Lessons from the field

This is part one of a two part series looking at real world problems customers are having with what has loosely been described as Web 2.0. I say loosely because a quick look at Wikipedia reveals some discussion as to what the phrase means. Wonderful for marketing folk, who can claim almost anything is Web 2.0 equipped. Not so for us security folk. Whilst Skype, instant messaging and video streams smuggle viruses into our networks, we are stuck with a phrase that could also mean your fridge has an internet browser built into it. So put aside the vague and come with me as I look at Web 2.0 in the real world.

This is a story about a customer who had a big virus outbreak this year. It started from the inside out: the first thing they noticed was users complaining about slow internet. Shortly after, they found millions of emails in their outbound queue claiming to be from places like Yahoo and addressed to places like Hotmail. They own MailMarshal, WebMarshal and a PIX firewall, with Trend Micro installed on the servers and desktops. What followed was blacklisting by reputation services and legitimate email bouncing back from clients and suppliers. In terms of visibility the only product worth anything when it mattered most was MailMarshal, because it showed the millions of emails going out. No virus scanner went off, and no alarms came from either WebMarshal or the firewall. Logs quickly showed the emails coming from the Exchange servers, but because their virus scanner wasn’t triggering it took days to find code samples Trend could analyze and create a signature for. Days in which they were running mostly blind.
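The one signal this customer actually had was internal mail servers sending mail with sender addresses that were not theirs. That is cheap to check for on the gateway, and the following is an added example of doing so; it is not code from the original post or from MailMarshal. The log field layout is hypothetical (it is not MailMarshal’s real format), the lines are constructed, and the host and domain names are placeholders.

```python
import re
from collections import Counter

# Constructed outbound-gateway log. The field layout is hypothetical for this
# example and is not MailMarshal's real log format; domains are placeholders.
SAMPLE_LOG = """\
2010-11-03 09:12:01 src=exch01.corp.example from=alice@corp.example to=bob@supplier.example
2010-11-03 09:12:02 src=exch01.corp.example from=jsmith8812@yahoo.com to=ann@hotmail.com
2010-11-03 09:12:02 src=exch01.corp.example from=cheapmeds@yahoo.com to=ted@hotmail.com
2010-11-03 09:12:03 src=exch02.corp.example from=promo@yahoo.com to=kim@hotmail.com
2010-11-03 09:12:04 src=exch01.corp.example from=carol@mail.corp.example to=dan@client.example
2010-11-03 09:12:05 src=exch01.corp.example from=winner@yahoo.com to=lee@hotmail.com
this line is not a mail record
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)")


def is_our_domain(addr, our_domains):
    """True if the address is in one of our domains or a subdomain of one."""
    dom = addr.rsplit("@", 1)[-1].lower()
    return any(dom == d or dom.endswith("." + d) for d in our_domains)


def find_spoofed_outbound(log_text, our_domains):
    """Count, per internal source host, outbound messages whose envelope
    sender is not in any of our domains. Our own mail servers should never
    originate mail claiming to be from yahoo.com, so any count above zero is
    worth an alert before the reputation blacklists notice it for us."""
    ours = {d.lower() for d in our_domains}
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and not is_our_domain(m.group("sender"), ours):
            counts[m.group("src")] += 1
    return dict(counts)


def hosts_to_alert(log_text, our_domains, threshold=1):
    """Source hosts at or above the threshold, highest count first."""
    counts = find_spoofed_outbound(log_text, our_domains)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [host for host, n in ranked if n >= threshold]


if __name__ == "__main__":
    print(find_spoofed_outbound(SAMPLE_LOG, ["corp.example"]))
    print(hosts_to_alert(SAMPLE_LOG, ["corp.example"], threshold=2))
```

On a real gateway the threshold would be tuned per host and per minute rather than a flat count, but the rule itself does not change: an internal Exchange server is never a legitimate origin for mail from someone else’s domain.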

They could never prove it, but in the end decided it must have come from the Internet and blamed WebMarshal for not stopping it. I don’t know for sure, but my guess is it was a Flash Player exploit, which WebMarshal was never going to stop. The way they saw it they had layered protection three deep: a firewall, a content filtering proxy and virus protection. In reality their third layer of protection was actually their first and only layer. And I’ll tell you why.

I had a friend in show business who traveled a lot, and had been doing so for years. He was very famous, and the customs guys had checked his bags a hundred times, always finding the same things. His name was Mr Browser. Each trip Mr Browser would come back with something from his travels to wow the crowds. He had a friend, Mr Flash, whom the crowds loved because he was, well, so flashy and entertaining. But customs didn’t know him from a bar of soap and wanted the full body search routine. So Mr Flash asked Mr Browser to bring back the things he wanted for his shows. “Customs trust you and won’t be worried if there are a few new things in your bag”, he said. And so that’s what happened. It all went swimmingly until one gig Mr Flash’s latest toy exploded on stage, killing dozens of people.

A browser renders HTML, CSS, JavaScript and a handful of image formats. It cannot interpret a Flash (SWF) stream, which is why you need Flash Player. The SWF format is documented, but decoding and running a SWF still means running Adobe’s player code, and nothing upstream of the desktop does that. Your firewall just sees HTTP packets. Your proxy sees an opaque binary object inside an HTTP response: it can tell from the first few bytes that the object is a SWF, and could block or quarantine it on that basis, but it cannot tell what the object will do once Flash Player executes it. Your browser sees the same object with a note saying “pass this to the Flash Player please”. If your firewall can’t see inside it, your proxy can’t see inside it and the browser can’t see inside it, the only line of defence is the anti virus program on the desktop, watching as Flash Player decodes it and the exploit goes bang. In effect their last line of defence was their only line of defence: the Trend scanner, which failed with spectacular results.
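To make the “proxy sees gibberish” point concrete, here is an added example (not code from the original post, WebMarshal or Adobe) of exactly how far a content-filtering proxy can see into a SWF. The first eight bytes are a three-byte signature (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed), a version byte and a little-endian length of the uncompressed file. A proxy can read those regardless of the Content-Type the server advertises, which is enough to identify, log or block Flash content and to spot a SWF served as something else; it is not enough to know whether the content is an exploit. The HTTP responses below are constructed, and the SWF bodies are stand-ins with a valid header and a dummy payload.

```python
import struct
import zlib

# SWF signature bytes and the compression each one announces.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def identify_swf(body):
    """Return header facts for a SWF body, or None if it is not a SWF.

    A SWF starts with a 3-byte signature, a 1-byte version and a 4-byte
    little-endian length of the *uncompressed* file. Everything after those
    8 bytes is the part only Flash Player decodes."""
    if len(body) < 8 or body[:3] not in SWF_SIGNATURES:
        return None
    return {
        "compression": SWF_SIGNATURES[body[:3]],
        "version": body[3],
        "declared_length": struct.unpack("<I", body[4:8])[0],
    }


def classify_response(headers, body):
    """Classify an HTTP response the way a proxy could: by the bytes,
    not by the Content-Type the server chose to send."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if identify_swf(body) is None:
        return "not-swf"
    return "swf-declared" if ctype == "application/x-shockwave-flash" else "swf-disguised"


def header_consistent(body):
    """Check that the declared uncompressed length matches the bytes present.
    Returns True or False; None for ZWS, whose raw LZMA stream is not
    decompressed in this example."""
    info = identify_swf(body)
    if info is None:
        return False
    if info["compression"] == "none":
        actual = len(body)
    elif info["compression"] == "zlib":
        try:
            actual = 8 + len(zlib.decompress(body[8:]))
        except zlib.error:
            return False
    else:
        return None
    return actual == info["declared_length"]


def build_sample_swf(kind="FWS", version=10):
    """Constructed stand-in SWF: a valid 8-byte header plus filler.
    The payload is not a real frame rect or tag list, only zero bytes."""
    payload = b"\x00" * 24
    header = kind.encode() + bytes([version]) + struct.pack("<I", 8 + len(payload))
    if kind == "FWS":
        return header + payload
    if kind == "CWS":
        return header + zlib.compress(payload)
    if kind == "ZWS":
        return header + b"\x00" * 24  # filler only, not a real LZMA stream
    raise ValueError(kind)


# Constructed responses: the same kind of object behind different advertised types.
SAMPLE_RESPONSES = [
    ({"content-type": "application/x-shockwave-flash"}, build_sample_swf("FWS")),
    ({"content-type": "image/gif"}, build_sample_swf("CWS")),
    ({"content-type": "text/html"}, b"<html><body>hello</body></html>"),
]


def scan_responses(responses=SAMPLE_RESPONSES):
    """Verdict per response, in order."""
    return [classify_response(h, b) for h, b in responses]


if __name__ == "__main__":
    for (h, b), verdict in zip(SAMPLE_RESPONSES, scan_responses()):
        print(h["content-type"], "->", verdict, identify_swf(b))
```

The useful output is the verdict, not the header fields: a proxy that blocks or quarantines anything classified `swf-disguised`, or all SWF from untrusted sites, has turned an opaque object into a policy decision without ever understanding it. What it still cannot do is decide that a well-formed, correctly labelled SWF is safe, which is the author’s point.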

Lesson number one. Desktop protection is becoming more important than ever, because Web 2.0 clients and plugins like Skype, instant messaging, Silverlight, QuickTime and Flash Player carry their own data formats, undecoded, all the way to the desktop. Review your anti virus option and buy a scanner that is proven to pick up new threats quickly. Don’t go on reputation, number of fancy extras, giveaways or sales promises. Instead, check out this brilliant piece of research from Cyveillance that shows why not all virus scanners are equal.

Sadly for my customer, this research shows that if 100 new viruses were released today, 30 days on Trend would still not have signatures for 62 of them. That’s simply not good enough.

Posted by Carlton Duston on 17 Nov 2010 | 0 comments
Tagged with Blog, Opinion