Malware logo Crystal 128.

Malware logo Crystal 128. (Photo credit: Wikipedia)

Sophisticated malicious attacks can go largely undetected by most antivirus software.  Defense in depth approach requires organizations to monitor for malicious activity, malware (bot traffic) at various levels of the network, perimeter layer, application level and subsequently at critical data level.

How an end user might become infected, the obvious scenario being possibly our less educated users who could potentially be clicking in links in email messages from senders they might not be aware of or people visiting some high-risk sites such as those offering free downloads. The second scenario which is less obvious is where a user may click a link from a known good site which may contain a link to a bad site. The most common situation here is where advertising may have been purchased and site owners may not have been able to perform the due diligence to make sure a reputable company has purchased the ad space. Finally we’ve got our third and scarier scenario where a trusted site has actually been compromised and infected with some kind of malware.

According to Symantec‘s most recent Internet Security Threat Report, Global networks faced more than 286 million cyberthreats in 2010, as attackers employed more sophisticated methods that make malware harder to detect and more difficult to remove. Furthermore, the number of Web-based attacks increased 93% in 2010, and malware writers have been turning their attention to social-networking sites such as Twitter and Facebook, where it’s estimated that 17% of links are connected to malware.

So the malicious activity is on the rise based on the Symantec report, which emphasis the point to monitor and evaluate the harmful traffic into your network.  Malicious activity monitoring also requires an effective incident handling procedures to analyze, evaluate and taking appropriate actions with malicious events at hand.  An incident handling procedures also differentiate the event from incident meaning when an event turn into an incident.

Real time malicious activity monitoring at perimeter will work nicely with ISO 27001 (ISMS) process. It will not only satisfy the auditor need for monitoring and maintaining of certain controls in the standard  but also new threats to the organization will serve as a feed to required risk assessment process which can be evaluated against relevant vulnerabilities.

Below are some of the famous malicious attacks which can be used to breach network:

SQL injection—By analysing the URL syntax of targeted websites, hackers are able to embed instructions to upload malware that gives them remote access to the target servers.

Exploiting system vulnerabilities in another method—In many cases, laptops, desktops, and servers do not have the latest security patches deployed, which creates a gap in the security posture. Gaps or system vulnerabilities can also be created by improper computer or security configurations. Cyber-criminals search for and exploit these weaknesses to gain access to the corporate network and confidential information.

Targeted malwareCybercriminals use spam, email, and instant message communications often disguised to come from known entities to direct users to websites that are compromised with malware. This section includes several different approaches that cybercriminals leverage to infect systems with malicious code.