Malware on a corporate network.

Almost every day there are new reports of companies falling victim to malware in one form or another. Most of us read these stories and quietly hope the same fate does not befall us. A recent example is Mitsubishi Heavy Industries, where a reported 80 servers and computers were infected. Once 80 computers on a network are infected, what confidence would I have that the problem was isolated to just those machines? Coupled with a report from Trend Micro (Trend Micro finds 100% of enterprises had undetected malware), it becomes worrying just how large the scale of the problem may be.

It will be interesting to see over the coming months whether malware designed to attack behind corporate firewalls becomes significant or whether it is just too hard a target for malware writers to worry about.

Once malware is inside a corporation, what are the consequences, and what approach should a company take to mitigate the risk? For the purposes of this blog I am not going to focus on Advanced Persistent Threats (APTs), as the risk is extremely low for most companies. Instead I ask how damaging a generic, untargeted piece of malware could be.

My first consideration was: once malware is on a corporate network, would it be easy for it to spread? If the malware cannot pass from machine to machine, the risk is relatively low. A quick investigation highlighted three possible attack vectors:

  • Email;
  • DHCP attack;
  • Collaborative environment (e.g. SharePoint).

It is well documented that most email in the world is spam, and filters have reached a level where the vast majority of it is removed without us ever seeing it. This level of protection is rarely applied to internal email. The problem is exacerbated by the implicit trust an email from a colleague carries, particularly one from a board member or HR. It is therefore not unreasonable to imagine that malware aimed at damaging a corporation may use a vector that has been effectively closed on the internet.

An interesting weakness comes from DHCP, which is universally used in corporate networks to assign IP addresses to machines. This mechanism has been successfully used in attacks to trick PCs into using a rogue DNS server, which gives the malware a way to spread further.
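As an added example (not part of the original post), here is a small Python checker for the DHCP vector just described: it parses the options of a captured DHCP OFFER/ACK and flags a server identifier or DNS server list that is not on the corporate allowlist. The allowlist addresses and the packets are constructed for the example; a real deployment would feed it frames from a DHCP snooping log or a span port.

```python
# DHCP: 236-byte BOOTP header, then the magic cookie, then TLV options (RFC 2131/2132).
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_DNS_SERVERS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255

# Assumed allowlists for a hypothetical corporate network (constructed for this example).
AUTHORISED_DHCP_SERVERS = {"10.0.0.2"}
AUTHORISED_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}


def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a raw DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses, ignoring a trailing partial address."""
    return [".".join(map(str, raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def check_offer(packet: bytes) -> list:
    """List the reasons an OFFER/ACK looks rogue; an empty list means it is clean."""
    opts = parse_options(packet)
    if (opts.get(OPT_MSG_TYPE) or b"\x00")[0] not in (2, 5):  # 2 = OFFER, 5 = ACK
        return []                   # clients only adopt settings from OFFER/ACK
    findings = []
    server = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in AUTHORISED_DHCP_SERVERS:
        findings.append(f"unauthorised DHCP server identifier {server}")
    for dns in ipv4_list(opts.get(OPT_DNS_SERVERS, b"")):
        if dns not in AUTHORISED_DNS_SERVERS:
            findings.append(f"DNS server {dns} is not on the corporate allowlist")
    return findings


def build_offer(server_id: str, dns_servers: list) -> bytes:
    """Construct a minimal DHCPOFFER (op=2 BOOTREPLY, other header fields zeroed) for testing."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dns = b"".join(ip(d) for d in dns_servers)
    options = bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4]) + ip(server_id)
    options += bytes([OPT_DNS_SERVERS, len(dns)]) + dns + bytes([OPT_END])
    return bytes([2]) + bytes(235) + DHCP_MAGIC + options
```

A clean offer from 10.0.0.2 handing out the two corporate resolvers yields no findings; an offer from another server, or one pointing clients at an outside resolver, is reported so the network team can trace the source.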

Collaborative environments provide an effective storage area from which infected material can be distributed. Users are very likely to treat material stored in such an environment as a trusted resource, which opens another mechanism for malware to spread inside a corporation.

So a cursory glance easily identifies a number of vectors; it would be a safe bet that a dedicated team of hackers could invent an innovative and difficult-to-detect mechanism. Once a large number of PCs are affected, it is likely to take significant time and resources to return the systems to a clean state.

As such, an attack aimed at damaging a corporate network should be viewed in a similar fashion to a physical attack. I therefore propose that this sort of attack should be listed in the business continuity plan, as required by ISO 27001. Businesses that have planned for this style of attack are far more likely to recover quickly and return to business as normal. Most businesses will be able to quantify the cost of downtime. What is missing from the equation is the likelihood that such an attack will occur. No magic formula exists for this, but as more businesses are attacked it will no longer be reasonable to put the risk of it occurring at 0.

IPL is an IT services company specialising in the delivery of intelligent business solutions. Our Information Security Management System is certificated to ISO/IEC 27001:2005. Clients entrust IPL with their most sensitive and critical systems knowing that we will not let them down. We are utterly focused on providing a great service; we never play politics, and always fulfil our commitments. Our record of successful delivery is exemplary.
