MilSec worm headaches prove the case for automated pen testing technology

News that new versions of an old worm – Agent.btz – which attacked the US military back in 2008 are still appearing, and causing problems for today’s Milsec professionals, reinforces an organisation’s need to boost the efficiency of IT security defences.

With many tens of thousands of new malware and attack variants arriving daily in cyberspace, it is natural that the focus of IT security defence strategies will be on the latest attack methodologies.

Many IT security technology users assume – incorrectly as it turns out – that the older attack vectors used by malware, phishing attacks and other electronic nasties, are all countered by today’s IPS, IDS, UTM or firewall systems, but the reality is that old attack vectors can be modified and re-used by cybercriminals.

The real hackers are possibly creating very few new attacks and, if they do, security devices will not detect them if they don’t know what they are looking for. The constantly quoted ‘thousands of new attacks each day’ has to be read with scepticism.

More accurately, the statement should be that the many variants of existing attacks number in the thousands. Script kiddies thrive on them; there are tools out there to help them; not so much skill is needed. These variants test the ability of the security rules (Signatures) to recognise the vulnerability being exploited, and the audit and pen testing tool to provide samples (Traffic) that truly test the capability of the rule.

As this revealing Reuters report notes, these revitalised darkware elements can then try to slide in under a firm’s IT security defences, which makes it imperative that a company’s ITsec platforms are operating at peak efficiency.

The reality with IT security defences – no matter what strategy they employ – is that there are only so many processor cycles to go around.

Put simply, this means that an IT security platform needs to be regularly tuned and refined over time, in order to balance the areas of defence it needs to focus on.

And the more efficient the security platform is, the more cycles there are to cope with less popular attack vectors, such as reworked and re-energised malware, as exemplified by the Agent.btz worm which is now causing headaches for President Obama’s military IT specialists.

The story here is that old worms and viruses can never be ignored. They may appear to offer a lesser risk profile than today’s headline attack code, but the reality is that they will pose a risk – and a risk that needs to be countered.

Modern IT security is all about balancing risk with the costs of provisioning security. In an ideal world, an IT manager would deploy as varied a selection of security defences as is required to 100 per cent defend against all attack methodologies.

In the real world, however, this isn’t going to happen, so it makes sense to optimise an organisation’s existing ITsec defences, and the way to do this is to use automated auditing and pen testing systems.

Security devices vary between manufacturers, as do their default configurations and the needs of each individual set-up. The only way to enhance security is to audit and test regularly, in a real-world live environment. In my mind the issue is simple: no matter what other testing you do, the only true test is ‘Does the malicious traffic pass through my device and do I want it to?’

If it does get through and you don’t want it to, then you have to either configure the device correctly or add the security rule to stop it. A proper and regular audit, fix and retest cycle will save most companies millions of dollars in expenditure on new devices that could just repeat the same poor job, just faster.

Probably the most reputable testing house in the USA, Nsslabs.com, issues group test reports each year, around October. The last two reports have highlighted two major failings with many IPS/IDS providers. The first is the apparent inability to identify malicious traffic that has had even the most basic evasion techniques applied, and the other is the ‘habit’ of dropping older signatures in favour of newer signatures to maintain speed of throughput.

Hackers know this; that’s why old attacks are either revived or simply altered (evasion applied) to get through current defences. The report says that some very well known (expensive) devices are as good as useless due to this omission. The reports are very extensive and recommended reading for serious IT security professionals.

It’s a shame that the US military has been publicly exposed as having such major problems from avoidable threats. Maybe they will notice that Traffic IQ is on the list of approved products and consider it as a useful part of their defence mechanism and not just throw millions of dollars at the problem.

In the real world, IT professionals do not have the budget that their US MilSec peers do. And for them, automated auditing and pen testing technology is the optimum way forward.

Ray Bryant is CEO of Idappcom. Ray started working life in a firm of London chartered accountants and qualified as a Chartered Company Secretary in 1979. His career in IT started in the very early days at Control Data Corporation.