- Peter Tippett
Many IT security managers have a difficult time coming to terms with the fact that their primary security controls are fallible. "Primary" controls, in this context, refer to security mechanisms or technologies that mitigate a particular threat most of the time-in fact, more than 90 percent of the time -- but never all of the time.
Antivirus scanners are a good example of the fallibility of primary controls. AV scanners stop in excess of 90 percent of malicious code threats. But despite the huge day-in, day-out success of AV products, failures still happen -- often in spectacular fashion.
According to the Seventh Annual ICSA Labs' Virus Prevalence Survey every year organizations spend more and more money attempting to mitigate the risk of viruses and worms. Yet each year the impact of viruses -- measured as frequency or cost of virus encounters, incidents and disasters -- continues to worsen.
There are two main reasons why our defenses continue to lag behind the virus and worm problem: the problem is evolving faster than our defenses are and we typically think in narrow terms about how to mitigate the threat. In addition to using AV scanners as a primary control, we need to build a more robust defense-in-depth architecture utilizing practical "synergistic" controls.
The rapid evolution in virus infection vectors -- from boot-sector to file-type to macro to mail-enabled to network-enabled -- points to the possibility that we'll experience a "zero hour" virus relatively soon. When the Form boot-sector virus was released in 1989, it took nearly a year to become pervasive. The Concept Macro virus, first seen in 1995, took about three months to fully make the rounds. LoveLetter took only about one day, while Code Red needed roughly 90 minutes. Nimda took less than 30 minutes. The trend behind these numbers is clear: With each new step in the evolution of malicious code, viruses and worms get closer and closer to spreading everywhere as soon as they're released.
Fewer and fewer new viruses rely on social engineering to succeed. In the old days, malcode never directly exploited a vulnerability in an operating system or application, but rather cajoled users into executing a viral program that then replicated itself. Over the past year, however, malcode has begun to leverage OS or application vulnerabilities with or without additional social exploits. The most successful malcode exploits both technical and human fallibilities.
Furthermore, the desktop is no longer the only replication engine. While client machines are still a significant infection vector, Web, application and other servers are increasingly the primary target, as exemplified by L10n, PoisonBOx, Code Red and Nimda. With the dawn of "the age of the worm," exploit code spreads itself and no longer needs to hitchhike on other code.
Used as a primary control, scanner-based AV products are increasingly powerless against the zero hour threat. And, of course, desktop- or e-mail-based antivirus does almost nothing to address the server-as-worm-vector problem.
To address these problems, we need to go beyond AV scanning as the sole protection for our organizations. AV scanning is still a necessary primary control, but we need to layer in several "secondary" or "synergistic" security controls for a more robust defense posture. Synergistic controls are relatively simple, easy-to-manage technologies and practices that supplement our primary controls. Individually, synergistic controls are nowhere near as good as primary controls. But when used together, they protect our organizations and data when (not if) primary controls fail.
Before we implement synergistic controls, however, we must first ensure that our primary controls are in place and functional. Given the evolution of attack vectors, this means examining controls at both the desktop and server levels.
For desktop-vector viruses, three primary controls are recommended: (1) desktop AV scanning, (2) mail gateway AV scanning, and (3) mail gateway file filtering. Currently, almost all companies use AV at the desktop, according to ICSA Labs' Virus Prevalence Survey. However, only about three-quarters of organizations use AV at the mail gateway, and only about half do gateway file filtering.
Desktop AV. For maximum effectiveness, desktop antivirus must be (a) set up to operate full time and in the background on all file reads, writes and executes; (b) configured to scan all file types; and (c) updated at least monthly.
A common misconception about desktop scanning is that the hard disk must be scanned on a daily or weekly basis. In reality, any periodic scanning adds no incremental value to desktop virus protection. If the full-time background protection is functioning, then all files read, written or executed from the drive will be scanned anyway. Scanning again on a weekly schedule adds little or no value.
Synergistic AV Controls
When used in conjunction with primary AV controls, these and other similar controls can help organizations achieve "synergistic security" against evolving malcode threats. Use this list to develop your own inexpensive, low-impact, low-maintenance strategy to create real defense-in-depth in your organization.
Control Internet Mail
- Disallow noncorporate e-mail by policy.
- Block common Internet mail sites like Yahoo! and Hotmail (get proxy log first).
- Block attachments and/or control content for Internet mail.
Web Proxy Server Content Control
- Use a proxy server.
- Filter file attachments at the Web proxy. (This may be difficult to do on an enterprise scale, since *.exe and *.dll files may be required for certain functions, such as desktop patching.)
- Rapidly apply appropriate filters following new virus alerts.
- Use AV scanning at Web proxy.
Mail Gateway Content Filtering
- Rapidly apply appropriate filters following new virus alerts.
- Filter specific lists of old viruses/worms to protect against new variants and old restarts.
- Filter generic code/scripting items (like classid=) that should not arrive in normal e-mail.
- Convert .html to .rtf or .txt in messages.
- Remove all scripts in mail: script, jscript, vbscript, etc.
- Educate users not to double-click on anything unexpected or unusual.
- Don't double-click on mail with no title or body text.
- Configure Outlook to use AutoPreview, not Preview Pane.
- Apply Outlook security patch.
- Use Outlook 2002.
- Configure Outlook to utilize restricted site zones separate from IE.
- Disable HTML in Outlook 2002.
- Use Russ Cooper's (NTBugtraq) NoHTML utility.
- Use junk mail rules to predelete files with attachments of certain types.
- Use security zones to keep browser from browsing any site not previously listed in acceptable corporate URL list.
- Set all scripting types in all zones to "Disable" or "Prompt" (including the hidden "Local Computer Zone").
- Patch all security-critical vulnerabilities.
- Use e-mail clients other than Outlook.
- Use Web browsers other than IE.
Desktop OS Configurations
- Disable Windows Scripting Host (WSH).
- Change default file associations:
- Configure Notepad to open potentially infected files (e.g., *.vbs).
- Disable Outlook Express (overwrite it with Notepad.exe, but keep original name).
- Use highly permissioned file systems for application and configuration files.
- Rename Notepad.exe to Mediaplayer.exe as a way to delete Media Player.
Use Third-Party Security Software
- Use a desktop firewall on all remote desktops/laptops.
- Use content management software on desktops.
- Use content management software on mail and proxy servers.
Patch, Patch, Patch
- Aggressively patch IE and Outlook.
- Apply critical desktop OS patches.
Office Application Configuration
- Turn on all macro virus protections in Word and Excel.
- Use latest Office applications.
- Use .rtf instead of .doc as default file format in Word.
- Go to thin client, even for browsing.
- Ensure host mail client, application clients and Office clients are highly controlled, well patched and maintained.
- Use heuristics available in AV software.
- Set to read-only: OS files, configuration files.
- Set AV product to alert on DoS; block read-only attribute change.
- Control outbound traffic and protocols as aggressively as inbound.
- Use default-deny mode.
- Use high segmentation protocol filtering (e.g., with routers).
- Use antispoofing, both egress and ingress filtering at border and intranet routers.
- Configure routers (especially border routers) to default deny.
- Use standard builds. Use hash/checksum databases of drives (e.g., Tripwire).
Use available multivendor AV releases for infections (independent of the specific AV used for protection).
- Create and maintain ghost images of drives.
Also, since viruses and worms utilize (or spoof) a wide array of file types -- some of which are not actually program files -- all file types must be included in real-time scans. Since most AV scanning products don't scan all files by default, configuration settings usually need to be altered.
Some vendors recommend updating desktop AV definitions not monthly, but on a weekly or daily basis. Practically speaking, doing so results in a slight increase in desktop protection, but such a gain must be balanced against the additional time, effort and cost that's required. Synergy really helps here, because most synergistic controls are aimed at the zero hour problem, and therefore will also effectively address the "zero week" problem.
AV at the mail gateway. Antivirus at the mail gateway must be (1) configured to scan all file types, (2) architected to never "fail open" when overwhelmed by a huge volume of infected messages, and (3) updated at least weekly.
Most gateway AV products had big problems with overload a couple of years ago. If the gateway received hundreds or thousands of infected messages, the AV function would become saturated, allowing some infected messages to slip through. Though they have significantly improved, virtually all AV products can still be overloaded. AV vendors may outline specific recommendations to reduce this risk; the best strategy usually involves running AV on a separate box rather than directly on the mail server.
File filtering, mail gateway. File filtering at the mail gateway is an absolutely essential control at the enterprise level. Gateway filtering can be accomplished in several different ways. Some server AV solutions come with a file filtering option. Alternatively, you can configure the mail server itself to filter for certain file types. You can add a separate box with Sendmail, Postscript or similar SMTP function with filtering. Or, you can utilize third-party content management software.
The best configuration for file filtering is "default deny," in which all file types are stripped out except those specifically needed in your business environment. Implementing a rule such as "deny all attachments except *.doc, *.rtf, *.xls, *.ppt, *.txt, *.pdf, *.zip" is more effective than using a "default allow" configuration and specifying a list of file types to deny. However, very few products are capable of implementing a default deny rule, and must rely on a list of blocked file types.1
Interestingly, mail gateway scanning and file filtering weren't primary controls three years ago. But as viruses and worms increasingly infect the enterprise via mail-borne vectors, attachment filtering is now an essential practice. In the next year or two, scanning/filtering at the gateway is likely to become more of a secondary control as malcode increasingly migrates away from the mail vector and toward the network vector.
Primary Controls for Host-Vector Malcode
For the rapidly growing problem of malcode that utilizes Web and other servers as a primary replication vector, there's only one real primary control: Assuring that servers are resistant to all easily exploited vulnerabilities. This can be accomplished either via frequent vulnerability tests and patching, or by hardening servers against known attack vectors. An appropriate hardening strategy can be significantly less expensive and easier to maintain than a patching/vulnerability testing strategy, but both strategies are primary mechanisms to prevent malcode.
For next-generation viruses and worms, the only primary controls will be those that mitigate certain vulnerabilities in network-aware components (like browsers) and helper components (like multimedia players). Unfortunately, this means either frequent patching/vulnerability testing cycles at the desktop level -- for most shops a horrific and expensive job -- or some level of hardening at the desktop coupled with a much less aggressive patching regimen.
Dozens or perhaps hundreds of secondary (or synergistic) controls exist for malcode at the enterprise level (see "Synergistic AV Controls"). Each is between 60 and 90 percent effective for some category of malcode, and therefore is defined as a synergistic control. These can range from the complex and expensive (desktop firewalls and content management products) to the specific and trivial (setting certain registry keys and adjusting application and operating system configurations). Such controls should not only cover computer and software issues, but also address network and human factors.
It's important to note that synergistic controls don't necessarily protect data and resources. Some synergistic controls are geared toward detecting an attack, while others are better suited to help the enterprise recover from a virus incident.
Combining robust primary controls with easily applied and inexpensive synergistic controls will dramatically decrease the likelihood that your organization will suffer a virus or worm disaster. The redundancy of controls creates a defense-in-depth architecture in which the fallibility of any one control doesn't significantly undermine the enterprise's overall security posture.2
The idea of using control synergy isn't to use all potential controls, or to pick the "strongest" controls, but to use the synergistic security thought process to create a set of controls that supplement your primary controls and are relatively inexpensive, low maintenance and low infringement in your environment.
About the Author: Peter Tippett, M.D., Ph.D. is the executive publisher of Information Security and CTO of TruSecure Corp.