Beware 2006: Exploits Increase, Impact Gets More Serious
By David F. Carr

Beware 2006: Exploits Increase, Impact Gets More Serious - ' Selected Victims '
( Page 2 of 4 )


1 - Targeted Attacks

By definition, malicious software that's targeted at your organization, rather than the entire Internet, is not widely distributed. As a result, your antivirus and anti-spyware vendors may not be able to protect you against it because they haven't seen this specific attack elsewhere.

While computer security experts say incidents of this sort are often handled quietly, one that made the news in Israel occurred when telecommunications and media firms allegedly paid hackers to create customized Trojan horse software to spy on their competitors. Although arrests were made after the scheme was uncovered in May, this custom bit of spyware apparently went undetected at some of the targeted organizations for 12 to 18 months, according to Gartner's MacDonald.

Gartner says other, less publicized incidents include attacks on financial institutions and viruses written specifically to attack design software used in the aerospace industry.


The problem with combating such targeted attacks is that they can't be stopped by the traditional antivirus approach of identifying a "signature"—some recognizable feature of the malicious software, such as the file names or computer memory structures it employs—that is distributed to each user of the antivirus software. When the protective software recognizes that signature, it removes the offending program or, better yet, stops it from being installed in the first place. When malicious software is distributed widely, the antivirus vendors can find sample copies, which they use to identify signatures and develop antidotes. On the other hand, if a custom bit of malicious software is placed within one company only, it won't be spotted by signature-based antivirus or anti-spyware systems.

So, protecting your organization against such targeted attacks will require a more generic and adaptable approach to spotting suspicious activity on your network and each PC or server in your enterprise. "The signature-based approaches are still necessary, but not sufficient," MacDonald says.

The security software market has responded with various types of intrusion prevention products, which are less dependent on attack signatures because they work by blocking suspicious behavior, particularly if it seems to be directed against known network or system vulnerabilities—for example, detecting and shutting down external network connections that are probing for weaknesses in a Web server. Intrusion prevention vendors include Internet Security Systems and 3Com's TippingPoint division, as well as other security software vendors such as McAfee.

The most mature products of this type are installed around the network perimeter like firewalls, scanning and blocking suspicious incoming traffic, or at the connections between local and wide area networks.

But as the ways for attacks to sneak around the network perimeter multiply, another form of intrusion prevention, known as host-based intrusion prevention, is becoming more important. In contrast with network-based intrusion prevention at the firewall or network switch, host-based intrusion prevention software is placed on individual computers.

So far, the best protection is available for servers. Because of the variety of software installed on desktop and laptop computers, separating legitimate from suspect activity in that environment is a tougher challenge for the intrusion prevention software vendors. MacDonald has identified nine competing strategies for host-based intrusion prevention, ranging from inspecting incoming packets of network traffic to bleeding-edge technologies for examining the behavior of software as it executes.

Some approaches to intrusion prevention depend on probabilistic analysis that can lead to false positives, meaning that the intrusion prevention software could stop legitimate software from running because it "looks suspicious." Other approaches, such as "hardening" the operating system by blocking access to all interfaces hackers might exploit, are practical for some single-function computers, such as airport kiosks, but not for the typical business laptop, MacDonald says.
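The signature gap and the false-positive trade-off described above can be seen side by side in a small added example (not from the article or any vendor's product). The sample byte strings, behaviour traces, weights and threshold are all constructed for illustration.

```python
import hashlib

# Constructed samples: inert byte strings plus made-up behaviour traces.
SAMPLES = {
    "mass_worm.exe": (b"MZ..WORM-PAYLOAD-V1..",
                      ["write_autorun", "mass_mail"]),
    "custom_trojan.exe": (b"MZ..one-off build for a single victim..",
                          ["hook_keyboard", "write_autorun", "connect_unlisted_host"]),
    "backup_agent.exe": (b"MZ..legitimate backup agent..",
                         ["read_many_documents", "write_autorun", "connect_unlisted_host"]),
    "editor.exe": (b"MZ..text editor..", ["read_document"]),
}

# The vendor has signatures only for the sample that circulated widely.
KNOWN_HASHES = {hashlib.sha256(SAMPLES["mass_worm.exe"][0]).hexdigest()}
KNOWN_PATTERNS = [b"WORM-PAYLOAD"]

# Hypothetical behaviour weights and blocking threshold for a host-based check.
WEIGHTS = {"hook_keyboard": 3, "mass_mail": 3, "write_autorun": 2,
           "connect_unlisted_host": 2, "read_many_documents": 2}
THRESHOLD = 5

def signature_hit(data: bytes) -> bool:
    """Match on a known file hash or a known byte pattern."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return True
    return any(pattern in data for pattern in KNOWN_PATTERNS)

def behaviour_score(actions) -> int:
    """Sum the weights of the distinct actions a process performed."""
    return sum(WEIGHTS.get(action, 0) for action in set(actions))

def assess(name: str) -> dict:
    data, actions = SAMPLES[name]
    return {"signature": signature_hit(data),
            "behaviour": behaviour_score(actions) >= THRESHOLD}

def report() -> dict:
    return {name: assess(name) for name in SAMPLES}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:18} signature={verdict['signature']!s:5} "
              f"behaviour={verdict['behaviour']}")
```

The custom build is invisible to the signature check but crosses the behaviour threshold, and so does the legitimate backup agent, which is the false positive an operator would have to tune out.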

Even with these challenges, Gartner is recommending that enterprises begin deploying host-based intrusion prevention where appropriate in 2006. Vendors offering products in this category include Symantec, McAfee, Panda Software, Internet Security Systems and Check Point.
