Security Source, Winter 2007
From spyware to phishing attacks, security threats are growing more virulent as the promise of big payoffs increases. These days, keeping your network secure is more of a challenge than ever before.
When savvy hackers create viruses that rake in millions without getting caught, it presents a huge incentive for others to join their ranks. As the criminal element continues to find cyber attacks more and more lucrative, tailored and targeted attacks are on the rise. It's no longer the bored hacker looking for glory; the goal today is really about making money. With highly motivated people and big paychecks on the line, virus and spyware attacks are growing more sophisticated and causing immeasurable damage to businesses nationwide. Although viruses and other malicious code still top the charts as the biggest threats to enterprise networks, spyware now ranks right up there, according to IDC's estimates. An FBI Computer Crime Survey, conducted in 2005, found that 79 percent of companies had been affected by spyware and almost 84 percent had been affected by a virus attack at least one time within the last 12 months. Most of the companies surveyed were using anti-virus software and were protected by a firewall. So there's no guarantee that the old line of defense will keep your network secure. For example, with pharming attacks, users can unknowingly give up personal information even if they're typing in their bank's official URL. It might look like your bank's site, but in fact that DNS server's route has been poisoned and it's now pointing to a rogue site. In these cases, once you type in your user name and password, it gets logged into a rogue collection server, which then logs you in to your bank behind the scenes. Other, newer threats include drive-by downloads, as when you go to a web site and something automatically downloads onto your computer without you asking for it or knowing about it. Regardless of the intent, however, the attacks are more successful because they're coming in disguised as legitimate traffic. And as attackers go out of their way to collect personal information, the threats they send out often aren't ignored. Some go so far as to use social engineering tactics, such as simply calling the receptionist, asking some questions and incorporating that information into the attack so the recipients won't be suspicious. If it looks like it's coming from someone within your own company, it's often not considered suspicious. In addition, more companies are experiencing human error as a threat to their networks (see Who's Minding the Network). Even more disturbing are the aftereffects of an attack.
According to a 2006 study of 500 North American IT professionals published by the Ponemon Institute, some 47 percent of respondents indicated that their companies are incapable of removing spyware from their networks once attacked, with 35 percent stating that their employers cannot prevent many spyware infections in the first place. Spyware typically hides inside computer systems in order to track users' Internet habits and provide data to advertisers. It's also being used to collect personal data for subsequent identity theft. But even with spyware detection systems in place, many companies are still vulnerable. Simply shutting down the network against attacks doesn't make sense, however. As more attacks look like legitimate traffic, you risk shutting down email and other network traffic required to keep your business moving. (See Keeping Messaging Secure, page 4.) So it's key to understand the difference between the good traffic and the bad traffic.
Chart: perceived threat levels by category: spyware, spam, hackers, application vulnerabilities, wireless LANs, cyberterrorism, casual intruders, mobile devices, competitor espionage. Scores are based on a scale from 1 to 5 (1 = no threat, 5 = significant threat); N = 435.
It's no secret that the majority of viruses are spread by email. Some 84 percent of organizations have had a virus, worm or Trojan horse successfully infiltrate their

But since there are ways to infect a network by getting around the gateway devices, desktop protection is also essential. Personal firewalls can prevent outside threats from coming in through the front door via a user's laptop, a growing concern as more users take laptops home or with them when they travel. A VPN gateway device can also help to prevent infections that users bring in from the outside. If a virus gets around the perimeter on a traveling laptop, it's stopped at the individual computer so it cannot spread. Anti-spyware and anti-virus software are highly recommended both at the gateway and at the desktop. A firewall will never look at an individual laptop's memory, cookies, or system registry, so you also need spyware technology on the gateway. Gateway security not only acts as a first line of defense to catch drive-by installs, embedded installs and browser exploits, but it is also the mandatory last line of defense for computers that are already infected and are attempting to communicate with a rogue collection server outside the network. In most cases the gateway device can detect the attempted communications and stop them before any damage is done.

UTMs are a response to the complete change in the security space. Small to medium size companies (25 to 500 users) often don't have IT expertise, so it's important that the technology involved isn't too expensive or complicated. Organizations that want to have the maximum amount of security while reducing total cost of ownership can turn to UTM devices. From a configuration, implementation, and management perspective, UTMs not only address the perimeter but also the issues that crop up in the network itself. There are different ways for viruses to come in other than just at the gateway. For example, if someone comes in with a USB drive or laptop from the outside, it could spread viruses internally. It's not just about perimeter security but internal network security as well. The best solutions are a combination of software and hardware that offer perimeter security and constantly keep the appliance updated. Some devices try to do everything at the gateway, which is processor intensive and will compromise speed coming across the firewall. It's better to use the power of the processors on the individual PCs and set up rules on the client side, and not leave it all up to the firewall to do all the heavy lifting. How do you know what you're getting when you purchase a firewall or UTM? Most firewalls are certified by ICSA Labs, a third-party certification body that develops programs in response to industry and end-user needs and works with vendors to develop testing criteria and standards that end users can test products against. All products need to meet certain criteria annually to remain certified. The standards evolve as well and require that vendors have the provisions to stop the latest threats. ICSA defines UTMs as appliances that include a firewall, antivirus, an intrusion protection system, content filtering, and some VPN element.
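The gateway's "last line of defense" role described above, catching an already-infected machine that tries to reach a rogue collection server, can be illustrated with a small egress check. The following is an added example, not code from the newsletter or any vendor it mentions; the log lines, the internal addresses and the single entry on the rogue-host list are all constructed (TEST-NET ranges), and the beaconing heuristic (same host contacting the same destination at near-constant intervals) is one common way of spotting such traffic without a signature.

```python
"""Gateway egress check: flag internal hosts that contact a known rogue
collection server or that 'beacon' to one destination at regular intervals.
Added example with constructed data; nothing here is a real indicator."""
from collections import defaultdict
from datetime import datetime
import statistics

# Placeholder list of known collection servers (constructed, not a real IoC).
KNOWN_ROGUE_HOSTS = {"203.0.113.50"}

# Constructed gateway connection log: "<timestamp> <internal host> -> <external host>:<port>"
SAMPLE_LOG = [
    "2007-01-15T09:00:00 10.0.0.12 -> 198.51.100.20:443",
    "2007-01-15T09:05:00 10.0.0.12 -> 198.51.100.20:443",
    "2007-01-15T09:10:00 10.0.0.12 -> 198.51.100.20:443",
    "2007-01-15T09:15:00 10.0.0.12 -> 198.51.100.20:443",
    "2007-01-15T09:20:00 10.0.0.12 -> 198.51.100.20:443",
    "2007-01-15T09:01:12 10.0.0.7 -> 198.51.100.40:80",
    "2007-01-15T09:03:47 10.0.0.7 -> 198.51.100.41:80",
    "2007-01-15T09:31:05 10.0.0.7 -> 198.51.100.40:443",
    "2007-01-15T09:07:30 10.0.0.9 -> 203.0.113.50:8080",
]

def parse_line(line):
    """Split one log line into (timestamp, src, dst_host, dst_port)."""
    ts, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)

def find_suspicious_egress(lines, min_connections=4, max_jitter=0.1):
    """Return a list of (src, dst_host, reason) findings.

    Two checks: a destination on the rogue-host list, and beaconing, i.e. the
    same host contacting the same destination at near-constant intervals
    (coefficient of variation of the gaps between connections <= max_jitter)."""
    findings = []
    by_pair = defaultdict(list)
    flagged_rogue = set()
    for ts, src, host, _port in (parse_line(l) for l in lines):
        if host in KNOWN_ROGUE_HOSTS and (src, host) not in flagged_rogue:
            flagged_rogue.add((src, host))
            findings.append((src, host, "destination on rogue collection server list"))
        by_pair[(src, host)].append(ts)
    for (src, host), times in by_pair.items():
        if len(times) < min_connections:
            continue                      # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append((src, host, f"regular beacon every ~{mean:.0f}s"))
    return findings

def flagged_pairs(lines):
    """The set of (src, dst_host) pairs the gateway should block and report."""
    return {(src, host) for src, host, _ in find_suspicious_egress(lines)}

if __name__ == "__main__":
    for src, host, reason in find_suspicious_egress(SAMPLE_LOG):
        print(f"block {src} -> {host}: {reason}")
```

On the sample log the regular five-minute connections from 10.0.0.12 and the single contact with the listed host from 10.0.0.9 are flagged, while the irregular browsing from 10.0.0.7 is not; in practice the thresholds would be tuned against the organization's own traffic, since legitimate software update checks can also be periodic.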
A key first step is creating, and subsequently enforcing, security policies. According to the Osterman survey, 64 percent of respondents have implemented specific policies and procedures instructing employees on how to avoid a sensitive data breach. In addition, over 90 percent of those surveyed indicated that they rely on their employees to take specific actions to help comply with policies. But developing a policy may not be enough to ensure network security. More than 80 percent of respondents in the Osterman survey indicated that their organizations do more than develop policy, and 88 percent stated that they use technology to automatically encrypt data on portable devices. Establishing user authentication procedures is another key aspect of any mobile security strategy. Users, devices, and networks should all be authenticated. When a user logs into a remote access device, for example, a user ID and password help authenticate that the user is the appropriate individual to be using that computer. For even stronger security, two-factor authentication can also be used. User authentication requires the use of a VPN service and your enterprise's backend authentication, authorization, and accounting infrastructure. The server side of the endpoint security scanning function checks the device; it can run in an appliance, as router-based software, or as server software. It first checks the device for infection, then that it complies with all required OS and application software versions, then that it isn't running any programs disallowed by your organization's policy. If the device doesn't comply, access will be blocked or the connection can be rerouted to a URL so that patches can be applied. As remote access connections become more integral to mainstream business operations, it's crucial to have a solid strategy in place to keep the network secure from possible attack.
Successful endpoint security measures involve remote client software with a bundle of security functions that filter out access attempts from intruders and malicious code.
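The three-step endpoint check described above (infection scan, required software versions, disallowed programs) and the resulting block-or-redirect decision can be written as a small policy engine. This is an added example, not code from the newsletter or from any product it describes; the minimum versions, the program names, the remediation URL and the sample device reports are all constructed for illustration.

```python
"""Endpoint compliance gate: infection check, then required software versions,
then disallowed programs; non-compliant devices are blocked or redirected to a
patch URL.  Added example with constructed policy values."""
from dataclasses import dataclass, field

# Policy (constructed): minimum versions as (major, minor, patch), banned programs, patch portal
REQUIRED_VERSIONS = {"os": (5, 1, 2600), "antivirus": (7, 0, 0)}
DISALLOWED_PROGRAMS = {"p2pclient.exe", "remotecontrol.exe"}
REMEDIATION_URL = "https://remediation.example.invalid/patch"   # placeholder

@dataclass
class DeviceReport:
    """What the client-side scanner reports to the server side of the check."""
    device_id: str
    infected: bool                                   # result of the on-device malware scan
    versions: dict = field(default_factory=dict)     # name -> version string, e.g. "5.1.2600"
    running_programs: set = field(default_factory=set)

def parse_version(text):
    """'5.1.2600' -> (5, 1, 2600); missing components count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(report):
    """Return (decision, reasons, redirect_url); decision is 'allow', 'block' or 'remediate'.

    Order matters: an infected device is blocked outright, an out-of-date one is
    sent to the patch URL, and only then are running programs checked."""
    if report.infected:
        return "block", ["malware found by on-device scan"], None
    reasons = []
    for name, minimum in REQUIRED_VERSIONS.items():
        have = report.versions.get(name)
        if have is None or parse_version(have) < minimum:
            reasons.append(f"{name} below required {'.'.join(map(str, minimum))}")
    if reasons:
        return "remediate", reasons, REMEDIATION_URL
    banned = sorted(report.running_programs & DISALLOWED_PROGRAMS)
    if banned:
        return "block", [f"disallowed program running: {p}" for p in banned], None
    return "allow", [], None

# Constructed sample reports: compliant, infected, out-of-date antivirus, banned program
SAMPLE_DEVICES = [
    DeviceReport("laptop-01", False, {"os": "5.1.2600", "antivirus": "7.0.1"}),
    DeviceReport("laptop-02", True, {"os": "5.1.2600", "antivirus": "7.0.1"}),
    DeviceReport("laptop-03", False, {"os": "5.1.2600", "antivirus": "6.5"}),
    DeviceReport("laptop-04", False, {"os": "5.1.2600", "antivirus": "7.0.1"}, {"p2pclient.exe"}),
]

def gate(devices):
    """Map device id -> decision for a batch of reports."""
    return {d.device_id: evaluate(d)[0] for d in devices}

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, *evaluate(d))
```

The ordering encodes the article's sequence: a device that fails the infection scan never reaches the version check, and a device that only needs patches is redirected rather than refused, so users can fix the problem themselves without a help-desk call.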
Chart: percentage of respondents who indicated their organizations implement various measures to enforce policies (respondents were asked to check all that apply). Source: Entrust 2006 Mobile Workforce Security Survey and Osterman Research.
Malware: Malicious software is any software program developed for the purpose of causing harm to a computer system, similar to a virus or Trojan horse. Malware can be classified based on how it is executed, how it spreads, and/or what it does.
Phishing: The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
Spyware: Spyware surreptitiously monitors your computer and Internet use, while adware can bombard your PC with unwanted advertising. Both pose a drain on your bandwidth and can lead to loss of security.
Trojan: A Trojan is a program that appears to be legitimate but in fact does something malicious. Trojans are often used to gain backdoor access (remote, surreptitious access) to a user's system. Trojans do not replicate as viruses do, nor make copies of themselves as worms do.
Virus: A virus is a program designed to replicate. Generally, spread is accomplished by infecting other files.
Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
Zombie: A computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner.

they're clogging up email queues, causing network traffic flow problems and adding to the damage well beyond what the virus itself was coded to do. And with threats coming in that have higher volume, intensity, and maliciousness, most companies are finding it difficult to keep up with the attacks. Since email is such an open architecture, it's vulnerable to all sorts of attacks. It's difficult to protect because, by its nature and the nature of most businesses, it has to remain open. One of the biggest trends within the threats is zombies, where corporate systems are taken over by a virus that enters the systems, and desktops become spammers for someone on the outside. Zombies pack a double whammy, not only infecting the system but also damaging a company's reputation. The spamming that results can be traced to the computers sending it, and the organization can in turn be blacklisted by ISPs, blocking future emails and general use. Blended threats are also on the increase: spam email that may have a virus attached to it, but may also link to a phishing site that's set up to take personal information. These have become so much more than a virus or a worm. Combating blended threats is driving the messaging security market, according to Osterman Research. Because of the growth in the variety and severity of threats, many organizations are moving beyond first-generation antivirus and anti-spam software, replacing these with email content filtering and/or email encryption devices.
Research firm In-Stat reports that the email security market is predicted to reach $3.7 million by 2009. According to a decision-maker survey conducted by In-Stat, companies are looking for email security products that combine multiple security and management functions. While appliances are expected to overtake software as the preferred delivery model for email security, many decision-makers surveyed were undecided about the platform for near-term purchases. Yet 66 percent of decision-makers surveyed plan to purchase email security products within the next two years. Not surprisingly, viruses and spam continue to be the top email security concerns.
Long-term Protection
As recommended for network security issues, a multilayered approach to protecting email servers is often best. And because some vendors react more quickly than others in getting signatures out to clients, a multilayered approach using multiple vendors is even better protection. The reason is that the efficacy of traditional anti-virus products comes from being able to match attachments of incoming email to known virus signatures, which means that the virus vendors have to publish updates whenever a new virus is found. In addition, multiple vendors' products act as two different scanners, two different products looking at the traffic; one may catch something that the other missed. It takes away from the single point of reporting and management, but it also adds to the security of your system. There's also a range of techniques for anti-spam. It's best to have one good anti-spam product that uses all the best techniques, including blacklisting, Bayesian filters, signature-based scanning, and heuristic scanning, in a cocktail approach. Leading anti-spam products look at a message as it's coming in and look at elements of it, not just the message but also how it's being sent, to try to guess whether it's spam or not. If it's obviously spam, it will reject it. If it's not sure, then it will pass it through to another stage that will look at the contents of the message, using techniques like Bayesian categorization, which checks whether the content is similar to messages that spammers normally send or whether it looks legitimate. Whatever the approach, most experts agree that it's best to stop spam at the SMTP gateway. Protecting the mail server itself allows real-time scanning to detect incoming viruses as well as detecting viruses internally, to make sure that users are not sending viruses around to one another within the network. It's also possible to block malicious incoming emails by certain file types. Many use the same file formats, which are not generally found in normal messages, such as .pif and .vdf and other types of file extensions. Most virus tools allow you to block by the top extension types used by mass mailers. That way you can stop potential attacks. Many products mainly defend the network from the perimeter to the desktop, but that may not be enough. Since laptops are outselling desktops and they're mobile by nature, you can actually hand-carry a threat right around your original perimeter. Where threats used to come in at the outer edge of your network or gateway, they can now come in from either end or in the middle. It's best to consider measures to defend the network so that if one segment becomes infected, it has little chance of infecting other parts of the network. In some cases, splitting a single critical department, for example emergency services, into different segments could help prevent a widespread attack. A 911 department not only should be segmented from the rest of the network but should be segmented within itself into multiple divisions, so that if any one portion of it should become infected by a virus or other attack, the spread would be limited to that one area. One of the least addressed aspects of email security is education.
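The two-stage gateway flow described above (reject obvious spam on how it is sent, then pass the doubtful remainder to a Bayesian content check) together with blocking by attachment extension can be shown in one small filter. This is an added example, not code from the newsletter or from any anti-spam product; the sender blacklist, the training messages and the .scr and .bat extensions are constructed (only .pif and .vdf come from the article), and the classifier is a plain naive Bayes over distinct tokens with Laplace smoothing.

```python
"""Two-stage SMTP gateway filter: blacklist and attachment checks reject
obvious cases, then a Bayesian content check chooses quarantine or delivery.
Added example with a constructed training corpus and blacklist."""
import math
import os
import re
from collections import Counter

BLACKLISTED_IPS = {"203.0.113.7"}                      # constructed (TEST-NET address)
BLOCKED_EXTENSIONS = {".pif", ".vdf", ".scr", ".bat"}  # .pif/.vdf from the article, rest assumed
TOKEN = re.compile(r"[a-z]+")

def tokens(text):
    """Distinct lower-case word tokens of a message."""
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    """Per-token spam/ham document counts with Laplace smoothing."""
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        (self.spam if is_spam else self.ham).update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text):
        """Posterior P(spam | tokens) from the class prior and per-token likelihood ratios."""
        if not self.n_spam or not self.n_ham:
            raise ValueError("need both spam and ham training data")
        log_odds = math.log(self.n_spam / self.n_ham)
        for t in tokens(text):
            if t not in self.spam and t not in self.ham:
                continue                       # unseen token: no evidence either way
            p_spam = (self.spam[t] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[t] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

def build_filter():
    """Train on a tiny constructed corpus (a real deployment uses thousands of messages)."""
    f = BayesFilter()
    for text in ["cheap pills order now", "order cheap watches online now",
                 "win money now click here", "cheap mortgage rates click now"]:
        f.train(text, True)
    for text in ["meeting tomorrow about the budget",
                 "please review the attached report before our meeting",
                 "lunch tomorrow at noon", "budget report for the quarter"]:
        f.train(text, False)
    return f

def gateway_decision(msg, bayes, threshold=0.9):
    """Return 'reject', 'quarantine' or 'deliver' for a message dict with
    sender_ip, subject, body and attachments (file names)."""
    # Stage 1: how the message is being sent
    if msg["sender_ip"] in BLACKLISTED_IPS:
        return "reject"
    for name in msg.get("attachments", []):
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            return "reject"
    # Stage 2: what the message says
    p = bayes.spam_probability(msg["subject"] + " " + msg["body"])
    return "quarantine" if p >= threshold else "deliver"

if __name__ == "__main__":
    f = build_filter()
    sample = {"sender_ip": "198.51.100.2", "subject": "cheap pills",
              "body": "order now click here", "attachments": []}
    print(gateway_decision(sample, f))
```

Stage 1 never touches message content, which is what makes it cheap enough to run on every connection; stage 2 quarantines rather than rejects, since a probabilistic verdict on content deserves a human-reviewable holding area rather than a bounce.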
Spammers and virus writers often use social engineering tactics to dupe unwary users, so educating them about what to watch out for can help to mitigate risk. It won't provide 100 percent protection against new threats, but it can be a vital part of any security policy. The more people are aware of the dangers and pitfalls, the fewer incidents you'll have of inadvertent outbreaks or infections.
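The segmentation advice earlier in this section (a 911 department segmented from the rest of the network and within itself, so that an infection stays in one area) can be checked quantitatively: given the allow rules between segments, how many segments can a worm reach from an infected one? The following is an added example, not from the newsletter; the segment names, the ports, the allow rules and the worm's port are constructed to contrast a flat network with a segmented one.

```python
"""Blast-radius check for network segmentation: which segments can a worm
spreading over one port reach from an infected segment, given the allow rules
between segments?  Added example with constructed segments and rules."""
from collections import deque

SEGMENTS = ["corp", "call-taking", "dispatch", "records"]

# (source segment, destination segment, allowed port); None means any port
FLAT_RULES = [(a, b, None) for a in SEGMENTS for b in SEGMENTS if a != b]

SEGMENTED_RULES = [
    ("call-taking", "dispatch", 5060),   # assumed: call handling talks to dispatch over SIP only
    ("dispatch", "records", 443),        # assumed: dispatch writes incident records over HTTPS
    ("corp", "records", 443),            # assumed: corporate staff read records over HTTPS
]

def blast_radius(rules, start, worm_port):
    """Segments reachable from `start` when the worm can only spread over
    connections the policy permits on `worm_port` (BFS over the allow graph)."""
    adj = {s: set() for s in SEGMENTS}
    for src, dst, port in rules:
        if port is None or port == worm_port:
            adj[src].add(dst)
    reached, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached

def compare(start="call-taking", worm_port=445):
    """Blast-radius sizes for the flat and segmented policies (worm port is assumed)."""
    return {"flat": len(blast_radius(FLAT_RULES, start, worm_port)),
            "segmented": len(blast_radius(SEGMENTED_RULES, start, worm_port))}

if __name__ == "__main__":
    print(compare())
```

With the flat policy an infection in call-taking reaches all four segments; with the segmented policy a worm on a port the rules do not permit stays where it started, and even one that rides an allowed port (5060 here) gets no further than dispatch.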
SourceWorks Media. Catherine LaCroix, Editor; Laura Stoll, Designer.
Chart: spyware 79.5%; viruses/worms/Trojans 83.7%.