Communications controls (also called network controls) secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure sockets layer (SSL) and its successor transport layer security (TLS), and employee monitoring systems.
Firewalls. A firewall is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network. Put simply, firewalls prevent unauthorized Internet users from accessing private networks. All messages entering or leaving your company's network pass through a firewall. The firewall examines each message and blocks those that do not meet specified security rules; a well-configured firewall denies by default and allows only the traffic that its rules explicitly permit.
Firewalls range from simple, for home use, to very complex for organizational use. Figure 4.3a illustrates a basic firewall for a home computer. In this case, the firewall is implemented as software on the home computer. Figure 4.3b shows an organization that has implemented an external firewall, which faces the Internet, and an internal firewall, which faces the company network.
Corporate firewalls typically consist of software running on a computer (or a purpose-built appliance) dedicated to the task.
A demilitarized zone (DMZ) is located between the two firewalls. Messages from the Internet must first pass through the external firewall. If they conform to the defined security rules, they are then sent to company servers located in the DMZ. These servers typically handle Web page requests and e-mail. Any messages designated for the company's internal network (e.g., its intranet) must pass through the internal firewall, again with its own defined security rules, to gain access to the company's private network. The internal firewall's rules are normally much tighter: for example, only the DMZ web server, not the whole DMZ, may reach an internal database, and only on the database port.
The danger from viruses and worms is so severe that many organizations also place firewalls at strategic points inside their private networks, dividing them into segments. In this way, if a virus or worm does get through both the external and internal firewalls, the internal damage may be contained to one segment rather than spreading across the whole network.
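To make the two-firewall layout of Figure 4.3b concrete, here is an added example (not code from the book, and not any vendor's firewall) that evaluates packets against a first-match, default-deny rule set for the external firewall and a second, tighter rule set for the internal firewall. The address ranges, host addresses, ports and rules are assumptions chosen for the illustration; a real deployment would express the same policy in iptables/nftables or an appliance's configuration language.

```python
"""Toy packet-filter policy for the two-firewall / DMZ layout of Figure 4.3b.
Added illustration; addresses, ports and rules are assumptions for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    dports: tuple = () # allowed destination ports; () means any port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and pkt.proto == self.proto
                and (not self.dports or pkt.dport in self.dports))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Assumed address plan (documentation ranges, not real company addresses).
INTERNET = "0.0.0.0/0"
DMZ = "203.0.113.0/24"
INTRANET = "10.0.0.0/8"
WEB = "203.0.113.10"    # DMZ web server
MAIL = "203.0.113.25"   # DMZ mail server
DB = "10.1.0.5"         # internal database

# External firewall: the Internet may reach only the public services in the DMZ.
EXTERNAL = [
    Rule("allow", INTERNET, WEB + "/32", (80, 443)),
    Rule("allow", INTERNET, MAIL + "/32", (25,)),
    Rule("deny", INTERNET, INTRANET),   # explicit: nothing from outside reaches the intranet
]

# Internal firewall: only the web server may talk to the database, and only on its port.
INTERNAL = [
    Rule("allow", WEB + "/32", DB + "/32", (5432,)),
    Rule("deny", DMZ, INTRANET),
]


def from_internet(pkt: Packet, external=EXTERNAL) -> str:
    """Trace a packet arriving from the Internet through both firewalls."""
    if evaluate(external, pkt) == "deny":
        return "dropped at external firewall"
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(INTRANET):
        if evaluate(INTERNAL, pkt) == "allow":
            return "reached intranet"
        return "dropped at internal firewall"
    return "delivered to DMZ"


def from_dmz(pkt: Packet) -> str:
    """Trace a packet that a DMZ server sends toward the intranet."""
    return "reached intranet" if evaluate(INTERNAL, pkt) == "allow" else "dropped at internal firewall"


if __name__ == "__main__":
    print(from_internet(Packet("198.51.100.7", WEB, 443)))   # delivered to DMZ
    print(from_internet(Packet("198.51.100.7", DB, 5432)))   # dropped at external firewall
    print(from_dmz(Packet(WEB, DB, 5432)))                   # reached intranet
    print(from_dmz(Packet(MAIL, DB, 5432)))                  # dropped at internal firewall
```

The `external=` parameter of `from_internet` lets you replay a packet against a deliberately mis-configured external firewall (for instance a single allow-everything rule) and see that the internal firewall still drops it, which is exactly the defense-in-depth argument for the second firewall and for segmenting the intranet.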
Anti-malware Systems. Anti-malware systems, also called antivirus, or AV, software, are software packages that attempt to identify and eliminate viruses, worms, and other malicious software. AV software is implemented at the organizational level by the information systems department. There are currently hundreds of AV software packages available. Among the best known are Norton AntiVirus (www.symantec.com), McAfee VirusScan (www.mcafee.com), and Trend Micro PC-cillin (www.trendmicro.com). IT's About Business 4.4 provides an example of how a software program known as FireEye helps protect organizations from malware.
FIGURE 4.3 (a) Basic firewall for a home computer: a software firewall on the home computer, which reaches the Internet through an Internet service provider over a broadband connection (DSL, cable modem, 3G, 4G). (b) Organization with two firewalls and a demilitarized zone: Internet, external firewall, servers in the demilitarized zone, internal firewall, corporate LAN (intranet).
SECTION 4.5 Information Security Controls
IT's About Business 4.4: Fighting Botnets
FireEye (www.fireeye.com) is one of the world's most effective private cybercrime fighters. The company defends corporations and governments against targeted malicious software. FireEye's clients include Fortune 500 companies and members of the U.S. intelligence community.
FireEye's software examines the entire lifecycle of malicious software: how the malware operates in a network, what the malware is looking for, which servers delivered the malware, and which control servers the malware receives its orders from. Since 2005, FireEye has deflected some of the world's most destructive online attacks, including:
• Aurora, the attack originating in China that targeted Google and other technology firms in 2009;
• Coreflood, the botnet that had been stealing millions of dollars from global bank accounts since the mid-2000s and possibly earlier;
• Zeus, a program that used stolen personal information to take hundreds of millions of dollars from financial institutions, first seen in 2007.
To understand why FireEye is so effective, consider its confrontation with the Rustock botnet. Rustock was the most advanced botnet ever released onto the Web. It reeled people in by putting out spam that advertised fake drugs, online pharmacies, and Russian stocks. Then, from 2007 to 2011, Rustock quietly and illegally took control of more than a million computers around the world. Symantec, a computer security company, found that Rustock generated as many as 44 billion spam e-mails per day, nearly half of the total number of junk e-mails sent per day worldwide. Profits generated by Rustock were estimated to be in the millions of dollars.
For months, FireEye collaborated with Microsoft and Pfizer to plot a counterattack. Microsoft and Pfizer became involved because Rustock was selling fake Viagra, a Pfizer product, as well as sham lotteries using the Microsoft logo. Working from FireEye's intelligence, in March 2011 U.S. Marshals stormed seven Internet data centers across the United States where Rustock had hidden its 96 command servers. Microsoft lawyers, technicians, and computer forensics experts also participated in the raids. A team deployed to the Netherlands confiscated two additional Rustock command servers.
Although the operation was executed flawlessly, Rustock was able to fight back. From an unknown location, the botmaster (the person or persons controlling the bots, or zombie computers) remotely sneaked back into its network, locked out Microsoft's technicians, and began to erase files. Clearly, the Rustock masterminds did not want anyone to discover the information contained on their hard drives. After some difficulty, the Microsoft technicians were able to regain control of the servers. However, the data that were erased in the 30 minutes the Microsoft technicians required to regain control of the servers may be lost forever.
As FireEye and its partner companies analyzed Rustock's equipment, they discovered that much of it was leased to customers with addresses in the Asian nation of Azerbaijan, which shares a border with Russia. Forensic analysis of the captured servers pointed Rustock's opponents to Moscow and St. Petersburg. Rustock had used the name Cosma2k to conduct business on the Internet, and it maintained a WebMoney account (www.webmoney.com) under the name Vladimir Alexandrovich Shergin. No one knows whether Shergin was a real name or an alias. However, WebMoney was able to inform investigators that "Shergin" had listed an address in a small city outside Moscow.
On April 6, 2011, Microsoft delivered its first status report in its lawsuit against Rustock to the federal court in Seattle (Microsoft's headquarters). Then, on June 14, Microsoft published notices in Moscow and St. Petersburg newspapers, detailing its allegations against the botnet spammer. The notices urged the perpetrators of Rustock to respond to the charges or risk being declared guilty. Microsoft also offered (and is still offering) $250,000 for information about the identity of the person or persons operating the botnet. Unfortunately, the Rustock perpetrators have still not been caught, and security experts believe that more than 600,000 computers around the world are still infected with Rustock malware.
Sources: Compiled from "FireEye Testimonials," FireEye Information Center (www.fireeye.com), January 8, 2013; S. Ragan, "Dutch Police Takedown C&Cs Used by Grum Botnet," Security Week, July 17, 2012; P. Cohan, "FireEye: Silicon Valley's Hottest Security Start-up," Forbes, May 24, 2012; K. Higgins, "Microsoft Offers $250,000 for Rustock Botnet Operator Identity," InformationWeek, July 19, 2011; "Microsoft Offers Reward for Information on Rustock," The Official Microsoft Blog, July 18, 2011; C. Stewart, "Botnet Busters," Bloomberg BusinessWeek, June 20–26, 2011; C. Stewart, "FireEye: Botnet Busters," Bloomberg BusinessWeek, June 16, 2011; "Spammers Sought After Botnet Takedown," BBC News, March 25, 2011; M. Schwartz, "Microsoft, Feds Knock Rustock Botnet Offline," InformationWeek, March 18, 2011; N. Wingfield, "Spam Network Shut Down," The Wall Street Journal, March 18, 2011; M. Hickens, "Prolific Spam Network Is Unplugged," The Wall Street Journal, March 17, 2011; "Operation b107—Rustock Botnet Takedown," Microsoft Malware Protection Center, March 17, 2011; www.fireeye.com, accessed March 5, 2013.
Questions
1. Describe why it was so important for law enforcement officials to capture all 96 Rustock command servers at one time.
2. If the perpetrators of Rustock are ever caught, will it be possible to prove that the perpetrators were responsible for the malware? Why or why not? Support your answer.
CHAPTER 4 Information Security
Anti-malware systems are generally reactive. Whereas firewalls filter network traffic according to categories of activity likely to cause problems, anti-malware systems filter traffic and files according to a database of specific, already-known problems. Vendors create definitions, or signatures, of various types of malware (for example, a cryptographic hash of a malicious file, or a characteristic sequence of bytes inside it) and distribute these signatures as updates to their products. The anti-malware software then examines suspicious computer code to determine whether it matches a known signature. If the software identifies a match, it quarantines or removes the code. A signature cannot match malware that did not exist when the signature was written, and even a small change to a known sample can defeat a hash-based signature, which is why organizations must update their malware definitions frequently.
Because malware is such a serious problem, the leading vendors are rapidly developing anti-malware systems that function proactively as well as reactively. These systems evaluate behavior (what a program actually does when it runs, such as writing an autostart entry, deleting large numbers of user files, or contacting a command server) rather than relying entirely on signature matching. In theory, therefore, it is possible to catch malware before it can infect systems. The trade-off is that behavioral rules can also flag legitimate software that happens to act suspiciously, so they must be tuned to keep false positives manageable.
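The following added example (not code from the book or from any AV vendor) puts the two approaches side by side: a tiny signature database with one hash signature and one byte-pattern signature, and a behavioral scorer that rates what a program does. The "malware" samples, signatures, event names and weights are all constructed for the illustration; none of it is real malware.

```python
"""Signature-based versus behavior-based malware detection.
Added illustration; samples, signatures, event names and weights are constructed."""
import hashlib
import re

# A constructed "malicious" file: a fake executable header plus a destructive command line.
EVIL_V1 = (b"MZ\x90\x00" + b"\x00" * 16
           + b"cmd.exe /c del /q %USERPROFILE%\\*.docx" + b"\x00" * 8)

# Hash signature: exact match of the whole file (what a definition update typically carries).
HASH_SIGNATURES = {
    hashlib.sha256(EVIL_V1).hexdigest(): "Example.Wiper.A",
}

# Byte-pattern signature: matches a characteristic fragment, so it survives padding changes.
PATTERN_SIGNATURES = [
    (re.compile(rb"cmd\.exe /c del /q %USERPROFILE%"), "Example.Wiper.gen"),
]


def scan_signature(data: bytes):
    """Return the name of the matching signature, or None if the file is unknown."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return name
    return None


# Behavioral detection: each observed event carries a weight (weights are assumptions).
BEHAVIOR_WEIGHTS = {
    "persist:run_key": 3,          # writes an autostart registry key
    "delete:user_documents": 5,    # mass deletion inside the user's profile
    "net:connect_raw_ip": 2,       # connects to a bare IP address instead of a hostname
    "file:read_config": 0,         # benign
    "net:connect_hostname": 0,     # benign
}
BEHAVIOR_THRESHOLD = 5


def behavior_score(events) -> int:
    return sum(BEHAVIOR_WEIGHTS.get(event, 0) for event in events)


def scan_behavior(events) -> bool:
    """True when the observed behavior crosses the threshold."""
    return behavior_score(events) >= BEHAVIOR_THRESHOLD


def verdict(data: bytes, events) -> str:
    """Signatures first (cheap, precise); behavior catches what signatures miss."""
    name = scan_signature(data)
    if name:
        return f"blocked by signature {name}"
    if scan_behavior(events):
        return "blocked by behavior"
    return "allowed"


# Variants an attacker might produce.
EVIL_V2 = EVIL_V1 + b"\x00"   # one byte appended: hash signature misses, pattern still hits
EVIL_V3 = b"MZ\x90\x00" + b"powershell -c Remove-Item $env:USERPROFILE\\*.docx"  # rewritten: no signature
BENIGN = b"MZ\x90\x00" + b"hello world"

if __name__ == "__main__":
    print(verdict(EVIL_V1, []))                                            # blocked by signature Example.Wiper.A
    print(verdict(EVIL_V2, []))                                            # blocked by signature Example.Wiper.gen
    print(verdict(EVIL_V3, ["persist:run_key", "delete:user_documents"]))  # blocked by behavior
    print(verdict(BENIGN, ["file:read_config", "net:connect_hostname"]))   # allowed
```

`EVIL_V3` is the case the paragraph above is about: nothing in the definition database matches it, so only the behavioral rules stop it. A benign backup tool that deletes many user files would score the same way, which is the false-positive risk noted in the text.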
Whitelisting and Blacklisting. A report by the Yankee Group (www.yankeegroup.com), a technology research and consulting firm, stated that 99 percent of organizations had installed anti-malware systems, but 62 percent still suffered malware attacks. As we have seen, anti-malware systems are usually reactive, and malware continues to infect companies.
One solution to this problem is whitelisting. Whitelisting is a process in which a company identifies the software that it will allow to run on its computers. Whitelisting permits acceptable software to run, and it either prevents any other software from running or it lets new software run in a quarantined environment until the company can verify its validity. The list is normally keyed on something an attacker cannot easily forge, such as a cryptographic hash of the program file or the publisher's digital signature, rather than on the file name.
Whereas whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows everything to run unless it is on the blacklist. A blacklist, then, includes certain types of software that are not allowed to run in the company environment. For example, a company might blacklist peer-to-peer file sharing on its systems. Blacklisting is easier to live with, because new legitimate software runs without anyone approving it, but for the same reason it cannot stop software nobody has seen before. In addition to software, people, devices, and Web sites can also be whitelisted and blacklisted. (The two approaches are now also called allowlisting and denylisting.)
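An added example (not from the book) that shows the two policies deciding on the same set of programs. The "executables" are short byte strings standing in for real files, and both lists are keyed on SHA-256 hashes; a real deployment such as Windows AppLocker or a Linux integrity policy would collect those hashes from an approved build or rely on publisher signatures. The file contents and list entries are constructed for the example.

```python
"""Whitelisting (allowlisting) versus blacklisting (denylisting) of executables.
Added illustration; the binaries and list entries are constructed."""
import hashlib


def fingerprint(binary: bytes) -> str:
    """Hash of the file contents; a renamed file keeps the same fingerprint."""
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for executables.
WORD_1_0 = b"approved word processor, build 1.0"
WORD_1_1 = b"approved word processor, build 1.1"   # vendor update nobody has reviewed yet
SSH_CLIENT = b"approved ssh client"
P2P_CLIENT = b"peer-to-peer file sharing client"
P2P_REPACKED = P2P_CLIENT + b" (rebuilt)"           # same program, slightly different bytes
UNKNOWN_TOOL = b"utility nobody has reviewed"

ALLOWLIST = {
    fingerprint(WORD_1_0): "WordProcessor 1.0",
    fingerprint(SSH_CLIENT): "SSH client",
}
DENYLIST = {
    fingerprint(P2P_CLIENT): "P2P file sharing",
}


def decide_whitelist(binary: bytes) -> str:
    """Default deny: only listed software runs; anything else is held for review."""
    return "run" if fingerprint(binary) in ALLOWLIST else "quarantine"


def decide_blacklist(binary: bytes) -> str:
    """Default allow: everything runs unless it is explicitly banned."""
    return "deny" if fingerprint(binary) in DENYLIST else "run"


def compare(binary: bytes) -> dict:
    """Both policies' verdicts for one program."""
    return {"whitelist": decide_whitelist(binary), "blacklist": decide_blacklist(binary)}


if __name__ == "__main__":
    for label, binary in [("approved 1.0", WORD_1_0), ("approved 1.1", WORD_1_1),
                          ("banned P2P", P2P_CLIENT), ("repacked P2P", P2P_REPACKED),
                          ("unknown", UNKNOWN_TOOL)]:
        print(f"{label:14} {compare(binary)}")
```

Two rows are worth looking at. The repacked peer-to-peer client slips past the blacklist because its hash changed, but the whitelist still holds it. The vendor's 1.1 update of an approved program is also quarantined by the whitelist until someone adds its hash, which is the operational cost of whitelisting that the text alludes to with "until the company can verify its validity".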
Encryption. Organizations that do not have a secure channel for sending information use encryption to stop unauthorized eavesdroppers. Encryption is the process of converting an original message (the plaintext) into a form (the ciphertext) that cannot be read by anyone except the intended receiver.
All encryption systems use a key, a secret value that the algorithm uses to scramble and later unscramble the messages. Symmetric encryption uses the same key for both operations, so the two parties must already share a secret. Public-key encryption, also known as asymmetric encryption, removes that requirement by using two different keys: a public key and a private key (see Figure 4.4). The public key (the locking key) and the private key (the unlocking key) are generated together by the same mathematical algorithm. Because the two keys are mathematically related, data encrypted with one key of the pair can be decrypted only with the other, yet the private key cannot feasibly be derived from the public one. For confidentiality the public key encrypts and the private key decrypts; used in reverse, the private key produces a digital signature that anyone holding the public key can check. In practice most Internet systems combine the two families: public-key encryption protects a randomly chosen symmetric key, and that faster symmetric key encrypts the actual data.
The public key is published where any party can obtain it, for example in a directory or a digital certificate. The private key is kept secret, never shared with anyone, and never sent across the Internet. In this system, if Hannah wants to send a message to Harrison, she first obtains Harrison's public key (locking key), which she uses to encrypt her message (put the message in the "two-lock box"). When Harrison receives Hannah's message, he uses his private key to decrypt it (open the box). Note that anyone who has Harrison's public key can encrypt a message to him, so encryption by itself does not tell Harrison who sent it.
Although this arrangement is adequate between two people who can hand each other their keys, organizations that conduct business over the Internet face a further problem: how does Hannah know that the public key she downloaded really belongs to Harrison and not to an impostor who substituted his own? In these cases, a third party, called a certificate authority (CA), acts as a trusted intermediary between the companies. The certificate authority issues digital certificates and vouches for their integrity. A digital certificate is an electronic document, signed by the CA, that binds an organization's identity to its public key, so that anyone who trusts the CA can verify that the key is genuine and that the certificate has not been modified. As you can see in Figure 4.5, Sony requests a digital certificate from VeriSign, a certificate authority, and presents this certificate when it conducts business with Dell; Dell checks the CA's signature on the certificate, and its validity dates, before trusting Sony's public key. Note that the digital certificate contains an identification (serial) number, the issuer, validity dates, and the requester's public key.
For examples of certificate authorities, see www.entrust.com, www.verisign.com, www.cybertrust.com, www.secude.com, and www.thawte.com.
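The following added example (not the book's code, and not how any real CA or library implements these steps) works through both the Hannah/Harrison exchange of Figure 4.4 and the VeriSign/Sony/Dell exchange of Figure 4.5 with a small textbook RSA implementation, so the same key pair can be seen encrypting, decrypting, signing and verifying. Textbook RSA with no padding is not secure and is used here only because it needs nothing beyond the standard library; production code uses a vetted library and X.509 certificates. The certificate field layout, names, serial number and dates are assumptions for the example.

```python
"""Toy RSA: public-key encryption (Figure 4.4) and a CA-signed certificate (Figure 4.5).
Added illustration only; unpadded RSA is insecure and must not be used as-is."""
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Both keys come out of one computation; knowing (n, e) does not reveal d."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # keeps gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                               # modular inverse (Python 3.8+)
    return (n, e), (n, d)                             # (public "locking" key, private "unlocking" key)


def encrypt(public_key, message: bytes) -> int:
    """Hannah locks the box with Harrison's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for the toy; real systems wrap a symmetric key instead")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only Harrison's private key opens it (leading zero bytes are not preserved by this toy)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, data: bytes) -> int:
    """Same math in reverse: the private key produces a value the public key can check."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_certificate(ca_private, serial, issuer, subject, subject_public, not_before, not_after):
    """The CA binds identity to key; fields follow Figure 4.5 (serial, issuer, dates, requester's key)."""
    body = "|".join(map(str, (serial, issuer, subject, subject_public[0], subject_public[1],
                              not_before, not_after))).encode()
    return {"body": body, "signature": sign(ca_private, body)}


def verify_certificate(cert, ca_public, today: str):
    """What Dell does with Sony's certificate: check validity dates and the CA's signature.
    Returns the subject's public key if the certificate is trusted, otherwise None."""
    _serial, _issuer, _subject, n, e, not_before, not_after = cert["body"].decode().split("|")
    if not (not_before <= today <= not_after):
        return None
    if not verify(ca_public, cert["body"], cert["signature"]):
        return None
    return (int(n), int(e))


if __name__ == "__main__":
    harrison_pub, harrison_priv = generate_keypair()
    print(decrypt(harrison_priv, encrypt(harrison_pub, b"meet at noon")))      # b'meet at noon'
    verisign_pub, verisign_priv = generate_keypair()
    sony_pub, sony_priv = generate_keypair()
    cert = issue_certificate(verisign_priv, 1001, "VeriSign", "Sony", sony_pub, "2013-01-01", "2014-01-01")
    print(verify_certificate(cert, verisign_pub, "2013-06-01") == sony_pub)     # True
```

Dell never needs Sony's private key, only VeriSign's public key, which it already trusts. Changing a single field of the certificate body, presenting it outside its validity window, or checking it against a CA Dell does not trust all make `verify_certificate` return `None`.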
FIGURE 4.4 How public key encryption works. (Omnisec AG; artwork courtesy of Brad Prince.) The figure shows four steps: (1) Hannah wants to send Harrison an encrypted message. Hannah has the message; Harrison has a "two-lock box" (the encryption method) and both a locking key and an unlocking key. (2) Harrison sends Hannah the two-lock box with the locking key and keeps the unlocking key to himself. (3) Hannah puts her message in the box, locks it with the locking key, and sends it to Harrison. (4) Only Harrison can open the box, with his unlocking key.
Virtual Private Networking. A virtual private network (VPN) is a private network that uses a public network (usually the Internet) to connect users. VPNs essentially integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization's networks. VPNs are called virtual because they have no separate physical existence. They use the public Internet as their infrastructure. They are created by using authentication (log-ins), encryption, and other techniques so that traffic crossing the public network stays confidential and cannot be altered or forged in transit.
FIGURE 4.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication. The figure shows four steps: (1) Sony requests a digital certificate from VeriSign; (2) VeriSign creates the digital certificate for Sony; (3) VeriSign transmits the digital certificate to Sony; (4) Sony presents the digital certificate to Dell for authentication purposes.
VPNs have several advantages. First, they allow remote users to access the company network. Second, they provide flexibility. That is, mobile users can access the organization's network from properly configured remote devices. Third, organizations can impose their security policies through VPNs. For example, an organization may dictate that only corporate e-mail applications are available to users when they connect from unmanaged devices.
To provide secure transmissions, VPNs use a process called tunneling. Tunneling encrypts each data packet to be sent, adds an integrity check, and places the result inside another packet whose addresses are those of the two VPN endpoints rather than of the original sender and receiver. In this manner, the packet can travel across the Internet with confidentiality, authentication, and integrity: an observer on the path sees only that a tunnel exists between the endpoints, not the inner addresses or contents, and any packet that has been altered in transit is discarded by the receiving endpoint. Figure 4.6 illustrates a VPN and tunneling.
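To show what "a packet inside another packet" means in bytes, here is an added example, not code from the book and not a real VPN protocol (IPsec and WireGuard use authenticated ciphers such as AES-GCM or ChaCha20-Poly1305). To run with only the standard library it derives a keystream from HMAC-SHA256 in counter mode for confidentiality and uses a separate HMAC-SHA256 tag for integrity and authentication; the packet layout, the gateway addresses and the sample inner packet are assumptions for the illustration.

```python
"""VPN tunneling: encrypt the inner packet, tag it, and wrap it in an outer packet
addressed between the two VPN gateways. Added illustration with a toy cipher."""
import hashlib
import hmac
import os
import struct

ADDR_LEN = 16    # fixed-width text address fields in the outer header (assumption)
NONCE_LEN = 12
TAG_LEN = 32     # SHA-256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from HMAC(key, nonce || counter). Never reuse a nonce under one key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(enc_key: bytes, mac_key: bytes, gateway_src: str, gateway_dst: str,
                inner_packet: bytes) -> bytes:
    """Sending gateway. Outer packet = outer header | nonce | encrypted inner packet | tag."""
    header = (gateway_src.encode().ljust(ADDR_LEN, b"\0")
              + gateway_dst.encode().ljust(ADDR_LEN, b"\0"))
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(inner_packet, keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()  # covers header too
    return header + nonce + ciphertext + tag


def decapsulate(enc_key: bytes, mac_key: bytes, outer_packet: bytes):
    """Receiving gateway: verify the tag before decrypting. Returns None on any tampering."""
    if len(outer_packet) < 2 * ADDR_LEN + NONCE_LEN + TAG_LEN:
        return None
    header = outer_packet[:2 * ADDR_LEN]
    nonce = outer_packet[2 * ADDR_LEN:2 * ADDR_LEN + NONCE_LEN]
    ciphertext = outer_packet[2 * ADDR_LEN + NONCE_LEN:-TAG_LEN]
    tag = outer_packet[-TAG_LEN:]
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def visible_on_the_wire(outer_packet: bytes):
    """What an eavesdropper between the gateways learns: outer addresses and size only."""
    src = outer_packet[:ADDR_LEN].rstrip(b"\0").decode()
    dst = outer_packet[ADDR_LEN:2 * ADDR_LEN].rstrip(b"\0").decode()
    return src, dst, len(outer_packet)


# Constructed inner packet: a remote laptop on a private address talking to an internal database.
INNER = b"10.8.0.7>10.1.0.5:5432 SELECT * FROM payroll"

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # shared by the two gateways in advance
    outer = encapsulate(enc_key, mac_key, "198.51.100.9", "203.0.113.1", INNER)
    print(visible_on_the_wire(outer))                    # ('198.51.100.9', '203.0.113.1', 120)
    print(decapsulate(enc_key, mac_key, outer) == INNER) # True
    damaged = bytearray(outer)
    damaged[50] ^= 1                                     # flip one bit of the ciphertext
    print(decapsulate(enc_key, mac_key, bytes(damaged))) # None
```

Note the order in `decapsulate`: the tag is checked before anything is decrypted, so a forged or altered packet is dropped without the receiving gateway ever acting on its contents. The outer header is included in the tagged data so that an attacker cannot redirect a valid tunnel packet by rewriting its addresses.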
Secure Sockets Layer. Secure sockets layer (SSL), now superseded by transport layer security (TLS), is an encryption protocol used for secure transactions such as credit card purchases and online banking. TLS encrypts and decrypts data between a Web server and a browser so that it is protected end to end along that connection, and it uses the server's digital certificate to authenticate the server to the browser. SSL itself and the early TLS versions have known weaknesses; current practice is to allow only TLS 1.2 or 1.3.
TLS is indicated by a URL that begins with "https" rather than "http," and browsers usually display a small padlock icon next to the address (older browsers placed it in the status bar). Which icon is used, and where it appears, are artifacts of specific browsers; some have used a key that is either broken or whole. The important thing to remember is that browsers usually provide visual confirmation of a secure connection, and that this confirmation means only that the connection is encrypted to a server holding a valid certificate for that name. It says nothing about whether the site itself is honest.
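From the client's side, "secure connection" is only as good as the verification the client performs. The added example below (not from the book) builds two `ssl` contexts with Python's standard library and audits them: the hardened one verifies the server certificate, checks the hostname against it and refuses obsolete protocol versions; the weak one reproduces the common "fix" for a certificate error, switching verification off, which accepts any server including an attacker's. It runs offline because it only inspects the context objects and never connects; the URLs are constructed examples.

```python
"""Does this TLS client actually verify the server? Added illustration; runs offline."""
import ssl
from urllib.parse import urlsplit


def uses_tls(url: str) -> bool:
    """The "https" scheme is all the URL itself tells you; the real checks are in the client."""
    return urlsplit(url).scheme.lower() == "https"


def hardened_context() -> ssl.SSLContext:
    """What a browser does: verify the certificate chain, match the hostname, modern versions only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and 1.1 are obsolete
    return ctx


def weak_context() -> ssl.SSLContext:
    """The common mistake: silence a certificate error by disabling verification.
    The padlock is now meaningless; any server presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the list of problems with a client context; an empty list means it is sound."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("obsolete protocol versions allowed")
    return problems


if __name__ == "__main__":
    print(uses_tls("https://bank.example/login"), uses_tls("http://bank.example/login"))  # True False
    print(audit(hardened_context()))   # []
    print(audit(weak_context()))       # starts with 'server certificate not verified'
```

Both contexts would still show an encrypted connection on the wire, which is the point of the caveat above: encryption without certificate verification protects against passive eavesdropping but not against an impostor server. Use `hardened_context()` (or `ssl.create_default_context()` unchanged) with `http.client`, `urllib` or `smtplib`, and treat `verify_mode = CERT_NONE` in a code review as a finding.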
Employee Monitoring Systems. Many companies are taking a proactive approach to protecting their networks against what they view as one of their major security threats, namely, employee mistakes. These companies are implementing employee monitoring systems, which monitor their employees' computers, e-mail activities, and Internet surfing activities.
These products are useful to identify employees who spend too much time surfing on the Internet for personal reasons, who visit questionable Web sites, or who download music illegally. Vendors that provide monitoring software include SpectorSoft (www.spectorsoft.com) and Websense (www.websense.com).