Following the release of Symantec's 15th Internet Security Threat Report (ISTR) and with the UK's largest security event InfoSec 2010 due to take place next week, Computing caught up with Symantec's senior director of its global security response operations, Kevin Hogan, to talk about malware trends, and what firms can do to protect themselves.
Computing: What does your job entail?
Kevin Hogan: My team monitors the internet, keeping an eye on the threat landscape and our customers.
Are today's threats different from those of, say, three years ago?
The threats haven't changed much in three years; there doesn't seem to have been a huge amount of evolution. However, the enterprise sector is increasingly the subject of targeted attacks.
Where do these attacks originate?
Email. An attacker tends to work on a PDF-based vulnerability - if they can get a user to click onto a PDF in an email, they can exploit the vulnerability through Adobe's standalone PDF Reader.
Alternatively, an attacker can achieve the same effect by hosting the file on a malicious web site and emailing a link to their target, thereby exploiting the PDF flaw through a browser plug-in.
The flaw may be the same, but the way it's exploited is different. Specific attacks on enterprise employees tend to be conducted via an emailed PDF rather than a web site link.
It's probably easier to get the target to click onto a PDF if it is disguised as something the individual might be interested in.
What advice should a chief security officer (CSO) give staff about combating this type of threat?
First, the CSO needs to be clear on who exactly is being targeted.
The more high profile and dangerous attacks tend to have a couple of targets. One target is senior personnel within the organisation, not the average employee.
A lot of effort is put into training employees, but sometimes this training does not reach the more senior staff.
In other cases, people who have access to domain servers or other resources within an enterprise such as IT personnel are targeted.
In several cases, IT personnel who were part of outsourced/offshored IT used by the company were the targets. The attack would then spread throughout the organisation.
The emerging market trends we highlighted in our ISTR [showing an increase in malicious activity in India and Brazil] are the result of these targeted attacks.
Numerous fairly well-known brands, with sound internal IT security, have been attacked from the offshored or outsourced part of the business.
Which is more important when it comes to combating these attacks: people or technology?
It's a combination of both.
User education is key. When you're talking about enterprises, of course anti-virus software has a role to play – but I liken it to seatbelts and airbags in a car. The driver still needs to know the rules of the road.
Five years ago I could have given a number of tips on how to avoid these attacks, such as don't visit gambling or porn web sites and don't double-click on attachments to emails.
It's more difficult now, though, because so much of the activity looks innocuous. You have otherwise above-board web sites hosting malware, after being hacked into, with banner ads being hijacked and infected, too. You don't need an attachment in an email any more.
Will desktop virtualisation make enterprises more secure?
It won't make infection less likely, but it does allow firms to deal with a breach more easily.
Virtualisation should be a key strategy for firms.
Have Windows 7 rollouts made enterprises more secure?
No, I'd say the effect has been negligible; enterprises haven't taken Windows 7 up yet.
Our customers are still almost uniformly on XP Service Pack 3, and more often than not SP2, with a smattering of Windows NT and 2000.
What are your views on the current web browser problems?
Well, nobody should be using Internet Explorer (IE) 6. I would urge all Computing readers to avoid that browser version.
More recent offerings like IE 8 and Firefox 3 are a lot more secure than previous browser generations.
If you look at the statistics in our ISTR around browser vulnerabilities, Firefox had far more vulnerabilities in 2009 than IE had.
Does that mean that Firefox is less secure than IE? A lot of people consider it better.
The fact that a browser has had more reported vulnerabilities could mean a number of different things.
It could mean that the browser is inherently insecure because it has many more holes, or alternatively it could mean that it's more secure because people have spent more time looking through the code and dealing with these issues.
It's hard to make judgments about browsers on their reported vulnerabilities.