Security guide: reducing risks from outbound traffic

Although the IT security arena has matured immensely in the past few years the bulk of security systems and products concentrate on protecting from external threats. But what about the threat from within and, more specifically, the security issues that arise from outbound traffic risks?

Although the IT security arena has matured immensely in the past few years - largely as a result of multi-vectored and hybrid malware threats - the bulk of security systems and products tend to concentrate on protecting from external threats.

But what about the threat from within and, more specifically, the security issues that arise from outbound traffic risks?

Microsoft and a number of other mainstream application vendors have made significant strides in recent years, implementing draconian file and folder controls to prevent data leaking outside an organisation's controlled network. But this does not account for unauthorised IP traffic.

According to Graham Cluley, senior security consultant with Sophos, most vendors tend to promote the inbound security aspects of their products mainly because this is what customers are asking about. "Outbound traffic is also more difficult to manage, mainly because it doesn't get discussed by the industry that much, even though the scale of the threat is still quite significant," Cluley says.

Outbound traffic risks, he says, include the more obvious reputational damage that unauthorised traffic, notably e-mail and botnet traffic, can cause. "There is also the legal liability that a company can incur as a result of outbound hacking and malware attacks that can be traced back to the firm," he explains.

The solutions to the problem, argues Cluley, are quite varied, although most applications - like those of Sophos - fall into the preventative category. "Our security software, for example, can monitor the PCs operating in your IP range for spamming and other unusual outbound traffic. If anything unusual does occur, the software will either alert you and, if appropriate, lock down the traffic as required," he says. "Locking down unauthorised outbound traffic is actually quite easy. It does, however, require the creation of policy-based rules, which can involve quite granular program control," he adds.
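The policy-based outbound monitoring Cluley describes can be sketched in code. The example below is added here and is not Sophos's software: it reads constructed flow records, exempts an authorised mail relay (an assumed policy value) and flags any other host in the range that talks to many distinct external SMTP servers inside a short window, the footprint of a spamming PC.

```python
# Flag internal hosts behaving like spam bots: many distinct external SMTP
# (tcp/25) peers in a short window, outside the authorised relay list.
# Policy values and flow records below are constructed for this example.
from collections import defaultdict
from ipaddress import ip_address, ip_network
INTERNAL_NET = ip_network("10.20.0.0/16")           # our IP range
AUTHORISED_RELAYS = {ip_address("10.20.0.25")}      # the one permitted mail gateway
FANOUT_THRESHOLD = 4                                # distinct external MTAs per window
WINDOW_SECONDS = 300

# Constructed flow log, one record per line: "<epoch> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = """\
1200000000 10.20.0.25 203.0.113.10 25 tcp
1200000020 10.20.1.77 203.0.113.20 25 tcp
1200000025 10.20.1.77 203.0.113.21 25 tcp
1200000030 10.20.1.77 198.51.100.7 25 tcp
1200000040 10.20.1.77 198.51.100.8 25 tcp
1200000050 10.20.1.77 192.0.2.9 25 tcp
1200000070 10.20.1.78 203.0.113.30 25 tcp
1200000080 10.20.1.79 203.0.113.40 443 tcp
1200000090 10.20.1.80 10.20.0.25 25 tcp
"""

def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            yield int(ts), ip_address(src), ip_address(dst), int(dport), proto

def find_spam_suspects(text, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak distinct-destination count} for hosts over threshold."""
    per_host = defaultdict(list)                     # src -> [(ts, dst), ...]
    for ts, src, dst, dport, proto in parse_flows(text):
        if proto != "tcp" or dport != 25:
            continue                                 # only direct SMTP delivery
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue                                 # only internal -> external
        if src in AUTHORISED_RELAYS:
            continue                                 # policy exemption: the gateway
        per_host[src].append((ts, dst))
    suspects = {}
    for src, events in per_host.items():
        events.sort()
        # peak count of distinct peers inside any window that starts at an event
        peak = max(len({d for t, d in events[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(events))
        if peak >= threshold:
            suspects[str(src)] = peak
    return suspects
```

Hosts submitting mail to the internal relay, web traffic and the relay itself are left alone; only 10.20.1.77, with five distinct external MTAs in thirty seconds, is reported.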

According to Cluley, a growing number of security vendors are developing applications that monitor instant messaging (IM) and allied peer-to-peer IP traffic, although, he admits, capturing and analysing all the traffic - including, for example, encrypted Skype transmissions - is not always an easy thing to do.

Sophos's approach, he explains, is one of stopping any unauthorised applications from running on the user's PC. "This lockdown option is built into our AV security software," he says, adding that in general, this approach prevents most unauthorised outbound traffic since it stops the application in its tracks. "The problem is that customising the software to allow for specific exemptions from policy-based security takes a lot of effort on the part of the IT staff, many of whom may not have the experience and understanding to deal with this level of control," he notes.

The problem with unauthorised outbound traffic, Cluley says, is that a lot of IP traffic is generated by software developed for consumer applications. Securely translating those applications to a business environment is not an easy task.

"Our e-mail gateway technology can stop this type of IP traffic. It has policy support technology built in and can be closely programmed, which is what you need if you are looking to control outbound traffic to the Nth degree," he says.

Even with the best IT security systems in place, however, Cluley admits that no system is totally foolproof against unauthorised outbound packets slipping out. All you can do is lower the risk as far as is technically possible.

And just to make life interesting, he says, the security threats arising from outbound traffic are changing all the time. "A classic example of this is the threat of IP-generated malware and botnets that can be loaded from intelligent USB devices. A couple of years ago this type of threat was almost unknown," he says.

To counter this emerging threat, Sophos is beta testing a USB device control function within its corporate IT security software.

Botnet malware

Botnet malware is an increasingly serious threat. The latest research from Marshal, the security specialist, for example, shows that the Srizbi botnet now accounts for around half of all spam generated on the internet.

The security vendor's Trace (Threat, Research & Content Engineering) security operation says that the Srizbi botnet has steadily increased its network since the beginning of 2008 and is now the world's largest spam generator. Bradley Anstis, the firm's vice-president, says that Srizbi is the single greatest spam threat we have ever seen.

"At its peak, the highly publicised Storm botnet only accounted for 20 per cent of spam. Srizbi now produces more spam than all the other botnets combined," he explains. Incredibly, Marshal says that Srizbi is estimated to consist of around 300,000 compromised PCs and sends more than 60 billion commercial spam messages per day.

It's against this backdrop that PineApp has just released its new ZombiCop solution, which claims to block the growing volume of spam from zombie PCs that are resilient to existing anti-virus or anti-botnet technology. According to Steve Cornish, UK sales and marketing director for PineApp, ZombiCop has been designed for ISP or MSP (mail service provider) deployment, rather than sold directly to major corporates. The reason for this, he says, is that service providers are in a much better position to deal with IP traffic than companies, which are, after all, merely customers connected to the internet - no matter how large they are.

In use, ZombiCop allows service providers to filter unwanted IP traffic on their networks. The software achieves this through the use of an IP reputation profile engine that assesses the level of risk and identifies likely sources of zombie e-mails.

"It's these reputation profiles that allow ISPs to make decisions as to how to handle unwanted IP traffic," says Cornish, who added that ISPs have the ultimate weapon of requesting that an IP address or mail domain be added to the Real-time Black List (RBL) operated by a number of open source internet organisations such as SpamHaus.

Getting your IP address(es) or e-mail domains added to an RBL is the internet equivalent of being sent to Coventry. Any e-mails sent from the IP address or e-mail domain are simply not processed if they are on an RBL, which could have serious consequences for any business. This is why, says Cornish, companies need to be very careful about the integrity of their outbound IP traffic as, if they fall foul of their ISP - or a third-party service provider - they could end up on an RBL.

"And once you are on an RBL, it's very difficult to get off. It takes a lot of time and effort," he concludes.
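The RBL mechanism Cornish describes is a DNS lookup: the IP's octets are reversed, the list's zone name is appended, and an A-record answer in 127.0.0.0/8 means the address is listed. The example below is added here and is not PineApp's or Spamhaus's code; it builds that query for one of your own outbound IPs so a company can watch its own reputation before mail starts bouncing. The resolver is injectable, and a constructed offline stand-in with the placeholder zone zen.example.invalid is included.

```python
# Check whether one of your own outbound mail IPs is listed on a DNS-based
# RBL. Real zones (for example zen.spamhaus.org) publish their own meanings
# for the 127.x.y.z return codes; this code only reports them.
import socket
from ipaddress import ip_address, ip_network

LISTED_RANGE = ip_network("127.0.0.0/8")   # DNSBL convention: any answer here = listed

def dnsbl_query_name(ip, zone):
    """Build the lookup name: octets reversed, then the RBL zone appended."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def live_resolver(name):
    """Real A-record lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []

def check_listing(ip, zone, resolve=live_resolver):
    """Return (listed, codes); codes are the 127.x.y.z answers, meaning zone-specific."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = sorted(a for a in answers if ip_address(a) in LISTED_RANGE)
    return bool(codes), codes

# Constructed offline resolver standing in for DNS, keyed by query name.
FAKE_DNS = {
    "9.2.0.192.zen.example.invalid": ["127.0.0.2"],   # constructed: listed
    "25.0.20.10.zen.example.invalid": [],              # constructed: not listed
}
def fake_resolver(name):
    return FAKE_DNS.get(name, [])
```

Running check_listing against the live resolver for each of your outbound IPs on a schedule gives early warning of exactly the situation Cornish warns about.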

This article was originally published in Infosecurity magazine
