Security professionals are not at a loss for tools and applications to thwart threats to their IT infrastructure. So why do we need to consider yet another kind of application, this time for securing content?
The simple answer is that security tools are tuned for particular problems and no one tool will ever address all security needs. As new threats emerge, so will tools that address those threats. Consider some types of security tools and applications commonly found in enterprise IT environments:
There are other, more specialized tools and applications for security professionals but this list gives a sense of the breadth of security devices already deployed within enterprise environments. Do you really need another security tool thrown into the mix? Couldn't the need be filled by an existing tool or combination of tools?
The answers are, respectively, yes and no. Yes, there is a need for another type of tool to meet threats that are conveyed through content, such as email messages and Web content. The tools mentioned in the previous list are designed and configured to address a narrow range of problems, such as blocking access to ports. With the exception of antivirus software, the tools mentioned do not target the high-level content that moves in and out of a network.
To secure content, you need an application specifically designed for that problem. The characteristics of an appropriate tool include:
Figure 1.1: The OSI network model includes seven logical layers; security measures must address threats at every layer.
The best method for achieving all these objectives is to deploy a secure content application, service, or appliance.
A secure content device complements several of the security devices mentioned in question 1.1, including:
No single security device can address all security threats; in addition, some degree of overlap provides supplementary protection to an enterprise's information infrastructure.
Both secure content devices and desktop antivirus software scan for malware—why use both? Ideally, viruses, worms, Trojan horses, and other malware would never enter an enterprise network. Secure content devices scan network traffic that is likely to carry malware payloads—especially email, file transfer, and Web-based traffic. Secure content devices can identify and block malware at the perimeter of the network; however, there are other means for malware to enter the organization.
Mobile devices, especially laptops, are not continuously protected by secure content devices. Employees take laptops home to insecure home networks. Sales staff travels with laptops, connecting to the Internet from client sites, airports, coffee shops, and other points beyond the enterprise's control. These mobile devices must be protected while they are disconnected from the enterprise network by desktop antivirus software.
Also, although the majority of malware threats propagate through networks, they can still be transferred through shared storage devices. The earliest viruses traveled on floppy disks that were passed between PC users. Today, flash memory devices have largely replaced floppy disks as the preferred storage device for transferring data, but the problem remains the same: infected programs and documents can easily move from one computer to another. Desktop antivirus software can readily scan flash drives and eliminate known malware before it can infect another device.
Firewalls are the standard means for controlling the type of network traffic that enters and leaves an enterprise network. Firewalls are configured to allow traffic on necessary ports—for example, TCP port 80 for HTTP, 21 for FTP, and 23 for Telnet. When a service provided by a port is not needed, the port is blocked. Firewalls provide a first, coarse-grained line of defense; finer-grained security is required in addition.
The basic limit of firewalls is that they work with the structure of network traffic, not its content. For example, an infected file can be transferred into a network using ftp as long as the sender authenticates with the ftp server (assuming anonymous logins are not allowed) and the sender does not violate other basic constraints, such as exceeding storage limits. Similarly, a malicious application could use HTTP tunneling to transfer malware or use otherwise blocked protocols to communicate with malware already infecting a local device. This situation is especially problematic because of the high volume of HTTP traffic in enterprises. In one study of a large institution, more than 40 percent of all incoming and 90 percent of all outgoing traffic used HTTP.
Firewalls provide essential security functions but alone they are not enough. Secure content devices examine incoming traffic once it has passed the firewall (or before it reaches the firewall in the case of outgoing traffic). Rather than examining just the structure of the traffic (for example, "this is an SMTP packet"), they examine the content ("Lose weight while you work at home"), allowing the secure content device to identify spam and other unwanted content. IPSs are closely related to firewalls.
There are two types of intrusion prevention: host-based and network-based. Host-based IPSs protect individual servers and workstations from attacks that cannot, or at least are not, stopped by perimeter defenses, such as firewalls. Host-based IPSs detect anomalous behaviors on servers as well as truly suspect actions, such as an attempt to write a file from a Web browser or the escalation of local privileges.
Host-based IPSs can do some things that other network-based approaches cannot. For example, a host IPS can analyze the content of an encrypted message after it is decoded; a secure content device that monitors network traffic does not have access to the decrypted traffic.
Network-based IPSs use signatures, or patterns of traffic, to detect anomalies in network activity. As with host-based IPSs, there are some attacks that are difficult at best to detect with other methods. One of these attacks is known as Address Resolution Protocol (ARP) poisoning.
ARP is used to map from IP addresses to MAC addresses, the unique physical address on a network interface. ARP, like other Internet protocols, is quite trusting. Devices do not need to authenticate to send an ARP message to another device; any device (or attacker) can send a message telling a server that IP address A maps to physical address B. The server will store that information in an ARP table and use the physical address when addressing messages to IP address A. With ARP poisoning, an attacker can effectively re-route traffic away from a legitimate device to another, compromised machine. Network-based intrusion detection can detect this type of attack in the lower levels of the OSI network model.
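The detection side of the ARP poisoning scenario just described, as an added example that is not part of the original chapter: a minimal layer-2 monitor of the kind a network IDS runs, which learns each IP-to-MAC binding from ARP replies and alerts when a later reply claims a different MAC for an IP it already knows. The ARP records are constructed sample data, not captured traffic.

```python
"""Added example (not from the original text): a minimal ARP-poisoning
detector. It learns the first IP-to-MAC binding it sees for each IP address
and raises an alert when a later ARP reply claims a different MAC for the
same IP, which is how a network IDS spots the poisoned mapping described in
the text. SAMPLE_REPLIES is constructed data, not a real capture."""

from collections import namedtuple

ArpReply = namedtuple("ArpReply", "timestamp sender_ip sender_mac")

# Constructed sample ARP replies (timestamp, sender IP, sender MAC) as a
# sensor might log them. The last records claim a new MAC for the gateway
# (192.168.1.1) and for a workstation, the pattern of a poisoning attempt.
SAMPLE_REPLIES = [
    ArpReply(100, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(101, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(102, "192.168.1.21", "00:11:22:33:44:21"),
    ArpReply(160, "192.168.1.1", "00:11:22:33:44:01"),   # same binding, benign
    ArpReply(200, "192.168.1.1", "00:11:22:33:44:99"),   # gateway IP, new MAC
    ArpReply(201, "192.168.1.1", "00:11:22:33:44:99"),   # repeat, already known
    ArpReply(202, "192.168.1.20", "00:11:22:33:44:99"),  # same MAC now claims a 2nd IP
]


def detect_arp_changes(replies):
    """Return (bindings, alerts).

    bindings: the IP -> MAC table a host would build from these replies
              (last writer wins, exactly as the trusting ARP cache does).
    alerts:   one entry per reply that changed an already-learned binding,
              with the old and new MAC so an analyst can pivot on either.
    """
    bindings = {}
    alerts = []
    for reply in replies:
        known_mac = bindings.get(reply.sender_ip)
        if known_mac is not None and known_mac != reply.sender_mac:
            alerts.append({
                "timestamp": reply.timestamp,
                "ip": reply.sender_ip,
                "old_mac": known_mac,
                "new_mac": reply.sender_mac,
            })
        bindings[reply.sender_ip] = reply.sender_mac
    return bindings, alerts


def macs_with_multiple_ips(bindings):
    """MACs bound to more than one IP (a single attacker interface answering
    for both a gateway and a victim), mapped to the sorted list of those IPs."""
    by_mac = {}
    for ip, mac in bindings.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table, alerts = detect_arp_changes(SAMPLE_REPLIES)
    for a in alerts:
        print(f"t={a['timestamp']}: {a['ip']} moved from {a['old_mac']} to {a['new_mac']}")
    print("MACs claiming several IPs:", macs_with_multiple_ips(table))
```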
Both host-based and network-based intrusion detection provide defenses against particular types of attacks. Both protect information infrastructure, such as the integrity of network routing and the operating system (OS) access controls. These complement secure content devices that analyze the content that depends on that information infrastructure.
The foundation of a secure infrastructure is a set of well-defined policies governing several aspects of information security, including:
Information security policy administration tools are relatively new but are emerging to address the difficulties in managing silos of security. One of the key reasons to use policy administration is to centralize management of policies and reporting. This complements secure content devices by providing the means to report on events and defined policies within the secure content device.
Deploying multiple defensive layers is a standard practice in information security. Some countermeasures, such as network intrusion detection and firewalls, protect the transmission of network traffic. Host-based intrusion prevention and desktop antivirus software protect the integrity of OSs, applications, and data. Secure content devices protect against the introduction of malware, spyware, spam, and phishing attacks from entering a network. Together these and other tools provide a security infrastructure that can provide a layered defense and address a multitude of threats.
The Return on Investment (ROI) for a secure content appliance is based on a range of factors, including:
Clearly, some factors are easily quantified, such as the amount of storage that is taken up with spam. Others, such as lost employee productivity, can at least be roughly estimated. However, some of the largest factors, such as regulatory fines and lost intellectual property are difficult to assess. Nonetheless, organizations can perform some basic ROI analysis on secure content appliances.
ROI is one of a number of capital expenditure analysis calculations. Depending upon your needs, one or more of these calculations may be used to determine whether deploying a secure content device makes financial sense. The most commonly used calculations are:
Savings + Increased Revenue – Recurring Costs
Without going into the details of why the calculation is defined as it is, here is the basic formula for calculating ROI over a 3-year period:
[Net Benefit for Year 1 / (1 + Discount Rate) + Net Benefit for Year 2 / (1 + Discount Rate)^2 + Net Benefit for Year 3 / (1 + Discount Rate)^3] / Initial Costs
For more information about IRR, see "Internal Rate of Return Revisited" at http://members.tripod.com/~Ray_Martin/DCF/nr7aa003.html.
To assess the investment value of a secure content device, you need to include in calculations the costs of spam, viruses, phishing attacks, lost productivity that result from non-business–related Web activity, violations of regulations, and loss of intellectual property. The last two items are difficult to estimate. The following example will ignore those values, as they are very environment dependent—thus, the results of the calculations may underestimate the true value of the investment.
First, let's examine the cost of spam. There are basically three types of costs: lost productivity, additional hardware costs, and additional administrative costs. To calculate lost productivity, start with the number of email users, the average number of spam messages, and the time required to read and delete those messages. The basic formula for calculating lost productivity is:
Number of email users * number of spam messages per day per user * time in minutes to read/delete a spam message * (average hourly rate / 60) * number of work days per year
To calculate storage costs, start with the number of email users, the average number of spam messages, the average spam message size, the number of days the message resides on the server, and the average cost of storage. The basic formula for calculating spam storage costs is:
Number of email users * number of spam messages per day per user * average spam size (MB) * (average cost of 1MB of storage per year / 365) * number of days message stored
To calculate additional administrative costs, you need to estimate the number of minutes per day email administrators manage spam problems and the hours per month, on average, email administrators and systems administrators spend addressing storage and network traffic–related problems as a result of spam.
With these three factors—lost productivity, additional hardware costs, and additional administrative costs—you can estimate the cost of spam to an enterprise. Figure 1.2 shows an example calculation of a payback period.
Figure 1.2: Example savings and pay-back period on one component of a secure content device—McAfee SpamKiller anti-spam software.
To calculate the ROI of this investment, take the net benefit, divide it by 1 plus the discount rate, and divide the result by the initial costs. Assume the net benefit is the savings on spam costs calculated in Figure 1.2, $120,469, the initial costs are $7,185, and the discount rate is 6 percent. The ROI for this investment is:
ROI = ($120,469 / 1.06) / $7,185 = 1581%
For every dollar spent on spam protection, $15.81 is saved. The costs of other threats to secure content are calculated in a similar manner.
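The spam-cost formulas and the ROI calculations above, carried through in code as an added example that is not part of the original chapter. The organization-size inputs (users, spam volume, rates) are constructed illustrative values; the $120,469 net benefit, $7,185 initial cost and 6 percent discount rate are the chapter's own figures.

```python
"""Added example (not from the original text): the chapter's spam-cost and
ROI formulas as functions, so the figures can be recomputed for any
organization. Input values in main() are constructed except where the
chapter supplies them."""


def spam_lost_productivity(users, spam_per_user_per_day, minutes_per_message,
                           hourly_rate, work_days_per_year):
    """Annual productivity cost of reading and deleting spam (chapter formula):
    users * spam/day/user * minutes per message * (hourly rate / 60) * work days."""
    return (users * spam_per_user_per_day * minutes_per_message
            * (hourly_rate / 60.0) * work_days_per_year)


def spam_storage_cost(users, spam_per_user_per_day, avg_size_mb,
                      cost_per_mb_per_year, days_stored):
    """Annual storage cost of spam resident on the mail server (chapter formula):
    users * spam/day/user * size in MB * (cost per MB per year / 365) * days stored."""
    return (users * spam_per_user_per_day * avg_size_mb
            * (cost_per_mb_per_year / 365.0) * days_stored)


def roi_one_year(net_benefit, initial_costs, discount_rate):
    """Single-year ROI ratio: net benefit discounted one year, over initial costs.
    A ratio of 15.8 means $15.80 saved per dollar invested (1580 percent)."""
    return (net_benefit / (1.0 + discount_rate)) / initial_costs


def roi_three_year(net_benefits, initial_costs, discount_rate):
    """Three-year ROI ratio (chapter formula): each year's net benefit is divided
    by (1 + discount rate) raised to the year number, the three discounted
    benefits are summed, and the sum is divided by the initial costs."""
    discounted = sum(benefit / (1.0 + discount_rate) ** year
                     for year, benefit in enumerate(net_benefits, start=1))
    return discounted / initial_costs


if __name__ == "__main__":
    # Constructed organization: 200 mailboxes, 10 spam/day each, 0.2 minutes
    # per message at $30/hour, 250 work days; 0.05 MB per spam kept 30 days.
    productivity = spam_lost_productivity(200, 10, 0.2, 30.0, 250)
    storage = spam_storage_cost(200, 10, 0.05, 3.65, 30)
    print(f"lost productivity: ${productivity:,.2f}")
    print(f"spam storage:      ${storage:,.2f}")

    # Chapter figures: $120,469 net benefit, $7,185 initial cost, 6% discount.
    roi = roi_one_year(120469, 7185, 0.06)
    print(f"one-year ROI: {roi * 100:.0f}%  (${roi:.2f} saved per dollar spent)")
    roi3 = roi_three_year([120469, 120469, 120469], 7185, 0.06)
    print(f"three-year ROI with the same benefit each year: {roi3 * 100:.0f}%")
```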
The Cost of Viruses
Spam is constant, so users are always having to deal with it. Viruses, while still prevalent, do not present the same constant and sustained level of success in reaching targets. Therefore, one of the key factors in estimating the value of antivirus devices is understanding the probability that a virus will successfully infect an unprotected device. The other factors, which Figure 1.3 shows, are comparable to those used in the spam calculation.
Figure 1.3: Example savings and ROI ratio for antivirus protection.
Checking personal email, shopping online, browsing online casinos, and other non-business–related activities can put a drain on productivity. Secure content devices can prevent not only malware and unwanted content from entering an enterprise network but also users from browsing sites unrelated to business operations. Even a cursory examination of Web logs can give some indication of the level of this problem within an organization. How many users are visiting time-wasting sites? What is the duration of time spent at those sites? With estimates of those two measures, you can calculate the expected savings in productivity by blocking those sites.
However, blocking sites does not guarantee that the time will be used 100 percent productively. When calculating productivity savings, consider using an adjustment factor to account for this fact.
The ROI from a secure content device is substantial even when considering only easily quantifiable measures, such as savings due to spam and virus protection. "Soft" benefits—such as avoiding regulatory fines and preventing the disclosure of proprietary and trade secret information—provide additional, but difficult-to-quantify incentives for investing in secure content devices.
For the past several years, governments have been actively changing the regulatory environment with respect to personal privacy and the integrity of business information.
There has been growing concern over the use of private information for unauthorized business purposes. For example, should a pharmaceutical company know of a patient's congenital heart condition so that they can market a new cardiovascular drug? Should banks be allowed to share account information with business partners so that their partners can sell personal financial planning services? The consensus answer to these and similar questions is no. The widespread adoption of privacy protections has been rapid in the United States, the European Union, Canada and Australia. Some well-known regulations governing personal privacy include:
The details of these regulations vary, but the objectives and requirements are similar. First, organizations must exercise due care when collecting and storing personal information. In some cases, regulations define the circumstances in which information may be shared. For example, under HIPAA, physicians can share information about a common patient but not with drug company sales persons. To limit a company's exposure with regard to privacy protection, most will implement access controls.
Access controls are physical and technical safeguards used to protect the integrity and confidentiality of data. Typical controls include access control lists (ACLs) and file protections that define which users may read and change data. Although these are essential controls, they are not always sufficient. Consider the following two examples.
A hospital administrator receives a request from an executive steering a committee working on long range plans for hospital expansion. The committee needs aggregate information about the geographic distribution of patients and the types of medical services provided to patients from various areas. The administrator is pressed for time and cannot assign anyone to summarize the raw data; instead, he or she sends a database extract with detailed patient information, including personally identifying information. The steering committee is not making medical evaluations of those patients, so their detailed, personal information should not be shared. An access control system will not prevent this violation because the administrator has legitimate access to the data on a day-to-day basis.
What is needed in this case is a content-based control such as a content filter that can be configured to detect patterns indicative of personal medical records. For example, if data is frequently shared between systems in the hospital and with resident doctors' offices, there may be a standard program for extracting a patient record. This program may use a well-defined XML schema with labels such as Patient-First-Name, Patient-Last-Name, and Primary-Diagnosis. These labels can be detected as data is transmitted across the network and, depending upon other conditions in the filter rules, the transmission can be blocked (see Figure 1.4).
Figure 1.4: Extracted data analyzed by a content filtering mechanism can prevent the transmission of protected data.
In this case, there may be no intent to violate the regulation, the busy administrator just did not know that the extract with personally identifying information should not have been copied to others outside of the hospital's group of medical professionals. Not all violations are so benign.
In the past, criminals robbed banks because that is where the money was. Now, stealing identities can lead to the money. Several high-profile security breaches of credit card processing and financial institutions are raising awareness of the threat of identity theft that results from poor security measures. Perhaps the most telling example to date is the exposure of as many as 40 million credit card accounts due to a breach at CardSystems, a one-time transaction processor for MasterCard, Visa, and American Express.
Businesses, governments, and other organizations with responsibility for protecting financial and personal data will often use several security mechanisms including access controls, firewalls, and intrusion detection systems (IDSs). Even with these safeguards in place, users inside the organization with knowledge of systems, patch levels, and application vulnerabilities can avoid security countermeasures and access confidential data. However, when that information is transmitted, it is subject to analysis by content filtering safeguards—preventing unauthorized transmission of protected data.
Filters could be constructed, for example, to detect patterns indicating credit card information being sent outside the organization—for example, a 16-digit number (credit card number) followed by a 4-digit number with the first two digits representing a number between 1 and 12 (the expiration date) being routed to an address outside the network (see Figure 1.5).
Figure 1.5: Depending on the content and the location of the recipient, a content filter can prevent protected data from being transmitted outside an intranet.
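An outbound content filter implementing both rules described above (the patient-record XML labels from the hospital example and the card-number-plus-expiry pattern routed to an external address), as an added example that is not part of the original chapter. The Luhn checksum on candidate card numbers goes beyond the text; it is the standard validity test for card numbers and removes false positives on arbitrary 16-digit strings. The mail domain and sample messages are constructed.

```python
"""Added example (not from the original text): an outbound content filter
that blocks protected data bound for recipients outside the intranet.
Rule 1: the patient-record XML labels named in the chapter.
Rule 2: a 16-digit card number followed by a 4-digit MMYY expiry (month
01-12), as the chapter describes, tightened with a Luhn check.
INTERNAL_DOMAINS and all messages are constructed sample data."""

import re

INTERNAL_DOMAINS = {"hospital.example"}   # constructed: the intranet's mail domains

# XML labels the chapter gives for an extracted patient record
PHI_LABELS = ("Patient-First-Name", "Patient-Last-Name", "Primary-Diagnosis")
PHI_TAG_RE = re.compile(r"<(%s)>" % "|".join(re.escape(l) for l in PHI_LABELS))

# 16 digits (optionally space- or dash-separated), a short non-digit gap,
# then a 4-digit MMYY expiry whose month is 01-12
CARD_RE = re.compile(
    r"(?<!\d)((?:\d[ -]?){15}\d)\D{1,10}?((?:0[1-9]|1[0-2])\d{2})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812): true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def is_external(recipient):
    """True when the recipient's domain is not one of the intranet's domains."""
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inspect_message(recipient, body):
    """Return (action, reasons). Protected content is recorded in reasons for
    any recipient; the action is 'block' only when it leaves the intranet."""
    reasons = []
    labels = sorted(set(PHI_TAG_RE.findall(body)))
    if labels:
        reasons.append("patient-record labels: " + ", ".join(labels))
    for number, expiry in CARD_RE.findall(body):
        digits = re.sub(r"[ -]", "", number)
        if luhn_ok(digits):                # drop random 16-digit strings
            reasons.append(f"card number ending {digits[-4:]} with expiry {expiry}")
    if reasons and is_external(recipient):
        return "block", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed messages: a patient extract and a card number, each sent
    # once outside the intranet and once to an internal colleague.
    extract = "<Patient-First-Name>Jane</Patient-First-Name><Primary-Diagnosis>...</Primary-Diagnosis>"
    card = "Card 4111 1111 1111 1111 exp 1227 thanks"
    for rcpt, body in [("planner@outside.example", extract),
                       ("dr@hospital.example", extract),
                       ("buyer@outside.example", card)]:
        print(rcpt, inspect_message(rcpt, body))
```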
Security professionals have long known that no single security safeguard will eliminate threats to information systems and their data. Multiple countermeasures are required to reduce the wide variety of threats that are present today. Content filtering is one layer of a multi-layered defense against privacy violation as well as other compliance violations.
Names such as Enron, Tyco, and WorldCom once elicited images of successful companies that set standards for performance in the market. Now they are more likely to conjure images of executives entering federal courthouses and stories of lost investments. Governments, especially the United States federal government, have reacted to these and other corporate scandals with laws designed to preserve the integrity of information provided to investors and other stakeholders in public companies.
The best-known regulation governing the integrity of business information is the United States' Sarbanes-Oxley Act. For IT professionals, Sarbanes-Oxley creates new demands for ensuring integrity of financial reports, for establishing internal procedures appropriate to ensure data integrity, and for reporting material changes in a company's operations. Other well-known regulations target particular industries, such as the Gramm-Leach-Bliley Act which applies to banks, and Title 21, Code of Federal Regulations, Part 11 (21 CFR Part 11), which applies to the pharmaceutical industry.
These regulations cover a broad range of topics but can be distilled to a set of core principles with respect to the due care that is required to protect information. Businesses must be able to:
Secure content devices can contribute substantially to the multiple layers of security measures that must be in place to meet these regulations.
The primary defenses for protecting privacy and integrity are access controls. Users should be granted permission to view and change data based on their role in an organization. However, primary defenses are not enough:
Secure content devices provide additional levels of protection in these cases. For example, in the case of the disclosed password, the unauthorized user may use the stolen credentials to log in remotely to a server. The unauthorized user may then attempt to download a file with customer names and credit card numbers. If the secure content device is configured to detect the proper patterns (for example, file headers, credit card number, key phrases, and so on), the file transfer will be blocked. The device could also block the transfer of data when an attacker exploits a vulnerability on a compromised server and attempts to copy sensitive information.
Spyware and keyloggers are especially menacing because large numbers of these threats can be deployed to automatically transmit significant amounts of information. Once the information is transferred to servers controlled by the perpetrator, text processing tools can be used to scan large amounts of data looking for valuable information, such as Social Security numbers, bank account numbers, and credit card numbers. Secure content devices can detect those same pieces of valuable information and prevent them from being transmitted in the first place.
The first step in educating users about spyware, spam, and phishing is to explain the nature of the problem and the consequences of unwanted emails and programs.
In addition to using spyware blocking and removal tools, there are several steps users can take to reduce the chances of a spyware infection. These include:
Figure 1.6: Configuring browser security settings is one step to reducing the chances of a spyware infection.
Mozilla Firefox, another popular browser, has fewer known vulnerabilities than IE and is thus a good option for security-conscious users. As with IE, Firefox users can disable the automatic installation of software, as Figure 1.7 shows.
Figure 1.7: Firefox allows users to disable the automatic installation of software.
If the "Allow web sites to install software" option is selected, users can specify which sites are allowed to install software (see Figure 1.8).
Figure 1.8: Firefox allows users to list trusted sites for the purpose of automatically installing software.
It's safe to assume spam will always be with us. Although spam filtering can be quite successful, reaching into the 90+ percent success rates for blocking spam, it's better to never receive spam in the first place. The following list highlights options for minimizing the amount of spam you receive:
Phishing attacks are a more troubling type of spam that warrant their own set of guidelines.
Email users should understand the following about phishing attacks:
• Phishing is a form of social engineering, otherwise known as a con. The phisher gains the confidence of their target and then elicits useful information.
As with other security threats, phishing is a process of evolving threats and countermeasures. As email users become more educated about the nature and consequences of phishing, phishers have to hone their appeals. The latest evolution of phishing has earned the name "spear-phishing" because it uses low volumes but highly targeted phishing emails. This method makes these types of attacks more difficult to detect by businesses and more likely to fool the intended victim.