Fighting botnets: Malware has 'exploded,' says security manager
Botnets are inundating inboxes with malware-laden spam, and they show no sign of slowing. One network security professional outlines his company's efforts to stay on top of the threat
By Joan Goodchild, Senior Editor
March 04, 2011 — CSO —
A report released earlier this year by Panda Security reveals just how sophisticated the business of cyber crime has become. Among its findings: botnets are now available as a service for criminals to rent and launch spam attacks, with prices that start as low as $15 for the rental of an SMTP server.
Botnets, networks of infected computers controlled by a master bot to send out spam, spread viruses and launch attacks, are responsible for as much as 85 percent of all email spam, according to many estimates. While efforts by some security groups to stop them have been successful, botnets continue to be the attack vector of choice for criminals, making botnet detection and evasion an increasingly crucial part of the security program in many organizations.
So what does an effective strategy look like? CSO spoke with Todd Ferguson, a network security manager at Raymond James Financial, a financial services holding company with subsidiaries engaged in investment, financial planning, investment banking and asset management. According to Ferguson, fighting botnets is like shooting at a moving target — and there is no clear way to know if you're winning.
CSO: What would you say the threat landscape is like now in terms of botnets?
Ferguson: In my organization, we have a unique situation in that we have both independent and employee advisor models. In the case of our independent financial advisors, they are responsible for their own computing systems, networks, etc. The botnet issue is far more prevalent today than just for corporate users and financial advisors. It really transcends all users. It applies to clients, associates and independent contractors alike. Everyone is potentially at risk today. Botnets are not picky about who they target. Any user can be attacked and become a member of a botnet unwillingly. There are challenges to deal with once one of these devices is located, which include cleaning and assessing the potential damage.
How do you locate a compromised device?
We are big believers in the layered security methodology. We don't rely on any one technology or intelligence source. We use a mixture, as well as our own internal monitoring. We are using the Damballa Failsafe component to monitor network traffic to identify potentially compromised machines through network behavior and intelligence applied. We also use conventional antivirus, IDS, IPS and some proprietary monitoring.
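Ferguson describes flagging potentially compromised machines from network behavior rather than from signatures alone. The following is an added illustration of one such behavioral check, written for this page and not code from Raymond James, Damballa or the article's author: it scans constructed connection records (hypothetical hostnames and documentation-range addresses) for host pairs that talk at suspiciously regular intervals, the kind of clockwork check-in that a bot makes to its controller and that a human-driven session rarely produces. The thresholds `min_connections` and `max_jitter` are assumptions chosen for the sample data; in practice they are tuned against a baseline of the organization's own traffic, and a hit is a triage lead for the analyst, not a verdict.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records for illustration only (not real traffic).
# Each tuple is (timestamp_seconds, source_host, destination, bytes_sent).
# "ws-17" contacts 203.0.113.5 roughly every 300 s with a near-constant
# tiny payload, the shape of an automated check-in.
# "ws-02" contacts an update host at irregular, human-looking intervals.
SAMPLE_FLOWS = [
    (0, "ws-17", "203.0.113.5", 412),
    (301, "ws-17", "203.0.113.5", 410),
    (599, "ws-17", "203.0.113.5", 415),
    (900, "ws-17", "203.0.113.5", 411),
    (1202, "ws-17", "203.0.113.5", 409),
    (1498, "ws-17", "203.0.113.5", 413),
    (1800, "ws-17", "203.0.113.5", 412),
    (5, "ws-02", "198.51.100.20", 9800),
    (47, "ws-02", "198.51.100.20", 120000),
    (610, "ws-02", "198.51.100.20", 3400),
    (612, "ws-02", "198.51.100.20", 51000),
    (1700, "ws-02", "198.51.100.20", 780),
    (1705, "ws-02", "198.51.100.20", 2200),
    (1790, "ws-02", "198.51.100.20", 64000),
]


def find_beacons(flows, min_connections=6, max_jitter=0.05):
    """Return a list of (source, destination, mean_interval_seconds) for
    host pairs whose contact intervals are regular enough to look like
    automated check-ins.

    min_connections: ignore pairs seen fewer times than this (too little
                     data to judge regularity).
    max_jitter:      upper bound on the coefficient of variation
                     (stdev / mean) of the gaps between contacts; a value
                     near 0 means near-perfectly periodic traffic.
    Both thresholds are assumptions for this example, not vendor defaults.
    """
    timestamps_by_pair = defaultdict(list)
    for ts, src, dst, _size in flows:
        timestamps_by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in timestamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg_gap, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_FLOWS):
        print(f"review {src}: contacts {dst} every ~{interval}s")
```

Run as a script it reports only `ws-17`, whose six gaps average 300 s with a spread of a couple of seconds; `ws-02` has just as many connections but its gaps range from 2 s to over 1000 s and it is discarded. This is the same reason Ferguson pairs such monitoring with antivirus, IDS/IPS and threat intelligence: a periodic connection alone could also be a legitimate polling agent, so the behavioral hit is the cue to look at the destination's reputation and the host itself.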