Stop Think Connect

Clever Malware Names: Feeding the Propensity to Ignore Systemic Issues

My patience with naming malware as if it were a Marvel superhero or an X-Man is at an end. Slammer, Sasser, Flame, BlackEnergy. Instead of naming malware in ways that flatter or aggrandize the attackers, please let's use names that call attention to the systemic problem rather than the clever, tricksy software. For example,

WORM:Win32/TriedToWinAnIpodFromAControlSystem.A

TROJ:Win32/Surfed4PornFromARootAccount.C

WORM:Win32/ConnectedMyInfectedDeviceToIndustrialNetwork.A!sys

I was reminded yesterday of the Sun Tzu quote, 

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

We're succumbing in nearly every battle, and increasingly it's not only because we don't know the enemy but because we don't know ourselves, or more accurately, because we are unwilling to admit to the myriad ways in which we fail to rigorously implement the most obvious, commonly known, widely recommended security measures.

Certain attacks of the weaponized malware kind can be contained or mitigated by isolating or restricting access to critical networks, by compartmentalizing services, by hardening administrative systems, or by prohibiting users from connecting general-purpose clients or devices to critical business or infrastructure networks. These measures also protect against the effects of users who disregard or overlook recommended secure behaviors.

A typical conversation that follows a successful exploit begins with, "have you read about the BurntUmberGoat attack against the Berzerkestan SCADA network?"

Name malware by the failure it exploits and your conversation now begins, "have you read about the Surfed4PornFromARootAccount MITB attack against the First Bank of Glovania?"

Changing the naming convention may not alter the attack surface but it might make conversations a bit more educational. There may even be a shame factor to exploit here.

It's embarrassing enough for most folks to have an IT guy tell you, "Your computer was infected with BurntUmberGoat" in front of your office mates.

It's quite a bit different to have her say, "Your computer was infected with Surfed4PornFromARootAccount".

Security Awareness

I want to share two resources that I and my team at ICANN have published. Some of these pages explain how to deliver security awareness training. Your organization may find others valuable in building a security awareness program of its own.

Raising Security Awareness, One Security Term at a Time

Our team members post regularly to the ICANN blog in a series we call Raising Security Awareness, One Security Term at a Time. This page provides abstracts of these monthly posts and links to the complete articles.

Please feel free to contact me with any security terms you'd like to see me explain. 

ICANN Security Awareness Resource Locator

The resources on this page can help consumers, business, or IT professionals avoid online threats or harm and make informed choices regarding (personal) data disclosure or protection.

Please feel free to contact me with any resources you feel we've overlooked.

Stop.Think.Connect @ Securityskeptic.com

You'll find all of my security awareness or privacy posts in this channel.