
    Batten down the hatches


    Viruses, trojans, worms, spyware, adware, phishing, snarfing. The internet contains some pretty dark alleys and many of them intersect the most popular highways. You don’t need to be wandering through a strange neighbourhood looking for trouble to find it. If you’re unprotected, it will most certainly find you. Jamie M. Vachon looks at how you can secure your computer systems from viruses and other nasties. You might think you’re fortified, but there’s always another back door. It’s time to get serious!

    THE RISK

    What are some of the biggest risks to your business and its growth? What could stunt sales, wreak significant financial losses, bring down the wrath of regulatory authorities, and potentially ruin your enterprise’s reputation and future prospects in the blink of an eye? While it may not be on the top of your list, there are few risks in today’s business landscape that can have such a significant impact as a security breach or network virus infestation. It’s an all out war and the ‘bad guys’ are constantly changing tactics in a guerrilla campaign against you — the business owner.

    “A lot of the current threat is motivated by profit,” says Ben Guthrie, Product Marketing Manager for TrendMicro, a leading provider of antivirus and content security software and services. “The typical hackers in the ‘90s and early this decade were ‘script kiddies’ looking to prove their technical skill and demonstrate their ability to code. That was child’s play compared to the organisation of operations today.”

    The case of Jeremy Jaynes represents the most famous, or infamous, illustration of this new shift in motivation. Jaynes was recently convicted under a Virginia law that makes using a false email address to send mass internet mailings, or spam, a felony. It is estimated that Jaynes was making between US$500,000 and US$750,000 a month from his operations.

    And it’s not just the spammers who have realised that there are significant profits to be made from getting inside your network. Companies such as Loudcash are paying developers and software companies on a per-install basis for their tool, which monitors surfing habits on the installed computer. And while such ‘spyware’ is generally little more than a nuisance, there are variations that service far more sinister intentions. Keystroke logging programs install themselves without any notification and catalogue and forward every bit of data entered on a user’s PC, including passwords, bank details and sensitive company information. One visit to the wrong website and an unprotected computer could be an identity thief’s best friend.

    While it’s easy to imagine the financial cost of cleaning up infected computers or tracking down an identity thief, other potential side effects are not as readily apparent. “There is the risk of litigation due to copyright infringements, privacy violations and accidental or deliberate destruction of data and/or systems,” says Andrew Feberwee, Director of Technology with LIFT Capital Partners, a growing independent financial services provider.

    THE ONE THAT GOT AWAY

    As if all this isn’t troubling enough, now two new tactics pose an even more sinister threat. Phishing involves sending an email luring unsuspecting users to convincing replicas of real websites, where details such as credit card numbers, usernames and passwords are requested. Pharming exploits a vulnerability in the Domain Name Service (DNS), hijacking a legitimate site and sending all traffic to a fake version of the site. So while some users are just learning to look at the actual address of the URL in a phishing email to determine its legitimacy, a successful pharmer can ensure that the user will never know that, for instance, ebay.com is actually being rerouted to a rogue website.

    Terrifying stuff for your average user. While phishing has received enormous media attention lately, users are still falling victim in droves. Phishing websites have become more sophisticated and emulate the real sites down to email links, colour schemes and privacy policies. And they are beginning to manipulate the functionality in web browsers. One such tactic involves hiding the normal navigational bar under an image that deceives the user into believing they are visiting a safe URL.
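    The advice above, checking the real address behind a link rather than the text shown, can be automated for an incoming mail. The following Python check is an added example and not part of the article; the sample email is constructed, and the rule that the last two labels of a hostname identify its owner is a simplifying assumption.

```python
"""Flag links in an HTML email whose displayed address differs from their real target."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample phishing email (not from the article).
SAMPLE_EMAIL = """
<p>Your account needs verification. Visit
<a href="http://203.0.113.5/ebay/login">http://www.ebay.com/verify</a></p>
<p>Or use <a href="http://www.ebay.com.example.net/login">www.ebay.com</a></p>
<p>Help: <a href="https://www.example.com/help">our help page</a></p>
"""

URL_LIKE = re.compile(r'^(?:https?://)?([a-z0-9.-]+)', re.I)
IPV4 = re.compile(r'\d{1,3}(\.\d{1,3}){3}')

def registrable(host):
    # Assumption: the last two labels approximate the owning domain (no public suffix list).
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href', ''), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) for each link that hides its real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ''
        if IPV4.fullmatch(host):
            findings.append((href, 'raw IP address instead of a domain name'))
        m = URL_LIKE.match(text)
        # Only compare when the visible text itself looks like a domain or URL.
        if m and '.' in m.group(1) and registrable(m.group(1)) != registrable(host):
            findings.append((href, 'displays %s but links to %s' % (m.group(1), host)))
    return findings
```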

    Adam Biviano, Senior Systems Engineer with TrendMicro, believes the shift in strategy has ushered in an altogether more menacing era of cyber larceny. “They’re not trying to take out the Internet anymore. They’re trying to infiltrate your network without any noticeable impact. Most networks are running legacy systems and never see the light of day except when they are adding hardware or software. These networks are prime real estate for this new style of attack.” So, while your network may seem to be secure and your users aren’t reporting any issues, the ‘bad guys’ could be collecting identity information from your employees and sensitive corporate data from your network.

    THE BAD GUYS (REWARD)

    Like Jeremy Jaynes, there are thousands of other people making a significant living from preying on the network vulnerabilities of corporations. The global impact of viruses, spyware, and phishing is generally accepted to be over $20 billion. However, trying to put a total dollar figure on the impact is a topic of hot debate, as some believe that the same companies that compile the figures stand to profit most from selling protection.

    Less than 20 percent of all security breaches are reported. Violated organisations often keep quiet in an effort to avoid negative publicity and investor impact. With a recent CSI/FBI Computer Crime and Security Survey estimating that the average SME cleanup bill for an attack costs upwards of $500,000, it’s not something victim companies are eager to broadcast.

    But it’s easy to concentrate on the dollar impact and forget that there is a highly organised group of criminals who sell their skills to gain access to something more valuable to a corporation than money — its data. It’s hard to put a monetary value on the impact of a company’s top secret product plans being released to a competitor or the marketplace months prior to launch. But just think, how valuable would your customer database be to your closest competitor?

    As a deterrent to cyber crime, current penalties and enforcement are regarded as inadequate and falling further behind. As the world becomes digitally integrated, a mounting bounty is on offer for enterprising tech criminals who consider the glittering reward well worth the limited risk. While many countries have tried to institute new laws to crack down on spam, identity theft through phishing, viruses and network break-ins, most suffer from ineffective enforcement or the inability to chase criminals across international borders. According to LIFT Capital’s Feberwee, “Local legislation is just not very effective in a global community.” Smart organisations don’t entrust their security solely to law enforcement. We put locks on our doors to keep criminals out because we know that jail isn’t always a strong enough deterrent, yet we leave our networks wide open for anyone to stroll through, unnoticed.

    THE RESISTANCE

    Smart companies are beginning to fight back. And while it’s an uphill battle, some are beginning to win the fight. What makes them successful in their defence efforts? “An effective policy defines all critical company assets and then defines a structure to protect those assets,” says Feberwee. “No single security policy is effective for all organisations; each company must define a policy that suits their custom needs. It’s important to realise, too, that those needs can change over time, especially for high growth enterprises. It’s a risk if the existing security policy does not cater for staff growth. The company must provide awareness of the security policy and ensure that it’s up-to-date.”

    Almost every effective protection policy will begin at the end user’s desktop. While it’s convenient and popular to allow users to have complete control over their computers, it is actually one of the largest security risks that you can introduce into an organisation.

    “End user PCs should allow day-to-day activities but no more”, says Biviano. And while there can be some serious political battles when users can no longer install any software they choose or change the system settings that they are used to having command over, organisations need to “bite the bullet and institute a controlled desktop. There may be political fallout but management needs to decide whether it’s worth the ongoing risk”. That’s why it’s critical to realise that only with management buy-in and support will an organisation be able to define and implement a security policy that provides sufficient protection on all fronts.

    THE LITMUS TEST

    End users must be as cautious with their internet usage as if it were their own computer and finances on the line. And while they will generally try to do their best, the biggest culprits in some organisations are those who should know better: the IT staff.

    Leading companies are starting to create a security conscious culture where users are part of the front line resistance, avoiding phishing attempts, not visiting suspect sites, keeping sensitive information out of emails and championing others to do the same. And these users realise that, just as they would be on alert and travel in groups in questionable areas of their cities, they must be aware and constantly question the validity of anything they see or receive from unknown sources on the internet.

    It’s interesting to see, also, the large number of software companies that are suddenly realising that releasing insecure products into the marketplace is not only unacceptable, it will force customers to move to their security-conscious competitors. And while it may or may not be justified, the most pervasive evidence of this is the perceived insecurity of the Windows platform and the subsequent mass interest and movement to Linux. The trend jolted Microsoft into action, prompting their Trustworthy Computing initiative. In October 2003, CEO Steve Ballmer committed Microsoft to the goal of training half a million IT professionals, developers and partners on security best practices in one year. It touts its success, claiming over 750,000 professionals trained.

    Microsoft’s renewed commitment to security is more recently evidenced by its Windows XP Service Pack 2, with its enhanced protective features. Unfortunately, this new paradigm has caught some developers by surprise and many have found that their once working applications, which were insecure, are now breaking under the more robust SP2.

    THE RESOLUTION

    Regardless of the size of your network and the number of users you have, almost every security expert recommends that protection be enabled on multiple layers. First and foremost is the entry point to your network from the internet. This layer is usually protected by a firewall, the types of which range from the simple to the very complex. Unfortunately, one of the biggest mistakes that companies make is thinking that they can purchase an off-the-shelf firewall product, plug it in and they’ll be fully protected. In almost all instances there will be a requirement to configure the firewall to meet specific protection needs. And while a firewall is commonly believed to be used solely to keep questionable traffic out of the network, it is also a very useful tool for ensuring that users aren’t accessing sites outside of the organisation that might put the company at risk.

    Once the entry and exit points for the network are secure it’s time to make sure that the PCs used by employees are clean and protected. The most obvious enabling tool here is a virus protection software package. And while it’s a good first step, a virus protection tool is only as good and as current as its latest patch or update. Each organisation must ensure that there is a good combination of technology and procedure in place to install updates as soon as they are released. Often, there is less than a 24-hour window between virus detection and update release and the virus hitting your network.

    One of the easiest wins a company can achieve in the battle for the desktop is to make effective use of their operating system vendor’s patching and update programs. Microsoft has provided Windows Update to notify users of critical security updates, which can be set to update and reboot automatically. For large networks, Microsoft provides the Software Update Service (SUS) so that patches can be downloaded in off-hours to a central server and then pushed to all desktops.

    Smart companies now realise that they need more than just virus protection and patching to ensure they aren’t susceptible to an attack. They are employing spyware detection and removal tools, malware removal tools and personal firewalls for individual PCs. Installing personal firewall tools, such as ZoneAlarm, will often reveal a surprising number of programs that “phone home” without the user’s knowledge. They are often benign, but sometimes they are malicious, such as keystroke logging programs.

    And now some vendors are releasing free or low-cost tools to analyse the state of your network and provide recommendations for cleanup and protection. Microsoft has recently released the Windows Malicious Software Removal Tool and Windows AntiSpyware (http://www.microsoft.com/security) for free on their website and TrendMicro offers their HouseCall service for free (http://housecall.trendmicro.com). Such products are aimed at the end user’s PC and will perform targeted scans for spyware and malware. As TrendMicro’s Guthrie says, “You’ll be surprised what you find.”

    Ultimately, the responsibility for the security of any organisation’s network and data is up to each and every employee. And technology can only go so far. While it would be a foolish organisation that shuns the multilayered approach espoused by security experts, it is just as naïve to believe that technology alone will mitigate all of the possible security risks that might present themselves. Total protection requires a change of mindset and a security conscious culture. User training, regular system patching, consistent virus software updating, and frequent security audits are critical to ensuring successful protection. As Guthrie concludes, “Just as you get your books audited, get regular system checks and audits”.

    If you wait until after a significant breach before you take computer security seriously, you might well discover that more than the horse has bolted. Leading world-class companies are learning to be proactive in their protection. Be vigilant, be strong, and you just might avoid ending up another statistic.