Malware and security expert Gary Werner delivers a keynote presentation on the threat posed to business by malware at IT360, Wednesday, April 7, 2010 in Toronto.
(WEB HOST INDUSTRY REVIEW) — The keynote presentation, on “universal threat awareness,” which kicked off Wednesday’s IT360 conference in Toronto, was delivered by Gary Werner, a leading expert in the field of cybercrime, phishing and network intrusion (just so we’re clear, he opposes them).
Werner, who is director of research in computer forensics at the University of Alabama at Birmingham, began by describing UAB’s computer forensics department and its work training people who will go on to work in law enforcement, and providing them with the tools they’ll need in the process. One of those tools is the university’s phishing URL project, which has identified 17,341 phishing sites targeting 251 financial institutions and reported them to law enforcement.
One thing he points out is that businesses should have a policy requiring employees to report to their employer when their bank or other personal passwords are stolen. The reason is that the password may well have been captured by a keylogger, and a remote worker may be logging into work systems from the same infected machine, so a “personal” credential theft can be the first visible sign of a compromise of the business.
He runs through a few phishing sites that were live on April 5, showing the information they try to acquire and illustrating the depth of information an identity thief can hold on a given victim. Many of them, he says, are trying to build entire profiles of the victim, not just steal credit card numbers.
Another interesting point: he says that if your response to malware is simply to delete it, you have missed the opportunity to identify who had infiltrated your business, which is exactly the work Werner’s lab does. If it is just a common piece of zombie botnet malware used to send out spam, deleting it might be the simplest and most appropriate response; but if it sends all your Word documents to an IP address in Belarus every evening (to use his example), that is a very different situation and deserves investigation before the evidence is wiped.
Treating a malware infection as an actual security breach, not just a passive infection, is the philosophical point he wants to make clear.
From an investigative standpoint, he says that the common mindset of investigating a particular infection, or a particular piece of malware, misses the possibility that the person operating the malware is involved in a very broad network of domains and other malware systems. By way of illustration, he shows several diagrams of a malware network he investigated, built around one large user of the Zeus malware system.
Back to his main point, how malware, in its interactions with Internet users in general, can affect your business: he shows many examples of phishing sites that ask for the victim’s “company name,” which suggests an interest in knowing what systems they might be able to reach through a given user.
Many of the emails designed to trick recipients into installing malware, he says, will arrive at your employees’ work computers via personal webmail accounts such as Gmail or Yahoo Mail rather than through corporate email. They can also be delivered via Facebook, and, of course, blocking employees from using Facebook can be a difficult sell.
One of his premises is that the security department within a company, the security community within a city, and so on up the chain, should be working together on matters such as patching and threat intelligence. His underlying point had to do with the general lack of awareness, among businesses, banks and many other organizations, of the actual substance of the threat posed by malware.
He wrapped up, mostly, with the point that businesses should be careful in how they treat malware, both in the policies they put in place for employees reporting infections (specifically, that employees should report every infection, even on home machines) and in how the business responds to infections on its own systems (that it should examine the malicious software and find out what it is and what it was doing before deleting it).