2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
Operating Systems, it is unlikely that there is adequate AV in place or that the vendor is contracted to provide regular updates. Desktop anti-virus is currently the last line of defence against such malicious code.
Examples of Attacks:
W32.Choke Worm: This worm uses the MSN Messenger Service program to replicate; it is the second worm known to do so. The worm itself does nothing more than replicate, and if it is executed on a computer that does not have MSNMS installed, it simply remains resident in memory without replicating.
W95.SoFunny.Worm@m: A password-stealing Trojan horse with worm capabilities that targets AOL IM users and is distributed as Sofunny.exe or Love.exe.
W32.Goner.A@mm Worm: A mass-mailing worm written in Visual Basic that spreads using the ICQ IM client.
W32.Led: A mass-mailing worm that propagates itself through Microsoft Messenger.
W32.HLLP.VB.14336.C: A worm that spreads using MSN Messenger under the file name Black Hat.exe. The worm appears to originate from Sweden, and the only thing it does is attempt to spread using MSN Messenger.
W32.Kelvir.BA: A worm that attempts to spread W32.Spybot.OFN to all MSN Messenger contacts on the compromised computer through MSN Messenger. This network-aware worm has distributed denial-of-service and back door capabilities.
Backdoor.Doyorg: A back door Trojan that allows unauthorized remote access. The Trojan may arrive via an instant message received in AOL Instant Messenger (AIM).
mation that can be used to break normal security procedures, can take the form of persuading victims to download and execute malicious software that allows entry into the network; the compromised machine then becomes a zombie attack platform for launching denial-of-service attacks or establishes back-door network tunnels that bypass firewalls and other filtering devices. Once an unsuspecting user executes the malicious software, their system is co-opted by the perpetrator for use as an agent resident on the trusted side of the network.
to analyze each potential risk.
6. Ensure that both your inbound and outbound firewall policies are clearly documented and examined periodically to deter unauthorized outbound traffic.
7. Consider installing tools such as protocol analyzers and sniffers to review network traffic, detect bottlenecks, and identify any network users who may have reconfigured their IM applications to circumvent controls designed to block unauthorized traffic.
8. Identify hosts and servers that broker IM applications and block access to them from within your organization in order to reduce the likelihood that they will open back doors into your networks.
9. Companies that opt to control bandwidth availability to discourage the use of IM services should be aware that doing so does not resolve the network security risks associated with them. However, limiting bandwidth to balance the load at egress points, combined with other security controls, can discourage users - by requiring them to wait for hours for a file download - and lead to a mitigation of the risk.
10. Enterprises allowing outbound initiation of IM applications should monitor their bandwidth 24x7 to identify traffic that would otherwise impact critical business processes.
11. Make users aware of the social engineering techniques that can occur as a result of establishing IM sessions with unknown users (or impostors).
12. Never send sensitive information over IM unless the application has the capability to encrypt messages using a minimum of 128-bit encryption (both authentication and session data packets).
13. Promote and enforce good password construction; this is essential in safeguarding IM sessions. All users should be aware of the ease with which passwords can be discovered or cracked and choose passwords that cannot easily be guessed. Users should adopt a password structure that they can easily remember without needing to write the password down.
14. Some IM applications allow senders to hide their IP address from the recipient. If possible, users should use this feature within their application. Beware that when performing file sharing/transfer functions in IM, it is possible to reveal your computer's IP address to the sender. If that person is malicious, he/she might attempt to use that information to perform a denial-of-service attack against your host PC if the IM application cannot hide the IP address or the PC is not protected by a personal firewall.
15. Ensure that files transferred (inbound and outbound) using IM are scanned using firm-installed anti-virus software. Do not alter the anti-virus software configuration settings on your desktop or laptop.
16. When communicating with clients over IM, users should be aware of their company's contractual obligations to the client regarding data retention and destruction and ensure that processes are put in place to ensure compliance.
17. Include in the policy provisions prohibiting the distribution of copyrighted materials (e.g., music mp3, photos, software, etc.) via an IM application.
18. Block all unauthorized IM session IP ports and services from communicating externally from within the company's internal network(s) unless such sessions are endorsed by IT Operations Management. Consider using third-party software solutions that block IP sessions for specific unwanted IM applications.
19. Ensure that only authorized IM applications are used and that they are kept up to date with the latest security patches for that application.
20. Authenticate using a methodology that provides a central point of
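As an added illustration of the protocol-analyzer and broker-host recommendations above (this is example code, not part of the original article), the following Python audit runs over constructed egress-log lines and flags two signals: connections on the default ports of the IM protocols the article names (MSN, AIM/ICQ, Yahoo, plus IRC), and connections to known IM broker hosts over web ports such as 80 or 443, which suggest a client reconfigured to get around a port block. The broker host names and the log format are assumptions.

```python
from collections import defaultdict

# Default ports the named IM protocols used: MSN Messenger (MSNP), AIM/ICQ (OSCAR), Yahoo Messenger, IRC.
IM_PORTS = {1863: "MSN Messenger", 5190: "AIM/ICQ (OSCAR)", 5050: "Yahoo Messenger", 6667: "IRC"}

# Hosts that broker IM sessions; constructed placeholder names, not real addresses.
IM_BROKER_HOSTS = {"im-login.example.net", "msgr-relay.example.org"}

# Constructed sample egress log: timestamp user source destination port bytes
SAMPLE_LOG = """\
2006-03-01T09:02:11 jdoe 10.1.4.22 im-login.example.net 1863 4120
2006-03-01T09:05:40 asmith 10.1.4.31 www.example.com 80 15120
2006-03-01T09:07:02 bjones 10.1.4.45 msgr-relay.example.org 443 7330
2006-03-01T09:09:55 asmith 10.1.4.31 irc.example.net 6667 910
2006-03-01T09:12:17 jdoe 10.1.4.22 mail.example.com 25 2200
"""


def parse_line(line):
    """Split one whitespace-delimited log line into a record dict."""
    ts, user, src, dst, port, nbytes = line.split()
    return {"ts": ts, "user": user, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def classify(rec):
    """Return a finding string for an IM-related egress connection, or None if it looks benign."""
    if rec["port"] in IM_PORTS:
        return f"default IM port ({IM_PORTS[rec['port']]})"
    if rec["dst"] in IM_BROKER_HOSTS:
        # Broker host reached on a non-IM port: the client was likely reconfigured
        # to tunnel over a web port and evade a simple port block.
        return f"IM broker host over port {rec['port']} (possible circumvention of port block)"
    return None


def audit(log_text):
    """Map each user to the list of (timestamp, destination, finding) tuples in their traffic."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        finding = classify(rec)
        if finding:
            findings[rec["user"]].append((rec["ts"], rec["dst"], finding))
    return dict(findings)


if __name__ == "__main__":
    for user, items in audit(SAMPLE_LOG).items():
        for ts, dst, finding in items:
            print(f"{ts} {user} -> {dst}: {finding}")
```

The same report, run against real egress logs, gives the list of users to follow up with under the policy rather than a bandwidth-only view of IM use.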
Conclusions
The use of non-standard IM applications represents a major and growing risk to organizations because, like e-mail, it leaves a written record. Many companies are not filtering their corporate communications, leaving their organization potentially vulnerable to harassment and discrimination lawsuits. An employer is obliged to provide a safe work environment that is free of discrimination and harassment. If employees circulate rude jokes via IM or make inappropriate comments regarding co-workers, the employer could be held responsible. Apart from legal liability, it is also important to protect against confidentiality breaches, lost productivity and network congestion, and to ensure compliance with industry regulations and privacy laws. Regulations such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley demand absolute protection, and organizations face stiff penalties for failure to comply. In addition, Instant Messaging has become a popular vehicle for distributing viruses, worms, and other blended threats. Of the already known risks in IM, the bypassing of anti-virus and firewall protection and the legal and privacy issues are at the top of the list. The use of IM to convey sensitive business or personal information should be restricted and enforced by policy, network and application controls. It is equally important to identify and evaluate new business requirements to determine whether they are being fulfilled by other non-standard applications. As management and staff become more aware of the risks and business requirements, it is likely that more secure integrated solutions will begin to be incorporated into them.
Carlos Valiente, Jr. is a Regional Chief Information Security Officer for the IT Security Group Americas territories at PricewaterhouseCoopers (www.pwc.com).