Network World – Computer attacks and data breaches happen every day, but every now and then there is an epic attack that people remember long after the mess is cleaned up. The RSA breach of 2011 is one such example. An attacker was able to gain access to privileged user credentials in order to access a server and steal information specific to RSA’s SecurID two-factor authentication products.
RSA’s parent company EMC spent tens of millions of dollars dealing with the fallout from this breach and the theft of critical intellectual property. And RSA was left scrambling, working with customers to try to prevent exploitations made possible by the compromise.
What people may not remember about this breach is that it all started with an email sent to an HR employee at RSA. The message had an attachment, an Excel spreadsheet that supposedly contained the company’s recruitment plans for the year. In reality, the spreadsheet had been booby-trapped with the then recently discovered Adobe Flash zero-day flaw CVE-2011-0609. When the worker opened the file it unleashed a trojan that proceeded to harvest login credentials within the RSA network. And, well, you know the rest of the story.
Just a few weeks ago, Microsoft issued a security advisory about a vulnerability in numerous products, including the 2003, 2007, 2010 and 2013 versions of Microsoft Word for Windows, Microsoft Office for Mac 2011, and multiple versions of Microsoft SharePoint Server. Merely viewing or previewing a malicious email in Outlook, under a default setting, allows the attacker to gain the same system privileges as the user who is currently logged in. Attackers have already exploited the vulnerability by creating booby-trapped documents in the Rich Text Format (RTF).
Hopefully this vulnerability has been discovered in time to prevent any attacks. That, in part, depends on companies applying the patch that Microsoft supplied. Only time will tell if the bad guys have been successful in jumping on the vulnerability.
These two stories show how important it is to protect against attacks that exploit unknown vulnerabilities, zero day vulnerabilities, and even known vulnerabilities that have not yet been mitigated.
Trend Micro reports that 91% of cyber attacks begin with a spear phishing email. Of the 47,000 data breaches investigated or analyzed by the Verizon RISK Team in 2013, email was the direct vector of attack on large enterprises 67% of the time. And according to the 2013 Symantec Internet Security Threat Report, 1 in 291 email messages is linked to malware on the Internet or has a malicious attachment.
Privately-held Israeli company Votiro hopes to mitigate attacks launched during the unknown and zero day time frames. The senior security experts who founded Votiro have developed a product with military-grade certification. The solution should appeal to organizations that have privileged data or sensitive data – such as intellectual property or financial data – that is often targeted.
Votiro’s solution works on individual files attached to email, downloaded from the Internet, or taken off a removable device such as a thumb drive or CD-ROM. It’s unknown in advance if a file is clean or contains malware, so Votiro operates its technology on each and every file it sees. Among other techniques, Votiro runs multiple anti-virus engines against the files. Then Votiro’s Secure Data Sanitation Device (SDSD) performs a unique active sanitation process on the file itself, making micro changes in the file in order to interfere with and break any exploit code hidden in the file.
When the intended recipient of the file opens the sanitized version, no harm happens because the attack has been neutralized. The technique preserves the original file format, so any legitimate content in the file (alongside the malware) remains usable.
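As an illustration of the kind of content-disarm step described above (an added example, not Votiro’s code or its algorithm), this Python snippet strips embedded-object groups out of an RTF document, the format named in the Microsoft advisory above, while leaving the readable text and the document structure intact. The sample RTF and the list of control words to remove are constructed for this demo.

```python
import re

# Constructed sample: a benign document with one embedded OLE object group.
# The hex in \objdata is dummy filler, not real object data.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    r"\pard Quarterly recruitment plan.\par"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}}"
    r"\pard See attached figures.\par}"
)

# Control words that open groups carrying active or binary content. The set is
# an assumption for the demo; a production sanitizer would use a fuller list.
RISKY_GROUPS = {"object", "objdata", "pict", "datastore"}

# First control word of a group, with an optional \* "ignorable" prefix.
GROUP_HEAD = re.compile(r"(?:\\\*)?\\([a-zA-Z]+)")


def sanitize_rtf(rtf: str) -> tuple[str, int]:
    """Return (sanitized_rtf, groups_dropped): removes every group (and its
    nested groups) whose leading control word is in RISKY_GROUPS."""
    out, dropped, skip_depth, i, n = [], 0, 0, 0, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "\\" and i + 1 < n and rtf[i + 1] in "\\{}":
            if skip_depth == 0:          # escaped literal brace/backslash
                out.append(rtf[i:i + 2])
            i += 2
            continue
        if c == "{":
            if skip_depth:
                skip_depth += 1          # nested group inside a dropped one
            else:
                m = GROUP_HEAD.match(rtf, i + 1)
                if m and m.group(1) in RISKY_GROUPS:
                    skip_depth, dropped = 1, dropped + 1
                else:
                    out.append(c)
        elif c == "}":
            if skip_depth:
                skip_depth -= 1
            else:
                out.append(c)
        elif skip_depth == 0:
            out.append(c)
        i += 1
    return "".join(out), dropped


def is_balanced(rtf: str) -> bool:
    """Cheap structural check that the output is still a well-formed RTF tree."""
    return sanitize_rtf(rtf)[0].count("{") == sanitize_rtf(rtf)[0].count("}")
```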
The SDSD solution can be located on premises or in the cloud. It is a Windows-based application that runs on a customized, hardened build of Windows. Email traffic, web traffic and individual files are directed through the sanitation device before being forwarded to servers on an organization’s network. Files passing through the sanitation device are neutralized of any attacks that may be present and are checked for adherence to company policy as to which files are allowed to enter the organization’s network.
Clalit is the largest Health Maintenance Organization in Israel. The company recently implemented Votiro’s Secure Data Sanitation Device to screen and clean files downloaded from the Internet. Clalit COO Doron Yitzchaki says, “We have 40,000 employees throughout our HMO. Sometimes they have a need to download files from places outside of our internal network. For example, a doctor may need to go to a research site to get information to treat a patient. We want to make sure that files that people download are safe before they are brought into our network.”
Yitzchaki says Clalit chose the Votiro sanitation device because it offers a comprehensive and centralized solution that can serve Clalit’s 1,300 clinics, 14 hospitals and 460 pharmacies. “We didn’t want to implement a bunch of local solutions,” Yitzchaki says. “Votiro addresses our needs centrally and assures us that the files we download from the Internet are not bringing security threats with them.”
Another Votiro customer, a financial institution, has all of its inbound email going through the sanitation device before being delivered to end users. This strips out any type of malware or viruses that might be targeting institution employees in order to gain a foothold on the internal network. The Votiro solution adds a few seconds of latency to mail entering the organization in order to look for and neutralize threats. Then again, a few seconds is well worth the time if it prevents an epic malware attack.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.