Another type of malware that is not technically a virus, because it usually does not self-replicate, is a Trojan program: software that appears to be something useful, such as a free utility, but in reality carries some type of malware. What is unfortunate about a Trojan program is that users willingly run it and don't even know it is causing problems on their systems. Rootkits are often delivered by Trojan programs, and their defining feature is concealment: by altering the system files, libraries and drivers that the operating system depends on for normal operation, a rootkit hides the processes, files and network connections that would otherwise reveal the compromise. Combined with the payloads they typically hide, such as tools that monitor traffic to and from the computer, log keystrokes and capture passwords, rootkits are the ultimate backdoor into a system and among the most insidious forms of malware, because a compromised machine can continue to look perfectly healthy to its owner and to host-based scanners that rely on the altered components.
A virus is a program that spreads by replicating itself into other programs or documents. Its payload is usually disruptive: deleting or corrupting files, formatting disks, or consuming large amounts of computer resources. Viruses and worms that spread through e-mail attachments have been commonplace for years. The basic defence is simple: don't open an e-mail attachment you were not expecting. Even if you know the sender, beware; malware can use an e-mail program's address book to send messages, so a familiar sender name does not make a message safe. Most virus scanners detect a virus or worm contained in an e-mail message and often delete the attachment before it ever reaches your inbox, but if the virus is very new, no signature for it exists yet and it might not be detected.
A worm is similar to a virus in that it is self-replicating, but a worm does not attach itself to another program; rather, it is a self-contained program. Worms are now more common than viruses because, with the Internet and widespread network connectivity in general, worms don't need help to spread. Whereas a virus requires a user to run the program containing it, and then copy that file elsewhere, before it can spread, a worm can do its work without any help and can spread through any available network connection. Some insidious actions a worm can perpetrate include consuming large amounts of network bandwidth, deleting files, sending e-mail, and creating backdoors into computers.
NETWORK SECURITY POLICY
Without a security policy, the confidentiality, integrity and availability of your network can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuing the policy requires implementing a security change management practice and monitoring the network for security violations. Lastly, the review process modifies the existing policy and adapts it to lessons learned.
The last area of responsibility is response. While network monitoring often identifies a security violation, it is the security team members who do the actual troubleshooting and fixing of such a violation. Each security team member should know in detail the security features provided by the equipment in his or her operational area.
While we have defined the responsibilities of the team as a whole, you should define the individual roles and responsibilities of the security team members in your security policy.
Approving Security Changes
Security changes are defined as changes to network equipment that have a possible impact on the overall security of the network. Your security policy should state its security configuration requirements in plain, non-technical terms, so that they describe the outcome rather than one particular configuration. In other words, instead of defining a requirement as "No FTP connections from outside sources will be permitted through the firewall", define it as "Outside connections should not be able to retrieve files from the inside network"; the second form also covers other file-transfer protocols and any future change of firewall product. You'll need to define a unique set of requirements for your organization.
The security team should review the list of plain-language requirements to identify the specific network configuration or design measures that satisfy each one. Once the team has worked out the configuration changes needed to implement the security policy, it can apply the same mapping to any future configuration change. While it is possible for the security team to review all changes, this process allows them to review only the changes that pose enough risk to warrant special treatment.
We recommend that the security team review the following types of changes:
- Any change to the firewall configuration.
- Any change to access control lists (ACLs).
- Any change to Simple Network Management Protocol (SNMP) configuration.
- Any change or update in software that differs from the approved software revision level list.
We also recommend adhering to the following guidelines:
- Change passwords to network devices on a routine basis.
- Restrict access to network devices to an approved list of personnel.
- Ensure that the current software revision levels of network equipment and server environments are in compliance with the security configuration requirements.
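As an added example (not part of the original text), the review rules above expressed as a small policy-as-code gate in Python: it flags a proposed change for security-team review when the change touches a firewall, an ACL, SNMP, or a software revision outside the approved list, and it checks one plain-language requirement ("outside connections should not be able to retrieve files from the inside network") against the ACL lines the change would add. The device inventory, the change format, the simplified ASA-style rule syntax, the treatment of source `any` as "outside", and the set of file-transfer ports are all assumptions constructed for illustration.

```python
"""Policy-as-code gate for security change review (added example).

Inventory, change format, rule syntax and port list are constructed
assumptions for illustration, not any vendor's real format."""
import re
from typing import Dict, List, NamedTuple, Set


class Change(NamedTuple):
    device: str
    software: str      # revision the device will run after the change
    diff: List[str]    # '+'/'-' prefixed config lines, unified-diff style


# Constructed inventory: device role and the approved software revision.
INVENTORY: Dict[str, Dict[str, str]] = {
    "edge-fw-1":  {"role": "firewall", "approved_software": "9.18.3"},
    "core-rtr-1": {"role": "router",   "approved_software": "17.9.4"},
}

# Line patterns for change types the policy says the security team must review.
ACL_RE = re.compile(r"^[+-]\s*(?:ip\s+)?access-(?:list|group)\b", re.I)
SNMP_RE = re.compile(r"^[+-]\s*snmp-server\b", re.I)


def review_categories(change: Change) -> Set[str]:
    """Policy categories that force a security-team review; empty set = routine change."""
    hits: Set[str] = set()
    dev = INVENTORY[change.device]
    touched = [l for l in change.diff if l.startswith(("+", "-"))]
    if dev["role"] == "firewall" and touched:
        hits.add("firewall")      # any change to the firewall configuration
    if any(ACL_RE.match(l) for l in touched):
        hits.add("acl")           # any change to access control lists
    if any(SNMP_RE.match(l) for l in touched):
        hits.add("snmp")          # any change to SNMP configuration
    if change.software != dev["approved_software"]:
        hits.add("software")      # deviation from the approved revision list
    return hits


# Plain-language requirement: "Outside connections should not be able to
# retrieve files from the inside network".  Encoded here (assumption) as:
# no ADDED permit rule from source 'any' (outside) to an inside host on a
# file-transfer port.
FILE_TRANSFER_PORTS = {"20", "21", "ftp", "ftp-data", "69", "tftp", "445", "2049", "nfs"}
PERMIT_RE = re.compile(
    r"^\+\s*access-list\s+\S+\s+(?:extended\s+)?permit\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|any4|any6)\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\S+)", re.I)


def requirement_violations(change: Change) -> List[str]:
    """Added rules that would let an outside source retrieve files from inside."""
    bad: List[str] = []
    for line in change.diff:
        m = PERMIT_RE.match(line)
        if m and m["port"].lower() in FILE_TRANSFER_PORTS:
            bad.append(f"{m['proto']} any -> {m['dst']} port {m['port']}")
    return bad


# Constructed proposed changes.
FIREWALL_CHANGE = Change("edge-fw-1", "9.18.3", [
    "+ access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443",
    "+ access-list OUTSIDE_IN extended permit tcp any host 10.0.0.7 eq 21",
    "+ snmp-server community public RO",
])
ROUTINE_CHANGE = Change("core-rtr-1", "17.9.4", [
    "- hostname core-rtr-1",
    "+ hostname core-rtr-1a",
])
UPGRADE_CHANGE = Change("core-rtr-1", "17.12.1", [
    "+ boot system flash:cat9k_iosxe.17.12.01.bin",
])

if __name__ == "__main__":
    for c in (FIREWALL_CHANGE, ROUTINE_CHANGE, UPGRADE_CHANGE):
        cats = sorted(review_categories(c))
        print(c.device, "review:", cats or "not required",
              "| violations:", requirement_violations(c))
```

The hostname change on the router needs no review, the software upgrade is flagged only because it departs from the approved revision list, and the firewall change is flagged three times over and also breaks the plain-language requirement through the new tcp/21 rule, which is exactly the case the written requirement was meant to catch regardless of how the rule is spelled.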
Monitoring Security of Your Network
Security monitoring is similar to network monitoring, except it focuses on detecting changes in the network that indicate a security violation. The starting point for security monitoring is determining what is a violation. In Conduct a Risk Analysis, we identified the level of monitoring required based on the threat to the system. In Approving Security Changes, we identified specific threats to the network. By looking at both these parameters, we'll develop a clear picture of what you need to monitor and how often.
In the Risk Analysis matrix, the firewall is considered a high-risk network device, which indicates that you should monitor it in real time. From the Approving Security Changes section, you see that you should monitor for any changes to the firewall. This means that the monitoring system should watch for failed login attempts, unusual traffic, changes to the firewall configuration, access granted to the firewall, and connections set up through the firewall. SNMP polling alone will not show most of these; polling gives you device state and traffic counters, while events such as failed logins, administrative logins and configuration commands arrive through the device's syslog output or SNMP traps, so the monitoring system needs both feeds.
Following this example, create a monitoring policy for each area identified in your risk analysis. We recommend monitoring low-risk equipment weekly, medium-risk equipment daily, and high-risk equipment hourly. If you require more rapid detection, monitor on a shorter time frame.
Lastly, your security policy should address how to notify the security team of security violations. Often, your network monitoring software will be the first to detect the violation. It should trigger a notification to the operations center, which in turn should notify the security team, using a pager if necessary.
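As an added example (not part of the original text), the firewall monitoring rules above implemented in Python and run over a few constructed syslog lines, with the notification chain from the last paragraph: every finding goes to the operations center, and high-severity findings are escalated to the security team. The log lines are constructed and only loosely modelled on Cisco ASA syslog messages; the device name, addresses, thresholds, the management allow-list, the expected inbound ports and the year used for timestamps are all assumptions for illustration.

```python
"""Security monitoring rules over constructed firewall syslog lines (added example).

Log lines, thresholds, allow-list and expected ports are constructed
assumptions; the message format is only loosely ASA-like."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Jump hosts from which administrators are allowed to log in (assumption).
MGMT_ALLOWLIST = {"10.10.1.5", "10.10.1.6"}
# Inbound services the firewall is expected to pass to the inside (assumption).
EXPECTED_INBOUND_PORTS = {"443"}
FAILED_LOGIN_THRESHOLD = 3   # this many failures from one source ...
FAILED_LOGIN_WINDOW_S = 60   # ... within this many seconds is a violation
CONFIG_CMDS = ("access-list", "access-group", "snmp-server", "no ", "write", "configure")
SYSLOG_YEAR = 2024           # syslog timestamps carry no year (assumption)

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+%ASA-\d-\d+:\s+(?P<body>.*)$")
DENIED_RE = re.compile(r'Login denied from (?P<src>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')
PERMIT_RE = re.compile(r'Login permitted from (?P<src>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
CONN_RE = re.compile(r"Built inbound TCP connection \d+ for outside:(?P<src>[\d.]+)/\d+ .* to inside:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(f"{SYSLOG_YEAR} {s}", "%Y %b %d %H:%M:%S")


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the monitoring rules; return one alert per finding, in log order."""
    alerts: List[Dict[str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)   # source -> recent failure times
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue   # unparseable line: not a violation by itself
        ts, host, body = parse_ts(m["ts"]), m["host"], m["body"]
        if d := DENIED_RE.search(body):
            # sliding window of failures from this source; alert once when it fills
            recent = [t for t in failures[d["src"]] if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            recent.append(ts)
            failures[d["src"]] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed-logins", "severity": "high", "device": host,
                               "detail": f"{len(recent)} failed logins from {d['src']} within {FAILED_LOGIN_WINDOW_S}s"})
        elif p := PERMIT_RE.search(body):
            # access granted to the firewall: routine from a jump host, high otherwise
            sev = "info" if p["src"] in MGMT_ALLOWLIST else "high"
            alerts.append({"rule": "access-granted", "severity": sev, "device": host,
                           "detail": f"user {p['user']} logged in from {p['src']}"})
        elif c := CMD_RE.search(body):
            if c["cmd"].startswith(CONFIG_CMDS):   # change to the firewall configuration
                alerts.append({"rule": "config-change", "severity": "high", "device": host,
                               "detail": f"user {c['user']} ran: {c['cmd']}"})
        elif k := CONN_RE.search(body):
            if k["dport"] not in EXPECTED_INBOUND_PORTS:   # unusual traffic through the firewall
                alerts.append({"rule": "unusual-traffic", "severity": "medium", "device": host,
                               "detail": f"inbound {k['src']} -> {k['dst']}:{k['dport']}"})
    return alerts


def route(alerts: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Notification chain from the policy: operations center gets everything,
    the security team is paged for high-severity findings."""
    notices: List[Tuple[str, str, str]] = []
    for a in alerts:
        notices.append(("operations-center", "ticket", a["detail"]))
        if a["severity"] == "high":
            notices.append(("security-team", "page", a["detail"]))
    return notices


# Constructed log excerpt (not real device output).
SAMPLE_LOG = [
    'Mar 10 02:14:01 edge-fw-1 %ASA-6-605004: Login denied from 198.51.100.7/52113 to outside:203.0.113.1/ssh for user "admin"',
    'Mar 10 02:14:09 edge-fw-1 %ASA-6-605004: Login denied from 198.51.100.7/52114 to outside:203.0.113.1/ssh for user "admin"',
    'Mar 10 02:14:20 edge-fw-1 %ASA-6-605004: Login denied from 198.51.100.7/52115 to outside:203.0.113.1/ssh for user "root"',
    'Mar 10 02:31:44 edge-fw-1 %ASA-6-605005: Login permitted from 10.10.1.5/41002 to inside:10.10.0.1/ssh for user "ops-jane"',
    "Mar 10 02:32:10 edge-fw-1 %ASA-5-111008: User 'ops-jane' executed the 'access-list OUTSIDE_IN extended permit tcp any host 10.0.0.7 eq 21' command.",
    "Mar 10 02:40:02 edge-fw-1 %ASA-6-302013: Built inbound TCP connection 884213 for outside:192.0.2.33/50211 (192.0.2.33/50211) to inside:10.0.0.7/21 (203.0.113.9/21)",
    "Mar 10 02:41:00 edge-fw-1 %ASA-6-302013: Built inbound TCP connection 884300 for outside:192.0.2.34/50300 (192.0.2.34/50300) to inside:10.0.0.5/443 (203.0.113.9/443)",
    'Mar 10 02:45:13 edge-fw-1 %ASA-6-605005: Login permitted from 198.51.100.7/52120 to outside:203.0.113.1/ssh for user "admin"',
]

if __name__ == "__main__":
    for who, how, detail in route(detect(SAMPLE_LOG)):
        print(f"{who:18} {how:7} {detail}")
```

Note how the excerpt ties the monitored events together: a short burst of failed logins, then a later successful login for the same account from the same untrusted source, which is the combination the security team should be paged for, while the jump-host login by an approved administrator is recorded but not escalated. The config-change rule also catches the new tcp/21 rule the moment it is entered, before the unusual inbound connection to that port appears.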