Malicious code that comes with release notes?

New security report shows that’s how sophisticated cybercriminals have become

I was astonished when Mike Dausin of security provider HP TippingPoint briefed me on a new state of network security report and explained how much more sophisticated writers of malicious code had become. Their code is much cleaner than it was in years past, and some recently updated versions of this code have actually come with release notes.

“When you think about code having release notes, that implies a level of maturity that just wasn’t there before,” said Dausin, manager of advanced security intelligence for TippingPoint, whose DVLabs unit conducts research into network vulnerabilities and helped produce “The Top Cyber Security Risks Report,” which was published today.

Distributing malicious code with release notes is like a maker of burglar tools distributing a brochure about how to use a new pry bar to break into a house. It’s a particularly brazen move and underscores the point that the bad guys are getting much better at their jobs.

The 43-page report identifies four major areas of concern for network administrators and makes five recommendations of what enterprises should do to improve their game to match the improvements in the bad guys’ game. In my interview with Dausin and another contributor to the report, we also discussed Microsoft’s role in being a target but also a contributor to a solution to the problem.

Writers of malicious code have gradually tried over the last 10 years to improve their code to make it work and be passed off as legitimate, but that’s really only moved it from being “kind of strange-looking to looking really, really strange-looking,” Dausin said. “But what we found [now] was that the level of sophistication of these attacks as well as the level of maturity of the attacks has grown dramatically in just the last year or so.”

And the attack targets have changed as the use of computer networks has changed. Increasingly, executable code is finding its way into networks through the Web browser, because that’s how more applications are being delivered, such as with software-as-a-service offerings. While the report recommends that companies pay closer attention to the security of Web apps and encourage Web app developers to design in security, it also makes a bold suggestion: Enterprises should adopt a “smartphone-like model,” such as that of Apple’s iPhone, in which only certified apps are allowed to run on the network and arbitrary executable code is not allowed at all.

“PCs can download and execute arbitrary executables and we really feel that the smartphone way of doing things is controlling the ways that you can install and run executables on the phone,” said Dausin. “We really feel that PCs will move in that direction, certainly in the enterprise.”

In some ways they already do, he acknowledged, with configuration and access management controls that determine what software runs on the network and who can use it.

Another problem area is third-party software that isn’t as quickly patched as operating system software, said Wolfgang Kandek, CTO of Qualys, which monitors computer networks for security risks, and which also contributed to the report.

Microsoft has gotten better at identifying and fixing vulnerabilities in its Windows operating systems, and its customers have gotten better at applying those patches, Kandek said. But they are less diligent about patching third-party software. According to Qualys, while Windows patches were applied to 50 percent of affected machines within 15 days, it took an average of 60 days before patches for Adobe Reader software were applied to half the machines. “This is an average, some companies may be more diligent, but others may never look at it,” he said.

The report also raises concerns about the “consumerization” of technology in the enterprise such as the use of sites such as Facebook, Twitter or iTunes by employees. Like other Web-based apps, they can be an entry point for malicious code, the report says. TippingPoint’s Dausin admits that’s a risk versus reward choice as companies find sites such as Facebook and Twitter useful for marketing, but attackers are trying to leverage those sites for nefarious purposes.

Qualys’s Kandek understands the risk but his company uses Twitter and doesn’t see the wisdom of blocking it. “All the interesting vulnerability reports come out on Twitter nowadays. I can’t imagine a company that can function without that,” he said.

Update: Unfortunately, logistical problems prevented me from getting to the IE 9 beta launch event in San Francisco yesterday but I see a number of my colleagues covered it. Interestingly, some of them noted IE 9’s new security features such as an upgraded SmartScreen Filter that adds a “download reputation” feature to prevent users from unsuspectingly downloading malicious files.

Copyright © 2010 IDG Communications, Inc.