Why Infected PCs Still Walk the Halls of Higher Education

IHEs have special security requirements
University Business, Dec 2008

Educational institutions have very special requirements when it comes to security. They must maintain a difficult balancing act between open communications and secure networks while meeting the diverse needs of students, faculty, staff and alumni and their host of autonomous desktops, laptops, and handheld devices, all with limited IT personnel and budgets. To make matters worse, the movement toward Web 2.0 has driven more people and applications to the web, where hackers lie in wait to take advantage of new vulnerabilities reachable through the largely unprotected port 80. Researchers point out that attacks are not only increasing in volume but are also markedly more difficult to detect.

As web-borne malware becomes the cyber criminal's weapon of choice, how can universities protect their users and their resources? By understanding each phase of the propagation cycle, IT security professionals can implement appropriate safeguards at each step to detect and defend against web malware intrusion and the subsequent botnet infection.

Universities require open networks that provide their constituents the access they need to learn and discover as they pursue their fields of interest. Whether checking assignments on a campus network, researching through remote libraries, or collaborating with a colleague at a sister university, higher education users require a tremendous amount of flexibility. At the same time, universities must protect their users and their hard-earned reputations by ensuring secure communications. This is no easy task. University IT personnel must factor in mobility, a wide variety of devices, and diverse user practices as key components of the equation.

The rise in mobility has brought its own set of challenges. Users may access university resources through secure campus wireless networks, home broadband, public hotspots and other campus networks. Through each they become exposed, and expose university networks, to any number of cybercrime exploits. When problems do occur it can also be difficult for IT to pinpoint problem areas because it's not as easy as tracing the wire to the infected machine.

There is a great variety in the types of devices utilizing a university network. These can be desktops, laptops, and handhelds and many are independently owned. As such it's difficult for university IT to monitor or manage security for these end points. For example, while network administrators may advocate particular security precautions there is no guarantee users will install them. And there may not be adequate detection or prevention mechanisms to keep infected machines off campus networks.

It is often said that the human is the weakest link in IT security, and for higher education this may very well be the case. From inconsistencies in abiding by university security policies to engaging in social networking, online shopping, ebanking and more, university users can intentionally or inadvertently thwart the best efforts in security. For example, students who discover malware on their machines may fear that any countermeasure could wipe away their hours of labor or research and might therefore elect to work around the problem rather than report it. They then expose the network to malicious software that infects other machines. Likewise, users may succumb to social engineering tactics employed by savvy hackers, again exposing other machines to new threats.

Taking all of these factors into consideration it's no wonder universities are struggling to maintain the delicate balance between freedom and control amidst quickly evolving usage practices, technologies and attacks.

Operating system vulnerabilities have traditionally been the most common targets for malware, but increasingly attacks are taking the shape of web-borne malware. As more users flock to the web, hackers identify new vulnerabilities to siphon information and resources through the largely unprotected web ports, 80 and 443.

Malicious code is readily embedded within user-generated content websites (social networking, video, and auction sites), third party ads, and high-traffic web applications. For example, by exploiting web server "control panel" applications common in shared hosting environments, hackers can gain a foothold on thousands of websites, which then distribute web-browser exploits to spread malicious code across many platforms and locations. Google estimates it serves up over 10 million web pages per day containing malicious content, exposing even casual web users to web malware.

Criminals are using the web as their prime infection vector to take over PCs, creating remote controlled machines or "bots" that can be strung together by the thousands or even millions in powerful, high availability botnets. Recent research has found that 11 percent of the world's computers are enmeshed in at least one botnet.

The practice of employing blended attack techniques is making matters worse. Blended threats attack on multiple fronts, exploiting the inability of conventional network protection to provide a unified defense across network, operating system, application and end-user levels. A blended threat is malware that attacks multiple OS and/or application vulnerabilities in order to infect a computer and use it as a launching pad to infect or attack others.

Cyber criminals are also using complex obfuscation schemes combined with polymorphism to evade detection. Obfuscation is a technique in which the malicious code is restructured or hidden so as not to reveal its true purpose. It affords hackers a method to hide malicious code beneath multiple layers of script, such as JavaScript, Flash or Visual Basic script on a web page. Polymorphism is a feature where code mutates to appear different each time while preserving its core algorithms, thereby evading signature-based detection.

Given this escalating threat climate, how can campuses protect their vital resources against infiltration?

Web malware and botnets typically follow a three-step propagation process: initial infection, bot malware installation, and attack/data theft. Propagation begins with some type of infection step or exploit. Today, this step increasingly originates through the web. Once the device is compromised, further malware payloads are loaded onto the machine to create the remote-controlled bot that communicates with one or more command and control (C&C) servers. Then the bot is used as part of one or more botnets to execute strategic and lucrative attacks.

By understanding each of these phases, security professionals have an opportunity to deploy coordinated countermeasures to detect and prevent botnets and the web malware used to create them.

To protect students, faculty, staff, and alumni against attacks and protect the university against malicious data and resource theft, IT security professionals must utilize a blended defense that will interrupt and terminate the propagation cycle. They can do this by focusing on three critical steps.

First, they must monitor both inbound and outbound traffic, scanning for suspicious activities. Once installed, web malware automatically sets up an outbound callback channel to steal data and resources, since outbound traffic from behind the firewall is not typically blocked by traditional security solutions, including intrusion detection systems (IDS), secure web gateways, etc. By monitoring the callback channel, universities can eliminate latent exploits that rely on obfuscated code calling back to a malicious server in order to initiate further malware downloads or an attack.

Second, to eliminate false positives, suspicious web and network traffic should be replayed within virtual "victim" machines to clearly identify malware, both known and previously undetected or "zero-day" attacks. Having this automated capability frees IT personnel time that is typically consumed monitoring and analyzing alarms signaled by IDS and other security mechanisms.

Third, the identified malware should be uniquely fingerprinted, in addition to having its unauthorized outbound communications tracked. This will help IT security professionals gather critical intelligence about the malware and identify any malicious servers with which it may be communicating.
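The callback-channel monitoring described in the first step can be illustrated with a small detector. This is an added example, not code from the article or from FireEye; it assumes a hypothetical outbound connection log format and constructed sample lines in which one internal host contacts the same external address on a steady five-minute cadence, the regular "phone home" pattern a bot's callback channel produces.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection log lines (hypothetical format:
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"). Host 10.1.4.22 calls back to
# one external address about every 300 s; host 10.1.7.5 is ordinary browsing.
SAMPLE_LOG = """\
2008-12-01T09:00:00 src=10.1.4.22 dst=203.0.113.9 dport=80
2008-12-01T09:00:13 src=10.1.7.5 dst=198.51.100.20 dport=443
2008-12-01T09:05:01 src=10.1.4.22 dst=203.0.113.9 dport=80
2008-12-01T09:06:40 src=10.1.7.5 dst=198.51.100.44 dport=80
2008-12-01T09:09:59 src=10.1.4.22 dst=203.0.113.9 dport=80
2008-12-01T09:15:00 src=10.1.4.22 dst=203.0.113.9 dport=80
2008-12-01T09:17:22 src=10.1.7.5 dst=198.51.100.20 dport=443
2008-12-01T09:20:01 src=10.1.4.22 dst=203.0.113.9 dport=80
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), int(m.group(4))))
    return events

def find_beacons(events, min_connections=4, max_jitter=0.10):
    """Flag (src, dst) pairs whose connection timing is regular enough to look like a
    bot callback channel: at least min_connections contacts, and the coefficient of
    variation of the inter-arrival times (stddev / mean) at or below max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            suspects[pair] = {"connections": len(stamps),
                              "period_s": round(mean), "jitter": round(jitter, 3)}
    return suspects

if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible callback channel: {src} -> {dst} {info}")
```

A flagged pair is a lead for the second step, capturing and replaying that host's traffic in a virtual victim machine, rather than a verdict on its own, since legitimate software updaters also poll on a fixed schedule.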

Universities should also consider the human component as part of their blended defense. The IT department should work closely with university bodies to educate users on the various forms of social engineering; the risks of third party ads, user-generated content sites, and high traffic destinations that follow current events; and inadvertent data leakage. These practices, along with technologies that protect against user-initiated data leaks, all help plug the human gap.

Universities can also employ technologies that detect infected machines as they attempt to get on the network, and continue to advocate secure computing practices that users can follow with their personal devices.

Universities have their work cut out for them when it comes to security. Maintaining a balance between open, ubiquitous computing and secure networks is a tough challenge for limited IT departments. However, by evaluating the threat landscape, including the increasing pervasiveness of blended web malware attacks, and recognizing the propagation cycle, IT security professionals are better equipped to eliminate threats. A blended defense is the best way to ensure a unified front against these unconventional attacks.

In particular, universities should employ integrated solutions that 1) monitor both inbound and outbound traffic, 2) replay suspicious network traffic in virtual victim machines to eliminate false positives, and 3) fingerprint identified malware and monitor any unauthorized outbound communications originating from that malware. With these components, universities can protect their users, resources and reputation from today's most sinister threats.

Ashar Aziz is CEO and founder of FireEye.