
Intrusion Defense - Part 6

Article by Tom Olzak, CISSP (6,400 pts )
Published on Jul 18, 2008
Defending against malicious software is the topic of this installment in the Intrusion Defense series. We begin with definitions of different types of malware, move on to how to prevent end-user device or network infestation, and finish with a section on using personal firewalls to prevent infection and to limit malware activity if infection wasn't prevented.

The Malware Challenge

Cyber-criminals used to write malicious software (malware) for fun and to show off to other crackers.  However, the reasons for intruding into corporate and personal systems have changed.  Today, many crackers use their skills as a way to make money from illegal activities.  These activities include:

  1. Information warfare against governments
  2. Extorting money from corporations
  3. Identity theft

In many cases, the victims are unaware their systems have been compromised.

Types of Malware

Malware exists in the wild in several forms.  The most prevalent are:

  • Viruses - A virus is malware an attacker attaches to another program you intentionally install or copy to your PC.  When you run the wanted program, the malware also runs.  Viruses can't propagate across the Internet or your network by themselves.  They need your help.

  • Worms - Worms can distribute themselves across your network and across the Internet.  Once a worm takes up residence in a computer in your network, built-in routines attempt to locate other vulnerable systems, sending special packets.  Once a vulnerable system is found, the worm copies itself to that system.  Now there are two copies of the worm attempting to propagate in your processing environment.  Over time, this replication process might slow network performance and compromise all vulnerable systems.
  • Trojans - A Trojan is a program that looks like a useful application.  For example, you might download a free music player from an email advertisement.  When you install the player, it performs as expected.  But in the background, it's engaged in activities designed to compromise your system.
  • Spyware - Spyware is software you download and install, usually as part of another program installation, that gathers information about you, your company, and your system.  It then transmits this information back to a parent device where a criminal is waiting to exploit it.  Spyware has become such a major problem, the next section is dedicated to examining it in more detail.

Spyware

As we saw in the previous section, one of the primary means of delivering Spyware is downloading software from the Internet.  In many cases, the victim actually agrees to its installation along with the primary application.  The victim is usually unaware of his or her approval, because the spyware acceptance clause is buried several pages deep in the license agreement.  Most business users either don't have the time to read the entire agreement, or are unaware of the risks.  Once they accept the agreement and download the software, their computers are compromised.

Another way spyware might be installed is through clicking "OK" on a dialog box that pops up when you visit a site.  This can happen even if the dialog box is just informational.  If you haven't blocked pop-ups on your employees' desktops, you should train your users to always click the "X" in the upper right hand corner of unexpected pop-ups.  This will help prevent the unwanted installation of malware.

Once executing, spyware collects information about the user or about the system.  Personal information that might be collected includes a user's Internet browsing habits, credit card numbers, and bank account information.  Since spyware executes with the same security rights and permissions as the user, it can also access information stored in folders on the local machine as well as data in network storage areas. 

After the information is collected, it is typically transmitted back to a host system managed by the individual or group who intends to use this information to steal the user's identity, blackmail her organization with threats of releasing sensitive information, etc.

Once spyware is installed on a computer, it can be very difficult to remove.  In many cases, attempts at removal are reported back to the controlling system.  The attacker can implement manual or automated processes to ensure the application's components are reinstalled. 

Attackers are increasingly using rootkit technology to hide the presence of spyware.  Neither the files on disk nor the processes running in memory are visible when using normal operating system tools or anti-spyware applications.  Free utilities like Windows Sysinternals RootkitRevealer can help locate and report on hidden spyware components.

Malware Prevention and Removal

Controls related to malware defense should prevent malicious code from gaining a foothold in your network in the first place.  Taking the following steps can help:

  1. Keep all operating systems and applications updated (patches, service packs, etc.).
  2. Properly adjust browser settings.  The types of sites accessed and the types of Internet activities allowed have a direct impact on your organization's malware vulnerability.  Web filtering software and pop-up blockers are a good place to start.  A good web filtering solution:
    1. Allows a manager to determine the types of sites the employees are allowed to browse.
    2. Is automatically updated, at least daily, with lists of sites that are known to spread malware.  Blocking this web site category alone can significantly reduce business risk.
  3. Use firewalls.  Later in this article, we look at how personal firewalls can add to the last layer of defense at the host level.
  4. Implement strict acceptable use policies and user awareness processes that cover:
    1. Downloading files from the Internet.
    2. The importance of reading all warnings and agreements before installing downloaded software.
    3. The dangers of installing anything that's advertised as free.
  5. Run anti-virus and anti-spyware software on all systems attached to your network, AND KEEP THEM UP TO DATE.

Even with all these controls in place, malware will eventually find a way into your network.  So how do you detect it once it's made itself at home?  First, all users, especially your company's help desk, should be trained to identify the signs of infection, including:

  1. The appearance of unexpected messages.
  2. The appearance of new tool bars or plug-ins.
  3. Programs starting by themselves.
  4. Systems running slower than normal.
  5. Browser settings changing automatically.
  6. Systems suddenly rebooting for no reason or after unusual warning messages are displayed.
  7. Any strange, unexplainable system activity.

Second, updated anti-malware software should detect and remove all non-hidden malware components.  Finally, an organization's defense should include personal firewall or HIPS solutions.  These solutions may not remove the threat, but they can prevent or delay activities initiated by the threat until your response team can contain and eradicate it.

Personal Firewalls

Personal firewall technology is more mature than HIPS.  Its use is a popular and effective way to protect both mobile and stationary users from becoming infected or infecting your network.  Its functionality in preventing malicious activity targeted at both the host system and the organization's network positions it as an alternative to HIPS as a last line of defense.

A personal firewall is traditionally an application that is installed on an end-user device.  Once installed, it performs several protective functions, including:

  1. Permitting or denying communication, both outgoing and incoming, based on one or more user-defined policies.
  2. Helping protect laptops when connected to other networks and protecting the parent network from infection once the laptop returns home.
  3. Prompting a user to accept or reject a process request to perform an action that violates one or more policies.
  4. Helping to prevent self-imposed DoS by blocking specific types of traffic, both outgoing and incoming.
  5. Providing some level of HIDS by logging unusual system behavior.
  6. Helping to identify attacks coming from internal sources.

Because of the growing necessity for personal firewalls on end-user devices, most of the anti-virus vendors include this technology in their basic offerings.  But like any protective technology, there are challenges associated with implementing them.

  1. Personal firewalls consume system resources.  Make sure your end-user devices have the memory and processor resources necessary.
  2. Attackers have developed ways to compromise personal firewalls without your knowledge.  The presence of a personal firewall might result in a false sense of security.
  3. Rolling out personal firewalls to a large number of devices, and managing them once installed, can be a daunting task.  Like HIPS implementations, personal firewalls should be managed by centralized software.  This provides for:
    1. Application of software updates
    2. Ensuring firewalls are running on each end-user device.
    3. Easy roll-out of attack signature or anomaly detection information.
    4. Management of how your users interact with the firewall.  This includes allowing or disallowing them to take an action the firewall warns them against.
  4. Ensuring that your host-based applications will continue to run once the firewall is operational.
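To make the policy functions above concrete, here is an added example (not code from the article or from any firewall vendor) of a minimal personal-firewall policy evaluator: known business applications are allowed out, unsolicited inbound traffic is denied, and any other outbound attempt (for instance, a "free" player phoning home) is prompted or, when central management forbids user overrides, denied and logged. Process names, rules and events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str        # "out" or "in"
    process: str          # executable name, "*" matches any process
    port: Optional[int]   # remote port, None matches any port
    action: str           # "allow", "deny" or "prompt"

@dataclass(frozen=True)
class Event:
    direction: str
    process: str
    remote: str
    port: int

# Hypothetical user-defined policy, evaluated first match wins.
POLICY: List[Rule] = [
    Rule("out", "outlook.exe", 443, "allow"),
    Rule("out", "iexplore.exe", 80, "allow"),
    Rule("out", "iexplore.exe", 443, "allow"),
    Rule("in", "*", None, "deny"),      # nothing unsolicited comes in
    Rule("out", "*", None, "prompt"),   # anything else outbound: ask the user
]

def evaluate(policy: List[Rule], event: Event) -> str:
    """Return the action of the first matching rule; default deny if none matches."""
    for r in policy:
        if (r.direction == event.direction and r.process in ("*", event.process)
                and r.port in (None, event.port)):
            return r.action
    return "deny"

def resolve(action: str, user_may_override: bool) -> str:
    """Central management decides whether a prompt may reach the user at all."""
    if action == "prompt" and not user_may_override:
        return "deny"
    return action

def audit(policy: List[Rule], events: List[Event], user_may_override: bool) -> List[Tuple[str, str]]:
    """Evaluate events and return (decision, HIDS-style log line) pairs."""
    log = []
    for e in events:
        decision = resolve(evaluate(policy, e), user_may_override)
        log.append((decision, f"{decision.upper()} {e.direction} {e.process} -> {e.remote}:{e.port}"))
    return log

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    Event("out", "outlook.exe", "mail.example.com", 443),
    Event("out", "freeplayer.exe", "203.0.113.7", 6667),  # came with a "free" download
    Event("in", "svchost.exe", "198.51.100.9", 445),
    Event("out", "iexplore.exe", "www.example.com", 80),
]
```

Denied or prompted entries are the lines worth forwarding to the help desk as signs of a possible infection.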

In this series, we've examined both personal firewalls and HIPS.  So which is better?  The answer is, "it depends."  HIPS is an emerging technology.  As such, it has some issues that need to be worked out.  Personal firewall technology, on the other hand, is mature and mainstream.  Which of these solutions you decide to use depends on your organization's willingness to accept and deploy new technology.  If your company is technically conservative, or you haven't the time to deal with the growing pains of HIPS, I recommend the safe personal firewall route.  Which technology you pick is less important than ensuring that this final layer of intrusion defense is not ignored.

Series Conclusion

Deperimeterization has strengthened the need for multiple layers of intrusion defense.  The use of IDS and IPS, both network and host, helps in this effort.  Both external and internal threats can be detected, stopped, or delayed by the proper placement of sensors. 

Configuration management is a key component of intrusion defense.  Hardening workstations and servers with secure operating system and application settings, together with effective patch management, minimizes the impact of attacks that make it through all other layers of your security infrastructure.

Malware is a significant threat to organizations.  Implementing protection against the growth of spyware attacks is probably the most critical step a business manager can take when considering malware defense strategies.

Finally, personal firewalls can provide a solid last line of defense, even when your patch management processes fail to keep up with the daily discoveries of new vulnerabilities.


Key Terms

Rootkit - A rootkit is a set of applications that a criminal might install on a compromised system.  It allows continued access to the system at the administrator, or root, level.  Components associated with a rootkit don't normally show up in directory listings or lists of running processes.
