CLOUD SECURITY
session, the virtual layer can be reset and
scrubbed to a clean state.
“The latest generation of web-
based attacks need a solution
that supplements and goes
beyond the best of traditional
endpoint defences, including
signature-based security,
updates to virus and spyware
eradication mechanisms, and
firewalls”
Without this approach, user accounts
often run with administrative privileges,
giving applications freedom to read and
write to the operating system and kernel.
This allows malicious code to directly
access and harm the operating system.
The benefits of web
shielding
To conclude, placing a virtual shield
around the browser has three core secu-
rity benefits.
It is signature independent. It’s a
zero-hour system that employs a simple
firewall-like rule: reject all changes to
The brightening future of
cloud security
Patrick J. Walsh, Chief Technology Officer, eSoft (www.esoft.com)
The overused term ‘cloud computing’ is irrevocably associated with hype, and
the term ‘cloud security’ is also well on its way to becoming an oxymoron.
Data stored by third parties is data put at risk. Just ask people who’ve had
their Google accounts suspended and lost access to all of their email and
Google Docs.1,2
The risk of hackers getting at the data
is only the smallest part of the risk
involved in storing data with third par-
ties. Yet not all cloud security requires
remote storage of private data, and in
many cases the addition of a cloud secu-
rity component to an overall network
security strategy is very beneficial. Like it
or not, cloud security elements are being
integrated into everything from antivirus
October 2009
the user’s PC unless the user specifically
solicits them.
It protects the user’s PC from the
moment of connection. As web-based
attacks can occur the moment the user
encounters a web site, the shield approach
does not passively wait for malware to
transfer from the internet to the PC. The
virtualisation layer shields the user imme-
diately and through the whole session.
It’s unobtrusive. No special setup or
maintenance on the part of the enter-
prise administrator is needed, and all vir-
tualisation activity is invisible to the user
and requires zero maintenance.
The latest generation of web-based
attacks need a solution that supple-
ments and goes beyond the best of
traditional endpoint defences, includ-
ing signature-based security, updates to
virus and spyware eradication mecha-
nisms, and firewalls. It needs to shield
the browser – the user’s point of contact
with the internet – from the endpoint’s
operating system and file system, to
stop unauthorised changes.
After all, if you’re going to put armour on
your endpoints, why not do what our medi-
eval ancestors did, and use a shield as well?
programs to firewalls. The trick is to
know which technologies have the best
benefit-to-risk ratio.
When to be wary
When private data must leave the net-
work to be protected, alarm bells should
go off. third party storage of documents,
emails, instant messages, project man-
References
1. Krebs, Brian. “Network Solutions
Hack Compromises 573,000 Credit,
Debit Accounts,” July 24 2009.
<http://voices.washingtonpost.com/
securityfix/2009/07/network_solu-
tions_hack_comprom.html>
2. Messmer, Ellen. “Nine Ball attack
strikes 40,000 websites”, 16 June
2009 <http://www.networkworld.
com/news/2009/061609-nineball-
websense-attack.html?hpg1=bn>
3. Broersma, Matthew. “ ‘Gumblar’
attacks spreading quickly” 19 May
2009 <http://news.cnet.com/8301-
1009_3-10244529-83.html>
4. Web Hacking Incidents Database,
2 February 2009 <http://www.
xiom.com/whid/2009/14/
My.BarackObama.com_Infects_
Visitors_With_Trojan>
5. Web Hacking Incidents Database, 22
February 2009 <http://www.xiom.
com/whid/2009/22/federal_travel_
booking_site_spreads_malware>
6. Web Hacking Incidents Database, 16
September 2008 <http://www.xiom.
com/whid-2008-35>
agement details, customer details, and so
on, means full trust of the third party to
protect the data from hackers and from
their own employees.
Does the third party’s staff have access
to the data? What about the filenames or
audit logs? Are you sure their develop-
ers and IT staff don’t have the ability to
view data for debugging purposes? What
happens if the provider goes out of busi-
ness, shuts down the service, increases
its rates, suspends certain accounts, or
otherwise imposes new restrictions on
the data? These risks can all be mitigated
and such services have many benefits,
but due diligence is critical.
Remote storage of documents and
emails or tickets and issues may have
7
Network Security
 CLOUD SECURITY
Figure 1: Google warning on search result.
obvious risks, but other technologies are
integrating cloud security with some less
obvious risks. For example, most of the
major antivirus companies now have a
feature built-in to call home and report
back detected viruses along with infor-
mation like the MD5 checksum and the
source of the file. Generally speaking,
this is no big deal, but do they also selec-
tively upload the file if they don’t already
have that sample? What if that file were
an infected, confidential MS Word docu-
ment? For those moving toward entirely
cloud-based antivirus, all scanned files
that haven’t already been scanned at the
data centre (typically determined by
MD5) will be uploaded to a remote data
centre for scanning.
“Through the power of grid
computing, more antivirus
engines can be employed than
an average network gateway or
workstation”
These types of services may still make
sense, but data, once it leaves a com-
pany’s network, is not longer under the
Figure 2: Firefox warning on malicious site.
8
Network Security
control of the company and so caution
is needed. After all, what is network
security, if not the protection of data and
resources?
When to embrace the
new
There are many benefits that can come
from using cloud security and whether
you know it or not, you’re probably
using it already. Nearly all of the major
web browsers now have built-in features
that check URL blacklists, which are reg-
ularly updated. When doing a search on
Yahoo, for example, sites that have failed
Google’s antivirus checks receive a “This
site may harm your computer” notice.
If attempting to go on to a site like
this from within Firefox, the browser will
display a message warning that the site
has been blacklisted.
This is one excellent use of cloud
security. Google visits the site regularly
to index it for search, and while it’s there
it looks for known exploits and malware
using a variety of antivirus software.
Antivirus scanning is an expensive opera-
tion and using multiple antivirus scan-
ners requires a lot of CPU and memory.
By doing this ahead of time and doing
it once for the benefit of many, the
resource burden has been reduced over-
all. Plus, through the power of grid
computing, more antivirus engines can
be employed than an average network
gateway or workstation.
Antivirus is not enough
Where things get interesting, though,
is on websites that serve up malware
that is not yet detected by any or most
antivirus engines, which a fairly com-
mon occurrence;3 on websites that have
been defaced but are not (yet) serving
up malware; or on sites that have been
compromised and are being used for
purposes other than malware distribu-
tion such as for embedding secret links
to other websites.
These links, called PageRank bombs,
are hidden by using CSS and other
HTML tricks to move the links outside
of the visible page area, or by making the
text colour and background match. In
this way, the site owner and visitors will
not realise that the site is compromised,
but search engines will see the links and
increase the popularity ranking of the
linked sites. According to eSoft’s Threat
Prevention Team, these links are nearly
always to fraudulent pharmaceutical sites
or to pornography sites.4
Detecting malicious or compromised
sites that are not already detected by
antivirus is where the power of the
cloud really shines. This sort of detec-
tion requires much more in the way of
in-depth processing capabilities. Ideally,
any given web page (not just the home
page of the site, but every link possible)
would be regularly scanned first with a
series of up-to-date antivirus engines. If
those engines don’t find anything wrong
with the site, then the site would be
checked for any of hundreds of indica-
tors that suggest that the site may be
malicious or otherwise compromised. If
any suspicious indicators are found, then
the site can be checked using the most
resource intensive processes, includ-
ing using actual copies of Firefox and
Internet Explorer to visit the website and
October 2009
 CLOUD SECURITY

cious website, but is also used by Google

and others to protect their own intel-
lectual property.5 One way of detecting
obfuscated Javascript (or VBScript, for
that matter) is to calculate the entropy of
the script.
Other methods for automatically
detecting these include looking for ‘eval’
and ‘document.write’ methods followed
by numbers, or by using one of several
open source tools that execute the code
and capture the evals and document.
write statements, such as jsunpack and
Didier Stephen’s patched version of spi-
dermonkey.7,8

“Since malware authors have

a tendency to check their
creations against antivirus
scanners before releasing them,
the occurrence of malware that
is not detected by antivirus
systems is unfortunately too
common”
In addition to obfuscated scripts,
other good indicators of suspicious sites
include web pages with hidden links,
with iframes before or after the start or
end HTML tags, iframes that are hidden
or have no meaningful size, embed or
object tags that reference non-standard
browser plugins, and websites that have
Figure 3: Cloud-based computing clusters can do far more detailed checking of sites. only been registered for a short time.

simulate user behaviour (such as pressing mark a website as suspicious, but just
OK buttons) through them. being suspicious is not sufficient grounds
for blocking access to a website, as many
Identifying a suspicious legitimate websites make use of other-
wise suspicious behaviour for non-mali-
website cious purposes. For example, obfuscated
There are hundreds of indicators that Javascript is a key indicator of a mali-
Figure 4: Example of obfuscated Javascript highlighted by the Internet Storm Center.6
Behaviour-based
inspection
If a website is in some way suspicious,
then the real work begins, both in terms
of resource requirements and difficulty
level. The first and possibly most impor-
tant challenge is to identify otherwise
undetected (whether due to obfuscation
or a zero-day vulnerability) exploits by
directing popular browsers to visit the
site and monitoring any resulting down-
loads, software installs, or user prompts
that may lead to software downloads,
including prompts to install plugins.
Many downloaded files, such as PDF
files, may themselves have a new exploit
so the execution of the downloaded file
and using a system with many browser
helper programs (preferably outdated) is
helpful here. The biggest challenge lies

9
October 2009 Network Security
PROCESS CONTROL

recognised these fundamental truths and

Figure 5: Bridging the gap between threat release and antivirus signature release.
in handling false positives, since many example used in a secure web filtering
downloaded files or browser plugins are system, it means empowering businesses
innocuous. Making this determination to block malicious websites even when
requires human antivirus expertise and antivirus programs don’t yet have detection
systems that are outside of the scope of for the exploits or malware being delivered.
this article. Since malware authors have a tendency to
Without a team of security experts check their creations against antivirus scan-
checking sites and continually adding ners before releasing them, the occurrence
heuristics and signatures for identifying of malware that is not detected by antivi-
both suspicious and malicious sites, any rus systems is unfortunately too common.
system is quickly outdated and loses its Luckily, websites hosting malware
usefulness. rotate less frequently than the malware
itself, so that a website blocking access
The end result to a website that is detected as malicious
will avoid even brand-new malware
Though this sort of process is time- variants that are rotated into position as
consuming, the result can be shared the older malware variant starts getting
between many end users, which justifies detected by antivirus software.
the resources expended to determine a A wide variety of companies including
website’s maliciousness. In the case of this Trend Micro, Websense and eSoft have
are pushing cloud-based secure web filter-
ing as a required layer of protection for
modern networks. Best of all, the cloud-
based nature of this protection keeps net-
works protected without risking sensitive
data or local network resources.
References
1. Lilly, Justin. “Google account sus-
pended: A post mortem.” 8 August
2009 <http://justinlilly.com/
blog/2009/aug/07/google-account-
suspended-post-mortem/>
2. Boyd, Dana. “a google horror story: what
happens when you are disappeared.” 8
Feb. 2008 <http://www.zephoria.org/
thoughts/archives/2008/02/08/a_goog-
le_horror.html>
3 Graves, Lee. “Fake Blogs Serve Rogue
Malware.” 9 September 2009 <http://
threatcenter.blogspot.com/2009/09/
fake-blogs-serve-rogue-malware.html>
4. Stiennon, Richard. “Pharma-fraud
escalates dramatically.” 23 June 2009
<http://threatchaos.com/2009/05/
pharma-fraud-escalates-dramatically/>
5. “Obfuscated code.” Wikipedia.
15 September 2009 <http://
en.wikipedia.org/wiki/Obfuscated_
code#Obfuscation_in_malicious_
software>
6. Hall, Stephen. “Hosted javascript
leading to .cn PDF malware.” ISC
Blog. 10 April 2009 <http://isc.sans.
org/diary.html?storyid=6178>
7. “JSUnpack” 15 Sep. 2009 <http://
jsunpack.blogspot.com/>
8. Stephens, Didier. “SpiderMonkey.” 15
September 2009 http://blog.didierste-
vens.com/programs/spidermonkey/

Securing process control

networks
Dominic Storey, technical director, EMEA, Sourcefire UK For example, power companies trade
information about their generating
It is well known that organisations are becoming increasingly thirsty for data. capacity on a power exchange com-
Having details on the performance of individuals, the company and market modities market. Hospitals network
factors has long been a necessity in the high tech and finance sectors. Now, their critical care monitoring systems to
manufacturing organisations running large process control networks are finding record patient vital statistics for outcome
themselves in the same position. studies. As the author and political

10
Network Security October 2009