
SC. The problem is indeed growing more threatening and harder to remove. Any summary dealing with this subject has to touch on what’s happening behind the scenes and the motivation for this increase. We’ve gone from the early days of malware writers – where we saw people predominantly acting alone or in short-lived gangs – to an age where the majority of malware writers are much better organized and better connected. Once upon a time, the majority of virus writers were ‘hacktivists’. There have always been ‘professional’ hackers and virus writers, but the majority were amateurs or were ephemeral in their careers. That’s not the case anymore. In fact, there are now careers, livelihoods and millions of dollars behind the efforts of malware writers.
Spyware is manufactured by companies, and the hacktivists have grown up – now they can hack-to-work. Spyware companies have venture capital, business plans, business partners, lobbyists, lawyers, developers, QA and more. They produce volumes of malware more quickly than old-style virus writers used to, because now the equation is simple – capture more PCs, keep more resources, sell more ill-gotten gains, and make more money.
This means that the mutation rate is higher, and the ‘keep more’ part of the equation means that every trick possible will be used to disguise, cover and not destroy target PCs. That’s why it is more threatening and harder to remove and why it will continue to get worse; the money isn’t going away.
This move towards fiscally-motivated hacking is occurring primarily because we have crossed a critical mass threshold, where we as a society now have better and quicker access to more online than ever before. This means the cost and risk are low and the payoff is high as we become ever more connected and ever more invested in the internet.
CXO. How is current computer security coping, or not coping, with this?
SC. By-and-large, the technology is there and has been for a while. Companies like CA are making mature solutions available to the market, but the threat at the moment is still growing faster than awareness or responses in general. Unfortunately, most people think this is a passing fad, a subset of viruses, something that will go away, an anomaly or something that can be stopped with a firewall or antivirus tool. Right now we need to make sure that people know the truths – they are aware of the real threat and the limitations of that threat – and that they make an informed, weighted decision to decide when and how to deploy a solution.
CXO. Do you think organisations are becoming more conscious or more savvy of the potential security threats, or is there still a long way to go?
SC. Organisations are becoming more conscious, but not necessarily more savvy with respect to Spyware. The consciousness may be increasing, but that too is not at a sufficiently accelerated rate. Basically, awareness and wisdom have to grow much faster, and public initiatives and standards have to be accelerated because at the moment the ‘bad guys’ are booming and continuing to grow and prosper.
CXO. The National Cyber Security Alliance estimates 80 percent of home PCs are infected with Spyware. For those unfamiliar with this, how does this happen without the user’s knowledge?
SC. Some Spyware infections happen as a result of transparent drive-bys, silently in the background, although these are rarer with the advent of XP SP2; and some are the payload for spam messages, viruses and worms. However, the vast majority are installed due to intentionally vague, open-ended, socially-engineered end-user license agreements (EULA). There are problems when a EULA has dozens or hundreds of ‘page downs’ (which can’t be printed or saved); when they reserve the right to later install, update or modify without involving the user; and when they piggyback their installation on freeware (e.g. Kazaa).
AOL/NCSA had an online safety survey in October 2004 in which they cited that 80 percent of PCs on the internet were infected with Spyware, that 91 percent of users were aware of Spyware and that 95 percent of infected users did not give permission for the Spyware on their systems to be installed. When taken in combination, these statistics are telling.
CXO. So how can IT managers better protect their networks today? What advice can they give to staff so that they change their online behavior and minimize their vulnerability?
SC. The most effective approach is twofold: deploy a tool and sponsor education. The latter could be combined with other education modules on physical security, in HR or on ethics and espionage, all of which are quite common in the corporate world. When choosing a tool, they should look for scalability, inclusion/exclusion listing, reporting, network impact and the general feature set that an enterprise tool will have to facilitate management, measurement and reinforcing people and processes.
CXO. How important do you think regulatory enforcement will be in driving the development or implementation of secure software?
SC. Regulatory enforcement will be very important in driving the development and implementation of security software and of secure software. Not only is the world becoming a more challenging place, it is also becoming a place that requires better information, business metrics and understanding. Controls need to be in place, logging must be ubiquitous, and correlation and reporting are vital.
Secure software (as opposed to security software) must become the watchword of the day. Unfortunately, this is an expensive proposition for smaller vendors and ironically can lead to slower development times, allowing the ‘bad guys’ in malware to have faster development cycles. However, better practices, certifications, surveys, penetration testing, faster patches, intrusion prevention and generally better feedback control loops will enable secure software to become a reality on a far wider scale and will be vital for enterprises to succeed.
The question is whether it will be legislation or industry self-regulation that will be the key driver here. On the one hand, the need for accountability and better corporate governance is one factor behind increasing legal regulations; on the other hand, customer demand and market realities are forcing industry self-regulation. Regardless of which one wins, one of them will come to fruition first and that’s all it will take to push this into overdrive.
CXO. What developments are going on in this field of security today – what are you most excited about?
SC. I am most excited about some of the projects in advanced correlation, anomaly detection and context analysis that are helping out in research, in coordination of resources, prioritization of issues and finding the security ‘needle in the haystack’.
CXO. What future developments are there likely to be in the industry?
SC. I suspect that the industry in general will begin to converge, much like heading upstream in a great river delta. First we’ll see convergence of products around ‘threat management,’ and then we’ll see other product areas and industries converge with security into one big IT river, feeding life to the whole organisation.
Ultimately, the game is about management and transparency. Security has to be part of the fabric of all we do, and it can’t get in the way of business. When you look at user requirements asking for less wastage of CPU cycles, less obtrusiveness in business processes, more customization, closer integration with business processes or one solution for all these trends, the future has to meet these demands. It really is only a question of time.