The Definitive Guide to Controlling Malware, Spyware, Phishing, and Spam
by Dan Sullivan
Synopsis
The Internet is home to malicious programs that can steal, destroy, and make data inaccessible; spyware that ignores social conventions of privacy to track Internet users' activities online; phishing scams that bring the art of the con artist to new threatening levels; and spam, the inevitable electronic counterpart to direct mail that requires so little investment even miniscule response rates justify its use. This guide explores some of the most pressing threats to businesses and organizations from the Internet along with best practices for addressing them.
Chapter Previews:
Chapter 1: Overview of Preventing Malware, Spyware, Spam, and Phishing Scams
The Internet is a double-edged sword. It is fundamental infrastructure for contemporary businesses and organizations—the Internet has evolved from research tool to the basis for more efficient production and better distribution of information. We have all benefited from new services such as virtual marketplaces and online comparison shopping to instant access to wide ranges of information from a single search engine. However, while realizing these benefits, we have also opened ourselves and our systems to a number of threats.
The Internet is home to malicious programs that can steal, destroy, and make data inaccessible; spyware that ignores social conventions of privacy to track Internet users’ activities online; phishing scams that bring the art of the con artist to new threatening levels; and spam, the inevitable electronic counterpart to direct mail that requires so little investment even miniscule response rates justify its use. Consider just a few examples:
- Phishers have claimed to represent Citibank, SunTrust, and Bank of America with emails to customers notifying them of alleged attempts to log on to online accounts from foreign countries or the need to update customer information.
- Brilliant Digital Entertainment has embedded spyware in the popular Kazaa file sharing program to track users’ online activities as well as to add infected PCs to a distributed network controlled by the company.
- Spammers claiming to be relatives of deposed government officials in politically unstable countries promise millions of dollars in return for an advance fee to help the alleged victim flee their country. These are known as 419 frauds after the section of the Nigerian criminal code that makes such spam messages illegal.
Imagination is the only limit on the types of fraud and misappropriation of computing resources that arise on the Internet.
Chapter 2: Organizational Responsibilities for Protecting the Network from Internet Attacks
Any computer linked to the Internet is potentially subject to a variety of threats. These threats range from less-malicious port scans to disruptive and costly DoS attacks, virus infections, and theft of information. Damage can easily extend beyond a single compromised system.
SQL Slammer disrupted Internet operations around the globe because SQL Server administrators did not patch a known vulnerability. The problem was likely compounded by the fact that some users of Microsoft SQL Server Desktop Edition (MSDE), which is used for persistent storage in some desktop applications, may not have known they were running a version of SQL Server.
Clearly, protecting information assets begins with knowing which systems are in place and how they function; but organizational responsibilities extend to a wide array of challenges, including:
- Protecting employees
- Protecting information assets
- Protecting customers
- Protecting stakeholders
This chapter examines a variety of threats to organizations and describes how to use secure content technologies to manage those threats and their adverse consequences.
Chapter 3: Viruses, Worms, and Blended Threats
Viruses, worms, and blended threats are all examples of malicious code collectively known as malware. Malicious programs have existed since (at least) the early 1980s with the advent of personal computing. Since then, viruses, worms, and related programs have evolved rapidly, often in response to new opportunities presented by advances in networking or application features. Other times, virus writers are forced to adapt to avoid detection by ever more sophisticated detection techniques and countermeasures.
This chapter examines the history of some of the most common types of malware: viruses and worms. Both types of malware can succeed only when they can replicate and spread without detection. Much of the effort needed to deploy a virus goes into disguising itself to avoid detection. Worms similarly try to hide themselves, but variants exist that have opted to remain in the open and propagate rapidly and in large numbers to survive and spread. There is no single programming technique or stealth strategy deployed by these prominent forms of malware; rather, like their biological namesakes, they have adopted and survived using a variety of techniques.
In addition to using multiple methods to ensure their survival, malicious programs have evolved to become more than a single virus or worm and are now often a collection of multiple pieces of malware operating together to compromise computing platforms. These multiple-threat programs, known as blended threats, are common today. This trend is driven, in part, by emerging uses of malware. The motives for writing and deploying malware have also changed over the past two decades as the economic dimension of malware has emerged to provide one of the most powerful incentives for creating malicious code.
Chapter 4: Spyware and other Potentially Unwanted Programs
Spyware is a type of Potentially Unwanted Program (PUP) that monitors users’ online behavior as well as performs other tasks, which this chapter will explore. As with other forms of malware, the use of spyware has increased and studies have shown it affects large numbers of Web users. The pervasiveness of spyware is not limited to a particular segment of the population or to particular types of Web users; it is a problem for home users as well as businesses and other organizations that support large numbers of users.
In the case of home users, a 2004 survey by America Online (AOL) found that 80 percent of the systems surveyed contained at least one known spyware program. (It also found that 20 percent of those systems hosted a virus.) Compounding the problem is a lack of understanding about the issue.
In the AOL survey, two-thirds of respondents felt their computer was safe from online threats. A 2005 survey from the Pew Internet and American Life Project found similar confidence in users’ ability to stop potentially unwanted programs. The Pew survey found that 61 percent of home users felt very or somewhat confident that they could keep malware, as well as spyware, off their computers.
Chapter 5: Phishing and Identity Theft
Some of the most challenging security problems are based on people’s behavior more than on device or application vulnerabilities. The term phishing has come into use to describe techniques for tricking individuals into disclosing confidential information, such as account numbers, Social Security numbers, or financial data. The practice of conning information and money is certainly not new, but like so many other operations, the Internet has changed how it is done. Email and bogus Web sites are now tools in the con men’s toolboxes. With personal information in hand, criminals masquerade as the victim and withdraw money from bank accounts, sell investments, and transfer funds. Another troubling and increasing related problem is identity theft.
Identity theft occurs when a perpetrator uses a victim’s identity for financial gain. Pretending to be someone else to secure loans, acquire telecommunications services, or apply for credit cards are common objectives. Identity thieves can get personal information in a number of ways, from sorting through trash looking for account statements, paycheck stubs, or other financial documents (“dumpster diving”) to tricking the victim to reveal details through phishing scams.
Chapter 6: Spam in the Enterprise
Spam, or unwanted and unsolicited email, in the enterprise unnecessarily taxes IT resources. Unlike its kin, phishing scams, spam itself is not a direct threat to security; rather the damage it causes is the result of the fact that it consumes network bandwidth and storage as well as wastes employees’ time. As part of broader compliance initiatives, companies may be required to archive all email messages for extended periods of time, so even if spam is deleted by end users, it could continue to consume storage for years to come.
This chapter begins by examining the basic operations of mass emailing and discussing how spammers exploit weaknesses in email protocols. Next, it addresses the economics of spam and the attempts to control spam through legislation. Although helpful, legislation has not stopped spam and likely will not. Technology is therefore crucial to managing spam. This chapter includes a review of spam management techniques and concludes with some guidelines for evaluating anti-spam systems.
Chapter 7: Technologies for Securing Information and IT Assets
Throughout, this guide has examined threats to an organization’s ability to protect the integrity and confidentiality of its information. Some of the most troubling threats today include:
- Viruses, worms, and other forms of malware
- Spyware that monitors, gathers, and steals information about users
- Phishing scams and identity theft
- Spam that taxes network and email service resources
- Employee behavior with IT resources that violates regulations and company policies
Techniques and technologies for controlling these threats are the focus of this chapter. The chapter begins with a focus on content-specific measures for mitigating the impact of these threats. The chapter concludes with a discussion of how a multilayered defense strategy can effectively provide adequate levels of security for an organization while maintaining necessary levels of usability and performance.
Chapter 8: Implementation Issues in Securing Internet Content
Securing Internet content in an enterprise is now a basic element of the broader information security practices of organizations. The Internet is now woven into the fabric of business much like telephones and shipping services; it is difficult to imagine doing business without it. At the same time, with the benefits of the Internet come the downsides: viruses, spam, phishing messages, potentially unwanted programs (PUPs), and time wasted browsing and downloading offensive material.
Throughout, this guide has examined the responsibilities of organizations to protect the integrity of their information and infrastructure, specific threats to that mission, and technologies for combating those threats. This chapter continues the discussion started in Chapter 7 about technologies for securing Internet content with an examination of the implementation issues associated with applying those technologies.
The particular topics addressed include:
- Criteria for choosing a secure content mechanism
- Benefits and drawbacks of implementation approaches
- Management issues in securing Internet content
- Best practices in securing Internet content
Let’s begin with a discussion of the core features that a secure content system should support.