Infosecurity Europe 2005.


The scary truth about the fragile Internet

Per Olav Forland and Ella Maehlumshagen, Norman ASA

It is hardly controversial to claim that the beginning of 2005 was a fairly rough period regarding the sheer number of new malicious programs threatening the Internet community. New variants of Bagle, MyDoom and Sober appeared and spread on a daily basis--sometimes even more than once per day.

Recent attacks have given us reason to believe that we are witnessing a war between different groups of malware writers. If this is true, lots of "innocent bystanders" were severely harmed by this "shoot-out". Some of the latest malware analyses have also made us aware of the fact that virus authors can cooperate in a way that makes the attacks even harder to discover and more difficult to stop. While investigating some of the latest attacks it was discovered that the authors of Bagle and Zafi were actually using each other's techniques to make the attack worse. They did not meet each other physically, but they were using each other's information and techniques in order to inflict the most possible damage. Undoubtedly, this is a scary trend that poses large threats to the IT community: criminals joining forces and sharing information with the intention to cause damage and perform illegal actions such as fraud and theft, to mention only some of the possible threats.

The latest development has clearly shown that the trend towards increased criminalisation of the Internet will continue. As a consequence, the antivirus vendors have to be on high alert around the clock, and spare time is no longer a familiar word.

The "perfect" piece of malware

In 1988 the Morris Worm appeared, sending shock waves through the world while demonstrating the fragility of the Internet. Since that time several papers have been written about how to create the perfect piece of malware. Various propositions have been mentioned. Roelof Temming, and the group Stuart Staniford, Vern Paxson and Nicholas Weaver, have written two extremely interesting articles about the fragility of the Internet, focusing on the fatal consequences that might be realised when a worst case scenario attack happens. An interesting point is that the issue is how, not if, it can happen.

As Temming claims in his article "Worst nightmares come alive?", the Internet is actually more fragile today than it was ten years ago. Why? First of all: ten years ago the Morris Worm used weaknesses common to UNIX systems to propagate itself. Today most desktop computers are using Windows operating systems from Microsoft. A single program could attack all these machines. Ten years ago the Internet was used by an elite group of specialists and professionals. Today the average user can't tell email from "mpeg". While the early users of the Internet were limited to only a selected group of persons, IT today is major business.

All of this makes the systems more fragile and easy to exploit. Temming carefully describes how easy it is for potential malware authors to exploit the systems, paying explicit attention to the trojans/viruses that are proliferating by the use of so-called robots.

Unlike Temming's article, the Staniford/Paxson/Weaver paper approaches the threats from a scientific angle, including the use of mathematical models based on the actual behaviour of previous malware, and the use of these models in analysing "better" constructed malware. Both articles argue that it is surprisingly easy to create a malicious program that can infect more than one million computers in a very short time. And with that many infected computers under a malicious person's control, the Internet will be unsafe for a very long time.

Let us examine some of the characteristics of a perfect piece of malware, based on the paper by Staniford, Paxson and Weaver.

Let us assume that a person's goal is not only to wreak havoc by spreading a program with no payload. She has a much more ambitious end, as she intends to control the Internet to some extent, including shutting down part(s) of the Internet and/or particular domains. The malicious person with evil intent aims to "own the Internet", not by offering a bulk of money, but by seizing it by use of malware. The first step for her would be to distribute this malware. A clever way to do this is to use worms as the spreading mechanism. The authors do not use the term "worms" for programs that spread by email attachments; worms in this context are defined as programs that replicate themselves by using security flaws as the spreading mechanism instead of human interaction. The advantage of this is that the malicious person is not dependent on any other humans than herself. She only has to 'trick' computers, and this facilitates easy testing and fine-tuning of the malware.

We have seen examples of such worms all through the history of the Internet. The previously mentioned Morris worm was the first (famous one at least). More recent examples are the Code Red worms, Nimda, SQL Slammer and the Blaster worms. The disadvantage of this technique is, however, that when a vulnerable program is patched, this spreading mechanism does not function any more. It may therefore be smart to add additional spreading mechanisms. To avoid detection during the initial spread (by the worm itself), the initiator of the malware builds into it a facility to switch to other spreading mechanisms at a certain point in time after the initial worm has infected a computer. This technique enables the malware to live much longer, as it is able to spread even though the systems vulnerable to the worm are patched. We saw this clearly by comparing the Code Red worms and Nimda. The latter had additional methods for spreading and endured a much longer life as active malware. Additionally there are several other spreading mechanisms that the malicious writer can use--permutation scanning, topological scanning and Internet-scale hit-lists, to mention a few.

How to defend yourself

Obviously, with worms spreading as fast as those discussed here, human action cannot possibly defend against the infection of such a large number of computers. As we have seen in the scenario above, our evil person has been able to infect almost all vulnerable computers on the Internet with her malicious program. This could have happened so fast that thousands of computers were infected without anyone's knowledge.
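To make the speed claim concrete, here is the logistic model that Staniford, Paxson and Weaver use for a random-scanning worm, worked through in Python. This is an added example, not code from the paper, from Norman or from the article's authors; the host count and the values of K and T are constructed for illustration. The `response_window` function is the defender's reading of the model: the time between the worm becoming noticeable and containment being pointless depends only on the compromise rate K, and for a span from 1% to 50% infected it is ln(99)/K hours whatever T is.

```python
"""Logistic model of a random-scanning worm.

Staniford, Paxson and Weaver ("How to Own the Internet in Your Spare Time")
model a random-scanning worm with the same logistic equation used for
epidemics:

    da/dt = K * a * (1 - a)        a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})

a(t): fraction of vulnerable hosts compromised at time t (hours)
K   : initial compromise rate (new infections per infected host per hour
      while the infected fraction is still small)
T   : time at which half of the vulnerable hosts are infected

The parameter values used below are constructed for illustration; they are
not measurements taken from the article.
"""
import math


def infected_fraction(t, K, T):
    """Closed-form solution a(t), evaluated in a form that cannot overflow."""
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def time_to_fraction(target, K, T):
    """Invert a(t): the hour at which the infected fraction reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    return T + math.log(target / (1.0 - target)) / K


def response_window(K, detectable=0.01, lost=0.5):
    """Hours between the worm becoming noticeable (`detectable` fraction
    infected) and containment being pointless (`lost` fraction infected).
    T cancels out: the window depends only on the compromise rate K."""
    return time_to_fraction(lost, K, 0.0) - time_to_fraction(detectable, K, 0.0)


def simulated_fraction_at(t_end, K, T, dt=0.001):
    """Integrate da/dt = K a (1 - a) with forward Euler from t = 0 (starting
    from the closed-form value there) and return a(t_end). This checks that
    the rate equation and the closed form agree."""
    a = infected_fraction(0.0, K, T)
    for _ in range(int(round(t_end / dt))):
        a += dt * K * a * (1.0 - a)
    return a


def outbreak_table(K, T, hosts, hours):
    """(hour, infected fraction, infected host count) for each whole hour."""
    rows = []
    for h in range(hours + 1):
        frac = infected_fraction(h, K, T)
        rows.append((h, frac, int(hosts * frac)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 vulnerable hosts, K = 1.8 per hour,
    # half of them infected 12 hours after release.
    K, T, HOSTS = 1.8, 12.0, 1_000_000
    for hour, frac, count in outbreak_table(K, T, HOSTS, 24):
        print(f"t={hour:2d}h  infected={frac:7.4f}  hosts={count:>9,}")
    print(f"1% -> 50% window at K={K}/h : {response_window(K):.2f} h")
    print(f"1% -> 50% window at K=20/h  : {response_window(20.0):.2f} h")
```

With K = 1.8 per hour the window between 1% and 50% of vulnerable hosts infected is about 2.6 hours; a scanner ten times faster leaves about 15 minutes. That is the quantitative reason human reaction cannot keep up with such worms and why automated, behaviour-based blocking is the complementary defence the authors discuss.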

We have seen that several of the worms/viruses that have emerged in the wild have more or (mostly) less successful methods to update themselves. Both the articles mentioned in the introduction discuss ways to issue commands to the malicious program.

Staniford, Paxson and Weaver's paper outlines a way for distributed communication between the worms, in such a way that a command sent to any worm will be distributed to the others, using encrypted communication between the different instances of the malicious program.

They also draw attention to the fact that it is theoretically possible to issue commands to the worm of such a character that new, different child worms may be created and spread into the computers all over the Internet that are already infected, or attack other computers with different vulnerabilities. This technique would have as a side-effect that the worm's children and grand-children might live long after the original malicious program was discovered and removed from the computers.

The authors of "How to Own the Internet in Your Spare Time" discuss what to do to defend ourselves against the threat they describe. They recommend that one uses the same approach as is used in the world of medicine and establishes "Cyber- Centre(s) for Disease Control". They also assign some roles of such centre(s).

A different, complementary, approach to this might be to increase the research and resources aimed at stopping (potentially) malicious programs based on their behaviour, a technique already in use in Norman Sandbox technology. In theory this method could stop the worm from infecting the vulnerable computers. It could also stop the infection from the malicious program payload, even if the worm had succeeded in infecting the machine.

Top 5 Myths of Outsourcing Email Security

Scott Petry, Postini

Organizations throughout Europe are naturally concerned whenever anyone brings up the topic of "outsourcing security", whether it relates to email communications or any other aspect of the IT infrastructure. Safeguarding the privacy and security of privileged communications is essential to meet current laws and regulations. Yet comments by leading industry analysts, as well as industry surveys, reflect changing attitudes towards outsourcing security--particularly when it comes to fighting spam and viruses. This article addresses the most common myths surrounding the concept of outsourcing email security to a managed email security service.

Myth # 1: We will lose control if we outsource email security

Mathew Kovar, a vice president for analyst firm Yankee Group's security solutions group, recently observed that many companies today are making the move to outsourcing security.

"Security outsourcing will prove attractive," said Kovar, "for reasons other than the cost savings typically cited by companies that farm out business processes. Among the drivers toward managed services are the accelerated attacks of today's threats--giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network--legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers." (1)

Kovar cites anti-spam services as a prime example of this trend. "One of the easiest managed services to see success is e-mail anti-spam services," Kovar said. "People saw the pain and saw that they needed to outsource the solution." (1) Phebe Waterfield, another analyst at Yankee Group, was more specific. "Many companies once tried to manage spam internally because they were concerned about entrusting their e-mail to an outside company. That's considered a little paranoid these days," she says, "now that the aggressive and ubiquitous nature of spam has led to a change in mindset."

Myth # 2: We can't comply with policies or regulatory standards if we outsource email security

Many anti-spam managed service firms must first accept and store messages on their own servers, filter out spam and viruses from those messages and then pass along legitimate messages to their customers. Other managed services, however, are able to conduct analysis of messages in memory, in real time, so that no legitimate messages get stored but rather they are instantly passed along to their respective recipients. It's an important distinction when evaluating an outsourced email security solution that will minimize privacy and security concerns.

If your firm's email system goes down for any reason, an email security managed service should also have the ability to spool or hold messages for several hours rather than letting them bounce back to senders. This assures that in the event of an email server outage inside your firm's network, messages can be retained by the managed service until your email server is able to accept them again.

For an extra measure of assurance you should look for an email security managed service that has been SAS-70 or WebTrust certified. Developed by the American Institute of Certified Public Accountants (AICPA) and based on the global ISO 17799 standards, both SAS-70 and WebTrust certifications mean that the managed service's business and security practices pass inspection for ensuring the availability, integrity and confidentiality of its systems and your firm's communications.

Myth # 3: It's more expensive to outsource anti-spam and email security

The perception that outsourced services are more expensive than in-house solutions is clearly a myth when one considers the total cost of ownership involved in purchasing, updating and maintaining anti-spam software or appliances. Choosing a managed service for email protection can provide immediate reduced costs and increased efficiency and effectiveness compared to in-house anti-spam software and appliance products.

* Lower infrastructure costs - By keeping spam, viruses and attacks from ever reaching an enterprise's internal email servers, companies can eliminate or avoid purchasing additional servers because email traffic is significantly less. This also reduces your firm's email archiving storage space requirements since no spam messages are ever accepted or stored.

* Reduced administrative burden on IT staff - By eliminating the burden of maintaining additional in-house IT infrastructure, your firm's IT personnel are free to focus on supporting firm activities and revenue-enhancing tasks.

* Restored user productivity--Beyond email infrastructure and IT staff-time savings, an email security managed service can easily pay for itself with improved productivity by all users in the firm.

* Less complexity managing and maintaining email security - Most email security managed services are effective regardless of the mix of email platforms or operating systems in a firm's IT environment.

* Minimized risk of email system performance degradation or failure - Since intrusions cannot reach the firm's email gateway, your network cannot be overloaded or compromised by email threats, thus avoiding slowdowns or email system downtime.

Myth # 4: Outsourcing email security can't accommodate my diverse users

While some anti-spam service vendors require a 'one size fits all' approach, others offer administrative flexibility that can reduce the necessity of time-consuming IT staff oversight and allow your attorneys and other users to customize their email filtering within limits set by your firm's overall email policy. A managed service should allow individual users to control the aggressiveness of spam and blocking within limits set by the administrator, as well as give them the option to review quarantined (suspect) messages if they choose. This permits the administrator to satisfy the requests of individuals who may want to review all quarantined messages.

Myth # 5: Outsourcing email only lets me conduct content policy filtering for inbound mail

Nothing could be further from the truth, since an email security managed service can block viruses for both inbound and outbound emails, and enforce policy compliance for inbound and outbound messages. Look for web-based access that will allow your email administrator to set policies for individual users, user groups, as well as the entire firm. This kind of flexibility is particularly important for firms that want to vary message policies according to the roles of specific attorneys or other firm employees.
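The policy model described in Myths 4 and 5 (firm-wide defaults, per-group overrides, user-chosen spam sensitivity held within administrator-set limits, and separate inbound and outbound content rules) is easy to get wrong in the precedence details, so here it is worked through in Python. This is an added illustration, not Postini's code or any product's API; every level name, threshold, rule, user and message below is constructed.

```python
"""Resolve a user's effective email-filtering policy and apply it to messages.

Precedence: user preference (clamped to admin limits) > group > firm.
Content rules accumulate: a group can add rules but never drop the firm's.
All data and names here are constructed for the example."""
from dataclasses import dataclass, field

# Spam-filter aggressiveness, least to most; higher levels quarantine more mail.
LEVELS = ("off", "lenient", "normal", "aggressive")
# Constructed spam-score (0..1) thresholds at which each level quarantines.
THRESHOLD = {"lenient": 0.9, "normal": 0.7, "aggressive": 0.5}


@dataclass
class Policy:
    spam_level: str = "normal"
    min_user_level: str = "lenient"      # floor for user self-service
    max_user_level: str = "aggressive"   # ceiling for user self-service
    user_may_review_quarantine: bool = True
    inbound_rules: list = field(default_factory=list)
    outbound_rules: list = field(default_factory=list)


FIRM = Policy(  # firm-wide policy set by the administrator
    inbound_rules=[{"type": "attachment_ext", "value": ".exe", "action": "block"}],
    outbound_rules=[{"type": "body_contains", "value": "privileged and confidential",
                     "action": "quarantine"}])
GROUPS = {  # per-group overrides
    "attorneys": {"max_user_level": "normal",
                  "outbound_rules": [{"type": "body_contains", "value": "case no.",
                                      "action": "quarantine"}]},
    "marketing": {"spam_level": "aggressive"}}
USERS = {  # users and their self-service preferences
    "alice": {"group": "attorneys", "spam_level": "aggressive"},  # above group ceiling
    "bob": {"group": "marketing"},                                 # no preference
    "carol": {"group": "attorneys", "spam_level": "off"}}         # below firm floor


def clamp_level(requested, floor, ceiling):
    """Hold a user's requested level inside the administrator's [floor, ceiling]."""
    lo, hi, req = (LEVELS.index(x) for x in (floor, ceiling, requested))
    if lo > hi:
        raise ValueError("floor above ceiling")
    return LEVELS[min(max(req, lo), hi)]


def effective_policy(username):
    """Merge firm, group and (clamped) user settings into one Policy."""
    user = USERS[username]
    group = GROUPS.get(user.get("group"), {})
    pol = Policy(
        spam_level=group.get("spam_level", FIRM.spam_level),
        min_user_level=group.get("min_user_level", FIRM.min_user_level),
        max_user_level=group.get("max_user_level", FIRM.max_user_level),
        user_may_review_quarantine=group.get("user_may_review_quarantine",
                                             FIRM.user_may_review_quarantine),
        inbound_rules=FIRM.inbound_rules + group.get("inbound_rules", []),
        outbound_rules=FIRM.outbound_rules + group.get("outbound_rules", []))
    if "spam_level" in user:
        pol.spam_level = clamp_level(user["spam_level"], pol.min_user_level, pol.max_user_level)
    return pol


def rule_matches(rule, message):
    if rule["type"] == "attachment_ext":
        return any(n.lower().endswith(rule["value"]) for n in message["attachments"])
    if rule["type"] == "body_contains":
        return rule["value"].lower() in message["body"].lower()
    raise ValueError(f"unknown rule type {rule['type']!r}")


def filter_message(policy, message):
    """Return 'block', 'quarantine' or 'deliver'. Content rules for the message's
    direction are checked first and take precedence over the spam score."""
    rules = policy.inbound_rules if message["direction"] == "inbound" else policy.outbound_rules
    for rule in rules:
        if rule_matches(rule, message):
            return rule["action"]
    if policy.spam_level != "off" and message["spam_score"] >= THRESHOLD[policy.spam_level]:
        return "quarantine"
    return "deliver"


MESSAGES = [  # constructed traffic; spam_score stands in for the scanner's verdict
    {"id": 1, "user": "alice", "direction": "inbound", "spam_score": 0.6, "attachments": [], "body": "Lunch on Friday?"},
    {"id": 2, "user": "bob", "direction": "inbound", "spam_score": 0.6, "attachments": [], "body": "Lunch on Friday?"},
    {"id": 3, "user": "carol", "direction": "inbound", "spam_score": 0.95, "attachments": ["invoice.EXE"], "body": "See attached"},
    {"id": 4, "user": "alice", "direction": "outbound", "spam_score": 0.0, "attachments": [], "body": "Re case no. 42: privileged and confidential"},
    {"id": 5, "user": "carol", "direction": "inbound", "spam_score": 0.85, "attachments": [], "body": "Special offer"}]


def dispositions():
    """Disposition of every sample message under its user's effective policy."""
    return {m["id"]: filter_message(effective_policy(m["user"]), m) for m in MESSAGES}
```

Running `dispositions()` shows the points the text makes: alice asked for "aggressive" filtering but her group's ceiling holds her at "normal", so a 0.6-scored message is delivered to her and quarantined for bob; carol cannot switch filtering off because the firm floor is "lenient"; the blocked executable and the quarantined outbound message are decided by content rules in their respective directions before any spam score is consulted.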

Integration and Centralised Management

David Perry, Trend Micro

Few organisations have failed to invest in security products to protect different points of their network. Awareness about the threats is high and IT managers have adopted a range of counter-measures to protect their networks and users. But, even as the amount of antivirus software installed increases, the damage caused by attacks also keeps on going up. According to analyst firm the META Group, 99 percent of Global 2000 organisations have antivirus defences but 35-45 percent of these same antivirus-defended organisations still experience financial losses of on average $250,000 due to virus attacks.

So, what is happening?

As working patterns change in business and government, networks are having to become flexible to support remote or home workers who increasingly use a laptop rather than a PC and are logging on and off networks inside and outside of the office.

Organisations have recognised that they need to invest in security products to protect the more varied points of access associated with this working environment. However, these products are not integrated and must be managed independently of each other.

For IT managers this creates a serious problem. The new waves of Internet worm and virus attacks propagate rapidly, infiltrating and simultaneously attacking multiple network entry points. Managers need to be able to coordinate their defences centrally. Without this capability they are more vulnerable to virus attacks and more likely to incur heavier damage than those whose defences are coordinated network-wide.

In its analysis META believes that the quality of management functionality of the antivirus solution is more important than the quality of the scan engine or the signature updates. This seems self evident when you also consider how defences are applied in more traditional situations. Having plenty of tanks deployed at all points where you expect to be attacked is wholly sensible but only works if you can respond quickly to a rapidly changing battle plan. A failure to bring in reinforcements with the latest tactics and updated defences can deal a fatal blow regardless of how much expensive armour you've deployed. Being finally victorious is no triumph if the number of losses and scale of damage is massive.

Similarly for virus attacks, avoiding large scale battles is the prime objective when the costs of clean-up and restoration are proportionately much greater and certainly the most time-consuming part of an outbreak.

How then are IT managers responding to the latest virus attacks?

From the moment new vulnerabilities are uncovered to virus outbreak containment and clean-up, the series of actions available to an IT manager has become more inefficient, costly and even disruptive at times. At the onset of an outbreak, IT managers gather information from a range of external and internal sources to evaluate how they might prevent or contain a virus before it gets out of control. Without reliable information, IT managers are not certain if they are taking the right protective measures. Just as in the heat of battle, sometimes they are tempted to take drastic action. Some shut down entire networks or block ports at the firewall - measures that may stop the virus getting through but also stop normal business functions happening, too. Others wait for their antivirus company to respond and deploy the virus pattern files once they arrive. Certainly this approach will block email worms like SoBig, but file scanning will not detect network viruses like MSBlaster or Slammer that travel inside packets to wreak havoc on hosts and servers before the packets can be reassembled into files for virus scanning.

And, it is these kinds of attacks that are increasing in frequency and sophistication. For example, the speed with which the SASSER network worm was able to propagate and its successive iterations prompted antivirus software vendors to declare a red alert (high-risk virus) to contain its propagation. The speed of these attacks also highlighted a decreasing window of time between patch availability and virus attack. While the MSBLAST worm exploited the RPC DCOM vulnerability 26 days after Microsoft had released the fix patch, the Sasser worm utilized the LSASS exploit a mere 17 days after the patch was made publicly available. Some forecast the possibility of a zero-day attack, with no or little time between a vulnerability being identified and exploited, becoming more rather than less likely to happen in the near future. Whether they have specific counter-measures or not, the speed and variety of these attacks puts a real premium on being able to manage defences much more proactively than before. IT managers need to be able to centralize the management of their disparate security solutions, saving time when responding to an outbreak and thus ensuring the risk is reduced and damage limited. Having a single point of view on the outbreak also enables the right defences to be deployed at the right time and place: for example, identifying and blocking high-risk vulnerabilities by quarantining infected systems while allowing other systems to continue running, or providing comprehensive protection at both the application and the network layers.

The concept of a centralized command post lies at the heart of Trend Micro's Enterprise Protection Strategy. Enterprise Protection Strategy is a customer-driven approach designed to manage the (virus) outbreak lifecycle, from vulnerability prevention to malicious code prevention and elimination. Through coordinated delivery of its industry-leading products, services and threat-specific expertise from Trend Micro's global network of security experts, Enterprise Protection Strategy helps organizations prevent viruses from exploiting vulnerabilities on the network, enforce security policies to control network access of devices, prevent or contain and eliminate viruses and remnants spreading through application and network layers, and centrally manage and integrate outbreak security actions.

Trend Micro Control Manager is a key function of the Enterprise Protection Strategy; it monitors virus activity within networks and the status of networked antivirus devices. Before and during an attack, it provides the IT manager with the tools to assess and isolate vulnerabilities, monitor how the outbreak is progressing, contain an attack, deploy new pattern files and network signatures as soon as they are available, and manage the clean-up and restoration, thus helping reduce the overall TCO (total cost of ownership).

Infosecurity Europe 2005, 26th -28th April Olympia www.infosec.co.uk
COPYRIGHT 2005 A.P. Publications Ltd.

Title Annotation: CONFERENCE CLIPPINGS
Publication: Software World
Date: May 1, 2005