Saturday, October 21, 2017

Tag: malware

Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Malicious software was called a computer virus before the term malware was coined in 1990 by Yisrael Radai. The first category of malware propagation concerns parasitic software fragments that attach themselves to some existing executable content. The fragment may be machine code that infects some existing application, utility, or system program, or even the code used to boot a computer system. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency.

Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, as for example Regin, or it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker). ‘Malware’ is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. As of 2011 the majority of active malware threats were worms or trojans rather than viruses.

Working independently, IT security companies Symantec and Kaspersky find evidence of two professional hacking groups conducting espionage on-demand.

Two separate espionage groups are making highly targeted attacks on the networks of government agencies and private corporations in search of military, political and industrial secrets, according to independent research efforts by Kaspersky Lab and Symantec. One group, in operation since 2011, has compromised hundreds of computer systems at companies and government agencies in Japan, South Korea and Taiwan, as well as systems in Europe and the United States, according to an analysis by security firm Kaspersky Lab published last week. Dubbed Icefog, the group of digital spies is responsible for twin digital attacks on the Japanese House of Representatives and the House of Councillors in 2011. It has also targeted shipbuilding companies, defense contractors, media firms and telecom operators, Kaspersky stated in its analysis.

While other groups have tried to maintain their presence in a compromised network for as long as possible, the Icefog group has adopted "hit and run" tactics of hacking in, stealing data and then quickly cleaning up, Kaspersky's global research and analysis team (GReAT) stated in a blog post summarizing the research. "Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision," the Kaspersky team said. Espionage groups, frequently referred to as advanced persistent threats (APTs), are evolving.

The hit-and-run strategy employed by Icefog is just one path such groups have taken to more effectively compromise their targets and steal data. Symantec has studied another group, dubbed "Hidden Lynx," that appears to contract spies, stealing information based on its clients' needs. Both groups show that the attackers' techniques continue to mature as they apply various network infiltration tactics, including focusing on their targets' suppliers as a means to compromise targeted systems. For example, the Hidden Lynx group attempted to compromise defense contractors, but when it was blocked by software produced by security firm Bit9, the spies broke into that company's network and grabbed the digital equivalent of a skeleton key. "They reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose," a Symantec analysis of Hidden Lynx concluded.

The Icefog group focuses on a short list of documents, stealing business secrets and company plans, credentials for email accounts and passwords for access to both internal and external company resources. "The Icefog attackers appear to know exactly what they need from the victims," the Kaspersky analyst team stated. "Once the information is obtained, the victim is abandoned." While the exact number of victims is unknown, dozens of Windows machines and more than 350 Mac OS X systems have been compromised by the Icefog malware, perhaps the first time a group has focused so heavily on Mac systems. Kaspersky suspects that there may even be an Icefog tool for infecting Android systems. The group has created at least six different variants of the malware to allow it to use different command-and-control mechanisms.

The group and its malware will continue to evolve, and more will likely follow, the Kaspersky analysts said. "In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations," the company stated.
As the Middle East country beefs up its cyberforces, Mojtaba Ahmadi, the head of its Cyber War Headquarters, is said to be found with two bullet wounds near his heart.

October 2, 2013 5:31 PM PDT

This graphic shows the number of malware infectio...
The (ISC)2 Security Congress 2013 in Chicago focused on the challenges facing information security practitioners – but what are they and what are the solutions?

Apart from the increasingly sophisticated nature of attacks, information security professionals often find themselves fighting a culture of disbelief in the businesses they support. Many businesses still do not believe they will be targeted by cyber attacks, typically arguing they have no data worth stealing. Consequently, the business is unwilling to invest in basic security management and control systems, and assumes the IT department will take care of any security issues that may arise.

In a typical anonymised case study, presented by Ernst & Young, responders to an incident at a large research firm were told there was no information security officer and no security operations centre (SOC). There was poor identity and access management, no network segmentation and no network situational awareness in the form of intrusion prevention or detection systems. Business units were encouraged to be self-supporting in IT and IT policies were outdated. Consequently, the firm was unaware that a breach had taken place until notified by a third party.

Ernst & Young investigators found different variants of custom malware, making them invisible to any signature-based anti-virus or other security systems. The investigators found attackers had gained access to the company’s network by targeting just 19 users connected to the database with a highly-customised and plausible phishing email. The email appeared to come from someone inside the database group and directed recipients to a plausible work-related intranet page. However, clicking on the link launched a set of tools for the attackers.

Lessons to be learned

This case study contains several lessons.
- It is important for the business to understand the nature of the threat against the business and the impact of a breach on production, finances, intellectual property and reputation.
- Organisations need to be able to continually monitor their networks and have the ability to detect and mitigate intrusions as quickly as possible.
- Security policies and procedures need to be updated regularly and enforced to help information security keep pace with the constantly evolving threat landscape.
- Malware is increasingly customised and targeted. This means organisations need to be prepared for unknown attacks. But that does not mean all other attacks go away. Basic IT security remains vital.
- Human beings are often the weakest link. Consequently, an extremely high proportion of attacks involve a social engineering element. Security awareness training is therefore indispensable.
- Attackers may be using customised attacks, but operating methods typically remain the same. Through intelligence sharing, businesses can continually update their defence strategies.

Many in the security industry believe that, as attackers become organised into structures using teams with separated duties – all dedicated to bypassing defences of specifically targeted organisations – information security professionals need to change tactics too. While the idea of offensive security – where traditional defenders strike back – is gaining popularity in some quarters, others in the profession are cautioning against going to the extreme.

Retaliatory cyber attacks are not a good idea, an international panel told attendees of a joint session of the ASIS International and (ISC)2 2013 annual congresses in Chicago. Although security practitioners’ ability to trace the source of cyber attacks is improving, they said it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks. But even where attribution is possible, retaliation is not good because it typically leads to an escalation of attacks and an increase in complexity, said Scott Borg, chief of the US Cyber Consequences Unit. Tony Vargas, a member of the (ISC)2 application security advisory board, said offensive security is challenging and mistakes could even cost lives in some situations.

Security by design

Instead, he advocates several legal “offensive” security strategies that enable organisations to be proactive about security through security awareness and secure product development. “Awareness works, and is where security should start.

If we could fix the problem with technology alone, we would be there by now,” said Vargas, a technical leader and security strategist at Cisco Systems. He believes most people in an organisation want to “do the right thing” so, instead of beating them with a stick, they should be made part of the solution.

Vargas said information security professionals need to understand the business and help ensure executives and all other users are aware of the general and specific threats to their organisation. “Find out what communication channels they are using, then spread the security message using those channels, whether it is video, Twitter, LinkedIn or instant messaging,” he said. Information security practitioners, he said, must also keep abreast of what is going on in the security industry, and forge partnerships and relationships to help drive the industry forward.

An important element of that, he said, is creating software, products and services that are secure by design through implementing secure development lifecycle programmes. “Security needs to be part of every development stage, including initial requirements,” he said. “And any insights from testing, deployment and security incidents must be fed in for continual improvement.” Vargas predicts there will be a “huge market for application security professionals” in coming years, as governments and large enterprises increasingly mandate inherently secure products and services. “Considering the present and likely future security skills gap, we need to ensure that the security work is done upfront and not left to the deployment phase; there are not enough people for that,” he said.

Procurement

Vargas believes information security professionals must work with the business to ensure security is part of the procurement processes. “Business must create demand for security features in products and refuse to buy anything that does not meet their security requirements,” he said.
Vargas said it is not only important for information security professionals to work with their peers across industry, they also need to work across the whole business to move things forward.

Attendees of the (ISC)2 Congress heard that another key strategy in the face of increasingly sophisticated threats and a shortage of people with the necessary cyber defence skills is prioritising information assets. “Knowing the 'who, what and how' will enable organisations to develop a more focused security strategy and stronger defence posture,” said Adam Meyers, director of intelligence at security firm CrowdStrike. “Organisations can’t defend against everything, but if you know who is likely to attack, what they are likely to target, and the methods they are likely to use, it makes defence much easier.” Borg said that the paradox is that, by taking a broader view and making the effort to analyse attackers and their methods, organisations can narrow down what they need to defend using a risk-based approach.

RAT user "cutefuzzypuppy" wasn't all that cute.    
The IT world is seemingly under constant attack from all corners of the globe, at all times. Reports out in recent weeks provide fresh fuel for the analysis of IT security and what is under attack.

Among the major trends is the fact that mobile malware...
Manipulation of international financial markets will be the next evolution of cyber crime, according to Scott Borg, chief of the US Cyber Consequences Unit. There is a limit to the amount of money criminals can make through theft and credit card fraud, he told a joint session of the ASIS International and (ISC)2 annual congresses in Chicago. “But there is no limit to the money that can be made by manipulating financial markets,” he said, speaking at an international policy roundtable on cyber security. By taking a position in the market and then conducting a cyber attack to discredit a company, criminals can make an almost infinite amount of money, said Borg. “Even if the beneficiaries are identified, they can always say they took the position based on a rumour in the market,” he said. Borg, who predicted in 2002 the shift from mass disruption cyber attacks to professional, organised cyber crime, said the next shift to financial markets will transform the field of cyber security.

Christopher Ling, executive vice-president of Booz Allen Hamilton, said that allied to this, the world is facing a potential loss in confidence in the integrity of information systems. Crawford Samuel, project leader at the International Cyber Security Protection Alliance, said one of the biggest challenges in the next few years will be managing personal information online. “If not managed correctly, personal information online will not only open people up to personal attack, but they will become vectors for attack on the organisations they work for,” he said.

Adam Meyers, director of intelligence at security firm CrowdStrike, said proliferation of cyber attack capability is another likely future challenge. “We are seeing the emergence of easy-to-use, build-it-yourself malware kits, and it is only a matter of time before emerging countries follow the cyber espionage example of larger powers,” he said.
The enormous challenge, he said, will be trying to figure out what to focus on when faced by multiple state actors looking to leapfrog ahead by stealing intellectual property.

Dave Tyson, senior director, global information security at SC Johnson & Son, said information security practitioners will need to move from efficiency to effectiveness. “It will no longer be just about efficiency and cost,” he said. Tyson also predicts that as private sector threat intelligence improves, businesses will be guided by who is attacking them when deciding on how to invest in cyber defences.

Hord Tipton, executive director of (ISC)2, said the underlying challenge to meet all these challenges will be finding enough people with the relevant skills. In addition to creating more opportunities for people to acquire these skills and join the cyber security profession, international and cross-industry collaboration will be vital to cyber defence in future.

It’s hard enough securing a high-powered internet-connected workstation from all the threats it may face. But what about mobile devices, which are typically less powerful yet just as connected? Indeed, what about mobile devices that do not even belong to the organisation, but individual staff, under bring your own device (BYOD) policies? “One of the challenges of mobile security is that the device landscape is changing so quickly and the range of devices is constantly changing,” says Jason Brown, enterprise solutions architect at McAfee. The range of potential threats is far reaching. First, there is the huge range of apps that can be downloaded.

While PCs in the enterprise were (eventually) locked down to prevent users from loading any applications they wanted, mobile devices have yet to be subject to the same treatment. As a result, mobile has become the primary target of malware writers. In 2010 McAfee picked up just a handful of samples of mobile malware. But by the beginning of 2013, it had counted more than 35,000 samples – 95 per cent of which had appeared during 2012, overwhelmingly targeting Android. That would not matter so much if mobile devices had not become the lynchpin of personally and professionally valuable data – devices used to access corporate systems, to transfer files between PCs, and as communications hubs containing valuable contact details.

Testing times

Perhaps most ominous of all though, warns Brown, is that even some apps that have been approved by Apple, Google, or any other platform controller may contain questionable features. “McAfee conducted a test across the app world. We were not looking at the way it was created or what it does, we were looking at what it was ‘talking’ to. Of the 100,000 apps that we were looking at in this test, about four per cent were connecting to untrusted locations,” says Brown. Even popular apps can exhibit worrying traits.

For example, Angry Birds sends data such as the last number dialled on the device back to its maker, Rovio.

For an organisation, this is an unforgivable security flaw. Other apps demand far-ranging permissions before users can run them. “The problem is that it’s not the permissions individually that causes the problem, it’s the combination of permissions,” says Brown. “It’s ‘what can it do if it combines those permissions?’”

There’s a number of different ways of delivering security to mobile devices, Brown continues. However, endpoint security cannot be deployed on Apple’s iOS operating system – the company does not allow it in its app store. While the company’s tight control of its own platform and the apps that can be run on it keeps it relatively secure, if sufficiently serious flaws are found – some 200 vulnerabilities were found in iOS 6 – it can become a wide open target. That is why iOS exploits carry such a high price tag on the black market.

Android, though, remains the most vulnerable mobile platform, crackable as easily as the user simply clicking on a URL they may have received in an email. Or, malware can find its way onto devices via “trojanised apps”, which look and work like legitimate apps, but which have been adapted to contain malicious features. While security software is available for Android devices, it can slow them down and the risk is that users will remove it rather than persevere with it.

Enterprise-wide, if an organisation wants to secure its mobile devices, it does not need new infrastructure. “A mobile device is just another endpoint device. You shouldn’t need to do anything special just because it’s a mobile device,” says Brown. “Our strategy focuses on three areas: the device itself, protecting the data that is held on the device and, finally, protecting the device from the apps,” he continues. A large part of this is enforced via the corporate security policy.
Protecting the device means enforcing policies in the configurations that the device supports: if it supports encryption, that should be switched on; and, if it has a passcode facility, that should be switched on too. URL filtering should also be mandatory. Where things get trickier is in such abilities as remote lock and wipe, especially if the devices don’t belong to the company. Brown recommends “containerising” corporate data on the device so that it can be treated differently from personal data and apps. “If you do need to wipe a device, it’s not going to wipe everything off,” he says. The value of such a policy will become clear when someone leaves an organisation, potentially taking corporate data on their devices with them.

The security software should also be able to analyse and report on devices that are not compliant with the organisation’s security policies. @GraemeBurton
Malware writers have worked out ways of hiding trojan horses in places where virus checkers can't look, according to one security researcher. Patrick Stewin has demonstrated a detector which can be built to find sophisticated malware that runs on dedicated devices and attacks direct memory access (DMA). This will mean that it will finally tell us how effective crackers have been at getting malware into graphics and network cards.

The code has managed to find attacks launched by the malware, dubbed DAGGER, which targeted host runtime memory using DMA provided to hardware devices. DAGGER attacked 32bit and 64bit Windows and Linux systems and could bypass memory address randomisation. It has now been developed to a point where the host cannot detect its presence, Stewin said. Stewin said that DMA attacks could be launched from peripherals and are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.

Stewin's research was to develop a reliable detector for DMA malware and he thinks he has managed to do it. According to SC magazine, the code used a runtime monitor dubbed BARM. BARM modelled expected memory bus activity and compared it to the measured activity. Stewin said the detector would not significantly drain computer power. His code will be shown off in a research paper with the catchy title "A Primitive for Revealing Stealthy Peripheral-based Attacks on the Computing Platform's Main Memory", which will be presented at the 16th International Symposium on Research in Attacks, Intrusions and Defences in October in Saint Lucia.
Icefog gang surgically strikes high-value targets then vanishes.    
A high proportion of cyber attacks are enabled by extremely customised and plausible phishing attacks, says Rohyt Belani, CEO of phishing awareness training firm PhishMe. According to security firm Mandiant, 99% of the security breaches it investigated in 2012 started with a targeted spear-phishing attack. Research has revealed this includes attacks against Scada control systems at top energy firms, Belani told attendees of the (ISC)2 Security Congress 2013 in Chicago. Most Scada systems are not exposed to the internet, which means attackers need to break in and find a way to move internally to get to the Scada systems, he said. The easiest way to break in is to use a phishing email to trick an employee within the target organisation to click on a link that downloads malware onto the organisation’s network, said Belani.

In one case study, attackers profiled an energy company employee who worked the 11pm to 7am shift monitoring Scada systems. Using social media and other publicly available information, the attackers were able to determine that the target employee was married with four children. The attackers fired a single phishing email that appeared to come from the energy company’s HR department offering a discount health insurance plan for families with three or more children. The employee did not recognise the email was a phishing attack and clicked the link to download the application form, unwittingly downloading attack malware. “It is important for companies to understand how well attackers do their homework to make sure phishing attacks are extremely credible,” said Belani.

PhishMe has found that on average 58% of employees will fall for a simulated phishing attack and click on a potentially dangerous link. But 18 months on, after several more simulated phishing emails sent as part of a PhishMe training programme, that figure typically drops to just 8%, said Belani.
Most companies have a 3%-4% churn in staff, he said, so there will always be people who are not phishing-aware, but that is a much more manageable risk compared with 58%. “By building user profiles, companies can fine-tune their training and instead of worrying about all employees all the time, they can concentrate on those who present the greatest risk,” said Belani. But, he said, as resilience and awareness increase, so does the number of suspected phishing incidents reported to security teams, which can be overwhelming.

To avoid this problem, PhishMe has developed an Outlook email plugin that enables employees to tag suspicious emails and push them through at the click of a button to an automated process. According to Belani, one company that has implemented this was able to identify three attempted phishing attacks out of 700 employee reports over just 15 days without impacting the security team. Since launch two months ago, around 26 PhishMe customers have implemented the email plugin, including two energy companies, said Belani. “Energy companies have a large number of non-IT savvy users, which makes it more challenging to get them to participate, but it is happening,” he said. “Users can be more resilient and they can become more active participants in the security of any organisation.”

Collaboration is the key to successful information security. For example, UK national threat intelligence became much richer when it was expanded to include other government departments, according to former MI5 chief Eliza Manningham-Buller. “It is important not to say: this is exclusively our job,” but instead tap into the skills and resources required to do the job through strategic partnerships, she said. Manningham-Buller was talking to cyber security professionals at supplier Trend Micro’s 25th anniversary Directions customer event in London last week.

Trend Micro itself has developed several strategic cross-industry partnerships with technology firms like VMware, Virtual Computing Environment (VCE) and Amazon Web Services (AWS). But there is no “silver bullet” - security is about forming strategic partnerships with those in the security community that can offer the technical controls that map to business needs, said JD Sherry, vice-president technology and solutions at the supplier. Trend Micro not only aims at providing key pieces of the security puzzle, but has invested heavily in cloud-based threat intelligence to help organisations identify the elements they need to put together.

Being swamped with threat information is a common problem faced by national intelligence agencies like MI5, said Manningham-Buller. The challenge, she said, is prioritising that information and deciding what to turn into action that can result in better protection.

Targeted attacks

Cyber threat intelligence services are designed to help organisations identify the threats that are most relevant to them and know if any particular attack is generic or targeted specifically at them. The switch from generic to individually crafted attacks aimed at specific companies is one of several new trends facing IT security teams, said Rik Ferguson, vice-president of security research at Trend Micro.
In contrast to the familiar high-volume opportunistic attacks that rely on poor security patching, targeted attacks typically use highly crafted social engineering techniques against key individuals to get past firewalls. Social media, especially LinkedIn, enables attackers to craft very credible phishing emails to trick key individuals into downloading malware that enables attackers to bypass controls and access networks. Such attackers can lurk for weeks, months and even years on networks undetected, in part due to what Ferguson terms “myopic” security, where individual security products all indicate nothing is wrong. “Focusing on particular things in isolation means organisations can’t see the forest [of threat] because they are too focused on individual trees,” he said. Only by enabling a macro view that includes context and security analytics capability, he said, can a chain of seemingly benign events become more meaningful and potentially expose malicious activity.

Context-aware security

“Context is king in security right now.

For example, someone accessing a computer in a server room would not raise an alert, but if that person was identified as a cleaner, it would,” said Ferguson. Security strategies need to incorporate new approaches such as context awareness to cope with new challenges presented by emerging technologies. Chief among these challenging trends are consumerisation, cloud and commercialised cyber threats on an industrialised scale that are becoming increasingly sophisticated and targeted.

“Consumerisation is everywhere; it is a transformation happening to every organisation,” said Andrew Rose, principal analyst at Forrester Research. Research shows that around 38% of information workers are using smartphones for work, half are using laptops and 17% are using tablets. “Of the laptop users, half are owned by the employees themselves, while of the tablet users, 70% are employee owned,” said Rose. “People prefer to use their own kit because it is familiar, faster and better than company kit and it enables them to work in increasingly flexible and innovative ways." However, this trend has tremendous implications for corporate data security because the company no longer has control over data being replicated on multiple devices that are employee owned.

The risks are enormous, said Rose, with at least 700,000 known threats against Google’s Android platform, which is the most popular mobile operating system. But Trend Micro says given the recent rapid increases including malicious apps, the total number of threats is closer to 820,000. Hackers are also not the only ones stealing data, he said. Many Android apps are coded with permissions that enable developers to tap into a wide variety of data sources.
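Ferguson's server-room example above can be turned into a concrete detection rule: a login is judged against who the user is and where the host sits, not on its own, and a chain of individually benign events (an unexpected login followed by a read of critical data) is escalated. This is an added illustration, not code from Trend Micro or the article; the directory, host inventory and log lines are constructed sample data.

```python
"""Context-aware alerting: enrich login events with identity and location context.

Added example (not Trend Micro's or the article's code). The directory, host
inventory, expected-role table and log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed identity directory: who the user is, not merely that they authenticated.
DIRECTORY = {
    "jsmith": {"role": "sysadmin", "department": "IT"},
    "acleaner": {"role": "cleaner", "department": "Facilities"},
    "mjones": {"role": "analyst", "department": "Finance"},
}

# Constructed host inventory: where each host lives and how sensitive its data is.
HOSTS = {
    "db-prod-01": {"location": "server room", "data_class": "critical"},
    "fin-ws-12": {"location": "finance floor", "data_class": "internal"},
}

# Roles expected to log in to hosts at each location (constructed policy).
EXPECTED_ROLES = {
    "server room": {"sysadmin", "dba"},
    "finance floor": {"analyst", "sysadmin"},
}

# Constructed key=value log lines; each is unremarkable when viewed in isolation.
SAMPLE_LOG = """\
2013-10-08T02:14:03 host=db-prod-01 event=login user=acleaner src=10.1.4.22 result=success
2013-10-08T02:15:40 host=db-prod-01 event=file_read user=acleaner path=/srv/exports/customers.csv
2013-10-08T09:02:11 host=fin-ws-12 event=login user=mjones src=10.1.9.5 result=success
2013-10-08T11:47:52 host=db-prod-01 event=login user=jsmith src=10.1.2.7 result=success
"""


def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def enrich(event):
    """Attach role/department of the user and location/data class of the host."""
    ident = DIRECTORY.get(event.get("user"), {"role": "unknown", "department": "unknown"})
    host = HOSTS.get(event.get("host"), {"location": "unknown", "data_class": "unknown"})
    return {**event, **ident, **host}


def evaluate(events):
    """Apply two context rules and return a list of alert dicts.

    Rule 1: a successful login by a role not expected at the host's location.
    Rule 2: that same login followed by a read of critical data on the host,
            i.e. a chain of benign-looking events that only matters with context.
    """
    alerts = []
    by_user_host = defaultdict(list)
    for ev in map(enrich, events):
        by_user_host[(ev.get("user"), ev.get("host"))].append(ev)

    for (user, host), evs in by_user_host.items():
        evs.sort(key=lambda e: e["ts"])
        login = next((e for e in evs if e.get("event") == "login"
                      and e.get("result") == "success"), None)
        if login is None:
            continue
        if login["role"] in EXPECTED_ROLES.get(login["location"], set()):
            continue  # a sysadmin in the server room is expected: no alert
        base = {"user": user, "host": host, "role": login["role"],
                "location": login["location"]}
        alerts.append({**base, "severity": "medium",
                       "rule": "unexpected_role_for_location"})
        critical_reads = [e for e in evs if e.get("event") == "file_read"
                          and e["ts"] > login["ts"] and e["data_class"] == "critical"]
        if critical_reads:
            alerts.append({**base, "severity": "high",
                           "rule": "unexpected_role_then_critical_read",
                           "paths": [e.get("path") for e in critical_reads]})
    return alerts


def alerts_for(log_text):
    """Run the rules over raw log text; returns the alert list."""
    return evaluate(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert["severity"], alert["rule"], alert["user"], "on", alert["host"])
```

On the sample data the sysadmin's and the analyst's logins produce nothing, while the cleaner's login to the server-room host raises a medium alert that the subsequent read of the critical export upgrades to high.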

This includes data about calls, contacts and geographical location. “Data is leaking away from consumers and corporations,” said Rose.

Cloud security

Cloud computing continues to gain momentum as companies increasingly chase after the cost and efficiency benefits.

At the same time, security concerns are decreasing. Research shows a 22% decrease in concern about security in the cloud in the past year. Yet security and privacy issues remain, said Rose, such as those raised by the revelations about the US Prism internet surveillance programme, which Forrester estimates could cost the US cloud computing industry between $135bn and $180bn in lost sales.

Other issues include the fact that information about security provisions is often vague and it is unclear whether cloud service providers can guarantee virtual boundaries between data in multi-tenant virtual environments. It is also often difficult to ascertain whether reallocated disk space is wiped properly, that penetration testing is thorough, and that entire servers will not be seized by US law enforcement because of wrongdoing by a single customer of a cloud service. This lack of clarity is particularly worrying in light of the fact that, according to the latest Verizon data breach report, 65% of data breaches are directly related to cyber crime and 19% are linked to state-sponsored activities, said Rose.

While the volume and sophistication of cyber attacks is increasing, Forrester research also shows that stealing data remains relatively easy. A study shows that only 1% of data breaches represent a high level of difficulty, 22% represent a moderate level of difficulty, but in 67% of cases there is only a low level of difficulty. “In the majority of cases, it is trivial for cyber attackers to get in,” said Rose. Organisations need to improve their ability to detect and deal with intrusions quickly as many intrusions are discovered weeks and even months later, and often by third parties, he said.

According to Trend Micro, there are on average 1.8 successful attacks a week on large organisations. Attacks tend to take place far faster than organisations are able to respond, said James Nunn-Price, partner and UK cyber and public sector security lead at Deloitte. “Getting in is quick, but responses tend to be slow,” he said. Phishing is another area that needs attention, said Rose.

According to the Verizon study, phishing is the first stage in 95% of so-called advanced persistent attacks, and other research shows around 35% of phishing emails are successful, rising to as high as 90% where messages are targeted at specific individuals.

Identify data assets

In the face of the security risk presented by the emerging trends of cloud, consumerisation and industrialised cyber threats, Forrester recommends that organisations identify their most crucial data assets and concentrate cyber defence efforts around them. Rose, a chief information security officer (CISO) for 10 years, said this could dramatically simplify the task and be tremendously empowering for a CISO, as Forrester research indicates that critical data assets usually represent only around 1% of all corporate data. “Yet few organisations are able to do this because they are still not classifying their data,” he said. Poor application patch management is another common area of failing, said Rose. “Simply by keeping security patches for all software up to date, organisations can eliminate a lot of risk,” he said. Above all, said Rose, organisations should prepare for failure by focusing on the capacity to respond to and mitigate cyber attacks that typically exploit the weakest point to get in and then move laterally to get to critical data. There has to be a change in security thinking, said Raimund Genes, global chief technology officer for Trend Micro. “If someone wants to get in, they will,” he said. While organisations still need traditional security defences, Genes said these technologies will not help against determined attackers who target specific firms through key individuals. “Organisations need to switch to an inside-out approach to security and seek to protect data where it is.

They also need to move beyond simple sandbox technologies that will cause smart malware to hide and implement smarter sandboxes, and processes that enable them to make sense of what the sandboxes trap,” he said. Overall, Genes said organisations must have a way of dealing with all sources of security intelligence to be able “to put the pieces of the puzzle together”. Consumerisation, cloud computing and virtualisation, and cyber threats are the key parts of the puzzle Trend Micro is focusing on to enable what the company terms a “smart” protection strategy based on the correlation of various sources of threat intelligence. Trend's Sherry said: “Smart protection should be layered, interconnected, real time, and transparent to the user; it should be simple, centralised and automated.”

This was first published in September 2013.
A new command-and-control Trojan for OS X appears to be associated with the Syrian Electronic Army. September 22, 2013 11:19 PM PDT Security company Intego recently found a new malware package for OS X, called OSX/Leverage.A, which appears to be...