RSS Archive Contact Us Advertise

IT Management Begins With Security
SecurityProNews > News > Security News > Regulatory Compliance & The Real Risk Of Undetected Malware
Search:
[ news_security_news ]

Regulatory Compliance & The Real Risk Of Undetected Malware



Ryan Sherstobitoff
Contributing Writer
2008-06-23

SecurityProNews: News RSS Feed Security News RSS Feed


With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions.

These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.

These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.

For example it mandates in the Sarbanes-Oxley act section 404 that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.

Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit untimely drives the definition of what would be considered "adequate" controls.

However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising. This was exemplified in the highly publicized Monster.com attack. According to an article in CIO Magazine, a Trojan stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service.

Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that exposed 45.7 million credit card numbers, according to details in a filing with the Securities and Exchange Commission last year. The breach eventually cost the retailer millions of dollars in both hard costs incurred and stock value reduction.

These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? This certainly appears to be the case as more and more targeted attacks are involving malware of some shape or form. Take for example the recent incident with popular supermarket chain Hannaford. Why did the internal controls established according to company policy fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?

These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part do with the dramatic increase in information exposure in 2007.

According to the PandaLabs 2007 Annual Report, a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.

Furthermore, if we put this into perspective we are more at risk then we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.

In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.

Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.

The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What's alarming is the rate at which malware is developed and released to infect victims on a daily basis. In a 2007 report published by Panda Research, entitled "From Traditional Antivirus to Collective Intelligence," PandaLabs saw over 4000 new strains per day last year.

This is mainly due to the overwhelming inability for security vendors to respond to an ever increasing rate of new malware strains, thus, the anti-virus industry is not really protecting their customers. Signatures are generated on the basis of what the vendor considers a threat and thereby traditional AV products may not reflect actual reality. As a result, we are witnessing a literal denial of service against vendor resources.

Therefore, a large number of malware currently circulates the Internet undetected, thus, resulting in a large number of companies infected despite having up-to-date security solutions.

The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, thus, putting the corporation at risk of violating regulatory standards which could untimely lead to serious consequences if sensitive information is leaked.

For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a) (4) that pertains to protecting health information: "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) (4) [Information Access Management]"
A False Sense of Security - Audit and Assessment Standards

When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:
- Are passwords difficult to break?

- Are computers up-to-date with the latest security patches?

- Do any vulnerabilities exist in the operating system or applications installed?

- Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?

- Have unnecessary services or applications been removed from computers that could potentially expose the resource?

- Are computers regularly scanned for malware?
The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc). Therefore the current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or an untimely penetration test will tell the auditor of potential avenues for attack. But, the number one question to ask is: are assets already compromised with undetected malware?

There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization's overall risk, however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form. Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is "targeted" in nature, and with a limited number of hosts designated to be infected.

There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.

Proactive defenses such as Host Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent (source: "From Traditional Antivirus to Collective Intelligence," Panda Research, 2007). With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis hundreds or even thousands of threats over time can be missed.

Public companies that must adhere to regulatory laws, must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.

Summary

Regulatory compliance is an interesting but challenging topic that every public corporation, no matter what size or shape, is untimely affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active unnoticed infection points.


About the Author:
Ryan Sherstobitoff is chief corporate evangelist of Panda Security. Sherstobitoff oversees and manages the strategic response to new and emerging virus attacks.

Sherstobitoff’s extensive experience includes work designing and managing network infrastructures, as well as mobilizing and managing security technologies throughout widely dispersed large-scale networks. Sherstobitoff has worked on a variety of security technologies in a myriad of platforms and environments, including financial, industrial, and service infrastructures.

Prior to joining Panda Security, Sherstobitoff worked as a consultant for GE and Crystal Decisions (Business Objects).

Sherstobitoff earned a professional designation in Information Systems from Okanagan University in British Columbia. He holds industry certifications in Microsoft MCSE, Microsoft MCSA, A+, Cisco CCNA and Comptia A+ Certified.

More news_security_news Articles

SecurityProNews: News RSS Feed Security News RSS Feed

Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Contact Us | Advertise | Newsletter Archive | Sitemap | Submit an Article | News Feeds
SecurityProNews is an iEntry, Inc.® publication - 1998-2009 All Rights Reserved | Privacy Policy and Legal		 Join the WebProWorld Forums: Click Here
Virus Warnings

Subscribe to
SecurityProNews FREE!


[ more newsletters ]

Featured On:
article resources
Search Articles:
[advanced search]

WebProWorld.com
Get in-touch with industry experts and leaders
Post your site for review by expert and peers
Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com

Titan Quest Forum
The #1 Titan Quest forum
Halo 3 Forum
The best Halo, Halo 2, Halo 3 forum
Nintendo Wii
Nintendo Wii news and views
Mac Software
The best in OS X freeware
Graphics Forum
Your source for graphic tutorials
SecurityProNews.com | Breaking eBusiness News Get Your IT Questions Answered - Click Here SecurityProNews News Feeds