Where networking and knowledge intersect.
Henk-Jan van der Molen
Malware incidents, e.g., with Trojans, are leading to increased financial loss for organizations and individuals. The financial loss can, for example, result from the misuse of bank accounts or the sale of confidential (corporate) information. This loss is caused by the growth in criminal activity involving malware.
Regardless, many organizations continue to utilize the same standard software, even though this maximizes the return on investment for Internet criminals through the misuse of these products. This is because there is a distinct relationship between malware and the market share of software products.
To underpin this thesis, this article will analyze the malware situation and outline an economic model. Based on this model, the consequences of software diversification are described, with some recommendations to implement this security measure.
According to the SANS Internet Storm Center in 2006, “Malware development is accelerating due to efficient and open collaboration, moving from months and years to weeks and days.”1 As an example, in order to write the successful Sobig worm in 2003, a university-level education was required, plus the source code from various viruses was reused and test versions were released.2
There is a suspicion that Internet criminals systematically develop new malware by applying reverse engineering to patches that are released. This method means that anybody who delays the application of a patch runs an increased risk of their vulnerable systems being affected. Fortinet’s recent Threatscape report reveals that of the 108 new vulnerabilities, 62 were being actively exploited.3
Internet criminality does, however, reach even further. On the black market, malware is sold per exploit, even for the newest systems. Botnets can be rented by the hour for criminal purposes, like spamming. A botnet of 10,000 PCs is worth about US $800. It is estimated that the Conficker virus runs on a conservative minimum of 4 million computers.4 In addition to direct damage resulting from industrial espionage, credit card fraud and restoration costs of corrupted software and data, malware also damages reputations of companies whose business processes are disrupted. A recent study shows that 16 percent of organizations had malware infections on workstations in 2008; in December 2008, 5 percent of organizations were infected.5
Even an IT infrastructure with the safest possible settings is not immune to all malware attacks. This is because the measures taken by organizations against malware are found to be increasingly less effective in preventing incidents.6, 7 As an example of this, the so-called zero-day exploits, for which protection is not yet available, occur regularly.8, 9 The security of extra measures, such as two-factor authentication (the use of a token when utilizing Internet banking or teleworking) is subjected to the newest generation of malware that lodges as a browser plug-in.
Internet criminals aim to “earn” as much money as possible. To achieve a maximum return from infected systems, a malware virus has to remain hidden for as long as possible. For this purpose, encryption, root kits and malware are used on rotating web servers. By generating unique malware for every infection and to target this selectively at a few organizations, it will take some time for the malware to appear on the radar of the suppliers of virus scanners, if at all. It is estimated that signature-based malware scanning will detect about 50 percent of all new bot malware.10 This puts more pressure on heuristic scanning (false positives) and real-time suppression of malware actions. It also indicates that the prevention of malware infections is becoming more and more difficult.
In 2006, antivirus software supplier Kaspersky reported, “We’re losing this game. There are just too many criminals active on the Internet underground, in China, in Latin America, right here in Russia. We have to work all day and all night just to keep up.”11 This explains why the growth of malware is showing an exponential trend.12
Based on this information, one can assess the economic principle behind the development of malware. Almost all software has vulnerabilities that are wide open to exploits. In their constant fight against patches and antimalware software, Internet criminals have to continue to invest in malware. The criminals maximize their return on investment by targeting their exploits on software that, at that time, is a market leader. This behavior is summarized in proposition 1, where P stands for the profit per infected computer and Q for the number of computers infected:
Malware for market-leading software gives the greatest returns, because in the time that is available (from issued exploit to installed patch) most systems can be infected. This strategy also offers the highest chance of a targeted exploit being reused. The market share of software products will, therefore, determine in which products hackers will search for vulnerabilities to develop malware (see figure 1).
If many systems operate with the same software, they are susceptible to the same malware. This is comparable to the impact of a crop disease in large monocultures.13
The most successful software products attract a disproportionate number of exploits. The S-curve (see figure 2) is an appropriate model for relating the market share of software to the exploits that are released for that software. Other examples of models that use the S-curve are the spread of epidemics, the growth of a population and the probability of a certain outcome, given a set of risk factors.14
As is evident from various lists of protection recommendations, the number of vulnerabilities of a software product is related to the quality of the source code (and, to a lesser degree, to the development tools used), not to the market share of the product. There does appear to be a strong relationship between the number of exploits that are released and the market share of the targeted software.15 IBM also points out that “the Common Vulnerability Scoring System scores fail to capture the economic opportunity vulnerabilities present to attackers.”16 This corresponds with the often-heard statement that the comparatively high number of exploits for Microsoft Windows is the result of the large market share of this product and is not due to the quality of this software.
For various reasons, it is very difficult to make an objective quality comparison between different software packages, especially when closed-source software is involved. The difficulty lies in the fact that restraining and cumbersome precautions to keep the source code secret are necessary each time a version of closed software is reviewed. Generally, companies that sell closed software want to select the reviewers themselves and enforce the use of nondisclosure agreements (NDAs). The results of past reviews become devalued at the same pace at which new versions of the closed source software are produced.
Cybercriminals having access to the code of open source software is generally not perceived as a security risk, since security by obscurity is ineffective.17 In fact, an internal Microsoft study revealed that “…case studies (the Internet) provide very dramatic evidence...that commercial quality can be achieved/exceeded by [open-source software (OSS)] projects.”18
Based on another study,19 it is assumed that the quality of the different software packages is by and large equal. One could, therefore, argue that the exploits will follow should Mac OS or Linux gain more market share. The migration of a market-leading software product to an alternative does not increase the security if these migrations happen en masse. The focus of malware would then shift to the new market leader. However, improved distribution of the software market will considerably boost security.
In making a rough estimate of the consequences of diversification, the assumption is made in advance that product migrations will not increase the number of exploits released. This is because it seems illogical that Internet criminals will undertake more activities if such an increase would not result in a good return.
Because of the latter, an organization that switches from market-leading product A to an alternative product B is less likely to be affected by exploits, as suggested by the lower market share of B. In the extreme case that all migrations from A to B will result in the market ultimately being distributed 50/50 between both products, the S-curve indicates that 50 percent of the exploits will target product A and 50 percent will target product B. If the number of targets doubles and the total amount of ammunition (i.e., exploits) remains the same, the number of incoming bullets for each target drops by 50 percent. So, even in this extreme situation, the number of exploits suffered by an organization will decrease by half. From this point of view, organizations are better off not choosing market-leading software as a standard product. Again, given enough resources, one can hack even custom-developed software products, but generally the market share indicates if this is worth the effort. This concept is reflected in proposition 2:
It is a known fact that only about 20 percent of the purchase price of hardware and software contributes to the total cost of ownership (TCO). In 2004, IBM estimated software licences to be 27 percent of the TCO; in 2005, Microsoft estimated 8 percent. Given that hardware costs are still dropping, the support to, and the downtime, of end users together with the administration of the infrastructure corresponds to the remaining 80 percent of the TCO. Therefore, a lower impact of exploits will strongly influence the IT administration costs.
An organization that migrates to different software, however, will have to incur costs for training and conversion. Because of this expense, diversification is a security measure like any other: an investment. This has been embraced by the US Department of Defense (DoD). Within the context of diversification as a security measure, the DoD has partially changed over to Apple computers.20
The diversification of standard software for office automation macroscopically serves as compartmentalization against exploits. If the software market is better proportioned between different products, this will spread the risk of malware. The expectation is that the business world will become more secure if organizations do not all opt for the same standard software. More or less the same applies to vendors, since vendors tend to reuse their expensive source code in different products. The decrease in the impact of malware is greatest when the market is equally proportioned. If the number of exploits remains the same in a market that is, for example, divided 50/50 between two products, the impact of exploits will reduce by 50 percent, because an exploit can infect no more than half of the systems. When the software market is better proportioned, the reuse of targeted exploits also becomes more difficult. This distribution compels Internet criminals to develop more new malware, which again yields less per exploit. This decreased yield means that Internet criminals are being hit where it hurts most: decreased return on investment.
The expectation is that, for software suppliers, more diversity in the market will result in fewer active zero-day exploits per product. After all, if the number of exploits is spread over more products, the number of exploits per product will decrease. Because of this reduction, there will be fewer backlogs in the development of patches. This, in turn, decreases the period in which vulnerabilities can be abused and reinforces the security effect from software diversification.
When the targeted software has a small market share and a short patch cycle, fewer computers will be infected by an exploit for that software, which results in a small turnover (P x Qlower). When the targeted source code is small and of good quality, the development of an exploit for that software is more difficult and, therefore, more expensive for cybercriminals. Proposition 3 sums up the selection criteria for software that lessens the risks of malware:
Researching the software products, market shares and number of exploits has proven to be difficult. Because lots of research papers are sold, market share estimates can vary widely21 and information could be biased. For all sources, context information is necessary to interpret these statistics correctly. To achieve a good variety of software products, the market shares of software products and the number of exploits released for each software product have to be objectively monitored and published.
Should the suitability of products be equal, it is advisable to opt for a standard product that works with open standards, in order to guarantee the exchange of data with other software and so that vendor lock-in is prevented. This choice would also lead to a better chance of migrating to another product in the future. “The Netherlands in Open Connection action plan, popularly termed The Heemskerk Plan, is a positive first step toward creating the correct conditions for this.22 With this plan, the Dutch government supports the future-proof development of IT services and applications, by improving electronic interoperability between organizations. The use of open standards and open-source software by the government and the (semi)public sectors is considered important in this context.
Software diversity within one organization conforming to the US DoD vision will indeed decrease the vulnerability of an organization, but will also increase the administrative costs. Should the whole organization change to alternative standard software, it will have a large initial impact, but would be less cost-intensive in the long term.
Changing to an alternative operating system is very radical; it would be easier for an organization to change to alternative software for Internet usage, office applications and e-mail. These types of migrations are relatively accommodating. Most software products offer the same functionality, except the operation of the product can differ.
Migration to another standard product will often provoke resistance, for example, because users and administrators have to acquire new knowledge. That means that it is best to carry out the migration to other standard software when phasing out old software products. Nowadays, the average PC user will often have the same software at home that he/she has at the office. Should an organization facilitate the home use of new standard products, this will increase the acceptance of the product change. This facilitation will also eliminate the risk that home workers will use cracked software from the illegal market, which is often infected by malware.
Govcert.nl mentions diversity of the mobile platform as a possible reason malware cannot spread widely on that platform.23 While everyone agrees that the hardware of important systems should be duplicated, the necessity of (other) fallback software to lessen the risk of cybercrime is not yet broadly accepted. The proportions in the software market have more or less been constant for a number of years. Although several warnings circulate about the risks of a lack of diversity in the field of IT,24, 25 few companies change their standard software. As stated before, every organization can choose its own standard software products, but cybercrime thrives if the majority of organizations use the same product. Contrary to the “Convention on Biological Diversity,”26 it is still unusual to find IT diversity in a policy against digital paralysis. Retaining standard products that are in sight of most hackers does, however, mean implicit acceptance of a rapidly increasing security risk.
At the same time, large-scale paralysis of vital government systems, payment transactions, telecommunication systems or the energy supply through a cyberattack would be deemed unacceptable. Yet, regular controls like firewalls and antivirus software are less and less capable of preventing malware infections. As long as computer systems remain vulnerable to malware, the improved distribution of standard software will prevent a domino D-day of vital facilities and lessen the impact of cybercriminality.
With thanks to Douwe Leguit and Erik de Jong, team manager and advisor, respectively, at Govcert.nl, the Computer Emergency Response Team of the Dutch government.
1 Bueno, Pedro; “Malware Analysis—Lessons Learned,” SANS Internet Storm Center, http://handlers.sans.org/pbueno/presentations/sansfire06_pedro_bueno.pdf2 Author Travis Group, “Who Wrote the Sobig?,” 2003-2004, http://spamkings.oreilly.com/WhoWroteSobig.pdf3 Fortinet, Threatscape Report, June 2009, www.fortiguard.com/report/roundup_june_2009.html4 Cisco Systems Inc., “Midyear Security Report: An Update on Global Security Threats and Trends,” 2009, www.cisco.com/web/about/security/intelligence/midyear_security_review09.pdf5 Ernst & Young, “Resultaten ICT Barometer Over ICT-beveiliging en Cybercrime,” The Netherlands, 28 January 2009, www.ict-barometer.nl/_files-cms/File/Rapport%20ICT%20Barometer%20over%20ICT-beveiliging%20en%20cybercrime%20%2028%20%20januari%202009.pdf6 Govcert.nl, “Trend Report 2007: Cyber Crime in Trends and Figures,” Dutch government, The Netherlands, www.govcert.nl/download.html?f=907 Computable.nl, “Much-needed Incident Management,” 26 May 20068 SearchSecurity.com, “Exploit Code Targets Internet Explorer Zero-day Display Flaw,” 23 November 20099 SearchSecurity.com, “Microsoft Word Zero-day Being Actively Exploited,” 8 July 200810 FireEye Malware Intelligence Lab, “Do Antivirus Products Detect Bots?,” 20 November 2008, http://blog.fireeye.com/research/2008/11/does-antivirus-stop-bots.html11 Naraine, Ryan; “The Zero-Day Dilemma,” eWeek.com, 24 January 2007, www.eweek.com/article2/0,1759,2087034,00.asp12 F-Secure, “F-Secure IT Security Threat Summary for the Second Half of 2008,” www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threatsummaries/2008-4.html13 “Nowadays, from an efficiency point of view, arable farming grows relatively few crop types in large monocultures. Throughout the world, modern crops, with increasingly more uniform characteristics, are replacing traditional crops and, therefore, pose a threat, because the genetic base is becoming narrower. The crops that are grown are becoming increasingly more vulnerable to diseases and pests.” World Resources Institute, 200114 “Logistic function,” http://www.economicexpert.com/a/Logistic:function.htm15 The Honeynet Project, “Know Your Enemy: Malicious Web Servers,” 7 August 2007, www.honeynet.org/book/export/html/15316 IBM Global Technology Services, “IBM Internet Security Systems: X-Force® 2008 Trend & Risk Report,” January 2009, www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf17 Kerckhoffs’ principle in “Secrecy, Security, and Obscurity,” http://www.schneier.com/crypto-gram-0205.html18 Raymond, Eric S.; “Halloween Document I (Version 1.17), Open Source Software: A (New?) Development Methodology,” www.catb.org/~esr/halloween/halloween1.html19 Spinellis, Diomidis; “A Tale of Four Kernels,” ACM, Germany, 2008, www.spinellis.gr/pubs/conf/2008-ICSE-4kernel/html/Spi08b.pdf20 Greenberg, Andy; “Apples For The Army,” Forbes. com, 21 December 2007, www.forbes.com/home/technology/2007/12/20/apple-army-hackerstech-security-cx_ag_1221army.html21 For example, market share estimates on MS Exchange vs. Lotus Notes22 Ministry of Economic Affairs, “The Netherlands in Open Connection: An Action Plan for the Use of Open Standards and Open Source Software in the Public and Semi-public Sector,” The Netherlands, November 2007, www.ez.nl/dsresource?objectid=154648&type=PDF23 Govcert.nl, “Trend Report 2009: Cyber Crime in Trends and Figures,” Dutch government, The Netherlands, http://www.govcert.nl/render.html?it=14724 ENISA, “Security Economics and The Internal Market” (Chapter 7), http://www.enisa.europa.eu/act/sr/reports/econ-sec/economics-sec25 Greer, Daniel; “Perspective: Massachusetts Assaults Monoculture,” CNET News, http://news.cnet.com/Massachusetts-assaultsmonoculture/2010-7344_3-5968740.html26 “Convention on Biological Diversity,” http://www.cbd.int/convention/convention.shtml
Henk-Jan van der Molenis senior project leader/ IT advisor at the Transport and Water Management Inspectorate.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.