IT Security Is No More Prepared to Deal With Malware Attacks Than Consumers

Despite ubiquitous efforts to educate both IT administrators and end users about digital security risks, surprisingly large percentages of both continue to behave in ways that open doors for cyberattacks, according to security studies released this week.

A third of consumers admitted they would open both an unsolicited email and the attachment it contained, even if it looked suspicious, as long as the subject line seemed credible or important enough, according to a survey of 1,000 consumers by market research firm TNS Global, which was paid for by email-security developer Halon.

Of the 94.7 percent of Americans who reported receiving at least one malware-infected email, 8.8 percent infected their own computers by opening the attachment, while 30 percent stopped just short of launching the infected attachment. The malicious emails most likely to be opened were those claiming to come from banking or financial institutions (15.9 percent), social media sites (15.2 percent) and online payment services (12.8 percent).

The study focused on consumers rather than business users, but the differences in behavior between the two are minimal when it comes to email-borne malware, according to David Kennedy, founder of security consultancy TrustedSec, as quoted in an Aug. 28 story at CSOOnline.

Convincing one third of email users to open generic, untargeted and suspicious-looking spam sounds like a phenomenal success rate, but it pales next to the 94 percent success rate TrustedSec achieves when it sends a client's employees slightly more targeted emails to gauge the scale of the risk involved.

It only takes an hour or so to come up with a subject line or email topic credible enough to fool most corporate users into opening a spam email, Kennedy told CSOOnline.

Lowering that risk requires ongoing training of end users and tuning of the anti-malware and anti-phishing controls on the network. However, the volume of spam carrying potential threats, the pressure on employees to read and process large numbers of legitimate emails daily, and the lack of any security system that can stop users from opening infected emails in every case leave most organizations almost helpless to prevent attacks based on spam, phishing or spear-phishing, he said.

According to another study, however, the datacenter and security specialists who should be educating users and building systems to filter threats from email are often appallingly ignorant of the frequency and type of attacks directed against their organizations.

Of the 250 organizations polled by market research firm Information Security Media Group, half admitted having suffered some form of cyberattack during the past year. Of those attacks, 65 percent resulted in downtime for systems or end users and 19 percent resulted in lost data for the victimized company.

Of the companies that detected attacks, 13 percent admitted not knowing whether an attack had come from generic malware-infected spam or from spear-phishing or other efforts that targeted their company in particular.

“That’s shocking,” Bit9 CSO Nick Levay told CSOonline. “I was expecting that to be a single-digit number, and a low single-digit number at that.”

The study was sponsored by security software developer Bit9 (PDF available here; registration required).

The study showed that 70 percent of security experts at the organizations polled believe PCs and other end-user devices are the biggest source of potential infections, yet their organizations are still adapting from a gateway-and-firewall approach to security to one that protects individual machines or the data itself.

While most respondents said their servers and endpoint hardware have some anti-virus or anti-malware protection based on signatures of known threats, two thirds rated their ability to protect against zero-day or other unknown threats as average or nonexistent.

All but two percent of respondents said their security budgets are stable or rising for 2014, however, and that enhanced detection is the No. 1 priority (45 percent of respondents), followed by awareness and training (44 percent) and endpoint or server monitoring (39 percent).

That may be a step in the right direction, but it doesn’t close the awareness gap that leaves even corporate security pros unaware of the source of attacks, despite an almost constant stream of both malicious spam and warnings about it.

“It made me think that many organizations are not doing an adequate job tracking metrics having to do with security,” Bit9’s Levay said. “There is a huge blind spot when it comes to server and endpoint visibility.”


Image: Maksim Kabakou/