Enterprise IT systems widely compromised

Businesses too complacent with software security education - Bola Rotibi, (ISC)2 board member


Research released today claims to show that corporate IT systems may be riddled with security problems - and on a scale that suggests security defences are far less effective than many IT professionals think.

The report - which drew on monitoring data from security systems in more than 10,000 organisations worldwide - found that bot infections hit businesses 20 times an hour, whilst six times an hour a known malware variant is downloaded to company IT resources. On top of this, every 24 hours company networks are infected with a new strain of bot.

Delving into the analysis reveals that 58 percent of organisations experienced users downloading malware every two hours or less - compared with just 14 percent back in 2012, the last time the research was compiled. Researchers also found that the malware code is encrypted by cybercriminals in order to avoid detection.

Darrell Burkey, director of IPS products with Check Point, the sponsor of the report, said that crypters - aka packers - are the easiest way of evading malware detection, and also the cheapest.

"They take a working EXE file and change its appearance. Since most, if not all, AV engines use binary-based signatures, the result is that the newly created file is not identified," he said, adding that mitigating the risk of unknown malware requires the use of two main strategies, including using emulation or sandboxing technologies to emulate execution in a safe environment and monitor file behaviour to detect any bypass techniques, and/or a good post-infection technology that can detect bot infections and bot activity.
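To illustrate Burkey's point from a defender's side, the following added example (not from the report or from Check Point) shows why a byte-signature check misses a repacked file and how a Shannon-entropy heuristic, a common triage signal for packed or encrypted content, still flags it. Both byte blobs are constructed stand-ins: the "packed" one is a deterministic SHA-256 chain used only to imitate the high-entropy output of a packer.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for an unpacked executable: header padding, readable
# strings and a recognisable callback string that a signature could match.
UNPACKED = (
    b"MZ" + b"\x00" * 14
    + b"This program cannot be run in DOS mode" + b"\x00" * 64
    + b"GET /beacon HTTP/1.1\r\nHost: example.invalid\r\n" * 4
)

def constructed_packed_blob(n: int = 1024) -> bytes:
    """Deterministic high-entropy bytes imitating packer output (constructed, not malware)."""
    out, h = b"", hashlib.sha256(b"constructed-seed").digest()
    while len(out) < n:
        out += h
        h = hashlib.sha256(h).digest()
    return out[:n]

PACKED = constructed_packed_blob()

# A binary-based signature of the kind Burkey describes: it only matches the
# original bytes, so any transformation of the file defeats it.
SIGNATURE = b"GET /beacon HTTP/1.1"

def signature_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    return sig in data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for uniform content up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    # Heuristic only: compressed or encrypted legitimate data is also high-entropy,
    # so a hit means "send to sandbox/emulation", not "malicious".
    return shannon_entropy(data) >= threshold

def triage(data: bytes) -> dict:
    """Static triage verdict; high-entropy unknowns are routed to behavioural analysis."""
    sig, ent = signature_match(data), shannon_entropy(data)
    verdict = "known-signature" if sig else ("sandbox" if ent >= 7.0 else "low-risk")
    return {"signature_hit": sig, "entropy": round(ent, 2), "verdict": verdict}
```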

The end result of all this darkware code is, of course, system compromises and data breaches, a situation that Burkey says needs to be addressed by more than security standards such as PCI DSS.

"Whilst standards like PCI provide essential guidance, they must be complemented with a comprehensive, multi-layered security infrastructure dynamically updated with the most current threat indicators and protections - and that system must be monitored by experienced security staff. But, the continued increase in data breaches is a direct result of increased population, organisation and tools and weapons of attackers," he explained.

Commenting on the research, Bola Rotibi, a member of the (ISC)2 Application Security Advisory Board and a research director with Creative Intellect, said that, with the analysis taking in results from 10,000-plus organisations, the level of application vulnerability demonstrates that businesses are still too complacent with their software security education.

"The report, like so many of the other high profile security vulnerability reports available in the market, depicts important stats such as malware trends and discovery times, and the evolving threat landscape. Businesses and nations continue to lose vast amounts of money and IP at the hands of sophisticated hackers, but also through their own failures to address the issues correctly," she said.

"Application vulnerability is a multi-faceted challenge that requires a multifaceted approach. We may not see an end to all breaches, but surely the starting point to closing the door must be greater education and awareness followed by the resolve and business backing to do something about it," she added.

Tom Cross, director of security research with Lancope, agreed, saying that once sophisticated malware samples get a foothold on your network, you have got to do more than detect them - you have to piece together what they have been doing on your network in order to understand whether the infection was benign or malignant.

"Some threat actors have a long term interest in stealing data from your organisation, and will pivot from an initial infection point to compromise multiple machines in your network with different malware samples that have different characteristics. This means that, even if you clean up one sample family, there are others that the attacker can use to maintain control of your network," he explained.

Tim Erlin, director of product management with Tripwire, meanwhile, said this analysis proves that new threats are developing while the old threats remain.

"The data on the use of risky applications in the enterprise should be a call to action for organisations to take a critical look at their attack surface. Effectively managing risk requires effective inventory of the applications in your environment," he said.

"You cannot protect what you don't know about. Unfortunately, the users who install these applications are often unaware of the risk they facilitate, even after an incident has occurred," he added.