Chapter 1: Overview of Preventing Malware, Spyware, Spam, and Phishing Scams

The Internet is a double-edged sword. It is fundamental infrastructure for contemporary businesses and organizations—the Internet has evolved from research tool to the basis for more efficient production and better distribution of information. We have all benefited from new services such as virtual marketplaces and online comparison shopping to instant access to wide ranges of information from a single search engine. However, while realizing these benefits, we have also opened ourselves and our systems to a number of threats.

The Internet is home to malicious programs that can steal, destroy, and make data inaccessible; spyware that ignores social conventions of privacy to track Internet users' activities online; phishing scams that bring the art of the con artist to new threatening levels; and spam, the inevitable electronic counterpart to direct mail that requires so little investment even miniscule response rates justify its use. Consider just a few examples:

• Phishers have claimed to represent Citibank, SunTrust, and Bank of America with emails to customers notifying them of alleged attempts to log on to online accounts from foreign countries or the need to update customer information.
• Brilliant Digital Entertainment has embedded spyware in the popular Kazaa file sharing program to track users' online activities as well as to add infected PCs to a distributed network controlled by the company.
• Spammers claiming to be relatives of deposed government officials in politically unstable countries promise millions of dollars in return for an advance fee to help the alleged victim flee their country. These are known as 419 frauds after the section of the Nigerian criminal code that makes such spam messages illegal.

Imagination is the only limit on the types of fraud and misappropriation of computing resources that arise on the Internet.

Chapter 2: Organizational Responsibilities for Protecting the Network from Internet Attacks

Any computer linked to the Internet is potentially subject to a variety of threats. These threats range from less-malicious port scans to disruptive and costly DoS attacks, virus infections, and theft of information. Damage can easily extend beyond a single compromised system.

SQL Slammer disrupted Internet operations around the globe because SQL Server administrators did not patch a known vulnerability. The problem was likely compounded by the fact that some users of Microsoft SQL Server Desktop Edition (MSDE), which is used for persistent storage in some desktop applications, may not have known they were running a version of SQL Server.

Clearly, protecting information assets begins with knowing which systems are in place and how they function; but organizational responsibilities extend to a wide array of challenges, including:

• Protecting employees
• Protecting information assets
• Protecting customers
• Protecting stakeholders

This chapter examines a variety of threats to organizations and describes how to use secure content technologies to manage those threats and their adverse consequences.

Chapter 3: Viruses, Worms, and Blended Threats

Viruses, worms, and blended threats are all examples of malicious code collectively known as malware. Malicious programs have existed since (at least) the early 1980s with the advent of personal computing. Since then, viruses, worms, and related programs have evolved rapidly, often in response to new opportunities presented by advances in networking or application features. Other times, virus writers are forced to adapt to avoid detection by ever more sophisticated detection techniques and countermeasures.

This chapter examines the history of some of the most common types of malware: viruses and worms. Both types of malware can succeed only when they can replicate and spread without detection. Much of the effort needed to deploy a virus goes into disguising itself to avoid detection. Worms similarly try to hide themselves, but variants exist that have opted to remain in the open and propagate rapidly and in large numbers to survive and spread. There is no single programming technique or stealth strategy deployed by these prominent forms of malware; rather, like their biological namesakes, they have adopted and survived using a variety of techniques.

In addition to using multiple methods to ensure their survival, malicious programs have evolved to become more than a single virus or worm and are now often a collection of multiple pieces of malware operating together to compromise computing platforms. These multiple-threat programs, known as blended threats, are common today. This trend is driven, in part, by emerging uses of malware. The motives for writing and deploying malware have also changed over the past two decades as the economic dimension of malware has emerged to provide one of the most powerful incentives for creating malicious code.

Chapter 4: Spyware and other Potentially Unwanted Programs

Spyware is a type of Potentially Unwanted Program (PUP) that monitors users' online behavior as well as performs other tasks, which this chapter will explore. As with other forms of malware, the use of spyware has increased and studies have shown it affects large numbers of Web users. The pervasiveness of spyware is not limited to a particular segment of the population or to particular types of Web users; it is a problem for home users as well as businesses and other organizations that support large numbers of users.

In the case of home users, a 2004 survey by America Online (AOL) found that 80 percent of the systems survey contained at least one known spyware program. (It also found that 20 percent of those systems hosted a virus). Compounding the problem is a lack of understanding about the issue.

In the AOL survey, two-thirds of respondents felt their computer was safe from online threats. A 2005 survey from the Pew Internet and American Life Project found similar confidence in users' ability to stop potentially unwanted programs. The Pew survey found that 61 percent of home users felt very or somewhat confident that they could keep malware, as well as spyware, off their computers.

Chapter 5: Phishing and Identity Theft

Some of the most challenging security problems are based on people's behavior more than on device or application vulnerabilities. The term phishing has come into use to describe techniques for tricking individuals into disclosing confidential information, such as account numbers, Social Security numbers, or financial data. The practice of conning information and money is certainly not new, but like so many other operations, the Internet has changed how it is done. Email and bogus Web sites are now tools in the con men's toolboxes. With personal information in hand, criminals masquerade as the victim and withdraw money from bank accounts, sell investments, and transfer funds. Another troubling and increasing related problem is identity theft.

Identity theft occurs when a perpetrator uses a victim's identity for financial gain. Pretending to be someone else to secure loans, acquire telecommunications services, or apply for credit cards are common objectives. Identity thieves can get personal information in a number of ways, from sorting through trash looking for account statements, paycheck stubs, or other financial documents ("dumpster diving") to tricking the victim to reveal details through phishing scams.

Chapter 6: Spam in the Enterprise

Spam, or unwanted and unsolicited email, in the enterprise unnecessarily taxes IT resources. Unlike its kin, phishing scams, spam itself is not a direct threat to security; rather the damage it causes is the result of the fact that it consumes network bandwidth and storage as well as wastes employees’ time. As part of broader compliance initiatives, companies may be required to archive all email messages for extended periods of time, so even if spam is deleted by end users, it could continue to consume storage for years to come.

This chapter begins by examining the basic operations of mass emailing and discussing how spammers exploit weaknesses in email protocols. Next, it addresses the economics of spam and the attempts to control spam through legislation. Although helpful, legislation has not stopped spam and likely will not. Technology is therefore crucial to managing spam. This chapter includes a review of spam management techniques and concludes with some guidelines for evaluating anti-spam systems.

Chapter 7: Technologies for Securing Information and IT Assets

Throughout, this guide has have examined threats to an organization's ability to protect the integrity and confidentiality of its information. Some of the most troubling threats today include:

• Viruses, worms, and other forms of malware
• Spyware that monitors, gathers, and steals information about users
• Phishing scams and identity theft
• Spam that taxes network and email service resources
• Employee behavior with IT resources that violates regulations and company policies

Techniques and technologies for controlling these threats is the focus of this chapter. The chapter begins with a focus on content-specific measures for mitigating the impact of these threats. The chapter concludes with a discussion of how a multilayered defense strategy can effectively provide adequate levels of security for an organization while maintaining necessary levels of usability and performance.

Chapter 8: Implementation Issues in Securing Internet Content

Securing Internet content in an enterprise is now a basic element of the broader information security practices of organizations. The Internet is now woven into the fabric of business much like telephones and shipping services; it is difficult to imagine doing business without it. At the same time, with the benefits of the Internet come the downsides: viruses, spam, phishing messages, potentially unwanted programs (PUPs), and time wasted browsing and downloading offensive material.

Throughout, this guide has examined the responsibilities of organizations to protect the integrity of their information and infrastructure, specific threats to that mission, and technologies for combating those threats. This chapter continues the discussion started in Chapter 7 about technologies for securing Internet content with an examination of the implementation issues associated with applying those technologies.

• The particulars topics addressed include:
• Criteria for choosing a secure content mechanism
• Benefits and drawbacks of implementation approaches
• Management issues in securing Internet content
• Best practices in securing Internet content

Let's begin with a discussion of the core features that a secure content system should support.