While we have all this attention on Flame, we’ll take this opportunity to define a few concepts to help you understand the coverage. This will be an article in two parts: The first will be about the importance of using layered defense, and describing a specific kind of anti-malware detection called “generic detection”. The second part is about the importance of you – the customer – in the fight against malware.
If you’ve read a few computer security articles, you’ve undoubtedly heard how important it is to use a layered defense. If you’ve not, here is the general idea: Don’t rely on just one technology to protect your computer; use anti-malware software with firewall, for instance. But why is that? Why can’t one technology protect us against everything?
Each technology has its strengths and weaknesses because of the way it’s designed to protect your system. By combining layers, you can give your machines a good amount of overlap that will help prevent against even the newest threats.
Think of your home network like a town. There are many ways to keep your town safe, and each has its benefits and its drawbacks. You could have a police force that investigates crimes and locks up known criminals. You could put up a gate around the town, with guards at the entrances. You could put up a wall with armed watchtowers all along its length. You could even carve your town into the top of a remote mountain, or build a station at the bottom of the sea.
Most towns won’t need the level of protection in the last two examples. Those more-accessible places prefer for their citizens to come and go as they please, and they simply don’t have anything that they feel the need to guard that heavily. Most towns won’t even go so far as to put up a gate. These places that are not totally locked down deal with a certain amount of crime. This is the cost of freedom of movement, and in real life most people employ additional protection to improve their own personal safety.
Most people live in a home; this affords them a certain amount of additional safety. Those homes sometimes have locks on doors or windows, and sometimes they even have automated security systems. The people who live in those homes sometimes own weapons to give them further protection. These are all layers of protection, which people can add or subtract depending on a combination of how much they have to spend on security, how comfortable they are with the specific methods, or how far they’re willing to go to protect what is inside their home.
Similarly, there are lots of ways to protect your network and the machines that connect to it. You could use an anti-malware product, or you could use a firewall, or you could use any of the many other types of security tools. These things can all add up to a more robust defense. There are pros and cons to each type of defense, and you must ultimately judge for yourself what resources you have to spend on security, how comfortable you are with the technology, and how much restriction you are willing to accept to protect what’s on your network.
Let’s delve a little more deeply into one part of the anti-malware part of your potential security arsenal, to shed some light on one of the more advanced detection techniques. At a basic level, anti-malware looks for known threats. First someone discovers a threat, and then researchers analyze it. At that point, the researchers can add detection and removal for the threat.
We’ve collectively been analyzing threats for a really long time now, and in that time we’ve learned to identify some patterns. These patterns are what we use to create “generic detection”.
Malware frequently exhibits certain specific traits that are not frequently exhibited by innocent software. Notice my use of the word “frequently”, not “always”. How do you tell the difference between remote desktop applications and backdoor trojans, generically? Both allow a remote user total control of the target machine. It can be very tricky, but not impossible, to tell these two types of things apart. Researchers tread an exceedingly fine line between crafting detection for suspicious behavior and tagging innocent software unfairly.
How does this pertain to Flame?
It appears that some components of the Flame malware have been around for two years. Other components appear to have been released at various points in the last year. Whether this means some version of Flame has been affecting machines for two years may forever remain a mystery. What we do know is that for those two years, there was detection in some anti-malware products, mostly using generic detection.
But even if the systems that were infected by Flame didn’t have a product that detected parts of this threat generically, they could have been protected by other technology. If they had a firewall in place, it could have detected connections going out to the spy controlling it. Or the firewall might have detected the connection from the spy back into the infected computer. Either way, they could have been alerted to the intrusion. And there are many other types of security tools that could have detected strange behavior before any damage was done.
The same goes for all those run-of-the-mill threats that continue to infect users of both Windows and OS X systems. It doesn’t take much to set up a layered defense, but the additional protection it provides can make a world of difference.
Our complete security suite, with both Anti-malware and Firewall among many other tools, is Internet Security Barrier. To download a 30-day free trial of Internet Security Barrier X6, click this link.