Operating system improvements
Operating systems must become more malware resistant. Microsoft has significantly improved Windows over the last decade. Modern versions of the operating system provide granular role-based privileges, but they continue to suffer from the same architectural weakness that has haunted Unix-like systems since the 1970s: The Administrator account, required to install software and perform important system administration tasks, is also allowed to modify the operating system.
In practice, many Windows users perform day-to-day tasks while logged in with administrator privileges. While this can be avoided by following best practices, a better solution is to prevent this behaviour in the first place. Desktop and mobile operating systems should dispense with the notion of an all-powerful root or administrator account, and allow carefully controlled role-based privilege escalation to perform tasks such as operating system updates, installing software, and managing other system users.
Stronger separation between the operating system and applications is also required; users granted permission to install applications should not be able to modify the OS. Apple has taken a solid step in the right direction: System Integrity Protection, introduced in OS X El Capitan, prevents even the root user from modifying protected operating system files and directories unless the protection is deliberately switched off from the recovery environment. Malware that cannot disable that protection is therefore limited to persisting in a user context rather than inside the OS itself.
The best anti-malware solution would allow only authorized software to execute. In a simple scenario, such as a user accidentally downloading malware, it would never run. In more complicated scenarios, such as web browser plug-in vulnerabilities, solid execution controls would stop subsequent infection stages.
The major challenge with execution control is making it practical and easy to use. Some progress has been made by adopting a policy-based approach instead of whitelisting individual files. For example, executables could be whitelisted based on the directory, file share, or web site from which they were obtained. A path-based rule is only as strong as the permissions on that path, however: if an approved directory is writable by ordinary users, malware can simply copy itself there, so approved locations must be writable only by administrators or the software installer. Much more work is required; the leading products still require extensive professional services to implement and are more suitable for static server configurations. Execution control products will not address the ransomware problem until they can be easily deployed to desktops and laptops.
It is painfully obvious that signature-based antivirus products do not provide adequate protection from malware. In the long term, whitelisting remains a more secure approach, but applying machine learning to malware detection also shows great promise.
Malware creators can quickly modify or wrap code to evade signature-based detection. This makes it extremely difficult for traditional antivirus vendors to detect targeted and quickly evolving threats. As a short-term solution, some products execute suspected malware in a virtual environment (a sandbox) and monitor how it behaves. Malware creators quickly responded with countermeasures: checking for virtualization artifacts, delaying execution, or waiting for user interaction before unpacking the real payload, so that the sandbox sees only benign behaviour.
Hiding core functionality within malware is more difficult. For example, while code can be obfuscated, there remain fundamental differences between a word processor and ransomware designed to mass encrypt files. This, in theory, gives machine learning-based endpoint security products an edge when it comes to detecting new malware.
The question as to whether malware creators will, over time, be able to create malware that is statistically indistinguishable from non-malicious software remains unanswered.
Network-level controls provide an opportunity to prevent malware downloads, block command and control traffic, and prevent data exfiltration. Products that intercept and analyze DNS traffic are ideally positioned to provide an additional defensive layer. Unlike firewalls that deal primarily with IP addresses, DNS queries contain insight into the client or application’s intent. For example, a series of queries for nonexistent domains with random character strings is likely representative of malware using a domain generation algorithm (DGA) to contact a command and control server.
As DNS-based defenses evolve, so will malware, and it is possible that malware creators will abandon DGAs for other command and control channels. Currently, DNS-based products appear capable of providing a valuable line of defense.
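The DGA pattern described above is easy to pick out of resolver logs: one client producing a burst of NXDOMAIN answers for names whose labels look random, followed by one random-looking name that does resolve (the live command and control domain). The following detector is an added example written for this column's point; it is not code from any of the products discussed. The log excerpt is constructed for illustration, the thresholds are assumptions to be tuned per environment, and the second-level-label extraction assumes a plain two-part suffix such as .com rather than consulting the public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log excerpt for this example (not captured traffic).
# Each line: "<timestamp> <client-ip> <query-name> <rcode>". The burst of
# NXDOMAIN answers for random-looking names from 10.0.0.9 is what a DGA looks
# like from the resolver's side; 10.0.0.7's single NXDOMAIN is just a typo.
SAMPLE_LOG = """\
2016-06-01T10:00:01 10.0.0.7 www.example.com NOERROR
2016-06-01T10:00:02 10.0.0.7 wwww.example.com NXDOMAIN
2016-06-01T10:00:04 10.0.0.7 mail.example.com NOERROR
2016-06-01T10:00:05 10.0.0.9 xkq7zpl3mfw.com NXDOMAIN
2016-06-01T10:00:05 10.0.0.9 q8vbn2tylz0ac.net NXDOMAIN
2016-06-01T10:00:06 10.0.0.9 r4hgw1pmyx.org NXDOMAIN
2016-06-01T10:00:06 10.0.0.9 jz3kfd9ubqe.com NXDOMAIN
2016-06-01T10:00:07 10.0.0.9 w5ytm2anhcl.net NXDOMAIN
2016-06-01T10:00:07 10.0.0.9 bp6sxo8rvg.com NOERROR
2016-06-01T10:00:09 10.0.0.7 cdn.example.com NOERROR
"""


def shannon_entropy(label):
    """Bits of entropy per character; a random label scores near log2(alphabet size)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_label(qname):
    """Second-level label of a name. Assumption: a plain two-part suffix such as
    example.com; a real deployment would use the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def suspect_dga_clients(records, min_nxdomain=5, min_entropy=3.0):
    """Flag clients whose NXDOMAIN answers are both numerous and high-entropy.
    A single typo is NXDOMAIN but neither numerous nor random, so the two
    thresholds (assumed values) keep it out. For a flagged client, also report
    random-looking names that DID resolve: those are the live C2 candidates."""
    nx = defaultdict(list)
    resolved = defaultdict(list)
    for r in records:
        ent = shannon_entropy(registered_label(r["qname"]))
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]].append(ent)
        elif ent >= min_entropy:
            resolved[r["client"]].append(r["qname"])
    flagged = {}
    for client, ents in nx.items():
        mean = sum(ents) / len(ents)
        if len(ents) >= min_nxdomain and mean >= min_entropy:
            flagged[client] = {
                "nxdomain": len(ents),
                "mean_entropy": round(mean, 2),
                "resolved": resolved.get(client, []),
            }
    return flagged


if __name__ == "__main__":
    for client, info in suspect_dga_clients(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

Entropy alone is a weak signal, since content delivery networks and cloud services also use random-looking hostnames; what separates a DGA is that most of its names do not exist, which is why the detector keys on the NXDOMAIN count first and uses entropy only to distinguish random labels from ordinary typos. It also only sees what the resolver sees: a client that bypasses the corporate resolver, or malware that switches to hard-coded IP addresses, never shows up here.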
Reliable backups remain the ultimate defense against ransomware attacks, as well as natural disasters, various crimes, simple mistakes, and hardware failures. To be effective against ransomware, backup systems must provide versioned storage. In other words, previous versions of changed and deleted files must be retained, because a backup that simply mirrors the current state of the disk will faithfully copy the encrypted files over the good ones. The backup target must also be out of reach of the infected machine: ransomware that can write to a mapped backup drive or share will encrypt or delete the backups too, so old versions belong somewhere the client can add to but not alter or remove. With hard drive costs of around CDN $0.04/GB, it is reasonable for most individuals and businesses to maintain old versions of files for months or even years.
Many online services, software packages, and storage systems already have versioning features, and more are likely to appear on the market to help preserve data integrity and availability.
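To make the versioning requirement concrete, here is an added example (written for this column, not the code of any backup product) that models a versioned backup target alongside a plain mirror and runs the same simulated ransomware incident against both. The store is a hypothetical in-memory model: blobs are content-addressed so unchanged files cost nothing extra per run, every write or delete appends to a per-path history, and pruning expires old versions without ever losing the ability to restore to the retention cutoff. File contents, timestamps and the "ciphertext" bytes are constructed for the scenario.

```python
import hashlib
from collections import defaultdict


class VersionedStore:
    """Hypothetical in-memory model of a versioned backup target (constructed for
    this example). Content-addressed blobs plus an append-only history per path."""

    def __init__(self):
        self._blobs = {}                    # sha256 hex -> bytes
        self._history = defaultdict(list)   # path -> [(ts, digest or None)]; None = deleted

    def put(self, path, data, ts):
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, data)            # identical content stored once
        self._history[path].append((ts, digest))        # assumes ts is non-decreasing per path

    def delete(self, path, ts):
        self._history[path].append((ts, None))          # tombstone; older versions are kept

    def version_as_of(self, path, ts):
        """Content of path as it stood at time ts, or None if it did not exist then."""
        current = None
        for when, digest in self._history.get(path, []):
            if when > ts:
                break
            current = digest
        return None if current is None else self._blobs[current]

    def latest(self, path):
        return self.version_as_of(path, float("inf"))

    def blob_count(self):
        return len(self._blobs)

    def prune(self, retain_since):
        """Expire versions older than retain_since, but keep the newest version at
        or before the cutoff so every path stays restorable to that point."""
        for path, versions in self._history.items():
            older = [v for v in versions if v[0] < retain_since]
            kept = [v for v in versions if v[0] >= retain_since]
            self._history[path] = older[-1:] + kept
        live = {d for vs in self._history.values() for _, d in vs if d is not None}
        self._blobs = {d: b for d, b in self._blobs.items() if d in live}


class MirrorStore:
    """A plain sync/mirror target for contrast: it keeps only the current copy,
    so it faithfully replicates the ransomware's overwrite and deletion."""

    def __init__(self):
        self._files = {}

    def put(self, path, data, ts):
        self._files[path] = data

    def delete(self, path, ts):
        self._files.pop(path, None)

    def version_as_of(self, path, ts):
        return self._files.get(path)                    # a mirror cannot go back in time

    def latest(self, path):
        return self._files.get(path)


ATTACK_TS = 300


def run_scenario(store):
    """Normal edits, then a simulated ransomware run at ATTACK_TS that overwrites a
    document with constructed 'ciphertext', drops a ransom note and deletes a file."""
    store.put("docs/report.txt", b"draft v1", ts=100)
    store.put("docs/notes.txt", b"meeting notes", ts=150)
    store.put("docs/report.txt", b"draft v2, reviewed", ts=200)
    store.put("docs/report.txt", b"\x8f\x1a\x9c\xd4 encrypted-by-example-ransomware", ts=ATTACK_TS)
    store.put("docs/README_DECRYPT.txt", b"pay to decrypt", ts=ATTACK_TS)
    store.delete("docs/notes.txt", ts=ATTACK_TS)
    return store


def recover(store, paths=("docs/report.txt", "docs/notes.txt")):
    """Restore each path to its state just before the attack."""
    return {p: store.version_as_of(p, ATTACK_TS - 1) for p in paths}


if __name__ == "__main__":
    print("versioned:", recover(run_scenario(VersionedStore())))
    print("mirror:   ", recover(run_scenario(MirrorStore())))
```

The versioned store hands back the reviewed draft and the deleted notes; the mirror hands back ciphertext and nothing. Note that the model assumes the infected client can only call put and delete, never prune: a real deployment has to enforce that separation, because retention is worthless if the ransomware can expire the old versions itself.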
Have a security question you’d like answered in a future column? Eric would love to hear from you.