It has been exactly two-weeks today since the FBI announced its take down of the GameOver Zeus malware. This means that the two week period for consumers and businesses to get their security controls in place to mitigate against the threat has now passed. However, what does this mean for organisations and consumers? And what is the outlook for the botnet?
Please see below comments from leading security experts from Tripwire, Imperva, Lieberman Software and ESET:
Amichai Shulman, CTO of Imperva:
“I think that more than anything this announcement puts emphasis on the poor posture law enforcement has with respect to cybercrime. Imagine the local police announcing a two week grace period in which the local gangs are “weakened” (with no further explanation) and urging everyone to use this grace period for installing improved window bars, more sophisticated alarm systems and in general be more cautious when they leave their homes after the grace period is over. This is absurd.
“Repelling cybercrime is not the responsibility of individuals. This ritual of botnet takedown announcements (remember Cutwail) has been repeating itself for too long. Yes, people should make an effort to protect their digital assets – a reasonable effort. We’ve already squeezed all the juice from the “don’t open weird attachments” lemon. It’s done. It’s over. People use the Internet in order to receive content from unknown, needless to say untrustworthy, individuals. Security people and law enforcement should have realized that by now.
“I don’t expect cybercrime to become extinct (much like regular crime is here to stay), I do expect it to be reduced to an acceptable level – this is the responsibility of law enforcement. I do expect to people to reasonably look after their digital assets. However, you can’t expect anyone with an online bank account (practically everyone) to be a cybersecurity expert – that’s the responsibility of the banking application provider.”
Dwayne Melancon, CTO of Tripwire:
“The majority of the public haven’t been paying attention to this issue, which is how we got into this situation in the first place. Many of the recommended actions fall into the category of “good hygiene” in the computing sense, but it is notoriously hard to get the average user to keep things secure and up to date. Therefore, while I think this was a good idea, I’ll be surprised if it makes a material difference in the reach of the bonnet.
I doubt there will be any significant difference in the numbers of zombie systems involved in the botnet. When you look at longer term warnings such as Windows XP being phased out, they tend to go unheeded by the average users. Likewise, even in the face of persistent, shrill warnings about using strong passwords, ‘letmein,’ ‘monkey,’ and ‘jordan’ always make the top 10 anytime password breaches are disclosed. Why would this two-week warning be any different? Unfortunately, most will not heed it – that’s human nature. Hopefully, those of us who heed these warnings will be safe enough from those who don’t.”
David Harley, senior research fellow at ESET:
“The advice that’s been circulated is, as far as I can see, highly generic: use security software and keep it updated, make sure your systems are being patched, use good password management practice. Good advice in principle, but I suspect that in general, people who aren’t doing all that already are probably not going to start doing it because CERTs or the FBI are recommending it. After all, security commentators make the same recommendations that tend to be made for self-protection even when there is no specific hot story to hang it on.”
Calum McLeod, VP of EMEA at Lieberman Software:
“For businesses the famous quote attributed to Benjamin Franklin is probably the most appropriate; “God helps those who help themselves”. There comes a point where the failure of businesses to take adequate steps to protect themselves leaves them deservedly at the mercy of the cyber criminals. At what point does the failure of businesses to address the fundamental cause of infection, namely controlling privileged access to systems, mean that they should either be prosecuted for their failure to take the necessary steps, or that insurance companies cancel any liability policies these organisations have? The Mandiant M-Trends 2014 report categorically states that 100% of breaches resulted from compromised credentials, and yet businesses continued failure to address this fundamental issue is in itself a criminal offence!
At the same time it is maybe time that businesses also asked security vendors to carry liability insurance. If you’re claiming that you have innovative solutions to protect against a threat landscape, you better be prepared to put your money where your mouth is. It’s time vendors who offer vapourware were exposed as the charlatans that they are, and it’s high time that customers start reading the small print and realise that many of those so called APT solutions are nothing more than a marketing department’s dream.
As far as the consumer goes, it’s a lost cause. How do you educate an IT illiterate population about the need to disable privileged access on their home PCs, and stop watching videos of puppies running around! Maybe we need to consider an “IT driving license”. We don’t let people drive cars until they demonstrate that they’re not a danger to themselves and others, and maybe the same needs to apply to the Internet. The likelihood is that most CSOs would fail!
As far as anyone taking steps to protect themselves, most are more worried about the World Cup, Ukraine, and nutters in Iraq than they are about botnets. In any case since it’s yesterday’s news in the main stream media who are more concerned with overpaid footballers than criminal activities on the net
As far as the botnet goes, it’s just like the flu. If it didn’t infect you this time, the next one will be along soon, and since no one seems to worry about catching it, it’s only a matter of time until some CEO/CIO/CSO is looking for a new job on the back of putting their company on the front page, and some member of the public gets their 15 minutes of fame because some nasty criminal stole their life savings after they watched some video on a social media site.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.