Filtering Content

CIOs need to become savvy in their selection of content filtering solutions as enterprises in the Middle East pay renewed attention to the security of their IT network.

By Sarah Gain. Published March 1, 2005

[Image: Neo-NOD32B.gif. Caption: Worms are one of the worst enemies of corporations today, says Adaox’s Neophytou.]

Malicious software, or “malware”, in the form of viruses, worms, spyware and trojan horses is an increasingly large threat for organisations of all sizes. All too often, businesses find their operations being compromised by infections that can result in files being corrupted, information being altered or deleted, or confidential data being distributed. Some attacks disable hardware, deny access to legitimate users, or cause hard drives to crash. The result is wasted resources and compromised systems that fall out of regulatory compliance or suffer from lost or stolen data. In turn, this can cause users and clients to lose confidence in an organisation.

For businesses that rely on the internet for their livelihood this can be a real problem. A survey conducted by the Truste organisation reveals that customers are still concerned about the security risks involved in online shopping. Almost half the survey’s respondents cited fear of credit card theft as a major concern. This type of hacking is also a major issue for merchants, especially under-resourced small-to-medium-sized businesses (SMBs).

For tier one enterprises, however, a more pressing threat is the risk of outbreaks of worms or viruses that result in denial of service (DoS). Typically, the loss of service means the unavailability of a network service such as e-mail, or the temporary loss of all network connectivity and services. In the worst cases, a website accessed by millions of people can be forced to temporarily cease operation. In some instances, a DoS attack can even destroy all programming and files in a computer system.

This type of security breach does not usually result in the theft of information, but it can cost the target company a great deal of time and money. Although usually intentional and malicious, DoS attacks can sometimes happen accidentally, as was reported to be the case when Dubai’s ATM network went down in December last year.

Many residents and tourists were unable to withdraw money for several days, and the Central Bank of the UAE was adamant that the predicament was down to a technical problem with the Dubai mode of the UAE Switch On/X system that is responsible for linking all the city’s ATMs. While the anomaly may not have been triggered malevolently, the episode is still a clear indication of the vulnerability of banks and the disruption that DoS can cause.

Growing online threats mean enterprises cannot afford to run their affairs without a comprehensive content filtering solution. As financial institutions and enterprises deploy mission-critical devices such as ATMs and self-service kiosks on TCP/IP networks, the de facto standard for transmitting data over networks, network worms are continuing to prove problematic.

“It can infect all available machines within ten minutes, overloading systems and creating DoS as the pipelines of a network are filled with data intentionally generated by the worm. This clogs the network, causing systems to crash and potentially costing a company a lot in terms of resources and capital,” says Neo Neophytou, managing director of Adaox.

Neophytou also identifies the Nachi worm, which aggressively scans networks for new machines to infect, and Lovsan, a worm that causes unpatched machines to reboot continuously and is programmed to launch a massive attack against Windowsupdate.com, as infections that can be particularly destructive to businesses.

“If a virus or worm manages to create denial of service for a major network and, for example, the transactions of a major bank network are impeded, there is a big financial loss,” explains Neophytou. “If a hole is created in a network it can not only create major disruption but at the same time the risk is that hackers can gain access to confidential data, credit card numbers and other sensitive material. Network worms are one of the worst enemies of corporations today and they are spreading fast,” he continues.

“In today’s multi-faceted networking environments, it is essential to ensure that content entering and leaving an organisation meets the company’s security policies and privacy regulations,” says Peter Kwisthout, territory manager for McAfee.

The consensus of opinion among the security vendors is that organisations that store large quantities of sensitive data need a multi-layered filtering solution. “Threats use more than one protocol to infiltrate networks,” says Kwisthout. “It is critical to ensure that all protocols are protected and secure.”

Various types of scanning are required to block access to web pages or e-mail that contain viruses or content deemed objectionable. The International Computer Security Association (ICSA), a worldwide leader in security assurance, states that as many as 86% of viruses are transmitted via e-mail, and SMTP scanning can protect this e-mail traffic.

Companies also need to use HTTP scanning to protect web traffic and to guard against DoS attacks and blended threats, while FTP scanning can shield any files that are being downloaded from an FTP server. POP3 scanning comes into effect when employees use company PCs to check personal e-mail accounts, as it safeguards e-mail traffic retrieved over the internet.

However, security threats do not just present themselves as e-mails containing worms or viruses that attack the system. Trojan programmes that have been designed to send spam, to attack web resources or to download and install malicious code into the computer are also serious threats. There are many different ways to deploy this malicious code to the computer as Eugene Kaspersky, founder and head of anti-virus research at Kaspersky Lab, points out:

“The most widespread method of deployment at the moment is the infected web page.” In these cases, the security of a vulnerable web page is breached and when a file is downloaded and executed on the computer the file will download the rest of the infected data.

“There are different methods of distribution for this type of web page, such as spam that looks genuine and directs people to the corrupt page. In other cases they use compromised search resources. When someone looking for information types in some strings the infected pages will appear at the top of the results, presenting themselves as pages where the information is available," explains Kaspersky.

A level of URL or web filtering is therefore also necessary for organisations wanting to block access to specific websites. This not only enhances security against unreliable web pages, but also prevents wasted network bandwidth and can potentially improve staff efficiency.

“It is also important for companies to minimise disruption by reducing the quantity of spam that gets onto the network,” says Kwisthout. The time spent on reading and deleting junk mail detracts from more important business activities and deploying a level of protection at the gateway can save time and money.

“A company with 10,000 employees that has no spam filtering installed will spend about US$49 per user on the server resource to handle spam. An organisation that has spam-filtering software can reduce this to around US$25 per user, which is a considerable saving straight off,” he adds. “Also, by 2007 the average expense per user to a company without server resources will be in the region of US$257, whereas it may only be costing a business that operates the technology around US$130. That’s a saving of hundreds of thousands of dollars per annum.”

Aside from the issue of employee productivity, a critical concern for companies is the network security infringements that spam can involve. Vast quantities of spam provide a fast and effective means of spreading data and viruses across the network. The high propagation rate of the medium is also being used to create security exposure. Integrated solutions at the gateway level combine anti-spam, anti-virus and content filtering and enable IT administrators to offload the network bandwidth and manage email traffic in detail.

Although the market is inundated with content filtering solutions, even the most reliable of technologies cannot be 100% effective, owing to the virulence and rapid ingenuity of new malware. “We see spam as a new common threat that businesses are going to face every day. Organisations have many choices of appliances that they can install at the gateway in order to check every individual email entering its systems, but each employ various methods with varying degrees of success,” says Neophytou.

Content filtering usually operates by specifying character strings that, if matched, indicate undesirable content that is to be screened out. The content itself is typically screened for pornographic material and sometimes also for violence- or hate-oriented material, and the filtering parameters are tuned to correspond to the needs of the individual organisation’s internal policies.

When the Al Ghurair Group of Companies deployed SpamAssassin, a content filtering solution released under the general public license (GPL), back in 2003, the company initially allowed users to dictate their own rules. As anti-spam solutions have improved, however, centralised management can attain much more complete spam and virus detection.

Solutions such as that in place at Al Ghurair operate on a rules-based platform and can work with applications such as Microsoft Outlook to categorise junk mail. Anti-spam engines use different strategies to ensure filtering is provided to the levels specified by the implementing organisation. The most reliable and widely used approach is the Bayesian method, based on probabilistic inference.

This system predicts that certain words will correctly identify a piece of e-mail as spam while other words will show a piece of e-mail to be legitimate. Unlike other filtering techniques that only look for spam-identifying words in subject lines and headers, a Bayesian filter examines the words in the body of an e-mail, its header information and metadata. Word pairs, phrases and even HTML code can be screened.
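The following Python program is an added illustration of the Bayesian approach described above; it is example code written for this page, not the engine used at Al Ghurair or any vendor's product. It extracts the kinds of features the paragraph mentions (header words tagged with their header name, body words, adjacent word pairs and HTML tag names), trains a naive Bayes model on a small constructed set of messages, and returns the probability that a new message is spam. The training messages, addresses and the smoothing constant are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed training set: (raw message with headers, is_spam). Addresses use
# reserved example domains and are not real senders.
TRAINING = [
    ("Subject: Meeting tomorrow\nFrom: alice@example.com\n\n"
     "Can we move the budget review to 3pm?", False),
    ("Subject: Quarterly report\nFrom: bob@example.com\n\n"
     "Attached is the draft report for the board.", False),
    ("Subject: Lunch?\nFrom: carol@example.com\n\n"
     "The new place on the corner has good pasta.", False),
    ("Subject: Cheap meds online\nFrom: promo@example.net\n\n"
     "<html><b>Buy cheap pills now</b> click here</html>", True),
    ("Subject: You have won\nFrom: lottery@example.net\n\n"
     "Claim your prize now, click here to win cash", True),
    ("Subject: Lowest price pills\nFrom: deals@example.net\n\n"
     "<html><font color=\"red\">cheap pills</font> buy now</html>", True),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(message):
    """Turn headers, body text, HTML tags and adjacent word pairs into a feature set."""
    headers, _, body = message.partition("\n\n")
    features = set()
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        # Prefix header words with the header name so "cheap" in a Subject line
        # is a different feature from "cheap" in the body.
        for word in TOKEN_RE.findall(value.lower()):
            features.add(f"{name.strip().lower()}:{word}")
    # HTML tag names are features in their own right (the article notes that
    # HTML code can be screened).
    for tag in re.findall(r"<\s*/?\s*([a-z]+)", body.lower()):
        features.add(f"html:{tag}")
    words = TOKEN_RE.findall(re.sub(r"<[^>]+>", " ", body.lower()))
    features.update(words)
    features.update(f"{a}_{b}" for a, b in zip(words, words[1:]))  # word pairs
    return features


class BayesFilter:
    """Bernoulli naive Bayes over message features with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha            # smoothing constant (constructed choice)
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_counts = Counter()  # feature -> number of spam messages containing it
        self.ham_counts = Counter()

    def train(self, message, is_spam):
        feats = tokenize(message)
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(feats)
        else:
            self.ham_docs += 1
            self.ham_counts.update(feats)

    def spam_probability(self, message):
        """P(spam | features), computed in log space to avoid underflow."""
        total = self.spam_docs + self.ham_docs
        vocab = set(self.spam_counts) | set(self.ham_counts)
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for f in tokenize(message):
            if f not in vocab:
                continue  # never-seen features carry no evidence either way
            log_spam += math.log((self.spam_counts[f] + self.alpha)
                                 / (self.spam_docs + 2 * self.alpha))
            log_ham += math.log((self.ham_counts[f] + self.alpha)
                                / (self.ham_docs + 2 * self.alpha))
        m = max(log_spam, log_ham)
        return math.exp(log_spam - m) / (math.exp(log_spam - m) + math.exp(log_ham - m))


def build_filter():
    """Train a filter on the constructed corpus and return it."""
    f = BayesFilter()
    for msg, is_spam in TRAINING:
        f.train(msg, is_spam)
    return f


if __name__ == "__main__":
    f = build_filter()
    print(f.spam_probability("Subject: Cheap pills\nFrom: x@example.net\n\n"
                             "Buy cheap pills now, click here"))
```

With a six-message corpus the probabilities are extreme; in practice the value of the approach comes from training on the organisation's own mail, which is why the article's point about centralised management matters: a centrally trained model sees far more examples than any one user's mailbox.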

However, the Bayesian filter does not work by itself. It works in conjunction with a dictionary element. “This uses a Latin dictionary to identify certain words and meanings associated with things such as adult material and drugs. The dictionary is integrated to check whether inappropriate words are repeatedly added into the text or are in the title,” explains Neophytou. “This is a complicated process that mainly uses mathematical algorithms, but it can maximise the accuracy of categorising an e-mail as spam,” he continues.

In addition to lexical filtering and the recognition of distinguishing features in HTML code, such as colours, content filtering solutions also use a checksum-based scheme known as DCC, the Distributed Checksum Clearinghouse. This system checks the quantity of e-mails that are coming out of a particular server, as a high daily transmission rate typically corresponds to a high probability that the output will be spam.

Finally, content filtering will screen the origin of incoming mails, checking against a list of known, blacklisted servers. This filtering parameter requires regular anti-spam updates to ensure an up-to-date ‘black hole’ list is in use, providing maximum security.
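The two origin-based checks described in the last two paragraphs (the DCC-style bulk check and the blacklist of known servers) can be illustrated together. The Python below is an added example for this page, not DCC's or any vendor's code. It builds the reversed-octet name a DNS-based block list client would resolve, stands in for the lookup with a constructed blocklist so it runs offline, and keeps a count of both messages per sending server (the measure the article describes) and of a fuzzy body checksum (the measure the real DCC counts, so that near-identical bulk copies collide). The IP addresses, zone name, thresholds and sample messages are all constructed.

```python
import hashlib
import re
from collections import Counter

# Constructed blocklist using documentation address ranges; it stands in for the
# published "black hole" list a gateway must refresh regularly.
BLOCKLIST = {"203.0.113.7", "198.51.100.42"}


def dnsbl_query_name(ip, zone="bl.example.invalid"):
    """Name a real DNSBL client resolves: the octets reversed, then the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad expected")
    return ".".join(reversed(octets)) + "." + zone


def is_blocklisted(ip, blocklist=BLOCKLIST):
    """Offline stand-in for resolving dnsbl_query_name(ip); a live client would
    treat an A record in 127.0.0.0/8 as a listing."""
    return ip in blocklist


def fuzzy_checksum(body):
    """Checksum of the body after normalising case, digits and whitespace, so that
    copies that differ only in amounts, dates or tracking codes collide."""
    norm = re.sub(r"\d+", "#", body.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16]


class GatewayReputation:
    """Counts what a gateway has seen so far and reports which origin rules a message trips."""

    def __init__(self, bulk_threshold=3, volume_threshold=50):
        self.bulk_threshold = bulk_threshold      # copies of one checksum before it is "bulk"
        self.volume_threshold = volume_threshold  # messages from one server before it is "high volume"
        self.checksum_counts = Counter()
        self.server_counts = Counter()

    def observe(self, sender_ip, body):
        """Record one delivered message; returns its fuzzy checksum."""
        ck = fuzzy_checksum(body)
        self.checksum_counts[ck] += 1
        self.server_counts[sender_ip] += 1
        return ck

    def reasons(self, sender_ip, body):
        """Every rule the message trips, in fixed order; an empty list means no hit."""
        hits = []
        if is_blocklisted(sender_ip):
            hits.append("sender on blocklist")
        if self.checksum_counts[fuzzy_checksum(body)] >= self.bulk_threshold:
            hits.append("bulk checksum")
        if self.server_counts[sender_ip] >= self.volume_threshold:
            hits.append("high sender volume")
        return hits


def demo():
    """Feed four personalised copies of one constructed bulk mailing through the gateway."""
    gw = GatewayReputation()
    for n in (1001, 1002, 1003, 1004):
        gw.observe("192.0.2.10", f"You have won! Claim prize #{n} within 24 hours.")
    return gw


if __name__ == "__main__":
    gw = demo()
    print(gw.reasons("192.0.2.10", "You have won! Claim prize #9999 within 48 hours."))
    print(dnsbl_query_name("203.0.113.7"))
```

The checksum counter is only useful if many gateways pool their counts, which is exactly what the clearinghouse in DCC's name provides; a single site sees too little of any one mailing. The blocklist side depends entirely on the freshness of the list, as the article notes.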

Large organisations with strict regulatory and internal compliance policies, such as banks, need to be concerned with employing sophisticated content filtering solutions according to Kwisthout: “A small manufacturing company would probably be mainly concerned with an anti-virus or maybe anti-spam protection, probably not even at the gateway level but rather at the PC or server level. For larger enterprises, however, particularly in zones with strict regulatory elements such as Europe and the US, comprehensive content filtering is definitely critical.”

Despite the fact that external compliance is less of an issue in the Middle East, Kwisthout believes that companies often require stringent control not just for virus prevention but also for other reasons: “I think in this area the need for filtering is probably more of a cultural issue than a regulatory one. Junk mail can often contain very sensitive material and in the culture of the Middle East I believe that most companies feel the need to protect their employees from inappropriate content.”

Having developed one of the world’s most comprehensive e-government systems, protecting that system became a major priority for Bahrain’s Central Informatics Organisation (CIO), the body responsible for regulating the Kingdom’s governmental IT systems. The CIO last year set an example to the region’s business community on the importance of virus protection when it deployed anti-virus and content filtering software for the entire government network.

“The problem for a large corporation is that if that one layer fails the system will be completely exposed. Companies investing in this type of multilayer gateway and email server technologies demand very high accuracy rates to ensure maximum security on inbound and outbound messages, and local and internet mail traffic,” explains Neophytou.

Even with the latest updates and the parameters tuned to meet an organisation’s compliance policies, the filtering software is rarely foolproof. Spammers mix numbers with letters in order to get junk mail to slip through the filters.

On the other hand, the dictionary facilities in the software can be slightly overzealous, and critics of content filtering solutions point out that it is not difficult for the programmes to unintentionally exclude desirable content. Neophytou agrees: “An over-sensitivity to trigger words can result in legitimate messages being blocked and this can create delays in business practices for an organisation, resulting in them losing money. That is where the anti-spam software can still fall down.”
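Both sides of the last two paragraphs, the number-for-letter tricks that let junk slip past a dictionary and the over-sensitivity that blocks legitimate mail, can be shown in a few lines. The Python below is an added example for this page, not any product's dictionary engine. It normalises look-alike substitutions before matching and then contrasts a substring match, which fires on a trigger word hidden inside an ordinary word, with a whole-word match, which does not. The trigger list and substitution table are constructed and deliberately small.

```python
import re

# Constructed trigger list; a production dictionary is far larger and tuned per site.
TRIGGER_WORDS = {"viagra", "cialis", "casino"}

# Constructed table of digit/symbol look-alikes used to disguise trigger words.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "|": "l",
})


def normalise(text):
    """Undo look-alike substitutions and drop single separators inserted between
    letters ('v.i.a.g.r.a', 'v-i-a-g-r-a') before dictionary matching.
    Note the table is applied to the whole text, so genuine numbers are mangled
    too: that is itself a source of false positives in a naive filter."""
    text = text.lower().translate(SUBSTITUTIONS)
    return re.sub(r"(?<=[a-z])[.\-_*](?=[a-z])", "", text)


def flag_substring(text):
    """Over-zealous variant: a trigger word counts even inside another word."""
    norm = normalise(text)
    return {w for w in TRIGGER_WORDS if w in norm}


def flag_whole_word(text):
    """Stricter variant: only whole tokens match, so 'specialist' no longer trips 'cialis'."""
    tokens = set(re.findall(r"[a-z]+", normalise(text)))
    return TRIGGER_WORDS & tokens


if __name__ == "__main__":
    for msg in ("Our specialist will visit on Monday", "v1agra for sale", "c.a.s.i.n.o bonus now"):
        print(repr(msg), flag_substring(msg), flag_whole_word(msg))
```

Whole-word matching removes one class of false positive but not all of them; a legitimate pharmacy or a travel agent booking a casino hotel will still trip the stricter filter, which is why the article's sources stress tuning the dictionary to the individual organisation rather than shipping a fixed list.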

However, traditional signature-based client and parameter filtering still struggles to contain the spread of worms and viruses once they reach a network. The complexity of the new viruses and worms that are emerging is growing rapidly, and there is a need to respond with better quality tools. “By exploiting vulnerabilities in a system, the automatic spread of the new malware is able to occur extremely quickly and in a traditional anti-virus it can take many hours to provide an update,” explains Neophytou.

This problem can be exacerbated because, even though vulnerabilities in the systems may be known and patches provided long before the worm is released, businesses do not necessarily update their systems promptly. “Once a patch is released systems must be updated and even though in most cases these updates are automatic, vulnerabilities are still found regularly. Worms exploit this on a regular basis,” Neophytou continues.

Enterprises now require proactive protection policies that can rapidly identify rogue and infected devices. In contrast to traditional algorithmic programming, which is based on mathematically provable procedures, heuristics-based technologies can serve this need by protecting against new worms and viruses without the need to update immediately. A branch of artificial intelligence, heuristics is characterised by its self-learning abilities, enabling a high percentage of virus detection even without the latest systems updates.

Conventionally, anti-virus vendors publish updates of known medicines for specific viruses that are downloaded to the server usually on a daily or weekly basis. This definition database functions as a yes/no filter for every email or internet connection, checking for viruses against a selection of samples.

Currently, if a company experiences an outbreak of a novel form of malware, there is a possibility that the necessary medication is not in the database, and the company may have to wait anywhere from one minute to one month for the vendor to provide an update. “In this case of advanced heuristics, the artificial intelligence senses whether an email attachment or website is trying to enter the server computer and can decide instantly whether or not it looks like a virus. The solution can provide a success rate of up to 90%,” explains Neophytou.
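As an added illustration of the signature-free approach Neophytou describes (example code written for this page, not any vendor's heuristic engine), the Python below scores an e-mail attachment from nothing more than its filename and leading bytes: an executable extension, a document extension used as a decoy in front of an executable one, a name padded with spaces to push the real extension out of view, and a Windows executable header under a non-executable name. The extension lists, weights and sample attachments are constructed for the example.

```python
# Constructed lists: types that should rarely arrive by e-mail, and document
# types commonly used as the harmless-looking half of a double extension.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"doc", "xls", "pdf", "txt", "jpg", "gif", "zip"}


def attachment_heuristics(filename, data):
    """Score an attachment from its name and leading bytes alone, with no
    signature lookup. Returns (score, reasons); higher means more like malware.
    The caller chooses the threshold that suits its tolerance for false positives."""
    reasons = []
    score = 0
    name = filename.lower()
    parts = [p.strip() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        score += 2
        reasons.append(f"executable extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        score += 3
        reasons.append("double extension hides an executable behind a document type")
    if "  " in name:
        # Runs of spaces push the real extension out of view in many mail clients.
        score += 2
        reasons.append("padded filename")
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        # MZ is the magic of a Windows executable; the name says otherwise.
        score += 4
        reasons.append("executable (MZ) header under a non-executable extension")
    return score, reasons


# Constructed sample attachments: (filename, first bytes). The byte strings are
# only the leading magic numbers, not real files.
SAMPLES = [
    ("report.doc", b"\xd0\xcf\x11\xe0"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("photo.jpg", b"MZ\x90\x00"),
]


def scan_samples(threshold=4):
    """Return the sample filenames whose score reaches the threshold."""
    return [name for name, data in SAMPLES if attachment_heuristics(name, data)[0] >= threshold]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, attachment_heuristics(name, data))
```

The weights are arbitrary and that is the point of the article's caveat: a heuristic that fires on "any .exe" will also block a legitimately mailed installer, so the score is an input to a policy decision rather than a verdict, and the vendor's quoted "up to 90%" figure is a detection rate, not a false-positive rate.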

This emerging trend in anti-virus filtering is gradually finding its way into improving other areas of content filtering: “There will be more intelligence introduced to the problem of anti-spam filtering. By including heuristics in this system, spam filtering will also become more accurate,” says Neophytou.

While more tools are becoming available that aim to maximise security for a specific level, it will still not be possible for organisations to protect themselves entirely. To minimise the ever-present risk, enterprises are beginning to look for centralised systems that impose certain security updates, possessing the ability to isolate and remotely repair infected devices during an outbreak.

Feeding information to a central administration system can reveal vulnerabilities and infections in a specific area of a network, alerting IT departments immediately to any problems in the set-up.

Installing the necessary anti-virus software on every PC is not cost effective. A central administration platform gives complete control over the business’ internal systems. “In larger enterprises there is a vital need for remote management tools because it saves a lot of financial resources and time,” Neophytou says. “They also make it easy for IT managers to see that every anti-virus solution is correctly updated. If they become aware of an infection in a machine then a cleaner can even be deployed remotely.”

While security is becoming an ever-higher priority for companies in the Middle East, the security vendors are engaged in a head-to-head battle with anonymous internet pirates: “They release new malicious codes and we try to keep up with them by developing the protection. We are developing protection against viruses, hacker attacks and spyware – it’s not just anti-virus at the moment, it is anti-everything,” says Kaspersky.

“To keep up with the hackers it takes a team of experts working round the clock, seven days a week and without any holidays to fish for the new virus samples, analyse and process them and find a detection and cure quickly and cheaply,” he adds.

For enterprises though, the protection of their core business is not a matter that should be taken lightly. As Kaspersky says, “Security is security — it does not matter if it’s your anti-virus, your car alarm system or the lock on your door — until it’s hacked. Then you realise the value of security.”
