Cyber Security Expo
Endpoint Protection: New Approaches to Best Practices by Larz on 01/11/02


With such a wide variety of threats to guard against, it's only natural for security administrators to become overwhelmed with preventive maintenance requirements. Ultimately, this leads to gaps in network defense. This article defines the importance of desktop policy enforcement and presents a workable model for all skill ranges of security administrators to utilize for endpoint protection.


Several years ago, while working as a help desk technician at a large corporation, I would often seek direction from the Security Administrator. When I say "the" Security Administrator, that's exactly what he was. The one and only administrator for a company, the size of which today would have a team of security professionals on staff. There were other networking personnel but only one security technician with the keys to the kingdom.

This particular administrator was a flurry of activity, using UNIX command line syntax with seemingly dozens of vi editors, telnet and rlogin connections open at a time, a conference call going on the speaker phone (muted of course), all while maintaining a conversation in stride.

One day I asked him, "With so many users, network pathways and servers to monitor, how can you possibly be aware of all the security issues going on at any given time?"

He turned around, pointed to his ear and said, "You have to be able to listen to the wind."

It took a while to figure out what he meant, but eventually, as my experience in network security grew over the years, it became obvious. There is no reasonable way to track all activity occurring on a network: incoming, outgoing and everywhere in between. A security administrator needs to know their network so well that it's second nature to know where to look for potential problems. Essentially, what this amounts to is a "sixth sense" for homing in on the invisible. Without it, one is at a disadvantage in combating the vast array of hostile possibilities skulking beneath the surface.

For better or worse, not all of us are old school UNIX technicians who have been sitting in the same chair, using the same set of tools in the same environment for years on end. Defending the enterprise on a comprehensive scale is much easier said than done, especially in environments where security administration is meshed with traditional network administration duties. It is rare for technicians to keep up with security-only tasks. In many instances, preventive maintenance amounts to reading security web sites and newsgroups, reviewing the latest patches and exploit information.

In such circumstances, technician work habits can tend to become jaded. It's not that they don't want to know what traffic is hitting their network, what traffic has already penetrated their network and what applications users have on their machines that can potentially breach security. It's a matter of not having the time to figure it all out.

The most logical pathway to network fact-finding is reviewing log files. Yet how many security administrators can decipher IP traffic and hexadecimal dumps at a glance? How feasible is it to spend the workday poring over intrusion detection log files? In the end, the core of security fundamentals rests with the human element: the ability of the administrator to deduce root cause and effect, as well as to come up with practical and effective prevention methodologies.

Coping with "Badware"

Preventive maintenance against security problems begins at the endpoint. If network-attached computers are limited in their ability to interact with "badware", that is a step in the right direction in staving off potential negative impacts to the entire network.

In a nutshell, "badware" is any program, service or code-bearing file that arrives on desktops by surreptitious means. There are two primary categories of badware: malware and spyware/adware. There are many derivatives of each, but it's easiest to think of them in terms of destructive and non-destructive elements. Still, all modes of badware are insidious and require specialized attention from security administrators.

Malware comprises Trojan horses, worms, viruses and other malicious code. Such applications are usually delivered through e-mail attachments and file sharing. Spyware and adware are marketing applications delivered via seemingly innocuous downloads and bundled with freeware and shareware programs.

While malware is usually obvious in its destructive intent, spyware and adware take the approach of extending an offer of cooperation to end users. To the casual observer, what's the harm of a few uninvited pop-ups and cute animations? That's where it starts, but the lingering effects can be applications or services installed in the background, sometimes becoming embedded within the operating system on Windows platforms.

Unfortunately, spyware and adware are far more advanced than many people realize, including IT professionals. The whole purpose of spyware/adware is to cull information from a target host. This information can either be sold to Internet marketing companies or used to build a picture of Internet usage habits. The specific information can be anything from web surfing statistics to online shopping preferences to operating system registration data; basically, whatever information the badware is programmed to cull, it will cull.

By offering some type of functionality or appeal, spyware/adware attempts to establish a legitimate relationship with the end-user in which information exchange is downplayed in favor of the advantages of the offered product or services. Information from the host is sent in the background to a home server for aggregated analysis.

In addition to gleaning marketing data from a target host, spyware/adware has the potential to disrupt end-user productivity due to unanticipated system failures as well as bandwidth, RAM and CPU cycle consumption. Even worse, spyware/adware tends to configure itself to launch at start-up. This can lead to conflict with anything else trying to launch at startup. Thus, these third party applications can lock up anti-virus software for example.

The most overlooked pathway for badware is traffic entering and leaving a network by way of approved applications. "Approved" refers to applications that people need to use (such as browsers). Rarely will security technicians (or anyone) take notice of end-user surfing habits until the damage is done. Sometimes even innocent business research can lead users to sketchy web sites, or to ones relying on surreptitious advertising. End-users have a tendency not to read license screen pop-ups before clicking "OK", thinking it is part of the website's functionality. This is an easy pathway for spyware and adware to get onto a corporate network.

Sometimes, spyware/adware is packaged with an installer in such a manner that there is no "opt-out." Many file sharing programs use this technique. There may be warnings that spyware/adware will be installed along with the intended application but more often than not, people will skim through a license agreement with a singular objective of performing the installation regardless. Spyware/adware is usually difficult to remove effectively and may even re-install itself. Thus, even attentive users who realize their mistake will be at a disadvantage in removing undesirable applications without technical assistance.

If there was ever a surefire repeat problem in the making it is with badware and IT technicians mistakenly believing they safely removed it at first pass. While there may be convenient entries in the Windows Add/Remove Programs or even an uninstall icon, it is just one method the authors of badware use to gain trust. Spyware/adware doesn't just fool end-users, it is designed to fool IT personnel with a seemingly innocuous appearance.

The intricacies of end-user Internet usage habits inevitably lead to interaction with badware of some variety. Such a reality requires establishing desktop usage policies that are enforced by application control capabilities and centralized management tools. Administrators can never afford to be complacent and believe that a problem does not exist simply because no one has reported one. If end-users are connected to the network without a method of policy enforcement, there are more than enough problems in waiting.

To combat badware effectively, security administrators require the ability to inventory applications residing on endpoints attached to their network on a regular basis. Enterprise protection tools exist that can aggregate the application inventory results, including all executables as well as components such as .dll files. Some enterprise protection tools will match the inventory against an online database that determines whether the file or file component is known to be undesirable. From that juncture, administrators can take action by removing the offending application completely from the infected endpoint. Such a level of detailed discovery is a step forward in ensuring full compliance with company security policies and maintaining a realistic preventive maintenance strategy for desktop protection.
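The inventory-and-match step described above, written out as an added example (it is not code from the original article or from any enterprise protection product). It walks an endpoint's file system, hashes every executable and .dll component, and classifies each one against a deny-list of known-undesirable hashes and an allow-list of approved ones, which is what a desktop policy enforced by application control amounts to. The directory layout, file contents and both hash lists are constructed inside the example; a real deployment would feed the inventory to a central management server and pull the lists from there.

```python
"""Endpoint application inventory with allow/deny-list matching.

Added example, not from the original article.  Walks a directory tree,
hashes executables and DLL components, and classifies each file against
a constructed allow-list and deny-list of SHA-256 values.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types that count as "code-bearing" for inventory purposes.
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def sha256_of(path):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map every code-bearing file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in CODE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = Path(full).relative_to(root).as_posix()
                result[rel] = sha256_of(full)
    return result


def classify(inv, allow_hashes, deny_hashes):
    """Label each inventoried file 'undesirable', 'approved' or 'unknown'.

    The deny-list is checked first so a known-bad component cannot hide
    behind a file name that happens to look approved.  'unknown' files
    are the ones an administrator still has to review by hand.
    """
    labels = {}
    for rel, digest in inv.items():
        if digest in deny_hashes:
            labels[rel] = "undesirable"
        elif digest in allow_hashes:
            labels[rel] = "approved"
        else:
            labels[rel] = "unknown"
    return labels


def build_sample_endpoint():
    """Create a constructed endpoint tree in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="endpoint_")
    layout = {
        "Program Files/Office/word.exe": b"approved office binary (constructed)",
        "Program Files/Office/mso.dll": b"approved office component (constructed)",
        "Windows/System32/adhelper.dll": b"bundled adware component (constructed)",
        "Users/alice/Downloads/setup.exe": b"unreviewed installer (constructed)",
        "Users/alice/Documents/notes.txt": b"not code, ignored by the inventory",
    }
    for rel, content in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def run_demo():
    """Inventory the sample endpoint and return its classification."""
    root = build_sample_endpoint()
    # Constructed hash lists; a real site would download these centrally.
    allow = {
        hashlib.sha256(b"approved office binary (constructed)").hexdigest(),
        hashlib.sha256(b"approved office component (constructed)").hexdigest(),
    }
    deny = {hashlib.sha256(b"bundled adware component (constructed)").hexdigest()}
    return classify(inventory(root), allow, deny)


if __name__ == "__main__":
    for rel, label in sorted(run_demo().items()):
        print(f"{label:12s} {rel}")
```

Hashing rather than matching on file names is the point: badware that borrows a legitimate-looking name or an Add/Remove Programs entry still has a different digest, and an "unknown" result is a prompt to look closer, not a pass.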

Enforcing E-Mail & Anti-Virus Protection

E-mail attachments are the most common method for distributing malware. Additionally, once malware is distributed, it tends to propagate using approved applications such as chat and e-mail software. Attachments can't launch themselves upon landing in an inbox, so the e-mail itself uses social engineering techniques to intrigue or convince end-users enough to launch the file. Some malware is "joined" with legitimate files such as graphics so as to fool the recipient. Once installed, malware can conduct any number of exploits. If it is sophisticated, it tries to connect to an automated bot residing on a server on the Internet. By connecting, the malware is able to send the IP address and DNS information of the infected computer, as well as whatever network information it is able to cull, thus doing the bidding of a skilled intruder in waiting. This is a common example of badware taking advantage of approved applications on a network.

E-mail is one of the most vulnerable pathways in and out of an enterprise network. Too often, it's easy to assume gateway defense software will quarantine all undesirable attachments that come through. The reality is that today's malware is very aggressive and is designed to attack the gateway itself. In cases where e-mail gateway defense is bypassed, desktop anti-virus defense is sure to follow. The worst part is that it's often not obvious that anti-virus protection has been disabled. The system tray icon stays active and the software may continue to operate on some level. However, you never really know whether anti-virus protection is functioning correctly unless a secondary failsafe is used to monitor the desktop unobtrusively and beyond the reach of the malware's focus. Specialized enterprise protection tools exist for this purpose. Such tools are also effective for POP3 mail retrieval, which is typically outside the enterprise gateway's defenses.
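A minimal version of the "secondary failsafe" described above, as an added example rather than code from the article or from any anti-virus vendor. Instead of trusting the system tray icon, it checks two facts the malware would have to disturb to disable protection: that the scanner's resident process is actually in the process list, and that the signature database has been updated recently. The process name `avscanner.exe` and the signature path are placeholders for whatever product a site runs; the decision logic is kept in a pure function so it can be exercised without a real installation.

```python
"""Independent anti-virus health check for an endpoint.

Added example, not from the original article.  Verifies the scanner
process is present and its signature database is fresh, using only
operating-system facilities, so it keeps working when the product's
own tray icon is lying.
"""
import os
import subprocess
import sys
import time


def collect_process_names():
    """Return a set of lowercase running process names (Linux or Windows)."""
    names = set()
    if os.path.isdir("/proc"):                      # Linux: read /proc/<pid>/comm
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        names.add(fh.read().strip().lower())
                except OSError:
                    pass                            # process exited mid-scan
    elif sys.platform.startswith("win"):            # Windows: parse tasklist CSV
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=False).stdout
        for line in out.splitlines():
            if line.startswith('"'):
                names.add(line.split('","')[0].strip('"').lower())
    return names


def evaluate_av_health(running, expected_process, signature_age_days, max_age_days):
    """Pure decision logic, testable without a real AV install.

    running             -- set of lowercase process names currently running
    expected_process    -- name of the scanner's resident process
    signature_age_days  -- days since the signature database was last written
    max_age_days        -- oldest acceptable signature age
    Returns (healthy, list_of_findings).
    """
    findings = []
    if expected_process.lower() not in running:
        findings.append(f"resident scanner '{expected_process}' is not running")
    if signature_age_days > max_age_days:
        findings.append(
            f"signature database is {signature_age_days:.0f} days old "
            f"(limit {max_age_days})")
    return (not findings, findings)


def check_endpoint(expected_process, signature_path, max_age_days=3):
    """Gather live facts and evaluate them; a missing database counts as stale."""
    try:
        age_days = (time.time() - os.stat(signature_path).st_mtime) / 86400
    except OSError:
        age_days = float("inf")                     # no database file at all
    return evaluate_av_health(collect_process_names(), expected_process,
                              age_days, max_age_days)


if __name__ == "__main__":
    # Placeholder names; substitute the product's real process and DB path.
    healthy, findings = check_endpoint("avscanner.exe",
                                       r"C:\ProgramData\AV\signatures.dat")
    print("HEALTHY" if healthy else "ATTENTION: " + "; ".join(findings))
```

Run from a scheduled task under an account the end-user cannot modify, and report the findings to a central console rather than to the desktop, so the check stays outside the reach of whatever disabled the scanner in the first place.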

Significant advances have been made, and continue to be made, in defeating e-mail attachment protection. Malware authors don't need to create the exploits themselves because they get help from the security community, who publish their test results to widely read venues such as BugTraq. There are several individual researchers and, in some cases, security companies themselves dedicated to uncovering weaknesses in e-mail and file protection technologies. After they post their findings on the Internet, badware authors utilize the information and incorporate it into an already formidable arsenal of tricks to bypass security products.

The most important lesson in dealing with badware is that it takes advantage of the human condition. Sophisticated badware takes social engineering to a new level because it's "smart" and utilizes a pre-defined set of manipulative tactics to reach its objectives. If the badware is successful, the impacts can affect a company's productivity and even its bottom line.

Taking a Proactive Stance

While there is no quick fix to the ongoing problem of badware infiltration of a network, administrators can make use of specialized technologies to enforce endpoint policies. Considering the effectiveness and sophistication of badware, an in-depth understanding of what is transpiring behind the scenes on a network has become essential for security administrators in order to achieve healthy measures of preventive maintenance.

Desktop forensics may seem to be a tedious challenge to tackle but the time is well spent. Security administration is a series of trade-offs. The rewards are seldom acknowledged because the fixes take place before catastrophe strikes.

