Security's Everyman

Thursday, May 03, 2007
No one is exempt
I ran across this article this morning. The author and some of the people he interviewed seem to have been under the impression that corporate networks were almost immune to bots and similar malware. At first I thought "how naive," but then I remembered that I used to think that too, until I thought about all the different attack vectors that a network is susceptible to.
Years ago, when malware was sparse, a firewall and AV software were all many companies (even large ones with big budgets) needed and used. Viruses popped up from time to time when someone took a floppy disk home, got it infected, and then used it at work. Then email started being used more frequently to spread them, but they were mostly limited to doing little "real" damage and could be contained fairly easily. The malware writers got smarter, and the advent of the Internet as a critical tool of business, for both home and business use, raised the stakes.
Now a corporate network can be secure at the perimeter, secure at the endpoint (as secure as is reasonably possible), and secure on the wire, yet still be open to attack from many points. Machines can get infected while the protections in place are totally in the dark that anything has happened. You can get infected by doing things you shouldn't be doing, and you can get infected by doing things that aren't inherently dangerous (browsing a legitimate site that has been compromised). The corporate network may be adequately secured to prevent this (at least we like to think so), but your home network, the coffee shop, the book store, and other open wi-fi hot spots are ripe for the picking. These are the places where many users get infected, and then they often bring the infection back to the office.
I'd dare to say that most corporate networks are not equipped to notice this unless something really unusual happens to trigger an IDS/IPS, or they happen to stumble across it. Michael at mcwresearch gives us a great example of this. I also tell a story here of a time when I "stumbled" across something at a client site.
This is what is so scary about today's malware. It's easier than ever to get infected and harder than ever to be detected. That's why it's so important that security professionals continue to work diligently in all areas to protect their little corner of the network and the Internet. Everyone from the security researcher down to the desktop guy is important in the fight. No one is better than anyone else, and no one is more important than anyone else. We all have to work together if we ever hope to win this battle.
Posted by Andy, ITGuy at 5:52 AM
Labels: Andy ITGuy, bots, information security, malware, mcwresearch, rootkits
Wednesday, February 07, 2007
Legitimate Rootkits?
I ran across an article on SearchSecurity.com this morning that caught my attention. It's about how rootkits are becoming more popular. What caught my attention is this comment on the teaser page: "industry experts at RSA Conference 2007 say rootkits have also emerged as useful tools for legitimate businesses trying to exert control over users." My jaw dropped. After the Sony fiasco, and given the simple fact that rootkits are, by design, hacker tools used to hide bad things, you would think that we would have learned something. I know that there are lots of hacker tools out there that have legitimate uses in security. I think it's great when we can use hacker tools to make our networks and systems more secure against those very tools. I think it's a good idea to keep a close eye on what the hackers are doing so we can counter them. I don't think that using something designed to hide bad things on our systems is a good idea for any reason. If there is a way to subvert the legitimate rootkit (and a way will be found), then it is a major danger to our systems' security, and we need to fight against any company that wants to implement their use.
Posted by Andy, ITGuy at 6:29 AM
1 comment
Labels: hackers, information security, rootkits, RSA, searchsecurity.com