Re-educating the Board on where our borders end
Catching up on the weekly security news, this headline caught my eye: “US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)” from the SANS weekly NewsBites. The piece covers recent attacks on US and South Korean government, military and private industry sites, with some nice technical links to what is going on. Basically, once the malware has done its task it overwrites the MBR and partition table, just like the viruses of the good ol’ days. However, the one comment I will be passing on to my CIO is from Alan Paller, the director of research at the SANS Institute:
“This morning Korea government sources report that the files on the attacking computers are being overwritten – in a massive suicide of the bot-network. Sadly, it will be very easy to construct a new one.”
The two points he clearly raises are:
1) They can destroy the data on an infected computer
2) They can easily do it all over again
Why?
Cyber warfare is not new, nor are bots, but a willingness to throw away compromised machines on a massive scale is, bot-net herders going mad aside. I still compete with the perception that antivirus and a firewall will save us from getting into trouble. I only wish they did. Take the 560 bootcamp or spend two minutes with John Strand to be re-educated on this.
Leaving aside mobile phones, we have a growing number of requests to replace desktops with laptops in the company, so the perimeter I am supposed to be defending now extends to staff homes and families.
Why?
Well, guess who starts using the laptop when it gets home: the kids, the other half and possibly the Romanian circus clowns that are in town for the day, all of whom have a desperate need to check their MySpace/Facebook/web mail accounts. (Note to self: bring up that the supported number of users has tripled at the next pay review ;-))
All one of these non-staff members need do is click on a link, download a file or even open a picture; the AV misses it and the laptop is now co-owned by someone out in the cloud. Then, the next day, the infected machine comes back into the office.
As we have IT policies in place, I can be sure none of our staff would do this though.
Back to why I am passing on Alan’s comments rather than a link to one of the excellent articles from the NewsBites page. Alan has the necessary gravitas to appeal to my CIO and the board. Despite my monthly reports and management summaries, I still find management respond more actively to the opinions and suggestions of respected senior figures. Comments and articles like this can help change senior management’s perception of what IT security is today.
I’ll take all the help I can get.