Cyber security has never been such a hot issue as it is now. In the past few weeks Sony, RSA, Lockheed Martin and the CIA, among others, have suffered embarrassing cyber attacks.
So Nikolai Grebennikov, CTO of security specialist Kaspersky, is working in a growth industry.
As part of his role he heads up Kaspersky’s R&D division, which employs a third of the company’s 2,600 staff. This division is responsible for new product development and for all research in anti-malware, content filtering, spam and phishing protection, and data loss prevention (DLP) technologies.
Grebennikov sees fighting malware as the company’s primary activity, and it’s one where the cloud plays a pivotal role.
“When a new piece of malware tries to execute on a machine, the machine sends a query to the main Kaspersky database to determine the reputation of the file. From there we try to calculate the security rating for unknown files. We ask: what is the level of risk?”
If the file is unknown and not from a trusted source, intrusion prevention rules are applied to restrict its execution until more is known about it.
The cloud is used heavily in Kaspersky’s latest products. It is faster for the firm to update one central anti-virus (AV) database in the cloud and let customers’ locally installed AV software query it than to push an update to each product on every customer’s machine. The cloud also carries information in the other direction, from the users back to the firm.
“We also apply some statistical analysis methods in the cloud. Sometimes we can detect malware without having analysed it in our lab, we just analyse the incoming statistics from the users. It makes for a very powerful database.”
This means that the company’s customers in effect do some of Kaspersky’s research for it. Once a customer comes into contact with a new malware sample, the information is shared with the Kaspersky cloud.
This enables a fast response to new threats, since detection can happen in real time rather than waiting for an analyst in the lab to find time to pick the code apart.
“We can see if it was distributed from a trusted domain, and we can see its behaviour. If it attempted to add a new record to the system registry in critical keys, or tried to create new drivers for the system, we can say that there’s a large probability it’s malware.”
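The reputation query, the restriction of unknown files from untrusted sources, the behaviour heuristics just quoted, and the cloud-side statistics built from endpoint telemetry fit together as one pipeline. The following is an added illustration of that pipeline and is not Kaspersky’s code: the cloud database is a local dictionary keyed on the SHA-256 of the file, the trusted domain, the registry keys treated as critical, the weights, the threshold and the minimum report count are all assumptions chosen for the example, and the sample files and behaviour events are constructed.

```python
import hashlib
import statistics
from dataclasses import dataclass, field

# Constructed stand-in for the central reputation database. A real endpoint
# queries a remote service; the table is local here so the example runs offline.
REPUTATION_DB = {
    hashlib.sha256(b"constructed: known-good installer").hexdigest(): "trusted",
    hashlib.sha256(b"constructed: known-bad dropper").hexdigest(): "malicious",
}

# Constructed set of distribution domains the example treats as trusted.
TRUSTED_SOURCES = {"updates.example-vendor.test"}

# Registry locations whose modification is weighted heavily (illustrative list).
CRITICAL_REG_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)

# Illustrative weights, threshold and report count; a real product tunes these from data.
WEIGHTS = {"registry_write_critical": 40, "registry_write_other": 5, "create_driver": 50}
MALWARE_THRESHOLD = 50
MIN_REPORTS = 3

# Telemetry sent from endpoints back to the "cloud": file hash -> list of behaviour scores.
TELEMETRY = {}


@dataclass
class Sample:
    data: bytes
    source: str                                     # domain the file was downloaded from
    behaviours: list = field(default_factory=list)  # (event, detail) pairs observed at run time


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_reputation(data: bytes) -> str:
    """Endpoint -> cloud query: returns 'trusted', 'malicious' or 'unknown'."""
    return REPUTATION_DB.get(file_hash(data), "unknown")


def behaviour_score(behaviours) -> int:
    """Local heuristic: weight registry writes to critical keys and driver creation."""
    score = 0
    for event, detail in behaviours:
        if event == "registry_write":
            if any(detail.upper().startswith(k.upper()) for k in CRITICAL_REG_KEYS):
                score += WEIGHTS["registry_write_critical"]
            else:
                score += WEIGHTS["registry_write_other"]
        elif event == "create_driver":
            score += WEIGHTS["create_driver"]
    return score


def report_telemetry(sample: Sample, score: int) -> None:
    """Endpoint -> cloud: record what an unknown file did on this machine."""
    TELEMETRY.setdefault(file_hash(sample.data), []).append(score)


def decide(sample: Sample) -> str:
    """Return 'allow', 'restrict' or 'block' for a file that is about to execute."""
    verdict = lookup_reputation(sample.data)
    if verdict == "trusted":
        return "allow"
    if verdict == "malicious":
        return "block"
    # Unknown file: only a trusted source lifts the default restriction.
    if sample.source in TRUSTED_SOURCES:
        return "allow"
    score = behaviour_score(sample.behaviours)
    report_telemetry(sample, score)
    return "block" if score >= MALWARE_THRESHOLD else "restrict"


def promote_from_telemetry() -> list:
    """Cloud-side statistics: with no lab analysis, mark a hash malicious once enough
    endpoints have reported it and the median behaviour score crosses the threshold."""
    promoted = []
    for h, scores in TELEMETRY.items():
        if h in REPUTATION_DB:
            continue
        if len(scores) >= MIN_REPORTS and statistics.median(scores) >= MALWARE_THRESHOLD:
            REPUTATION_DB[h] = "malicious"
            promoted.append(h)
    return promoted
```

The median rather than the mean is used in `promote_from_telemetry` so that a single endpoint reporting an inflated score cannot on its own push a hash into the malicious set; the minimum report count plays the same role against a single poisoned submission. Note that keying reputation on a content hash means any change to the file, including a polymorphic repack, turns a known-bad file back into an unknown one, which is exactly why the local behaviour heuristics still run for unknown files.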
Mobile security, especially the security of the Android platform, is an increasingly important part of Kaspersky’s business. “We are one of the first vendors to create AV solutions for smartphones. In the near future we’ll release products for Android tablets,” says Grebennikov.
He describes three principal areas of risk for mobile devices. The first is malware: external threats that reach the device from the internet, or that are hidden inside supposedly safe apps.
The second is social engineering. This could be a link on Twitter posing as something the user would want to click on (often a titillating video) but which actually downloads malware, or a phishing attack in which the user receives an email purporting to be from their bank, perhaps with a link to their latest statement, that again leads to malware.
The third is privacy: protecting users’ personal information, such as their address or banking details.
“There is malware out there that tries to turn on the camera on your laptop or mobile device without your permission,” he explains. This could be used to attempt to read personal documents, or to spy on someone.
Attacks on mobile devices are increasing.
“In September 2010 we knew of only two major families of malware for Android devices. Already in March 2011 we know of about 90 different families of malware, and the nature of this malware is evolving.”