, or creates new applications. But for behaviour blocking to be useful, of course, you already need to be infected.
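As an added illustration (not from the article or any vendor's product), the sketch below shows the kind of rule a behaviour-blocking server could apply to events reported by per-host drivers: it flags a process that changes, deletes or creates program files, and raises the severity when the same process also uses the network. The event format, process names, file extensions and allowlist are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample events, as a per-host driver might report them to the
# central server: (process, action, target). All names are hypothetical.
EVENTS = [
    ("winword.exe", "write", r"C:\Users\amy\report.doc"),
    ("setup.exe", "write", r"C:\Program Files\App\app.exe"),
    ("attach.scr", "write", r"C:\Windows\notepad.exe"),
    ("attach.scr", "connect", "203.0.113.7:25"),
    ("attach.scr", "create", r"C:\Windows\Temp\svc.exe"),
    ("browser.exe", "connect", "198.51.100.4:80"),
    ("cleanup.exe", "delete", r"C:\Program Files\Old\old.dll"),
]

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")
TRUSTED_INSTALLERS = {"setup.exe"}  # assumed allowlist of "appropriate" applications


def classify(action, target):
    """Map a raw event to one of the behaviours the article lists, or None."""
    is_program = target.lower().endswith(EXECUTABLE_EXT)
    if action in ("write", "delete") and is_program:
        return "modifies_programs"
    if action == "create" and is_program:
        return "creates_programs"
    if action == "connect":
        return "uses_network"
    return None


def evaluate(events, trusted=TRUSTED_INSTALLERS):
    """Return {process: severity} for processes showing suspicious behaviour."""
    seen = defaultdict(set)
    for process, action, target in events:
        behaviour = classify(action, target)
        if behaviour and process not in trusted:
            seen[process].add(behaviour)
    alerts = {}
    for process, behaviours in seen.items():
        tampering = behaviours & {"modifies_programs", "creates_programs"}
        if tampering and "uses_network" in behaviours:
            alerts[process] = "high"    # tampering in conjunction with Internet use
        elif tampering:
            alerts[process] = "medium"  # tampering alone still goes to security staff
    return alerts


if __name__ == "__main__":
    for process, severity in evaluate(EVENTS).items():
        print(f"ALERT {severity}: {process}")
```

Every alert here fires only after the process has already acted on the host, which is the limitation noted above: the rule detects an infection in progress rather than preventing it.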

The tools to fight blended threats already exist. The first line of defence is applications that reside on your servers and look for malicious code. A good example of this is Mail Security from GFI. Likewise, it's important to make sure you have adequate firewalls, and that you keep them and all your security software up to date. And, of course, you need to keep your operating systems and Internet server software patched and updated.

Don't forget about the single most important tool of all: training. Teaching your staff not to open attachments, not to download things from Web sites unrelated to your specific business activities, and not to bring software from home is critical to keeping your enterprise secure. Unfortunately, training takes time and costs money, and that means it's usually the first thing axed by the accountants.

Most companies don't have to worry about terrorists as much as they have to worry about random strikes by self-propagating malicious code, hackers, and disgruntled employees. That means that you have to take precautions against blended threats, or malicious code, now. If you don't, the next round of email and Web-propagated worms will surely find your servers. And you know what your life will be like if that happens.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.

