For the past several years, security experts from Sophos have actively kept users informed about the latest malware threats and attacks on the Internet. However, consumers might not be familiar with the company's products, because the UK-based security vendor only caters to businesses and organizations.
We recently reached out to Graham Cluley, senior technology consultant at Sophos, to learn his opinion about some of the recent developments on the threat landscape and other industry trends. We hope you enjoy reading what he had to say.

Softpedia:
Despite being focused on the business market sector, Sophos recently released a free Mac antivirus for home users. AV vendors normally use free offerings to promote their more complete commercial solutions, but you don't have paid consumer products. So, what's your strategy with this release?

Graham Cluley:
The commercial reason for us releasing a free anti-virus for Mac home users is very simple - it's for brand awareness. Having a free anti-virus for Mac users means that people think we're cool, and helps us get our name out there. Hopefully that will increase our awareness, and may help us sell even more software to businesses.
We thought to ourselves - we have this software, it's good quality and protects businesses well. And the businesses are happy to pay for it (including the 24x7 support that we also offer firms) to protect their Macs.
But there are lots of home Mac users who seem to be oblivious to the small but growing threat of malware targeting their systems. So what have we got to lose by letting them use it at home for free? Everyone wins! Well... everyone wins apart from the people who try to sell anti-virus to Mac home users, of course. They might feel a bit miffed.

Softpedia:
Sophos interacts a lot with home users through its blogs, Facebook page or Twitter accounts. Its specialists also routinely comment in the media on many security events that don't directly affect companies. Can you explain how increasing brand awareness among consumers helps your enterprise-oriented business?

Graham Cluley:
It's logic really. Businesses aren't amorphous blobs - they're made up of individuals, of people. And many of those people are home users outside of the office.
It makes sense for us to help people - regardless of whether they might directly become customers or not - because it raises the general public's awareness of our expertise in security and *might* one day lead to someone in a company saying "Hey! I hear these Sophos guys know what they're talking about."
We've never had a paid-for consumer product, which means that we've missed one powerful avenue to get our name out there in the mass-market. So, we have to use inventive other methods.
The good news is that, hopefully, the whole community benefits from our approach. It feels good to inform people about new security threats - even the ones which are unlikely to pose a significant issue for businesses.

Softpedia:
Back in October, Microsoft started offering its Microsoft Security Essentials (MSE) antivirus product for free to small companies with up to ten computers. Do you think this will affect your business in the small office/home office (SOHO) market segment? Why do you think Microsoft decided to do this?

Graham Cluley:
Microsoft wants to clean up the world's Windows computers, because of the bad reputation the operating system can receive when hit by yet-another-malware attack. They've done a good job over the years taking security much more seriously - and some other firms could learn from them.
You have to remember that Microsoft is in a much bigger fight than just one with computer security companies. They're fighting for their operating system's continued dominance over OS rivals such as Linux and OS X.
Rightly or wrongly, Microsoft's name has been tarnished by the huge number of attacks which target the Windows platform - and they need to make the OS a safer place to be to ensure that not too many users switch allegiances.
Microsoft's solution is not a bad one - but it's not as broad as other offerings. For instance, they may not offer protection for users of non-MS platforms such as Lotus Notes or Mac OS X and this may figure as an important issue for some firms.

Softpedia:
As far as malware attacks go, consumer Internet traffic is considered much dirtier than corporate traffic, because in business environments there are additional network-level layers of protection like Intrusion Detection and Prevention Systems (IDPS) or firewalls. Doesn't this put you at a disadvantage when it comes to collecting malware intelligence compared to vendors that receive telemetry from both consumer and business products?

Graham Cluley:
Actually Sophos's engine is embedded into some consumer products (for instance, Webroot), as well as online services widely used by the entire internet population, so I don't think this is an issue.

Softpedia:
What are the biggest differences between malware attacks in enterprise environments and those targeting home users? Does distribution method and/or motivation differ significantly?

Graham Cluley:
Largely it's the same, but obviously there is probably a greater risk of targeted attacks against organisations than individuals.

Softpedia:
A trojan affecting both Mac and Windows users has been in the news recently, reopening the discussion about malware on the Mac platform. Do you think we will see more cross-platform malware in the near future? Is there anything specific that would drive malware writers to target Mac, except a growing market share?

Graham Cluley:
Yes, we're already seeing cross-platform and platform-independent attacks. Other than the likes of Boonana and websites that serve up the required "flavour" of malware depending on the OS of the visiting computer, there are also attacks that live entirely in the cloud - such as those we have seen spreading virally via Facebook.
My expectation is that as more people spend more of their time on sites like Facebook, it will only be natural for cybercriminals to target them more via that environment. Especially as Facebook is seen to be doing a less mature job at stopping threats than the big webmail companies.
What we do know is that many Mac users run no anti-virus software at all, making them potentially a very soft target for online criminals. As Windows users get bitten more often, and learn from past mistakes and harden their defences, we may see more attacks taking place against Mac users - after all, it's no harder to infect a Mac user than a Windows user.

Softpedia:
Do you agree with the idea that because of its openness and because it allows running self-signed code, the Android mobile operating system carries a higher malware risk than its competitors (iOS or BlackBerry OS)?
You currently offer an antivirus product for Windows Mobile. Since some trojans have already been released for Android and Android-based smartphones are seeing increased adoption in corporate environments, are you considering developing a solution for this platform as well?

Graham Cluley:
We haven't made any announcements yet on future products for other mobile platforms, so I'll let you leave that to your imagination. However, yes, if I was a betting man I would put money on Android being more exploited by malware authors than the competing app marketplaces. Just because a store is policed doesn't mean that bad apps might not still sneak through the net.

Softpedia:
A recently released Firefox extension called FireSheep allows even non-technical users to hijack other people's online accounts over open wireless networks. One method of protection against this type of attack is to use HTTPS (SSL) on websites that support it. However, an even better solution would be to route all traffic through a secure Virtual Private Network (VPN).
VPNs are commonly used to secure on-the-go users in corporate environments, but have an almost zero adoption rate with consumers. Do you think antivirus vendors should start selling secure VPN services to home users and raise awareness about the benefits of such solutions?

Graham Cluley:
There's plenty of security tools that anti-virus vendors *could* sell in addition to malware protection. For instance, password managers, parental controls, and so forth. Whether it's a good decision for them or not really comes to individual business decisions.
There's something to be said, I think, for not trying to do absolutely *everything*. Some specialism rather than a jack-of-all-trades can mean a higher quality of product and better focus by the organisation.

Softpedia:
Earlier this year, Stuxnet, a highly complex piece of malware designed for industrial espionage and sabotage, took the security industry by storm. A lot of people believe the amount of work put into it suggests that it was created by a nation state.
Do you think Stuxnet was a milestone in the evolution of malware and we will increasingly see threats targeting industrial systems and critical infrastructure in the upcoming years? Do you think application whitelisting would be a good solution to combat them?

Graham Cluley:
I haven't seen any reason to believe Stuxnet was written by a "nation", and am not sure what such evidence would look like, but it's certainly the case that it was written by people with specialised knowledge in fields which are not usually of interest to conventional malware authors.
I think there's been a lot of unwarranted panic and speculation about Stuxnet which has probably done nothing other than feed news headlines. Yes, it's an interesting piece of malware - but we see some 60,000 new pieces of malware every single day at SophosLabs.
Much better to be interested in the new attacks which may be putting your company at risk right now, than worry about a single piece of malware that every anti-virus on the planet already detects.