[ISN] ITL Bulletin for April 2008

From: InfoSec News (alerts@private)
Date: Tue Apr 29 2008 - 22:24:31 PDT


Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR APRIL 2008

USING ACTIVE CONTENT AND MOBILE CODE AND SAFEGUARDING THE SECURITY OF 
INFORMATION TECHNOLOGY SYSTEMS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

Private and public sector organizations face complex challenges every 
day in protecting the security of their information technology (IT) 
systems and their information. By adopting new technologies, 
organizations often can perform mission-critical functions and serve 
their customers more efficiently. But the new technologies that enable 
organizations to improve their system capabilities and provide better 
services can also introduce new threats and risks to IT systems.

Active content is a technology that offers great convenience to the 
users who download files and electronic documents from the Internet. The 
Web pages that they retrieve are used as electronic counterparts to 
paper documents. However, the electronic documents that are downloaded 
are often more than just text. They are programs or they contain 
programs that can carry out or trigger actions automatically without the 
user directly or knowingly invoking the actions. Examples of electronic 
documents with active content are Web pages with digitally encoded 
multimedia information, such as interactive weather maps, stock ticker 
information, live camera views, and programmed broadcasts. Loading an 
encoded document into a word processor can have the same effect as 
executing a program.

Active content is a form of mobile code -- a program such as a script, 
macro, or other portable instruction that can move from one platform to 
another where it is processed. The user is often unaware of the transfer 
of the code, which can contain malicious code inserted by an attacker. 
It is generally impractical for organizations to prohibit the use of 
active content by their staff members, but appropriate controls can be 
employed to minimize the risks and maintain the appropriate levels of 
security.

The Information Technology Laboratory of the National Institute of 
Standards and Technology (NIST) recently updated its guidelines on 
active content to help organizations protect their IT systems and 
information from the security risks that accompany the use of active 
content. The revised guidelines discuss the technology, the new security 
risks introduced, and the recommended secure solutions.

NIST Special Publication (SP) 800-28 Version 2, Guidelines on Active 
Content and Mobile Code: Recommendations of the National Institute of 
Standards and Technology

NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code: 
Recommendations of the National Institute of Standards and Technology, 
replaces an earlier version of the guidelines which had been issued in 
2001. The revised publication, written by Wayne A. Jansen and Karen 
Scarfone of NIST and by Theodore Winograd of Booz Allen Hamilton, 
provides updated information about active content and mobile code 
technologies, and discusses the components of the IT system's browsers 
and servers that handle active content. One major section of the 
publication covers the threats associated with the use of active content 
and mobile code. Threats are possible dangers to a computer system, 
which may result in the interception, alteration, obstruction, 
destruction, or other disruption of computational resources.

Another principal section discusses the risks to systems that process 
active content. Risks are a measure of the likelihood and the 
consequence of events or acts that could cause a system compromise, 
including the unauthorized disclosure, destruction, removal, 
modification, or interruption to the availability of system assets. The 
safeguards that can protect system resources from attacks are covered in 
detail. Safeguards are approved security measures taken to prevent or 
reduce the risk of system compromise, and include management, 
operational, and technical controls.

NIST's recommendations for managing and improving the security of IT 
systems that process active content are summarized in a section of the 
guide. NIST SP 800-28 Version 2 includes a list of references for both 
in-print and online resources that can be consulted for more information 
on active content and mobile code. The appendices provide a summary of 
available browser request methods, the categories of server response 
codes, a glossary of terms, and an explanation of the acronyms used in 
the publication.

This ITL Bulletin summarizes NIST SP 800-28 Version 2, which is 
available at 
http://csrc.nist.gov/publications/nistpubs/800-28-ver2/SP800-28v2.pdf.

Background on Active Content

Active content technologies include built-in macro processing, scripting 
languages, and virtual machines. The use of these technologies blurs the 
distinctions between code and data. Examples of active content documents 
are PDF documents; Web pages conveying or linking to mobile code such as 
JavaScript, VBScript, Java applets, and ActiveX controls; desktop 
application files containing macros; Flash and Shockwave media files; 
and Hypertext Markup Language (HTML)-encoded e-mail bearing executable 
content or attachments. Web pages with active content can deliver 
digitally encoded multimedia information or even an interactive 
experience enabled by embedded computer instructions.

For many people, being able to download files and electronic documents 
from the Internet is a useful function and a common practice. Users 
consult Web pages for items such as forms, brochures, magazines, and 
newspapers that they might previously have used in a paper format. 
Today, desktop and laptop computers, portable handheld devices, such as 
cell phones and personal digital assistants (PDAs), and Internet 
appliances can access the Web.

Users are generating content for display on Web pages. Social 
networking, photo and video sharing, bookmarking, and knowledge-sharing 
sites are becoming increasingly popular. Many organizations operate 
knowledge-sharing Web sites for both their internal and their 
external users. These Web sites are more interactive than previous Web 
pages, allowing users, who could be legitimate or malicious, to modify 
or add to existing content. This situation challenges organizations to 
secure their computer systems against potential threats that are 
associated with user-generated content.

In the past, the flow of information on the Web was from Web sites to 
the user. Now user-generated content allows information to flow freely 
in both directions and makes it more difficult for an organization to 
control what information leaves or enters its networked systems. Both 
system browsers that allow users to view pages from various sources and 
the servers that interconnect to the Internet are associated with the 
processing of active content and mobile code.

In addition, many different components of a system may be involved. For 
example, each implementation of active content technology may require a 
different interpreter to be installed as a browser component on the 
user's computer. This further complicates the security configuration 
task for organizations because each interpreter may be supplied by a 
different manufacturer. The installed browser components must be 
monitored and updated whenever vulnerabilities are discovered. If 
organizations do not have a centralized configuration management system 
to track these changes, they may be using systems that have not been 
patched with new controls. Similarly, new versions of active content 
implementations may alter how the interpreter presents active content. 
Patches to active content components may be incompatible with the active 
content generated by an organization's Web sites. To deal with these 
complex situations, organizations may have to choose between two 
potentially costly alternatives: to continue using incompatible and 
possibly vulnerable browser components, or to update the Web site.

Active content technology provides excellent capabilities to the user, 
but it also results in vulnerabilities that an attacker could exploit. 
Many of the problems that organizations experience with malware on their 
systems may result from active content, which can be the delivery 
mechanism for mobile code.

Risks and Threats Associated with Active Content

Many computer technologies involve risk. Flaws or weaknesses in the 
technologies' design, implementation, or configuration can introduce 
vulnerabilities to a system. Vulnerabilities also result from the 
absence of security controls or weaknesses of controls, leading to 
violations of the organization's security policy for a system. While 
technology-related vulnerabilities are often subtle and do not affect 
either the overall functionality or performance of a product, they may 
be discovered and exploited by an attacker. Risk analysis can determine 
the impact of the vulnerability, depending on factors such as the value 
of the resource affected or the perceived harm to one's reputation.

Organizations are exposed to technology-based risks because active 
content and mobile code allow systems to execute code that may not be 
trustworthy. All software contains defects, and some of these defects 
may be the source of vulnerabilities that an attacker could exploit. 
When determining the risks associated with active content, organizations 
have to consider the capabilities of the software to be implemented and 
the security controls provided by the environment. In some situations, 
it may be necessary to utilize an active content technology regardless 
of the determination of risk. For example, a critical system may require 
JavaScript or PDF support.

Many threats are a result of security issues that were not addressed 
when Internet protocols were developed. These problems are exacerbated 
by the scale of the Internet, the complexity of software, and the 
prevalence of mobile code. Many Web interactions rely on mobile code 
running on either a Web server or a Web browser, and these interactions 
are therefore susceptible to the threats associated with mobile code.

Attackers may exploit vulnerabilities in connected hosts, as well as 
other vulnerabilities existing in an operating system, Web server 
software, or a Web protocol. Voluntary standards efforts are addressing 
these issues to reduce the risks involved. Standards for Internet 
Protocol Security (IPsec), Secure Domain Name Server (DNS), and Public 
Key Infrastructure (PKI) have been implemented in products. 
Government-certified security evaluation laboratories have been 
established under regional and worldwide mutual recognition schemes. 
Organizations have established incident response teams, which have 
improved their effectiveness in combating intrusions. Commercial 
software is available for detecting and eliminating malware, filtering 
network protocols, patching computer systems, and detecting and 
preventing intrusions.

By assessing the threats associated with the use of active content and 
mobile code, organizations can take steps to reduce them. The 
possibility of attacks, which can impact the confidentiality, integrity, 
accountability, or availability of IT resources, can then be reduced.

NIST's Recommendations for Managing Active Content

NIST recommends that organizations adopt security policies based on 
their assessments of security needs and their level of acceptable risks. 
To mitigate the risks that are specifically associated with the use of 
active content, organizations should:

Examine the concept of active content and understand how it affects the 
security of IT systems.

The use of products with capabilities for producing and handling active 
content contributes to the functionality of a system as a whole and thus 
is an important factor in IT procurement and implementation decisions. 
Active content technologies allow code, in the form of a script, macro, 
or other kind of portable instruction representation, to execute when a 
document is rendered. Active content technology can be used to deliver 
essential services, but it can also become a source of vulnerability for 
exploitation by an attacker.

E-mail and Web pages accessed through the Internet provide efficient 
ways to convey active content, but they are not the only means. Active 
content technologies span a broad range of products and services and 
involve various computational environments, including those of the 
desktop, workstation, server, and gateway devices. To understand their 
security ramifications, organizations are encouraged to consult needed 
technical information that is available from many information resources 
and to gain a sound understanding of the security implications of active 
content. NIST SP 800-28 Version 2 contains an extensive reference list 
of these information sources.

Develop organizational policies regarding the implementation and use of 
active content.

Information security in any organization is largely dependent on the 
quality of the security policy and the processes that an organization 
imposes on itself, including policy awareness and enforcement. As 
appropriate to their situation, organizations should develop policy for 
the procurement and use of products involving active content 
technologies. Active content should only be applied where it 
specifically benefits the quality of the services delivered and not 
simply for its ready and easy availability within products. Both the 
consumption and production of active content should be addressed by the 
policy. A badly implemented, poorly planned, or nonexistent security 
policy can have a serious negative security impact. The policy should be 
stated clearly and consistently, and made known and enforced throughout 
the organization. Putting an organizational security policy on active 
content in place is an important first step in applying effective 
safeguards and mitigating the risks involved.

Assess the specific benefits that are gained from the use of active 
content, balance the benefits against the associated risks, and select 
appropriate controls.

Since the use of active content brings both benefits and risks to the 
organization, it is essential that organizations analyze and manage the 
risks that are associated with the use of active content, as well as all 
other threats, on a continuing basis. Organizations should conduct 
periodic risk analyses to identify the threats to their systems and 
their systems' vulnerabilities to the threats. They should assess 
potential attacks and the chances of success, and estimate the potential 
damage to systems and information that could result from successful 
attacks. Then organizations can adopt policies and procedures to reduce 
the risks cost-effectively to an acceptable level and to maintain 
security throughout the life cycle of the system.

See NIST SP 800-30, Risk Management Guide for Information Technology 
Systems, for details on the risk management process. Security involves 
continually analyzing and managing risks. A risk analysis identifies 
vulnerabilities and threats, enumerates potential attacks, assesses 
their likelihood of success, and estimates the potential damage from 
successful attacks. Risk management is the process of assessing risk, 
taking steps to reduce risk to an acceptable level, and maintaining that 
level of risk.

Every organization must take into account its own needs for protecting 
the ability to carry out its mission and safeguarding assets, its 
budget, and its culture. As new products are selected and procured, 
organizations should consider the risk environment, cost-effectiveness, 
assurance level, and security functional specifications, and then make 
their decisions. Organizations should also be aware of the 
interconnectivity and associated interdependence of external as well as 
internal organizations. A risk may be accepted by one organization, but 
this acceptance may inadvertently expose other organizations with which 
the organization interoperates to the same risk. Moreover, since active 
content is heavily oriented toward rendering information for an 
individual, the decisions made by an organization may affect the 
customers who are served by the organization's electronic pages. Once an 
assessment is made, safeguards can be put in place against those risks 
deemed significantly high, by either reducing the likelihood of 
occurrence or minimizing the consequences.

Maintain consistent system-wide security when configuring and 
integrating products involving active content into system environments.

When they procure new products, organizations should collect and analyze 
information about the features of those products that can be used to 
control active content. Products and software applications that handle 
active content often have built-in controls that can be used to control 
or prevent activation of related features. E-mail, spreadsheet, word 
processor, database, presentation graphics, and other desktop software 
applications have similar configuration settings that can be used to 
control the security capabilities of active content documents. It is 
important to examine the configuration settings carefully since many 
products are delivered with insecure default settings.

Network devices or other special purpose software should be used to 
supplement existing application-oriented controls. For example, 
firewalls can be augmented by gateway devices that filter certain types 
of e-mail attachments and Web content with known malicious code 
characteristics and that reject them at a point of entry. Desktop 
anti-malware software has also been developed with increasing 
capabilities for detecting malicious code signatures within active 
content. In addition, many active content technologies provide 
mechanisms for dynamically restraining the behavior of mobile code by 
quarantining it within a logical sandbox. Organizations should become 
familiar with available security options and use them in accordance with 
their organizational policies.
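The gateway filtering described above, and the catalogue of active content types given earlier in the Background section (scripts, ActiveX controls, Java applets, macro-bearing Office files, Flash and Shockwave media, PDFs with embedded JavaScript, HTML e-mail), can be illustrated with a small triage routine. The following Python is an added example for this bulletin; it is not code from NIST SP 800-28 or from NIST, and the indicator lists, the sample message, the attachment names and the permitted-category policy are all constructed here. The approach is a gateway-style check: classify each piece of active content by category, then apply an organizational policy that says which categories may pass, so that (as the bulletin notes) JavaScript can be permitted where a system requires it while ActiveX, macros and PDF-triggered actions are quarantined.

```python
"""Gateway-style triage of active content in an HTML body and its attachments.

Added example for this ITL Bulletin; not code from NIST SP 800-28. Every
indicator list, sample input and policy below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Attachment types that are programs, or documents able to carry code.
# Constructed mapping: file extension -> active content category.
ACTIVE_EXTENSIONS = {
    ".js": "script", ".jse": "script", ".vbs": "script", ".vbe": "script",
    ".wsf": "script", ".hta": "script",
    ".docm": "macro", ".xlsm": "macro", ".pptm": "macro", ".dotm": "macro",
    ".swf": "flash", ".dcr": "shockwave",
    ".jar": "java", ".class": "java",
    ".pdf": "pdf",
}

# Markup that loads or triggers mobile code in a browser or in HTML mail.
HTML_INDICATORS = [
    (re.compile(r"<script\b", re.I), "script"),
    (re.compile(r"<object\b[^>]*\bclassid\s*=", re.I), "activex"),
    (re.compile(r"<applet\b", re.I), "java"),
    (re.compile(r"<(?:embed|object)\b[^>]*\.(?:swf|dcr)\b", re.I), "flash"),
    (re.compile(r"<[^>]*\son[a-z]+\s*=", re.I), "script"),   # inline event handler
    (re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I), "script"),
]

# PDF name objects that make a reader run or launch something on open.
# A plain byte search: names inside compressed object streams are not seen,
# so a miss here is not proof of absence.
PDF_INDICATORS = [
    (b"/JavaScript", "pdf-js"), (b"/JS", "pdf-js"),
    (b"/OpenAction", "pdf-action"), (b"/AA", "pdf-action"),
    (b"/Launch", "pdf-launch"),
]


@dataclass(frozen=True)
class Finding:
    where: str      # "body" or the attachment file name
    category: str   # one of the category labels above
    detail: str     # the matched indicator, for the log entry


def scan_html(markup: str, where: str = "body") -> list[Finding]:
    """Return one Finding per active content indicator found in the markup."""
    found = []
    for pattern, category in HTML_INDICATORS:
        for match in pattern.finditer(markup):
            found.append(Finding(where, category, match.group(0)[:40]))
    return found


def scan_pdf(data: bytes, where: str) -> list[Finding]:
    """Flag PDF name objects that trigger code or actions when the file opens."""
    return [Finding(where, category, token.decode())
            for token, category in PDF_INDICATORS if token in data]


def scan_attachment(name: str, data: bytes = b"") -> list[Finding]:
    """Classify an attachment by extension; look inside PDFs for triggers."""
    category = ACTIVE_EXTENSIONS.get(PurePosixPath(name).suffix.lower())
    if category is None:
        return []
    findings = [Finding(name, category, PurePosixPath(name).suffix.lower())]
    if category == "pdf":
        findings += scan_pdf(data, name)
    return findings


def review_message(body: str, attachments, permitted: set[str]):
    """Apply the organization's policy: categories not in `permitted` are blocked.

    Returns (verdict, all_findings, blocked_findings)."""
    findings = scan_html(body)
    for name, data in attachments:
        findings += scan_attachment(name, data)
    blocked = [f for f in findings if f.category not in permitted]
    return ("quarantine" if blocked else "allow"), findings, blocked


# Constructed sample message: an HTML body plus two attachments.
SAMPLE_BODY = """<html><body onload="init()">
<p>Quarterly report attached.</p>
<script src="http://example.invalid/tracker.js"></script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (x) >> endobj\n%%EOF")
SAMPLE_ATTACHMENTS = [("report.docm", b""), ("summary.pdf", SAMPLE_PDF)]

# Constructed policy: scripts and plain PDFs may pass (a critical system may
# require JavaScript or PDF support); everything else is held at the gateway.
PERMITTED = {"script", "pdf"}

if __name__ == "__main__":
    verdict, findings, blocked = review_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS, PERMITTED)
    print(f"verdict={verdict} findings={len(findings)} blocked={len(blocked)}")
    for f in blocked:
        print(f"  blocked {f.category:<10} in {f.where}: {f.detail}")
```

Running the module quarantines the sample: the ActiveX object in the body, the macro-enabled document, and the PDF's JavaScript and OpenAction triggers are held, while the script element and inline handler pass under the permissive script policy. The point of the split between scanning and policy is that the same scanner can serve sites with different risk decisions; changing the organization's answer to "is JavaScript required here?" is a one-line change to PERMITTED, not a rewrite of the detector.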

More Information

NIST publications assist organizations in planning and implementing a 
comprehensive approach to information security. See NIST's Web page for 
information about NIST standards and guidelines that are referenced in 
the Guidelines on Active Content and Mobile Code, and other 
security-related publications, covering related topics, such as security 
planning, risk management procedures, security controls, intrusion 
detection systems, incident handling, and firewalls. See 
http://csrc.nist.gov/publications/index.html.

Disclaimer
Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST nor does it imply that the products mentioned are 
necessarily the best available for the purpose.



Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378
