Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov> ITL BULLETIN FOR APRIL 2008 USING ACTIVE CONTENT AND MOBILE CODE AND SAFEGUARDING THE SECURITY OF INFORMATION TECHNOLOGY SYSTEMS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology U.S. Department of Commerce Private and public sector organizations face complex challenges every day in protecting the security of their information technology (IT) systems and their information. By adopting new technologies, organizations often can perform mission-critical functions and serve their customers more efficiently. But the new technologies that enable organizations to improve their system capabilities and provide better services can also introduce new threats and risks to IT systems. Active content is a technology that offers great convenience to the users who download files and electronic documents from the Internet. The Web pages that they retrieve are used as electronic counterparts to paper documents. However, the electronic documents that are downloaded are often more than just text. They are programs or they contain programs that can carry out or trigger actions automatically without the user directly or knowingly invoking the actions. Examples of electronic documents with active content are Web pages with digitally encoded multimedia information, such as interactive weather maps, stock ticker information, live camera views, and programmed broadcasts. Loading an encoded document into a word processor can have the same effect as executing a program. Active content is a form of mobile code -- a program such as a script, macro, or other portable instruction that can move from one platform to another where it is processed. The user is often unaware of the transfer of the code, which can contain malicious code inserted by an attacker. It is generally impractical for organizations to prohibit the use of active content by their staff members, but appropriate controls can be employed to minimize the risks and maintain the appropriate levels of security. The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its guidelines on active content to help organizations protect their IT systems and information from the security risks that accompany the use of active content. The revised guidelines discuss the technology, the new security risks introduced, and the recommended secure solutions. NIST Special Publication (SP) 800-28 Version 2, Guidelines on Active Content and Mobile Code: Recommendations of the National Institute of Standards and Technology NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code: Recommendations of the National Institute of Standards and Technology, replaces an earlier version of the guidelines which had been issued in 2001. The revised publication, written by Wayne A. Jansen and Karen Scarfone of NIST and by Theodore Winograd of Booz Allen Hamilton, provides updated information about active content and mobile code technologies, and discusses the components of the IT system's browsers and servers that handle active content. One major section of the publication covers the threats associated with the use of active content and mobile code. Threats are possible dangers to a computer system, which may result in the interception, alteration, obstruction, destruction, or other disruption of computational resources. Another principal section discusses the risks to systems that process active content. Risks are a measure of the likelihood and the consequence of events or acts that could cause a system compromise, including the unauthorized disclosure, destruction, removal, modification, or interruption to the availability of system assets. The safeguards that can protect system resources from attacks are covered in detail. Safeguards are approved security measures taken to prevent or reduce the risk of system compromise, and include management, operational, and technical controls. NIST's recommendations for managing and improving the security of IT systems that process active content are summarized in a section of the guide. NIST SP 800-28 Version 2 includes a list of references for both in-print and online resources that can be consulted for more information on active content and mobile code. The appendices provide a summary of available browser request methods, the categories of server response codes, a glossary of terms, and an explanation of the acronyms used in the publication. This ITL Bulletin summarizes NIST SP 800-28 Version 2, which is available at http://csrc.nist.gov/publications/nistpubs/800-28-ver2/SP800-28v2.pdf. Background on Active Content Active content technologies include built-in macro processing, scripting languages, and virtual machines. The use of these technologies blurs the distinctions between code and data. Examples of active content documents are PDF documents; Web pages conveying or linking to mobile code such as JavaScript, VBScript, Java applets, and ActiveX controls; desktop application files containing macros; Flash and Shockwave media files; and Hypertext Markup Language (HTML)-encoded e-mail bearing executable content or attachments. Web pages with active content can deliver digitally encoded multimedia information or even an interactive experience enabled by embedded computer instructions. For many people, being able to download files and electronic documents from the Internet is a useful function and a common practice. Users consult Web pages for items such as forms, brochures, magazines, and newspapers that they might previously have used in a paper format. Today, desktop and laptop computers, portable handheld devices, such as cell phones and personal digital assistants (PDAs), and Internet appliances can access the Web. Users are generating content for display on Web pages. Social networking, photo and video sharing, bookmarking, and knowledge-sharing sites are becoming increasingly popular. Many organizations operate knowledge-sharing Web site sites for both their internal and their external users. These Web sites are more interactive than previous Web pages, allowing users, who could be legitimate or malicious, to modify or add to existing content. This situation challenges organizations to secure their computer systems against potential threats that are associated with user-generated content. In the past, the flow of information on the Web was from Web sites to the user. Now user-generated content allows information to flow freely in both directions and makes it more difficult for an organization to control what information leaves or enters its networked systems. Both system browsers that allow users to view pages from various sources and the servers that interconnect to the Internet are associated with the processing of active content and mobile code. In addition, many different components of a system may be involved. For example, each implementation of active content technology may require a different interpreter to be installed as a browser component on the user's computer. This further complicates the security configuration position for organizations because each interpreter may be supplied by a different manufacturer. The installed browser components must be monitored and updated whenever vulnerabilities are discovered. If organizations do not have a centralized configuration management system to track these changes, they may be using systems that have not been patched with new controls. Similarly, new versions of active content implementations may alter how the interpreter presents active content. Patches to active content components may be incompatible with the active content generated by an organization's Web sites. To deal with these complex situations, organizations may have to choose between two potentially costly alternatives: to continue using incompatible and possibly vulnerable browser components, or to update the Web site. Active content technology provides excellent capabilities to the user, but it also results in vulnerabilities that an attacker could exploit. Many of the problems that organizations experience with malware on their systems may result from active content, which can be the delivery mechanism for mobile code. Risks and Threats Associated with Active Content Many computer technologies involve risk. Flaws or weaknesses in the technologies' design, implementation, or configuration can introduce vulnerabilities to a system. Vulnerabilities also result from the absence of security controls or weaknesses of controls, leading to violations of the organization's security policy for a system. While technology-related vulnerabilities are often subtle and do not affect either the overall functionality or performance of a product, they may be discovered and exploited by an attacker. Risk analysis can determine the impact of the vulnerability, depending on factors such as the value of the resource affected or the perceived harm to one's reputation. Organizations are exposed to technology-based risks because active content and mobile code allow systems to execute code that may not be trustworthy. All software contains defects, and some of these defects may be the source of vulnerabilities that an attacker could exploit. When determining the risks associated with active content, organizations have to consider the capabilities of the software to be implemented and the security controls provided by the environment. In some situations, it may be necessary to utilize an active content technology regardless of the determination of risk. For example, a critical system may require JavaScript or PDF support. Many threats are a result of security issues that were not addressed when Internet protocols were developed. These problems are exacerbated by the scale of the Internet, the complexity of software, and the prevalence of mobile code. Many Web interactions rely on mobile code, either running on a Web server or Web browser. These interactions are susceptible to the threats associated with mobile code. Attackers may exploit vulnerabilities in connected hosts, as well as other vulnerabilities existing in an operating system, Web server software, or a Web protocol. Voluntary standards efforts are addressing these issues to reduce the risks involved. Standards for Internet Protocol Security (IPsec), Secure Domain Name Server (DNS), and Public Key Infrastructure (PKI) have been implemented in products. Government-certified security evaluation laboratories have been established under regional and worldwide mutual recognition schemes. Organizations have established incident response teams, which have improved their effectiveness in combating intrusions. Commercial software is available for detecting and eliminating malware, filtering network protocols, patching computer systems, and detecting and preventing intrusions. By assessing the threats associated with the use of active content and mobile code, organizations can take steps to reduce them. The possibility of attacks, which can impact the confidentiality, integrity, accountability, or availability of IT resources, can then be reduced. NIST'S Recommendations for Managing Active Code NIST recommends that organizations adopt security policies based on their assessments of security needs and their level of acceptable risks. To mitigate the risks that are specifically associated with the use of active content, organizations should: Examine the concept of active content and understand how it affects the security of IT systems. The use of products with capabilities for producing and handling active content contributes to the functionality of a system as a whole and thus is an important factor in IT procurement and implementation decisions. Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when a document is rendered. Active content technology can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. E-mail and Web pages accessed through the Internet provide efficient ways to convey active content, but they are not the only means. Active content technologies span a broad range of products and services and involve various computational environments, including those of the desktop, workstation, server, and gateway devices. To understand their security ramifications, organizations are encouraged to consult needed technical information that is available from many information resources and to gain a sound understanding of the security implications of active content. NIST SP 800-28 Version 2 contains an extensive reference list of these information sources. Develop organizational policies regarding the implementation and use of active content. Information security in any organization is largely dependent on the quality of the security policy and the processes that an organization imposes on itself, including policy awareness and enforcement. As appropriate to their situation, organizations should develop policy for the procurement and use of products involving active content technologies. Active content should only be applied where it specifically benefits the quality of the services delivered and not simply for its ready and easy availability within products. Both the consumption and production of active content should be addressed by the policy. A badly implemented, poorly planned, or nonexistent security policy can have a serious negative security impact. The policy should be stated clearly and consistently, and made known and enforced throughout the organization. Putting an organizational security policy on active content in place is an important first step in applying effective safeguards and mitigating the risks involved. Assess the specific benefits that are gained from the use of active content, balance the benefits against the associated risks, and select appropriate controls. Since the use of active content brings both benefits and risks to the organization, it is essential that organizations analyze and manage the risks that are associated with the use of active content, as well as all other threats, on a continuing basis. Organizations should conduct periodic risk analyses to identify the threats to their systems and their systems' vulnerabilities to the threats. They should assess potential attacks and the chances of success, and estimate the potential damage to systems and information that could result from successful attacks. Then organizations can adopt policies and procedures to reduce the risks cost-effectively to an acceptable level and to maintain security throughout the life cycle of the system. See NIST SP 800-30, Risk Management Guide for Information Technology Systems, for details on the risk management process. Security involves continually analyzing and managing risks. A risk analysis identifies vulnerabilities and threats, enumerates potential attacks, assesses their likelihood of success, and estimates the potential damage from successful attacks. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Every organization must take into account its own needs for protecting the ability to carry out its mission and safeguarding assets, its budget, and its culture. As new products are selected and procured, organizations should consider the risk environment, cost-effectiveness, assurance level, and security functional specifications, and then make their decisions. Organizations should also be aware of the interconnectivity and associated interdependence of external as well as internal organizations. A risk may be accepted by one organization, but this acceptance may inadvertently expose other organizations with which the organization interoperates to the same risk. Moreover, since active content is heavily oriented toward rendering information for an individual, the decisions made by an organization may affect the customers who are served by the organization's electronic pages. Once an assessment is made, safeguards can be put in place against those risks deemed significantly high, by either reducing the likelihood of occurrence or minimizing the consequences. Maintain consistent system-wide security when configuring and integrating products involving active content into system environments. When they procure new products, organizations should collect and analyze information about the features of those products that can be used to control active content. Products and software applications that handle active content often have built-in controls that can be used to control or prevent activation of related features. E-mail, spreadsheet, word processor, database, presentation graphics, and other desktop software applications have similar configuration settings that can be used to control the security capabilities of active content documents. It is important to examine the configuration settings carefully since many products are delivered with insecure default settings. Network devices or other special purpose software should be used to supplement existing application-oriented controls. For example, firewalls can be augmented by gateway devices that filter certain types of e-mail attachments and Web content with known malicious code characteristics and that reject them at a point of entry. Desktop anti-malware software has also been developed with increasing capabilities for detecting malicious code signatures within active content. In addition, many active content technologies provide mechanisms for dynamically restraining the behavior of mobile code by quarantining it within a logical sandbox. Organizations should become familiar with available security options and use them in accordance with their organizational policies. More Information NIST publications assist organizations in planning and implementing a comprehensive approach to information security. See NIST's Web page for information about NIST standards and guidelines that are referenced in the Guidelines on Active Content and Mobile Code, and other security-related publications, covering related topics, such as security planning, risk management procedures, security controls, intrusion detection systems, incident handling, and firewalls. See http://csrc.nist.gov/publications/index.html. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 _______________________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Tue Apr 29 2008 - 22:44:42 PDT