Securing against Viruses, Malware and Email Hoaxes Good Practice Guideline

Programme: NPfIT
Document Record ID Key: NPFIT-FNT-TO-IG-GPG
Sub-Prog / Project: Infrastructure Security
Prog. Director: Chris Wilber
Status: Approved
Owner: James Wood
Version: 2.0
Author: Mark Penny
Version Date: 12th February, 2010

Securing against Viruses, Malware and Email Hoaxes Good Practice Guideline

Crown Copyright 2010

Amendment History:

Version Date Amendment History
0.1 First draft for comment /08/2005
Second draft for Peer Review /10/2005
Comments from Phil Benn incorporated /02/2006
Technical Author, Sections added /03/2009
Reviewed, revised and updated. Previous author: James Wood /03/2009
Further updates following peer review /03/2009
Further updates following peer review /04/2009
Draft for approval 1.4a 30/09/
2nd draft for approval following approver comments /10/2010
Document approved.

Forecast Changes:
Anticipated Change: Annual Review. When: February 2011.

Reviewers: This document must be reviewed by the following:
Name | Title / Responsibility | Version
Infrastructure Security Team | | 1.4a
James Wood | Head of IT Security | 1.4a

Approvals: This document must be approved by the following:
Name | Title / Responsibility | Version
James Wood | Head of IT Security | 2.0

Distribution: NHS Connecting for Health Infrastructure Security Team Website

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents: These documents will provide additional information.

Ref no | Doc Reference Number | Title | Version
1 | NPFIT-SHR-QMS-PRP-0015 | Glossary of Terms Consolidated.doc | Latest
2 | NPFIT-FNT-TO-IG-GPG-0033 | Glossary of Security Terms (nfrasec/gpg) | Latest

Contents

1 About this Document
1.1 Purpose
1.2 Audience
1.3 Content
1.4 Disclaimer
2 Introduction
2.1 Background
3 Anti-virus
3.1 Desktop Software
3.2 Gateway Device Software
3.3 Email Server Software
3.4 File Servers, Standalone Servers and Anti-Virus Exceptions
3.5 Instant Messaging Services
3.6 Anti-Virus Policy
4 Malware and Spyware
4.1 User Education
4.2 Technical Solutions
4.2.1 Active Monitoring
4.2.2 Passive Network Monitoring
4.2.3 Desktop Security Policies
5 Phishing and Scams
5.1 User Education
    The 419 Scam
    Pyramid Schemes, Chain Letters & Fake Notifications
    Current News Hoax
    Fake Security Software Hoax
    Spear Phishing
5.2 Technical Solutions
Appendix A - Suggested Attachment Block List

1 About this Document

1.1 Purpose

The purpose of this document is to establish vendor and product independent guidelines that will enable organisations to minimise the impact of virus and malware infections. It also provides preventative recommendations that should help reduce an organisation's exposure to viruses and malware.

Guidance on ensuring the confidentiality and integrity of sensitive information is detailed in this document, including:

- The appropriate measures to take in the event of a virus attack or the discovery of malware on a system or systems.
- Dealing with malware and spyware introduced into N3 connected systems without the knowledge of users.
- The minimum standards for anti-virus protection within N3 connected networks.
- How to deal with malware, spyware, hoaxes, phishing and scams, which may vary in content but follow a similar overall structure.

1.2 Audience

This document assumes a general understanding of the terms virus and malware. It also assumes a general understanding of other computing related terms.

Further information on information security and related matters is available from the NHS Connecting for Health Infrastructure Security Team website:

1.3 Content

This document comprises the following sections/topics:

- Description and information on anti-virus products for different types of platform.
- Technical solutions for monitoring for malware.
- The need for an anti-virus policy.
- The need for user education on viruses, malware and phishing.
- Descriptions of common phishing attacks and how to spot them.
- An appendix of attachment types which organisations could consider blocking because they could be used to deliver malicious payloads.

1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes.

This means that changes implemented following this guidance are done so at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

2 Introduction

This document provides general information on the topics of viruses and malware together with potential solutions for their proactive detection and eradication. It covers the concepts of phishing and pharming and what can be done from the perspective of user education in this regard. The document also details additional defence-in-depth concepts which can assist in protecting information assets from harm from viruses and malware.

2.1 Background

Attackers are increasingly utilising viruses and malware in their attempts to compromise systems, gain unauthorised access to information and take control of computer resources, often redirecting these resources for attacks against other targets.

Spyware and malware are often bundled with legitimate software. When users install the legitimate software they can also inadvertently install the bundled spyware, affecting the confidentiality and integrity of their systems' security. The nature of this type of software can present long term issues for security because it often remains hidden from the user (or poses as a legitimate application) while continually divulging information from the infected host.

The most effective defences against viruses, malware and hoaxes are those that combine various technologies and strategies. These range from in-depth technical solutions to effective user education, preventing the compromise of these technical solutions.

3 Anti-virus

Anti-virus software and related applications can be used as a technical defence to stop viruses from infecting systems. Such software is generally host based and runs on the system it is protecting. Anti-virus software can detect many types of malware. These types include computer viruses, worms and trojan horses as well as spyware.

A computer virus is a type of malicious software which infects files on a computer system. A virus may look for specific types of file to infect, such as Word documents; once an infected document is sent to someone else, the virus then spreads to and infects that person's PC. A resident computer virus can survive system reboots and operates in the background on the system, looking for files to infect. A non-resident computer virus only runs when an infected file is launched.

A worm is a type of malicious software which does not require user interaction to run. Worms can spread from system to system utilising automated infection methods and generally exploit un-patched software vulnerabilities in order to spread. A worm does not steal personal information from systems but simply exists to spread and cause system problems in relation to integrity and availability.

A trojan horse is malicious software which on the surface has a legitimate usage but unbeknownst to the user contains functionality which can be used to steal sensitive data or perform other unwanted actions.

3.1 Desktop Software

It is frequently possible to deploy anti-virus software solutions, offering varying degrees of protection, at many different points on the network. Due to the increasing capabilities of desktop machines and their growing exposure to the Internet, host based anti-virus software should be deployed as a bare minimum. A typical feature set would include:

- On Access (Memory Resident) scanning.
- On Demand scanning.
- Scheduled scanning.
- Heuristic capabilities.
- Automatic updating of definitions and engine.
- Integration with email and messaging services.
- Logging of all relevant events.
- Restriction of amendment of software configuration settings to authorised personnel only.

It is worth noting that many vendors of traditional anti-virus software solutions have somewhat diversified in relation to the capabilities of their products in direct response to the different types of threat which have materialised in recent years. Many vendors now market their solutions as security suites offering not only traditional anti-virus detection capabilities but additionally features including:

- A software firewall.
- Anti-spyware features.
- Browser plug-ins for detecting phishing web sites and malicious scripts.
- Anti-rootkit features.
- USB device control.

Whilst such defence-in-depth features may provide additional protection from a broad spectrum of threats, the increased size of the products with their additional performance related demands may mean that on some older systems, system responsiveness is affected.

Memory resident scanning provides protection for users from external threats such as malicious sites on the Internet. To provide additional functionality, some websites may download certain files such as Java Applets or ActiveX objects to the user's computer. These objects may contain malicious code which then infects the computer. On access scanning allows the anti-virus product to block this malicious code before it runs.

All desktop machines connected to the network or with access to the Internet should have anti-virus software installed. The signed Code of Connection or Information Governance Statement of Compliance (IGSoC) details this requirement.

Appropriate mechanisms should be in place to ensure virus definition updates install as soon as available or, if necessary, after stability testing by authorised personnel. Software settings should include daily updates distributed from a centrally provided mechanism. This ensures critical updates will install as soon as available. Further information can be found in the Patch Management Good Practice Guideline (GPG) document available from the NHS CFH Infrastructure Security Team web site.

Such frequency of updates may not be possible with portable devices; these will require an automatic check when they access the network and will update as appropriate. Alternatively, some vendors do provide the facility to update virus definitions and the anti-virus software direct from systems controlled by the vendor when a portable device is on the road. This can be useful for devices which are rarely connected to the organisation's network. Remote access solutions may provide additional mechanisms to ensure that the standards for protection are in place on the portable device before allowing full access to the network. [3]

On demand scans allow the user of the machine to scan single files and folders or groups of files and folders as required. This is useful in situations where files have been obtained from a 3rd party (such as on removable media) and the user wishes to ensure that the files are free from viruses and malware.

[3] Further information is available in the Remote Access and Remote Management GPG documents available from the NHS CFH IST web site:

Scheduled scans should be performed on a weekly basis and should consist of a complete and vigorous scan of the machine. This maintains a consistent baseline of protection. If possible, schedule this scan to run outside of normal office hours or at a time which will not disrupt normal working. For laptops or other portable devices, the scan needs scheduling as normal but should run as soon as possible once the time at which it was supposed to run has passed. Many vendors allow their anti-virus products' on demand and scheduled scans to be throttled to only use a specific percentage of processor power. This impacts user working less when such a scan is running and should be considered as an option if available and if scans are likely to run when users are working on their machines.

A heuristic capability refers to the ability of the anti-virus software to detect patterns of behaviour on the machine which may represent virus or malware like activities. This type of capability can be useful for detecting viruses and malware which are very new and for which the vendor does not yet have a specific signature available. This further increases the protection that the software can provide. The downside to this capability is that on occasion, innocent activities can potentially be flagged as malicious activity (a "false positive"), which can cause unwanted alerts to be generated.

3.2 Gateway Device Software

The term gateway device refers to any device which is used to route, inspect or block network traffic: for example, firewalls, proxy servers, remote access devices, routers, Intrusion Detection Systems (IDS) and so forth. Due to their exposure, gateway devices are particularly vulnerable to attack and, if not correctly protected, can potentially act as the initial infection point of a network.

The software installed on gateway devices should have all the features of the software deployed on desktop machines but should also include server specific features such as:

- Inbound and Outbound traffic monitoring.
- Large Traffic Volume Protection.
- Heuristic detection mechanisms to detect as yet unidentified viruses in the wild.

Gateway devices require specialist software, expressly designed for operation in server environments or high load situations. Desktop software may not be capable of handling the increase in traffic and does not employ server specific features. The use of different software (possibly from different vendors) also provides defence-in-depth; separate solutions are less likely to be as easy to compromise as one solution across all areas.

Due to the complex nature of attacks, which may spread through the use of email, web or network vulnerabilities, the gateway must be able to automatically protect the network when it recognises malicious activity. This heuristic, or behaviour based, defence allows the software to automatically block suspected traffic through automatic detection of new viruses or outbreaks.

An example of such a gateway is the web proxy filter. These devices monitor all inbound and outbound traffic (such as HTTP and FTP protocols) for viruses, malware and virus-like activity. Provision of such a device provides defence-in-depth when allied with desktop anti-virus products.

3.3 Email Server Software

Email is a business critical tool that affects how organisations run, both internally and externally. The widespread usage of and increasing reliance on email leaves it open to exploitation as a means for the transmission of viruses and phishing attacks. In addition to the requirements for server grade anti-virus solutions, email systems must include specific features that offer additional protection from this avenue of attack. Email specific features include:

- Quarantine of possibly infected files.
- Mass mailing protection.
- Secured access to logs and quarantined files for audit purposes.
- Generic attachment filtering (see Appendix A).
- Email content and attachment inspection.
- Controls to prevent the forwarding of infected emails.

- Multiple virus/malware detection engines.

If available, it may be prudent to disallow all attachments apart from those specified on an allowed list (or whitelist). This is relatively easy to maintain, and validation against an established case (e.g. what business need is there for attachment type a, b or c to be transmitted) can occur on a case by case basis.

Email anti-virus and anti-spam measures must not provide an avenue for indirect but disruptive attacks, e.g. flooding users with alerts and rejection messages. If message alerts are used they should:

- Provide only minimal information.
- Not be sent to the originator of the email; this may lead to information leakage through error messages.

Commercially available services offering real time updates to email services with critical or 0-day (zero-day) signatures can sometimes prevent the newest types of viruses getting through the gateways. Signatures for email protection and gateway devices require updating as frequently as possible. Standard commercial services can offer hourly push updates to ensure maximum protection.

Alternatively, commercial 3rd parties exist that provide services for scanning inbound/outbound email for viruses, malware, phishing scams and so forth. These systems work by having all email routed via the service provider and scanned prior to onward delivery to its destination.

For NHS organisations, it is the recommendation of the NHS CFH Infrastructure Security Team that the services of NHSMail are used. As well as providing a standard platform based on Exchange 2007, NHSMail provides facilities to detect and respond to malware and spam, attachment blocking and other such services. More information can be obtained from:
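As an added example that is not part of the guideline, the allowed-list attachment policy and the alerting rules above expressed in Python: the allowed extensions, the magic-byte table and the sample message are all constructed for this example.

```python
# Added example (not from the guideline): allowed-list attachment policy for an
# email gateway, with a minimal alert that goes to the recipient, never the sender.
# The allowed list, magic-byte table and sample message are constructed here.
import email
from email import policy
from email.message import EmailMessage

# Allowed list: anything not on it is quarantined. The guideline prefers an
# allowed list (easy to maintain, justified case by case) over a block list.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "csv", "png", "jpg"}

# Leading bytes expected for some allowed types, used to spot an attachment
# whose claimed type (name, and hence icon) does not match its real content.
MAGIC_BYTES = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "png": (b"\x89PNG",),
    "jpg": (b"\xff\xd8\xff",),
}


def classify_attachment(filename, data):
    """Return (allowed, reason) for one attachment. Only the final extension
    counts, so 'statement.pdf.exe' is judged as an .exe."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not on allowed list"
    expected = MAGIC_BYTES.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        return False, f"content does not match declared type '{ext}'"
    return True, "allowed"


def apply_policy(raw_message):
    """Inspect a raw RFC 5322 message and return the gateway decision.
    On quarantine the alert names no attachment and is addressed to the
    intended recipient; detail stays in the gateway log."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        ok, reason = classify_attachment(part.get_filename(), payload)
        if not ok:
            findings.append((part.get_filename(), reason))
    if not findings:
        return {"action": "deliver", "alert_to": None, "findings": []}
    return {
        "action": "quarantine",
        "alert_to": msg["To"],  # recipient, not the originator
        "alert_text": "A message addressed to you was quarantined by the mail gateway.",
        "findings": findings,  # for the gateway log / audit, not for the alert
    }


def build_sample(attachments):
    """Construct a multipart message carrying the given (filename, bytes) parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed: a genuine PDF header, a double-extension executable, and a
    # file named .pdf whose bytes are really a Windows executable header.
    sample = build_sample([
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("statement.pdf.exe", b"MZ constructed"),
        ("notes.pdf", b"MZ constructed"),
    ])
    print(apply_policy(sample))
```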

3.4 File Servers, Standalone Servers and Anti-Virus Exceptions

Apart from dedicated servers (e.g. gateway and email systems), there are often cases in which an anti-virus solution is desirable but, due to possible impacts on availability and performance of systems, prior consideration is necessary. Cases may also exist where certified devices may not support additional software due to their intended purpose, e.g. certified medical devices. [4]

On Access scanning or memory resident detection mechanisms may adversely affect high volume servers that demand high availability, though enterprise class anti-virus solutions can go some way to alleviating these concerns. There is also the possibility that specific files/directories could be excluded from the scanning regime such that performance is not affected. For example, Microsoft makes specific recommendations in relation to SQL Server and the types of files and location of directories which can be excluded from scanning so as not to impact the system performance. It should be noted however that excluding files and directories means that should excluded files/directories become infected, the anti-virus solution will not detect the infection.

There will always be some areas unable to support anti-virus, either through incompatibility with appropriate class software or performance impacts. In such cases it is often useful to run scheduled scans as frequently as possible during time periods when resource demand is low. If the system will not support this, scheduled maintenance periods will be necessary to perform comprehensive and complete systems scans.

Systems which, due to restrictions, are unable to adopt appropriate anti-virus measures should be isolated from the network using measures as detailed in those Good Practice Guidelines relating to secure Local Area Network (LAN) environments. [6] Additionally, these devices require monitoring through increased auditing and possibly Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS).

3.5 Instant Messaging Services

Instant Messaging services are now readily available through Internet Service Providers (ISPs), commercial suppliers and often internally within organisations.

[4] The Patch Management GPG provides additional information including statements from the MHRA on such devices.
[6] For a complete list of Good Practice Guidelines see

These services allow users to chat in real time, while also giving them the ability to share files and workspaces. It is this ability to transmit files, and the possibility that any such transmissions may bypass established controls, that makes instant messaging services a significant problem area for those tasked with protecting a system from virus infection. Many anti-virus manufacturers have responded to this situation (via integration with messaging products or file analysis) with solutions that provide real time monitoring of files within instant messaging systems.

For those using externally provided IM systems (such as those from Microsoft, Google or Yahoo, for example), there is the additional problem of IM spam and possible phishing attacks. If organisations use internal IM systems, they should investigate the features and facilities provided by the software manufacturer which can be turned on to minimise the possibility that malicious files could be shared.

Unless absolutely necessary for business functions, the transfer of files using instant messaging services should be disabled and more robust methods utilised as an alternative. For example, the NHS Secure File Transfer Service can be used. More information is available at: (N3 connection required.)

3.6 Anti-Virus Policy

Although many threats can be combated using technology, the key to a robust anti-virus policy is empowering each user with the necessary knowledge to help prevent virus outbreaks. An anti-virus policy may be a separate entity or integrated within an overall IT policy. In either case, it should contain a version of the following points:

- Do not open attachments from unknown senders.
- Do not download software to corporate hardware.
- Do not install software unless provided by your IT department.
- Report any suspicions relating to viruses or malicious software to your IT department immediately.
- Never disable any anti-virus software on your machine or prevent it from updating. [7]

Users should be aware of the policies in place. Regular bulletins to staff should inform them of any new information or updates to policy. Disciplinary action should be taken against employees who wilfully break the policy (e.g. disabling anti-virus software or attempting to remove it from their machine).

[7] Technical means should be put in place to ensure that users cannot disable or interfere with anti-virus software. Ideally, this is best implemented by ensuring the principle of least privilege is implemented on user desktop systems (i.e. users are not local administrators on their machines).

4 Malware and Spyware

Due to the many possible methods of infection by malware and spyware, an effective anti-malware strategy requires equally varied levels of protection. Many types of malware application collect information which may be valuable to vendors of those applications, such as browsing habits or the popularity of certain products. This information can then have resale value to the vendor for marketing purposes and can be sold on to other companies. More sensitive information can also be stolen by such software, including credit card numbers, credentials for online banking services (often via a keylogger) and so forth.

Some types of malware, once installed, can be used to provide a remote control facility to attackers. Once installed, the user's system becomes part of a larger group of compromised systems known as a botnet. These botnets are controlled centrally and can be used for a variety of purposes such as the sending of spam or for performing Distributed Denial of Service (DDoS) attacks on legitimate web sites.

4.1 User Education

End user education is one of the most effective tools for the prevention of malware incidents. It should make sure that each user can recognise suspicious behaviour and will not attempt to circumvent technical solutions by installing unapproved software, open suspicious attachments or visit websites designed to spread malware. User education should be an ongoing activity and should begin when an employee joins an organisation. Multiple methods for educating users exist, including posters, desk drops, login banners/notices, formal training sessions and so forth. It is of vital importance that the education links in with the corporate policies on anti-virus, acceptable use and so forth. User education is a key weapon in preventing malware attacks.

Whereas previously visiting certain types of web site or malicious site could result in attempted infection via malware, there have been a growing number of incidents where legitimate and well known web sites have been used to spread malware due to elements of the sites being compromised.

The proper policy and procedure regarding malware might include reference to:

- Identifying suspicious attachments.
- The reporting procedure for possible incidents.
- The types of websites which attempt to install malware covertly.
- How suspicious behaviour in software can indicate a malware presence.

4.2 Technical Solutions

Solutions offering varying levels of protection and monitoring of malware behaviour are widely available. However, due to the covert nature of their existence, detection of new types of malware can be difficult. When searching for an infection, it is advisable to monitor patterns of behaviour rather than attempting direct discovery of the software in the first place.

4.2.1 Active Monitoring

Active monitoring of user machines provides real time protection against malicious processes. There are various freely available software products that can actively probe all applications running on a machine and offer some protection against this type of attack. If an application demonstrates behaviour indicating the presence of malware, this type of software should prevent the application starting. Active monitoring software should include the following features:

- Active process monitoring.
- Signature based detection.
- Behaviour based detection.
- Application/Process quarantine.

4.2.2 Passive Network Monitoring

Monitoring at the network level can include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or basic traffic monitoring at the firewall. Seeking evidence of malicious connection attempts by compromised machines, from analysis of captured firewall logs, can offer opportunities for taking corrective action. Many vendors supply management software that will perform anomaly based detection of suspicious or malicious activities through active monitoring of log files and traffic reporting information. Some open source IDS software can accept multiple streams of information and provide suspicious traffic alerts based on signatures. Similarly, network monitoring tools can monitor network health and alert network administrators if they detect increased or unusual traffic behaviour on the network fabric.

Some software offers traffic blocking functionality based on established block lists. If used in conjunction with traffic logs, the source machine and the type of software can be identified and proper action taken. Block lists need to be up to date to ensure that legitimate traffic is not accidentally blocked, or suspicious traffic allowed (due to the source machine trying new destinations in an attempt to send captured data).
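The two signs of a compromised source machine described above, a hit on a block-listed destination and a host trying one new destination after another, checked over firewall log lines; this is an added example and not part of the guideline, and the log format, block list and addresses are all constructed.

```python
# Added example (not from the guideline): analysing firewall logs for the two
# indicators section 4.2.2 describes. The log format, block list and sample
# lines are constructed for this example (documentation-range addresses).
import re
from collections import defaultdict

# Constructed syslog-style firewall records: time src dst dport action
SAMPLE_LOG = """\
2010-02-12T09:00:01 src=10.20.1.15 dst=203.0.113.7 dport=443 action=ALLOW
2010-02-12T09:00:03 src=10.20.1.15 dst=198.51.100.9 dport=80 action=ALLOW
2010-02-12T09:00:05 src=10.20.1.42 dst=198.51.100.23 dport=6667 action=DENY
2010-02-12T09:00:06 src=10.20.1.42 dst=198.51.100.24 dport=6667 action=DENY
2010-02-12T09:00:07 src=10.20.1.42 dst=198.51.100.25 dport=6667 action=DENY
2010-02-12T09:00:08 src=10.20.1.42 dst=198.51.100.26 dport=6667 action=DENY
2010-02-12T09:00:09 src=10.20.1.42 dst=198.51.100.27 dport=6667 action=DENY
2010-02-12T09:00:10 src=10.20.1.42 dst=192.0.2.77 dport=443 action=ALLOW
2010-02-12T09:00:12 src=10.20.1.99 dst=192.0.2.77 dport=443 action=ALLOW
"""

# Constructed block list. A real one must be refreshed regularly, otherwise stale
# entries block legitimate traffic and new destinations are missed.
BLOCK_LIST = {"192.0.2.77"}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def find_blocklist_hits(text):
    """Internal hosts that reached, or tried to reach, a block-listed destination.
    Both ALLOW and DENY count: a denied attempt still identifies the source."""
    hits = defaultdict(set)
    for rec in parse_lines(text):
        if rec["dst"] in BLOCK_LIST:
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def find_fan_out(text, threshold=5):
    """Hosts contacting at least `threshold` distinct destinations on one port.
    A machine denied on destination after destination is the pattern the
    guideline describes: captured data looking for a way out."""
    dests = defaultdict(set)
    for rec in parse_lines(text):
        dests[(rec["src"], rec["dport"])].add(rec["dst"])
    return {f"{src}:{port}": len(d)
            for (src, port), d in dests.items() if len(d) >= threshold}


def suspicious_sources(text, threshold=5):
    """Union of both indicators, so the source machine can be identified for action."""
    result = set(find_blocklist_hits(text))
    result.update(key.split(":")[0] for key in find_fan_out(text, threshold))
    return sorted(result)


if __name__ == "__main__":
    print(find_blocklist_hits(SAMPLE_LOG))
    print(find_fan_out(SAMPLE_LOG))
    print(suspicious_sources(SAMPLE_LOG))
```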

4.2.3 Desktop Security Policies

Combining technological solutions with user education policies can be an extremely effective solution in preventing potentially hostile applications from installing and running covertly on a system. Desktop policies require the attention of every user and should offer guidance on how to conduct day to day business without exposing the company to unnecessary risks. The use of technology to enforce certain desktop policies can be a useful guarantee of policy compliance. This could encompass remote auditing or even operating system specific tools that restrict some user activities.

A basic desktop policy should include:

- Ensuring that user accounts on systems provide the minimum level of privilege required by the user for their role. Ideally, no user should possess local administrator privileges on their computer.
- Preventing users from installing or executing unapproved software.
- Auditing all desktop systems for unapproved software.
- Control of network based resources.
- User responsibility for the use and/or misuse of business assets.
- Control of unauthorised USB devices.

5 Phishing and Scams

Social engineering techniques may attempt to convince users to open attachments that will spread malware infections, or even to divulge sensitive information such as passwords by replying to hoaxes.

5.1 User Education

While technological solutions can alleviate some of the risk surrounding scams (such as spam traps, spam and phishing filters and the like), the most effective defence is user education. Users should be aware of suspicious emails and have the knowledge to identify risks, including knowing that a well executed hoax or scam can look entirely legitimate and professional. Users should also be able to recognise important markers such as:

- Large non-related distribution lists.
- Requests for information not normally divulged.
- Attachments where the icon does not match the supposed file type.
- Large numbers of spelling mistakes.
- Grammatical errors which would be considered abnormal in commercial communications.
- URLs to websites within emails where the URL and the displayed web address text are different.
- URLs within emails which look similar to the URL of the real web site but are subtly different (e.g. small alterations to the domain name etc.).

While there are many different subjects, and equally varied formats, for scam and hoax emails, they often follow similar patterns. The following examples are a representative selection only.

The 419 Scam

Named after the specific Nigerian criminal code it violates, the 419 scam has had extensive exposure in the press. Typically revolving around the international transfer of large sums of money, the sender requests that the user divulges sensitive information (e.g. bank account details) and/or makes upfront monetary payments.

Pyramid Schemes, Chain Letters & Fake Notifications

A common technique initially used to harvest valid email addresses for spam operations. The scammer persuades the user (using financial incentives) to visit malicious websites or otherwise tricks them into running malware infected attachments. A well publicised example of this type of scam consisted of an email sent to many thousands of people, requesting money for an orphaned terrorist attack victim. Many people entered their bank details to pledge money; it was only later that the subterfuge was discovered and that those who responded had revealed their bank details to criminals.

A variant on the above is the fake notification which claims that it comes from the user's bank and states that the user's account will be closed unless the user goes to a web site and verifies their details. These types of scam can often be spotted because the fake banking web site linked to requests information which a bank would never ask for, such as PIN number and National Insurance number.

Current News Hoax

Attackers also use emails claiming to contain detailed information on worldwide issues, and popular and/or breaking news stories, to spread viruses, trojans or spyware. They can achieve this by tricking users into running malware applications after masking them within what seems to be a potentially useful utility.

A related type of hoax is that which arrives in an email and claims that a file on the user's computer is a virus and provides instructions on how to remove the infected file. These types of hoax also state that the user should forward the email to all contacts in their address book. The file in question referenced in these hoaxes is usually a system file and therefore benign. An example of this type of hoax is the infamous Teddy Bear virus.

Fake Security Software Hoax

A recent trend has been the emergence of fake security software. The normal delivery mechanism for such software is via adverts in legitimate web sites or by visiting certain types of web site. Normally, a pop-up dialog box will appear claiming that the user's PC is infected with viruses or malware and that by downloading and installing a piece of software they can run a more thorough check of their PC. Once the software is downloaded and installed, it pretends to scan the PC and finds several examples of viruses and malware on the system. The software then requests payment (via credit or debit card) in order to remove the viruses and malware found. If the user does not pay for the software, it repeatedly generates pop up messages warning of virus and malware infection. Such software often contains techniques to thwart removal. Fake security software can often be detected and removed by legitimate anti-virus products.

Spear Phishing

This is a type of targeted attack which can focus on specific individuals within an organisation. The individuals who are the targets are often those who are very senior within an organisation or whom an attacker would consider to have access to sensitive and valuable information. Alternatively, targets may be considered or known to be high net worth individuals. Spear phishing attacks often take the form of an email which attempts to coerce the recipient into either installing or downloading a piece of software. Once the software is installed, it can monitor keystrokes, spy on and relay sensitive information viewed by the target, and so forth. These emails can often appear to come from senders that the recipient may have communicated with in the past or may even trust. Thus, such attacks can be very difficult to spot indeed.

There have also been cases of new (often 0-day) vulnerabilities being used in spear phishing attacks. Vulnerabilities in Acrobat Reader and Microsoft products have been targeted in this way, as it is more likely that the attack will not be detected by anti-virus or anti-malware products and will not have been patched. User education and awareness training is the best way to detect spear phishing attacks, and the advice given in the User Education section above will be of benefit. A useful website which provides further information on identity theft, phishing, scams and hoaxes is Get Safe Online.
See: Technical Solutions Due to the complex nature and diverse subject matter of based hoaxes and scams, software designed to prevent this problem may either produce too many false positives or not be effective enough. However, many technological solutions are available which offer an additional layer to user education. Some features which should be included in hoax or spam monitoring solution would be: Crown Copyright 2010 Page 23 of 29

24 Keyword Searching. Domain blocking of common hoax sources. Statistical analysis of content. Attachment filtering. In addition, applications themselves now contain filters which aim to look for the signs of phishing scams in s received. Any suspected s are flagged for the user s attention and moved to a special folder within the software. Whilst these solutions are not infallible, they do provide an extra layer of defence and along with gateway measures and user training are worth using. Software manufacturers of applications additionally provide updates for these filters to further improve their detection capabilities. The deployment of software which analyses the content of s for particular words or patterns (in conjunction with robust anti-virus software) should further increase the effectiveness of blocking the type of hoaxes which attempt to convince the user to execute malicious software. Crown Copyright 2010 Page 24 of 29

25 A Appendix A - Suggested Attachment Block List Below is a list of suggested blocked file types in attachments. To discover the use of particular file extension Internet resources such as may be useful in associating file types with the relevant program. Please note that the following is not a comprehensive list and is subject to change. 9 File Name Extension.ade.adp.app.asp.bas.bat.cer.chm.cmd.cnt.com.cpl.crt.csh.der.exe File type Access Project Extension (Microsoft) Access Project (Microsoft) Executable Application Active Server Page BASIC Source Code Batch Processing Internet Security Certificate File Compiled HTML Help DOS CP/M Command File, Command File for Windows NT Help file index Command Windows Control Panel Extension (Microsoft) Certificate File csh Script DER Encoded X509 Certificate File Executable File 9 List taken from: These attachment types are blocked by default in Outlook Crown Copyright 2010 Page 25 of 29

26 File Name Extension.fxp.gadget.hlp.hpj.hta.inf.ins.isp.its.js.jse.ksh.lnk.mad.maf.mag.mam.maq.mar.mas.mat.mau File type FoxPro Compiled Source (Microsoft) Windows Vista gadget Windows Help File Project file used to create Windows Help File Hypertext Application Information or Setup File IIS Internet Communications Settings (Microsoft) IIS Internet Service Provider Settings (Microsoft) Internet Document Set, Internet Translation JavaScript Source Code JScript Encoded Script File UNIX Shell Script Windows Shortcut File Access Module Shortcut (Microsoft) Access (Microsoft) Access Diagram Shortcut (Microsoft) Access Macro Shortcut (Microsoft) Access Query Shortcut (Microsoft) Access Report Shortcut (Microsoft) Access Stored Procedures (Microsoft) Access Table Shortcut (Microsoft) Media Attachment Unit Crown Copyright 2010 Page 26 of 29

27 File Name Extension.mav.maw.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh2.mshxml.msh1xml.msh2xml.msi.msp.mst.ops.osd.pcd.pif File type Access View Shortcut (Microsoft) Access Data Access Page (Microsoft) Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) Access Application (Microsoft), MDB Access Database (Microsoft) Access MDE Database File (Microsoft) Access Add-in Data (Microsoft) Access Workgroup Information (Microsoft) Access Wizard Template (Microsoft) Microsoft Management Console Snap-in Control File (Microsoft) Microsoft Shell Microsoft Shell Microsoft Shell Microsoft Shell Microsoft Shell Microsoft Shell Windows Installer File (Microsoft) Windows Installer Update Windows SDK Setup Transform Script Office Profile Settings File Application virtualized with Microsoft SoftGrid Sequencer Visual Test (Microsoft) Windows Program Information File (Microsoft) Crown Copyright 2010 Page 27 of 29

28 File Name Extension.plg.prf.prg.pst.reg.scf.scr.sct.shb.shs.ps1.ps1xml.ps2.ps2xml.psc1.psc2.tmp.url.vb.vbe.vbp.vbs File type Developer Studio Build Log Windows System File Program File MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) Registration Information/Key for W95/98, Registry Data File Windows Explorer Command Windows Screen Saver Windows Script Component, Foxpro Screen (Microsoft) Windows Shortcut into a Document Shell Scrap Object File Windows PowerShell Windows PowerShell Windows PowerShell Windows PowerShell Windows PowerShell Windows PowerShell Temporary File/Folder Internet Location VBScript File or Any VisualBasic Source VBScript Encoded Script File Visual Basic project file VBScript Script File, Visual Basic for Applications Script Crown Copyright 2010 Page 28 of 29

29 File Name Extension.vsmacros.vsw.ws.wsc.wsf.wsh.xnk File type Visual Studio.NET Binary-based Macro Project (Microsoft) Visio Workspace File (Microsoft) Windows Script File Windows Script Component Windows Script File Windows Script Host Settings File Exchange Public Folder Shortcut Crown Copyright 2010 Page 29 of 29
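The markers listed under User Education, the keyword searching and attachment filtering features under Technical Solutions, and the Appendix A block list can be combined into an automated triage check on incoming mail. The script below is an added example and not part of the guideline; the trusted domains, the sensitive-request phrases, the recipient threshold and the sample message are constructed assumptions, and the link parsing is deliberately simple.

```python
# Flag section 5.1 phishing markers and Appendix A attachment types in a raw email.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The 89 extensions from Appendix A (Outlook's default attachment block list).
BLOCKED_EXTENSIONS = set("""ade adp app asp bas bat cer chm cmd cnt com cpl crt csh der exe
fxp gadget hlp hpj hta inf ins isp its js jse ksh lnk mad maf mag mam maq mar mas mat mau
mav maw mda mdb mde mdt mdw mdz msc msh msh1 msh2 mshxml msh1xml msh2xml msi msp mst ops osd
pcd pif plg prf prg pst reg scf scr sct shb shs ps1 ps1xml ps2 ps2xml psc1 psc2 tmp url vb
vbe vbp vbs vsmacros vsw ws wsc wsf wsh xnk""".split())
# Keyword searching for "requests for information not normally divulged" (constructed phrases).
SENSITIVE_REQUESTS = ("pin", "national insurance", "password", "account details", "sort code")
TRUSTED_DOMAINS = ("examplebank.co.uk", "nhs.uk")  # constructed: domains the organisation trusts
MAX_RECIPIENTS = 20  # "large non-related distribution list" threshold (assumption)


def registrable(host):
    """Crude registrable-domain cut: two labels, or three under co/org/ac/gov + 2-letter TLD."""
    parts = host.lower().split(".")
    three = len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov") and len(parts[-1]) == 2
    return ".".join(parts[-3:] if three else parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance: catches 'small alterations to the domain name'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the trusted domain that `host` imitates, or None if genuine or unrelated."""
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if reg == trusted:
            return None  # the real domain or a genuine subdomain of it
        label = re.escape(trusted.split(".")[0])
        # One or two character edits, or the trusted name buried inside another domain.
        if edit_distance(reg, trusted) <= 2 or re.search(rf"(^|[.-]){label}([.-]|$)", host):
            return trusted
    return None


def _host_of(text):
    """Hostname if the visible link text looks like a URL or bare domain, else ''."""
    if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text, re.I):
        return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
    return ""


def analyse(raw):
    """Return descriptions of every section 5.1 marker found in a raw RFC 822 message."""
    msg, findings = message_from_string(raw), []
    recipients = [a for h in ("To", "Cc") for a in (msg.get(h) or "").split(",") if a.strip()]
    if len(recipients) > MAX_RECIPIENTS:
        findings.append(f"large distribution list: {len(recipients)} recipients")
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_host and lookalike(sender_host):
        findings.append(f"sender domain {sender_host} imitates {lookalike(sender_host)}")
    bodies = []
    for part in msg.walk():
        name = part.get_filename()
        if name:  # an attachment: compare its extension with the Appendix A list
            if name.rpartition(".")[2].lower() in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(bodies)
    plain = re.sub(r"<[^>]+>", " ", body).lower()  # tag-stripped text for keyword searching
    findings += [f"requests sensitive information: '{p}'" for p in SENSITIVE_REQUESTS
                 if re.search(rf"\b{re.escape(p)}\b", plain)]
    # Compare each link's visible text with where it really points (simple anchor regex).
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        text_host = _host_of(re.sub(r"<[^>]+>", "", text).strip())
        href_host = (urlparse(href).hostname or "").lower()
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and lookalike(href_host):
            findings.append(f"link domain {href_host} imitates {lookalike(href_host)}")
    return findings


# Constructed sample: a fake bank notification of the kind described in section 5.1.
PHISH = """\
From: "Example Bank Security" <security@examp1ebank.co.uk>
To: """ + ", ".join(f"user{i}@example.org" for i in range(25)) + """
Subject: Urgent: your account will be closed
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Verify your PIN and National Insurance number within 24 hours at
<a href="http://examp1ebank.co.uk/verify">https://www.examplebank.co.uk/secure</a></p>
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ
--B--
"""
```

Running `analyse(PHISH)` reports the oversized distribution list, the lookalike sender and link domains, the mismatch between link text and target, the PIN and National Insurance requests, and the blocked .exe attachment; a genuine plain-text statement notice from the real domain produces no findings.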


More information

Contents. McAfee Internet Security 3

Contents. McAfee Internet Security 3 User Guide i Contents McAfee Internet Security 3 McAfee SecurityCenter... 5 SecurityCenter features... 6 Using SecurityCenter... 7 Fixing or ignoring protection problems... 16 Working with alerts... 21

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described in this book is

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Quarterly Report: Symantec Intelligence Quarterly

Quarterly Report: Symantec Intelligence Quarterly Symantec Intelligence Quarterly: Best Practices and Methodologies Quarterly Report: Symantec Intelligence Quarterly Symantec Intelligence Quarterly: Best Practices and Methodologies Contents Symantec

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

www.pandasecurity.com 100% Malware-Free E-mail: A Guaranteed Approach

www.pandasecurity.com 100% Malware-Free E-mail: A Guaranteed Approach 100% Malware-Free E-mail: A Guaranteed Approach 2 100% Malware-Free E-mail: A Guaranteed Approach Panda Security's Mail Filtering Managed Service Guarantees Clean E-mail Table of Contents Table of Contents...

More information

Statistical Analysis of Internet Security Threats. Daniel G. James

Statistical Analysis of Internet Security Threats. Daniel G. James Statistical Analysis of Internet Security Threats Daniel G. James ABSTRACT The purpose of this paper is to analyze the statistics surrounding the most common security threats faced by Internet users. There

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003 Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while

More information

IBM Protocol Analysis Module

IBM Protocol Analysis Module IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network

More information

Why The Security You Bought Yesterday, Won t Save You Today

Why The Security You Bought Yesterday, Won t Save You Today 9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

Basic computer security

Basic computer security Mag. iur. Dr. techn. Michael Sonntag Basic computer security E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Reviewer s Guide. PureMessage for Windows/Exchange Product tour 1

Reviewer s Guide. PureMessage for Windows/Exchange Product tour 1 Reviewer s Guide PureMessage for Windows/Exchange Product tour 1 REVIEWER S GUIDE: SOPHOS PUREMESSAGE FOR LOTUS DOMINO WELCOME Welcome to the reviewer s guide for Sophos PureMessage for Lotus Domino, one

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Guideline for Prevention of Spyware and other Potentially Unwanted Software

Guideline for Prevention of Spyware and other Potentially Unwanted Software Guideline for Prevention of Spyware and other Potentially Unwanted Software Introduction Most users are aware of the impact of virus/worm and therefore they have taken measures to protect their computers,

More information

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,

More information

IBM Endpoint Manager for Core Protection

IBM Endpoint Manager for Core Protection IBM Endpoint Manager for Core Protection Device control and endpoint protection designed to guard against malware and loss of sensitive data Highlights Delivers real-time endpoint protection against viruses,

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information