By Chad Sullivan
Publisher: Cisco Press Pub Date: June 01, 2005 ISBN: 1-58705-205-9 Pages: 456
Table of Contents | Index
Prevent security breaches by protecting endpoint systems with Cisco Security Agent (CSA), the Cisco host Intrusion Prevention System.
Learn the basics of endpoint security and why it is so important in today's security landscape.
Protect endpoint systems from hackers, viruses, and worms with host intrusion prevention security.
Prevent "Day-Zero" attacks with the first book on CSA deployment.
Endpoint systems, being the point of execution for the malicious code, are where the most effective counter-intrusion mechanisms should be placed. Cisco Security Agent (CSA) is an important part of the network security puzzle that can help organizations secure their end systems. Its many capabilities include preventing "Day Zero" worm attacks, end system virus attacks, and Trojan horses; acting as a distributed firewall; performing an operating system lockdown; and performing application control. With the vast array of features, capabilities, and complexities associated with CSA, users need expert guidance to help them implement and maintain this important new security device and use it to maximum effect. This book presents a detailed explanation of CSA, illustrating the use of the product in a step-by-step fashion.
Cisco Security Agent presents a complete view of host intrusion prevention with CSA, including basic concepts, installations, tuning, and monitoring and maintenance. Part I discusses the need for endpoint security. Part II helps readers understand CSA building blocks. Part III delves into the primary concern of new customers, that being installation. Part IV covers monitoring and reporting issues. Part V covers CSA analysis features. Part VI discusses creating policies and CSA project implementation plans. Maintenance is covered in Part VII.
CSA Rule Modules
CSA Policies
Chapter 5 Understanding Application Classes and Variables
Using Application Classes
Introducing Variables
Part III CSA Agent Installation and Local Agent Use
Chapter 6 Understanding CSA Components and Installation
General CSA Agent Components Overview
Using Application Behavior Investigation on the Remote Agent
Analyzing Log Data
Index
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Credits
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, Strata View Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA
This book is dedicated
To my wife Jennifer for her patience and encouragement.
To my three little angels, Avery, Brielle, and Celine, for their amazing ability to learn and their continuous challenge for me to do the same.
And to God, for providing me the ability to identify the many opportunities to succeed that have crossed my path.
Chad Sullivan is a consulting systems engineer for Cisco Systems based out of Atlanta who specializes in security on the Advanced Technologies Team. He is highly certified and currently holds three CCIEs (Security, Routing & Switching, and SNA/IP), Cisco CCSP, and Cisco INFOSEC, as well as a CISSP and CHSP from ISC2. Chad has focused predominantly on security as a specialty for a number of years and has been a member of the Cisco Security and VPN Virtual Team for the past five years as well as a member of several security professional societies.
Jeff Asher is a network systems engineer/security engineering practice manager at Internetwork Engineering in Charlotte, North Carolina, where he is currently deploying endpoint security systems to an enterprise network of more than 6000 workstations and 350 servers. Jeff has earned several certifications, including Microsoft Certified System Engineer and CCNP. He earned a bachelor of arts degree from Virginia Polytechnic Institute and State University.
David Marsh is a security consultant for the Cisco Systems World Wide Security Practice and lives in Atlanta. He has focused on security for a number of years and holds Cisco certifications such as CCNP, CCDP, and CCSP as well as industry certifications such as CISSP, MCNE, and MCSE. David has an MBA from Georgia State University and is looking at pursuing the GIAC GSE after he wraps up his CCIE (Security). He is currently engaged in security architecture consulting for some of the top Cisco customers and has no spare time.
I first want to thank Debra Malver, who constantly provided any and all information and assistance I required. I want to thank everyone at Cisco Press who was involved in the creation of this book, including Michelle Grandin, Brett Bartow, Dayna Isley, and Tammi Barnett. (I cannot say thank you enough to Dayna Isley, who has shaped this book more than anyone will ever know.)
Special thanks to David Marsh and Jeff Asher for reviewing the content of the manuscript and ensuring its accuracy. Also, to David Marsh, thanks for his friendship and for constantly challenging me to think differently. To the driving forces of the "Dream Team" for continuing to challenge me to drive harder, faster, and further than I believed possible, including Tyler Pomerhn, Mike Purcell, and Mason Harris. To Dave Swink for his practical CSA insight and implementation guidance. To Lamar Tulley and Seth Judd, who are more the same than they realize. To Tyler Durden for providing an escape when it was needed. To all of my Cisco coworkers, who have had to listen to my rants regarding the trials and tribulations during my writing cycle, including Joe Stinson, Steve Gyurindak, John Dodson, Jamey Heary, Paul Ostrowski, and anyone and everyone else who has crossed my path during the past year. To Jeff Wells, who played a great role in the early stages of this book's development and in shaping Chapter 1. To the Cisco CSA Team, including Ted Doty, Jeff Mitchell, Marcus Gavel, Johnathan Hogue, and Josh Huston for providing assistance when needed, both directly and indirectly. To a friend and former manager, Dan Zatyko, who helped shape my career in more ways than he may know. To my mother and father for believing in my potential and keeping me focused even when I pushed it away. To my sister, Ashley, who drives me to succeed in competition to her continued success. To my in-laws, Royce and Phyllis Lynn, for providing spiritual guidance. To Kevin Mahler for helping me to understand the writing process and for providing many needed contacts to further my career. And finally, to the Academy. (The music plays, and I am ushered off stage.)
The Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
I encountered computer and network security very early in my career. My first job out of college in the early 1980s was with the National Security Agency, and two things immediately became clear. First, the government, and especially the Defense Department, were about the only people who were remotely interested in computer security. Second, there were a lot of ways that security could go wrong.
Some things have changed dramatically since then. Everyone is aware of computer security issues to some degree now, even if this awareness is only about viruses and spyware. It is both gratifying and concerning to now be able to explain my job to my mother in 10 seconds. ("You know the hackers? We're trying to stop them.")
However, some things have not changed much, if at all: there are still a lot of ways that security can go wrong. We've tried many approaches to stopping attacks, but most of these have struggled to keep up with the rate of change in technology. When we block ports, applications use port 80 (web). When we inspect the packets, the applications use SSL. The rate of change is accelerating, and since attacks can fit themselves into any of these nooks and crannies, it remains easy to miss something.
This was why the Okena Stormwatch agent (now the Cisco Security Agent [CSA]) is such a shock to people who have been involved in security for a long time. In many ways, it seems to violate everything that we've learned about how to protect your systems. No, you don't need to update it to get the latest protection. Yes, your applications very well may be vulnerable, but CSA will keep them from being exploited. Yes, it will indeed stop an attack that it's never seen before. In a sense, one of the hardest things about CSA is the mental shift from what we have been used to.
However, once that shift happens, the current hustle and bustle of our lives (getting the update, testing the update, looking at the new exploit) becomes much simpler. While there are still a lot of ways that security can go wrong, CSA provides a defense even when something is wrong. I remember the e-mail that
attacking our web server. We're not sure what it is, but Stormwatch is blocking it." That was the Nimda worm, the first of a long line of attacks stopped by CSA.
This book provides great detail on how to use CSA, but also provides background on how CSA works. Anyone interested in CSA, and especially anyone who uses it day to day, will find this book to be indispensable.
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown.
Italics indicate arguments for which you supply actual values.
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces {} indicate a required choice.
Braces within brackets [{}] indicate a required choice within an optional element.
Endpoint protection has quickly become a "must have" rather than a "nice to have" security mechanism in today's fast-paced world. Numerous worms, viruses, Trojan horses, bots, and other security malware circulate and grow on the Internet at an alarming rate, and you need to counter these effectively with appropriate technologies. The endpoint, being the point of execution for the malicious code, is where you should place the most effective counter mechanisms. This reality has prompted the industry to understand the need for such software to be developed. The Cisco Security Agent (CSA) software provides the protection necessary to combat these threats. Viruses and worms are no longer simply viewed as a nuisance, but rather as theft and vandalism. The threats are real, and the protective mechanisms required need to be more robust than those used previously.
This book is designed to enable readers to discover the CSA product with or without having a running product in front of them. This book first introduces the architecture and components of the system and then examines the configuration of rules and policy. Anyone who is investigating the CSA product or endpoint protection in general will gain insight into the product from this book. Those involved in a production rollout will find the information contained herein a valuable ongoing reference.
This book is structured to allow the reader to proceed from cover to cover in a natural learning and discovery process. The book is organized into 7 major
Part II, "Understanding the CSA Building Blocks," covers the basic components you must thoroughly understand when attempting to deploy the CSA architecture.
Chapter 5, "Understanding Application Classes and Variables," discusses some of the CSA objects that simplify ongoing maintenance and usability of the software through the use of reusable elements.
Part III, "CSA Agent Installation and Local Agent Use," covers the agents themselves, how you can implement them, and how the user can interact with the agent locally.
Chapter 11, "Application Behavior Analysis," discusses the new capability of the CSA agent to collect detailed information regarding a specific process and how it uses and is used by system resources.
Part VI, "Creating Policy, Implementing CSA, and Maintaining the CSA MC," covers policy as a whole comprised of the various building
to implement CSA. You also learn about information required to keep a CSA deployment running efficiently and how to provide the necessary level of backup required in case of a system failure.
Chapter 12, "Creating and Tuning Policy," examines the methods used to tune policy such that it controls your environment without impacting usability.
Chapter 13, "Developing a CSA Project Implementation Plan," lays out a detailed implementation plan that takes you through the various stages and steps of a CSA deployment.
Appendix B, "Security Monitor Integration," discusses integrating the CSA MC with the Security Monitor component of CiscoWorks VMS.
Appendix C, "CSA MIB," introduces the CSA MIB that can be used with various SNMP management systems.
Chapter 1 Introducing Endpoint Security
Chapter 2 Introducing the Cisco Security Agent
The new exploits and rapid propagation techniques seen today are not the only reasons security is pushing to the top of many organizations' list of concerns. Changes in the world's political landscape, the ever-growing concern of corporate espionage, cyber-attacks or cyber-warfare, and the dramatic increase in identity theft are all driving this new security awareness.
In this chapter, you explore the evolution and general effect of viruses, worms, and spyware along with a view to where they may be heading. In addition, you learn about other important security issues on the endpoint.
This section explores the initiation and evolution of the automated attack against computing infrastructures, including early virus and worm behavior and the drivers shaping these behaviors.
Virus Emergence and Early Propagation Methods
The concept of the computer worm or virus is not new. Those who created early computing machines conceived of malicious code or data nearly concurrently with their hardware discoveries. Early researchers used such code in elaborate games such as Core Wars in attempts to learn more about computing and how unexpected interaction between processes affects the computing environment.
The computer virus really started to have an effect at the onset of early business and consumer networking. In the mid-1980s, networking was likely to be done via sneakernet, the term for using floppy disks to move computer programs and data from machine to machine. The earliest examples of widespread computer viruses utilized this method to propagate themselves. Often, the virus would reside in the boot sector of the floppy disk or attach itself to executable files. When users then moved that disk to another machine and tried to boot from it or run executables on it, the virus copied itself into memory and waited to jump on the next clean boot sector or executable encountered. Although this form of propagation may today seem slow and primitive, it was remarkably effective. Note that this class of malicious tools was effective because it utilized the behavior of the attacked system itself as a weapon.
Viruses mutate and evolve to match their environment and to take advantage of new infection vectors. Those who write the viruses drive this mutation and evolution in the interest of getting the greatest possible impact. The first viruses were effective precisely because of the way computers operated and the way people interacted with them. The viruses took advantage of the following facts:
PCs booted via floppy disks, which provided boot sector viruses fertile ground for reproduction
viruses deleted files or destroyed the boot sector itself. Often, these viruses remained inactive within the executable files and in the computer's memory until a particular trigger date that would activate the malicious virus.
Throughout the late 1980s until the present, those who write malicious code have taken advantage of the increasingly well-connected nature of machines, operating systems, and applications, and their code has mutated and evolved accordingly. A thorough understanding of the inherent behavior of the target system is crucial to the creation of successful virus code, crucial in fact to any attack against a particular system. To defend a system, you must have this same understanding of system behavior, architecture, and communication.
LAN Propagation
The advent of the LAN provided the traditional virus with new propagation opportunities. These networks removed the floppy disk and human mobility requirement and replaced them with much faster electrons moving through copper wire. With such systems, files and applications are shared with speeds orders of magnitude greater than with sneakernet.
With the introduction of LANs, viruses at first stuck to their old method of operating and continued to propagate, at much higher rates, through infected application files. The problem was compounded by the fact that LANs usually contain one or more file servers, which are devices that act as central repositories
The WAN and Internet
After the emergence of the LAN in business computing, business soon realized the productivity gains possible by joining the LANs of their own branches and those of their partners and customers across geographically dispersed areas. This new "super network" is called a WAN. A WAN provides the virus with an even more vast and extended network and gives an infected business the dubious honor of being able to spread their infection to their partners or customers.
With the emergence of the Internet as a valuable business tool, all of these LANs and WANs at thousands of businesses around the world had the potential to be joined, creating the "network of networks." Rapidly realized on a global scale, this convergence represents the terminal opportunity for virus code because of the great potential for sharing infected files and creates a new kind of vulnerable system. That system is the entire Internet itself.
The Network Worm
Writers of malicious code soon realized they could build a new type of attack, one that would be independent of executable files and would instead attack systems themselves via their network connection. This new attack, called a network worm, was automatic and usually did not rely on a user's interaction for infection of a vulnerable system to occur. As a result, this approach is a far more rapid and advanced method of spreading malicious code than the virus and one that takes advantage of the architecture and behavior of the large network.
Like the virus, the worm may contain and carry a malicious payload. Curiously (and luckily) few worms have done so. Most worms have caused damage due to denial of service (DoS) that results from their rapid propagation. The worm's ability to use all local CPU and network resources on the infected machine often renders them unusable.
networks and the Internet via the IP protocol suite. At the time of the Morris worm, the Internet was a loose affiliation of universities, government entities, and a handful of forward-looking high-tech businesses. Because of the ubiquity of certain operating systems on the Internet at the time, the Morris worm rapidly infected a considerable percentage of available hosts and, because of its propagation method, swamped CPU and communication resources on the infected machine, causing such machines to become unusable. It is generally accepted that the creator of this worm was performing research rather than attempting to cause trouble, but the damage done was considerable. The whole tech world was suddenly awakened to this new and alarming threat.
The Single Environment and Its Consequences
The success of a worm or virus depends heavily on the prevalence of the target system or application in the environment under attack. The Morris worm was powerful because many machines were connected and running a limited set of software possibilities. The worm easily could discover new vulnerable hosts for infection. As each new host became infected, that host in turn found many "neighbor" machines to infect.
Over the past decade, the Microsoft Windows environment has become the computing platform of choice for most of the world's PC users, business or individual. As a result, nearly 90 percent of the machines connected to the Internet are of the same general type and run the same basic networking, operating system, and application code. Although this commonality fosters productivity for connected users because of the ease of sharing, worms also benefit from such an environment and are easily "shared." A single-vendor computing environment fully interconnected with high-speed data links is fertile ground for aggressive malicious code. Combining today's interconnected high-speed networks such as Ethernet LANs, optical WANs, and always-on home Internet connections (cable modems and DSL) with interconnected machines operated by identical software presents easy targets to the network worm or virus.
Just as computers have become more complex and efficient with new productivity features, so have security threats become complex and efficient. Just about any feature you have come to love over time can be exploited and used against you or others if not appropriately implemented and correctly secured. To help illustrate this concept, you need look no further than your favorite e-mail program. If someone releases an exploit that compromises a system running a vulnerable e-mail application, the exploit may inappropriately send unauthorized e-mails containing a virus to everyone in the local address book. These e-mails appear to come from the local user's address; therefore, they have a much better chance of compromising the receiver's machine because the receiver believes the e-mail was sent by a trusted source, such as a colleague, friend, or family member.
Blended threats combine propagation mechanisms, exploits, persistence, and damaging payloads. In the past, each of these pieces would need to be manually executed in the proper sequence to fully "own" a system. Today, these pieces are bundled together to automatically execute at the appropriate time. The fact that they are bundled together into simple-to-launch executables makes anyone with a computer a potential script kiddie. Script kiddies are individuals who are incapable of developing malicious code but instead use the available tools to attack systems. Although not necessarily the most dangerous individuals, script kiddies are by far the most common and pose a very large threat simply due to the number of attacks they can generate with little or no knowledge of what they are doing. In most cases, they are not attempting to gain access to a specific system but rather are seeking to gain access to any system.
Blended threats can be very damaging in a very short period of time. The next sections look at some of the features of a blended threat that make this automated system so damaging.
Delivery and Propagation Mechanisms
For a blended threat to compromise many machines in a short period of time, it
or UDP Layer 4 communication. You have witnessed in recent years many different protocol paths between hosts, but the most common method of automatic threat propagation continues to be e-mail, Microsoft Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC) communication protocols, and automatically downloaded content received from web pages using HTTP or HTTPS while surfing the Internet.
Another important piece of the typical blended threat is the built-in scanning mechanism. Via scanning mechanisms, such as port scans and ping sweeps, the blended threat attempts to locate other vulnerable systems from the vantage point of the already compromised machine. Regardless of the way a
application server, a protocol stack, or an end user's application.
An exploit is the method, software, script, shell code, and so on that is used to compromise a system vulnerability to gain unauthorized control of or access to the system's resources. Some exploits may automatically compromise an endpoint through a known or unknown vulnerability (you learn more about unknown or day-zero attacks in Chapter 2, "Introducing the Cisco Security Agent") such as a buffer overflow with injected shell code. Other methods may require a user to open and execute the infected file to be successful in gaining access or rights to a system. Who would do such a thing? Unfortunately, many people with myriad motivations. Hackers, those who write exploit code, have become very creative over time and have employed many and varied ways of tricking computer users into executing their malicious code. An example of this is to send an e-mail to an individual with an attachment that appears to be a website, such as www.company.com, but is actually a COM file that causes
persistence on the endpoint.
Persistence
After the hacker has penetrated the system and the hacker's tool has moved on to attempting to locate other systems from its new vantage point, the typical blended threat attempts to become persistent on the endpoint such that any basic attempt to clean or stop the virus or worm will only be temporarily successful. Often either the next reboot or some other restart mechanism allows the virus to maintain its nefarious hold on the infected system. There are many ways for a program to auto-start itself. Among others, these methods include the following:
Inserting into the Windows system registry Run or RunOnce keys
Inserting into the Windows Startup group
Inserting into startup scripts or initialization files of Windows or UNIX systems
Registering itself as a Windows service
Replacing or editing a file or service that already has access to the system using common Trojan methods
Creating or modifying a cron job on a UNIX system
These are only a few of the many creative persistence methods available. To ensure survival, complex blended threats employ as many of the previous methods as possible. Remember: The goal of any virus, worm, or blended threat is typically to compromise as many systems as possible as quickly as possible; therefore, guaranteeing that the malicious code will restart after being terminated or rebooted is a great way to continue its mission. When the blended threat has propagated and become persistent, it can deliver the final blow to the endpoint that has become its temporary home: paralyzing or destructive behavior.
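As an added defensive example, not part of the book, the following PowerShell script takes a baseline of the Windows auto-start locations named in the list above (Run/RunOnce keys, Startup folders, and services) and reports entries that have appeared since the last run. The baseline path is a placeholder, and the UNIX startup files and cron jobs in the list are outside its scope.

```powershell
# Added example (not from the book): baseline the Windows auto-start locations
# listed above so a defender can spot entries that appear between runs.
# Assumes PowerShell 5.1 or later on Windows; run elevated to see every service.

$entries = New-Object System.Collections.Generic.List[object]

# 1. Run and RunOnce keys under both the machine and the current-user hives
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell attaches to the object
        if ($p.Name -like 'PS*') { continue }
        $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}

# 2. Per-user and all-users Startup folders (the "Startup group" in the list)
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries.Add([pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName })
    }
}

# 3. Services whose binary lives outside the Windows and Program Files trees;
#    a service registered by malicious code usually runs from a user-writable path
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
} | ForEach-Object {
    $entries.Add([pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName })
}

# 4. Compare with the last saved baseline and report only new entries.
#    $baselinePath is a placeholder; keep the real baseline somewhere the endpoint's
#    users cannot write, so a compromised host cannot rewrite its own reference.
$baselinePath = 'C:\baseline\autostart.csv'
if (Test-Path $baselinePath) {
    $baseline = Import-Csv -Path $baselinePath
    $added = Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($entries) `
        -Property Source, Name, Command | Where-Object { $_.SideIndicator -eq '=>' }
    if ($added) { $added | Format-Table Source, Name, Command -AutoSize }
    else        { Write-Output 'No new auto-start entries since the baseline was taken.' }
} else {
    # First run: record the current state as the baseline and print it for review
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $entries | Export-Csv -Path $baselinePath -NoTypeInformation
    $entries | Format-Table Source, Name, Command -AutoSize
}
```

Run it once on a known-clean build to create the baseline, then schedule it; any entry it lists afterwards is a candidate for the persistence behaviour described above and should be checked against change records before it is removed.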
The Global Implications
At this point, you see the potential for severe and far-reaching destruction due to these automated attack tools. For example, consider the Slammer worm. Slammer attacked the Microsoft SQL database server engine and gained database administrator privileges before propagating to other systems. Because of its architecture and targets, the Slammer worm propagated extremely rapidly, reaching worldwide in less than half an hour and infecting hundreds of thousands of hosts, many thousands of them representing critical systems for the businesses and governments involved.
deleted database records or files or, even worse, made subtle alterations to the database data administered by the infected SQL management process. Such an attack would have caused untold worldwide destruction and economic chaos and made mitigation of Slammer infections more expensive by an order of magnitude.
What is truly alarming is that there was no way to predict the Slammer attack or prepare for it in a general sense. Available patches and firewall best practices would have limited its spread, but there is no guarantee that today's fix will stop tomorrow's issue. None of the normal security methods used to mitigate attacks takes the behavior of the attacked system into account. As a result, the security community is always chasing the attackers and repairing infected systems rather than stopping them before the attack.
Spyware
Beyond the typical virus and worm, other threats impact many personal home computers and enterprise networks. One of these major threats today is spyware.
Spyware is an application that runs on a system and performs undesirable reconnaissance that the system owner is unaware of. In most cases, spyware is loaded much like a Trojan horse. It is commonly hidden in another application that the user intended to install. An example is a program that is installed along with the latest freeware game the user downloaded. Unknown to the user, the game not only installed itself but also installed another application that monitors the user's keystrokes watching for usernames and passwords, logs every website visited, can turn on the microphone and webcam attached to the system, and can open the locally installed e-mail application to steal the local address book. All
as installing a program that was "desired," can cause many "undesired" results, including identity theft or loss of intellectual property.
Most of this chapter so far has focused on automated tools such as viruses, worms, and spyware. Because these threats have grabbed the majority of headlines over the past few years, they received the majority of the focus in this introductory material. Viruses, worms, and spyware do not, however, represent the majority of potential security problems on a given infrastructure. In addition to them, there are many others, not the least of which are those caused by the insider.
An insider is a person who has some level of permission on the protected network. Insiders either work for a company and are therefore trusted on its network or are a member of your family at home and are therefore trusted on your home network. They are on the inside. Many security managers focus strongly on outside threats and ignore the real threat of the insider. The insider already has the type of privilege that an outside attacker desires. They are already positioned to steal or do direct damage to an infrastructure.
Some insiders, such as disgruntled employees, cause damage or breaches in security willfully. Examples of an insider attack include willful destruction of data, data theft, and password theft.
Others, however, with the purest of motivation and believing they have the company's interest at heart, cause damage or breaches by nothing more than ignorance or carelessness.
They may write their passwords down on sticky notes and leave them where others can find them, dispose of confidential information in a nonsecure manner, or unwittingly download Trojan horse files from the Internet that create backdoors for hackers.
The network security manager must be just as aware of and vigilant against these insiders as against the outside attacker. These insider issues are far more difficult to detect and prevent than the more well-known and obvious ones. As with the other attacks discussed in this chapter, it is the behavior of the systems under attack that makes them vulnerable.
Point security refers to the security strategy of protecting individual devices or systems with no overall plan or view toward integration of the different tactics employed. This section explores the weakness of this security method by defining point security and illustrating common attacks on the point security approach.
Using Point Security Products
Just a few short years ago, many people believed that securing a network meant adding a firewall to the perimeter and adding passwords to network resources. This simplistic approach proved to be an unsuccessful strategy in securing networks. Attackers began using well-known protocols for transporting their malicious code and causing widespread DoS attacks. Many of these attacks would compromise known vulnerabilities in common application layer protocols such as FTP, TFTP, SMTP, and HTTP. Servers running these particular services are often behind a firewall. However, because firewalls traditionally only limit connections to end systems over desired acceptable ports, coupled with the fact that communication to these services is required from an untrusted network such as the Internet, firewalls cannot stop the hacker from gaining a legitimate connection to the server. If the application server was compromised, the hacker could use it as a jumping point to connect to other systems that would not
always the case)
Most typical network security mechanisms (passwords, firewalls, and IDSs) are standalone technologies, known as point security because they individually secure a single point in the network or only cover one point of your security needs. The best designs possible include a combination of each security mechanism mentioned previously as well as additional controls such as Host Intrusion Prevention software and physical security controls.
Candy Shell Security
Many networks around the world have a very similar security issue: The security mechanisms are at the edge attempting to deny access to the network from abroad. These edge security mechanisms do not focus on the internal portion of the network with advanced security products that could protect the endpoints effectively. This issue is known as candy shell security by many security professionals.
Candy shell security refers to a network that has a hard candy shell or strong perimeter security but easily compromised endpoints, which are the soft chewy center in this analogy. If you rely on signature-based technologies such as network IDS and perimeter defenses to protect your most valuable resources, you are guaranteeing a treat for the hackers and blended threats will come.
Encrypted communication is very common today, and many organizations have had viruses and worms enter through this communication path. Two different network mechanisms that use this communication path are web page e-mail applications and IPSec VPN. Enterprise users often utilize personal e-mail accounts via web pages that use SSL encryption from corporate computing assets. IPSec VPN tunnels are not as common for the everyday corporate user, but many corporate partners may connect to the enterprise via this mechanism and thereby provide an unsecured path between the two organizations.
Although you may believe that an encrypted stream is the only way malicious code may enter your network, do not forget the old standby known as the sneakernet method of propagation. Today's sneakernet is in some ways even more damaging because it does not rely on floppy disks with limited storage but rather media such as USB keys, CD-Rs, and DVD-Rs. Network security devices cannot detect transported code that is not physically passing through the various security inspection devices located at the perimeter or pervasively throughout the network architecture.
This section explores some methods of computer network attack detection in use today and attempts to draw conclusions based on their success against well-known attacks and in concert with other common defense strategies.
Signature-Based Attack Detection
A signature in the context of attack detection is a pattern of data that characterizes or defines a particular attack or exploit. Signature-based attack detection relies on a list of known signatures and an engine to compare data either on a network or scanned by a process on a system to this signature list. If a match with a list item is discovered, the matching system generates an alert indicating the match and the expected severity.
type of attack detection is called reactive detection.
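The list-and-compare engine described above, as an added example that is not code from the book or from Cisco Security Agent: a small signature matcher in Python with a constructed rule list and constructed sample requests. It shows a match producing an alert with a severity, the handling of a pattern that straddles two packets or file chunks (the overlap window), and why the method is reactive: a payload for which no rule exists yet produces no alert until someone writes one. The signature ids, names, patterns, sample requests and the host name example.test are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int        # rule identifier reported in alerts
    name: str
    pattern: bytes  # regular expression applied to raw bytes
    severity: str   # "low", "medium" or "high"


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    severity: str
    offset: int     # absolute byte offset of the match in the scanned data


# Constructed, illustrative rule list. These are not rules from any real
# IDS, antivirus or CSA policy; they only stand in for "a list of known
# signatures" so the engine below has something to compare against.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP request path contains a '../' component",
              rb"GET\s+/[^\r\n]*\.\./", "medium"),
    Signature(1002, "SQL tautology in a request parameter",
              rb"(?i)'\s*or\s+1=1", "high"),
]


def scan(data: bytes, signatures: Iterable[Signature] = SIGNATURES,
         base: int = 0) -> List[Alert]:
    """Compare one buffer against every signature; each match becomes an alert."""
    alerts: List[Alert] = []
    for sig in signatures:
        for m in re.finditer(sig.pattern, data):
            alerts.append(Alert(sig.sid, sig.name, sig.severity, base + m.start()))
    return alerts


def scan_stream(chunks: Iterable[bytes], signatures: Iterable[Signature] = SIGNATURES,
                overlap: int = 64) -> List[Alert]:
    """Scan packet payloads or file chunks as one logical stream.

    A pattern that straddles a chunk boundary is invisible to per-chunk
    scanning, so the last `overlap` bytes of the previous chunk are kept and
    prepended to the next one. Because that region is scanned twice, alerts
    are de-duplicated on (sid, absolute offset).
    """
    rules = list(signatures)
    seen: Set[Tuple[int, int]] = set()
    alerts: List[Alert] = []
    tail = b""
    consumed = 0  # absolute offset of the first byte of the current chunk
    for chunk in chunks:
        window = tail + chunk
        for alert in scan(window, rules, base=consumed - len(tail)):
            key = (alert.sid, alert.offset)
            if key not in seen:
                seen.add(key)
                alerts.append(alert)
        consumed += len(chunk)
        tail = window[-overlap:]
    return alerts


# Constructed sample inputs (not real captures).
REQUEST_TRAVERSAL = b"GET /static/../../secret.cfg HTTP/1.0\r\nHost: example.test\r\n\r\n"
REQUEST_SQLI = b"POST /login HTTP/1.0\r\n\r\nuser=admin' OR 1=1 --&pass=x"
REQUEST_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
# Stands in for traffic the rule list does not know about yet; the engine is
# silent on it until a rule exists, which is what makes the method reactive.
REQUEST_UNKNOWN = b"GET /index.html?x=NOT-YET-IN-ANY-RULE HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for label, req in [("traversal", REQUEST_TRAVERSAL), ("sqli", REQUEST_SQLI),
                       ("benign", REQUEST_BENIGN), ("unknown", REQUEST_UNKNOWN)]:
        print(label, scan(req))
    # The same request split across two packets still alerts at offset 0.
    print("chunked", scan_stream([REQUEST_TRAVERSAL[:13], REQUEST_TRAVERSAL[13:]]))
```

The same `scan` function serves both deployment points the text names: a network sensor feeds it packet payloads through `scan_stream`, and a host process feeds it file contents read in chunks. Nothing in it consults the behavior of the attacked system; the engine only knows what is already on the list.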
Application Fingerprinting
Computer applications such as SQL, word processors, and web server programs are composed of one or more executable files and a number of supporting files such as dynamic link libraries (DLLs), object libraries, configuration files, and the like. Some of these files change during the execution of the application program, but many of them, called static files, do not. These static files are