Back To The Future

By Dr. Guy Bunker @guybunker

Do you remember the viruses of yesteryear? Probably not. And you probably don’t particularly care to either – the world has moved on. However, a recent story shows that some of the cyber-attack techniques of old are coming back. Specifically, we are talking about viruses contained in macros in documents.

The reason they are making a comeback is that they are relatively simple to construct – and can be readily tailored to the individual. Today we collaborate using a variety of different media, but the most common are Word, Excel, PowerPoint or even PDF (with comments). So, as users we are used to receiving documents through email or downloading them from a cloud service provider like Dropbox, and of course we then open them. The viruses of yesteryear were about beating the system, the computer or the application; the ones today are about stealing critical information, which is done through social engineering and ultimately tricking the user... which turns out to be much easier than trying to find a vulnerability to exploit within an application.

So, what can be done? Unfortunately, people still need to collaborate by sharing documents; stopping that would disrupt the business and so is not an option. What really needs to happen is that the embedded malware (the macros) is removed before it can do any damage. We have spent a lot of time developing our Adaptive Redaction options, and one of those options, Structural Sanitization, does just this: it removes active content based on policy.

While Data Loss Prevention is frequently thought of as preventing critical information from leaking out of an organization, there is another side to it: preventing the bad stuff from coming in. We now have easily implemented policies on our email and web gateways so that all incoming documents can have their active content automatically removed before they are delivered to the end user. This removes the possibility of document-borne embedded malware being activated. (We can also remove macros on the way out, which we do for a number of customers who want to ensure that their algorithms, especially in spreadsheets, are protected.)
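To make concrete what removing active content by policy involves at the file level, here is an added example (written for this page, not the vendor's product code) that inspects an Office Open XML package for macro parts and rebuilds it without them and without the relationship and content-type entries that point at them. The part-name list, the content-type mapping and the constructed sample document are this example's own assumptions.

```python
import io
import re
import zipfile

# Part names that carry active content in Office Open XML (.docm/.xlsm/.pptm):
# the VBA project, its metadata part, and embedded ActiveX controls (assumed list).
PART = r"(?:vbaProject\.bin|vbaData\.xml|activeX\d*\.(?:bin|xml))"
ACTIVE = re.compile(PART + "$", re.I)
# A <Relationship/> or <Override/> element whose target is one of those parts.
REF = re.compile(r'<(?:Relationship|Override)\b[^>]*"[^"]*' + PART + r'"[^>]*/>', re.I)
# Macro-enabled main part type and its macro-free equivalent, so the result is a plain .docx.
MACRO_FREE = {"application/vnd.ms-word.document.macroEnabled.main+xml":
              "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"}

def find_active_content(pkg: bytes) -> list:
    """Policy check: list every part in the package that carries active content."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        return sorted(n for n in z.namelist() if ACTIVE.search(n))

def sanitize(pkg: bytes) -> bytes:
    """Structural sanitization: rebuild the package without the active parts and the references to them."""
    drop = set(find_active_content(pkg))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name in drop:
                continue  # the macro payload itself never reaches the recipient
            data = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                text = REF.sub("", data.decode("utf-8"))  # drop dangling references
                for macro, plain in MACRO_FREE.items():
                    text = text.replace(macro, plain)
                data = text.encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word document (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName="/word/document.xml" '
                   'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override '
                   'PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder for a VBA project stream")
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" Target="vbaProject.bin" '
                   'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/><Relationship Id="rId2" '
                   'Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/></Relationships>')
    return buf.getvalue()
```

Calling find_active_content(build_sample_docm()) reports the macro part, and after sanitize() it reports none while the unrelated styles relationship survives. A gateway applying the same policy would also need to cover the legacy binary Office formats and PDF, which this illustration does not.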

The attack vector of embedded document malware is not new, but the solution to the problem is. Furthermore, it's quick and straightforward to implement, i.e. no need for hitting a wire with the connecting hook at precisely 88 miles per hour the instant the lightning strikes the tower...