David Harley
National Health Service
Publication
Featured research published by David Harley.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
This chapter covers Defense in Depth (DiD). It deals with Paul Schmehl’s work, in which he takes a broad look at DiD in the enterprise. Following this, it discusses Ken Bechtel’s work, which covers many of the implementation angles. It also considers David Harley’s research, which looks at some specific tools and technologies. Mitigating the impact of malicious code upon the enterprise requires more than just anti-virus (AV) software. It requires a well-thought-out plan of action that addresses various contingencies. This chapter is designed to facilitate that thought process and to outline procedures and issues that can help ensure a reasonable level of protection in a generic corporate environment. Many security practitioners prefer a centrally managed infrastructure with a dedicated AV console. Such a system not only provides positive control of the AV software but also provides critical reports and statistics, resulting in meaningful metrics. These can be used to further enhance the defensive architecture. Current AV products work best against known viruses. Vendors are improving their technology to detect new, unknown viruses using advanced heuristics, but these systems are still evolving, as are the technologies against which they are designed to provide protection.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
This chapter reviews the work of David Harley and Andrew Lee who emphasize the do-it-yourself (D-I-Y) theme, discussing at length some of the thorny issues around the evaluation and testing of antimalware software. Testing is a particularly hot topic among antivirus (AV) professionals. Evaluation in the real world is about painstaking research to find the imperfect solution that best matches one’s particular environment and a future involving lots of monitoring, reviewing, tweaking, filling gaps and cracks, and being prepared to re-evaluate one’s present approach. This chapter explores the question of which antimalware packages should be used and how they should be configured and used to the best advantage. There are a number of other very capable packages, and while some of the core technology is very similar between products, the interfaces can be very different even between individual products in a single vendor’s range, reflecting the very different functionalities between them. There’s a great deal of difference between a no-cost evaluation product (or a free-for-home-use version), and a full-blown multi-platform enterprise edition with central console management and cascading staging servers. In any case, security products (especially AV) change frequently, and sometimes very dramatically.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
Publisher Summary Nowadays, technical solutions are not enough, because so many of the current pains in assets are far less susceptible to proactive detection. No single group has all the answers, and some problems are better addressed by some of the public and not-so-public coalitions between different types of security vendors, security organizations, other service providers, special interest groups, law enforcement agencies, educationalists, and so on. This chapter describes the statement by Robert Vibert, founder of the Anti-Virus Information Exchange Network (AVIEN) and the Anti-Virus Information and Early Warning System (AVIEWS), in which he relates the historical origins and development of these two closely linked organizations. Following this, it examines David Harley’s works, which look at the uneasy relationship between the anti-malware industry and its customers in the hope of defining it. He takes up the theme of the sometimes stormy relationship between the antivirus industry and its customers and tries to dispel some common myths. Furthermore, it quotes James Wolfe who considers the roles of the independent researcher, the vendor-employed specialist, and the corporate security specialist. Finally, it describes David Harley’s security certification in the context of malware research and examines the work in which David Harley and Ken Bechtel consider whether there is a need for a specialist certification for anti-malware administrators.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
Publisher Summary It has long been held in some security circles that education does not work. In fact, this assertion is really based on a fundamental disagreement about what one can expect education to accomplish. Education and training have certainly made a difference in many organizations, especially as part of a multi-layered protection strategy. The antivirus industry has developed a somewhat pretentiously entitled tripartite (three-part) model for categorizing the kinds of damage malware can cause. This model groups damage under three main headings: availability, integrity, and confidentiality. Security awareness and good practice through a more rounded educational approach, rather than focusing entirely on operational training, is likely to make user education far more successful. This chapter reviews the work of David Phillips who offers some insights into user education from an educationalist’s perspective. It also quotes David and Judith Harley, who look at various aspects of security in schools and other educational establishments. Finally, it suggests that fragmented responsibilities and uncertainty about which informational resources are reliable can create intense difficulties. However, community-oriented information and resource sharing initiatives like the Warning, Advice and Reporting Points (WARP) movement can make quite a difference.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
Experience suggests that many administrators and managers with excellent technical knowledge in mainstream security (network security, firewall, encryption, and so on) are less familiar with the issues of cyber stalking, and have been subjected to the popular misconceptions generated by the media and those same consumer-level sources. Issues that seem to have comparatively little relevance to security in the marketplace have a habit of sneaking in through unexpected crannies. When they do so, they can have serious knock-on effects on the enterprise’s business processes. This chapter deals with the thorny issue of malware nomenclature by Ken Bechtel and describes David Harley’s historical look at how people got here, before expanding on some of the (mostly) malware-related problems they face today (rootkits, spam, phishing, muledriving, hoaxes). It is a superficial tour around the malware scene. The issues discussed in this chapter are common topics for discussion in the Anti-Virus Information Exchange Network (AVIEN) and the Anti-Virus Information and Early Warning System (AVIEWS). However, the fact that these organizations include a number of individuals with considerable specialized expertise suggests a strong likelihood that a future publishing project will go much farther into the areas that are only briefly touched upon in this chapter.
Archive | 2007
David Harley; Robert S. Vibert; Andrew Lee
Publisher Summary This chapter maps the developments in the Anti-Virus Information Exchange Network (AVIEN) and Anti-Virus Information and Early Warning System (AVIEWS). Today's world is very different from the time AVIEN and AVIEWS were born. However, the threatscape has not changed. Nowadays, AVIEN members are rarely restricted in the scope of their work to virus management or even malware management. Packages and appliances that address these areas of security are seen as part of a multilayered strategy, often essentially customer-driven, not solution-driven. The name of the game is not antivirus or antimalware, but network security, application security, desktop security, and so on. In the same way, many of the antivirus (AV) companies have moved away from that single market view and market themselves as security vendors rather than AV vendors. The security industry and its customers understand each other a little better than they did, and some of that is down to AVIEN. Meanwhile, initiatives such as the AVIEN online conferences and sponsored events at Virus Bulletin conferences have ensured that AVIEN and AVIEWS stay prominent in AV circles. Because of changes in the commonly seen malware types, dissemination patterns and media, and so on, there are fewer attempts to broadcast a single malicious program to the entire Internet universe. Also, vendors have augmented their methods of acquiring samples through means such as honeynets and honeypots. Virus discussion, though still of intense interest, is not enough. So AVIEN and AVIEWS are changing again.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
Publisher Summary This chapter is based on the works of Michael Blanchard and Bojan Zdrnja. It deals with malware analysis and forensics techniques and tools, starting from basics and progressing to advanced forensics. In the past couple of years, malware has become increasingly difficult to analyze and remove. Most malware authors today are organized crime gangs that seek profit. They go an extra step in making it difficult to remove their malware, to hide it, and to make reverse engineering more complex. This is why the only sure way to deal with infected machines is to reinstall them. However, before doing that, one should make sure that he/she knows what the infection vector was, because otherwise the same re-infection can be faced in the future. A prepared and tested incident response plan is a must for every organization today. Malware incidents do happen, no matter how much one has invested in protection. When previously unknown malware strikes an organization, people get to assess the impact and decide on the countermeasures. This can be very difficult in the first few hours of malware spread, as most antivirus (AV) vendors would not yet have definitions and malware descriptions. By analyzing malware when it is required, one is able to assess the impact (and the threat) correctly, and ultimately decide on money spent by the organization on damage recovery which can range from reinstalling the infected machine to dealing with stolen intellectual property or customer data.
AVIEN Malware Defense Guide for the Enterprise | 2007
David Harley; Robert S. Vibert; Ken Bechtel; Michael Blanchard; Henk Diemer; Andrew Lee; Igor Muttik; Bojan Zdrnja
Publisher Summary This chapter describes the works of Tony Bradley and David Harley, who revisit the subject and offer a comprehensive overview of the robot (bot) threat and its implications for the enterprise. Botnets are arguably the biggest threat that the Web community has faced. Certainly, they are the clearest current illustration of the way in which organized crime has not just discovered the Internet but also the means to exploit it, or at least to exploit huge numbers of the systems connected to the Internet to make equally huge illicit profits. Bots are a serious threat to Internet and computer network security, unique in their ability to compromise tens or hundreds of thousands of systems, waiting to be used as a drone army for all kinds of malicious activities. Bot technology is a complex and fast-moving area. Bot herders have developed sophisticated mechanisms for staying concealed. Furthermore, malware has shifted from fast-burner viruses and worms intended to spread the fastest and gain infamy and bragging rights, to the blackhat economy of today, where the malware author is part of a gang aiming at financial gain, working on sophisticated financial models. There is no single measure that guarantees detection of bot activity, but good monitoring of multi-layered defenses definitely contributes immensely to keeping the bots away.