UK security firm Glasswall Solutions claims the Dridex banking malware is of no threat to UK bank accounts “if security professionals take the necessary precautions.” While Glasswall is keen to push its solution to block Dridex, its statement could equally be applied to the vast majority of malware. Fortunately for the bad guys, and for security vendors with product to sell, IT pros are not taking the necessary precautions, and nor are users.
Greg Sim, CEO of Glasswall said: “As long as traditional cyber security methods exist, in a hopeless search for known evil, attacks of this type will continue to flourish. The power to stop these attacks is simple – take back control of the files and documents that cyber criminals use against you.”
Glasswall wants white lists to control what can be used
What Sim wants is for organisations to stop allowing users to make decisions over which macros are safe and which are not. Glasswall believes that policy should be designed at the Governance, Risk and Compliance level and then applied to all users. A laudable aim, but one that would challenge many organisations and their existing systems, which make it hard to implement effective end-to-end policy-driven security.
The key to Glasswall’s approach is to use white lists. It claims that: “By creating a white list of “known good” macros, Glasswall prevents all potentially malicious elements from reaching an organisation’s systems.” White lists are nothing new in security terms, and a debate has raged for over two decades as to whether white or black lists are the solution. A white list enumerates the files that are allowed to run on a network and blocks everything else; a black list enumerates the files that are blocked and allows everything else.
The problem is that most mid to large companies have no idea what macros, or even what internal code, they have. Any deployment of a white list approach would be fraught with the danger of files suddenly being blocked, causing massive disruption to users and the business. As has been seen in the past, this leads users to find ways to bypass security rather than work with it. Organisations also lack an aggressive security testing approach that would enable them to roll out white lists that could be easily deployed and trusted by users.
The other problem is that macros are far more likely to be developed by the user community than by IT departments. Creating a signing mechanism whereby a user can have their macros signed as safe requires IT resources for testing. Any problems or delays would just feed the constant ‘them and us’ scenario that has bedevilled the IT and user relationship for decades.
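As an added illustration, and not code from the article or from Glasswall, the Python below contrasts the two list types and the signing step discussed above. Three macros are constructed samples: one already approved, one a user wrote last week and never submitted for review, and one standing in for a macro analysts flagged earlier. The allow-list (white list) is default-deny, the block-list (black list) is default-permit, and a hypothetical HMAC-based review tag stands in for a proper code-signing certificate; the review key, the macro text and the helper names are all assumptions for the demonstration.

```python
"""Allow-list vs block-list decisions for Office macros (constructed example)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample macro source text; none of this comes from the article.
APPROVED_MACRO = (
    "Sub RefreshReport()\n"
    "    ' Approved by the finance team and reviewed by IT\n"
    "    ActiveSheet.Range(\"A1\").Value = Now()\n"
    "End Sub\n"
)
NEW_USER_MACRO = (
    "Sub FormatInvoice()\n"
    "    ' Written by a user last week, never submitted for review\n"
    "    Columns(\"B:B\").NumberFormat = \"0.00\"\n"
    "End Sub\n"
)
FLAGGED_MACRO = (
    "Sub AutoOpen()\n"
    "    ' Constructed placeholder standing in for a macro analysts flagged earlier\n"
    "End Sub\n"
)


def macro_digest(src: str) -> str:
    """SHA-256 of the macro source, with line endings normalised so that a
    CRLF/LF difference does not change the identity of the same macro."""
    normalised = src.replace("\r\n", "\n").encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()


# The two list types the article contrasts, keyed by content hash.
ALLOW_LIST = {macro_digest(APPROVED_MACRO)}   # "known good"
BLOCK_LIST = {macro_digest(FLAGGED_MACRO)}    # "known evil"


def allow_list_decision(src: str, allow_list=ALLOW_LIST) -> str:
    """Default deny: anything not on the known-good list is blocked,
    including a legitimate macro nobody has reviewed yet."""
    return "ALLOW" if macro_digest(src) in allow_list else "BLOCK"


def block_list_decision(src: str, block_list=BLOCK_LIST) -> str:
    """Default permit: only previously identified macros are blocked,
    so anything unseen (good or bad) gets through."""
    return "BLOCK" if macro_digest(src) in block_list else "ALLOW"


# Hypothetical review workflow: an IT reviewer who approves a macro issues an
# HMAC tag over its digest and the document carries that tag. A real
# deployment would use VBA project signing with a code-signing certificate.
REVIEW_KEY = b"constructed-demo-key-not-for-real-use"


def sign_macro(src: str, key: bytes = REVIEW_KEY) -> str:
    """Tag issued by the reviewer for exactly this macro source."""
    return hmac.new(key, macro_digest(src).encode(), "sha256").hexdigest()


def signed_decision(src: str, tag: Optional[str], key: bytes = REVIEW_KEY) -> str:
    """Allow only if the attached tag was produced by the review key for
    this exact source; a missing, forged or stale tag is blocked."""
    if tag is None:
        return "BLOCK"
    expected = sign_macro(src, key)
    return "ALLOW" if hmac.compare_digest(expected, tag) else "BLOCK"


def compare_policies(src: str, tag: Optional[str] = None) -> dict:
    """Run one macro through all three policies side by side."""
    return {
        "allow_list": allow_list_decision(src),
        "block_list": block_list_decision(src),
        "signed": signed_decision(src, tag),
    }


if __name__ == "__main__":
    samples = [("approved", APPROVED_MACRO),
               ("new user macro", NEW_USER_MACRO),
               ("flagged", FLAGGED_MACRO)]
    for name, src in samples:
        print(f"{name:15s} {compare_policies(src)}")
    # The user macro passes only once a reviewer has issued a tag for it.
    print("after review   ", signed_decision(NEW_USER_MACRO, sign_macro(NEW_USER_MACRO)))
```

The row for the unreviewed user macro is the article's disruption problem in miniature: the allow-list blocks it, the block-list waves it through, and the signed route blocks it until someone in IT has reviewed and tagged it. A tag copied from a different macro, or edited by a single character, is rejected because the tag is bound to the content hash.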
Does this mean it cannot be done? No, it doesn’t, and Glasswall is right to link taking back control of files and documents with securing them better. Of course, this assumes that the organisation has control of all the files to begin with. The explosion in cloud storage has shown that this is not the case.
There is no question that companies need to do more to protect their data. Users are not the only weak point. The problem here is that Glasswall assumes it is possible to impose, within an acceptable level of disruption that it chooses not to define, a mechanism that Sim suggests would be perfect:
“The way to achieve this is to set the standard for “known good” in your business – ensuring no document that fails your stringent requirements will ever make it into the company. No matter how innovative the cyber-criminal, they can never breach your defences.”
Conclusion
White lists, black lists, end-point security, predictive analytics on the wire and machine learning to detect and defeat zero-day attacks are all ways to secure an organisation. No single one of them is perfect, despite Sim’s belief.
What makes this announcement interesting is that it comes hot on the heels of yet another piece of malware, in this case Kasidet, being exposed by Zscaler and being distributed by macros. The risk is that by claiming white lists are the magic bullet, Glasswall, and Sim in particular, are oversimplifying the security message.