Avoid a wipe-out

Malware development has reached a new threat level with the emergence of destructive 'wiper' worms, such as that used in the attack against Sony Pictures.

Twenty years ago Stephen Hawking, a physicist and author, said that computer viruses should be treated as a life form, as they exploit the metabolism of the host computers they infect and become parasites. The intervening decades have highlighted the truth in his statement, with malware infections growing exponentially. And, like other forms of life, viruses have evolved. In 2013 we saw the emergence of ransomware, which criminals used to extort businesses by holding their data hostage and demanding payment for its release.

The next stage in that evolution has arrived with the recent attack against Sony Pictures Entertainment, which has been described as one of the most destructive yet seen against a company, taking much of the company's network offline for a week. The attack used 'wiper' malware, which overwrites the drives of PCs, rendering them inoperable. It's costly to fix because each affected PC's drive has to be replaced or rebuilt, and it is near impossible to recover the overwritten data using standard forensic methods.

The scale and purpose of the attack led to the FBI issuing a flash alert, warning other organisations about the potential threat - especially as the specific malware used was not detectable by conventional anti-virus software. It is this last point that is particularly critical: businesses cannot easily protect themselves against threats that their defences cannot 'see.'

Unseen, unknown

The problem is that new, unknown malware continues to be released at a rapid pace. It's relatively easy for criminals to make small adjustments to malware code, enabling it to bypass current anti-virus signature detection, which, in turn, leaves businesses vulnerable. Check Point's 2014 Security Report, which analysed millions of security events from over 10,000 organisations worldwide, found that, on average, a business has new, unknown malware inadvertently downloaded to its network every 27 minutes. That's nearly 50 unknown malware infections every day.

So what can businesses do to protect themselves against unknown, destructive malware? As a first step, it's important that organisations implement basic security best practices recommended to protect computers from any type of infection:

  • Ensure that anti-virus software is updated with the latest signatures;
  • Ensure that operating system and application software patches are up to date;
  • Install a two-way firewall on every user's PC; and
  • Educate users about social engineering techniques, especially involving unknown attachments arriving in unsolicited emails.

Even if malware is able to evade detection by anti-virus software, some of its actions may be inhibited or blocked by the PC firewall or latest software or OS patches. However, these best-practice measures do not offer complete protection against new, emerging attacks. It's all too easy even for a security-aware employee to click on an email attachment inadvertently, triggering an infection.

The sandbox trap

To defend against new, unknown exploits, a security technique called threat emulation, or sandboxing, makes it possible to identify and isolate unknown malware before it can enter the network, so that infection does not occur.

Emulation works by making it possible to look inside the common file types that we all use for business - emails, Word documents, PDFs, Excel spreadsheets and so on - to see if those files contain a malicious payload, as this is the most common vector for propagating new malware. The emulation engine can run either on a company's main security gateway at the edge of the network, or in the cloud as a service. As files arrive at the gateway or cloud service via email, they are inspected in a virtualised, quarantined area known as a 'sandbox.' Here, the file is opened and monitored for any unusual behaviour in real time, such as attempts to make abnormal registry changes or network connections. If its behaviour is found to be suspicious or malicious, the file is blocked and quarantined, preventing any possible infection and subsequent damage.

This entire process takes place transparently for the majority of files, so that even when a file is inspected and proven 'clean', the intended recipient will not notice any pause in email services. Information about detected file activity is then available to the IT team in a detailed threat report.
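To make the verdict step concrete, here is an added example (not code from the original article or from any vendor's product) of the kind of behavioural scoring a sandbox applies once it has opened a file and logged what it did. The event traces, the behaviour classes, their weights and the thresholds are all assumptions constructed for this illustration; a production engine would have far richer telemetry and rules. The example generalises slightly beyond the article by also scoring two behaviours characteristic of wipers: raw disk writes and mass overwriting of user files.

```python
"""Toy behavioural verdict engine for a detonation sandbox (added example).

A sandbox opens the file in an isolated VM and records what the viewer
process does. This module takes such a trace and turns it into a verdict
that the gateway can act on (block/quarantine or deliver).
"""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass(frozen=True)
class Event:
    kind: str     # "registry" | "network" | "file_write" | "process"
    target: str   # registry path, host:port, file path, or child image name


# Behaviour classes and their weights. These values are assumed for the
# example, not taken from any real product.
WEIGHTS = {
    "registry_persistence": 40,   # writing an autostart (Run) key
    "outbound_network": 30,       # a document opening a network connection
    "child_process": 25,          # viewer spawning a scripting/shell host
    "mass_file_overwrite": 60,    # rewriting many user files in one run
    "raw_disk_write": 60,         # writing straight to a physical drive
}
MASS_WRITE_THRESHOLD = 20  # distinct user files written in one detonation (assumed)

# Autostart locations; a benign document has no reason to touch these.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Child processes a document viewer should not be launching (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}


@dataclass
class Verdict:
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 60:
            return "malicious"
        if self.score >= 25:
            return "suspicious"
        return "clean"


def evaluate(events: Iterable[Event]) -> Verdict:
    """Score one detonation trace; each behaviour class counts once."""
    hits = set()
    user_files = set()
    for ev in events:
        if ev.kind == "registry" and ev.target.startswith(RUN_KEYS):
            hits.add("registry_persistence")
        elif ev.kind == "network":
            hits.add("outbound_network")
        elif ev.kind == "process" and ev.target.lower() in SUSPICIOUS_CHILDREN:
            hits.add("child_process")
        elif ev.kind == "file_write":
            if ev.target.startswith(r"\\.\PhysicalDrive"):
                hits.add("raw_disk_write")
            elif "\\Temp\\" not in ev.target:  # scratch files are normal
                user_files.add(ev.target)
    if len(user_files) >= MASS_WRITE_THRESHOLD:
        hits.add("mass_file_overwrite")
    return Verdict(sum(WEIGHTS[h] for h in hits), sorted(hits))


def should_block(verdict: Verdict) -> bool:
    """Gateway policy: anything not clean is held back and quarantined."""
    return verdict.label != "clean"


# Constructed traces, as a sandbox might log them (not real captures).
CLEAN_TRACE = [
    Event("file_write", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
    Event("file_write", r"C:\Users\alice\Documents\quarterly.docx"),
]
WIPER_TRACE = (
    [
        Event("process", "cmd.exe"),
        Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
        Event("network", "198.51.100.7:443"),
    ]
    + [Event("file_write", rf"C:\Users\alice\Documents\file{i}.docx") for i in range(25)]
    + [Event("file_write", r"\\.\PhysicalDrive0")]
)

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_TRACE), ("wiper", WIPER_TRACE)):
        v = evaluate(trace)
        print(f"{name}: score={v.score} label={v.label} block={should_block(v)} {v.reasons}")
```

The point of scoring by behaviour class rather than by file content is what the article describes: a trivially modified sample with a new hash still has to write its autostart key, reach out to the network or overwrite files to do its job, and that is what the sandbox sees.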

Threat emulation is a critical layer of protection for organisations against new, destructive malware strains, acting as a barrier that blocks these parasitical life forms from attacking networks. While we will never be able truly to wipe out these malicious agents, sandboxing can certainly help to stop them wiping companies' precious data and resources.

About Doros Hadjizenonos

Doros Hadjizenonos is Regional Sales Director Southern Africa at Fortinet.