Navigating the New Cybercrime Threatscape, Part 3
Those who intend to fight against malware distributed by cybercrooks might do well to look to a term first coined by an Air Force colonel. "OODA" stands for Observe, Orient, Decide and Act, and it's a strategy that can help you increase your resistance by becoming more aware of the real-world threats we face.
With the constantly evolving Internet security threatscape, being able to actually get a grasp on the latest threats, let alone arm oneself against them, can seem overwhelming.
While there are seemingly limitless best practices in regard to cybersecurity, below are several that should help reduce the likelihood of becoming a victim of cybercrime.
The OODA Loop
As stated in previous entries to this series, cybercriminals have typically had the inside edge in the race between cybercrime and cybersecurity. One of the strategies that has the potential to change this losing streak is called "OODA" -- Observe, Orient, Decide and Act. This acronym was a revolutionary concept created by U.S. Air Force Colonel John Boyd in the early 1960s.
Colonel Boyd observed that when two adversarial forces are maneuvering, there is a tendency for one side to be constantly outmaneuvered. One side is deciding and acting before the other side can make a move. When one party gets locked into only Observe/Orient and is unable to Decide and Act, they are at the complete and utter mercy of the other party.
OODA's roots go back to the Vietnam War. The challenge was that too many American pilots were becoming casualties of poor air-to-air tactics against the smaller, more agile, and significantly less costly Russian MiG aircraft. When the U.S. Navy instituted TOPGUN to combat the MiG exchange ratio, its educational effort showed dramatic results. The exchange ratio increased nearly three times from just under 4:1 to 13:1, according to Benjamin Lambeth's The Transformation of American Airpower.
It's not a stretch to take these lessons learned in the air and transfer them to a different kind of battle -- the one against cybercrime. First, let's compare cybercrime and its victims to the scenario Colonel Boyd faced. Cybercriminals are inside corporate OODA loops every time they steal data. They are inside consumers' OODA loops every time an online scam or phishing attempt works. Cybercriminals are global and often well-organized, though their organizations tend to be smaller and more maneuverable than most corporations. Additionally, some criminals are sheltered by certain countries' policies and laws, or the lack thereof. Their thefts fuel their home country's economy, and they aren't prosecuted if the crime is beyond the border. Combined, all of these factors allow cybercriminals to gain an advantage and outmaneuver their victims.
Just as TOPGUN education provided better decision-making skills for Navy pilots, you increase your resistance by becoming more aware of the real-world threats we face. Successful businesses employ OODA loop tactics against their competition. They are quicker off the start and are constantly crushing the market. With cybercrime, that's where we all want to be, and hopefully some of you are there right now.
If you look at where antivirus technology was versus where it is today, one can see that the industry has grown and changed tremendously. In the past, there were static signatures, which were somewhat easy to defeat over time, and they opened a "window of vulnerability" -- the time from when an exploit was discovered to when a signature was created and globally distributed. Static signatures were followed by heuristic analysis of applications. In the past, this method had been plagued with a high number of false positives (which can be as time-consuming and disruptive as having real malware on a system).
Fast-forward to today: Leveraging active/passive heuristics and static signatures for exceedingly high performance and detection with very low false-positive rates has proven to be a very successful combination. This is the best of both worlds and is able to scale with the ever-increasing prevalence of malware creation and distribution. Even with a technology such as whitelisting, there are pros and cons, and its implementation will have to be evaluated for a particular organization's model. Whitelisting, while requiring fewer updates than traditional antivirus signatures, requires constant maintenance and querying of an ever-growing database of "allowed" applications, as well as their patches, updates and hotfixes, transferring the burden of analysis from antivirus companies' malware researchers to system administrators. Once an application is determined to be legitimate, it is allowed to run on the host system. If the application in question is, instead, malicious, then effective (active) heuristic analysis will be able to determine the application's intentions and flag it as malicious.
The Future of Antivirus
What we are seeing today is the convergence of several solutions into comprehensive security packages that address multiple security issues -- including malware. Security/antivirus has historically been an afterthought in the development of applications and operating systems.
Today, application and operating system vendors are taking a more active role in securing their products -- but we still have quite a distance to travel. With the number of mergers and acquisitions among antivirus vendors over the last few years, one can clearly watch the antivirus landscape morph into different models and meta-solutions. I see antivirus not as dead or dying, but changing to meet the threat from vectors that were not viable at the beginning of the antivirus industry.
While no single measure is a panacea for every cybercrime woe, there are some easy rules to follow to help ensure a good layer of online protection.
- Use strong passwords. It's a lot harder for a criminal to steal your information if they can't get through the front door.
- Keep systems updated and patched. This pertains to applications as well as operating systems and security software.
- Become aware that risk from Internet-connected machines will never be 0%. The realistic goal is to reduce the risk to an acceptable level.
- If you are sent a link or attachment (via email, instant message and so forth), verify it with the sending party. It takes a moment to check -- but it may take hours or days to clean an infected system.
- Use a residential broadband gateway router between your computer and your broadband provider's modem to break the direct link the Internet has to your home computer.
- Periodically test your backups by restoring them.
While most of the above practices can also be applied to business computing, because of the increased number of people involved (and therefore decreased security), there are additional guidelines for businesses:
- Simplify security for the end users. The more complex it is, the less inclined users are to use it.
- Keep systems updated (patched). This includes applications as well as operating systems.
- Partner with the government and academia.
- Educate end users, and make this an ongoing process.
- Inventory assets. Know what's on your network.
- Use business assets for business only. By doing this in conjunction with an effective policy (and enforcement), the risk level can be reduced dramatically.
- Run network audits regularly (log files, anomalous traffic, etc.).
- Hire a security firm to help secure your business.
With this basic outline in place, next week's piece, the final one of the series, will look to what resources are available to guide you along the path to a safer online existence.
Jeff Debrosse is the North American research director at ESET.