
Don't Be Hoodwinked: Proactive Protection Isn't 'Easy'

September 4, 2007


Despite Microsoft's campaign to promote Forefront, its family of client, server, and edge security products, there's nothing easy about combating cyber criminals, who constantly refine their attack methods.


It was only a passing comment, but when Arno Edelmann, Microsoft's European business security product manager, spoke with ZDNet UK earlier this year about the company's OneCare security suite, he may have divulged more than he realized.
"Microsoft is not a security company," Edelmann told a reporter. "Security is important, but it’s just a little part of Microsoft."
Edelmann's observations are particularly revealing in light of Microsoft’s widespread "easy, easier" marketing campaign to promote Forefront, its family of client, server, and edge security products. As Microsoft describes it, "the goal of this campaign is to emphasize Microsoft's competitive differentiation in making security products easier to deploy, implement and manage."
This article examines how the issue of ease of use must be viewed in perspective, especially given the current Internet threat environment, which is characterized by an increase in data theft, data leakage, and the creation of targeted, malicious code for the purpose of stealing confidential information. Despite Microsoft's claims about Forefront (e.g., "beating back pirates. easy. beating back spyware. easier."), cyber criminals continue to refine their attack methods in an attempt to remain undetected and to create global, cooperative networks to support the ongoing growth of criminal activity.

The reality of today's threat environment

For the financial services industry, the latest Symantec Internet Security Threat Report offers a sobering reminder that monitoring security risks and providing in-depth protection are anything but easy. Consider:
  • Symantec reported more than 6 million distinct bot-infected computers worldwide during the second half of 2006, a 29% increase over the previous period. Over the same period the number of command-and-control servers used to relay commands to these bots fell by 25%, indicating that botnet operators are consolidating: rather than building new networks, they are growing the ones they already control.
  • Trojans constituted 45% of the top 50 malicious code samples, representing a 23% increase over the first six months of 2006. This significant increase suggests that attackers appear to be making a shift away from mass-mailing worms toward using Trojans.
  • Symantec documented 12 "zero-day" vulnerabilities during the second half of 2006, marking a significant increase from the one zero-day vulnerability documented in the first half of 2006, increasing the exposure of consumers and businesses to unknown threats.
  • Underground economy servers are being used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and PINs, user accounts, and email address lists.
  • Theft or loss of a computer or data storage medium, such as a USB memory key, made up 54% of all identity theft-related data breaches in the second half of 2006.
As Arthur Wong, senior vice president, Symantec Security Response and Managed Services, has put it: "The Internet threat landscape is now characterized by highly sophisticated, multi-stage threats aimed primarily at financial gain."

The security implications of Windows Vista

The current threat environment is also certain to be affected by the release of a new version of Microsoft Windows. With the introduction earlier this year of Windows Vista, Microsoft leveraged a number of security technologies in order to mitigate several classes of attack that have historically plagued the Windows operating system.
The inclusion of some of these technologies in earlier versions of Windows, such as Windows XP and Windows Server 2003, has already resulted in a decline in the number of attacks that focus on core operating system components. As a result, Symantec has seen an increase in the number of attacks that target the applications running on top of the operating system, such as office productivity suites and Web browsers. While Microsoft has invested heavily in protecting the core operating system, attackers have already moved on.
In fact, according to Symantec's latest Threat Report, 66% of all new security vulnerabilities reside in the Web application layer. Windows Vista provides no enhanced security in this space: the majority of today's vulnerabilities are found in Web applications written in PHP, Python, Perl, ASP, and other languages, where operating system hardening does not reach. In addition, new Web 2.0 technologies such as AJAX provide an entirely new layer on which tomorrow's threats will propagate.
Windows Vista in and of itself is not a security solution; rather, it is a more secure version of Windows. Symantec continues to see the user as the weakest and most targeted link, as social engineering attacks become more elaborate in order to undermine the security technologies within Windows Vista. Symantec also predicts that the greatest exposure to risk will come from third-party software, which is less likely to employ all the security features available.

Comprehensive protection

To protect themselves against the organized and targeted wave of crimeware attacks, financial services institutions need client security solutions designed to protect against the new threat environment. Perimeter defenses aren't enough; neither is basic antivirus technology. Organizations need multilayered client security that integrates antivirus, spyware, vulnerability-based intrusion prevention, file-based intrusion prevention, and outbound/inbound traffic control.
As their number one priority, financial services institutions must first implement this multilayered, integrated solution on all of their laptop computers—the favored target of crimeware developers. They then need to follow up by adding this protection to all of their network clients, including clients inside the network infrastructure and at any remote sites that connect to the enterprise network, as well as clients that connect from users' homes.
Symantec advocates a solution that automatically detects and repairs the effects of spyware, adware, viruses, and other malicious intrusions in real time. Its vulnerability-based intrusion prevention works in concert with antivirus and traffic control tools to detect and block known, unknown, and emerging exploits of those vulnerabilities, helping to keep systems safe and protect an organization's valuable and confidential information.


The threat environment has changed profoundly in recent years. The majority of today's threats have specific targets, and the attacks are now silent, often going unnoticed until it's too late. The reason that the threat paradigm has changed is that the perpetrators of attacks and their objectives have changed. Glory-seeking individuals aren't the ones behind these new-style attacks. The instigators come from the depths of organized crime, bent on reaping financial gains.
As threats to today's environment continue to evolve in complexity and frequency, more advanced and integrated protection will be required. Businesses today need to evaluate any security product before deploying it, looking especially closely at those products that don't have a security track record. It isn't easy.
