Secure Content Appliance Performance

What are threats to content and information assets must organizations address?

The major threats to information assets include:

  • Viruses, worms, and other malware
  • Spam
  • Phishing scams
  • Spyware

Left unchecked, these threats can leave organizations with compromised computers, security breaches, loss of information, identity theft victims, and reduced ROI on information technology (IT) investments because resources are consumed with non-business related content.

Viruses, Worms, and Other Malware

Malicious programs have evolved from small, machine-language programs propagated by sharing floppy disks to sophisticated collections of programs that can gain control of systems, steal personal information, and replicate rapidly. This malicious software, or malware, falls into several broad categories:

  • Viruses
  • Worms
  • Trojan horses
  • Keyloggers
  • Backdoors
  • Rootkits

Viruses

Viruses are malicious programs that attach themselves to other programs to execute and propagate. Viruses can run either as executable programs or as macro-viruses embedded in applications, such as Microsoft Word. Viruses consist of two basic parts, a replication mechanism and a payload, the destructive part of the virus.

In the early days of antivirus protection, vendors could discover identifying patterns within a virus that uniquely identify that virus. This identification allowed researchers to create libraries of signatures to detect a virus that could then be removed or at least quarantined. Virus writers responded with encryption to hide the tell-tale signs of a virus, then with the development of mutating viruses, which change in structure but retain the same functionality.

Mutating viruses require a radically different detection approach: rather than look for the same pattern, antivirus researchers must look at the behavior of a program to determine whether it is malicious. Some indicators are commands to change a file without first being commanded by a user and writing to particular memory locations used for low-level system tasks.

Worms

Worms are similar to viruses in that they are malicious programs that self-propagate. Unlike viruses, worms do not depend upon other programs. Worms exploit vulnerabilities in systems and move, sometimes quite rapidly, from one system to another.

One of the most famous worms is SQL Slammer, which flooded large sections of the Internet within 15 minutes of it release. SQL Slammer exploited a vulnerability in Microsoft's database, SQL Server, forcing unpatched servers to generate database server requests sent to random IP addresses. The worm was not sophisticated in how it targeted other victims; instead it depended upon flooding the Internet with packets knowing at least some of the requests would target a SQL Server database.

SQL Slammer demonstrated the need for both patching and content filtering. Once a malicious piece of software is released on the Internet there may be little time to craft a custom response.

Trojan Horses

Trojan horses are programs that appear to serve one purpose and actually perform another. A program that promises to synchronize your desktop computer's clock with a highly accurate atomic clock but also collects personal information about your surfing habits is a Trojan horse.

Trojan horses, unlike other malware, may be installed intentionally on a system. A user may not realize that a peer-to-peer (P2P) file sharing application he or she downloads to share music files also contains a program to capture usernames and passwords that are then transmitted to an attacker's server. Again, content filtering can help identify malicious programs that are brought into a network intentionally, albeit, under false pretenses.

Keyloggers, Backdoors, and Rootkits

Keyloggers, backdoors and rootkits are some of the most dangerous forms of malware. Keyloggers simply record keystrokes and send the captured information back to an attacker for analysis. Text scanning programs can quickly analyze those files for personal information, such as Social Security numbers, bank account numbers, credit card numbers, as well as usernames and passwords.

Backdoors are changes to a system's configuration and create a way for an attacker to gain control of a system. Creating an administrator or root account controlled by the attacker is one example of a backdoor.

Rootkits allow attackers to gain control of a system but also hide the attacker's tracks, making detection especially difficult. As rootkits can gain control over any aspect of an operating system (OS), the only way to ensure the malware is eliminated is to format all drives and restore the system from a known uninfected backup.

Spam

Spam is unwanted, unsolicited email. Spam not only wastes the time of end users but also taxes system resources, such as storage and bandwidth. In addition, it places demands on email administrators who have to manage the additional volume of email.

The key to controlling spam is to identify it as it comes into the network and deleting or quarantining it. This ability assumes that the spam detection software is highly accurate: it does not identify legitimate mail as spam (known as a false positive) or miss identifying spam (a false negative).

Phishing scams

Phishing scams are cons that use email to lure victims into divulging personal information of sending money to a bogus charity or get rich scheme. Phishing scammers masquerade as legitimate businesses (banks, eBay, and PayPal are favorites of phishing scammers) by sending emails with official logos and urgent messages about the need to update account information or verify personally identifying information.

Once they have the victims' attention, scammers lead victims to Web sites that appear legitimate but are actually phony versions set up to capture information such as bank account numbers, usernames, and passwords. Phishing scams are difficult to detect and user education is one of the best defenses for this threat.

Spyware

Spyware, sometimes called adware, is malicious code that captures information about users and their online activities without their knowledge. In addition to violating users' privacy, spyware can negatively impact system performance. Consequences of spyware include:

  • Loss of privacy and identity theft
  • Decreased system performance
  • Disabling security software, such as antivirus and firewalls, which leaves systems vulnerable to other malware infections
  • Displaying unwanted pop-up advertisements
  • Changing host files and other networking files causing users to unintentionally navigate to spyware-promoted sites.

As with other malware, spyware can be removed, but it is better to prevent its introduction in the first place by filtering content and blocking spyware.

How can an organization protect against spyware?

Spyware, and its slightly more benign variation, adware, are programs that track user's activities and gather information without the user's knowledge. Unlike viruses and worms, spyware is not intended to cause direct and immediate damage to IT infrastructure. Instead, these programs are designed to collect information about users' identities, including account numbers, drivers' license numbers, usernames, passwords, Social Security numbers, and other personal details. This information is transmitted back to those who deployed the spyware.

Regardless of the original intent, spyware often leads to poor system performance and unstable systems. Multiple infections result in numerous processes consuming system resources and interacting in unpredictable ways. Some spyware changes system configurations, for example, turning off firewalls to ensure the spyware can function as expected. This behavior leaves infected systems open to further damage from other malware. Spyware is used to distribute advertisements, aid in identity theft, and perform affiliate fraud to steal fees from legitimate referring sites.

Keeping Spyware Out

The best way to deal with spyware is to keep it off your network. Perimeter defenses, including a secure content appliance, can block spyware as it enters the network. Spyware, like viruses and spam, can be detected using signature matching engines. This detection requires a library of upto-date spyware signatures and a high-performance pattern-matching engine that can scan incoming traffic.

Define a Spyware Policy

Using the Internet inherently requires a balancing of risks and benefits. Spyware is one of those risks, and organizations should articulate the tradeoffs they are willing to make in balancing the utility of Internet services. A policy should include:

  • A statement of acceptable use with regard to Internet sites. Spyware is often downloaded from popular entertainment sites and peer-to-peer networks.
  • A description of the protocols that will be scanned, how spyware will be disposed of, and acceptable impact on network performance by spyware-scanning tools.
  • A general approach to monitoring and event response. Procedures should be defined with detailed descriptions of how to respond to particular events; for example, if more than x pieces of spyware are detected from a site, the URL for that site will be added to the content filter blacklist.

Once a spyware policy is in place, its objectives should be implemented using a secure content appliance along with user education and maintenance procedures.

Scanning Multiple Protocols

Spyware can travel over multiple protocols. Someone browsing a peer-to-peer site opens up his or her system to downloading spyware at the same time. A blended threat piece of malware attached to an email can include keylogging and cookie tracking programs that record a user's online activity. Spyware can also come in a Trojan Horse, such as a utility downloaded via FTP that supposedly keeps your computer's clock synchronized with an atomic clock. It is essential to scan HTTP, FTP, SMTP, and POP-3 traffic as it enters the network.

Monitoring Spyware Detection

In addition to understanding the importance of blocking spyware, security administrators must grasp the volume of spyware reaching the network perimeter. Sudden spikes in spyware detection may indicate:

  • An increase in spyware deployment on the Internet in general
  • Better detection of spyware by the secure content appliance
  • An increase in user browsing and downloading at sites from which spyware is launched
  • An increase in spyware components included in blended threat viruses

We will likely have to live with the ever-increasing spyware deployments on the Internet for the foreseeable future; there is not much we can do, from a technical perspective, to slow that trend. Legislative and legal means might ameliorate that problem some. but we should assume spyware, like viruses, are a threat that cannot be eliminated but can be controlled. Better detection methods will also lead to increases in spyware detection and of course are welcome.

The third cause of increased spyware detection is best addressed by user education and clearly defined policies on legitimate use of IT infrastructure. Analysis of logs can identify the sites at which spyware is entering the network and the URLs can be blocked using content filtering functions of the secure content appliance.

As companies and other organizations get better at patching operating systems (OSs) and locking down networks, attackers will find other vulnerabilities to exploit in the never-ending cat-andmouse game of creating new threats in response to countermeasures deployed by security professionals. Keylogging and URL hijacking are just two ways attackers can collect useful information—both can be done with spyware.

Understanding changes in the patterns of spyware detection can help administrators better pinpoint the specific threats to their organizations.

Educating Users

Like so many other areas of information security, user education is a key element of a successful strategy. Users must understand how spyware works, how it gets onto computers, and how to minimize the chance of getting stuck with it. When users understand this malware can steal personally identifying information, reduce system performance, and lead to unstable systems, they will have plenty of incentive to help address the problem.

How can an organization protect against phishing?

Phishing is the practice of tricking individuals into disclosing private information, especially financial and identifying information. Organizations should implement both educational and technical measures to protect against phishing.

Technical Controls for Phishing

Phishing attacks, like spam, have distinguishing characteristics that make automatic detection possible. Content filtering, such as that provided by a secure content appliance, can identify and block many phishing attacks. Some of the tell-tale signs of a phishing email are:

  • Requests for account numbers, Social Security numbers, or other identifying numbers
  • Requests for funds in return for exceptional returns later
  • Links to Web sites with names similar to legitimate financial institutions' Web sites Phishing perpetrators are adapting their techniques to avoid detection. Researchers at the AntiPhishing Working Group found that although the number of phished brands remains about the same, phishers are now targeting smaller brands, making the pool of potential targets much larger. Nonetheless, technical measures can effectively reduce the threats from phishing attacks.

For example, antivirus techniques can counter phishing attacks that deploy keylogging malware to capture passwords and account numbers. An emerging threat is the use of Trojan programs that change users' host files in order to redirect users from legitimate bank sites to phishing sites. Again, antivirus-type scanning can detect and prevent this type of malware from reaching users' desktops. Another technique for controlling phishing is URL filtering. As phishing sites are discovered, they can be include on URL blacklists to prevent users from inadvertently reaching those sites and disclosing usernames, passwords, and account numbers.

Technical countermeasures that include content filtering, antivirus scanning, and URL blocking will contribute to reducing the risk of phishing, but no technical solution will be 100% effective. Phishers are constantly changing and adapting techniques in response to these technical countermeasures. Educating users will continue to be another essential component in the battle with phishers.

User Education About Phishing

When users understand the threat of phishing and are made aware of the techniques used by phishers, they have a better chance of avoiding the scams. The Anti-Phishing Working Group has compiled several suggestions for avoiding a phishing scam:

  • Use caution with emails or other messages asking for financial account information, especially if the message is not personalized.
  • Do not trust messages from financial institutions that are not digitally signed, they may be spoofed messages.
  • Avoid filling out online forms that prompt for personal information.
  • Check URLs that should be secured; the URL of such sites begin with https:, not http:
  • Patch your browser

In addition to these measures, consider the recommendation from the United States Computer Emergency Readiness Team (US-CERT) issued in 2004 that recommended Microsoft Internet Explorer (IE) users switch browsers because of security flaws in the domain/zone security model, the DHTML object model, MIME-type detection, and ActiveX.

How can an organization minimize spam?

Spam will not be eliminated in the foreseeable future, but there are several measures organizations can take to minimize spam:

  • Educate users
  • Filter content to prevent spam from entering the network
  • Prevent inadvertent relaying of spam
  • Prevent Trojan horse programs from distributing spam through your computers

These measures use a combination of human and technical countermeasures to decrease the likelihood of spam.

Educate Users

Getting a spam message in front of a reader is a key goal of spammers; it is also a critical point for actions that can affect the level of spam this person receives. If spam does make it to a user's inbox, the user should flag the message as spam or junk mail if their email client has a built-in filter. In addition, the user should not

  • Reply to the message
  • Unsubscribe to the message
  • Buy anything solicited by the email
  • Click on a link embedded in the email

These actions will inform the spammers they have found an active email address. In the case of clicking on a link, making a purchase, or even just loading an HTML-based email, which sends back tracking information, these actions can improve the effectiveness of spam. The cost of spamming is so low (especially when the spammers use computers and bandwidth belonging to someone else) that even a small number of responses can make the whole spamming operation worth their efforts.

In addition to properly handling spam, users should provide their email addresses only to trusted parties. When signing up for online services, users should read the privacy agreement and understand for what purposes their email addresses will be utilized and whether their addresses will be sold to a third party. Do not post a personal email address online. Also, do not forward email from an unknown sender; doing so may lead to another user replying to the original spam, purchasing something from the spammer, or otherwise contributing to the success of the spam operation.

Do Not Contribute to the Problem

Also, organizations should make sure they are not contributing to the problem. First, ensure that email servers do not provide for third-party relay. This service is provided by email servers that allow external users to send messages through the server without checking that the sender is a legitimate user. This feature of email servers allows spammers to use the resources of other organizations to send their junk email. To help minimize spam and reduce the threat of impacting the efficiency and productiveness of your own servers, configure email servers to prevent thirdparty relay.

The secure content appliances have to act as relay agents, so it is important to configure the appliances to relay only locally originating mail. Adding at least one entry to the local domains list on the appliance will enable anti-relaying functions and protect against spammers appropriating your mail services. This entry should be added when the appliance is installed. An open relay can easily be discovered on the Internet, often in a matter of just several hours.

Do Not Become a Zombie

Zombies are computers that have been compromised to the point where an attacker can control the functions of the computer. A number of well-known blended threats (malware that includes multiple pieces of malicious code, such as a virus, worm, Trojan horse, keylogger, and video frame grabber) include code to gain some control over the infected computer. Once in place, the malware opens a communication channel with a chat room or private server where it finds additional instructions, updated code, or new code to execute on the compromised machine. Networks of these zombie computers may be used by spammers to conduct their mass mailings.

To prevent this type of breach, use layered defenses, including desktop antivirus software, network and personal firewalls, and content filtering on the network. A secure content appliance provides effective countermeasures to several different types of threats and provides a first line of defense to keep servers, desktops, and other network devices from becoming unwitting participants in a spammer's efforts.

How can an organization implement better access controls to Internet content?

Controlling access to the Internet content is a challenge. Browsers are ubiquitous, there are many sites accessible to users, and the number and nature of sites are changing constantly. Rather than defining access controls on all objects, as is commonly done with operating systems (OSs) and applications, systems administrators are better able to manage Internet content by applying filters as the content is accessed. This method changes the typical access control model of "User A is allowed to perform operations 1, 2, and 3 on file X" to "Users are not allowed to download content from the following sites..."

Content filtering is the process of blocking access to sites listed in a library of banned sites. These libraries, known as black lists, categorize URLs into groups such as entertainment, gambling, shopping, sports, and so on. Effective blacklists can range in size from hundreds of thousands to millions of URLs. As Web content changes constantly, URL blacklists should be updated frequently. At the same time administrators are blocking known banned sites, they may also know of specific sites that should not be accessed from business systems. Blacklists are used to block all content sites regardless of the content. Similarly, white lists are used to ensure that sites with legitimate use in business operations, such as business partners' Web sites, professional references, and general information sites, are always accessible.

As network scanning appliances are typically placed just inside the firewall, they are ideally positioned to scan content as a form of Internet access control. An additional benefit of an appliance-based approach to Internet access control is that antivirus and anti-spam services are available as well. If a user manages to access an untrusted site, such as a peer-to-peer file-sharing network used for downloading shareware, for example, and downloads an infected file, the antivirus scanner will be able to stop the virus before it can infect local devices.