Although the IT security arena has matured immensely in
the past few years - largely as a result of multi-vectored and
hybrid malware threats - the bulk of security
systems and products tend to concentrate on protecting from
external threats.
But what about the threat from within and, more specifically,
the security issues that arise from outbound traffic risks?
Microsoft and a number of other mainstream application vendors
have made significant strides in recent years, implementing
draconian file and folder controls to prevent data leaking outside
an organisation's controlled network. But this does not account for
unauthorised
IP traffic.
According to Graham Cluley, senior security consultant with
Sophos, most vendors tend to
promote the inbound security aspects of their products mainly
because this is what customers are asking about. "Outbound traffic
is also more difficult to manage, mainly because it doesn't get
discussed by the industry that much, even though the scale of the
threat is still quite significant," Cluley says.
Outbound traffic risks, he says, include the more obvious
reputational damage that unauthorised traffic, notably e-mail and
botnet traffic, can cause. "There is also the legal liability that
a company can incur as a result of outbound hacking and malware
attacks that can be traced back to the firm," he explains.
The solutions to the problem, argues Cluley, are quite varied,
although most applications - like those of Sophos - fall into the
preventative category. "Our security software, for example, can
monitor the PCs operating in your IP range for spamming and other
unusual outbound traffic. If anything unusual does occur, the
software will either alert you and, if appropriate, lock down the
traffic as required," he says. "Locking down unauthorised outbound
traffic is actually quite easy. It does, however, require the
creation of policy-based rules, which can involve quite granular
program control," he adds.
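The monitoring Cluley describes - watching the PCs in your own IP range for spamming and other unusual outbound traffic, with policy-based exemptions for machines that are allowed to send mail - can be sketched as a small detection rule over firewall logs. The following is an added example, not Sophos code or anything from the original article: the log format and sample lines are constructed, and the internal range, the authorised relay list and the threshold are assumptions chosen for illustration.

```python
"""Flag hosts inside a monitored IP range that open outbound SMTP
connections to an unusual number of distinct destinations, the pattern a
spam bot produces. Added example; log format and thresholds are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines: "<time> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
09:00:01 10.0.0.5 203.0.113.10 25 ALLOW
09:00:02 10.0.0.5 198.51.100.7 25 ALLOW
09:00:02 10.0.0.5 192.0.2.44 25 ALLOW
09:00:03 10.0.0.5 192.0.2.45 25 ALLOW
09:00:03 10.0.0.5 203.0.113.99 25 ALLOW
09:00:04 10.0.0.8 203.0.113.10 443 ALLOW
09:00:05 10.0.0.8 203.0.113.10 25 ALLOW
09:00:06 10.0.0.25 203.0.113.10 25 ALLOW
09:00:06 10.0.0.25 198.51.100.7 25 ALLOW
09:00:07 10.0.0.25 192.0.2.44 25 ALLOW
09:00:07 10.0.0.25 192.0.2.45 25 ALLOW
09:00:08 10.0.0.25 203.0.113.99 25 ALLOW
09:00:09 10.0.0.25 203.0.113.100 25 ALLOW
"""

INTERNAL_RANGE = ip_network("10.0.0.0/24")       # assumed: the range we monitor
AUTHORISED_RELAYS = {ip_address("10.0.0.25")}    # assumed: policy exemption (the real mail relay)
SMTP_PORTS = {25, 465, 587}                      # submission and delivery ports
MAX_DISTINCT_SMTP_PEERS = 3                      # assumed threshold: more than this is suspicious


def parse_flow_line(line):
    """Parse one constructed log line into (src, dst, port, action)."""
    _time, src, dst, port, action = line.split()
    return ip_address(src), ip_address(dst), int(port), action


def find_spam_suspects(log_text, max_peers=MAX_DISTINCT_SMTP_PEERS,
                       authorised=AUTHORISED_RELAYS):
    """Return {src_ip: distinct_smtp_peers} for internal hosts that exceed the
    threshold, skipping hosts exempted by policy."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = parse_flow_line(line)
        if src not in INTERNAL_RANGE or port not in SMTP_PORTS or action != "ALLOW":
            continue          # only allowed, outbound SMTP from our own range counts
        if src in authorised:
            continue          # the policy-based exemption Cluley mentions
        peers[src].add(dst)
    return {str(src): len(dsts) for src, dsts in peers.items() if len(dsts) > max_peers}


def lockdown_rules(suspects):
    """Turn the findings into lock-down rules (iptables syntax, as one illustration)."""
    return [f"iptables -A FORWARD -s {ip} -p tcp --dport 25 -j REJECT"
            for ip in sorted(suspects)]


if __name__ == "__main__":
    found = find_spam_suspects(SAMPLE_LOG)
    for ip, count in found.items():
        print(f"ALERT {ip}: {count} distinct SMTP destinations")
    for rule in lockdown_rules(found):
        print(rule)
```

The point of the `authorised` parameter is the "granular program control" the article mentions: without an exemption list the legitimate relay at 10.0.0.25 trips the same rule, which is exactly the tuning effort Cluley warns IT staff must budget for.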
Lockdown
According to Cluley, a growing number of security vendors are
developing applications that monitor
instant messaging (IM) and allied
peer-to-peer IP traffic, although, he admits, capturing and
analysing all the traffic - including, for example, encrypted
Skype transmissions - is not always an easy thing to do.
Sophos's approach, he explains, is one of stopping any
unauthorised applications from running on the user's PC. "This
lockdown option is built into our AV security software," he says,
adding that in general, this approach prevents most unauthorised
outbound traffic since it stops the application in its tracks. "The
problem is that customising the software to allow for specific
exemptions from policy-based security takes a lot of effort on the
part of the IT staff, many of whom may not have the experience and
understanding to deal with this level of control," he notes.
The problem with unauthorised outbound traffic, Cluley says, is
that a lot of IP traffic is generated by software developed for
consumer applications. Securely translating those applications to a
business environment is not an easy task.
"Our e-mail gateway technology can stop this type of IP traffic.
It has policy support technology built in and can be closely
programmed, which is what you need if you are looking to control
outbound traffic to the Nth degree," he says.
Even with the best IT security systems in place, however, Cluley
admits that no system is totally foolproof against unauthorised
outbound packets slipping out. All you can do is lower the risk as
far as is technically possible.
And just to make life interesting, he says, the security threats
arising from outbound traffic are changing all the time. "A classic
example of this is the threat of IP-generated malware and botnets
that can be loaded from intelligent USB devices. A couple of years
ago this type of threat was almost unknown," he says.
To counter this emerging threat, Sophos is beta testing a USB
device control function within its corporate IT security
software.
Botnet malware
Botnet malware is a rapidly growing threat. The latest
research from Marshal, the security specialist, for example,
shows that the
Srizbi botnet now accounts for around half of all spam
generated on the internet.
The security vendor's Trace (Threat, Research & Content
Engineering) security operation says that the Srizbi botnet has
steadily increased its network since the beginning of 2008 and is
now the world's largest spam generator. Bradley Anstis, the firm's
vice-president, says that Srizbi is the single greatest spam threat
we have ever seen.
"At its peak, the highly publicised
Storm botnet only accounted for 20 per cent of spam. Srizbi now
produces more spam than all the other botnets combined," he
explains. Incredibly, Marshal says that Srizbi is estimated to
consist of around 300,000 compromised PCs and sends more than 60
billion commercial spam messages per day.
It's against this backdrop that
PineApp has just released its
new ZombiCop solution that claims to block the growing volume of
spam from zombie PCs that are resilient to existing anti-virus or
anti-botnet technology. According to Steve Cornish, UK sales and
marketing director for PineApp, ZombiCop has been designed for ISP
or MSP (mail service provider) deployment, rather than sold
directly to major corporates. The reason for this, he says, is that
service providers are in a much better position to deal with IP
traffic than companies, who are, after all, merely customers
connected to the internet - no matter how large they are.
In use, ZombiCop allows service providers to filter unwanted IP
traffic on their networks. The software achieves this through the
use of an IP reputation profile engine that assesses the level of
risk and identifies likely sources of zombie e-mails.
"It's these reputation profiles that allow ISPs to make
decisions as to how to handle unwanted IP traffic," says Cornish,
who added that ISPs have the ultimate weapon of requesting that an
IP address or mail domain be added to the
Real-time Black List (RBL) operated by a number of open source
internet organisations such as SpamHaus.
Getting your IP address(es) or e-mail domains added to an RBL is
the internet equivalent of being sent to Coventry. Any e-mails sent
from the IP address or e-mail domain are simply not processed if
they are on an RBL, which could have serious consequences for any
business. This is why, says Cornish, companies need to be very
careful about the integrity of their outbound IP traffic as, if
they fall foul of their ISP - or a third-party service provider -
they could end up on an RBL.
"And once you are on an RBL, it's very difficult to get off. It
takes a lot of time and effort," he concludes.
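The RBL mechanism Cornish describes works over DNS: a receiving mail server reverses the octets of the sending address, appends the list's zone name, and treats an A record in 127.0.0.0/8 as "listed". A company that wants to know whether its own outbound addresses have been added to a list can run the same query. The code below is an added example, not PineApp's or SpamHaus's code; the zone name `bl.example.invalid`, the listing table and the stub resolver are constructed so the example runs offline, while `system_resolver` shows the real lookup.

```python
"""Check outbound IP addresses against a DNS-based real-time block list
(RBL/DNSBL). Added example; the zone and the listing table are constructed."""
import socket
from ipaddress import ip_address


def dnsbl_query_name(ip, zone):
    """Build the query name: reversed octets under the list's zone,
    e.g. 203.0.113.10 -> 10.113.0.203.<zone>."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def system_resolver(name):
    """Real lookup through the OS resolver. Returns the A record as a string,
    or None when the name does not exist (NXDOMAIN means 'not listed')."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """True if the list answers with a 127.0.0.x record for this address."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def check_outbound_addresses(addresses, zone, resolve=system_resolver):
    """Map each of our outbound addresses to its listing status, the check a
    company should run before its ISP or customers notice the problem."""
    return {ip: is_listed(ip, zone, resolve) for ip in addresses}


# Constructed listing table standing in for a real DNSBL zone (offline use).
ASSUMED_ZONE = "bl.example.invalid"
CONSTRUCTED_LISTINGS = {
    "10.113.0.203." + ASSUMED_ZONE: "127.0.0.2",   # 203.0.113.10 is listed
}


def stub_resolver(name):
    """Offline resolver answering only from the constructed table."""
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    # Assumed outbound addresses for a fictional company.
    for ip, listed in check_outbound_addresses(
            ["203.0.113.10", "198.51.100.7"], ASSUMED_ZONE, stub_resolver).items():
        print(f"{ip}: {'LISTED' if listed else 'clear'}")
```

Swap `stub_resolver` for `system_resolver` and a real list's zone to query a live RBL; running that check on a schedule for every address that sends mail on your behalf is the practical way to catch a listing early, since, as Cornish notes, getting off a list is slow once you are on it.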
This article was originally published in
Infosecurity magazine