Proactive security: safeguards to make the net work. (Security)

When the first PC virus appeared in 1986, nobody thought about networks, let alone the Internet. Back then, the only way for malicious code to travel from one computer to another was to infect a program and wait for it to be copied manually. Traditional viruses had to lurk inside PCs for a long time without manifesting themselves. While reactive anti-virus scanners that had to be updated provided good solutions for slow-moving viruses five years ago, they are definitely not adequate for today's Internet vandals, which deliver their malicious payloads immediately upon arrival.

The inadequacy of traditional anti-virus technology was demonstrated in May 2000 by the "Love Bug" (ILOVEYOU), which arrived as an e-mail attachment using the double-extension trick: the attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs, and because Windows hides known extensions by default, users saw a harmless-looking .TXT file while the .vbs extension slipped past them. It was demonstrated again in February 2001 when "Anna Kournikova" caused widespread mayhem. In a matter of hours, these simple vandals, written in Visual Basic Script (VBScript, Microsoft's scripting language for Windows, Office applications and Internet Explorer), propagated globally and infected millions of PCs. The damages escalated to several billion dollars in just a few days.
Most of the victims had traditional anti-virus software installed, but did not have enough time to get the latest update from their anti-virus vendors before the vandal reached them.

Another risk is the increasing sophistication of spying tools, usually arriving in a Trojan disguise. Hackers use every element possible to lure users into executing malicious code that would give them access to the victim's PC. The vandal's most significant feature is its ability to remain unnoticed and reside on a PC for a long time without showing any visible signs. The latest crop of such code has added a further layer of complexity, modular design, which allows attackers to remotely add or remove vandal capabilities. Hackers can even remove the vandal altogether, so that the victim never learns that anything wrong has transpired. Modular design also creates the possibility of tens of variants, depending on the modules incorporated. The fact that activation methods can be customized makes it even

Another vandal technique is to embed Visual Basic script inside HTML-formatted e-mail. Since almost every e-mail client renders HTML in order to display a message, an embedded script can be extremely dangerous: the user does not have to execute an attached file, because the script runs as soon as the e-mail is opened or shown in the preview pane. The user is infected immediately, without any indication. On the client this depends on the mail reader executing active content, so rendering mail with scripting disabled (or as plain text) closes the hole; at the gateway, script can be stripped from HTML mail before delivery.

Proactivity is Key

It is clear that reactive anti-virus solutions are not the answer. What is needed are new technologies that can proactively identify and block security threats efficiently and reliably. Proactive solutions focus on reducing risk by using a variety of techniques to identify and block new, as yet unknown, malicious code. A good proactive solution should provide real-time protection against potential threats by enforcing security policies at the Internet gateway and e-mail server, or by blocking malicious activity of Internet-borne applications at the desktop. No single technique accomplishes this on its own, but the combination of several new technologies, namely sandboxing, heuristic analysis and blocking, can be employed to satisfactory effect.

Sandbox

Sandbox identifies every program that arrives from the Internet and monitors its behaviour using application-dependent access control.
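The application-dependent access control just described, as an added example of the decision logic only (this is not Aladdin's agent or its rule set; the application names, operations, paths and the event trace are assumptions of the illustration). Each Internet-facing application gets its own envelope of rules, a program launched from inside the envelope inherits it, and the first violation collapses the envelope for the offending process:

```python
"""Application-dependent access control, as a desktop sandbox would enforce it.

Added illustration, not Aladdin's agent or rule set: the application
names, operations, paths and the event trace below are all assumptions.
Every Internet-facing application gets its own envelope of rules; any
program it launches inherits that envelope; an event outside the envelope
is a violation, after which the envelope shrinks to nothing for the
offending process and the user is notified.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    op: str       # read, write, delete, exec, connect
    target: str   # glob over a file path or host:port
    allow: bool


# First matching rule wins; no match means deny, since code that came in
# from the Internet gets no implicit rights on the rest of the machine.
ENVELOPES = {
    "browser": (
        Rule("read",    "C:/Users/*/AppData/Local/Browser/*", True),
        Rule("write",   "C:/Users/*/AppData/Local/Browser/*", True),
        Rule("write",   "C:/Users/*/Downloads/*", True),
        Rule("connect", "*:80", True),
        Rule("connect", "*:443", True),
    ),
    "mail_client": (
        Rule("read",    "C:/Users/*/AppData/Local/Mail/*", True),
        Rule("write",   "C:/Users/*/AppData/Local/Mail/*", True),
        Rule("write",   "C:/Users/*/AppData/Local/Temp/*", True),
        Rule("exec",    "C:/Users/*/AppData/Local/Temp/*", True),  # opening an attachment
        Rule("connect", "mail.example.com:*", True),
    ),
}


@dataclass(frozen=True)
class Event:
    pid: int
    op: str
    target: str
    child_pid: Optional[int] = None   # only for "exec"


class Sandbox:
    """The monitoring agent: knows which envelope each process lives in."""

    def __init__(self, envelopes=ENVELOPES):
        self.envelopes = envelopes
        self.label = {}          # pid -> envelope name
        self.shrunk = set()      # pids whose envelope collapsed after a violation
        self.notifications = []

    def launch(self, pid, app):
        self.label[pid] = app

    def handle(self, ev):
        app = self.label.get(ev.pid)
        if app is None:
            return "ignored"     # not an Internet-facing application, not our business
        if ev.pid in self.shrunk:
            self.notifications.append(f"pid {ev.pid} ({app}) still confined: {ev.op} {ev.target}")
            return "deny"
        if not self._permits(app, ev):
            self.shrunk.add(ev.pid)
            self.notifications.append(f"VIOLATION pid {ev.pid} ({app}): {ev.op} {ev.target}")
            return "deny"
        if ev.op == "exec":
            self.label[ev.child_pid] = app   # the child inherits the parent's envelope
        return "allow"

    def _permits(self, app, ev):
        for rule in self.envelopes[app]:
            if rule.op == ev.op and fnmatchcase(ev.target, rule.target):
                return rule.allow
        return False


def run_trace():
    """Constructed trace: web content reaching My Documents, then an attachment
    that deletes a file and phones home.  Returns (decisions, notifications)."""
    sb = Sandbox()
    sb.launch(100, "browser")
    sb.launch(200, "mail_client")
    trace = (
        Event(100, "write", "C:/Users/alice/AppData/Local/Browser/cache/ad.tmp"),
        Event(100, "write", "C:/Users/alice/Documents/report.doc"),
        Event(200, "write", "C:/Users/alice/AppData/Local/Temp/invoice.exe"),
        Event(200, "exec", "C:/Users/alice/AppData/Local/Temp/invoice.exe", child_pid=300),
        Event(300, "delete", "C:/Users/alice/Documents/budget.xls"),
        Event(300, "connect", "203.0.113.9:80"),
    )
    return [sb.handle(ev) for ev in trace], sb.notifications
```

The point of the inheritance step is the one the article makes: the attachment started by the mail client is not a new, trusted program but lives inside the mail client's envelope, so its attempt to delete a document is judged by the mail client's rules and denied. The real work of a product is the hooking and process tracking that feeds events into such a table; the table itself is the easy part.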
Such rules prevent an e-mail-attached program from deleting files on the hard disk, or active content in a web page from reaching the "My Documents" folder. Sandbox is built around a monitoring agent and a sophisticated set of rules that cover specific Internet applications such as browsers and e-mail clients. It creates a security envelope surrounding the application and sits quietly in the background until something tries to break the rules. When a violation occurs, Sandbox shrinks, confining the violating entity and notifying the user. Some rules can be further tuned by users, or tuned globally by administrators, to accommodate specific requirements.

Heuristic Analysis

Heuristic analysis looks for sequences of commands known to be used by Internet vandals in order to identify possibly malicious behaviour. A smart implementation uses some form of statistical analysis, weighing the repetition, order and type of commands, to distinguish legitimate macros from malicious ones and to reduce false alarms. Heuristic analysis can be applied to scripts as well as macros. Several anti-virus vendors have tried to apply it to traditional compiled viruses, but the technique works efficiently only on programs written in script or macro languages, whose source is what the scanner sees; compiled code has to be disassembled or emulated first. Since many of the prevalent Internet vandals are script- and macro-based, heuristics can be extremely useful.

Heuristics, however, only estimate what a script is likely to do. The third technique, blocking, does not reason about behaviour at all: it analyzes content to make sure a file is what it claims to be rather than a spoofed one. In a security-aware organization, for example, there is absolutely no reason to accept just any kind of attachment.
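The statistical, order-aware scoring of scripts described under Heuristic Analysis, as an added example (not the article's or any vendor's scanner; the indicators, weights, threshold and the three sample scripts are assumptions, and the samples are inert constructed stand-ins that only reproduce the shape of a mass mailer). It scores the type of commands (which COM objects and methods appear), their order (does the script read its own file before copying it, does it open the address book before sending) and their repetition (is the send inside a loop), so that a housekeeping script that merely uses the file system is not flagged:

```python
"""Heuristic scoring of VBScript attachments.

Added example, not the scanner described in the article: the indicators,
weights, threshold and sample scripts are assumptions of this illustration.
Presence of an indicator earns a small weight; indicators appearing in the
order a vandal needs them earn a bonus; a send inside a loop and code
assembled from character codes and run with Execute earn more.
"""
import re

INDICATORS = {  # category: (pattern, weight for mere presence)
    "fso":       (r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', 1),
    "self_ref":  (r'WScript\.ScriptFullName', 2),
    "copy":      (r'\.CopyFile\b', 2),
    "shell":     (r'CreateObject\s*\(\s*"WScript\.Shell"', 1),
    "run_key":   (r'\.RegWrite\b[^\n]*\\Run\\', 4),
    "outlook":   (r'CreateObject\s*\(\s*"Outlook\.Application"', 2),
    "addresses": (r'\.AddressLists\b|\.AddressEntries\b', 3),
    "send":      (r'\.Send\b', 2),
    "execute":   (r'\bExecute\b', 4),
    "chr":       (r'\bChr\s*\(', 0),   # counted, weighted only together with Execute
}

SEQUENCES = (  # (categories in the order they must first appear, bonus, explanation)
    (("fso", "self_ref", "copy"), 6, "reads and copies its own file"),
    (("outlook", "addresses", "send"), 8, "walks the address book and sends mail"),
    (("shell", "run_key"), 3, "writes a Run-key persistence entry"),
)
THRESHOLD = 10


def score_script(script):
    hits = {cat: [m.start() for m in re.finditer(rx, script, re.IGNORECASE)]
            for cat, (rx, _) in INDICATORS.items()}
    score = sum(w for cat, (_, w) in INDICATORS.items() if hits[cat])
    reasons = []
    for seq, bonus, why in SEQUENCES:          # order of first occurrence
        firsts = [hits[c][0] for c in seq if hits[c]]
        if len(firsts) == len(seq) and firsts == sorted(firsts):
            score += bonus
            reasons.append(why)
    if hits["send"]:                            # repetition: is the send inside For ... Next?
        before = script[:hits["send"][0]]
        depth = (len(re.findall(r"^\s*For\b", before, re.I | re.M))
                 - len(re.findall(r"^\s*Next\b", before, re.I | re.M)))
        if depth > 0:
            score += 4
            reasons.append("sends mail inside a loop")
    if hits["execute"] and len(hits["chr"]) >= 8:
        score += 8
        reasons.append("Execute over a Chr()-assembled string")
    return score, reasons


def classify(script):
    score, reasons = score_script(script)
    return ("suspicious" if score >= THRESHOLD else "clean"), score, reasons


BENIGN_SCRIPT = r'''
' constructed sample: a housekeeping script that only writes a log line
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\logs\backup.log", 8, True)
f.WriteLine Now & " backup finished"
f.Close
'''

MASS_MAILER_SCRIPT = r'''
' constructed sample: skeleton of a mass-mailing vandal, inert (no body, no attachment)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set self = fso.OpenTextFile(WScript.ScriptFullName, 1)
code = self.ReadAll
Set wsh = CreateObject("WScript.Shell")
fso.CopyFile WScript.ScriptFullName, fso.GetSpecialFolder(1) & "\helper.vbs"
wsh.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\helper", fso.GetSpecialFolder(1) & "\helper.vbs"
Set app = CreateObject("Outlook.Application")
Set mapi = app.GetNameSpace("MAPI")
For Each lst In mapi.AddressLists
    For Each entry In lst.AddressEntries
        Set msg = app.CreateItem(0)
        msg.To = entry.Address
        msg.Subject = "hi"
        msg.Send
    Next
Next
'''

OBFUSCATED_SCRIPT = r'''
' constructed sample: code assembled from character codes and run with Execute
Dim s
s = Chr(120) & Chr(32) & Chr(61) & Chr(32) & Chr(49) & Chr(48) & Chr(48) & Chr(48) & Chr(48)
Execute s
'''
```

The weights are deliberately low for single indicators and high for sequences: a script that creates a FileSystemObject is ordinary administration, while one that reads its own file, copies it, registers a Run key and then loops over the address book sending mail is the Love Bug pattern whichever strings it uses for subject and file name. The Execute-over-Chr() rule catches the other evasion seen in 2001, hiding the real code from a string scanner behind a decoder.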
Blocking

Usually the corporate environment needs only specific file types, such as Microsoft Office documents, graphics files and archive files; virtually anything else is potentially dangerous. Even where other file types are allowed, security measures can be added. In Office documents, macros can be stripped, and a content security product can be deployed to detect spoofed files, that is, files whose content does not match the type their name claims. Another good blocking policy is to reject password-protected archive files, since a scanner cannot inspect what it cannot decrypt.

It is clear that in today's network-enabled IT environments, reactive protection based solely on signature tables cannot be the security technology of the future. The answer lies in proactive solutions that use deep analysis and intelligent behaviour monitoring to create new and more advanced levels of security, as powerful as the threats themselves.

Editorial Note
Infosecurity Europe, 23-25 April 2002, Grand Hall, Olympia, London, UK. www.infosec.co.uk Tel: 020 8910 7931 email: infosecurity@reedexpo.co.uk

Shimon Gruper, Internet Security, Aladdin Knowledge Systems
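The blocking policy described under Blocking (allow only needed types, detect spoofed files, reject macros and password-protected archives), as an added example that is not part of the article and not Aladdin's product: the allow-list, the policy wording and every sample attachment are assumptions, and the samples are constructed stand-ins rather than real documents. It goes a little beyond the article by identifying the content type from the file's own leading bytes for both legacy and OOXML Office files and by refusing executables found inside plain archives:

```python
"""Attachment blocking by content, not by file name.

Added example, not the content-security product the article refers to;
the allowed-type table, the policy wording and all sample attachments are
assumptions of this illustration, and the samples are constructed stand-ins
rather than real documents.  Policy: allow only listed types, identify the
type from the leading bytes, reject names whose extension disagrees with
the content (spoofing) or ends in an executable extension (double-extension
trick), reject password-protected archives and Office files carrying VBA.
"""
import io
import os
import struct
import zipfile

MAGIC = (  # (leading bytes, type), checked in this order
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                        # .zip and OOXML .docx/.xlsx
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),                                 # .exe/.dll/.scr, never allowed
)
ALLOWED = {".doc": "ole2", ".xls": "ole2", ".ppt": "ole2", ".docx": "zip", ".xlsx": "zip",
           ".pptx": "zip", ".zip": "zip", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
           ".gif": "gif", ".pdf": "pdf"}
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js",
              ".jse", ".wsf", ".hta"}


def sniff(data):
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")


def check_archive(data):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "corrupt archive"
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            return False, f"password-protected archive ({info.filename})"
        inner = info.filename.lower()
        if inner.endswith("vbaproject.bin"):  # OOXML keeps macros in this part
            return False, "Office document carries a VBA project (macros)"
        if os.path.splitext(inner)[1] in EXECUTABLE:
            return False, f"archive contains an executable ({info.filename})"
    return True, "ok"


def check_attachment(name, data):
    """Return (allowed, reason) for one attachment; the name is only ever a claim."""
    root, ext = os.path.splitext(name.lower().rstrip())
    if ext in EXECUTABLE:
        inner = os.path.splitext(root)[1]
        return False, (f"double-extension trick ({inner}{ext})" if inner
                       else f"executable attachment ({ext})")
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, f"type {ext or '(none)'} not on the allow list"
    kind = sniff(data)
    if kind != expected:
        return False, f"spoofed: named {ext} but content is {kind}"
    if kind == "zip":
        return check_archive(data)
    if kind == "ole2" and "_VBA_PROJECT".encode("utf-16-le") in data:
        # CFB directory names are UTF-16LE; the VBA stream name is a cheap macro indicator
        return False, "Office document carries a VBA project (macros)"
    return True, "ok"


def make_zip(entries):
    """Constructed-sample helper: an in-memory archive of (name, bytes) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries:
            zf.writestr(n, d)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed-sample helper: set flag bit 0 (encrypted) in every local and
    central header so the archive reads as password-protected; the payload is
    not actually enciphered, which is all a header-level check looks at."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            struct.pack_into("<H", buf, i + off, struct.unpack_from("<H", buf, i + off)[0] | 1)
            i = buf.find(sig, i + 4)
    return bytes(buf)


OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {  # constructed attachments; bytes are stand-ins, not real documents
    "LOVE-LETTER-FOR-YOU.TXT.vbs": b'Set fso = CreateObject("Scripting.FileSystemObject")',
    "budget.xls.exe": b"MZ\x90\x00",
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # a PE renamed to look like a picture
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.docx": make_zip([("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")]),
    "invoice.docx": make_zip([("[Content_Types].xml", b"<Types/>"), ("word/vbaProject.bin", OLE2)]),
    "secret.zip": mark_encrypted(make_zip([("notes.txt", b"nothing to see")])),
    "legacy.doc": OLE2 + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le"),
    "tools.zip": make_zip([("readme.txt", b"run it"), ("setup.exe", b"MZ")]),
    "notes.txt": b"plain text",
}


def apply_policy(samples=SAMPLES):
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in apply_policy().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name:30} {why}")
```

Two caveats a gateway operator would add. The legacy-Office check here is a string search for the VBA stream name, which is a quick indicator rather than proof; a production filter parses the compound-file directory (and strips the Macros storage when the policy says "strip" rather than "block"). And the archive check reads entry names only; content inside an archive still has to be extracted and passed back through the same policy, with a depth limit, or an executable simply arrives as a .jpg inside a .zip.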