In August 2004, Microsoft released Microsoft XP Service Pack 2 (SP2). This marked a significant date in the network security world. The largest software provider in the world had released a version of their operating system (OS) that had built in security turned on by default. The next several weeks and months were interesting as many dependant software applications “broke” when the security features were tightened up. But all things said and done, it was a great milestone in security, and although it was a rough road, it was a long time in coming.
Security enhancements included a major revision to the internal firewall that was renamed Windows Firewall, advanced memory protection that took advantage of the NX bit that is incorporated into newer processors to stop buffer overflow attacks and removal of raw socket support.
The removal of raw socket support is supposed to limit the damage done by “zombie” machines, enabling infected computers to be used remotely to launch DoS attacks). Additionally, security-related improvements were made to email and web browsing.
Windows XP Service Pack 2 included the Windows Security Center, which provides a general overview of security on the system, including the state of anti-virus security, Windows Update and the new Windows Firewall. Third-party anti-virus and firewall applications can interface with the new Security Center.
These modifications to the world’s most popular OS shocked the hackers of the world. No longer was it very easy to attack and compromise systems. No longer were there more open systems than they had time to compromise. Attackers would scour the internet looking for open systems, and when found would quickly close the holes so another attacker couldn’t claim what they had rightfully stolen.
Don’t get me wrong, I said no longer was it very easy. Now it is just sort-of easy. Much of this is due to systems having been brought online in other countries where there is more pirated software, and other older OSs that don’t have security features enabled.
There are also a lot of older systems right here in the United States that are still using OSs older than XP SP2. Lastly, even with security turned on, there are other ways of having a system be vulnerable. But because most of the systems or information that had the highest value to hackers had become more secure, they were required to get creative in their attacks.
In 2005, we saw the beginning of a movement towards an entirely new type of attack method. Until then, most attackers would compromise a system by simply attacking it through known vulnerabilities or “bugs” that could allow the attacker to gain some level of control over the system. These are commonly referred to as “inbound attacks.” With personal firewalls loaded onto many systems, as well as other security features enabled, the “inbound attack” approach became increasingly less profitable.
New attack methods were seen where the attacker would take advantage of vulnerabilities within the internet browser itself. These vulnerabilities would allow the attacker to download malicious code, trojans or other applications in the background simply by having the user look at a web page. Some of the new attack methods included luring unsuspecting users to malicious web sites via spam, instant messaging or other popular websites. In one case, an attacker created a Hurricane Katrina relief website, giving up-to-date storm watch information, videos of survivors, even links to real donation sites. This website was indexed by several search engines and quickly became one of the top links when typing “Katrina” into a search website. Just by clicking the link, a malware program was installed onto the user’s PC.
Malware programs can crash your system, keystroke (password) capture, screen shot capture or give full remote control. What people don’t realize is that the software makes an outbound connection to the internet. Because the internal computer is making the request (connection) out to the web, it is assumed by the security systems to be “authorized” traffic. The PCs can make connections back to the attackers systems and do just about anything they want. This defeats all the security designed to stop inbound attacks.
In 2006, we saw many more of these types of attacks. Many new ways of attracting unsuspecting users to malicious websites increased. One was disguised as a phishing attack. The phishing website would install malware on the remote computer, even if the users did not enter any personal information.
The popularity and success of these new attack methods, coupled with security devices that often only block inbound attacks, will continue this trend and even increase it in 2007 and beyond.
Stopping malware attacks requires dedication to a strong security posture that includes a layered security approach.
The following security solutions, which reduce malware and potential attacks in your environment, are as follows:
Intrusion detection and prevention: Use an IDS/IPS system to do “deep packet inspection” that will look beyond the header information of the packet and look at the payload, comparing each packet with known hacker attack signatures. Be sure the system is continually updated, fine tuned, and monitored 24/7 to gain the security benefits needed.
URL filtering: Also commonly known as website, or content, filtering. These solutions prevent an internal system from accessing unauthorized websites. All websites are put into any of 50-plus categories, and you decide which types of websites employees should be allowed to access from the corporate network.
Spam filtering: Be sure that spam is being filtered from at least the network level, and then optionally on the desktop as well. Reducing spam will keep many end users from clicking on links that could contain malware.
Policies: A strong internet-use policy stating what users are allowed to do on the internet is critical. End users that have the ability to download peer-to-peer (P2P) software, use instant messaging, or install applications are often the first to be burned by attackers. Reduce the applications and access end users have to what is only required for them to perform their duties.
Training: Train employees on proper use of the internet, downloading, etc.
PC Restrictions: Most OSs have the ability to restrict the user so they may not install or download applications. Although this becomes an increased burden on the IT staff, the security benefits are enormous.
Gateway anti-virus: Use gateway anti-virus (AV) to stop malicious emails from entering your network. Don’t solely rely on the desktop AV to stop all viruses and worms.
Vulnerability scanning: Be sure you are running vulnerability scans on all internet-accessible systems and all critical servers at a minimum to find vulnerabilities. From time to time it is also recommended to run a full network-wide vulnerability scan.
Patch management: Once vulnerabilities are identified, patch them in a timely basis.
The IT security solutions to keep malware away exists today, but far too few utilize enough of them to get the proper protection and risk-mitigation that they need. Through a combination of good end-user training, policies and technology, security risks can be reduced as network security risks continue to evolve.
— Kevin Prince is CSO of Perimeter eSecurity.