
Common Information Assurance (“IA”) applications.

In the previous article we began talking about information assurance and defined some common terms that will be used. In this article we will be defining some types of applications that are used to help secure a computer.

The first applications we will talk about are firewalls, anti-virus, intrusion detection systems and malware scanners.

Firewalls

When talking about how firewalls work, I like to use a Traffic Officer as an example. Traffic Officers are there to enforce certain rules; they do not get to make up the rules, but they do have some flexibility in how the rules are enforced and interpreted. Some Traffic Officers watch from one direction, while others watch from multiple directions. If you violate the rules they will stop you and either write a ticket or give a warning. It is possible to get a ticket and still continue on, but breaking some rules will get you arrested.


A firewall is just a computer Traffic Officer and operates the same way. Every firewall has a policy, or set of rules, that it enforces; the enforcement options depend on the type of firewall:

Some firewalls only monitor network traffic originating outside your computer and attempting to get in. This is currently the default type of firewall for Microsoft Windows XP™.

Some firewalls monitor traffic originating at your computer and going out to the Internet in addition to traffic originating outside your computer attempting to get in. This is how Zone Alarm™ functions.

Some firewalls monitor your behavior in an attempt to warn you if they detect anomalous behavior. These firewalls attempt to learn from your past actions.

Depending on the type of firewall, any attempt to access your computer from the Internet, or for your computer to access the Internet, is checked against the current policy. Depending on the rules, the attempt is either allowed or blocked, and a log entry may also be created for later reference.

The main purpose of a firewall is to block everything and allow only what you explicitly say is good. This approach protects you because the set of acceptable things you might do is easier to manage than the set of all potential bad things that might be attempted against your computer.
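The default-deny policy, the per-rule log entry, and the difference between a firewall that watches only incoming traffic and one that watches both directions, as an added Python example that is not part of the original post; the rules, ports and addresses are constructed:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Rule:
    direction: str                # "in": arriving from the Internet; "out": leaving this host
    action: str                   # "allow" or "block"
    proto: str                    # "tcp" or "udp"
    port: Optional[int] = None    # None matches any port
    remote: Optional[str] = None  # CIDR of the remote host; None matches any address
    log: bool = False             # write a log entry whenever this rule fires
@dataclass
class Firewall:
    rules: list                      # checked in order; the first matching rule wins
    watched: tuple = ("in", "out")   # ("in",) models an inbound-only firewall
    audit_log: list = field(default_factory=list)

    def check(self, direction: str, proto: str, port: int, remote_ip: str) -> str:
        if direction not in self.watched:
            return "allow"           # this firewall never inspects that direction
        ip = ipaddress.ip_address(remote_ip)
        for r in self.rules:
            if r.direction != direction or r.proto != proto:
                continue
            if r.port is not None and r.port != port:
                continue
            if r.remote is not None and ip not in ipaddress.ip_network(r.remote):
                continue
            if r.log:
                self.audit_log.append(f"{r.action} {direction} {proto}/{port} from {remote_ip}")
            return r.action
        # No rule said "good": default deny, and record the attempt for later review.
        self.audit_log.append(f"block {direction} {proto}/{port} from {remote_ip} (default deny)")
        return "block"

POLICY = [  # constructed policy: web browsing out, file sharing in from the home LAN only
    Rule("out", "allow", "tcp", 80),
    Rule("out", "allow", "tcp", 443),
    Rule("in", "allow", "tcp", 445, remote="192.168.1.0/24", log=True),
]

def demo() -> dict:
    both = Firewall(POLICY)                           # watches both directions
    inbound_only = Firewall(POLICY, watched=("in",))  # watches only what tries to get in
    return {
        "lan_share": both.check("in", "tcp", 445, "192.168.1.20"),      # allow (rule 3, logged)
        "internet_share": both.check("in", "tcp", 445, "203.0.113.9"),  # block (default deny)
        "unknown_out": both.check("out", "tcp", 6667, "203.0.113.9"),   # block (default deny)
        "unknown_out_inbound_only": inbound_only.check("out", "tcp", 6667, "203.0.113.9"),  # allow
        "log_entries": len(both.audit_log),                             # 3
    }
```

The last entry shows why an inbound-only firewall says nothing about a program on your own machine reaching out: that direction is simply never checked.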

This approach is the exact opposite of how an anti-virus program works.

Anti-Virus

The best analogy for an anti-virus program that I can think of is a warrant for someone’s arrest. Warrants are entered into a national database that anyone can search; if a match is found, the individual is investigated and potentially locked up.

The national database of warrants only works if people keep the information accurate and current. This approach, a constantly updated database of “known bad” items, is how an anti-virus program works.

There are two main types of anti-virus programs: heuristic and non-heuristic.

Heuristic programs attempt to learn from your behavior. These programs will try to block based upon behavior and a database of known bad signatures. By scanning for behavior they hope to block new attacks before a specific signature is released.

Non-heuristic programs block based only upon a matching signature. Signatures are excerpts that the anti-virus program looks for; if one is found, the program presumes the virus is present.

Not all anti-virus programs support heuristic detection, and heuristic programs are not a guarantee of protection. Just like the database of warrants, an anti-virus program must be maintained. Most anti-virus programs have an option to automatically download new updates, and this is usually turned on by default.

The problem with non-heuristic anti-virus programs is that you can only know about a new virus after it has been released. The reason anti-virus programs must work this way is that the set of potential malicious code is smaller than the set of all potential good documents and programs, so it is the side that can practically be listed.

Malware

The term malware is commonly used to describe several different categories of undesirable software. The more common of these are spyware, adware, trojan horses, root kits, worms and virii.

Spyware is a software application that monitors behavior; the information collected is then sent to a remote location. The most common spyware applications do this to support advertising: by watching where you go on the Internet they can target better advertisements.

Adware is a term used to describe software that displays advertisements, usually pop-ups. Adware and Spyware will normally be found on the same system, working together to collect data and then show advertisements based upon the data collected.

Trojan horses are programs that attach to another program. The second program remains hidden and is typically not desired by the person installing the first program. By attaching the trojan to a trusted program the attacker hopes to slip it past your defenses.

Root kits are programs that fundamentally change how an operating system, like Microsoft Windows, operates. For example, in November of 2005 Sony placed software on its clients’ CDs. This software was automatically installed when the CD was inserted, changing how Microsoft Windows responded to certain files and inserting a security issue that a malicious person could use to completely take over the machine.

The root kit hid any file beginning with $sys$ from the user; this was done by re-writing portions of Microsoft Windows at a very low level.

Incidentally, this is why I will no longer purchase anything made by any division of Sony; they can no longer be trusted.

Worms are programs that self-replicate. A worm is similar to a virus, with the exception that a worm does not need user interaction to spread. Because of this, worms are harder to write and less common than viruses.

Virii is the plural form of virus. A virus is an executable program that often requires you to click on something to execute. Once the program is run, it can do anything that you as a user could do. Typically it will either email everyone it can find, steal data from your computer, or attempt to install a trojan or root kit on your system.


Intrusion Detection System


When thinking of an Intrusion Detection System (“IDS”) I like to reference guard dogs. Guard dogs are trained to respond to a specific set of circumstances and can respond in different ways. Sometimes they may just bark while other times they may attack or chase after someone.

It is important to train the guard dog well, or you might have a high rate of false positives or false negatives.

False positives are when an alarm is raised accidentally. If a smoke detector goes off but there really is no fire, this is a false positive.

False negatives are when no alarm is raised, but there should have been one raised. If a smoke detector does not go off but there is a fire, this is a false negative.

An IDS is a program with a database of patterns to match, just like a non-heuristic anti-virus program. When the IDS detects one of these patterns it takes a specified action: sometimes it makes a log entry, and other times it may take action to block the connection.

If an IDS has the ability to filter out traffic that is known to be bad, it is often called an Intrusion Prevention System. The only difference between an IDS and an IPS is whether the application can filter out the attacks before they have a chance to take effect. The idea is that if you know something is bad, do not let it pass. The risk is that you might mistakenly block something legitimate because it looks bad to the program: a false positive.
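Signature matching as described for non-heuristic anti-virus above and for the IDS here, with the log-only (IDS) versus block (IPS) difference and both kinds of false result, as an added Python example that is not part of the original post; the signatures and sample files are constructed strings, not anything taken from real malware:

```python
from dataclasses import dataclass, field

# Constructed signature database: byte excerpts the detector looks for.
SIGNATURES = {
    "Test.Mailer.A": b"SEND-TO-EVERY-CONTACT v1",
    "Test.Dropper.B": b"INSTALL HIDDEN SERVICE",
}

@dataclass
class Detector:
    signatures: dict
    mode: str = "ids"          # "ids": only log a match; "ips": log it and refuse to let it pass
    log: list = field(default_factory=list)

    def inspect(self, name: str, data: bytes) -> tuple:
        """Return (flagged, action) where action is "pass" or "blocked"."""
        hits = [sig for sig, pattern in self.signatures.items() if pattern in data]
        if hits:
            self.log.append(f"{self.mode.upper()} matched {', '.join(hits)} in {name}")
        action = "blocked" if hits and self.mode == "ips" else "pass"
        return bool(hits), action

# Constructed samples, and whether each one really is malicious.
SAMPLES = {
    "known_virus.exe": b"MZ...SEND-TO-EVERY-CONTACT v1...",
    "new_variant.exe": b"MZ...SEND-TO-EVERY-CONTACT v2...",   # changed after release: no signature yet
    "av_training.txt": b"Watch for the string INSTALL HIDDEN SERVICE in a dropper.",  # benign document
    "holiday_photos.zip": b"PK...nothing of interest...",
}
TRUTH = {"known_virus.exe": True, "new_variant.exe": True,
         "av_training.txt": False, "holiday_photos.zip": False}

def evaluate(mode: str) -> dict:
    d = Detector(SIGNATURES, mode)
    result = {"false_positives": [], "false_negatives": [], "blocked": []}
    for name, data in SAMPLES.items():
        flagged, action = d.inspect(name, data)
        if flagged and not TRUTH[name]:
            result["false_positives"].append(name)   # alarm, but no fire
        if TRUTH[name] and not flagged:
            result["false_negatives"].append(name)   # fire, but no alarm
        if action == "blocked":
            result["blocked"].append(name)
    result["log_entries"] = len(d.log)
    return result
```

In IPS mode the benign training document is blocked along with the real sample, which is exactly the cost of false positives the paragraph above warns about; the unsigned variant slips past in both modes.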

In the next few articles we will begin talking about trust and a concept called transitive trust. After talking about trust we will begin looking at applications and sites, how they can be used securely, and the implied trust when using them.

I would really like to hear from any readers: Was this article helpful? Would you like more detail on a particular area? Is there any topic you want me to address in a future article?

-Wayne

Tags: Information Assurance, Training, Security

Update: I fixed the tags.

This entry was posted on Sunday, September 17th, 2006 at 11:04 pm and is filed under Information Assurance, Training. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
