Threats to Enterprise Security
By: Dan Sullivan, 04/18/2005
The New Playing Field of Malware
In the early 1990s, malware was typically a single type of threat, such as a boot sector virus, a
macro virus, a backdoor, or a DoS attack. These threats used a single method of attack, for
example, through email or through a chat room. Today, malware consists of a combination of
multiple types of attacks and methods of spreading, resulting in blended threats. Some of these
threats also use automated probing techniques to search for vulnerabilities.
The impact on security management is clear: Single-system responses to threats, such as
firewalls and antivirus software, are not sufficient. Security must be managed across platforms
and services. It must also include safeguards for internal as well as external threats. This section
will first examine blended threats, then present example “viruses” that are actually much more
than traditional email malware.
Characteristics of Blended Threats
Blended threats can be any combination of attack methods and propagation methods. Many
spread as worms—programs that spread through vulnerabilities in a network. Unlike true viruses,
worms do not depend upon other applications to work. The following list offers general
characteristics of blended threats:
- Like conventional viruses, blended threats can damage files, corrupt OS configurations,
and overwhelm network resources. Common damage includes changing registry settings,
injecting malicious code into OS executables, and adding scripts to HTML documents.
- Blended threats spread through multiple methods and can sometimes avoid common
safeguards. For example, the Fizzer worm is a virus with its own SMTP engine that also
spreads over the Kazaa peer-to-peer network. Safeguards on corporate email systems are
bypassed in both cases.
- Blended threats can include routines that probe for known vulnerabilities, such as buffer
overflows and the use of default passwords on predefined accounts.
- Newer threats are making greater use of networks to maintain the malware after it has
infected a system. Worms such as Fizzer connect to a Web site to download updates to
the virus.
- Blended threats might contain basic network utilities. As noted, the Fizzer virus has its
own SMTP engine; the Lovsan virus has a built-in Trivial File Transfer Protocol (TFTP)
utility.
Detailed Example of a Blended Threat
The Fizzer worm is a prime example of a blended threat. The malware spreads as an email
attachment. When an email user opens the attachment, the virus copies a file to the Windows
system directory, then places two other files, a DLL library and another executable, in the
system directory. The library is used to log keystrokes and the other executable is used to
reassemble the virus.
Next, an entry is added to the Windows registry activating the worm for each Windows session.
It also attempts to stop any antivirus software that is currently executing.
Once installed, the virus begins to spread. With email propagation, the virus searches for email
addresses in Outlook address folders and targets OS folders, such as cookie folders. Infected
messages are sent to all addresses found using a spoofed return address. The addresses are
randomly selected from a list of large email domains, such as msn.com, yahoo.com, and
hotmail.com. Recipient names, subjects, attachment names, and message bodies are chosen from
a list within the virus payload. The worm also searches for Kazaa peer-to-peer network folders.
If found, the virus is copied to the shared folder. Users who download and execute files from that
folder infect their own systems.
The worm creates three backdoor mechanisms. First, it attempts to connect to several IRC
servers and, once connected, the virus creates bots presumably so that the virus author can issue
commands to the infected system. It also creates a new AOL Instant Messenger user and
connects to a chat room, presumably waiting for instructions. Finally, it uses ports 2018 through
2021 to listen for commands from a remote host.
Blended threats, such as Fizzer and Mydoom, spread rapidly and can inflict significant damage.
Security professionals are no longer dealing with a single DoS attack, an email virus, or a
backdoor—they are dealing with all of them at once. These emerging threats require a more
holistic, integrated approach to enterprise security management (see Figure 2.11).
Figure 2.11: Blended threats combine multiple forms of malware into a single payload.
Phishing and Threats to Brand Integrity
In addition to threats to physical infrastructure and information, information security managers
are facing challenges targeting intangible assets, such as the hijacking of brand identity in a
process called phishing. Phishing, which began as a ploy used by telemarketers to gather benefit
check information from the elderly, has become a prominent threat to online business services.
Phishing is a scam in which a perpetrator masquerades as a legitimate business to trick victims
into revealing personal information by using a variety of techniques. Many phishing scams use
email as the vehicle to solicit information. The process begins with a mass emailing asking the
recipient to update account information or otherwise provide personal information. The email is
purportedly from a bank, online service, or other vendor that has a large online customer base so
that chances are good that some of the recipients are actually customers of the business. The
message contains a link to a legitimate-looking phishing site at which victims are prompted for
information.
Financial services and online services are popular targets for phishing scams. According to the
Anti-Phishing Working Group (http://www.antiphishing.org), Citibank, U.S. Bank, Bank One,
Fleet, Wells Fargo Bank, PayPal, eBay, Yahoo!, MSN, and AOL have all been victims of
phishing scams in the first half of 2004.
For statistics on the prevalence of phishing, see the Phishing Attacks Trend report at
http://www.antiphishing.org.
Phishing is a viable attack for several reasons:
- It is fairly simple to forge a return address in SMTP.
- Perpetrators can easily copy HTML code and image files from legitimate sites to create a
phishing site.
- URLs of phishing sites are often similar to legitimate addresses, fooling many victims.
- Consumers, too often unaware of the potential for phishing, trust the companies that
supposedly sent the email.
Several measures can reduce the impact of phishing within an organization. In addition to the
basic security measures (antivirus, anti-spyware, and firewalls), anti-spam, content filtering, and
URL filtering can reduce illegitimate email and prevent access to known phishing URLs. URL
filtering can identify known-bad sites and poorly constructed “phish” sites, such as
http://www.citibank.i.com (this is a fictional example of a phish site).
These measures help protect confidential organizational information, as well as employees'
personal information, from deceptive and manipulative techniques designed to acquire it.
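The following is an added example, not code from the chapter or from any URL-filtering product, of the kind of check a URL filter performs on the fictional http://www.citibank.i.com address above. It combines a known-bad list with a brand-lookalike test: the brand name appears in the hostname, but the site is not one the brand actually owns. The brand table and the known-bad list are constructed for the example, and the "registrable domain" is approximated as the last two labels of the hostname; a production filter would use the Public Suffix List and a live reputation feed instead.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not from the original chapter. The brand table and the
# known-bad list are constructed stand-ins for a reputation feed.
PROTECTED_BRANDS = {"citibank": {"citibank.com"},
                    "paypal": {"paypal.com"},
                    "ebay": {"ebay.com"}}
KNOWN_BAD = {"account-verify.example"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of reasons to block the URL; an empty list means 'allow'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable"]
    reasons = []
    base = registrable_domain(host)
    if host in KNOWN_BAD or base in KNOWN_BAD:
        reasons.append("known-bad")
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    for brand, legitimate in PROTECTED_BRANDS.items():
        # brand name appears in the host, but the registrable domain is not the brand's
        if brand in host and base not in legitimate:
            reasons.append("brand-lookalike:" + brand)
    return reasons


SAMPLE_URLS = [  # constructed inputs
    "http://www.citibank.i.com",
    "https://www.citibank.com/login",
    "http://paypal-secure-update.example.net/",
    "http://192.0.2.10/update",
    "http://login.account-verify.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify_url(u) or ["allow"])
```

The lookalike rule deliberately errs toward blocking: any third-party domain that embeds a protected brand name is flagged, which is the behaviour you want for a corporate gateway, with a review process for the occasional legitimate partner site.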
Furthermore, policies and processes must be in place to protect customer account information
from employees or contractors willing to sell that information. As with other threats, protecting
against phishing requires a combination of technology, people, and processes.
In addition, companies with online services should educate customers about the company’s
policies for updating account information or asking for personal information. Clearly
communicated customer interaction policies must be regularly conveyed with a process that
helps customers easily and securely alert the organization when possible foul play occurs.
Managing Threats
The first part of this chapter has described the complexity and variety of threats that
organizations face. This section explores how to manage those threats.
Antivirus and Intrusion Detection Systems
Antivirus and IDSs are integral parts of comprehensive security. Tools such as these presume
that threats from the outside can penetrate firewalls (which they can) and that threats can emerge
from within an organization (which they do).
Antivirus software protects against a wide range of vulnerabilities including:
- Trusted software that does not adequately protect against unauthorized use, such as
embedded macro languages
- Vulnerabilities in common applications such as the known MIME vulnerability in
Microsoft Explorer that was used by the Nimda worm
- Backdoor programs slipped in through blended threat viruses and worms
- Being used as a zombie to launch DoS attacks such as those included in Mydoom and
Mydoom.B
Antivirus software is an effective measure for keeping malware out of a network; intrusion
detection is an effective measure for recognizing and possibly stopping direct attacks. IDSs and
intrusion prevention systems (IPSs) detect unusual and threatening activity. The two general
types of IDS are host based and network based.
Host-based IDS monitors and detects changes to files using integrity checks. The IDS calculates
a hash function value for critical system files when they are first installed (or at least known to be
free from corruption), then periodically recalculates the hash function for the files. If there is a
difference in the original and newly calculated hash values, the file has been changed. Host-
based IDS also uses audit logs, process monitoring, and other techniques to monitor activity on
systems.
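As an added illustration (not code from the chapter or from any IDS product), the integrity check described above reduces to a small routine: hash each critical file when it is known to be clean, store the digests, and later recompute and compare. The file names and contents below are constructed in a temporary directory so the example runs stand-alone.

```python
import hashlib
import os
import tempfile

# Added example, not from the original chapter: a minimal host-based integrity
# check. File names and contents are constructed for the demonstration.


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digests for files believed to be clean (e.g. right after install)."""
    return {p: file_digest(p) for p in paths}


def check_integrity(baseline):
    """Recompute digests and report which files changed, vanished or are unchanged."""
    report = {"changed": [], "missing": [], "ok": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif file_digest(path) != expected:
            report["changed"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Baseline three constructed files, tamper with one, delete one, re-check."""
    workdir = tempfile.mkdtemp(prefix="hids-demo-")
    paths = [os.path.join(workdir, n) for n in ("hosts", "services", "login.cfg")]
    for p in paths:
        with open(p, "w") as fh:
            fh.write("# original contents of " + os.path.basename(p) + "\n")
    baseline = build_baseline(paths)
    with open(paths[2], "a") as fh:      # simulate an unauthorised edit
        fh.write("# tampered line\n")
    os.remove(paths[1])                  # simulate a deleted system file
    return check_integrity(baseline)


if __name__ == "__main__":
    for status, files in demo().items():
        print(status, files)
```

Two practical points the routine makes visible: the baseline itself must be kept where a compromised host cannot rewrite it (read-only media, or signed and stored off-box), and the digest must be collision-resistant, so use SHA-256 rather than MD5.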
Network-based IDS monitors network traffic using statistical and pattern-matching algorithms;
some use signature-based approaches, similar to antivirus software. This approach works well in
many cases and is less likely to generate false positives than statistical techniques. Like antivirus
programs, network-based IDS needs to be updated frequently and can miss a new type of
intrusion attack. Statistical approaches develop profiles of “normal” traffic on a network, which
are then used to identify unusual activity. Unlike signature-based approaches, statistical IDS does
not need signature updates. As is often the case in IT, a combination of both approaches can
yield better results than using either alone.
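The combination recommended above can be shown in a toy form. The following added example (not code from the chapter or from any IDS product) runs two signature rules and one statistical profile over constructed flow records. The signature rules are drawn from the chapter's own descriptions: connections to the ports 2018 through 2021 that Fizzer listens on, and a TFTP read request for an executable, as a worm with a built-in TFTP client would issue. The statistical layer learns how many distinct destinations a "normal" host contacts and flags sources whose fan-out exceeds the mean by three standard deviations, which is how automated vulnerability probing shows up in traffic. Hosts, ports and payloads are all constructed.

```python
import statistics
from collections import defaultdict

# Added example, not from the original chapter: signature rules plus a
# statistical fan-out profile over constructed flow records.


def flow(src, dst, dst_port, payload=b""):
    """One summarised connection (all values constructed for this example)."""
    return {"src": src, "dst": dst, "dst_port": dst_port, "payload": payload}


# --- signature layer: fixed patterns that need updating as threats change ----
def sig_command_port(f):
    # connection to the listener ports the chapter attributes to Fizzer (2018-2021)
    return 2018 <= f["dst_port"] <= 2021


def sig_tftp_exe(f):
    # TFTP read request (opcode 1) naming an .exe, as a worm's TFTP client would send
    p = f["payload"]
    return f["dst_port"] == 69 and p.startswith(b"\x00\x01") and b".exe" in p.lower()


SIGNATURES = [("command-port-connection", sig_command_port),
              ("tftp-executable-fetch", sig_tftp_exe)]


def signature_alerts(flows):
    return [(name, f["src"], f["dst"], f["dst_port"])
            for f in flows for name, match in SIGNATURES if match(f)]


# --- statistical layer: learn what normal looks like, then flag outliers ------
def fanout(flows):
    """Distinct destinations contacted by each source address."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in peers.items()}


def build_profile(normal_flows, sigmas=3.0):
    counts = list(fanout(normal_flows).values())
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    # floor the spread at 1 so a perfectly uniform baseline does not flag everything
    return {"mean": mean, "stdev": sd, "threshold": mean + sigmas * max(sd, 1.0)}


def anomaly_alerts(flows, profile):
    return [(src, n) for src, n in fanout(flows).items() if n > profile["threshold"]]


# Constructed traffic: a quiet baseline, then the same hosts plus a probing host.
NORMAL = [flow("10.0.0.1", "10.0.1.10", 80), flow("10.0.0.1", "10.0.1.25", 443),
          flow("10.0.0.2", "10.0.1.10", 80), flow("10.0.0.2", "10.0.1.11", 25),
          flow("10.0.0.2", "10.0.1.12", 80), flow("10.0.0.3", "10.0.1.10", 80),
          flow("10.0.0.4", "10.0.1.10", 80), flow("10.0.0.4", "10.0.1.25", 443),
          flow("10.0.0.4", "10.0.1.30", 445), flow("10.0.0.4", "10.0.1.31", 445)]

OBSERVED = NORMAL + [
    flow("10.0.0.7", "10.0.0.9", 2019),
    flow("10.0.0.9", "10.0.0.7", 69, b"\x00\x01update.exe\x00octet\x00"),
] + [flow("10.0.0.9", "10.0.2.%d" % i, 135) for i in range(1, 21)]


def run_ids(normal=NORMAL, observed=OBSERVED):
    profile = build_profile(normal)
    return {"signature": signature_alerts(observed),
            "anomaly": anomaly_alerts(observed, profile),
            "threshold": profile["threshold"]}


if __name__ == "__main__":
    for kind, hits in run_ids().items():
        print(kind, hits)
```

The two layers fail differently, which is the chapter's point: the signature rules are silent on the twenty probes to port 135 because nothing in the rule set describes them, while the fan-out profile catches the probing host but would equally flag a backup server or vulnerability scanner that legitimately touches many hosts, so such hosts need an allowlist or their own baseline.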
IPSs are also host and network based. Host-based IPS (HIPS) works to stop malware and
unauthorized processes at the compromised server or workstation. HIPS uses signatures and
patterns to identify unusual activity. Policies specify how the HIPS responds to such activity.
Responses can include terminating processes and blocking network traffic to or from a device.
Network-based IPS (NIPS) functions at the firewall level to inspect packets and identify
suspicious streams of packets. After a NIPS has identified a suspicious packet, the packet as well
as any other packets in the stream are discarded. Correctly identifying malicious packets is a
challenge and falsely identifying a legitimate stream of packets can prevent valid traffic and
degrade overall system functionality.
Integrating HIPS and NIPS with Identity Management systems allows for fine-grained access
controls coupled with the ability to immediately respond to violations of security policies. Both
antivirus and IDS play a role in safeguarding systems from becoming zombies for DoS and other
illicit attacks on other systems. Again, integrating and coordinating multiple security components
is an essential element of effective security management.
Data mining techniques are also being applied to intrusion detection. For a theoretical perspective on
this topic, see Lee and Stolfo’s “Data Mining Approaches for Intrusion Detection” at
http://citeseer.nj.nec.com/cache/papers/cs/3327/http:zSzzSzwww.cs.columbia.eduzSz~wenkezSzpaperszSzusenix.pdf/lee98data.pdf.
Content Filtering
Organizations that depend heavily on the Internet can find many products in the antivirus, anti-
spam, and code-filtering categories. These products generally focus on one functional niche and
operate independently of one another. To reduce the administrative burden of managing all of
these point solutions, an integrated, customizable, content-filtering solution is recommended.
Filtering for spam should use a multi-layered approach to differentiate between spam and valid
emails, such as global and individual white and black lists, heuristics, statistics, and realtime
blackhole lists (RBLs).
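The layers listed above, as an added example that is not code from the chapter or from any filtering product: global and per-user allow and deny lists are consulted first, then the relay address is checked against a blackhole list, and only then are heuristic signals and a naive Bayes word score combined. The lists, the training corpus, the sample messages and the RBL lookup table are all constructed; a real filter resolves the RBL query name over DNS (the name is built here exactly as a DNSBL client builds it, reversed octets plus zone) and trains the statistical layer on real mail.

```python
import math
import re
from collections import Counter

# Added example, not from the original chapter: a layered spam scorer. Lists,
# corpus, messages and the RBL stand-in are constructed for the demonstration.
GLOBAL_ALLOW, GLOBAL_DENY = {"partner.example"}, {"bulkmailer.example"}
USER_LISTS = {"alice@corp.example": {"allow": {"newsletter.example"}, "deny": set()}}
RBL_ZONE = "bl.example"                    # hypothetical DNSBL zone
RBL_LISTED = {"5.100.51.198.bl.example"}   # stands in for DNS: 198.51.100.5 is listed


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def rbl_query_name(ip, zone=RBL_ZONE):
    """Reverse the octets and append the zone, as a DNSBL lookup name is formed."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_listed(ip):
    return rbl_query_name(ip) in RBL_LISTED  # real code: A-record lookup of this name


# --- statistical layer: naive Bayes over a tiny constructed corpus --------------
TRAIN = [("spam", "free prize winner click here now"),
         ("spam", "urgent verify your account click link"),
         ("spam", "free money claim prize today"),
         ("ham", "meeting agenda for thursday attached"),
         ("ham", "please review the quarterly report"),
         ("ham", "lunch on thursday agenda update")]


def tokens(text):
    return re.findall(r"[a-z']+", text.lower())


def train(corpus):
    counts, docs = {"spam": Counter(), "ham": Counter()}, Counter()
    for label, text in corpus:
        counts[label].update(tokens(text))
        docs[label] += 1
    return counts, docs, set(counts["spam"]) | set(counts["ham"])


def spam_log_odds(text, model):
    """log P(spam|text)/P(ham|text) with add-one smoothing; > 0 means spam-like."""
    counts, docs, vocab = model
    totals = {k: sum(c.values()) + len(vocab) for k, c in counts.items()}
    lo = math.log(docs["spam"] / docs["ham"])
    for t in tokens(text):
        lo += math.log((counts["spam"][t] + 1) / totals["spam"])
        lo -= math.log((counts["ham"][t] + 1) / totals["ham"])
    return lo


# --- heuristic layer: cheap structural signals ----------------------------------
def heuristic_score(msg):
    score = 0
    if msg["subject"].isupper():                           # shouting subject
        score += 2
    if msg["body"].count("!") >= 3:
        score += 1
    if domain(msg["from"]) != domain(msg["return_path"]):  # mismatched envelope sender
        score += 2
    return score


def classify(msg, model, user):
    """Apply the layers in order: deny list, allow list, RBL, then combined score."""
    sender = domain(msg["from"])
    lists = USER_LISTS.get(user, {"allow": set(), "deny": set()})
    if sender in GLOBAL_DENY or sender in lists["deny"]:
        return "spam", "denylist"
    if sender in GLOBAL_ALLOW or sender in lists["allow"]:
        return "ham", "allowlist"
    if rbl_listed(msg["relay_ip"]):
        return "spam", "rbl"
    score = heuristic_score(msg)
    if spam_log_odds(msg["subject"] + " " + msg["body"], model) > 0:
        score += 2
    return ("spam" if score >= 3 else "ham"), "score=%d" % score


def msg(frm, rp, ip, subject, body):
    return {"from": frm, "return_path": rp, "relay_ip": ip, "subject": subject, "body": body}


MESSAGES = [  # constructed sample mail
    msg("news@newsletter.example", "bounce@newsletter.example", "203.0.113.7",
        "Weekly digest", "click to read this week's issue"),
    msg("offers@bulkmailer.example", "offers@bulkmailer.example", "203.0.113.8",
        "Deals", "great deals inside"),
    msg("alerts@bank.example", "x@random.example", "198.51.100.5",
        "URGENT ACCOUNT NOTICE", "verify your account now!!!"),
    msg("it@corp.example", "it@corp.example", "203.0.113.9",
        "Quarterly report", "please review the agenda for thursday"),
    msg("promo@deals.example", "b@other.example", "203.0.113.20",
        "FREE PRIZE WINNER", "click here to claim your free prize now!!!"),
]


def run_filter(user="alice@corp.example"):
    model = train(TRAIN)
    return [classify(m, model, user) for m in MESSAGES]


if __name__ == "__main__":
    for m, verdict in zip(MESSAGES, run_filter()):
        print(verdict, m["subject"])
```

The ordering matters: the deny list overrides everything, the allow list short-circuits the statistical layers (so a per-user allow entry lets the newsletter through even though its body contains spam-like words), and the RBL verdict is taken on the relay address rather than the forgeable From header.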