You’ve Got Malware

Talha Ghafoor takes a look!

There are just too many things going on over the network. More often than not, you sit and wait for the email alert telling you that someone is running a port scan or trying to crack a password by sheer, old-fashioned brute force. That’s why you should always have an IT team that you trust, so that when they tell you things like “there is no such thing as a hacker trying to attack your personal PC, which is behind a firewall”, you can take them at their word.

In the movies, countless directors have asked millions of viewers to suspend their disbelief and accept that this is possible, but then, think logically: would a hacker, who is usually trying to make a statement to a large audience, really be interested in tinkering with one single user who probably wouldn’t even know what was happening? I doubt there is much that he could do with the photographs of my cats in my shared docs!

“While modern operating systems are relatively safer, the trick is to let the attack initiate from inside,” explains Talha Ghafoor, CSO Pakistan’s go-to security guy. “The majority of attacks are done via email. Someone will send you malware, you open it and it gets installed on your PC. It will start spying on your activities and keep sending it outside.” So imagine a large company where many people access email and download all sorts of junk without really knowing what they are doing. Doesn’t every single user make the network vulnerable?

“Of course! But large companies have at least two levels of protection. First, they have powerful spam and malware filters running on the gateway. Most banks in the UK, and I am sure in Pakistan also, have banned Yahoo, Hotmail and other webmail access from the inside. Secondly, they use special security settings on workstations with limited access for the users.” So can’t attachments still be sent to the ‘official’ email, regardless of what software is being used?

“Yes, but there are two things to consider. One, the office emails come via an Exchange server that probably also has some filter enabled, and that filter can be updated as frequently as every hour through a subscription. Second, you can create another account on your workstation, for example, which is not the admin account. That way, you cannot install any software on your PC with that account. Even if you execute a virus, it won’t affect your PC. See, the main issue is that almost all spyware installs itself as a system service, which needs admin privileges. You restrict the access of one account and you restrict the damage that can be done.” According to Talha, you can eliminate 95% of spyware-related problems with a limited, non-admin account.
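The gateway filter Talha describes, a mail filter that refuses hostile attachments before a user ever sees them, can be sketched in a few dozen lines. What follows is an added example written for this article; it is not Blue Coat’s, Exchange’s or Talha’s code. The blocked-extension list, the magic-byte checks and the sample “CV” message are assumptions constructed here to show the idea: a filename check alone misses a renamed executable, and a magic-byte check alone misses a script, so a gateway does both.

```python
"""Gateway-style attachment filter (added example, not from the article).

Walks every MIME part of a raw message and flags attachments a conservative
mail gateway would quarantine: executable extensions (every dotted suffix is
checked, so 'cv.pdf.exe' is caught), Windows PE payloads identified by their
'MZ' header regardless of the declared name, and legacy OLE Office containers
that may carry VBA macros.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed block list; a real gateway ships a much longer, vendor-maintained one.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "dll", "ps1", "reg", "lnk",
}
PE_MAGIC = b"MZ"                                    # Windows executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls container


def attachment_verdicts(raw_message: bytes) -> list:
    """Return one verdict dict per named attachment in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:                            # inline body text, not an attachment
            continue
        data = part.get_payload(decode=True) or b""
        reasons = []
        suffixes = filename.lower().split(".")[1:]  # all suffixes, to catch double extensions
        blocked = [s for s in suffixes if s in BLOCKED_EXTENSIONS]
        if blocked:
            reasons.append(f"blocked extension .{blocked[-1]}")
        if data.startswith(PE_MAGIC):               # content check is independent of the name
            reasons.append("PE executable by magic bytes")
        if data.startswith(OLE_MAGIC):
            reasons.append("OLE container (possible macro document)")
        verdicts.append({"filename": filename, "size": len(data),
                         "block": bool(reasons), "reasons": reasons})
    return verdicts


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the whole message if any attachment is flagged."""
    return any(v["block"] for v in attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed test input: a job application carrying a disguised executable,
    a clean PDF, and a 'photo' whose bytes are really a PE file."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "My CV"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="cv.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed pdf body", maintype="application",
                       subtype="pdf", filename="cover-letter.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for v in attachment_verdicts(build_sample_message()):
        print(v)
    print("quarantine:", should_quarantine(build_sample_message()))
```

This shows only the structure of the check. A production gateway additionally opens archives, runs signature and heuristic antivirus on every part, and often detonates documents in a sandbox; the hourly subscription updates Talha mentions are what keep those signatures current.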

But what about specific software that requires the admin account? “That is a bother that your IT department has to live with.” Ugh! For some software, such as design and video editing packages, limited accounts don’t even work; you have to be logged in as the admin in order to run the software. “True. But there are some tweaks available that let you customize the registry to every criterion required by the user.” Alright, wise guy. So I tweak the software and edit the registry. Won’t I make the software or OS more unstable? “At the individual level, maybe. But when it comes to the enterprise, it is done through the central domain controller. Updates get pushed to all the terminals within the organization at the same time. It can even go down to the point that you cannot change your proxy server in your web browser or add another printer. These are controlled centrally.”

When talking about the enterprise, is Linux really more secure than the other operating systems? “Well, I say that it is very hard to make security-related mistakes in Linux. You see, every process, file and folder has visible ownership and attributes defined, so it is very difficult to mess things up. Linux keeps warning you in case you haven’t created a guest account during the install, and some versions won’t even let you use the root account for normal stuff. Whereas Windows forces you to create a secondary account, but it also has admin privileges, which kind of defeats the purpose.”

But wasn’t the whole reason for the success of Windows, and for the growth in computer users, that it was so easy to install and use? You never had to be a techie to use it (unless you were trying to configure networks in Windows 95!). “Mac was the same in terms of ease of use, but the growth rate of Windows is now declining. Vista was a flop and for the first time both Mac and Ubuntu are rocking.”

What about at the enterprise level? How come we don’t hear about Macs being used across large networks? Were they never intended to be? “It is not gaining in popularity. The problem was with the interaction with other enterprises that were using Microsoft Office and other apps that were not so Mac-friendly. Now that is changing.” Talha explains the concept of Xgrid on the Mac as an example of how much more network-savvy it is. “If you have 10 Macs in your office, you can enable Xgrid. Start encoding a movie, for example, on one Mac and it will share the load across the 10 Macs to encode it faster. Similarly it can share the load across multiple Macs for any Xgrid-enabled application.”

Coming back to malware, what other threats are posed to the network? “Well, malware literally means ‘bad software’, so there are many categories: viruses, spyware, worms, trojans, keyloggers, etc.” Alright already! So it’s all out there. Tell me, at what point does the IT guy know that there is, for example, a trojan in the building? “The IT guys usually don’t know. The concept here is ‘outsource’. A simple example of outsourcing is that you install an anti-malware product, pay the subscription fees and let it take care of everything.”

Talha gives the example of the Blue Coat content filtering proxy. This product enables organizations to scan for malware, viruses, worms, spyware, bots and trojans entering through web-based backdoors, at wire speed. “So you install one on the gateway where you have the main internet connection and it takes care of everything coming in and, potentially, going out.” Fabulous! That is bound to take care of some nasty business right there! How about security policy? What role does that play?

“In some banks where I worked, they enforced policies through their domain controller so that no one can connect a USB stick to a PC. The workstations are centrally programmed to ignore USB devices. But that is something enforced through the network or security policy; in enterprises, the main domain controller server controls these policies.”

Policies are good, but I still want to know about these products. How do you know which brand suits which task best? “These companies have the sales guys come and give you presentations and convince you. For countries that don’t have the benefit of sales reps, companies learn from regular magazines with reviews and reports.”

Oh, so who, in your opinion, is the leading vendor for a few different categories of security at the moment? “There isn’t any single one. IT security is just so big. There might be a best anti-virus, but it is not as good for firewalls. But for the enterprise level, I’d rate Juniper to be a trusted name for firewalls; Symantec for host antivirus protection; Fortinet for network antivirus protection; Blue Coat for content filtering; TippingPoint for intrusion detection and protection; and Nessus for vulnerability scanning.” Might be a stupid question here, but how come one company doesn’t have the expertise in more than one category?

“The problem is that a product is only as good as how frequently it is updated. No single company has the experts finding viruses and worms all working in the same company.” Okay, so who or what dictates the frequency of the updates? Can’t that be “outsourced” to the community that is actually BEING infected? “Well, there are forums on the internet where security experts discuss the viruses. There is actually a lot of competition between the top companies on how fast they design the remedy and push it to their hardware or software running at customer sites.”

For a “typical” virus, how long would you say it takes to code the remedy? “Around 2-4 hours, but it really depends on the complexity.” Sounds to me similar to what the CDC goes through. They don’t joke around when they call it a cyber threat!

“There are two kinds of updates: pull and push. In pull, the devices themselves periodically poll the update server to check if there is an update. This is the most common, but because of the many new attacks, some anti-virus companies know the IP address of the client and push the update to those devices. In fact, they have hundreds of regional servers around the world that do quick pushing. Even with this, there are some preventive measures taken by the enterprise. There are mailing lists and honeypots.”

Honeypots are fake servers that love to be attacked, somewhat like virtual servers where you let the attack take place in a protected environment that yields realistic results, so you can track what happened and what the vulnerability was, and develop a remedy for it. “There could be tens of honeypot servers on a single server, but you can, for obvious reasons, never tell that you are attacking a honeypot.”
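A minimal honeypot of the kind described above, as an added example that is not from the article or from any vendor’s product: it listens on a port that nothing legitimate should use, presents a decoy SSH banner (an assumed OpenSSH-style string), records whatever the peer sends, and writes one JSON line per connection. Because no real user ever has a reason to connect, every record is worth reading, which is what makes honeypot logs so low-noise. The `simulate` helper drives the handler over a local socketpair so it can be exercised offline; the peer address and client payloads in it are constructed.

```python
"""Low-interaction SSH-style honeypot (added example, not from the article)."""
import json
import socket
import threading
import time
from typing import Optional

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed decoy banner; pick one matching your real fleet
LOG_LOCK = threading.Lock()


def handle_client(conn: socket.socket, peer: str, now=time.time, max_bytes: int = 1024) -> dict:
    """Serve one connection: send the banner, capture the client's first bytes, return a log record."""
    conn.settimeout(2.0)
    record = {"ts": round(now(), 3), "peer": peer, "client_banner": "",
              "bytes_received": 0, "note": ""}
    try:
        conn.sendall(BANNER)
        data = conn.recv(max_bytes)
        record["bytes_received"] = len(data)
        # keep only the first line, printable, and bounded: attacker input goes straight into a log
        record["client_banner"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")[:128]
        if not data:
            record["note"] = "connected and disconnected without sending (port scan / banner grab)"
        elif not data.startswith(b"SSH-"):
            record["note"] = "non-SSH client banner"
    except socket.timeout:
        record["note"] = "peer silent after banner (slow scanner or half-open probe)"
    finally:
        conn.close()
    return record


def serve(bind: str = "127.0.0.1", port: int = 2222, log_path: str = "honeypot.jsonl") -> None:
    """Accept loop: one thread per connection, one JSON line per record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    with open(log_path, "a") as log:
        while True:
            conn, addr = srv.accept()

            def worker(c=conn, a=addr):
                rec = handle_client(c, f"{a[0]}:{a[1]}")
                with LOG_LOCK:
                    log.write(json.dumps(rec) + "\n")
                    log.flush()

            threading.Thread(target=worker, daemon=True).start()


def simulate(client_payload: Optional[bytes]) -> dict:
    """Drive handle_client over a socketpair (offline test helper).
    None means the client reads the banner and hangs up without sending."""
    server_end, client_end = socket.socketpair()

    def client():
        client_end.recv(64)                      # read the decoy banner
        if client_payload is not None:
            client_end.sendall(client_payload)
        client_end.close()

    t = threading.Thread(target=client)
    t.start()
    rec = handle_client(server_end, "127.0.0.1:40000", now=lambda: 0.0)   # constructed peer
    t.join()
    return rec


if __name__ == "__main__":
    print(json.dumps(simulate(b"SSH-2.0-libssh2_1.9.0\r\n")))
    print(json.dumps(simulate(b"GET / HTTP/1.0\r\n\r\n")))
    print(json.dumps(simulate(None)))
```

Run `serve()` on a host inside the network, forward the log to the SIEM, and any hit is an alert. Keep the decoy on a non-routable management VLAN or a dedicated VM: a low-interaction honeypot like this never executes what it receives, but the host it runs on is still a target.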

“There is also something called internal and external penetration testing. A customer, for example, tells us that he wants us to check his firewall and gateway-level security. I log into my penetration testing account, add his public IP addresses and begin testing. Through the testing, we get to learn all the known vulnerabilities. It scans that customer’s firewall, tries every single attack and then generates a report. The attack takes around 2-3 days.” Considering it costs in the range of $500 per IP for the test, it is worth the while of the enterprise to have its network tested. This cost is nothing compared to what the organization will go through in the event that there IS a leak somewhere.

“Penetration testing is for companies who also have some kind of servers hosted in their office behind the firewall. If they didn’t, everything incoming on the gateway would be blocked.”

Depending on the size and scale of the enterprise, the CSO needs to be able to understand the potential threats that may make his network insecure, deploy the right controls and minimize them. The network is never 100% secure. There will always be new threats and vulnerabilities opening up. Whether the CSO can stay a step ahead of the threat depends on how sharp he is. And that will make the difference.
