“How secure is our network from unauthorized access?”
If you are an information security or risk management professional, you have undoubtedly become accustomed to having this question asked of you, likely with increased frequency. Those posing this question, whether a senior manager or an individual serving on your board of directors, are acutely aware of the dramatic increase in cyber attacks and the consequences associated with the unauthorized access of customer information, proprietary corporate data or intellectual property. Given your respective role, it is, therefore, logical that individuals turn to you for reassurance that the organization’s confidential information is adequately protected from the rapidly evolving array of external threats.
The next time that you are asked this question, I urge you to reflect on this article. Before you launch into your practiced response of describing the myriad technical controls you have deployed to secure your network perimeter, a best-in-class firewall, robust anti-virus software and a data loss prevention solution, it is advisable to remember this indisputable fact: customized malware has rendered these technologies increasingly ineffective. If you are performing an information security or risk role, you must recognize that a new generation of prolific hackers are routinely deploying customized malware to successfully penetrate the networks of sophisticated, multinational corporations. Therefore, the traditional approach of combating this threat through a technology centric strategy is obsolete.
Organizations that fail to acknowledge this dynamic, and adjust their approach accordingly, will remain at the imminent risk of a data breach and be exposed to the consequences that accompany these events. This article will discuss and define the evolving threat posed by customized malware and provide a multifaceted approach to mitigate this risk.
Customized malware is malicious software that has been modified, reengineered or altered to evade the detection capabilities of traditional security technologies. Customized malware may be presented as any of the commonly known forms of malicious software, including viruses, worms, Trojan horses, rootkits and ransomware. The most common customized malware delivery method is inbound email, normally by a phishing or spear phishing attack. Given that anti-virus products provide “signature-based detection,” only malware variants whose algorithms have been previously identified are prevented from compromising the intended victim. Whenever a new malware variant is identified, a “patch” that addresses this specific threat is created, distributed and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed immediately upon receiving the update from their anti-virus provider. Unfortunately, the period that elapses between identification, analysis and distribution of a security patch is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.
Although this form of undetectable threat has been active for several years, the widely publicized attack on Target provided the public with unprecedented clarity regarding how customized malware is used. In the Target breach, the malware that was installed within the company’s network permitted a group of hackers, to perform extensive system reconnaissance and, ultimately, the theft of more than 40 million credit and debit card numbers. In addition to the cardholder data, 70 million customer email addresses, home addresses and telephone numbers were stolen. Finally, in mid-December 2013, an external party informed Target management that the retailer had been hacked and the attack eventually was disrupted.
Upon analysis of the malware used against the retailer, it was determined that this variant had a zero percent anti-virus detection rate. Simply put, this form or malware was undetectable.
Although I use the Target breach to demonstrate the characteristics, capabilities and availability of customized malware, similar attacks are commonplace throughout all sectors and industries. If your executive management team was aware that your current security approach would, at best, prevent only one in 20 attempts to penetrate your network, I suspect that you would be reevaluating your system defense strategy.
The persistent and evasive nature of customized malware requires the implementation of a multi-layered approach to data protection and network security. Given the irrefutable evidence that anti-virus products have become increasingly ineffective in preventing this form of malware from compromising global networks, enterprises can no longer rely solely on security technologies. An approach that combines employee education, threat containment and network monitoring will reduce the risk of a customized malware penetration.
I’ll be discussing this issue, including the mitigation strategy we use with our clients, during the session I am presenting at CSX 2015 in Washington DC, 19-21 October titled, “Customized Malware—Address This Threat.” I hope to see you there.
John Moynihan, CGEIT, CRISC
President and Founder of Minuteman Governance
[ISACA Now Blog]