Monday, October 29, 2007

Wake Up Corporate America

I am constantly hammered for downplaying the "inside threat" and focusing on external attackers. Several months ago I noted the Month of Owned Corporations as an example of enterprises demonstrating security failures exploited by outsiders. Thanks to Bots Rise in the Enterprise, it appears the external threat is finally getting more attention:

Who says bots are just for home PCs? Turns out bot infections in the enterprise may be more widespread than originally thought.

Botnet operators traditionally have recruited "soft" targets -- home users with little or no security -- and the assumption was that the more heavily fortressed enterprise was mostly immune. But incident response teams and security researchers on the front lines say they are witnessing significant bot activity in enterprises as well...

Rick Wesson, CEO of Support Intelligence, says the rate of botnet infection in the enterprise isn't necessarily increasing -- it just hasn't been explored in detail until recently. "What's changing is the perception. It's been underestimated, underreported, and underanalyzed," Wesson says. "Corporate America is in as bad shape as a user at home."

Wesson says his firm, which does security monitoring, instantly finds dozens of bot-infected client machines in an enterprise customer's network when it starts studying its traffic. "We find dozens of bot-compromised systems off the bat. The longer we stay in [there], the more we find."
(emphasis added)

Wake up, corporate America (and the world). When you open your eyes you're not going to like what you see, but dealing with the truth is better than pretending everything's OK.

4 comments:

jbmoore said...

I gave a talk to my bosses along with data showing that the AV engine our corporation uses can take 2 weeks to update its signatures for a particular bot. By that time, the bot has been mutated and downloaded to the infected host. They liked the talk, but that pretty much was it, and we are one of the company's IT Security groups. You can scream all you want, but like MR says in his second podcast, which you pointed me to, things won't change until the senior managers are replaced with Internet-savvy ones.

Anonymous said...

I have been working for a major MSP for the last two years. As an analyst I routinely encountered bot traffic on the internal networks of customers. It was frustrating to deal with the majority of customers that seemed to ignore or otherwise mishandle the escalation of bot-related activity. A tactic that works well with customers that ignore repeated bot-related escalations is to jump the chain of command and speak to the CIO or CISO. Sooner or later corporate America will finally wake up.

Tim Johnson said...

Richard:

Great website, I don't know where you find all of the time, but keep up the great job!

Tim Johnson
Sacramento

oledb said...

As long as the company in question isn't the target of a botnet DDoS, they couldn't care less. It won't be until a major downstream liability case that companies take this as seriously as they should.
On the topic of the insider threat, that is a near-religious discussion with me. I'm so sick of the paranoia preached at every CON by everybody. When you don't consider any existing defense you have in place, the external threat is far greater than anything from inside. While the damage caused by an insider attack can be considerable, the likelihood of it occurring is much lower than anybody will ever admit to. The press helps to build this myth as well with their coverage of insider cases. The bottom line is that aside from separation of duties, enforcement of LUA, and monitoring, there is not much you can do for an insider threat. It's an almost wholly reactive situation. Of course, vendors don't see it that way :-)