Technology evil-doers are getting better and more nasty at their attacks — going for the operating system itself. The Computer Security Institute’s John O’Leary and Georgia Tech’s Jon Giffin discuss w
By David Weldon
John O’Leary has vivid memories of reading Chicken Little as a child. So much so, that when asked to reflect on the state of information technology security in the workplace, the children’s book character immediately sprang to his mind.
“We in the industry have not done a very good job of conveying to managers the threats that the new wireless world is bringing to their companies,” O’Leary insists. “We have not given them very good sky-braces.”
Well, maybe the sky isn’t literally ready to fall on corporate America as a result of the explosion of mobile and wireless devices among workers. But the risks to corporate systems are still very real, O’Leary says.
As education director at the national Computer Security Institute, O’Leary is certainly in a position to know. His role largely involves educating the private sector and the general public about threats to computer systems and technical devices.
In recent years, the largest threats to corporate systems were from email and firewall vulnerabilities (or total lack of firewalls), which could invite all sorts of malware nasties into a network. Malware is the term given to viruses, worms, Trojans, and any similar software program that does malicious damage to computer applications.
But the bad guys are getting better at what they do, O’Leary says, and the targets now are increasingly the operating system itself.
According to Jon Giffin, an assistant professor in Georgia Tech’s School of Computer Science Institute of Technology program, “There has been a shift in thinking from five years ago, where the operating system is now part of the attack, part of the infection.”
The distinction between attacking the operating system of a PC and attacking the applications that run on it is very important, Giffin notes. Virus protection software, readily available on the market and increasingly built in to new computers, is aimed at recognizing and blocking attacks against the programs that ride on top of the operating system.
From the perspective of the attack generator, “The best part of attacking the operating system is that you’re flying below the radar,” Giffin says.
It gets worse.
“A successful attack could gain complete control over the computer,” Giffin explains.
While a company’s IT support technician might be able to easily identify, contain or remove a normal virus, one that has taken up residence in the operating system code can be hard to detect, and the damage it can eventually do may be permanent.
When managers hear tales of complete computer crashes or so-called “Blue Screens of Death” among their staff, they should take note.
Even short of flat-lining an employee’s PC, an attack on the operating system can take control of the system, but lurk quietly in the background plotting and hatching all sorts of evil deeds.
“Once a piece of software gets installed onto any part of the operating system, it can now instruct your computer to send out other attacks,” he notes.
The good news, from Giffin’s perspective, is that the information security community is well aware of the new battleground, and is working on better defenses. The bad news: “It is a constant race, and the defenders are frequently behind.”
Giffin sees part of the solution in the academic community better communicating with the private sector on what the largest threats to systems are. He says the research community should take a more proactive role in coming up with security solutions in original code.
“We produce solutions that are add-ons, rather than fixing an initial problem with code vulnerabilities,” he suggests.
Wireless worries
The greatest danger to corporate computer systems today is the vast number of mobile devices that workers insist on tying to them, Giffin says. In order to enable all of these devices to actually communicate with networks, a bit of security must be sacrificed. And that opens the door to trouble, he explains.
Giffin is in fact charged with helping to find a fix to operating system vulnerabilities. And not on a small scale, but for national level critical systems.
“Much of the research here is funded by the National Science Foundation and the Department of Defense,” he explains. “Large corporations fund some of the research projects, and Microsoft works on some of the ideas.”
IT security has been a major concern for companies for a few years now, and most large corporations have a designated information security manager or director. But Giffin says the proliferation of small mobile devices is increasing at a pace that is hard for them to keep up with. And hardware vendors are “dumbing down” many of the portable and wireless devices to enable networks to recognize them.
This dumbing down is coming at the expense of protective code in the devices themselves, which in turn enables them to more easily become infected with malware, and pass it along to the network, Giffin says.
“It is a very restricted environment in terms of security,” Giffin says of a small portable device. “It runs on a battery, and is not a full system like a laptop. The applications are often very stripped down.”
Added to the reduced security is the obvious problem — their mobility.
“People are carrying these devices everywhere, and they often carry too many devices,” Giffin says. “IT people can’t lock these devices down.”
The risks you take
Unfortunately, much of information security protection is a matter of what a company is willing to pay for and gamble on. That is especially true for large companies with lots of informational assets at stake.
“Threat mitigation is one of the biggest trends now,” O’Leary says. “It involves eliminating security threats, or at least getting to the point that it is a manageable and tolerable level.”
The question that a company has to ask itself, O’Leary says, is how minimal a level of security it is willing to accept in order to avoid paying for a higher level of protection.
Risk assessment is getting more attention now, O’Leary says, which is a very good thing. Part of what is driving that is new regulations. But, like Giffin, O’Leary says the other major factor is the increased reliance on devices attached to the network.
Also like Giffin, O’Leary cites the lack of adequate encryption in such devices, as well as reliance on what he calls rogue access points — such as public wireless access connections.
The most important first step in reducing such risks, O’Leary says, is simply a good security policy — with all employees made aware of the risks that mobile devices bring, and why. Employees need to have their behavior modified, or at least be made more aware of when and where they use remote devices.
On a larger scale, senior managers need to be educated in their responsibilities if systems are breached, O’Leary says. That includes legal requirements, requirements to vendor partners and customers should their data be compromised, and obligations to brief top executives.
And reacting after the fact to a security problem won’t cut it, if the IT manager had an ability to make a system more secure, but didn’t, O’Leary warns.
“If you, as a security professional, find a hole that could be exploited, what are your obligations?” O’Leary poses. The answer could mean corporate life or death for that information security professional.