Selected Victims

By David F. Carr

Judging the threats posed to computer security, and how to combat them, has never been more complicated. What are the big threats, and what do you have to do to be prepared in 2006?

1 - Targeted Attacks

By definition, malicious software that's targeted at your organization, rather than the entire Internet, is not widely distributed. As a result, your antivirus and anti-spyware vendors may not be able to protect you against it because they haven't seen this specific attack elsewhere.

While computer security experts say incidents of this sort are often handled quietly, one that made the news in Israel occurred when telecommunications and media firms allegedly paid hackers to create customized Trojan horse software to spy on their competitors. Although arrests were made after the scheme was uncovered in May, this custom bit of spyware apparently went undetected at some of the targeted organizations for 12 to 18 months, according to Gartner's MacDonald.

Gartner says other, less publicized incidents include attacks on financial institutions and viruses written specifically to attack design software used in the aerospace industry.

The problem with combating such targeted attacks is that they can't be stopped by the traditional antivirus approach of identifying a "signature"—some recognizable feature of the malicious software, such as the file names or computer memory structures it employs—that is distributed to each user of the antivirus software. When the protective software recognizes that signature, it removes the offending program or, better yet, stops it from being installed in the first place. When malicious software is distributed widely, the antivirus vendors can find sample copies, which they use to identify signatures and develop antidotes. On the other hand, if a custom bit of malicious software is placed within one company only, it won't be spotted by signature-based antivirus or anti-spyware systems.

So, protecting your organization against such targeted attacks will require a more generic and adaptable approach to spotting suspicious activity on your network and each PC or server in your enterprise. "The signature-based approaches are still necessary, but not sufficient," MacDonald says.

The security software market has responded with various types of intrusion prevention products, which are less dependent on attack signatures because they work by blocking suspicious behavior, particularly if it seems to be directed against known network or system vulnerabilities—for example, detecting and shutting down external network connections that are probing for weaknesses in a Web server. Intrusion prevention vendors include Internet Security Systems and 3Com's TippingPoint division, as well as other security software vendors such as McAfee.
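The contrast the last few paragraphs draw, a signature that only exists once the vendor has a sample versus a rule that keys on what traffic does, is easy to see in a few lines of code. The following is an added example, not code from the article or from any of the vendors it names. The "signature database", the sample files and the web-server access log are all constructed for the demonstration, and whole-file hashes stand in for the richer signatures real products use.

```python
import hashlib
import re
from collections import defaultdict

# --- Signature-based detection (the traditional antivirus model) ---

# Constructed stand-ins for sample files the vendor has already collected
# from widespread outbreaks. Real products use richer signatures than a
# whole-file hash, but the limitation shown here is the same.
KNOWN_SAMPLES = [
    b"MZ\x90\x00 widespread mass-mailing worm (constructed)",
    b"MZ\x90\x00 adware toolbar installer (constructed)",
]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in KNOWN_SAMPLES}

def signature_match(sample: bytes) -> bool:
    """True if the file matches a signature the vendor has distributed."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB

# A custom tool planted in one company only: the vendor never received a
# copy, so no signature exists for it (constructed bytes).
TARGETED_SAMPLE = b"MZ\x90\x00 custom spyware built for one victim (constructed)"

# --- Behaviour-based detection (the intrusion-prevention model) ---

# Constructed web-server access log in Common Log Format. 203.0.113.9
# walks through paths that do not exist on this server; 198.51.100.7 is
# an ordinary visitor who follows one stale link.
ACCESS_LOG = """\
198.51.100.7 - - [13/Dec/2005:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [13/Dec/2005:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.9 - - [13/Dec/2005:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [13/Dec/2005:10:00:03 +0000] "GET /old-page.html HTTP/1.1" 404 210
203.0.113.9 - - [13/Dec/2005:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210
203.0.113.9 - - [13/Dec/2005:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.7 - - [13/Dec/2005:10:00:05 +0000] "GET /products.html HTTP/1.1" 200 8100
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_log(text: str):
    """Yield (client, path, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("client"), m.group("path"), int(m.group("status"))

def probing_clients(text: str, threshold: int = 3) -> dict:
    """Return {client: number of distinct missing paths} for every client
    that requested at least `threshold` distinct non-existent resources.

    No knowledge of a specific tool is needed; the rule keys on what the
    traffic does. `threshold` is the false-positive dial: set it too low
    and a visitor following a few stale links gets blocked, too high and a
    slow, patient probe slips through.
    """
    missing = defaultdict(set)
    for client, path, status in parse_log(text):
        if status == 404:
            missing[client].add(path)
    return {c: len(paths) for c, paths in missing.items() if len(paths) >= threshold}

if __name__ == "__main__":
    print("known worm matched:", signature_match(KNOWN_SAMPLES[0]))       # True
    print("targeted sample matched:", signature_match(TARGETED_SAMPLE))  # False
    print("clients probing for weaknesses:", probing_clients(ACCESS_LOG))
```

The signature check is exact and cheap, which is why it remains necessary, but it returns nothing for the sample the vendor has never seen. The behavioural rule catches the client scanning for weak spots regardless of which tool is behind it, at the price of a threshold that has to be tuned against legitimate traffic, which is the false-positive trade-off the article returns to below.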

The most mature products of this type are installed around the network perimeter like firewalls, scanning and blocking suspicious incoming traffic, or at the connections between local and wide area networks.

But as the ways for attacks to sneak around the network perimeter multiply, another form of intrusion prevention, known as host-based intrusion prevention, is becoming more important. In contrast with network-based intrusion prevention at the firewall or network switch, host-based intrusion prevention software is placed on individual computers.

So far, the best protection is available for servers. Because of the variety of software installed on desktop and laptop computers, separating legitimate from suspect activity in that environment is a tougher challenge for the intrusion prevention software vendors. MacDonald has identified nine competing strategies for host-based intrusion prevention, ranging from inspecting incoming packets of network traffic to bleeding-edge technologies for examining the behavior of software as it executes.

Some approaches to intrusion prevention depend on probabilistic analysis that can lead to false positives, meaning that the intrusion prevention software could stop legitimate software from running because it "looks suspicious." Other approaches, such as "hardening" the operating system by blocking access to all interfaces hackers might exploit, are practical for some single-function computers, such as airport kiosks, but not for the typical business laptop, MacDonald says.

Even with these challenges, Gartner is recommending that enterprises begin deploying host-based intrusion prevention where appropriate in 2006. Vendors offering products in this category include Symantec, McAfee, Panda Software, Internet Security Systems and Check Point.

Story Guide:
Beware 2006

  • Targeted Attacks
  • Shielding the Net
  • Fallback Plan Failures


This article was originally published on 2005-12-13.

David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.