Wildlife organization battles online attacks

As the network security engineer for the International Fund for Animal Welfare, Paul Ponte deals with security challenges that are almost as wild and wooly as the creatures his users deal with on a daily basis.

"Some of the places where we work and the people with whom we work introduce security risks that are kind of exotic," he says.

As a controversial, international force in conservation--IFAW leads the fight against the milking of bear bile in China and the baby seal hunt in Canada. The organization finds itself in a number of crosshairs that wouldn't normally be focused on a small non-profit, 375 people strong.

"We have encountered custom-made malware targeted at IFAW that has been delivered to us from host governments specifically for the purpose of spying, for sniffing network traffic," Ponte says. "We've been mail-bombed by dozens of Japanese mail servers because of our anti-whaling stance at a time when we were doing some DNA analysis of some whale meat found in a Tokyo fishmonger's shop. It seems like whenever we get into any sort of semicontroversial stance, there's always some special attention paid to us by one party or another."

For example, when the Canadian seal hunt is on, Ponte's team has noticed probing attacks against the laptops of users attending the watch observation mission on Prince Edward Island.

"They connect to a wireless network that was available at a free coffee shop style wireless network, and suddenly a machine that might have had two security blocks in the previous month gets several hundred," he says.

The users are scattered over the globe, across 15 countries. This makes endpoint security a top priority because each desktop or laptop must be fortified for use outside the network and remain clean enough to return to the network without causing damage.

"About four years ago, after a period of extreme duress in terms of desktop security issues, ranging from viruses to even worms and Trojans--the gamut of desktop security problems--we realized that that part of our security equation was lacking and that we needed to put some more effort into that," Ponte says.

He is more aware than most security administrators of the shortcomings of relying solely on anti-virus software for endpoint protection. Because IFAW has fallen victim to custom attacks, Ponte has seen how little protection a common anti-virus solution offers for unknown malware.

Anti-virus and anti-spyware programs generally depend on defensive signatures that are based on known viruses that security researchers discover. If a virus remains undiscovered by the researchers, no signature is made and the customer remains unprotected.

According to Gartner, signature-based technologies such as anti-virus software have less than a 50 percent chance of catching completely new threats and can miss up to 10 percent of old threats in the wild.

To protect IFAW from the "exotic" threats it faces, Ponte decided to augment his anti-virus protection with whitelisting technology. Rather than blocking out the known bad programs and missing all of the unknown bad programs, IFAW now only allows in the known good programs, keeping all bad programs from launching. Because IFAW had already used Checkpoint technology elsewhere in the infrastructure and it stacked up well against the competition, the organization decided to use Checkpoint Endpoint Security to implement whitelisting.

"We were able to use it to identify and segregate unknown malware-malware that was simply not recognized by any anti-spyware, anti-virus program that's out there, which was shocking to us, frankly," Ponte said. "We've since implemented a much more restrictive program control. We know every application that needs to be run on any of our user's laptops, so we use a whitelist system. If it's not white listed, it won't run until someone in our IT department allows it. Of course, we only allow those things that we trust."

Whitelisting has also helped IFAW get control of desktop settings by clamping down on user privileges on the desktop. This ensures users don't inadvertently muss up desktop settings, which can also negatively affect security.

"We have strongly tightened up our user rights and privileges on the desktop," Ponte says. "We haven't completely locked down all of our end user workstations, but we have reduced privileges quite a bit."

The decision to do so caused an "immediate and initial reduction in the number of infections and exploitation of security vulnerabilities" on his laptops, Ponte says. He noted that security incidents dropped off by at least 75 percent after IFAW harnessed the power of whitelisting technology.

Not only has there been a security benefit to whitelisting, but it has also helped Ponte get better control over software licensing compliance.

"So when we implemented the whitelisting program control, initially, there was some grumbling from users who wanted to run applications, for example, that we don't own," he says. "We don't want users running applications if we haven't paid for them. It was pretty simple for us to do. And now, managing it is simple."

One of the tricky parts of administering endpoints is the question of how to deal with endpoints not owned by the organization. Ponte explains that IFAW must contend with a number of users who belong to partner organizations and may need access to the network. He says that IFAW has evolved its policies to balance access with the security of network resources.

"We've moved from a policy [in which] only IFAW machines can connect to IFAW networks, period, to a sort of laissez-faire policy that wasn't working, to giving our partners a bare-minimum necessary access. But as we increase access, we increase observation and security on those users," Ponte says, explaining that client-side endpoint security software is only installed on user systems that need access to the network.

Of course, endpoint whitelisting can't solve every security problem. Ponte has driven a number of initiatives to complement his use of Checkpoint's product.

"I am using intrusion prevention from SourceFire, the creators of Snort, and that's a key element. I'm a heavy user of Microsoft organic tools for maintaining security, as we are budget-limited," he says. "This includes MBSA, the Microsoft baseline security analyzer, which we have running via script and by a system management server and other tools. We use that heavily to make sure that our machines are up to date. We use WSUS, the Windows Server Update Service, in combination with SMS to make sure that all of our machines receive security updates as quickly as possible."

In addition, IFAW recently decided to run with a network-access-control project that will take advantage of the existing endpoint security client and a newly installed Hewlett-Packard Procurve-based network infrastructure to validate that each of the clients meets a minimum security baseline with up-to-date settings, patches and compliant programs running before they are allowed to join the network. Ponte says this is critical in a dynamic environment where machines are coming and going as users enter the network from trips out in the field.

"I had a user show up just this week who had been traveling in the South Pacific from small island to small island and hadn't been connected in something like 90 days," he says. "It's nice to know that that's something that we can fix."