How to use Internet security threat reports

By Eric Ogren
10 Nov 2009 | SearchSecurity.IN



The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads.

There's no shortage of security threat reports from vendors in the antimalware business highlighting that boom. The latest, published by McAfee Inc. and Symantec Corp.'s MessageLabs, as well as Microsoft's Security Intelligence Report, shed light on malicious activity. But while each of these reports summarizes observed attack activity -- profiles of the types of attacks and geographic profiles -- in my opinion, only Microsoft provides meaningful strategies, mitigations and countermeasures for IT on protecting computing resources.

If security products worked well, we wouldn't need these reports; however, they provide interesting analysis even if they are not always actionable. For instance, we are conditioned to believe parts of Asia and Eastern Europe are relatively lawless when it comes to cybersecurity, but McAfee's research reminds us that the United States hosts 45% of the world's Web servers with malicious reputations and 46% of the world's discovered phishing sites, so there is Web security work remaining. Also interesting: Symantec illustrates how dynamic attack processes are by reporting that one-third of the websites it blocks are less than a month old, and Microsoft reports that the Windows Vista SP1 infection rate is 62% less than that of Windows XP SP3, which may be a reflection of Microsoft's SDLC program effectiveness.

Security professionals should read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage. The reports' findings only represent what the vendor is looking for along with a natural bias towards the vendor's business. Security pros can do better by examining multiple vendor threat reports to get a more complete picture and map the threat classes to the business. For instance, a workforce using Windows isolated at home requires different security mechanisms than a workforce using shared devices on an office LAN.

The reports can be used for your user education series. Symantec reminds us that spam and phishing attacks increase with special events, such as Halloween, Christmas, tax filing and celebrity health issues. Pull timely examples and statistics from the threat reports in a continuous series to educate users on how to recognize human-engineered cybersecurity threats. Technology cannot catch all attacks, but an alert user can help thwart a user-facing attack that breaks through security filters.

IT can also use the reports to substantiate budget requests for malware protection, vulnerability management and virtualization projects. The threat reports are designed to create demand for vendor offerings for an increasingly dangerous Internet. For example, Microsoft reports that application-level attacks against Microsoft Office leverage vulnerabilities that could have been patched over 3 years ago. IT can use this information to highlight the need for application-level patching and vulnerability management, to negotiate for help from service providers for home computers, or to work with a cross-functional team to evaluate IT-controlled virtual desktops.

While there's been no shortage of Web-based threats since the Melissa virus a decade ago, let's hope that at some point, the vendor-sponsored threat reports will show classes of attacks subsiding, because security software has done the job it was hired to do. At a minimum, more vendors need to include recommendations on protective actions while the security industry concocts an antidote. For now, every major vendor is producing a threat report that can best be used to evaluate IT security policies and educate the company.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
