Ally in our defences

2006-01-01

Jeannette Jarvis

The Boeing Company, USA
Editor: Helen Martin

Abstract

'Information is ... our lifeblood for details about computer threats, impact and activity.' Jeannette Jarvis, The Boeing Company.


My organization is responsible for the protection of the computing infrastructure of The Boeing Company. This can be a monumental task.

Information is a strong ally in our defences. It is our lifeblood for details about computer threats, impact and activity. The sooner we know of any new threat and its exact payload, the sooner we can implement mitigation strategies. We already employ best practices to keep malware threats outside our company, but we back that up with additional countermeasures. We promote a defence-in-depth strategy that ensures multiple detection points for any new threat. This approach has proved beneficial, particularly on those rare occasions when a product fails to do its job, or when a security vendor does not get timely updates to us.

We monitor numerous anti-virus vendor websites, security vendor websites and alert streams, and other forums literally every hour of every day, screening for new information about computer threats. This constant search for new information allows us to implement protection measures even when the vendors we use are not publishing information or do not have detection available yet.

Our extensive monitoring has shown that many discrepancies exist between vendor write-ups. All security vendors must have current and correct information regarding all viruses listed on their web sites. There is always a concern that if the exploit information is not correct or complete, then the detection may not be correct or complete either. The integrity of the information you publish reflects the integrity of your products.

Sometimes a vendor will not publish new exploit information until an update is available. This is a disservice to customers who may be able to use that information to implement blocking measures to keep the threat out until the vendor can provide the detection updates. A top concern for us is getting information about exploits targeting vulnerabilities in products or operating systems that may not have patches available.

Two details we find valuable that are often missing from virus information are alias names and timestamps that reflect data changes. Providing alias names on all threats would allow the group that provides our monitoring service to correlate the information amongst vendors more easily. We are not suggesting that vendors provide every single alias name available, but provide at least a fair sampling. Of course having a Common Malware Enumeration (CME-ID) identifier for all threats would be the optimum situation. When vendors use a timestamp to reflect changes to their write-ups, we can peruse their sites more easily. Because we seek so much information, we need to be able to find new information quickly, without having to re-read the original details.

Some security providers seem apprehensive about sharing the complete details of threat propagation with corporate customers. I understand concerns regarding publishing links that give access to downloadable malware. For that reason, I advocate creation of two information streams: one for the general public, which does not include the entire malicious URL, and another for your corporate security analysts, who can handle that information correctly.

Some excellent sources of information have been instrumental in getting new threat information into our hands quickly. AVIEN and AVIEWS are grass roots forums that address information sharing. Both forums have given us critical and timely intelligence around exploits.

AVIEN and AVIEWS have also helped build collaboration between customers and security vendors. We really can do more together than we ever can alone. Just as these forums took information sharing to a new level, they are expanding the possibilities yet again with the inaugural webcast conference on January 18. This webcast is one more example of customer-led change.

We all need to continue to understand each other's information needs and work together to provide solutions. As Henry Ford stated 'Coming together is a beginning. Keeping together is progress. Working together is success.'

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2018 paper: Internet balkanization: why are we raising borders online?

Nowadays, walls are not just being raised in the real world, but on the Internet as well. Countries want to isolate themselves and shut down the information they are not comfortable with, or the companies they don’t want to do business with. Freedom…

VB2018 paper: Where have all the good hires gone?

Much ink has been spilled on the subject of the information security skills gap, and how difficult it is to hire and retain people for these positions. And yet, we all know someone who has had a hard time finding a suitable position despite having…

VB2018 paper: Little Brother is watching – we know all your secrets!

In their research, Siegfried Rasthofer, Stephan Huber & Steven Arzt evaluated the security level of the most popular family-tracking apps on Android. They assessed the security of the respective apps and conducted assessments of the corresponding…

VB2018 paper: Inside Formbook infostealer

Formbook is an infostealer that has been advertised for sale in public hacking forums since February 2016 by a user with the handle ‘ng-Coder' but only came to public attention after it was extensively used in spam campaigns in late 2017. This paper…

VB2018 paper: From Hacking Team to hacked team to...?

In this paper (presented at VB2018), Filip Kafka looks at the resurfaced Hacking Team spyware, and at what has changed since the company behind it faced a number of prominent hacks.


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.