If your computer system is important to your business and you cannot afford to have your business operations halted due to a computer virus, spyware, or spam, then you need to read and act on the information contained in this informative report. This report will outline what you need to know before you purchase your next firewall.
- What Unified Threat Management (UTM) is and why your next firewall should be a UTM Firewall
- What Defense in Depth is and how a Firewall can help
- Frightening trends and questions every business owner should know regarding data security
- How website filtering can keep good employees from doing bad things
- History of Malware and Spyware and how to prevent Malware from entering your network.
- The Life Cycle of Internet Threats and how to prevent them
- Dirty Money on the Wire; The Business of Cybercriminals
What is Unified Threat Management (UTM)?
UTM is the term for a fourth-generation firewall that combines Firewall, VPN, Anti-Virus, Spam, and Malware detection in one device. Most firewalls only stop or allow traffic and cannot look at what is inside that traffic. Some firewalls pass that traffic off to other devices to inspect, increasing cost and complexity and slowing the Internet connection.
A UTM firewall will help keep your employees productive by preventing access to known spyware and malware sites. You can also prevent employees from accessing inappropriate sites to help keep them productive.
If you are purchasing a new Firewall make sure you verify that it has the following capabilities:
- Incoming/outgoing Virus scanning of HTTP, SMTP, FTP traffic
- Intrusion Detection/Prevention with signature updates
- Web filtering with spyware and phishing categories
- Malware/Grayware detection
- Ability to archive HTTP and Instant Messaging (IM) traffic for future review
- Ability to alert you if an attack is detected.
Defense in Depth
Defense in Depth is a security strategy which uses multiple layers to protect important assets. An example of Defense in Depth is Virus scanning of email at three different levels: on your spam filter, on your email server, and finally on your desktop. Each of these virus scanners should be a different type as each virus scanner updates its signatures differently.
A firewall, especially a UTM firewall, helps with Defense in Depth. It can provide a good first layer of Virus Scanning, Spam filtering and spyware/malware filtering. This first layer can prevent the attack before it reaches your network.
A firewall, while it can prevent most attacks, will never protect you against all of them. You should always make sure that you harden your internal resources by reducing your attack surface (removing unnecessary programs and services).
Website Filtering; keeping good employees from doing bad things
Most employees have very good intentions, but spam or website advertisements can lead them down the wrong path. This path can lead to spyware and virus infections. It could also lead to the potential compromise of sensitive information.
A good web filter will prevent your employees from visiting those sites. It is like the doctor said; an ounce of prevention is worth a pound of cure. This will save you money by allowing employees to be more effective at work and by preventing machines from being slowed down by spyware and malware and then having to be cleaned up.
Some employees could be offended by the bad websites others are visiting. These websites could be considered sexual harassment by some employees. You could face potential lawsuits if you don’t at least try to prevent access to these sites. A well written Internet policy will also help prevent lawsuits.
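The web-filtering capability described above (and listed in the UTM checklist earlier) comes down to classifying the hostname of each request against a category database and applying a per-category action. The following added example, which is not code from any firewall product, shows the two details that separate a useful filter from one that is trivially bypassed: hostnames are normalized (case, trailing dot, port suffix) before lookup, and the lookup walks up through parent domains so that subdomains of a categorized site inherit its category. The category database, policy and proxy log lines are constructed sample data.

```python
"""Hostname-based web filtering with parent-domain matching (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed category database: registered domain -> category.
# A real UTM ships a far larger list and updates it continuously.
CATEGORY_DB = {
    "known-spyware.example": "spyware",
    "login-verify.example": "phishing",
    "adult-content.example": "adult",
    "news.example": "news",
}

# Constructed policy: per-category action; anything not listed is allowed.
POLICY = {
    "spyware": "block",
    "phishing": "block",
    "adult": "block",
}


def normalize_host(host: str) -> str:
    """Canonicalize a hostname so case, a trailing dot or a port number
    cannot be used to slip past an exact-match lookup."""
    host = host.strip().lower().rstrip(".")
    # Strip a port suffix such as example.com:8080 (IPv6 literals excluded).
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def lookup_category(host: str) -> Optional[str]:
    """Walk from the full hostname up through its parent domains, so
    cdn.ads.known-spyware.example inherits the category of known-spyware.example.
    The bare top-level label is never consulted."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


@dataclass
class Verdict:
    host: str
    category: str
    action: str


def evaluate(host: str) -> Verdict:
    """Classify one hostname and decide allow/block under POLICY."""
    category = lookup_category(host) or "uncategorized"
    action = POLICY.get(category, "allow")
    return Verdict(normalize_host(host), category, action)


def filter_log(lines: List[str]) -> Tuple[List[Verdict], List[str]]:
    """Apply the policy to constructed proxy log lines ('<client> <host>').
    Returns (verdicts, alerts); alerts holds one line per blocked request,
    which is the 'alert you if an attack is detected' item of the checklist."""
    verdicts, alerts = [], []
    for line in lines:
        client, host = line.split()
        v = evaluate(host)
        verdicts.append(v)
        if v.action == "block":
            alerts.append(f"ALERT {client} -> {v.host} blocked ({v.category})")
    return verdicts, alerts


# Constructed proxy log: client IP followed by the requested host.
SAMPLE_LOG = [
    "10.0.0.12 news.example",
    "10.0.0.12 WWW.Known-Spyware.Example.",
    "10.0.0.31 cdn.ads.known-spyware.example:8080",
    "10.0.0.44 login-verify.example",
    "10.0.0.44 intranet.local",
]

if __name__ == "__main__":
    _, sample_alerts = filter_log(SAMPLE_LOG)
    print("\n".join(sample_alerts))
```

Running the block prints three alerts: the mixed-case entry with a trailing dot, the subdomain with a port suffix, and the phishing host are all blocked, while the news site and the uncategorized intranet host pass.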
History of Malware and Spyware
Nearly 25-years after the first computer virus—the Elk Cloner virus—appeared, malware continues to evolve and pose significant risks to organizations today. Before the Internet, malware was typically transmitted by floppy disks, limiting a malware threat’s propagation rate. Today and into the foreseeable future, every networked computer with an email client, web browser, or any other portal to the Internet is a prime target, allowing malware threats to spread more rapidly than ever before.
While many people use the terms “virus” and “malware” interchangeably, there is an important difference. Malware is a broader term that includes viruses, but also includes any type of threat that is file-based in nature. Newer threat types such as spyware, adware, Trojan horses, and worms all fall under the category of malware.
Malware is typically found within files that are less than one megabyte (MB) in size. According to Fortinet research, 97% of malware discovered since the beginning of 2006 is below one MB in size. The small size of the malware file allows malicious content to be downloaded and executed quickly, creating an unnoticeable infection.
A good UTM firewall proactively detects malware and spyware preventing it from accessing your network.
The Lifecycle of a Threat
The purpose of this section is to provide a clear definition of how threats work. This will prove helpful when discussing changes in the threat landscape and the impact they are having on obtaining effective security solutions.
In general, threats consist of the following four stages:
Transmission – refers to the process of how a threat gets from its source to its target. For locally executed threats, this is accomplished by manually conveying and loading an infected file or otherwise entering code directly into the target system. For remotely executed threats, this stage depends on some form of electronic communication and associated protocols (e.g., instant messaging, file shares, email.)
Penetration – refers to how a threat subsequently gets to its target. For locally executed threats, this stage is not really separable from transmission. It involves bypassing system controls or simply taking advantage of permissions granted to local users. In contrast, the remote execution case involves taking advantage of a vulnerability – either a mis-configuration or a weakness in a piece of code that the target runs. Significantly, such vulnerabilities can be associated with any of the system’s communications services (i.e. at any of the OSI layers) or any of the higher-order applications that it runs (i.e. file/program-centric).
Launch – refers to the execution of a threat’s payload. It is the primary stage associated with doing harm, such as stealing information, over-writing or manipulating stored data, or crashing a process. It may also involve a communications component that enables the attacker to continue to download and execute additional payloads over time.
Propagation – is an optional but very common stage that involves perpetuation of the threat, i.e. reproduction and spreading. For example, a threat may scan an address range looking for other hosts, or email itself to all of the addresses in a user’s email program. In some instances, self-propagation may be the only “payload” that a threat effectively has – though as will be discussed shortly, this semi-benign mode of operation is rapidly becoming less common.
Another purpose for outlining the lifecycle of a threat is to highlight the fact that there are many points at which an attack can be thwarted. As will be discussed shortly, different countermeasures tend not only to focus on different “layers” of the problem, but also on different stages of the problem. As a general rule, stopping a threat earlier in its progression through the above stages is preferable since it will typically provide the greatest reduction in terms of the threat’s impact on the target environment.
Understanding the nature of threats and how they are evolving is the next prerequisite for establishing the components and requirements of a solution that is capable of countering them.
What’s In a Name?
Unfortunately, the chore of sorting out the meaning of associated terminology is not quite finished. One piece of the puzzle that still remains is the names used to describe various types of threats. After having been used so frequently in recent years, often inappropriately, they have now lost much of their original distinction. To help remedy this situation, brief attribute-based descriptions are provided below for some of the most relevant threat types.
Virus
- A program that is able to self-replicate
- Depends on user interaction for penetration, execution, and propagation
- Depends on a host file/program (i.e., is not self-contained) and host resources (e.g., disk)
Worm
- A program that is able to self-replicate
- Takes advantage of a vulnerability to penetrate and execute without any user interaction
- Self-contained in that it resides in system memory and uses system and network services for transmission and propagation – it has no reliance on files/programs.
Trojan horse
- A malicious program that is within, or masquerading as, an innocent or useful program
- Does not self-replicate
- Does not infect other files
Of course, these only represent a portion of the overall threat pantheon, which also includes spyware, targeted attacks, rootkits, bots, phishing, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. A general term that applies to all of these threats, at least to the extent that they rely on malicious software, is malware. The increasing prevalence of this over-arching term is appropriate, particularly since even the more granular descriptions are really just generalizations. Indeed, the industry at-large has struggled from the outset to maintain a rigorously defensible, technical distinction between viruses and worms. And with the emergence and increasing frequency of blended threats over the past few years, doing so has become an even greater challenge – or a moot point, depending on your perspective. The fact is that by utilizing multiple mechanisms to accomplish any or all of the lifecycle stages, any given blended threat will often incorporate characteristics and capabilities of both viruses and worms. That said, understanding the different ways in which these critters can operate is still an essential prerequisite to being able to effectively stop them.
Trends and Tribulations
Equally essential is understanding how threats are changing. In this regard, one very significant characteristic is the decreasing window of time between the announcement of a new vulnerability and the release of an associated threat capable of exploiting it. Problematic to be sure, this condition is indicative of the need for countermeasures that are more proactive in nature. Undoubtedly, it is also at least partially responsible for the aforementioned emphasis being placed on intrusion prevention systems (IPS) relative to antivirus tools (AV), which are generally classified as reactive in nature. However, a couple of key “clarifications” are in order at this point.
First, the classifications of IPS as proactive and AV as reactive are really just generalizations. Real-world implementations of these technologies typically incorporate both proactive and reactive detection capabilities. For example, most IPS solutions include some measure of Intrusion Detection System (IDS)-like signatures, while all of the leading AV tools now include various heuristic and behavior-based techniques.
A second clarification is that the current need for more proactive countermeasures is largely about identifying a historical deficiency – one that has come to light due in particular to the latest additions to the threat landscape. This should NOT be confused with or interpreted as a situation where all other classes of threats have abated, thereby eliminating the need for other types of countermeasures. After all, threats that exclusively target specific vulnerabilities are not the only ones out there.
Indeed, while current malware trends indicate a decline in the plain-vanilla variety of file-infection viruses, several other types of threats which incorporate virus or virus-like components are actually on the rise. These include:
Blended threats – a significant percentage of which include file/program-centric components. For example, the malware FunLove included a virus and a worm, while Bagle.H of the FunBag family essentially involved a virus in a worm (i.e., as one of its many possible payloads).
Trojans – of all sorts, which are often distributed via spam or a worm, but which inherently involve loading and operating a program on the target system. This program can then be used to download additional malware, or to stealthily steal data from the target user/system.
Targeted attacks – which generally trade rapid propagation capabilities (involving communications layer exploits) in favor of greater stealth (typically yielded by focusing on file-centric exploits). One particularly disturbing example is that of spy-phishing. In this type of attack, a highly customized (i.e. targeted) email that includes a trojan (or a link that will result in one being downloaded) is sent to a target audience that is pre-disposed to use certain web sites and services. The trojan then simply monitors web traffic, waiting for particular sites to be accessed, at which point it acquires credentials and other valuable information.
Rootkits – which are programs that once installed, provide stealthing capabilities for other pieces of malware (e.g. trojans) in an attempt to make them undetectable by various host-based countermeasures.
A few of the key points to take away from this brief tour of the threat-scape are: that worms are indeed a significant problem; that they are increasingly being used to facilitate the transmission and propagation of “traditional” viruses; but, also that they are not the only means for this to happen.
Just clicking on a link in an email or an innocuous looking object on a web page can initiate the download of a piece of file-centric malware.
Now, whether that malware actually gets to the intended target is yet another matter – one that will be determined by the capabilities of the countermeasures that reside between the source of the malware and its intended destination or target.
A good UTM firewall can detect these types of threats. It can scan traffic for threats, including ones that are not yet known in the wild. You can also define filtering of certain file types, so the firewall blocks them before they enter your network. Finally, web site filtering and spam filtering can prevent access to potentially harmful websites, effectively preventing infection.
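The file-type filtering mentioned above only works if the firewall classifies a download by its content rather than by its file name: the small, file-centric malware described in the History and Trends sections is routinely renamed (an executable served as invoice.pdf) or wrapped in an archive. The following added example, which is not code from any firewall vendor, sniffs the leading magic bytes of a payload, flags a mismatch between the declared extension and the detected type, opens ZIP archives in memory to sniff each member, and treats an archive it cannot parse as blocked rather than passing it through unscanned. The signature table, policy and all sample payloads are constructed.

```python
"""Content-based file-type filtering for downloaded payloads (added example)."""
import io
import zipfile
from typing import Dict, List

# Constructed magic-byte table: (prefix, detected type).
MAGIC = [
    (b"MZ", "pe-executable"),        # Windows PE / DOS header
    (b"\x7fELF", "elf-executable"),  # ELF binary
    (b"PK\x03\x04", "zip-archive"),  # ZIP local file header
    (b"%PDF", "pdf"),
]

# Constructed policy: content types never allowed through, and the
# extensions each detectable type is expected to carry.
BLOCKED_TYPES = {"pe-executable", "elf-executable"}
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "zip-archive": {"zip"},
    "pe-executable": {"exe", "dll", "scr", "com"},
}
MAX_ARCHIVE_MEMBER_BYTES = 1024 * 1024  # inspect up to 1 MB per member


def sniff_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def inspect_archive(data: bytes) -> List[str]:
    """Open a ZIP in memory and sniff every member. Oversized members and
    archives that fail to parse are reported, not silently allowed."""
    reasons: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_ARCHIVE_MEMBER_BYTES:
                    reasons.append(f"{info.filename}: too large to scan")
                    continue
                member_kind = sniff_type(zf.read(info.filename)[:16])
                if member_kind in BLOCKED_TYPES:
                    reasons.append(f"{info.filename}: {member_kind} inside archive")
    except zipfile.BadZipFile:
        reasons.append("archive could not be parsed")
    return reasons


def inspect(filename: str, data: bytes) -> Dict[str, object]:
    """Return a verdict: declared name, detected type, reasons, and action."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    reasons: List[str] = []

    if kind in BLOCKED_TYPES:
        reasons.append(f"{kind} content blocked by policy")
    # An extension that contradicts the content is a strong signal on its own.
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        reasons.append(f"extension .{ext} does not match {kind} content")
    if kind == "zip-archive":
        reasons.extend(inspect_archive(data))

    return {"file": filename, "type": kind, "reasons": reasons,
            "action": "block" if reasons else "allow"}


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP for the sample payloads below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample payloads: a fake PE header padded with zeros stands in
# for an executable; no real binary is used.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("invoice.pdf", FAKE_PE),
        ("update.zip", make_zip({"setup.exe": FAKE_PE})),
        ("docs.zip", make_zip({"readme.txt": b"hello"})),
        ("photos.zip", b"PK\x03\x04" + b"\x00" * 40),
    ]
    for name, payload in samples:
        v = inspect(name, payload)
        print(f"{name}: {v['action']} {v['reasons']}")
```

Of the five constructed samples, only the genuine PDF and the archive holding a text file are allowed; the renamed executable is blocked for two independent reasons, the archive carrying setup.exe is blocked on its member's content, and the truncated archive is blocked because it could not be parsed.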
Dirty Money on the Wire, the Business of Cybercriminals
Cybercrime is described as criminal activity in which computers or networks are involved.
The economic impact of cybercrime is huge; the FBI revealed that cybercrime caused over $67 billion in damages in the US alone last year. Britain’s National Hi-Tech Crime Unit (NHTCU) estimates its cost at over 2.45 billion pounds ($4.6 billion) a year.
That is in addition to virus attacks, which are estimated at 12 billion, and credit card fraud at 400 million.
Cybercrime can be broken into these categories:
- Spamming – Sending unsolicited bulk email
- Carding – The trading of credit cards in chat rooms on the Internet
- Phishing – The attempt to fraudulently acquire sensitive information, such as passwords and online banking credentials, of targeted individuals
- Herding – (Short for Botnet Herding) A botnet is a collection of software robots that run autonomously. What that really means is a collection of machines that have been compromised by spyware or malware and that are under a common command and control infrastructure.
The cybercriminal has many profiles:
- Coders – The “skilled” cybercriminals, usually between 20 and 25 years old with 5+ years of experience in the hacking community. They are usually self-taught programmers or professional coders looking for side income, generally from a country where $300 a month makes a difference.
- Kids – The labor force for the cybercrime scene. Aged between 15 and 20, they hang around IRC channels or chat rooms making a small profit buying and trading spam lists, proxies, hacked hosts, or renting out botnets.
- Mafia – They bring in-depth input about real MOB issues. Usually staying within the strict boundaries of the law, they are one of the cybercrime back-ends funding some of the activity.
- Mules – They turn virtual money into cash. They usually take bank transfers into their legal bank account. They typically live in countries with no digital laws.
Cashing In; the cybercriminal business model
The currency is laundered at a website called e-gold operated by Gold & Silver Inc. e-gold accounts have several convenient options for cybercriminals:
- Anonymity – Creating an e-gold account takes less than 1 minute and only requires a few mouse clicks.
- Irreversibility – All transactions are irreversible
- Independence – E-gold is not currently registered in any country. It was registered in the West Indies, but let that registration expire.
Carding Business Model
The thousands of credit cards stolen every day are usually sold for between $2 and $5 each, paid by an e-gold account.
Spyware/Adware business model
The business model can be summed up in two parts. Advertisers pay the spyware/adware company to have their ads displayed to users. Also, spyware/adware companies pay their partners/affiliates for each install of the spyware/adware program.