Some Indicators of Trojan Activity on your Machine

Last month, I posted a list of indicators that you may experience if there were computer Viruses infecting your system (see the blog from June 1, 2007). This was just the first in a series of articles on indicators of various types of Malware. This month, our Malware topic is the Trojan Horse, or just plain “Trojan”.

Trojans are self-contained programs designed to look like (and be mistaken for) useful or necessary programs on your computer, the kind you would never look twice at. There are several ways a Trojan might make its way onto your system. All you have to do is open, or even just read, an email that contains a Trojan and suddenly you have it too! A Trojan can be hiding in documents that contain macros, such as a regular Word document. You can download or upload a program, or even just click links displayed on Web pages, and guess what? You can get a Trojan that way too! Trojans can also be the payload of a classic Virus, or they can be implanted by an attacker who has already compromised your system.

So when you get a Trojan, what can it do? Typically, Trojans contain backdoor remote administration tools that allow attackers to access your system undetected. There are all sorts of things that can be done from there. Often attackers will implant keystroke loggers or use password extraction and cracking techniques that then allow them to thoroughly compromise your system.

So what are some indicators that you do have a Trojan on your system? Here are some that may show up:

- Registry updating: startup messages may appear saying that new software has been (or is being) installed

- You may see new or strange processes running in the Windows Task Manager

- You may see anti-virus software and/or personal firewall software terminate suddenly or unexpectedly. This can occur at startup or when loading these programs

- Applications may suddenly and inexplicably become unresponsive to normal commands

- You may see unexplained remote login prompts occurring at unusual times

- You may see an unfamiliar login screen pop up

- You may see unexpected or unscheduled Internet connection activity

- You may see unusual redirection of normal Web requests to unknown sites

If you see things like this happening on your computer, it is really a good idea to check them out instead of just writing them off as more inexplicable computer behavior. Remember, if you get a Trojan on your home computer and you also use that computer for business purposes, you might just be handing an attacker the keys to the kingdom!

Some Indicators that you are under a Virus Attack

Probably the best known types of Malware that can attack your system are computer viruses. Almost everyone has regularly updated anti-virus software on their computers these days, but did you know that there are viruses this software will not catch? Anti-virus software relies on regularly updated “virus definitions” to detect a virus on your computer. This means that lots of people in various organizations are constantly looking for new virus types, and when they find one, they write a definition for it and add it to the list. If a virus has never been seen or detected before, and no definition has been produced and added to the list, then your anti-virus software is pretty much useless against it. So how else can you detect a virus? What happens to your computer system? How does it act? Well, there is no universal playbook on this, but what follows are some activities you might notice that are pretty good indicators that you have a virus operating on your computer!

1. Your system may show signs of sudden and unusual sluggishness, especially at start up

2. You may see a significant, unexplained decrease in the amount of memory or disc space you have available

3. Your workstation or even servers may show deteriorating responsiveness – sluggish and slow running

4. You may experience sudden anti-virus software alarm activity without resolution

5. Macro viruses can cause your saved documents to open as .dot files

6. Workstations may experience “churning”, which is unexplained and sustained workstation activity levels

7. You may experience unscheduled hardware resets or hardware crashes including program aborts

8. You may receive disc error messages and increased “lost cluster” results when performing disc scans

9. You may experience excessive and unexplained network activity

10. You may experience unexplained freezing of software applications or receive unexpected error messages

11. There may be excessive consumption of active resources on the CPU

12. Software applications (or their icons) may suddenly disappear from your screen or the application may not execute when you click on it

Now I’m sure that all of us have experienced some of these things happening on our computers before. Who hasn’t noticed their computers running sluggishly or had an error message pop up unexpectedly? And most of the time, these are not caused by virus activity. Even so, ignoring such symptoms can be dangerous! There really could be a virus running that is causing these problems. So check these symptoms out or report them to your IT section, especially if you are experiencing several of the indicators listed above. When dealing with information security, safer is always better!
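The Trojan and virus indicator lists above can be turned into a repeatable check instead of a gut feeling: record a snapshot of processes, security services, outbound connections and DNS answers while the machine is known-good, then compare a later snapshot against it. This Go program is an added example, not code from the original articles; the Snapshot fields, the Triage rules and the sample data are assumptions constructed for illustration.

```go
package main

import "sort"

// Snapshot is what an administrator records once while a workstation is known-good (the baseline) and again when symptoms appear.
type Snapshot struct {
	Processes   map[string]bool   // image names shown in Task Manager
	Services    map[string]bool   // anti-virus / firewall services and whether each is running
	Connections map[string]bool   // remote host:port of established outbound connections
	DNS         map[string]string // well-known site -> address it resolved to
}
// Triage returns one line per listed indicator that fires when cur is compared with base.
func Triage(base, cur Snapshot) []string {
	var hits []string
	for p := range cur.Processes {
		if !base.Processes[p] {
			hits = append(hits, "new process not in baseline: "+p)
		}
	}
	for c := range cur.Connections {
		if !base.Connections[c] {
			hits = append(hits, "unexpected outbound connection: "+c)
		}
	}
	for svc, running := range base.Services {
		if running && !cur.Services[svc] {
			hits = append(hits, "security service no longer running: "+svc)
		}
	}
	for host, addr := range base.DNS {
		if now, ok := cur.DNS[host]; ok && now != addr {
			hits = append(hits, "DNS answer for "+host+" changed: "+addr+" -> "+now)
		}
	}
	sort.Strings(hits) // map iteration order is random; keep the report stable
	return hits
}

// SampleSnapshots returns constructed data (not from the article): a clean baseline and a later snapshot showing four symptoms.
func SampleSnapshots() (base, cur Snapshot) {
	base = Snapshot{
		Processes:   map[string]bool{"explorer.exe": true, "winword.exe": true, "avguard.exe": true},
		Services:    map[string]bool{"AntiVirus": true, "PersonalFirewall": true},
		Connections: map[string]bool{"mail.example.com:25": true},
		DNS:         map[string]string{"www.bank.example": "192.0.2.10"},
	}
	cur = Snapshot{
		Processes:   map[string]bool{"explorer.exe": true, "winword.exe": true, "updater32.exe": true},
		Services:    map[string]bool{"AntiVirus": false, "PersonalFirewall": true},
		Connections: map[string]bool{"mail.example.com:25": true, "198.51.100.7:6667": true},
		DNS:         map[string]string{"www.bank.example": "203.0.113.99"},
	}
	return base, cur
}
```

An empty result from Triage does not prove the machine is clean; it only says none of the recorded items changed, which is why the article still recommends reporting symptoms to your IT section.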

Laptops: the BIG Threat to Information Security

Aren’t laptops great?! They’re small and easy to handle. You can take them anywhere, and they’re fast and powerful enough to do just about anything you want! And how about the other, even more convenient portable devices like PDAs and Internet capable cell phones? Fantastic! You can download files, email people wirelessly, get your work done while waiting to tee off at the golf course, all kinds of wonderful things. But from a business information security standpoint, they are D A N G E R O U S!!!

Now, you might say to me: “But I have a personal firewall and regularly updated anti-virus software on my laptop. I’m very careful about what I upload and download onto it – nothing but approved corporate software applications. And when I communicate business matters on my laptop, I establish my connection securely and use a tunneling transmission protocol that’s strongly encrypted from end to end. You aren’t talking to ME!” And you’re right – all that is very correct and laudable! But is that all you need to do?

A professor at THE Ohio State University just recently had his home burglarized. He lost some jewelry, a shotgun... and two laptops loaded with the personal private information of lots of chemistry students and post-graduates! There was federal grant information on there too. This is a MAJOR problem. All of those folks are now subject to identity theft, so they and Ohio State will have to monitor their credit very closely for a long time. And even then, they may never be sure if their information was truly compromised or not. So maybe they get complacent after a while, and then, years down the road, BAM! They’re nailed! And since they are undoubtedly going to be very angry about this, they are going to do their best to sue you, and if that doesn’t work out, they are at least going to bad mouth your organization to everyone that will listen. And what if the database you lose has the information of tens of thousands or even millions of people on it? You have problems that may never go away. And these kinds of laptop losses occur on an alarmingly regular basis. We’ve all heard about it on the news.

The point of this is, no matter how securely you install and transmit your information on portable devices, you always have to keep physical security in mind. But you might say to me, “Well, I never let my laptop out of my sight when I’m traveling. I have a laptop security cable I use religiously. I don’t leave my laptop in my hotel room, and if anyone gets a hold of it anyway, it takes a password to log onto my computer.” Unfortunately, these kinds of security measures, while essential, are not foolproof or even that difficult to circumvent.

So what is the answer? Encrypt your sensitive data! Encrypt it well, and encrypt it any time you are not actively using it. A hassle? You bet! But this is the only reliable way I know of to keep thieves from viewing your data. And every year encrypting your data becomes more of a trivial exercise. Use PGP, for example, or encrypt using WinZip – it offers 256-bit AES. That way, even if attackers get your portable device and bypass the access security, all they are left with is a bunch of babble. Then maybe you and your organization might not make the evening news like so many unfortunate organizations have before!
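As an added example of the "encrypt it when you are not using it" advice, not part of the original article and not PGP's or WinZip's code: a small Go program that seals a file's contents with 256-bit AES (AES-256-GCM) under a key derived from a passphrase, so a thief who bypasses the login password sees only the babble described above, and a wrong passphrase or any tampering is rejected outright rather than producing garbled output. The 16-byte salt, 12-byte nonce layout and the 200000-iteration PBKDF2 work factor are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block, written over the
// standard library so the example needs no extra module; 200000 iterations is the work factor.
func deriveKey(pass, salt []byte) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1; one SHA-256 output is the whole key
	u, key := mac.Sum(nil), mac.Sum(nil) // Sum leaves the MAC state unchanged: two equal copies
	for i := 1; i < 200000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}

// aeadFor builds the AES-256-GCM instance for one passphrase and salt. Neither constructor
// can fail here: the derived key is always 32 bytes and AES always has a 16-byte block.
func aeadFor(pass string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey([]byte(pass), salt))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts data under a passphrase; output is salt(16) || nonce(12) || ciphertext || tag(16).
func Seal(pass string, data []byte) ([]byte, error) {
	hdr := make([]byte, 16+12) // fresh random salt and nonce for every file
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm := aeadFor(pass, hdr[:16])
	return gcm.Seal(hdr, hdr[16:], data, hdr[:16]), nil // salt is bound as associated data
}

// Open reverses Seal; a wrong passphrase or any tampering returns an error, never garbled text.
func Open(pass string, blob []byte) ([]byte, error) {
	if len(blob) < 16+12+16 {
		return nil, errors.New("ciphertext too short")
	}
	gcm := aeadFor(pass, blob[:16])
	return gcm.Open(nil, blob[16:28], blob[28:], blob[:16])
}
```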

Editor’s Note: This article was written with a focus on smaller organizations with limited IT resources. Organizations that feel they can support it should also consider options for whole disk encryption, or perhaps research some of the emerging drive-specific encryption and access controls just becoming popular. However, in our experience, these controls and tools vary widely in their effectiveness, feature sets and ease of use. In many cases, whole disk encryption and some emerging technology solutions for this problem may be too resource intensive for many smaller organizations to manage. — The Editor

Can Technology Alone Make Your Information Safe?

Have you ever thought to yourself: “If only they would build some kind of IDS or something that really works! A little box I could plug into my network that would tell me when someone was doing something they weren’t supposed to do. Then I could just kick back, and let technology secure my data. I wouldn’t have to worry at all!” Do you really think that is true?

During World War II, the Germans thought that their Enigma code machines couldn’t possibly be compromised. After all, the Enigma was the epitome of high tech, years ahead of its time! They thought that their advanced technology would keep their data entirely safe. They were sure they didn’t need to worry. Were they right? No! Not only was the Enigma compromised, it was compromised in short order by a combination of espionage, clever cognition and (yes) technology. If this instance of German reliance on high technology didn’t cost them the war outright, it certainly made the war much shorter and cost the lives of thousands of German troops.

In the early 1960s, the United States Military thought they no longer needed to mount guns on their new F-4 Phantom fighter. After all, the F-4 had new, high tech air-to-air missiles like the Sidewinder and Sparrow! The Military thought no enemy would be able to get close enough to use their guns. They thought that aerial dogfights were a thing of the past! Were they right? No! The enemy was able to exploit tactical errors and circumstance and get in too close for the vaunted high tech missiles to work! This instance of over-reliance on high technology caused the death of American pilots and the loss of expensive aircraft!

In the 1980s and ’90s, the CIA thought that there was very little need for human intelligence sources anymore. Why put agents on the ground when you can see what other countries are doing from space using high tech satellites and hear what they are planning using high tech electronic surveillance and code breaking equipment? The CIA thought they could save money and avoid putting their agents in danger by relying on these high tech solutions. Were they right? No! During the lead up to the current war in Iraq, the CIA found that all the high resolution photographs and electronic intercepts they had told them next to nothing about the state of the Iraqi nuclear and biological programs. Without agents on the ground, the CIA was forced to rely on intelligence from such shaky sources as Saddam Hussein’s own son-in-law and the few agents that other countries like Germany and Great Britain were able to recruit. The CIA concluded that Iraq had advanced weapons programs and that the U.S. and her allies were in imminent danger of attack. Were they right? No! The CIA’s over-reliance on high technology and their failure to recruit human agents in the Gulf region helped lead to a full scale war in Iraq that has cost the lives of thousands!

Much the same thing is happening today with distributed computer information systems. Organizations think that better firewalls and intrusion detection systems are the answer. Are they right?

Twenty years ago the Internet was just starting to grow. Personal computers were getting more powerful, faster and more useful every day. Lots of software was appearing that made almost every business task easier to accomplish and keep track of. Businesses were able to streamline their operations and get a lot more work done with far fewer people. Everything was becoming more user friendly. Prices were down and profits were up!

Then the crackers started to appear. Information started to disappear! Computers suddenly stopped working! Data began getting corrupted and changed! Confidentiality was lost! Businesses and government agencies began to panic.

What was the problem? Why was this happening? Well, the main problem was that the Internet, and the transmission protocols it is based on, were designed for the free and easy interchange of information, not for security. And by the time people began to realize the importance of security, it was too late. The Internet was in place and being used by millions of people and thousands of businesses. People were unwilling to just scrap the whole thing and start over again from scratch! And there were other problems. The fact that the most widely used operating systems in the world are based on secret source code is a good example. Clever people can always reverse engineer operating code and expose its weaknesses.

So we are stuck with using an information technology system that cannot be reliably secured. And it cannot be reliably secured largely because of a technological flaw. So why would we think that technology alone could solve this problem?! It can’t.

What government agencies and business organizations are coming to realize now is the need for a renewed emphasis on the application of operational and managerial security techniques to accompany their technology-based information security systems. A good example of this is the requirement by the FFIEC and the other financial agencies that financial institutions must use something more than single-factor authentication (user name and password) to protect high risk transactions taking place over the Internet. Did they come right out and demand that financial institutions use technology based (and expensive!) solutions such as tokens or biometrics? No! The agencies happily, and I think wisely, left the particular solution up to each organization. They simply required that financial institutions protect their customer information adequately according to the findings of risk assessments, and they left plenty of room for financial institutions to apply layered operational and managerial security techniques to accomplish the task instead of once again relying solely on high tech.

And despite the insecurity and frustration this lack of clear guidance initially causes organizations, I think ultimately it will help them in establishing tighter, cheaper and more reliable information security programs. If financial institutions and businesses want to get off the merry-go-round of having to buy new IT equipment for security reasons seemingly every day, they are going to have to bite the bullet and do the security things that everyone hates to do. They are going to have to make sure that all personnel, not just the IT admins, know their security duties and apply them religiously. They are going to have to track the security of customer information through each step of their operations and ensure that security is applied at every juncture. They are going to have to classify and encrypt their data appropriately. They are going to have to lock up CDs and documents. They are going to have to apply oversight and double checks on seemingly everything! And everything will need to be written down.

At first this will all be a mess! Mistakes will be made! Time and money will be wasted! Tempers will flare! But the good thing is that once everyone in the organization gets the “security mind-set”, it will all get easier and better.

The fact is that once an information security program is fully developed and integrated, and all the bugs are worked out, it actually becomes easy to maintain. Personnel apply their security training without even thinking about it. Operating procedures and incident response plans are all written down and everyone knows how to get at them. And when personnel or equipment changes occur, they integrate smoothly into the system. Panic is virtually eliminated! And almost all of this is provided by the application of operational and managerial security techniques. In other words, policies and procedures.

So when your organization gets that required risk assessment done, and when you develop your required incident response and business continuity plans, don’t just let them sit in the filing cabinet! Use them, and actually start applying them to your business. It will give your organization a head start on what is almost surely going to be a requirement in the future, and could save you some money in the process!