Internal controls may be preventive detective corrective which is preventive control

Preventative

Preventative controls are designed to be implemented prior to a threat event and reduce and/or avoid the likelihood and potential impact of a successful threat event. Examples of preventative controls include policies, standards, processes, procedures, encryption, firewalls, and physical barriers.

Detective

Detective controls are designed to detect a threat event while it is occurring and provide assistance during investigations and audits after the event has occurred. Examples of detective controls include security event log monitoring, host and network intrusion detection of threat events, and antivirus identification of malicious code.

Corrective

Corrective controls are designed to mitigate or limit the potential impact of a threat event once it has occurred and recover to normal operations. Examples of corrective controls include automatic removal of malicious code by antivirus software, business continuity and recovery plans, and host and network intrusion prevention of threat events.

FMECA Summary

This process involves a detailed analysis based on qualitative methods. It is a reasonably objective method and helps to identify controls and issues. It also identifies residual risks and issues. The Failure Mode, Effects and Criticality Analysis model is well accepted in many government and military organizations. The strength of this process lies in its ability to determine the point of failure and focus limited resources to adding controls where they add the most value.

Explaining Antivirus Signatures

It's widely assumed that antivirus works according to a strictly signature-based detection methodology. In fact, some old-school antivirus researchers loathe the term signature, at least when applied to antivirus (AV) technology, for several reasons. (The term search string is generally preferred, but it's probably years too late to hope it will be widely adopted outside that community when even AV marketing departments use the term signature quite routinely). Furthermore:

The term signature has so many uses and shades of meaning in other areas of security (digital signatures, IDS attack signatures, Tripwire file signatures) that it generates confusion rather than resolving it. IDS signatures and AV signatures (or search strings, or identities, or .DATs, or patterns, or definitions …) are similar in concept in that both are “attack signatures”; they are a way of identifying a particular attack or range of attacks, and in some instances they identify the same attacks. However, the actual implementation can be very different. Partly this is because AV search strings have to be compact and tightly integrated for operational reasons; it wouldn't be practical for a scanner to interpret every one of hundreds of thousands of verbose, standalone rules every time a file was opened, closed, written, or read, even on the fastest multiprocessor systems. Digital signatures and Tripwire signatures are not really attack signatures at all: They're a way of fingerprinting an object so that it can be defended against attack.

It has a specific (though by no means universally used) technical application in antivirus technology, applied to the use of a simple, static search string. In fact, AV scanning technology had to move far beyond that many years ago. Reasons for this include the rise of polymorphic viruses, some of which introduced so many variations in shape between different instances of the same virus that there was no usable static string that could be used as a signature. However, there was also a need for faster search techniques as systems increased in size and complexity.

The term is often misunderstood as meaning that each virus has a single unique identifier, like a fingerprint, used by all antivirus software. If people think about what a signature looks like, they probably see it as a text string. In fact, the range of sophisticated search techniques used today means that any two scanner products are likely to use very different code to identify a given malicious program.

In fact, AV uses a wide range of search types, from UNIX-like regular expressions to complex decryption algorithms and sophisticated search algorithms. These techniques increase code size and complexity, with inevitable increases in scanning overhead. However, in combination with other analytical tools such as code emulation and sandboxing, they do help increase the application's ability to detect unknown malware or variants, using heuristic analysis, generic drivers/signatures, and so on.

Malware in the Wild

The WildList Organization International (www.wildlist.org) is a longstanding cooperative venture to track “in the wild” (ItW) malware, as reported by 80 or so antivirus professionals, most of them working for AV vendors. The WildList itself is a notionally monthly list of malicious programs known to be currently ItW. Because the organization is essentially staffed by volunteers, a month slips occasionally, and the list for a given month can come out quite a while later. This isn't just a matter of not having time to write the list; the process involves exhaustive testing and comparing of samples, and that's what takes time.

However, the WildList is a unique resource that is the basis for much research and is extensively drawn on by the better AV testing organizations (Virus Bulletin, AV-Test.org, ICSAlabs). The published WildList actually comprises two main lists: the shorter “real” WildList, where each malware entry has been reported by two or more reporters, and a (nowadays) longer list that has only been reported by one person. A quick scan of the latest available lists at the time of writing (the September 2006 list is at www.wildlist.org/WildList/200609.htm) demonstrates dramatically what AV is really catching these days:

First, it illustrates to what extent the threatscape is dominated by bots and bot-related malware: The secondary list shows around 400 variants of W32/Sdbot alone.

It also demonstrates the change, described earlier, in how malware is distributed. Historically, the WildList is published in two parts because when a virus or variant makes the primary list, the fact that it's been reported by two or more WildList reporters validates the fact that it's definitely (and technically) ItW. It doesn't mean that there's something untrustworthy about malware reports that only make the secondary list. B-list celebrities might be suspect, but B-list malware has been reported by an expert in the field. So, the fact that the secondary list is much longer than the primary list suggests strongly that a single variant is sparsely distributed, to reduce the speed with which it's likely to be detected. This does suggest, though, that the technical definition of ItW (i.e., reported by two or more reporters; see Sarah Gordon's paper, What is Wild?, at http://csrc.nist.gov/nissc/1997/proceedings/177.pdf) is not as relevant as it used to be.

Don't panic, though; this doesn't mean that a given variant may be detected only by the company to which it was originally reported. WildList-reported malware samples are added to a common pool (which is used by trusted testing organizations for AV testing, among other purposes), and there are other established channels by which AV researchers exchange samples. This does raise a question, however: How many bots have been sitting out there on zombie PCs that still aren't yet known to AV and/or other security vendors? Communication between AV researchers and other players in the botnet mitigation game has improved no end in the last year or two. Despite this, anecdotal evidence suggests that the answer is still “Lots!” After all, the total number of Sdbot variants is known to be far higher than the number reported here (many thousands …).

Heuristic Analysis

One of the things that “everybody knows” about antivirus software is that it only detects known viruses. As is true so often, everyone is wrong. AV vendors have years of experience at detecting known viruses, and they do it very effectively and mostly accurately. However, as everyone also knows (this time more or less correctly), this purely reactive approach leaves a “window of vulnerability,” a gap between the release of each virus and the availability of detection/protection.

Despite the temptation to stick with a model that guarantees a never-ending revenue stream, vendors have actually offered proactive approaches to virus/malware management. We'll explore one approach (change/integrity detection) a little further when we discuss Tripwire. More popular and successful, at least in terms of detecting “real” viruses as opposed to implementing other elements of integrity management, is a technique called heuristic analysis.

Integrity detection is a term generally used as a near-synonym for change detection, though it might suggest more sophisticated approaches. Integrity management is a more generalized concept and suggests a whole range of associated defensive techniques such as sound change management, strict access control, careful backup systems, and patch management. Many of the tools described here can be described as integrity management tools, even though they aren't considered change/integrity detection tools.

Heuristic analysis (in AV; spam management tools often use a similar methodology, though) is a term for a rule-based scoring system applied to code that doesn't provide a definite match to known malware. Program attributes that suggest possible malicious intent increase the score for that program. The term derives from a Greek root meaning to discover and has the more general meaning of a rule of thumb or an informed guess. Advanced heuristics use a variety of inspection and emulation techniques to assess the likelihood of a program's being malicious, but there is a trade-off: The more aggressive the heuristic, the higher the risk of false positives (FPs). For this reason, commercial antivirus software often offers a choice of settings, from no heuristics (detection based on exact or near-exact identification) to moderate heuristics or advanced heuristics.

Antivirus vendors use other techniques to generalize detection. Generic signatures, for instance, use the fact that malicious programs and variants have a strong family resemblance—in fact, we actually talk about virus and bot families in this context—to detect groups of variants rather than using a single definition for each member of the group. This has an additional advantage: There's a good chance that a generic signature will also catch a brand-new variant of a known family, even before that particular variant has been analyzed by the vendor.

From an operational point of view, you might find sites such as VirusTotal (www.virustotal.org), Virus.org (www.virus.org), or Jotti (http://virusscan.jotti.org/) useful for scanning suspicious files. These services run samples you submit to their Web sites against a number of products (far more than most organizations will have licensed copies of) and pass them on to antivirus companies. Of course, there are caveats. Inevitably, some malware will escape detection by all scanners: a clean bill of health. Since such sites tend to be inconsistent in the way they handle configuration issues such as heuristic levels, they don't always reflect the abilities of the scanners they use so are not a dependable guide to overall scanning performance by individual products. (It's not a good idea to use them as a comparative testing tool.) And, of course, you need to be aware of the presence of a suspicious file in the first place.

Malware detection as it's practiced by the antivirus industry is too complex a field to do it justice in this short section: Peter Szor's The Art of Computer Virus Research and Defense (Symantec Press, 2005) is an excellent resource if you want to dig deeper into this fascinating area. The ins and outs of heuristic analysis are also considered in Heuristic Analysis: Detecting Unknown Viruses, by Lee Harley, at www.eset.com/download/whitepapers.php.

You might notice that we haven't used either an open-source or commercial AV program to provide a detailed example here. There are two reasons for this:

There is a place for open source AV as a supplement to commercial antivirus, but we have concerns about the way its capabilities are so commonly exaggerated and its disadvantages ignored. No open-source scanner detects everything a commercial scanner does at present, and we don't anticipate community projects catching up in the foreseeable future. We could, perhaps, have looked at an open-source project in more detail (ClamAV, for instance, one of the better community projects in this area), but that would actually tell you less than you might think about the way professional AV is implemented. Free is not always bad, though, even in AV. Some vendors, like AVG and Avast, offer free versions of their software that use the same basic detection engine and the same frequent updates but without interactive support and some of the bells and whistles of the commercial version. Note that these are normally intended for home use; for business use, you are required to pay a subscription. Others, such as ESET and Frisk, offer evaluation copies. These are usually time-restricted and might not have all the functionality of the paid-for version.

Commercial AV products vary widely in their facilities and interfaces, even comparing versions of a single product across platforms (and some of the major vendors have a very wide range of products). Furthermore, the speed of development in this area means that two versions of the same product only a few months apart can look very different. We don't feel that detailed information on implementing one or two packages would be very useful to you. It's more important to understand the concepts behind the technology so that you can ask the right questions about specific products.

Deterrent (or Directive) Controls

Deterrent controls are administrative mechanisms (such as policies, procedures, standards, guidelines, laws, and regulations) that are used to guide the execution of security within an organization. Deterrent controls are utilized to promote compliance with external controls, such as regulatory compliance. These controls are designed to complement other controls (such as preventative and detective controls). Deterrent and Directive controls are synonymous.

Preventative Controls

Preventive controls include security mechanisms, tools, or practices that can deter or mitigate undesired actions or events. An example of a preventive control would be a firewall. In the domain of operational security, preventative controls are designed to achieve two things:

To decrease the quantity and impact of unintentional errors that are entering the system, and

To prevent unauthorized intruders (either internal or external) from accessing the system.

An example of these controls would include firewalls, anti-virus software, encryption, risk analysis, job rotation and account lock outs.

Detective Controls

Detective controls are designed to find and verify whether the directive and preventative controls are working. Detective controls are designed to detect errors when they. Detective controls operate after the fact. They include logging and forensic controls are used to collate unauthorized transactions such as for the prosecution of the offender, or to lessen the impact of the attack or error on the system. Examples of this category of control include audit trails, logs, CCTV and IDSs.

Corrective Controls

Corrective controls are comprised of the instructions, procedures, or guidelines that are used to overturn the consequences of an incident. Corrective controls are put into practice in order to alleviate the impact of an event that has resulted in a loss and also to respond to incidents in a manner that will minimize risk. Examples include manuals, logging and journaling, incident handling, exception reporting, and fire extinguishers.

Recovery Controls

Recovery controls are designed to recover a system and returned to normal operation following an incident. Examples of recovery controls include system restoration, backups, rebooting, key escrow, insurance, redundant equipment, fault-tolerant systems, failovers, and contingency plans (BCP).

Application Controls

Application controls are designed into applications in order to minimize and detect operational irregularities that may occur within the application. Transaction controls are a type of application control.

Transaction Controls

Transaction controls are utilized in order to afford a level of control over the various stages of a transaction as it is processed. Transaction controls are implemented from the first stages when the transaction is initiated through to when the output is produced. Comprehensive testing and change control are also types of transaction controls. A number of these controls have been included below.

Operational Controls

Operational controls include those methods and procedures that afford protection for systems. The majority of these are implemented or performed by the organization staff or outsourced entities and are administrative in nature. Organizational controls may also include selected technological or logical controls.

Types of IDSs

IDSs fall into two types: network-based IDSs (NIDSs), where traffic is analyzed as it passes by a sensor on a wire; and host-based IDSs (HIDSs), where traffic is analyzed as it is accepted by the OS. The former is more readily deployed since it can be done with appliance devices rather than requiring modification of an existing server, and can provide a broader area of coverage. The latter is more precise, since it is able to understand what is occurring at the host itself: thus if an unknown form of attack attempted to cause a system to fail in a known fashion, the network-based sensor would probably miss the attack, but the host-based sensor would see the fault. This allows host-based IDS to function effectively as a preventative control, and is generally considered an appropriate use of the technology.

The Cisco Secure Network IDS product has the capability to do shunning. With shunning, the intrusion detection system alerts actually cause configuration changes in firewalls and routers, and block traffic from those networks.

IDS Architecture

IDSs are generally composed of a management station and one or more sensors. Because the control must see traffic to analyze it, it is generally distributed throughout a network at key locations. The management station integrates information from the distributed sensors (host and network) to provide a comprehensive and comprehensible view of the network. An operator usually interacts with the management station via a Web front-end or dedicated graphical user interface (GUI), and does not directly interact with the sensors. With the Cisco IDS, the management station can be either the IDS Director or a Cisco Secure Policy Manager (CSPM).The CSPM is documented in Chapter 12. In the fall of 2002, Cisco will be announcing a new management device to replace both the CSPM and Director consoles.

Ideally, the management station should integrate with any other operations management platforms in use. In an all-Cisco network, integration with the CSPM is helpful. In larger or nonhomogeneous networks, third-party products, such as HP OpenView, are often used to provide that integration.

Designing & Planning…

Why Should You Have an IDS?

The security events detected by an IDS are typically of three types:

Malicious events, such as those present at an intrusion

Misconfigured events, such as incorrect configuration data causing system malfunction

Ineffective events, such as ineffective network traffic

These security events are also usually classified by severity (that is, the ability of the event to harm the enterprise) and frequency (the likelihood of the occurrence). As an example of two types of malicious events, those that are severe or frequent (for example, the recent Nimda worm) are more important to identify and act upon than those that are minor or rare (for instance, a curious employee performing a port scan on his buddy’s machine). Perhaps even more important is distinguishing between that curious employee port scan on an unimportant machine and a port scan on a core business asset that may signal a prelude to a determined attack.

The business drivers for each of the three types are slightly different. The driver for the first is to reduce the risk associated with a systems compromise. They may be a required part of due diligence for protection of corporate assets. The driver for the second is to identify errors in configuration so that they can be corrected. This reduces the overall cost of maintenance. The driver for the third is to optimize the use of corporate assets.

Benefits of an IDS in a Network

As stated, the tuning process can take different approaches depending upon the desired result. Usually, the desired result should follow the business driver. These are examined in turn.

Deploying an IDS in a Network

The placement of a NIDS requires careful planning. Ciscoʼs Secure IDS product (NetRanger) is made up of a probe and a central management station called a Director (old style) or the CSPM (new style). Each probe has two interfaces: a command interface, on which configuration information is accepted and logging information is sent, and a sensor interface. The sensor interface has an unnumbered interface; some feel that this allows placement of the command interface on a different network than the command interface. If that is your policy, it is helpful to place the command interface on a management network. If you are concerned about the potential for a compromise through the sensor interface, then it is best to place the command interface on the same network as the sensor interface. Let’s look at the best place to put the Sensor interface.

Difficulties in Deploying an IDS

There are several difficulties associated with successful IDS deployments. One fundamental problem is that the underlying science behind intrusion detection systems is relatively new. While everyone agrees that some things can be achieved, the January 1998 paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H. Ptacek and Timothy N. Newsham seemed to throw the field for a loop. They described techniques by which a properly designed IDS can be deceived, with a follow-up discussion that seemed to indicate the loftiest goal of an IDS is not achievable without a complete recreation of all network hosts. In the paper they note:

The number of attacks against network intrusion detection systems, and the relative simplicity of the problems that were actually demonstrated to be exploitable on the commercial systems we tested, indicates to us that network intrusion detection is not a mature technology. More research and testing needs to occur before network intrusion detection can be looked to as a reliable component in a security system.

However, it should not be taken that this is seen as an unusable technology. An IDS is one of the most common security purchases today. Current (2002) Computer Security Institute (CSI)/FBI statistics show that approximately 60 percent of Fortune 500 companies deploy an IDS; in just a few years, an IDS suite will likely be as ubiquitous as firewalls. What this does point out is that this is a technology in a state of rapid change. It is also worth noting that Cisco engineering took the flaws identified to heart; today, their analysis engine is vulnerable to none of these flaws.

A second difficulty is that of expectation. Management may feel that simply purchasing an IDS will make them safe. It doesn’t. It can be of assistance in identifying, imperfectly, attacks on a host or network, and can also be of use in tracking human events. But IDS tools should probably be combined with additional tools to provide a more robust detection environment.

A third difficulty is associated with the deployment phase. The network deployment is relatively straightforward but non-trivial, and coordination between multiple groups is often required. In a larger enterprise, the people who “own” the network are different from the people who “own” security, and clear communication may not always be possible. A host deployment involves interaction with a complex environment, and may involve further unknown interactions.

A fourth difficulty concerns incidence response. An incidence response procedure is a nontrivial task for most enterprises. A significant development effort is usually required. For most enterprises, such programs have not been required before. In many environments, the program is developed after the first incident, as part of a “lessons learned” analysis.

A fifth difficulty revolves around IDS tuning, described next. An IDS, out of the box, is generally not very useful. It must be adjusted to be in harmony with the local environment and the resources available to explore events. It’s this level of effort associated with IDS tuning that management often underestimates.

It should be recognized that most IDS programs are at their most effective several months or even years after their initial deployment.