I was recently asked to identify the “twenty most dangerous pieces of software” to us as a company. My first thought was “WHY?”
What good does it do anyone to stop twenty pieces of dangerous software in a world full of thousands that are constantly changing and never stop moving?
That in itself identifies a key problem with some people’s perception of IT Security.
Many people compare the internet to the Wild West in terms of security. We have a posse consisting of anti-spyware, anti-virus and firewalls that are there to protect us. The problem with many of these tools is that they are mostly reactive, using historical data (signatures of what is already known to be bad) to protect us. We also have IPS tools that are more proactive and can block some attacks inline before they succeed, rather than cleaning up afterwards.
I am trying to dispel this mindset and replace it with a new one by bringing the threat into focus so that the bigger picture can be seen. A lot of security managers still think this way and want a Top 20, or seek 80/20 compliance, believing that is fine in today’s world. All this tells me is that they really don’t understand security and risk analysis.
Ten years ago an outbreak would infect thousands of computers, bring down the network and make headlines. The goal of the attacker was to get attention or to impress his girlfriend.
Today we have criminals and criminal organizations that are out to make a profit and don’t want to be seen or be detected.
The nature of the IT world we live in has changed, and the mindsets we have about security have to change to meet the environment that is thrust upon us.
This short article conveys a real-world view based on an analysis of what we currently see coming into 2008. It is based on actual data from our reporting tools and our databases of historical data for the last 60 days, a period in which we averaged 45,000 events per day.
The areas of risk include:
- Loss of Data
- Circumvented Physical Access
- Circumvented Electronic Access
- Exposure due to Illegal Activities
What follows is a classification list by type of software that should be considered High Risk to Very High Risk for any corporation or home user.
The examples used relate more to function than to specific software packages. The reason is that any internet search engine will turn up a dozen to hundreds of examples in each of these categories, many of which change, appear and retire almost daily. Getting specific would be an impossible task since there are thousands upon thousands of moving targets.
The list is ordered by the threats we encounter the most, with a few exceptions. Freeware is listed first because it is extremely prevalent in the wild. It is also, very often, benign or even beneficial to your company. What one has to keep in mind is the popularity of freeware and how much of it is compromised, altered or mimicked by people with malicious intent. It is not uncommon for legitimate freeware to be altered, or copied in name only, so that vandals and criminals can propagate their malware under the reputation and guise of legitimate freeware.
The rest of the list that follows freeware is very often a direct result of this altered or questionable freeware.
Next in the list is pirated or stolen software. Pirated software is in second place for the exact same reasons that freeware is at the top of the list: people are looking to get something for nothing. If we follow the rule “If it sounds too good to be true, it probably is,” we are right on track. Very often people think they are getting expensive software for free, when they are really getting a copy of Photoshop with a hidden payload buried inside a modified setup routine.
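The two checks a practitioner would want before letting a downloaded installer (freeware or otherwise) run are, first, whether its hash matches a value published by the vendor or recorded in an internal software catalogue, and second, whether bytes have been appended after the last PE section (the “overlay”), which is one common place a modified setup routine carries its hidden payload. The following is an added example written for this article, not code from the original post; the allowlist and the minimal PE image it checks are constructed inline so the script runs offline.

```python
import hashlib
import struct


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a file image, for comparison against a published hash."""
    return hashlib.sha256(data).hexdigest()


def pe_overlay_size(data: bytes) -> int:
    """Return how many bytes follow the last PE section (the overlay).

    Raises ValueError if the image does not carry DOS and PE signatures.
    Layout used: e_lfanew at 0x3C, 'PE\\0\\0', then the 20-byte COFF header
    (NumberOfSections at +2, SizeOfOptionalHeader at +16), then the section
    table whose 40-byte entries hold SizeOfRawData at +16 and PointerToRawData
    at +20.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end_of_image = sect_table + 40 * num_sections  # headers count too
    for i in range(num_sections):
        entry = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def verify_installer(data: bytes, allowlist) -> dict:
    """Hash allowlist decision plus overlay evidence for an installer image."""
    digest = sha256_of(data)
    result = {"sha256": digest, "known_good": digest in allowlist}
    try:
        result["overlay_bytes"] = pe_overlay_size(data)
    except ValueError as exc:
        result["overlay_bytes"] = None
        result["error"] = str(exc)
    # Unknown hash is quarantined regardless; overlay size is reported as
    # evidence for the analyst, not used alone (see caveat in the text).
    result["verdict"] = "allow" if result["known_good"] else "quarantine"
    return result


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE: one 0x200-byte section at file offset 0x200,
    optionally followed by appended bytes. The optional header is omitted
    (size 0) to keep the sample short; real files always carry one."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + section).ljust(0x200, b"\0")
    body = b"\xC3" * 0x200  # section content: 'ret' instructions
    return header + body + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    tampered = build_sample_pe(b"\x90" * 64 + b"PAYLOAD")
    allowlist = {sha256_of(clean)}  # hypothetical vendor-published hash
    print(verify_installer(clean, allowlist))
    print(verify_installer(tampered, allowlist))
```

Caveat: many legitimate installers (self-extracting archives in particular) deliberately keep their payload in the overlay, so a non-zero overlay is a reason to look closer, not proof of tampering. The hash match against a value obtained from the vendor’s own site, not from the download mirror, is the decisive check.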
Then we come to number three in the list, peer to peer. Peer to peer is a problem because it is one of the most common methods of distributing malicious software, disguised as or embedded in whatever files the user is seeking. Another thing to remember about peer to peer is that not all traffic and sharing happens over the internet or intranet; we must include portable media devices in this list. USB thumb drives definitely act as a form of peer-to-peer propagation, in exactly the same way we used to see viruses propagate on floppies via the old standard known as sneaker net. How many times have you been in a meeting or presentation where a vendor or service provider hands an employee a thumb drive to plug into a company laptop on the company network?
When you consider this exact scenario, what has just happened? Both your physical access controls and your electronic access controls have been breached, and the threat was escorted into your building and onto your network by your own employee, probably while walking right past your security personnel as well.
The rest of this list includes, more specifically, the types or categories of software that should not be allowed in your corporation or by a home user, or that should be limited to select groups for specific purposes as managed exceptions on a case-by-case basis. The vast majority of these are propagated by the first three categories in this list.
One more category deserves a little more mention because it involves a hybrid form of attack: religious or cultural materials. It combines a bit of social engineering with an electronic attack. It is not uncommon to find files of a malicious nature disguised as something legitimate that capitalizes on current events and people’s emotions. Unsuspecting users see a subject line in an e-mail or an IM message that causes them to click before they have a chance to think.
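On the Windows desktops of this period the way a thumb drive got its payload onto the host without anyone copying a file was an autorun.inf in the root of the device: Explorer read it on insertion and its open, shellexecute or shell\…\command directives named the program to launch. The following is an added example, not part of the original article, that parses an autorun.inf and flags the directives that launch code; the sample file, its folder names and the heuristics are constructed for the example.

```python
import re

# Constructed sample in the style found on infected removable media: the
# executable sits in a folder Explorer hides by default and the device is
# given the stock folder icon so that double-clicking the drive runs it.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "label=Vendor Demo\r\n"
    "open=RECYCLER\\S-1-5-21-1482476501\\setup.exe\r\n"
    "shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\setup.exe\r\n"
    "shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501\\setup.exe\r\n"
    "useautoplay=1\r\n"
)

# Constructed benign sample: a branded drive with its own icon and nothing to run.
BENIGN_AUTORUN = "[autorun]\nicon=vendor.ico\nlabel=Backup Drive\n"

# Directives that make Explorer launch something on insert or double-click.
LAUNCHER_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk")
HIDING_DIRS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun(text: str) -> dict:
    """Return {lower-cased key: value} for the [autorun] section only."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> list:
    """List (key, value, reason) for directives worth blocking or reviewing."""
    findings = []
    for key, value in parse_autorun(text).items():
        lowered = value.lower()
        if LAUNCHER_KEY.match(key):
            target = lowered.split()[0] if lowered else ""  # drop arguments
            if target.endswith(EXEC_EXT):
                findings.append((key, value, "launches an executable from the device"))
            if any(d in lowered for d in HIDING_DIRS):
                findings.append((key, value, "target lives in a folder Explorer hides"))
        elif key == "icon" and "shell32.dll" in lowered:
            # Heuristic: borrowing a system icon makes the drive look like a folder.
            findings.append((key, value, "system DLL icon disguises the device"))
    return findings


def is_suspicious(text: str) -> bool:
    return len(autorun_findings(text)) > 0


if __name__ == "__main__":
    for key, value, reason in autorun_findings(SAMPLE_AUTORUN):
        print(f"{key} = {value}  <- {reason}")
    print("benign sample suspicious:", is_suspicious(BENIGN_AUTORUN))
```

The parser is the detection half; the prevention half on Windows of that era is the NoDriveTypeAutoRun policy (a value of 0xFF disables autorun for every drive type), which removes the insert-and-run path entirely and leaves the drive as plain storage that still has to be scanned.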
Much of this data was compiled from the enterprise database of actual incidents within our own corporate environment. Since I cannot reveal internal company information, I cannot make my research data available.
The list that follows is compiled from an analysis of data in our database and based on actual incidents in my company.
The list is by category, with examples:
- Screen Savers
- Alternative Applications
- E-Cards or Greetings (Web, E-Mail & Executable)
- Pirated Software & Keygens
- Peer to Peer
  - Bit Torrents (a.k.a. Torrents)
  - Peer to Peer applications like BearShare
  - Portable Storage Devices (USB Thumb Drives)
- Key Loggers
- Non-Standard Applications / Devices
  - Telecom Applications
  - Phone Tools
  - Physical Access
  - Palm Pilots and PDAs
- Internet Browsers
  - Mozilla Firefox
  - Internet Explorer
- Video & Audio
  - MP3 Tools
  - Video Tools
  - Cloning Tools
- E-Mail Server & Client Applications
  - Web Mail Clients
  - Non-Standard E-Mail Servers
  - Non-Standard E-Mail Clients
- Portable Software *
- File Shares with Everyone Full Control
- Non-Standard VoIP Applications
- Hacking/Cracking Tools
  - People who are curious about such tools.
  - People who are intentionally using such tools.
  - Tools that are part of other software and execute without the user knowing.
- Sharing of valid work-related files that are infected or compromised.
  - Internally, from employee to employee.
  - Externally, between your company, customers and vendors.
- Legacy Devices / Drivers
  - Devices that are no longer supported can have drivers that create vulnerabilities that can be exploited, or trojanized copies of the drivers are made available from impersonated download locations.
- Religious / Cultural Materials
  - Some groups appear to be targeting particular cultural groups because of the current geopolitical climate around the world.
  - Many groups are being targeted based on race, religion or geographic location.
- Entertainment / Current Events
  - Britney Spears
  - War in Iraq
Whether you are a home user or an IT Professional this article and list are intended to help you raise your own awareness and the awareness of others. The Internet is no longer the Wild West. We are now in the mega metropolis stage where there are great places to go and fun things to do. You just have to remember that no matter how great a metropolis can be it will always have its seedier side and dangerous dark alley ways teeming with bad people wanting to do bad things.
Also always remember what my dad used to tell me: “If it’s too good to be true, it probably is.” Or as Ronald Reagan would have said, “Trust, but verify.”
* Portable Software is software that can be utilized via a portable device like a thumb drive or USB Hard Drive and does not have to be “installed” to be used on any computer.