The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, thus, putting the corporation at risk of violating regulatory standards which untimely will lead to serious consequences if sensitive information is leaked.

For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a) (4) that pertains to protecting health information: "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) (4) [Information Access Management]"

A False Sense of Security - Audit and Assessment Standards

When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:

• Are passwords difficult to break?
• Are computers up-to-date with the latest security patches?
• Do any vulnerabilities exist in the operating system or applications installed?
• Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
• Have unnecessary services or applications been removed from computers that could potentially expose the resource?
• Are computers regularly scanned for malware?

The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc). Therefore the current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or untimely a penetration test will tell the auditor of potential avenues for attack. But, the number one question to ask is: are assets already compromised with undetected malware?

There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization's overall risk; however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form.

Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is "targeted" in nature, and with a limited number of hosts designated to be infected.

There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.

Proactive defenses such as Host Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent. With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis hundreds or even thousands of threats over time can be missed.

Public companies that must adhere to regulatory laws, must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration.