Securing small business. Firewalls Anti-virus Anti-spyware

(1)

Securing small

business

Firewalls

Anti

-

_-

virus

_virus

Anti

(2)

Introduction

Due to the phenomenal growth of the Internet

in the last decade companies and individuals find

it hard to operate without a presence on the

Internet. This means that companies are

exposed to threats, which can have a major

business impact. The fact that one needs to

protect company and individual computers from

unauthorized or unwanted access is considered a

(3)

(4)

Understanding the concept

In order to pick the right Firewall,

understanding what a firewall does is crucial.

I will quickly cover basic TCP/IP concepts and

(5)

(6)

TCP Attributes

TCP runs on top of IP:

A TCP packet contains a port number:A TCP packet contains a port number:

A TCP packet contains a sequence number and A TCP packet contains a sequence number and a FLAG:

(7)

Firewalls

–

_–

The Basic Description

_{The Basic Description}

A firewall is a perimeter defense device:

This means that any firewall splits a network into a This means that any firewall splits a network into a

trusted or protected, and un

trusted or protected, and un--trusted or unprotected trusted or unprotected side.

side.

A firewall filters traffic on a pre

-

defined set

of rules:

(8)

Firewall limits

These 2 factors limits the effectiveness of a firewall These 2 factors limits the effectiveness of a firewall

dramatically and it is important to note that a firewall dramatically and it is important to note that a firewall

does not

::

Protect you from your internal network.Protect you from your internal network.

Protect you from authorized intended or untended Protect you from authorized intended or untended

malicious access. This entails using granted privileges

or access for unintended operations.

Protect you from Protect you from

all

harmful attacks. Exploits found on harmful attacks. Exploits found on the Internet can use different techniques to penetrate

the Internet can use different techniques to penetrate

basic firewall protection.

(9)

What kind of Firewall?

Features of a good firewall:

State full inspectionState full inspection--SPISPI

It does content checking, passing protocols It does content checking, passing protocols through a validation exercise.

through a validation exercise.

It keeps a state of connections whereby it It keeps a state of connections whereby it monitors the state of a TCP connection and monitors the state of a TCP connection and allows traffic accordingly.

allows traffic accordingly.

It does address translation.It does address translation.

(10)

Hardware

-

_-

Software

_Software

Hardware:

Most basic routers do not include SPIMost basic routers do not include SPI

VPN routers doVPN routers do

WiredWired

(11)

Software

Most OS before Win XP do not include any

protection.

Win XP does not include SPI but offers some

basic protection

“

Zone Alarm

”

offers SPI.

(12)

Email Anti

(13)

EMAIL Origins

Origins

Email was created by researchers as a way for them Email was created by researchers as a way for them

to communicate. This was many years before the to communicate. This was many years before the World Wide Web, what we now refer to as

World Wide Web, what we now refer to as ““The The Internet

(14)

EMAIL Security

Why is it insecure?

It was not originally intended for widespread use It was not originally intended for widespread use

outside of research. outside of research.

It was designed to be simple and easy to operate It was designed to be simple and easy to operate

with minimum restrictions. with minimum restrictions.

Security controls were afterthoughts that had to be Security controls were afterthoughts that had to be

pasted on to the email system, instead of being part pasted on to the email system, instead of being part of the original design. Because of this, email security of the original design. Because of this, email security is inefficient and incomplete.

(15)

Define SPAM

General definition

–

un

-

requested or unsolicited

email, usually designed to initiate a financial

transaction or gather data for advertising

Most legitimate companies do not engage in SPAM Most legitimate companies do not engage in SPAM

emailing emailing

A SPAM email is typically sent to many millions of A SPAM email is typically sent to many millions of

email addresses in the expectation that even if only a email addresses in the expectation that even if only a fraction of 1% generate a response, the SPAM email fraction of 1% generate a response, the SPAM email will still produce an economic return

(16)

The new face of SPAM

–

_–

how it went

_{how it went}

from obnoxious to hazardous

SPAM originally was mostly just advertisements

As email and Internet use have become more

common since the late 1990

’

s, email has become

one of the primary ways to distribute viruses

Recently, there has been increasing involvement

of the criminal underworld

Identity theftIdentity theft

(17)

Self installing viruses, or how to run

an email server without even trying

Frequently used to deliver computer programs

designed to infect your computer and send new

copies of the virus to other email addresses

and/or seize control of the computer.

Can automatically install without your knowledgeCan automatically install without your knowledge

Uses your contact lists and emails for target Uses your contact lists and emails for target

addresses addresses

(18)

Someone else

’

_’

s very own email server

_{s very own email server}

on my computer

Capable of sending many thousands of emails per hourCapable of sending many thousands of emails per hour

Severe impact on your Internet browsing performanceSevere impact on your Internet browsing performance

Severe impact on your overall computer performanceSevere impact on your overall computer performance

Spreads virus to your friends and many othersSpreads virus to your friends and many others

May result in your email address being blocked by May result in your email address being blocked by

potential recipients. potential recipients.

May result in your ISP suspending your service until the May result in your ISP suspending your service until the

(19)

“

Surprises

_Surprises

”

_”

in email viruses

_{in email viruses}

In addition to installing an email server on your

computer and mass emailing copies of the virus

to others, most of the recent email viruses also

carry a separate

“

payload

”

which installs a

program on your computer

Silent install

–

you are unaware that the program

(20)

Steal my data please!

This program often carries a component that

allows the program to receive orders from an

outside source.

This allows an unauthorized user to take control of This allows an unauthorized user to take control of

your computer or steal your data your computer or steal your data

Often installs a “Often installs a “key loggerkey logger””, a program that , a program that

captures every keyboard entry you make and records captures every keyboard entry you make and records it for future transmission to other parties

(21)

Stealing your identity

The program can report back to the original

sender

Allows others to steal your data:Allows others to steal your data:

PasswordsPasswords

Bank account informationBank account information

Credit card informationCredit card information

(22)

Putting down

“

_“

Roots

_Roots

”

_”

A new type of email virus is just being seen that

is an even more serious threat. This is a

“

Root

Kit

”

installer.

Replaces key parts of your operating systemReplaces key parts of your operating system

Root Kit virus is almost impossible to detectRoot Kit virus is almost impossible to detect

Is able to take complete control of your computerIs able to take complete control of your computer

Very few anti virus programs can even detect Very few anti virus programs can even detect

(23)

Tearing out the

“

_“

Roots

_Roots

”

_”

There are only a few antiThere are only a few anti--virus companies that have virus companies that have

Root Kit detectors. Root Kit detectors.

FF--Secure has a product in Beta testing called Secure has a product in Beta testing called ““BlacklightBlacklight””

(

(www.fwww.f--secure.com/blacklightsecure.com/blacklight) that attempts to detect and ) that attempts to detect and remove Root Kits

remove Root Kits

Currently, the only fully effective remedy if infected is Currently, the only fully effective remedy if infected is

to wipe the computer hard drive clean and reinstall to wipe the computer hard drive clean and reinstall

everything everything

Fortunately, Root Kits are still very rare, but that will Fortunately, Root Kits are still very rare, but that will

(24)

What can we do?

Don

’

t rely on a single defense

–

use a layered

approach

Use your ISPUse your ISP’’s email virus filtering service, if s email virus filtering service, if

available available

Use a hardware firewallUse a hardware firewall

Install a software firewallInstall a software firewall

Install and maintain antiInstall and maintain anti--virus softwarevirus software

(25)

The Multi

-

level Defense

ISP Email Filtering

Firewall Anti-virus software

(26)

Anti

-

_-

virus programs

_{virus programs}

Install and keep up to date at least one anti

-

virus

program

What capabilities should it have?What capabilities should it have?

Real time file checking Real time file checking –– should be able to check every file should be able to check every file

you use on your computer, as you open it

Real time email checking Real time email checking –– should be able to check all should be able to check all

incoming and outgoing email

(27)

Are two better than one?

Some AntiSome Anti--virus programs require more resources on virus programs require more resources on

your computer than others your computer than others

Norton and McAfee are resource intensive and will not Norton and McAfee are resource intensive and will not ““play play

well

well”” with other antiwith other anti--virus programs. Consider the virus programs. Consider the “

“horsepowerhorsepower”” of your computer before installing a second of your computer before installing a second program, especially if you are using one of these packages.

program, especially if you are using one of these packages.

AntiAnti--virus programs that appear to work reasonably virus programs that appear to work reasonably

well together are (there may be other programs as well): well together are (there may be other programs as well):

Authentium/Command Antivirus (Authentium/Command Antivirus (www.authentium.comwww.authentium.com))

AVG (AVG (www.grisoft.comwww.grisoft.com))

(28)

The Last Line of Defense: YOU

Learn how to identify common attributes of SPAM and Learn how to identify common attributes of SPAM and

virus emails. Listed below are some common virus emails. Listed below are some common

SPAM/virus email traits but this is not a complete list. SPAM/virus email traits but this is not a complete list.

Unusual characters in the Subject lineUnusual characters in the Subject line

Email that asks you to provide confidential information, Email that asks you to provide confidential information,

either in a reply email or by asking you to go to a website. Be

very careful about providing information such as:

Credit Card number / Bank Account numberCredit Card number / Bank Account number

(29)

You

’

_’

re still the last line of defense

_{re still the last line of defense}

If it sounds too good to be true, it probably is.If it sounds too good to be true, it probably is.

No, there really isnNo, there really isn’’t a former Nigerian government official t a former Nigerian government official

that wants to share his $20,000,000 with you.

Do you really want to buy stock or bonds from someone Do you really want to buy stock or bonds from someone

who makes his living sending unsolicited email? If the stock

was really that good (or even existed), he wouldn

was really that good (or even existed), he wouldn’’t need to t need to spend his time trying to get you to buy it.

spend his time trying to get you to buy it.

How much do you want to entrust your health to a pill or How much do you want to entrust your health to a pill or

lotion you saw in a SPAM email, from an undocumented

source, with no safety inspection or valid certification?

(30)

What else can we do?

Don

’

t reward SPAM

My own personal policy is to never visit a website or My own personal policy is to never visit a website or

purchase a product as a result of SPAM. purchase a product as a result of SPAM.

Take responsibility for your computer and use

common sense

Self reliance and common sense are your most Self reliance and common sense are your most

effective tools. Remember, what happens to your effective tools. Remember, what happens to your computer is your responsibility. No software or computer is your responsibility. No software or hardware can properly protect your computer hardware can properly protect your computer without your help.

(31)

SpyWare

…

_…

Who is Watching Me?

(32)

SpyWare, Adware & Malware

•

• SpyWare _SpyWareis any technology that aids in gatheringis any technology that aids in gathering information about a person or organization

information about a person or organization

without their knowledge.

•

• AdWare _AdWareis any software application in whichis any software application in which advertising banners are displayed while the

advertising banners are displayed while the

program is running.

•

• MalWare _MalWareis short for is short for mal_malicious softicious software_ware,, software designed specifically to damage or

software designed specifically to damage or

disrupt a system, such as a virus or a Trojan

horse.

(33)

How did I get this?

•

• SpyWareSpyWare applications are typically bundledapplications are typically bundled

as a hidden component of freeware or as a hidden component of freeware or

shareware programs that can be shareware programs that can be

downloaded from the Internet. downloaded from the Internet. •

• Trojans/MalwareTrojans/Malware can be installed without the user's consent, can be installed without the user's consent,

as a

as a “drive“drive--by download”by download”, or as the result of clicking some , or as the result of clicking some option in a deceptive pop

(34)

Typical SpyWare/Maleware Developer

Tricks

•

• Hide it inside anotherHide it inside another program's installer.

program's installer.

•

• Keep asking to install until the Keep asking to install until the user says

user says YesYes.. •

• Create a false pretenseCreate a false pretense for the user needing the

for the user needing the

software.

•

• Hide software out in group Hide software out in group directories on peer

directories on peer--to peer to peer networks.

networks.

•

• Design it to look essential, or Design it to look essential, or to be invisible.

to be invisible.

•

• Design it not to uninstall, even Design it not to uninstall, even when asked.

(35)

Common Applications that

have or are SpyWare

•

Comet Cursor

_{Comet Cursor}

•

Bonzi Buddy

_{Bonzi Buddy}

•

• InterInter

Net Games

_{Net Games}

•

CoolWebSearch

•

Weather Bug

_{Weather Bug}

•

Incredimail

•

_{Snood & Dynomite}

•

Web Search Toolbars

_{Web Search Toolbars}

•

Instant Messengers

_{Instant Messengers}

•

File Sharing Programs

_{File Sharing Programs}

•

Kazaa

•

Morpheus

_Morpheus

(36)

Things SpyWare/Malware can do

•

• Leave a backdoor openLeave a backdoor open for hackers

for hackers

•

• Install other programsInstall other programs directly onto you PC

directly onto you PC

•

• Load adult orientatedLoad adult orientated images on your PC

images on your PC

•

• Dial a service, most likely adult Dial a service, most likely adult content sites, for which you

content sites, for which you

will be billed! •

• Monitor your keystrokesMonitor your keystrokes •

• Collect information aboutCollect information about you and your surfing

you and your surfing

habits

•

• Modify system settingsModify system settings •

• Redirect your browserRedirect your browser •

• Send/Receive cookies to other Send/Receive cookies to other

SpyWare programs will be billed!

(37)

Signs of SpyWare/Malware

•

• Does your computer seem slow?Does your computer seem slow?

•

• Do you see programs you donDo you see programs you don’’tt remember installing?

remember installing?

•

• When you start your Internet browser,When you start your Internet browser, does it open to a page you've never

does it open to a page you've never

seen before?

•

• Do you see a sudden increase in popupDo you see a sudden increase in popup advertisements on pages where you've

advertisements on pages where you've

never seen them before?

•

(38)

Ways to avoid SpyWare/Malware

•

• Keep Windows up to date.Keep Windows up to date.

•

• Keep your Antivirus up to date.Keep your Antivirus up to date.

•

• Install software only from Web sites you trustInstall software only from Web sites you trust.. •

• Read the fine print on free software.Read the fine print on free software.

“

“There is no such thing as a free lunchThere is no such thing as a free lunch””

•

• Use a tool to help detect and removeUse a tool to help detect and remove unwanted software

(39)

IE Defense

•

• Set your Internet Security settings to at least Medium.Set your Internet Security settings to at least Medium. •

• Open Internet Explorer and click the Open Internet Explorer and click the Tools Tools menu andmenu and then the

then the Internet Options...Internet Options...subsub--menu.menu. •

• Click on the Click on the Security Security tab at the top. Next click on thetab at the top. Next click on the

Internet

Internet icon. The icon. The Security Level Security Level bar should be set tobar should be set to Medium.

Medium.

•

• Next click on the Next click on the Restricted Sites Restricted Sites icon. The icon. The SecuritySecurity Level

Level bar should be set to High.bar should be set to High. •

• Next click on the Next click on the Trusted Sites Trusted Sites icon. The icon. The Security LevelSecurity Level

bar should be set to Low.

(40)

Pop up Blockers

The Google Toolbar

-- for IEfor IE

http://toolbar.google.com/

Maxthon

–

Tabbed BrowserTabbed Browser

http://www.maxthon.com

(41)

(42)

Ad

(43)

SpySweeper

(44)

Tools of Defense

•

• Set up IE in a secure fashion

Set up IE in a secure fashion

•

• A good popup blocker

A good popup blocker

•

• A good Antivirus

A good Antivirus

•

• A good removal tool

A good removal tool

SpySweeper (by Webroot) SpySweeper (by Webroot)

http://www.rockbridge.net

SpybotSpybot--Search & Destroy (by Spybot) Search & Destroy (by Spybot)

http://www.download.com

AdAd--aware (by Lavasoft)aware (by Lavasoft)

http://www.download.com

(45)

SpyWare

…

_…

Don

’

_’

t Be A Victim!

_{t Be A Victim!}

Questions?

(46)

What does RGV do to

(47)

Two Layered Protection

RGV Outsourcers mail Filtering

SpamSpam

VirusesViruses

RGV Implements its own filtering

Spam Spam

VirusesViruses

(48)

August 18, 2005 Combined

Domain

Domain MessagesMessages BytesBytes % of % of Bytes Bytes Blocked Blocked Msgs Msgs % of % of Msgs Msgs rockbridge.net rockbridge.net 30,13630,136 369,495,216369,495,216 62.0 62.0 21,697 21,697 78.7 78.7 Domain

Domain Viruses Viruses Quarantined Quarantined rockbridge.net

(49)

What Next?

RGV will introduce a new free service

(50)

Web Filtering

Residential Customers Parental Control

Parents will be able to control and limit their Parents will be able to control and limit their

children

(51)

Web Filtering

SMB Customers

Will be able to control and limit use of each Will be able to control and limit use of each