Internet.com ISP-Planet
It's The Law
Scrubbing Servers with PestPatrol—continued

If going offline isn't motivation enough to keep systems attack-tool-free, how about legal ramifications and liabilities? According to Mark Grossman, an attorney who chairs the Computer and eCommerce Law Group at Becker and Poliakoff, "My prediction is that courts will find liability against computer owners who negligently allow their computers to be a launching pad for attacks by hackers, terrorists, and others."

Dallas attorney Benjamin Wright demonstrated this in The Legal Risks of Computer Pests and Hacker Tools, a report authored for PestPatrol. In eBay v. Bidder's Edge, said Wright, "The victim company (eBay) was entitled to an injunction against another company (Bidder's Edge) that had targeted a robot data gathering program against the victim and thereby robbed it of bandwidth and optimum system performance."

Monetary damages from a civil suit not enough to convince you? How about criminal charges? The October 2001 Patriot Act [H.R.3162] imposed severe penalties on those who harbor terrorists or provide them with material support. According to Dr. Bill Hancock, Chief Security Officer at Exodus, ISPs that own and operate the systems used to launch cyber-attacks against others can now be prosecuted for aiding in the commission of a terrorist offense.

As a legal defense, ISPs can use—and require all customers to use—reasonable defenses to detect and remove DDoS zombies. "If [customers] don't [defend their systems from becoming zombies], and your network is used in an attack, you are not liable for damages," said Cafarchio. "ISPs should impose this requirement at a contract level. Once you declare this protection is required, due diligence becomes the customer's responsibility."

The upside
Virus and Pest protection can also be incremental revenue opportunities. "ISPs all are in a frantic struggle to differentiate themselves," said Cafarchio. "Security is so hot right now that, if you're not looking at security as a value-added service, you're doing something wrong." Cafarchio suggests that small ISPs start with anti-virus, personal firewall, anti-trojan, and anti-spyware services. "At minimum, ISPs can be recommending or reselling software to their customers. They could also be pushing product upgrades or sending upgrade alerts to customers, monitoring the alerts that these products generate, and investigating alerts for additional revenue," said Cafarchio.

The small ISP that would rather stick to its core business can still benefit financially from using pest protection in-house. "If you can negotiate a lower rate on IT insurance, based on the steps you are taking, that could reduce expenses by freeing up contingency funds," said Cafarchio. "And if you're not putting out little fires all over the place, you theoretically have more resources to take care of business."

The general manager of a regional ISP who spoke with us, but prefers to remain anonymous for security reasons, substantiated this last point. "We've been using PestPatrol primarily to safeguard our NT Web servers. We've had some bad experiences in the past with hacking, and have put a number of measures in place to reduce data loss and the time spent rebuilding servers. PestPatrol is one of several measures we put in place on our Web servers to make us aware of unauthorized access to those systems."

Enhancing surveillance
Virus scanners, firewalls, vulnerability assessment tools, network and server intrusion detection systems, and file integrity checkers are all proven methods of preventing and detecting hacker activity. Some of these prevent worms from spreading and trojans from being installed; others detect nefarious activity after the damage is done (changed files, connections on unusual ports).

Adding PestPatrol to this mix improves your level of surveillance—spotting DDoS agents before they take part in a flood attack, deleting Spyware before it leaks data through a frequently-open outbound port (80 or 443), or locating hacker tools before they can be used to crack passwords or break into other systems.

PestPatrol includes three Win32 desktop programs: a command line utility, a graphical application, and a background monitor. The CLI scanner, PestPatrolCL, can be invoked at login, on-demand, or at intervals determined by the Windows Task Scheduler. The GUI scanner, PestPatrol, permits ad hoc scans. MemScan runs in the background to detect pests in memory (released in April but not included in our eval copy). All use the same patent-pending "Deep Search" scan engine and pattern files. Engine and pattern updates can be automatically downloaded and installed with PPUpdater, an on-demand or scheduled utility.

Taking PestPatrol out for a spin
Intrigued by Cafarchio's pitch at the ISP Business Expo, we decided to try PestPatrol on a half-dozen lab PCs. PestPatrol is freely available for download in a slightly crippled form. The missing features—pest quarantine and delete—are activated by installing a license, priced from $29.95 for one user, to $13.38 each for 1,000 users. According to Cafarchio, PestPatrol will negotiate ISP reseller agreements involving either one-time purchase or recurring monthly fees.

To run PestPatrol interactively, just select the drives to be scanned. Progress is visible in a Monitor window. When the scan completes, use the Logs tab to step through the Current session, taking the desired action for each pest, then press "Finished." All results are recorded in a Master Log that can be exported or printed for future reference. If something odd should occur, the current session log can optionally be emailed to PestPatrol support.

Configurable Options narrow the scope of the scan. PestPatrol can check everything, all files except archives, or only those with specific extensions. Specific folders and files can be included or excluded. The scan can be limited to Hacker Tools, Spyware, and/or Cookies, including specific types of Spyware. For example, our scans turned up several Hacker Tools—but most were programs that we actually use for penetration testing and firewall evaluation, so we excluded these from future scans. Exclusion worked well everywhere we tried, except for one NT server, where excluded folders kept showing up in subsequent scans.
