Wildlife organization battles online attacks

IFAW reportedly targeted by hackers

As the network security engineer for the International Fund for Animal Welfare, Paul Ponte deals with security challenges that are almost as wild and wooly as the creatures his users deal with on a daily basis.

"Some of the places where we work and the people with whom we work introduce security risks that are kind of exotic," he says.

As a controversial, international force in conservation--IFAW leads the fight against the milking of bear bile in China and the baby seal hunt in Canada. The organization finds itself in a number of crosshairs that wouldn't normally be focused on a small non-profit, 375 people strong.

"We have encountered custom-made malware targeted at IFAW that has been delivered to us from host governments specifically for the purpose of spying, for sniffing network traffic," Ponte says. "We've been mail-bombed by dozens of Japanese mail servers because of our anti-whaling stance at a time when we were doing some DNA analysis of some whale meat found in a Tokyo fishmonger's shop. It seems like whenever we get into any sort of semicontroversial stance, there's always some special attention paid to us by one party or another."

For example, when the Canadian seal hunt is on, Ponte's team has noticed probing attacks against the laptops of users attending the watch observation mission on Prince Edward Island.

"They connect to a wireless network that was available at a free coffee shop style wireless network, and suddenly a machine that might have had two security blocks in the previous month gets several hundred," he says.

The users are scattered over the globe, across 15 countries. This makes endpoint security a top priority because each desktop or laptop must be fortified for use outside the network and remain clean enough to return to the network without causing damage.

"About four years ago, after a period of extreme duress in terms of desktop security issues, ranging from viruses to even worms and Trojans--the gamut of desktop security problems--we realized that that part of our security equation was lacking and that we needed to put some more effort into that," Ponte says.

He is more aware than most security administrators of the shortcomings of relying solely on anti-virus software for endpoint protection. Because IFAW has fallen victim to custom attacks, Ponte has seen how little protection a common anti-virus solution offers for unknown malware.

Anti-virus and anti-spyware programs generally depend on defensive signatures that are based on known viruses that security researchers discover. If a virus remains undiscovered by the researchers, no signature is made and the customer remains unprotected.

According to Gartner, signature-based technologies such as anti-virus software have less than a 50 percent chance of catching completely new threats and can miss up to 10 percent of old threats in the wild.

To protect IFAW from the "exotic" threats it faces, Ponte decided to augment his anti-virus protection with whitelisting technology. Rather than blocking out the known bad programs and missing all of the unknown bad programs, IFAW now only allows in the known good programs, keeping all bad programs from launching. Because IFAW had already used Checkpoint technology elsewhere in the infrastructure and it stacked up well against the competition, the organization decided to use Checkpoint Endpoint Security to implement whitelisting.

"We were able to use it to identify and segregate unknown malware-malware that was simply not recognized by any anti-spyware, anti-virus program that's out there, which was shocking to us, frankly," Ponte said. "We've since implemented a much more restrictive program control. We know every application that needs to be run on any of our user's laptops, so we use a whitelist system. If it's not white listed, it won't run until someone in our IT department allows it. Of course, we only allow those things that we trust."

This content continues onto the next page...