IT Security Isn’t Important – Part 1 of 3

That’s right, it isn’t important.  I realize that it matters to most of the people reading this.  What I have  recently realized, however, is that it really doesn’t matter to most.  We in the industry are in denial about our place in the scheme of things.  It’s self-evident to us that information security is of vital importance.  We talk about the massive market for IT security, the amount of press breaches are given, and the big push for compliance and increased security across all standards.  Still, it’s just not that important to enough people.  Symantec had roughly $6b in revenue last year.  While they were doing that, Avon sold $11b worth of cosmetics using a network of door to door salespeople.  Think about it.

The IT security market is considerable.  Gartner estimates it to be in the realm of $85b a year.  $85b is a lot of money.  Having said that, there was more money spent on commercial cleaning and garbage removal last year than there was on IT security.  So really, how important are we?  While the threat of a dirty office is no laughing matter, I don’t think it is quite as important as keeping your data secure.

We talk a lot about user awareness and training, and yet I think we’ve failed in that it’s something that we mention to people and then forget.  It’s very much a “do as I say and not as I do” mentality.  We speak to organizations and groups about awareness, but do little ourselves to spread that awareness.  I’m as guilty as anyone in this regard.  Three years in, and the most my friends and family can say of my business is that I do “fancy anti-virus or something”.  This is usually followed up by a request to “speed their computer up”.  The number one question I get from the average consumer?  “Is it safe to use my credit card online?”  Nearly twenty years on, and we still haven’t answered a single question for the general public.

Most people have a very good knowledge of “real world” crimes.  It makes sense: they’ve been around longer and get all the good TV shows.  What we need to do is translate cyber crimes into “real world” crimes.  Most people think they know what a virus is, or what a hacker does.  Mostly though, they just don’t.  I have had far too many conversations with C-level execs and VPs who have absolutely no clue.  It’s disheartening when you speak to the CIO of a Fortune 50 company who doesn’t know what a botnet is.  It’s disheartening, but it’s also enlightening.  We need people to understand that what happens online affects the real world, and them directly.  In short, we need to make information security important to them personally.

It’s up to us as security professionals to make it important to everyone.  It’s up to us to help people understand.  We need to step outside of the security groups and the IT crowd.  We need to talk to the business leaders, the financial teams, the HR groups, all of them.  We should be talking to our friends, our colleagues, that aunt that keeps sending out the cute slideshows.  If we ever want the average user to “get it”, we need to help them do so.  Until then, it just won’t be important.

While we need to exchange ideas and information with our peers, what I think is even more crucial is that we spend more time talking to the uninitiated.  It’s great to see all the experts at an event, but what would help our industry more is to see the non-experts at these events. If we keep talking to other experts and rely on them to spread the word, we’ll continue to fail.

So do we start at the top?  Should we try to get the government to mandate the hell out of security and force people’s hands?  Do we harass CEOs to institute appropriate policies and then enforce them?  I don’t think so.  Good policy is important, but even the best policy is easily ignored by those who care little for it.  I think we all know enough users who skirt their employer’s Facebook policy.  If people don’t understand the policy and the reasoning behind it, they will never back it, and they will never adhere to it.

Defence Intelligence has run a number of informational seminars in the past.  These have mostly been aimed at specific threats or technologies, and were designed for security experts.  What I’m asking myself now is, why have we never done a far more basic seminar for the layman?  We feel the pain of the security staff while they try to justify their budget, but what have we done to help them?  I’ve been frustrated many times while trying to explain why “we have a firewall” is not a legitimate security stance.  Really, though, how much have I done to correct it?

We’re going to change.  We’re going to start offering basic informational seminars and training to both our clients and our potential clients.  No fees, no product pitch, just basic information, awareness and policy for anyone who might be interested.  At least then we’ll be able to say that we’re doing our part to make security important.

Part 2 coming soon – Why IT Security Isn’t Important

Mariposa Redux

It seems that long after we identified and took down Mariposa, bad folks are still using the butterfly kit behind it to build large botnets. 

There’s been some coverage around the EvilFistSquad/Metulji takedown recently, and given the relationship to Mariposa, I thought I’d say a few words.

A few points:

Mariposa is back?

EvilFistSquad/Metulji is not Mariposa.  It is similar in intent and based on the same butterfly kit.

How big is it? 

Like Mariposa, it’s impossible to tell for certain.  Even if all command and control domains were seized, dynamic IPs, NATs/firewalls, etc. make it impossible to be sure.  By all accounts, it’s big.
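To show why a seized-domain (sinkhole) log gives only bounds rather than a count, here is an added example, not part of the original post and not Defence Intelligence code: it works through a small constructed sinkhole log and compares the day’s unique source addresses, the peak-hour unique addresses, and the count by per-bot identifier. The identifier column is an assumption; if the bot protocol exposes none, only the address-based views are available.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole records (not real Mariposa or Metulji data): "ISO-timestamp src_ip bot_id".
# bot-a changes address through the day (DHCP churn); bot-b..bot-e sit behind one NAT address.
SINKHOLE_LOG = """\
2011-06-01T00:05:00 10.0.0.1 bot-a
2011-06-01T06:05:00 10.0.0.2 bot-a
2011-06-01T12:05:00 10.0.0.3 bot-a
2011-06-01T01:00:00 203.0.113.5 bot-b
2011-06-01T01:01:00 203.0.113.5 bot-c
2011-06-01T01:02:00 203.0.113.5 bot-d
2011-06-01T01:03:00 203.0.113.5 bot-e
2011-06-01T01:30:00 198.51.100.7 bot-f
"""

def parse_sinkhole_log(text):
    """Return (timestamp, src_ip, bot_id) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, bot_id = line.split()
        records.append((datetime.fromisoformat(ts), ip, bot_id))
    return records

def estimate_population(records):
    """Three views of the same log.
    unique_ips:     one-day unique source addresses, the figure usually quoted;
                    DHCP churn inflates it, NAT deflates it.
    peak_hour_ips:  most distinct addresses seen in any one clock hour; a
                    conservative floor on hosts beaconing at once, less churn-sensitive.
    unique_bot_ids: infections by identifier, only when the protocol exposes one
                    (and only as trustworthy as that identifier).
    """
    by_hour = defaultdict(set)
    for ts, ip, _ in records:
        by_hour[ts.replace(minute=0, second=0, microsecond=0)].add(ip)
    return {
        "unique_ips": len({ip for _, ip, _ in records}),
        "peak_hour_ips": max((len(s) for s in by_hour.values()), default=0),
        "unique_bot_ids": len({b for _, _, b in records}),
    }

if __name__ == "__main__":
    est = estimate_population(parse_sinkhole_log(SINKHOLE_LOG))
    print(est)  # {'unique_ips': 5, 'peak_hour_ips': 2, 'unique_bot_ids': 6}
```

One infected host shows up as three addresses while four hosts share one, so the same log supports any headline from 2 to 6 depending on which column you count.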

Who is behind it?

The FBI and Interpol arrested two individuals earlier this month in connection with this botnet.  It is unclear, but likely, that other operators are still at large.

Is it still active?

Some of the command and control domains have been taken down, but not all.  Compromised systems are still losing data.

What we can learn from this:

What this takedown shows us is that you needn’t be technically proficient or even all that clever to amass millions of victims.  Think about it:

The creator of butterfly was arrested and had his equipment seized.  The authorities have all his transaction details and know who purchased the kit.

The botmasters raised suspicions by extravagant spending.

The botmasters used their real names and addresses in some cases.

As Luis Corrons from Panda was quoted as saying: “Obviously, those bot masters are either not concerned about going to jail or just plain stupid.”

This case also goes to show just how difficult these botnets can be to dismantle.  Even when the malware is known, even when the attackers are less than gifted, it can still be incredibly difficult to take down a botnet.  Mariposa was a rare slam dunk in that we were able to gain control of all of the C&C domains simultaneously and redirect them to our space.

Working with Panda and the FBI for the Mariposa takedown was a pleasure, and I’m glad to see that they’re staying on top of all the butterflies out there.  This is another example of how Law Enforcement, Researchers, and the private sector can work together to be more effective in the fight against online crime.

Congratulations to all those who worked on this, keep up the good fight.

Keith Murphy

Google Plus Anti-Malware

Google never rests, and is always mixing up something new to try out on its users. Some efforts have been failures and others have been welcomed by many. Recently, Google announced a seemingly one-time attempt at informing specific users of a possible malware compromise on their systems.

Currently they are a bit vague on the malware involved, but state in their blog that this particular malware uses a limited number of proxies to send traffic to Google. When a user compromised by this malware visits Google they are displayed a message at the top of their browsers saying, “Your computer appears to be infected.”

It must really be a very specific and limited means of terminating traffic that ends up at Google through these proxies for the company to display these messages with confidence. A wide range of malware utilizes Google in some way to carry out functions or as a form of communication. Some use Google resources as a way to spread malware, through fake Blogspot pages or hijacked web searches. Some malware just checks Google to make sure the compromised system has an internet connection.

This may only be a one-time event, but I wouldn’t put it past Google that this is an introduction into future areas of exploration into the anti-virus field. Why not? They dip their fingers into every other internet pot. Google Safe Browsing is already a sight people have grown accustomed to and understand as well as embrace.  Is Google going to capitalize on their already existing involvement in the malware world by taking the extra step toward their end users? Is Google AV on the horizon?

Matt Sully