Small Business Defense – Anti-spam
- At August 20, 2009
- By Josh More
- In Business Security
There are many anti-spam solutions in the market. They tend to fall into a handful of types. However, all of them must do the same thing: somehow determine which emails are legitimate and which ones are not. There are many ways to do this, and most of them use differing combinations of the same techniques. Thus, the main distinguishing characteristic is where the antispam solution fits into the network.
Client Software
A common solution is to use software that plugs into the email clients. This gives the user direct control over spam handling at the cost of requiring the spam to completely traverse the system and end up on the final computer. Thus, the risk exists that any malicious software may exploit the client and then run directly on the target. Additionally, the server must handle the additional load of processing spam and the administrator has no direct control of the anti-spam system.
This solution is generally not a good fit for businesses, though it can be quite effective for home-based users or businesses small enough to lack an I.T. department or contracted service.
Server Software
A traditional solution is to purchase anti-spam software for the server. This gives the email administrator direct control over the way that the anti-spam system operates. The users typically see an email folder that contains “known safe” spam messages. Thus, the users are protected against problematic emails but still able to inspect the acceptable ones if they choose to do so.
This is the standard solution for businesses, and works fairly well, though it does result in emails still traversing the system and adding load to the mailserver. As spam traffic increases, the resources of the server must be scaled up. Since there is no control of the spam until it reaches the server, the business still risks denial of service by choosing this solution.
Appliances
One way to solve the problem of the limitless scaling of server resources is to shift spam protection to an appliance. In this solution, a dedicated device is placed between the Internet and the mail server which serves only to filter spam. It is more complicated for the email administrator to manage, but it does keep everything within the control of the business.
Some of the larger businesses use this method. It still requires email to enter the network, but it does protect the core systems against exploitation and limits the amount of email that the end users must sort through.
Cloud Solutions
Though “cloud” solutions are getting a lot of market buzz these days, some have been around for a long time. In the anti-spam world, in particular, a cloud solution is often a good one. With this solution, spam need not ever enter the business network. The business is protected against malicious software and denial of service attacks. The users don’t have to deal with spam at all.
However, nothing is perfect. The main drawback to the cloud solution is that it inevitably delays email delivery. In short, you are adding an additional layer of processing and network transport, so every single email is going to be slower. While email administrators often state that “email is not instantaneous”, the delays are often noticeable with this sort of solution.
Conclusion
As always, a balance must be struck. You can emphasize usability — giving control to your users and risking both direct exploitation and the consumption of internal resources. You can emphasize security — making email administration more difficult and delaying email delivery. You can pick a solution anywhere along this spectrum, but no solution will ever be perfect.
What you can’t do, however, is nothing.
Small Business Attack – Spam
- At August 19, 2009
- By Josh More
- In Business Security
We’ve been battling spam for many years now. We all know that the problem exists, and that it can be annoying… but sometimes it seems like the constant complaining of email administrators is even more annoying. Is spam really such a big problem?
Let’s look at it for a minute… The influx of email can slow the mail servers. Manually sorting legitimate email from spam can reduce employee productivity. In some environments, the adult nature of spam can cause HR issues.
So sure, spam can be annoying, but is it really a serious problem?
Though I try to keep this blog from getting overly technical (after all, there are technical security blogs far better than mine), I am afraid that I have to dig a bit into the labyrinthine mess that is SMTP. The Simple Mail Transfer Protocol dates back to 1971 and is the method still used to transfer email today. (Though it has been extended and tweaked many many (many) times.) These days, it is far from simple but it is still deeply flawed.
At its heart are three problems:
First of all, the protocol is plain text. This means that anyone who can read the network traffic as it flows from the sender to the receiver can read the message. This allows attackers to read or alter messages as they go by, thereby preventing the receiver from knowing for certain that the messages are private or even reliable.
Secondly, the protocol runs on the honor system. Just as anyone can drop a letter into a mailbox and put on whatever return address they wish, anyone may send an email and forge any From address they want.
There are numerous technical measures that can be put in place to limit these two problems. However, none of them work perfectly, and each of them makes the maintenance of the system increasingly complex. If too many of them are implemented, you run an increasingly greater risk of email being greatly delayed or simply not getting through at all.
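One of the simplest of those measures is to check whether the From address the reader sees agrees with the envelope sender the receiving server recorded. The following is an added example, not code from the original post; the Return-Path header it reads is the one a final-delivery server writes from the SMTP envelope, and both sample messages are constructed.

```python
# Added example (not from the original post): flag messages whose visible
# From: header does not agree with the envelope sender. SMTP lets a sender
# put any From: header on a message; the Return-Path header is written by
# the receiving server from the envelope address used in MAIL FROM. A
# mismatch is not proof of forgery (mailing lists and some bulk senders do
# it legitimately), but it is the first thing a defender checks.
# The two sample messages below are constructed for this example.
from email import message_from_string
from email.utils import parseaddr


def sender_domain(addr: str) -> str:
    """Return the lowercase domain part of a mailbox string, or '' if none."""
    _display, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def check_from_alignment(raw_message: str) -> dict:
    """Compare the From: header domain with the Return-Path domain.

    Returns the two domains and whether they align; an empty From: domain
    never counts as aligned.
    """
    msg = message_from_string(raw_message)
    header_domain = sender_domain(str(msg.get("From", "")))
    envelope_domain = sender_domain(str(msg.get("Return-Path", "")))
    return {
        "header_domain": header_domain,
        "envelope_domain": envelope_domain,
        "aligned": bool(header_domain) and header_domain == envelope_domain,
    }


# Constructed sample: envelope and header agree, as in ordinary mail.
ALIGNED_MESSAGE = """\
Return-Path: <billing@payroll.example>
From: "Payroll Dept" <billing@payroll.example>
To: owner@yourcompany.example
Subject: Statement available

Your monthly statement is ready.
"""

# Constructed sample: the From: header claims the payroll vendor, but the
# sending server actually used an unrelated envelope address.
MISMATCHED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Payroll Dept" <billing@payroll.example>
To: owner@yourcompany.example
Subject: Problem processing your paycheck

Please review the attached notice.
"""

if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MESSAGE), ("mismatched", MISMATCHED_MESSAGE)):
        print(label, check_from_alignment(raw))
```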
Then, we have the final problem. Though it doesn’t relate directly to SMTP, the fact is that email is not human readable (by most humans, anyway), so recipients have to use email clients. As always occurs, a handful of email clients have become the most popular and are analyzed by attackers for problems. Then, email messages can be forged and sent containing malicious code that will exploit a flaw in the email client.
So what does all this mean?
Basically, in addition to spam being annoying and the extensions we’ve built around it making the actual system work poorly, we have a situation where attackers can target specific people and run their own software directly on the targeted workstation.
So how do we protect against it?
Small Business Defense – User Training
- At May 28, 2009
- By Josh More
- In Business Security
There was a general belief in the security community many years ago that user training was the only way to address security issues. Then we got slammed by tons of viruses and users all over clicked on links and ran attachments, basically doing exactly what we had all told them not to do. After spending weeks cleaning up the mess, the security community had a change of heart and basically took the stance that user training was a waste of time, and that we need better technology.
Well, it’s time to change this again. The technology doesn’t work. Sure, the technology is great for general threats. It’s good to keep certain applications from running. It keeps many network-based threats at bay. It can even be used to make the organization a bit more agile without too much risk.
However, it all comes down to one thing. No technology is smarter than a person, so everything we build tends to have a process somewhere that allows a person to override the security and effectively say “do it anyway”. Sure, we limit this ability to trusted people. Your executives’ time is highly valuable, so they may have local admin rights to avoid having to wait for help desk people. Your admins may need to bypass security controls to get their jobs done. There may not be many, but, in any organization, there are generally a few “special” people that are outside of the security system.
This makes them highly vulnerable to spear phishing attacks. All an attacker has to do is identify the special people, research them on the Internet, and send them an email that gets them to run something outside of the security controls. Then it’s all over.
There is only one solution to threats that bypass the entire security system, and that is to build a new security layer to intercept the threat. Sadly, given the way people have to work, there is only one place to put this security… and that’s in their brains.
Any action that a high-profile person takes is, at minimum, reviewed and considered by their brain prior to it being done. Thus, the last layer in a security architecture has to be the people themselves.
No, don’t waste your time training the average user not to click on links or run attachments. Instead, deploy technology that makes these actions impossible. But then, when the executives explain to you why they are special and why they need to be exempt, your answer should be “sure, but you need training”.
Mitigate the risk with user training. Make sure that they know that they are being specifically targeted. Train them and document the training. Revisit them regularly.
If you are in a position of writing policy, try to build a system where you can test them on their training. If they fail the tests, they lose the rights to circumvent the security technologies.
Remember, the goal is to protect the business. The business, as well as the threats themselves, is embodied in these “special” people. It is your job to protect them, even from themselves.
Small Business Attack – Spear Phishing
- At May 27, 2009
- By Josh More
- In Business Security
Imagine that you own a company. You are responsible for the financial lives of hundreds of people. If you make a mistake, you may have to let some of them go or, worse, lose the entire company and put them all out of a job. This fact doesn’t really keep you up at night, but it is a valid concern, so when you receive an email that reads:
“High Priority: Subpoena issued for YourCompany in case against YourClient”
Naturally, you’re a bit concerned as you do a lot of business with YourClient, and you open the email. Inside, you see your name, your business’s name, your address and phone number and a brief explanation that there is a disagreement between two of your clients and you have personally been asked to court. Then there is a link at the bottom that reads:
“For more information and to schedule your appearance at the trial, please click here.”
You’re probably going to click, aren’t you? After all, if you don’t show up, you could personally be found to be in contempt and in either case, your business will be impacted. It would make the most sense to click the link, get all the information you need and then call your lawyer, right?
Well, bad news. You’ve been spear phished. Some attacker found your information online and constructed an email filled with completely reasonable information all in an effort to fool you into clicking on that link. Sadly, now that you have, odds are that someone on the Internet has your passwords, access to confidential documents and your (and possibly the company’s) bank accounts. Worse, this information is in the hands of someone that knew you well enough to hand craft an attack against you, so odds are that the information is going to be used.
This is the problem with spear phishing. It’s targeted to high-profile people. Odds are that it won’t get picked up by anti-spam filters, as it is designed to look completely legitimate. It also won’t pass by the security people’s view, as there are likely people who get email so confidential that even the security people can’t see it.
So, in effect, this is a threat that bypasses all of our checks. What are we going to do about it?
Small Business Defense – Detect, Avoid, Leverage Business Relationships
- At March 26, 2009
- By Josh More
- In Business Security
If you’re dealing with a DDOS attack, I’m afraid that I haven’t much good news for you. Once it’s started, it may be a bit late to try to deal with it. Odds are, you’re best off just waiting it out. Failing that, you can try to change IP addresses on your external systems, however, that technique is less effective than it was and requires the assistance of your ISP.
No, the right way to handle this sort of attack is long before it starts.
These sorts of attacks tend to start a bit slowly, and can be recognized by a ramping up of traffic. However, in order to detect it, you have to first know what legitimate traffic looks like. Thus, for months before the attack, you have to be watching what’s coming in. You should know what “normal” looks like, so you can detect “abnormal”. Not only will this help you differentiate an attack from simply outgrowing your resources, but it will also help you identify how you are using your resources so you don’t waste your money.
Bear in mind that most Internet connections can only carry so much, and if your employees are using it to watch YouTube videos, that leaves less for legitimate customers. The first rule is to know what you have and how it’s being used. To reference Tuesday’s post, you need to know how many rats are normal, so you know when you’re about to have too many of them.
Then, you can move on to attack avoidance. There are systems out there that are specifically designed to handle DDOS attacks, but let’s assume that you don’t want to pay for that. One quick solution is to use a set of proxies. These can be servers or network devices in a proxy configuration. The way these work is to simply receive connections and then balance them to the back-end server. Here, you can set up rules to drop illegitimate traffic to reduce what goes through to your server to a manageable amount. There are many technical ways to do this, and none of them are perfect… however, you don’t need perfect. You just need to drop enough traffic to get things working again. (In other words, you don’t need to stop all the rats, you just need to make sure that there’s enough grain for you and your family to eat.)
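The two ideas above, a baseline of what “normal” looks like and a proxy rule that sheds enough traffic to keep the server working, fit together as shown in this added example (not code from the original post). The per-minute connection counts, the log line format and the documentation-range addresses are all constructed for the example.

```python
# Added example (not from the original post): the "know what normal looks
# like" baseline and the proxy-side drop rule that the post describes.
# All traffic figures and log lines below are constructed; in practice the
# baseline comes from weeks of firewall or web-server logs.
from collections import Counter
from statistics import mean, pstdev


def build_baseline(history):
    """Summarise 'normal' as (mean, stdev) of per-minute connection counts."""
    if len(history) < 2:
        raise ValueError("need at least two baseline samples")
    return mean(history), pstdev(history)


def detect_ramp(recent, baseline, sigma=3.0, sustain=3):
    """Flag a sustained rise above the baseline.

    A single busy minute is ignored: an alert needs `sustain` consecutive
    minutes above mean + sigma * stdev, which is what the ramp-up of a
    distributed attack looks like, as opposed to a one-off spike.
    """
    avg, sd = baseline
    threshold = avg + sigma * sd
    run, started = 0, None
    for minute, count in enumerate(recent):
        if count > threshold:
            run += 1
            started = minute if started is None else started
            if run >= sustain:
                return {"alert": True, "threshold": threshold, "started_at": started}
        else:
            run, started = 0, None
    return {"alert": False, "threshold": threshold, "started_at": None}


def sources_to_drop(log_lines, per_source_limit):
    """Tally connections per source address and return those over the limit.

    This is the kind of rule a front proxy would apply: it does not have to
    be perfect, it only has to shed enough traffic to keep the server up.
    Each log line is assumed to be '<timestamp> <source-ip> <request>'.
    """
    counts = Counter(line.split()[1] for line in log_lines if line.strip())
    return {ip: n for ip, n in counts.items() if n > per_source_limit}


# Constructed baseline: 60 minutes of normal traffic (mean 50, stdev ~3).
BASELINE_HISTORY = [45, 52, 48, 55, 50, 47, 53, 49, 51, 46, 54, 50] * 5
# Constructed recent windows: a ramp-up, and a couple of isolated spikes.
RAMP_WINDOW = [52, 58, 95, 140, 260, 410, 700]
SPIKE_WINDOW = [50, 300, 51, 49, 320, 48]
# Constructed proxy log lines using documentation address ranges.
PROXY_LOG = [
    "2009-03-25T10:01:03 198.51.100.7 GET /",
    "2009-03-25T10:01:03 203.0.113.9 GET /",
    "2009-03-25T10:01:04 198.51.100.7 GET /",
    "2009-03-25T10:01:04 198.51.100.7 GET /",
    "2009-03-25T10:01:05 192.0.2.44 GET /products",
    "2009-03-25T10:01:05 198.51.100.7 GET /",
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_HISTORY)
    print("ramp:", detect_ramp(RAMP_WINDOW, base))
    print("spikes:", detect_ramp(SPIKE_WINDOW, base))
    print("drop:", sources_to_drop(PROXY_LOG, per_source_limit=3))
```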
However, this solution only works assuming that the attack is somewhat small in scope. If the amount of traffic is overwhelming and your connection itself can’t handle it, having a set of proxies won’t help you much. You’ll need to call your ISP. This is why it’s good to have a good business relationship with your ISP. You should know the names and numbers of who you need to call, and you’ll need them to be technically competent. Ideally, you should be able to call them up, and say “I think I’m having a DDOS attack, can you block all traffic from Asia” (assuming that you don’t do business in Asia, of course :). This is like asking for international help in the face of a massive influx of rats.
The huge ISPs tend to have the technical skill, but lack the personal relationship. The really small ISPs will bend over backwards to help you, but may not know how. I suggest going for the middle of the road approach. Interview prospective ISPs and ask how they would handle this sort of situation. Ask if they can give you an emergency number that would always have a live person answering, 24×7. The good ones will, though they might charge you when you call after hours. This is well worth it.
In the end, you will have built an infrastructure that is resistant enough and built a business relationship that is flexible enough. The only way to be 100% protected against this sort of attack is to have more resources than the rest of the Internet combined, and that’s just not going to happen. This sort of preparation is fairly cheap, and worth a lot if you need to leverage it.
In the end, it’s cheap insurance.
Small Business Attack – Denial of Service
- At March 25, 2009
- By Josh More
- In Business Security
You get the call from your front-line people. Your web site is down and customers are complaining. You call your web folks and they can’t even get to the server. Then, your front-line people call you again and report that the entire Internet connection is down. You call your ISP, and they tell you that your line is up, but you’re getting a lot of traffic.
Their solution? Buy more bandwidth.
In fact, if you buy right now, you might even have it in a few weeks.
What has happened is a distributed denial of service attack. In this attack, the attackers leverage hundreds of thousands of machines and send traffic to a target. In this case, to your server. As it starts, people start to have problems with the web server. Pages will load erratically, customers will experience slowness and the server may start to reboot itself or lock up entirely. However, it doesn’t stop there. The attackers often don’t know when they’re successful, and the traffic just keeps coming. Soon, your Internet connection will fill up and stop responding. If you’re hosting offsite, the line usage may spike and drive you into over-utilization charges. Thus, in addition to losing potential sales for every minute you’re down, you may also be charged for the experience.
So, it sucks to be you, but what does the attacker gain? In the old days (you know, when the hills only went up), this was done out of spite. Someone had taken offense at something you or your company had done, and their solution was to make your life miserable. These days, it’s different.
These days, the attacker may be a competitor or someone hired by a competitor. They may be starting a campaign and want you out of the picture during the process. They may be trying to take one of your biggest clients and want to show that you’re unreliable. It may be a criminal organization using such an attack to hide a second, more subtle attack. It may be an employee that simply wants a day off.
In any of these cases, what are you going to do about it?
Announcement – Linux Security Presentation
- At March 20, 2009
- By Josh More
- In Business Security
The presentation that I gave at Infragard can be found here. In it, I discuss:
- How to choose between the multitude of Linux distributions
- How to properly secure a system once the choice has been made
The semipermanent home is here, and has a link to the .zip archive containing my raw vector and PovRay files from which this presentation is made.
Small Business Defense – AntiPhishing
- At March 19, 2009
- By Josh More
- In Business Security
The core problem with phishing is that it is a very human attack. It relies on people to, well, be people. The emails are crafted to be interesting or scary, and right when the reader is at the peak of wanting to know more, they are presented with a link. Once the link is clicked on, it’s game over… so the point of the game is to keep the link from being clicked.
It’s harder than it sounds.
One technique that would work well would be to completely block all HTML email. Thus, no pictures, no links. All email looks the same and all the HTML email coming in will look like utter gibberish. Now, as much fun as we all had in 1995, I think that we can all agree that that approach would not work well these days. So, what does?
Antispam
Many phishing attempts will trigger on good spam filters. The important thing to note, though, is that phishing attempts in a spam folder are just as effective as ones that appear in the INBOX. If you use this as a primary defense, it’s important to make sure that the anti-spam quarantine system traps the messages in such a way as to prevent such clicks from being active. Google’s gmail and their add-on message security products work well for this.
Anticlick
If the emails get through (and let’s face it, no antispam solution is perfect), it can work well to prevent the click from occurring. There are certain technologies that whitelist allowed links and render all others unclickable. You can also run local HIPS software that can prevent such clicks from downloading and running software. If the HIPS software is good enough, it might even protect against overflows in the email client itself. Again, however, these solutions aren’t perfect.
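What such a link whitelist does to an incoming message, as an added example rather than code from the original post: links to allowed domains stay clickable, every other link is turned into plain text that still shows where it pointed. The allowlist and the sample HTML body are constructed for the example.

```python
# Added example (not from the original post): the "anticlick" idea of
# allowing links only to known domains and rendering every other link
# unclickable before the message reaches the user. The allowlist and the
# sample HTML body below are constructed for this example.
import re
from html import escape
from urllib.parse import urlparse

# Matches a whole anchor element: group 1 is the href value, group 2 the link text.
ANCHOR = re.compile(
    r'<a\b[^>]*?\bhref\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def host_allowed(url, allowed_domains):
    """True only for http(s) links whose host is an allowed domain or a subdomain of one."""
    parts = urlparse(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def neutralize_links(html_body, allowed_domains):
    """Rewrite an HTML email body so that only allowed links stay clickable.

    Disallowed anchors become plain text showing the original target, so
    the reader still sees where the link went but cannot click through.
    Returns the rewritten body and the list of targets that were disabled.
    """
    disabled = []

    def rewrite(match):
        url, text = match.group(1), match.group(2)
        if host_allowed(url, allowed_domains):
            return match.group(0)
        disabled.append(url)
        return f"{text} [link disabled: {escape(url)}]"

    return ANCHOR.sub(rewrite, html_body), disabled


# Constructed allowlist: the vendors the business actually deals with.
ALLOWED = ["payroll.example", "yourbank.example"]

# Constructed phishing-style body: one legitimate link and two lookalikes.
SAMPLE_BODY = (
    "<p>Problem processing your paycheck.</p>"
    '<p><a href="https://portal.payroll.example/login">Sign in</a>, '
    '<a href="http://payroll.example.attacker.example/x">click here</a> or '
    '<A HREF="http://yourbank-example.example.net/verify">more info</A>.</p>'
)

if __name__ == "__main__":
    body, blocked = neutralize_links(SAMPLE_BODY, ALLOWED)
    print(body)
    print("disabled:", blocked)
```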
Employee Education
The absolute best way to keep employees from clicking on the link is to continuously tell them not to click on links. It’s not perfect, but making employees responsible for their actions is the best way to get results. Much as someone would not leave the front door open and unlocked, they should be aware of the ramifications to the business should they engage in unsafe practices on the Internet.
Of course, we all know that people will make mistakes, which is why it would be wise to use both antispam and anticlick technologies as well. The combination of all three works far better than any one alone.
Small Business Attack – Phishing
- At March 18, 2009
- By Josh More
- In Business Security
Odds are that your business has a relationship with key vendors. Commonly, these include at least one bank and payroll processor. Of course, were one of these accounts breached, things could get really bad. Really really bad. In fact, things could get bad enough that people might not be thinking clearly when they click on links.
That’s all an attacker needs. One brief moment of panic or excitement, one click of a link, and they’re in.
Attacks can come in many forms. All an attacker needs to know is a little bit of information about your company and be able to bypass a spam filter. Then, suddenly, your employees will start seeing emails with subject lines like:
- “Problem processing your paycheck”
- “Health insurance lapsed”
- “[Payroll Company]: Bonus check available”
- “[Your Company] being sued by [Big Company]”
Once the employee opens the email, it may be all over, but odds are that your systems are somewhat secure. This means that they’ll actually also have to click on a link. Generally, this is done by naming the link one of the following:
- “click here”
- “more info”
At this point, the user generally clicks their mouse, the attack runs, and the attacker has access to all the files on the workstation.
But you should be OK. After all, it’s not like your employees have access to proprietary or customer data… right?
Announcement
- At March 13, 2009
- By Josh More
- In Business Security
I am giving some presentations over the next few months.
- Group: Infragard
- Topic: Linux and Security
- Time: Wednesday, March 18th at 8:00 AM
- Place: FBL – 5400 University Avenue – West Des Moines, Iowa 50266
Infragard is a joint effort of businesses and the FBI. At this monthly meeting, I will be giving a talk on Linux and Security. The talk is aimed at security professionals who may not be very familiar with Linux. This is an open meeting, so anyone may attend, but they have to RSVP. If you wish to RSVP, please leave me a comment and I will get your information to the person running it.
- Group: ISSA
- Topic: Virtualization and Security
- Time: Monday, March 23rd at 11:30 AM
- Place: Buccaneer Computer Systems – 1401 50th St – West Des Moines, IA 50266
ISSA is a group of security professionals. At this monthly meeting, I will be giving a talk on Virtualization and Security. The talk is aimed at security professionals who may not be very familiar with virtualization. Anyone may attend an ISSA meeting as a guest, but to attend several, you must join. Leave a comment if you wish to be my guest.
- Group: Des Moines Web Geeks
- Topic: Web Applications and Security
- Time: Monday, April 6th at 7:00 PM
- Place: Impromptu Studio – 300 Southwest Fifth Street – Suite 220 – Des Moines, Iowa 50309
The Des Moines Web Geeks are a group of web developers. At this monthly meeting, I will be giving a talk on web applications and security. The talk is aimed at experienced web developers and technologists. We will talk about basic attacks and then play with some tools and hopefully run attacks on some web sites. We’ll try to have some sample sites running, but for a really good time, get permission from your companies to attack your own sites.
After each presentation, I will post the materials on my website. However, the more the merrier, so please come and join the discussion.