Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, April 30, 2012

Conficker Malware Remains A Threat

Information Week published an article this week on why the Conficker malware won't die.  It has been more than three years since Conficker was first discovered, yet Information Week reports that Conficker launched 59 million attacks in the fourth quarter of 2011 against 1.7 million PCs.  That is an impressive number for malware that should have been eradicated long ago.

The article on Information Week caught my eye because I recently attended a talk where Conficker was discussed, not in terms of the malware itself but in terms of how it was detected.  The talk was actually about APTs (Advanced Persistent Threats) and how to keep an organization protected from them.  Because an APT can enter from anywhere and target almost anyone in the organization, it is hard for any single security control to detect the threat at the moment it happens.  So how does one protect against an APT?  The answer, of course, is multi-layered defense.  An organization needs to defend not only the web gateway/proxy, but also the router, the workstation, and the other devices on the network.

That leads to the next question: how do you detect an APT while it is happening?  This is where Conficker comes in.  The example given in the talk was an IT administrator who knew what a normal log looked like and immediately recognized an anomaly in his DNS logs, which led to the discovery of Conficker on his network.  Specifically, the administrator saw a spike in DNS queries for hostnames that did not resolve to any IP address (NXDOMAIN responses).  Conficker uses a domain generation algorithm to produce hundreds or more candidate hostnames each day and queries them looking for its payload servers; since almost none of those names are ever registered, the infected machine leaves a trail of failed lookups.

The key here is familiarity with the logs on all of your network devices.  Understand what a normal day looks like, recognize when a device starts producing anomalies, and investigate when they happen.  Familiarity with your own logs may be the difference between early detection of an APT and significant data loss.
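To make the "know what normal looks like" advice concrete, here is an added example (not code from the original post or from the talk it describes) that learns the ordinary NXDOMAIN rate from a known-good day of DNS query logs and then flags clients whose failed-lookup behaviour on a later day stands out, the way a DGA-driven host like Conficker does.  The log line format, the thresholds, and all the log lines are constructed assumptions for the example; a real resolver's query log would need its own parser.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real resolver's):
#   <timestamp> <client-ip> <qname> <rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>[A-Z]+)$"
)

# Tunables (assumed): flag a client only when its NXDOMAIN share is several
# times the baseline share AND it has produced many distinct failing names,
# so a single typo or a dead bookmark does not trigger an alert.
RATIO_MULTIPLIER = 5.0
MIN_RATIO = 0.10
MIN_NXDOMAIN = 5

# Constructed "normal day" used to learn what ordinary traffic looks like.
BASELINE_LOG = """\
2012-04-29T09:00:01 192.0.2.10 www.example.com NOERROR
2012-04-29T09:00:02 192.0.2.10 mail.example.com NOERROR
2012-04-29T09:00:03 192.0.2.11 www.example.org NOERROR
2012-04-29T09:00:04 192.0.2.11 www.exmaple.org NXDOMAIN
2012-04-29T09:00:05 192.0.2.10 update.example.net NOERROR
2012-04-29T09:00:06 192.0.2.12 cdn.example.com NOERROR
2012-04-29T09:00:07 192.0.2.12 www.example.com NOERROR
2012-04-29T09:00:08 192.0.2.77 www.example.com NOERROR
2012-04-29T09:00:09 192.0.2.77 mail.example.com NOERROR
2012-04-29T09:00:10 192.0.2.11 intranet.example.com NOERROR
"""

# Constructed "today": 192.0.2.77 has started querying random-looking names.
TODAY_LOG = """\
2012-04-30T09:00:01 192.0.2.10 www.example.com NOERROR
2012-04-30T09:00:02 192.0.2.10 mail.example.com NOERROR
2012-04-30T09:00:03 192.0.2.10 update.example.net NOERROR
2012-04-30T09:00:04 192.0.2.11 www.example.org NOERROR
2012-04-30T09:00:05 192.0.2.11 www.exmaple.org NXDOMAIN
2012-04-30T09:00:06 192.0.2.11 intranet.example.com NOERROR
2012-04-30T09:00:07 192.0.2.11 www.example.com NOERROR
2012-04-30T09:01:00 192.0.2.77 www.example.com NOERROR
2012-04-30T09:01:01 192.0.2.77 qkzbvtwxplm.com NXDOMAIN
2012-04-30T09:01:02 192.0.2.77 hrtnqzwvkdy.net NXDOMAIN
2012-04-30T09:01:03 192.0.2.77 mvplxqzkwtr.org NXDOMAIN
2012-04-30T09:01:04 192.0.2.77 bzwqtnxkvlp.info NXDOMAIN
2012-04-30T09:01:05 192.0.2.77 ztrpkwlxnqv.biz NXDOMAIN
2012-04-30T09:01:06 192.0.2.77 kqwzvnltrpx.com NXDOMAIN
2012-04-30T09:01:07 192.0.2.77 mail.example.com NOERROR
2012-04-30T09:01:08 192.0.2.77 xwnqtzkvlrp.net NXDOMAIN
2012-04-30T09:01:09 192.0.2.77 lptzwqvkxrn.org NXDOMAIN
"""


def parse_line(line):
    """Return {ts, client, qname, rcode} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_clients(log_text):
    """Per-client counts: total queries, NXDOMAIN answers, distinct NXDOMAIN names."""
    prof = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_names": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip blank or malformed lines instead of crashing
            continue
        p = prof[rec["client"]]
        p["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            p["nxdomain"] += 1
            p["nx_names"].add(rec["qname"].lower().rstrip("."))
    return prof


def baseline_nxdomain_ratio(log_text):
    """Fraction of all queries in a known-good window that were answered NXDOMAIN."""
    prof = profile_clients(log_text)
    total = sum(p["total"] for p in prof.values())
    nx = sum(p["nxdomain"] for p in prof.values())
    return nx / total if total else 0.0


def flag_dga_suspects(today_text, baseline_text):
    """Return {client: details} for clients whose NXDOMAIN behaviour today is
    anomalous relative to the baseline window."""
    threshold = max(RATIO_MULTIPLIER * baseline_nxdomain_ratio(baseline_text), MIN_RATIO)
    suspects = {}
    for client, p in profile_clients(today_text).items():
        ratio = p["nxdomain"] / p["total"]
        if ratio > threshold and len(p["nx_names"]) >= MIN_NXDOMAIN:
            suspects[client] = {
                "nxdomain_ratio": round(ratio, 2),
                "distinct_nx_names": len(p["nx_names"]),
                "threshold": round(threshold, 2),
            }
    return suspects


if __name__ == "__main__":
    for client, details in flag_dga_suspects(TODAY_LOG, BASELINE_LOG).items():
        print(f"suspect {client}: {details}")
```

The two-signal rule matters: 192.0.2.11 mistypes a hostname on both days and is never flagged, while 192.0.2.77 crosses both the ratio and the distinct-name thresholds and is.  In practice the baseline should be learned over a longer window than one day, and the flagged names themselves are worth a look, since a burst of unregistered, random-looking labels is the signature the administrator in the talk noticed.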

So even though Conficker continues to haunt corporate networks, it does remind us that we need to remain vigilant and become familiar enough with our own environments that we recognize when something is out of the ordinary.

Friday, April 27, 2012

Flashback attack and MacOS vulnerability

I know I've been remiss in keeping up with this blog and the latest news out in the security and proxy industry, but sometimes life happens.  With that in mind, I'm going to recap probably the most important bit of news of the last couple of months, which was the reminder to everyone that Macs, and Mac OS X specifically, are not immune to malware.  The Flashback trojan was widely reported on and was estimated to have infected over 600,000 Macs.  The bigger news, of course, was that Apple first ignored the reports and then slowly came around and said it would patch the Java vulnerability the malware exploited.

But the big question for many, of course, is whether any of the devices on their network helped prevent the attack, and that wasn't something most vendors had an answer to.  Blue Coat Systems, while not claiming to protect you from Flashback itself, did claim to help prevent an infected system from reporting back to the botnet servers collecting data from compromised Macs.  You can read about how they did this on their security blog.