With such a wide variety of threats to guard against, it's only natural for
security administrators to become overwhelmed with preventive maintenance requirements.
Ultimately, this leads to gaps in network defense. This article defines the
importance of desktop policy enforcement and presents a workable model for all
skill ranges of security administrators to utilize for endpoint protection.
Several years ago, while working as a help desk technician at a large corporation,
I would often seek direction from the Security Administrator. When I say "the"
Security Administrator, that's exactly what he was. The one and only administrator
for a company, the size of which today would have a team of security professionals
on staff. There were other networking personnel but only one security technician
with the keys to the kingdom.
This particular administrator was a flurry of activity, using UNIX command
line syntax with seemingly dozens of vi editors, telnet and rlogin connections
open at a time, a conference call going on the speaker phone (muted of course),
all while maintaining a conversation in stride.
One day I asked him, "With so many users, network pathways and servers
to monitor, how can you possibly be aware of all the security issues going on
at any given time?"
He turned around, pointed to his ear and said, "You have to be able
to listen to the wind."
It took a while to figure he meant but eventually, as my experience in network
security grew over the years, it became obvious. There is no reasonable way
to track all activity occurring on a network; incoming, outgoing and everywhere
in-between. A security administrator needs to know their network so well, that
it's second nature to know where to look for potential problems. Essentially,
what this amounts to is a "sixth sense" in being able to hone in on
the invisible. Without it, one is at a disadvantage in combating the vast array
of hostile possibilities skulking beneath the surface.
For better or worse, not all of us are old school UNIX technicians who have
been sitting in the same chair, using the same set of tools in the same environment
for years on end. Defending the enterprise on a comprehensive scale is much
easier said than done, especially in environments where security administration
is meshed with traditional network administration duties. It is rare for technicians
to keep up with security-only tasks. In many instances, preventive maintenance
amounts to reading security web sites and newsgroups, reviewing the latest patches
and exploit information.
In such circumstances, technician work habits can tend to become jaded. It's
not that they don't want to know what traffic is hitting their network, what
traffic has already penetrated their network and what applications users have
on their machines that can potentially breach security. It's a matter of not
having the time to figure it all out.
The most logical pathway to network fact-finding is reviewing log files. Yet,
how many security administrators can decipher IP traffic and hexadecimal dumps
at a glance? How feasible is it to spend the workday pouring over intrusion
detection log files? In the end, the core of security fundamentals rests with
the human element - the ability of the administrator to deduce root cause and
effect as well as come up with practical and effective prevention methodologies.
Coping with "Badware"
Preventive maintenance against security problems begins at the endpoint. If
network-attached computers are limited in their the ability to interact with
"badware", that is a step in the right direction in staving off potential
negative impacts to the entire network.
In a nutshell, "badware" is any program, service or code-bearing
file that arrives on desktops by way of surreptitious means. There are two primary
categories of badware: malware and spyware/adware. There are many derivatives
of each but it's easiest to think of them in terms of destructive and non-destructive
elements. Though, all modes of badware are insidious and require specialized
attention from security administrators
Malware constitutes Trojan horses, worms, viruses and malicious code. Such
applications are usually delivered through e-mail attachments and file sharing
methods. Spyware and adware are marketing applications delivered via seemingly
innocuous downloads and bundled with freeware and shareware programs.
While malware is usually obvious in its destructive intent, spyware and adware
takes the approach of extending an offer of cooperation to end users. To the
casual observer, what's the harm of a few uninvited pop-ups and cute animations?
That's where it starts but the lingering effects can be applications or services
installed in the background and sometimes becoming embedded within the operating
system on Windows platforms.
Unfortunately, spyware and adware is far more advanced than many people realize
- including IT professionals. The whole purpose of spyware/adware is to cull
information from a target host. This information can either be sold to Internet
marketing companies or utilized to somehow enhance understanding of Internet
usage habits. The specific information can be anything from web surfing statistics
to online shopping preferences to operating system registration data - basically
any information that the badware is programmed to cull, it will do so.
By offering some type of functionality or appeal, spyware/adware attempts to
establish a legitimate relationship with the end-user in which information exchange
is downplayed in favor of the advantages of the offered product or services.
Information from the host is sent in the background to a home server for aggregated
In addition to gleaning marketing data from a target host, spyware/adware has
the potential to disrupt end-user productivity due to unanticipated system failures
as well as bandwidth, RAM and CPU cycle consumption. Even worse, spyware/adware
tends to configure itself to launch at start-up. This can lead to conflict with
anything else trying to launch at startup. Thus, these third party applications
can lock up anti-virus software for example.
The most overlooked pathway for badware is in traffic entering and leaving
a network by way of approved applications. "Approved' refers to applications
that people need to use (such as browsers). Rarely will security technicians
(or anyone) take notice of end-user surfing habits until the damage is done.
Sometimes, even innocent business research can lead to users arriving at sketchy
web sites or ones relying on surreptitious advertising. End-users have a tendency
to not read license screen pop-ups before clicking "ok." thinking
it is part of a website's functionality. This is an easy pathway for spyware
and adware to get through onto a corporate network.
Sometimes, spyware/adware is packaged with an installer in such a manner that
there is no "opt-out." Many file sharing programs use this technique.
There may be warnings that spyware/adware will be installed along with the intended
application but more often than not, people will skim through a license agreement
with a singular objective of performing the installation regardless. Spyware/adware
is usually difficult to remove effectively and may even re-install itself. Thus,
even attentive users who realize their mistake will be at a disadvantage in
removing undesirable applications without technical assistance.
If there was ever a surefire repeat problem in the making it is with badware
and IT technicians mistakenly believing they safely removed it at first pass.
While there may be convenient entries in the Windows Add/Remove Programs or
even an uninstall icon, it is just one method the authors of badware use to
gain trust. Spyware/adware doesn't just fool end-users, it is designed to fool
IT personnel with a seemingly innocuous appearance.
The intricacies of end-user Internet usage habits inevitably leads to interaction
with badware of some variety. Such a reality requires the establishing of desktop
usage policies that are enforced by application control capabilities and centralized
management tools. Administrators can never afford to be complacent and believe
that a problem does not exist simply because no one has reported any. If end-users
are connected to the network without a method of policy enforcement, there are
more than enough problems in waiting.
To combat badware effectively, security administrators require the ability
to inventory applications residing on endpoints attached to their network on
a regular basis. Enterprise protection tools exist that can aggregate the application
inventory results, including all executables as well as components such as .dll
files. Some enterprise protection tools will match the inventory against an
online database that determines if the file or file component is known to be
undesirable. From that juncture, administrators can take action by removing
the offending application completely from the infected endpoint. Such level
of detailed discovery is a step forward in ensuring full compliance with company
security policies and maintaining a realistic preventive maintenance strategy
for desktop protection.
Enforcing E-Mail & Anti-Virus Protection
E-mail attachments are the most common method for malware to be distributed.
Additionally, once malware is distributed, it tends to propagate using approved
applications such as chat and e-mail software. Though, attachments can't launch
themselves upon landing in an inbox so the e-mail itself uses social engineering
techniques to intrigue or convince end-users enough to launch the file. Some
malware is "joined" with legitimate files such as graphics so as to
fool the recipient. Once installed, malware can conduct any number of exploits.
If it is sophisticated, it tries to connect to an automated bot residing on
a server on the Internet. By connecting, the malware is able to send the IP
address and DNS information of the infected computer as well as whatever network
information it is able to cull, thus doing the bidding of a skilled intruder
in waiting. This is a common example of badware taking advantage of approved
applications on a network.
E-Mail is one of the most vulnerable pathways in and out of an enterprise network.
Too often, it's easy to assume gateway defense software will quarantine all
undesirable attachments that come through. The reality is today's malware is
very aggressive and is designed to attack the gateway itself. In cases where
e-mail gateway defense is bypassed, desktop anti-virus defense is sure to follow.
The worst part is it's often not obvious that anti-virus protection has been
disabled. The system tray icon stays active and the software may continue to
operate on some level. However, you never really know anti-virus protection
is functioning correctly unless a secondary failsafe is used to monitor the
desktop unobtrusively and beyond the reach of the focus of malware. Specialized
enterprise protection tools exist for this purpose. Such tools will also be
effective against POP3 mail retrieval which is typically outside the enterprise
Significant advances have been made and continue to be made in the areas of
defeating e-mail attachment protection. Malware authors don't need to create
the exploits themselves because they get help from the security community who
publish their test results to widely read venues such as BugTraq. There are
several individual researchers and in some cases, security companies themselves,
dedicated to uncovering weaknesses in e-mail and file protection technologies.
After they post their findings on the Internet, badware authors utilize the
information and incorporate it into to an already formidable arsenal of tricks
to bypass security products.
The most important lesson in dealing with badware is that it takes advantage
of the human condition. Sophisticated badware takes social engineering to a
new level because it's "smart" and utilizes a pre-defined set of manipulative
tactics to reach its objectives. If the badware is successful, the impacts can
affect a company's productivity and even its bottom line.
Taking a Proactive Stance
While there is no quick fix to the ongoing problem of badware infiltration
of a network, administrators can make use of specialized technologies to enforce
endpoint policies. Considering the effectiveness and sophistication of badware,
an in-depth understanding of what is transpiring behind the scenes on a network
has become essential for security administrators in order to achieve healthy
measures of preventive maintenance.
Desktop forensics may seem to be a tedious challenge to tackle but the time
is well spent. Security administration is a series of trade-offs. The rewards
are seldom acknowledged because the fixes take place before catastrophe strikes.