Reports that the personal details of around 210,000 unemployed people in the state of Massachusetts have been stolen because of a Qakbot worm infection show that multi-layered security – harnessing the power of enhanced firewalls and intrusion technologies – is now needed.
The Executive Office of Labor and Workforce Development reportedly spotted the worm on its systems several weeks ago and took what it thought was remedial action.
Now almost four weeks later, the agency has realised the worm has reappeared on its systems, and the data – which includes a variety of sensitive personal information on newly-unemployed people – has clearly been put at risk for that period.
What’s interesting – and quite sad from a security perspective – is that the state agency clearly had the technology to detect the presence of the worm on its systems, and its IT staff took action to remove the malware from their computers.
Unfortunately, as happens so often with the latest iterations of malware like Qakbot – which at its height last summer was stealing 2GB of confidential data a week – the worm came back with a vengeance, and the IT security people were unable to spot this.
This illustrates the need for multiple layers of protection in an era when cybercriminals are getting extraordinarily clever at evolving existing malware, as well as developing new and multi-vectored threats.
And whilst the reasons for the re-infection will no doubt be reported once the agency has completed its investigation, the takeaway from this is that the increasing complexity of threats is a rising problem – as are the cunning delivery methods used by cybercriminals.
Social networking may be the latest buzzword, but good old-fashioned back doors are still an easy entry point for many hackers to deliver immediately actionable threats and 'sleepers' – or, perhaps worse, both at the same time.
This is the most likely problem in this case: a threat that may have been deliberately left open to detection while at the same time delivering sleepers in several places, perhaps in the registry or using an 'update' to Internet Explorer that is loaded with malware.
These old tricks are still very relevant. The methods used to counter these attacks centre around effective procedures, excellent housekeeping and the training of staff, along with desktop protection and ensuring that devices are patched and not infected.
But there really is no substitute for ensuring that your gateway to the outside world is protected by firewalls and intrusion prevention technology. Taking the security device out of the box, plugging it in and forgetting it is simply not adequate.
Constant configuration, auditing and testing of defences – and updating with security signatures that look for vulnerabilities – is now an essential part of the IT security process.
Organisations also need to have solid contingency plans in place to deal effectively with an infection in the event it does happen.
Contrary to what many people think, this isn’t rocket science. The technology to better defend corporate servers – as well as small business computers – exists today. What is needed is a good security planning and review process, as well as contingency plans to prepare for when the worst happens.
Good management of an organisation invariably revolves around effective management of all aspects of the business. IT security is no different, so organisations need to move on from the set-it-and-forget-it approach to the IT security of yesteryear.
IT security managers need to move on up to the latest technology and planning processes. IT vendors don't develop upgrades and updates for the fun of it. IT managers need to realise this simple fact.