Mitigating Botnet Information Security Risks through EA and the ITSA - Part 2 of 4

posted Apr 1, 2015, 1:48 PM by Christopher Furton   [ updated Dec 13, 2015, 10:36 AM ]

Written by: Christopher Furton
Mitigating Botnet Information Security Risks through Enterprise Architecture (EA) and the Information Technology Security Architecture (ITSA)

Part 2 of 4


Part II – The Mitigation

This section of the paper proposes an approach to mitigating the threat of botnets to the enterprise environment. In this part, the term ‘organization’ is used to describe any enterprise environment including government, corporate, or non-profit sector. The proposed approach to mitigating botnet risks involves usage of the Enterprise Architecture framework developed by Dr. Scott Bernard (Bernard S. A., 2005) and the Information Technology Security Architecture (Bernard & Ho, 2008). A list of 19 botnet related risks has been developed by reviewing the literature included in Part I of this paper and can be found in table 1. Part II will apply the ITSA framework found within EA and offer mitigation recommendations in context.

Table 1: Botnet-related risks (image)

Enterprise Architecture and the Information Technology Security Architecture Overview


Enterprise Architecture is the “analysis and documentation of an enterprise in its current and future states from an integrated strategy, business, and technology perspective” (Bernard S. A., 2005, p. 31). EA, as a management program, enables organizations to have a holistic view from top-level strategy down to the lowest level of technology infrastructure. These vertical components of the framework help organizations understand the ties between strategy, information, and technology. Additionally, the EA framework introduces threads which define common activities always present across all levels of the framework: namely security, standards, and workforce considerations. In addition to being a management program, the EA is also a documentation program that provides a methodology for developing current and future views of the enterprise (Bernard S. A., 2005).

Within the EA3 cube, another integrated framework exists that provides confidentiality, integrity, and availability of information throughout the enterprise. The Information Technology Security Architecture (ITSA) defines corresponding layers: (1) information security governance; (2) operations security; (3) personnel security; (4) information and data flow security; (5) systems security; (6) application development security; (7) infrastructure security; and (8) physical security (Bernard S., 2008-2009). The ITSA works in the context of EA by relating security concepts and goals to the corresponding EA3 Framework level (Bernard & Ho, 2008).

Mitigating Factors – Information Security Governance

According to Bernard & Ho (2008), this layer of the ITSA is to “define security strategies, policies, standards and guidelines for the enterprise from an organizational viewpoint” (p. 11). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes high level policy statements, access definition policies, fair information practices, and security lifecycle charts (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA directs the high-level strategic approach. Success at this layer requires well-rounded procedures and policies aimed at protecting the enterprise environment through defense in depth. Table 2 lists those botnet security concerns from table 1 that can be partially mitigated within the information security governance layer of the ITSA.

Generally speaking, drafting security policies should focus on the principles needed to meet the required compliance level. This ensures that there is a genuine need for the policy and that it aligns with the mission statement. Other pitfalls to keep in mind and avoid are contradictions with other policies, unintended loopholes, excessive cost in terms of time and resources, and overcomplicated wording (Bernard & Ho, 2008).

Risk Area Topics / Governance Mitigation

1. Data exfiltration (information theft) through file system infiltration
2. Packet Sniffing
3. Key Logging
4. Disabling of AntiVirus
5. Original programmer backdoors
6. Vulnerabilities in operating systems
7. Vulnerabilities in applications
8. Relaxed Security processes
9. Blocking access to Security Vendor websites
10. Zero-day malware distribution
11. Remote Control
12. Spamming
13. Distributed Denial of Service
These risk areas can be mitigated through usage of standards, defined by Bernard & Ho (2008) as “a set of rules and regulations that control how information systems, materials, products, services, technologies, and management processes, etc. should be developed, managed and operated” (p. 12). Since most of these risks are technical in nature, with corresponding layers lower in the ITSA, governance can help define the guidelines, policies, and baselines that govern systems, services, applications and the technology on which they reside (Bernard & Ho, 2008).

Adopting industry best practices and proven standards at the top level of the ITSA results in higher organizational maturity and a better security posture. For example, an organization may reduce the risk of botnet propagation by adopting standards related to vulnerability management. In particular, the Common Vulnerabilities and Exposures (CVE) and Open Vulnerability Assessment Language (OVAL) initiatives define conventions to make organizing information related to security vulnerabilities “less of a labor intensive art and more of an engineer practice” (Martin, 2003).

14. Social engineering attacks on instant messaging programs
15. Social engineering attacks in malicious email
16. Use of personal equipment in workplace
17. Web browsing to malicious websites (even legitimate websites that have been exploited)
18. Extortion and blackmail (Ransomware)

These risk areas can be mitigated through strong policy governing user actions and appropriate usage agreements. Having users agree to and sign acceptable use policies may result in a reduced risk of viruses and other malicious activity (Zavoina, 1998).

The key to mitigating botnet risks in these risk areas is the development of, and compliance with, policy aimed at keeping users away from potentially malicious websites and teaching them the best responses to social engineering attempts. These policies link back to the organization’s strategic goals and affect many other subordinate ITSA layers.

Table 2: Botnet Risk Area topics and corresponding governance mitigation.


Mitigating Factors – Operations Security

According to Bernard & Ho (2008), this layer of the ITSA is to “define the enterprise’s intra-organizational and operational needs as they interact with and require access to the enterprise IT services, in order to identify and address security needs at the enterprises organizational level” (p. 12). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes risk assessments, authorization models, access control user requirements, business impact analysis, disaster recovery and business resumption planning (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA addresses risk management and continuity of operations. Table 3 lists those botnet security concerns from table 1 that can be partially mitigated within the operations security layer of the ITSA.

Risk Area Topics / Operations Security Mitigation

1. Data exfiltration (information theft) through file system infiltration
2. Packet Sniffing
3. Key logging
4. Zero-day malware distribution
5. Disabling of AntiVirus
6. Remote Control
7. Web browsing to malicious websites
8. Blocking access to Security Vendor websites

As discussed in Bernard & Ho (2008), one focus of the Operations Security layer is the Incident Handling Team’s ability to resolve security incidents by remediating vulnerabilities, quarantining malicious code and viruses, restoring infected information systems, and preventing future damage (p. 14). The impact of each of these risk area topics can be reduced by effective use of an incident handling team. For example, the impact of blocked access to security vendor websites can be reduced if outdated-antivirus notifications are properly handled as incidents. By handling this type of incident, the incident handling team can identify the associated botnet malware and attempt remediation, ultimately reducing overall botnet risk.

Additionally, Bernard & Ho (2008) advocate creation of a Security Operations Center (SOC) within the Operations Security Layer of the ITSA (p. 14). Within the SOC, the organization further reduces the impact of these risk area topics by assigning responsibility for centralized management of the incident response process to a single organizational unit.

9. Vulnerabilities in operating systems
10. Vulnerabilities in Applications

As discussed in Bernard & Ho (2008), another focus of the Operations Security Layer is vulnerability assessment. By conducting self-assessments across the four phases (Discovery, Manual Inspection, Vulnerability Testing, and Process Validation) (p. 13), organizations may reduce the overall number of vulnerabilities in operating systems and applications, limiting the means by which a botnet can propagate.

11. Distributed Denial of Service

As discussed in Bernard & Ho (2008), another focus of the Operations Security Layer is contingency planning and disaster recovery planning. A contingency refers to “incidents that may disrupt systems or business operations. Contingency planning means that [the] business has [an] immediate incident handling/response plan at both management as well as technical support level” (Bernard & Ho, 2008, p. 13). Because a botnet-initiated distributed denial of service attack will disrupt systems and business operations, this layer of the ITSA can help mitigate that risk by defining the actions to take during a DDoS attack. See Part IV – Case Study for an example of a botnet-initiated DDoS attack subverted through use of a continuity plan.

Table 3: Botnet Risk Area topics and corresponding Operations Security mitigation

Mitigating Factors – Personnel Security

According to Bernard & Ho (2008), this layer of the ITSA is to “ensure that enterprise personnel are accessing and utilizing its information and technology services safely, securely, and in accordance with their predefined roles and responsibilities of their job functions, through proper access control plans and detection of employee anomalous behavior” (p. 15). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes user authentication, role-based access control, awareness training, desktop security policies, and procedural training (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA is important for setting expectations of employee behavior and responsibility for information security practices. This layer emphasizes the personnel security threats associated with the botnet risk areas. Additionally, it establishes an information security training process that can reduce the risk introduced by the human element. Table 4 lists those botnet risk area topics from table 1 that can be partially mitigated within the personnel security layer of the ITSA.

Risk Area Topics / Personnel Security Mitigation

1. Extortion and blackmail (Ransomware)

As discussed in Bernard & Ho (2008), the personnel security layer of the ITSA is concerned with threats in personnel security, specifically physical threats from terrorists such as kidnapping or extortion (p. 15). Although not of the same severity, activity by the Bredolab and Pushdo botnets has been tied to extortion of money from victims ((IN)Secure, 2010). Ransomware techniques vary. One technique convinces the user to download and install malware by tricking her into thinking she has already been infected and that the download will fix the problem. Other ransomware blatantly disables systems until the user pays the attacker (Scambusters, 2006). Either way, ransomware is a form of extortion that can be mitigated through the personnel security layer of the ITSA.

2. Web browsing to malicious websites (even legitimate websites that have been exploited)
3. Relaxed Security processes
4. Use of personal equipment in workplace
5. Social engineering attacks on instant messaging programs
6. Social engineering attacks in malicious email

As discussed in Bernard & Ho (2008), another important aspect of the personnel security layer of the ITSA is annual security awareness training for all employees (p. 16). This includes the signing of security awareness agreements that explicitly state that monitoring and auditing of employee and administrator behavior is standard practice and should be expected (Bernard & Ho, 2008).

To help mitigate the botnet risk areas related to social engineering attacks, specific material on identifying such attacks should be included in the organization’s security training package. “Raising awareness and conducting regular training are key, given that the only truly effective control is through people” (Hinson, 2008). Educating employees on phishing and spear phishing trends, and finding innovative ways to increase employee knowledge, can help reduce the likelihood of these botnet-related risk area topics occurring.

Table 4: Botnet Risk Area topics and corresponding Personnel Security mitigation

Mitigating Factors – Information and Data Flow Security

According to Bernard & Ho (2008), this layer of the ITSA is to “identify and classify information and data as it moves through the enterprise – in order to justify adequate security controls” (p. 16). Within this layer, information needs to be valued and classified into levels depending on risk. Traditionally, this layer includes data design, dataflow assurance, information classification forms, logical access controls, and associative access controls (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA indirectly affects several risk area topics. Information classification is a necessity for identifying appropriate levels of protection. Table 5 lists those botnet security concerns from table 1 that can be partially mitigated within the information and data flow security layer of the ITSA.

Risk Area Topics / Information and Data Flow Security Mitigation

1. Data exfiltration (information theft) through file system infiltration
2. Packet Sniffing
3. Key logging
4. Distributed Denial of Service
5. Spamming
6. Zero-day malware distribution
7. Extortion and blackmail (Ransomware)
8. Remote Control
9. Disabling of AntiVirus
10. Blocking access to Security Vendor websites
11. Original programmer backdoors
12. Web browsing to malicious websites (even legitimate websites that have been exploited)
13. Relaxed Security processes
14. Use of personal equipment in workplace
15. Social engineering attacks on instant messaging programs
16. Social engineering attacks in malicious email
17. Vulnerabilities in operating systems
18. Vulnerabilities in Applications

The information and data flow security layer of the ITSA has an indirect impact on every identified botnet risk area topic. According to Bernard & Ho (2008), justifying adequate levels of security controls requires classification of information and data as it moves through the enterprise (p. 16). The level of classification drives which controls are needed. For example, preventing exfiltration of a company’s trade secrets will require more security controls than protecting publicly available information from exfiltration. Furthermore, relaxed security processes may matter less if the information being protected has no requirement for high levels of availability, confidentiality, and integrity.

Also relevant for this layer is the role that security models play in the overall protection of information from botnets. For example, the Biba Integrity Model prevents unauthorized users from making modifications (Bernard & Ho, 2008). Under this model, botnet activity would not have adequate permissions to make changes to a system that could, for example, disable anti-virus software or remotely control the computer.

Lastly, the process of risk management, analysis, and assigning risk controls resides in this layer of the ITSA model (Bernard & Ho, 2008). Since the overall functioning of a security program and the protection of an organization’s information are risk based, the ITSA can help mitigate botnet risks and protect the organization’s resources. The overall risk management program oversees the analysis and assignment of risk controls to reduce vulnerabilities, prevent information exfiltration, protect against social engineering attacks, and determine remedial actions for distributed denial of service attacks. Risk management and botnet mitigation activities go hand in hand.

Table 5: Botnet Risk Area topics and corresponding Information and Data Flow Security mitigation
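To make the Biba argument in table 5 concrete, here is an added example (not from the paper or from Bernard & Ho) that encodes the two Biba rules and evaluates the accesses discussed above: a dropper launched from a downloaded file attempting to edit antivirus configuration, beside the legitimate updater doing the same. The integrity levels, subject and object names and the file paths are constructed assumptions.

```python
"""Biba integrity model applied to the antivirus-tampering scenario.

Added illustration, not code from the paper or from Bernard & Ho (2008).
The integrity levels, subjects, objects and file paths are constructed
assumptions chosen to show the two Biba rules in action.
"""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Higher value = more trusted to be correct and unmodified."""
    UNTRUSTED = 0   # content fetched from the Internet, mail attachments
    USER = 1        # ordinary user processes and documents
    SYSTEM = 2      # OS binaries, the antivirus engine and its settings


@dataclass(frozen=True)
class Subject:
    name: str
    level: Integrity


@dataclass(frozen=True)
class Obj:
    name: str
    level: Integrity


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple integrity property, "no read down": a subject may only read
    objects whose integrity is at least its own, so a trusted process is
    never steered by data of lower integrity."""
    return obj.level >= subject.level


def can_write(subject: Subject, obj: Obj) -> bool:
    """Integrity *-property, "no write up": a subject may only write objects
    whose integrity is at most its own, so low-integrity code cannot alter
    trusted resources."""
    return obj.level <= subject.level


def decide(subject: Subject, obj: Obj, op: str) -> bool:
    """Return True if the access is permitted under Biba; op is 'read' or 'write'."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


# Constructed scenario. Paths are placeholders, not real product locations.
AV_CONFIG = Obj("/etc/antivirus/engine.conf", Integrity.SYSTEM)
USER_DOCUMENT = Obj("/home/alice/report.docx", Integrity.USER)
DOWNLOADED_FILE = Obj("/home/alice/Downloads/invoice.exe", Integrity.UNTRUSTED)

AV_UPDATER = Subject("antivirus-updater", Integrity.SYSTEM)
OFFICE_APP = Subject("word-processor", Integrity.USER)
# A dropper launched from a downloaded file runs at the file's (untrusted) level.
DROPPER = Subject("invoice.exe", Integrity.UNTRUSTED)


def botnet_scenario() -> dict:
    """Evaluate the accesses discussed in the text and return each verdict."""
    return {
        # The page's case: untrusted code tries to disable antivirus by
        # editing its configuration. Denied by "no write up".
        "dropper writes AV config": decide(DROPPER, AV_CONFIG, "write"),
        # Untrusted code may still read trusted files (reading up is allowed).
        "dropper reads AV config": decide(DROPPER, AV_CONFIG, "read"),
        # The legitimate updater, running at SYSTEM integrity, may write.
        "updater writes AV config": decide(AV_UPDATER, AV_CONFIG, "write"),
        # A trusted component must not consume untrusted input ("no read down").
        "updater reads downloaded file": decide(AV_UPDATER, DOWNLOADED_FILE, "read"),
        # Ordinary user work is unaffected.
        "office app writes user document": decide(OFFICE_APP, USER_DOCUMENT, "write"),
    }


if __name__ == "__main__":
    for access, allowed in botnet_scenario().items():
        print(f"{access:34s} -> {'ALLOW' if allowed else 'DENY'}")
```

The model only helps if the dropper really runs at the integrity of the file it came from; an operating system that launches downloaded content at the user's own level gives it write access to everything the user owns.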

Mitigating Factors – Systems Security

According to Bernard & Ho (2008), this layer of the ITSA is to “protect sensitive applications and provide granularity of access controls to sensitive resources” (p. 20). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes user account management, certificate request management, password storage and management, remote access, authorization models, file system hardening procedures, patching, and security repositories (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA protects systems and operating systems through the use of host intrusion detection, authentication and authorization models, and public key infrastructure. Table 6 lists those botnet security concerns from table 1 that can be partially mitigated within the systems security layer of the ITSA.

Risk Area Topics / Systems Security Mitigation

1. Data exfiltration (information theft) through file system infiltration
2. Packet Sniffing
3. Key logging
4. Spamming
5. Extortion and blackmail (Ransomware)
6. Remote Control
7. Disabling of AntiVirus
8. Blocking access to Security Vendor websites
9. Original programmer backdoors

According to Bernard & Ho (2008), a Host-based Intrusion Detection System (HIDS) monitors incidents occurring in an information system or on a network. A “HIDS monitors system files, logs, logon activity, and processing with the kernel and other resources” (p. 22). The use of a HIDS can substantially impact both botnet propagation and the ability of infected systems to communicate back to the botmaster. The HIDS can deny unexpected outbound traffic, preventing data exfiltration and effectively disabling command and control covert channels, including original programmer backdoors.

10. Vulnerabilities in operating systems

This layer of the ITSA addresses system hardening, which is essential in preventing vulnerability exploitation. Hardening the system is accomplished by identifying and disabling unused services and closing unnecessary ports (Bernard & Ho, 2008).

11. Distributed Denial of Service

Authentication and authorization information can be used to mitigate distributed denial of service attacks. Using an Expert System model, the system draws on access control information to create a filter policy during a DDoS attack (Zhang, Li, & Gu, 2004). By applying access control lists and blacklisting, Zhang et al. (2004) propose that DDoS attack effectiveness can be reduced.

12. Social engineering attacks on instant messaging programs
13. Social engineering attacks in malicious email
14. Web browsing to malicious websites (even legitimate websites that have been exploited)

This layer of the ITSA also addresses Public Key Infrastructure (PKI) enabling of applications.  The use of digital signatures within applications like instant messaging and email can reduce the likelihood of exploit through social engineering deception.  Additionally, PKI can help prevent malicious websites from deceiving users into entering sensitive information by providing a mechanism to validate the legitimacy of the website.

Table 6: Botnet Risk Area topics and corresponding Systems Security mitigation

Mitigating Factors – Application Development Security 

According to Bernard & Ho (2008), this layer of the ITSA is to “design authentication, authorization and accounting (AAA) components into the applications used in the enterprise; to enforce the application process flow throughout the enterprise; and to ingrain security in the [Software Development Life Cycle] SDLC” (p. 18). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes design and development, application development security, application gateways, and application security placement (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA can minimize vulnerabilities in in-house developed software applications that a botnet could exploit. Table 7 lists those botnet security concerns from table 1 that can be partially mitigated within the application development security layer of the ITSA.

Risk Area Topics / Application Development Security Mitigation

1. Original programmer backdoors

Although organizations cannot directly reduce the risk of botnet programmer backdoors within this layer of the ITSA, they can implement established programming best practices that prevent applications developed in house from containing backdoors. According to Haag et al. (2004), “programmers routinely create programming backdoors when they develop software. They close most of the backdoors before releasing the program… [but] occasionally programmers forget to close all of the backdoors.” A backdoor left in place after software development may increase the risk of botnet exploitation.

2. Vulnerabilities in Applications

This layer of the ITSA includes best practices for development and the inclusion of security throughout the software lifecycle, thereby reducing the number of vulnerabilities in applications. Furthermore, the defense-in-depth concept includes designing applications with an understanding of environmental risks so that they can be developed securely (Bernard & Ho, 2008). Fewer vulnerabilities mean fewer potential exploits that a botnet can use to establish a foothold within an enterprise.

3. Zero-day malware distribution

This layer of the ITSA can also help reduce the impact of zero-day malware exploits in applications. By implementing sandboxing, application developers create a contained environment in which the application runs, separating it from the underlying operating system. The sandbox encases and contains the exploit attempt for unknown zero-day vulnerabilities (Damballa, 2011).

Table 7: Botnet Risk Area topics and corresponding Application Development Security mitigation


Mitigating Factors – Infrastructure Security

According to Bernard & Ho (2008), this layer of the ITSA is to “develop a secure infrastructure that meets all security requirements of the enterprise and can safeguard against future attacks against the enterprise” (p. 22). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes network partitioning, VLANs, firewalls, packet filtering, circuit level gateways, PKI architectures, VPNs, SSL, and stateful inspections (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA is where the figurative rubber meets the road. Table 8 lists those botnet security concerns from table 1 that can be partially mitigated within the infrastructure security layer of the ITSA.

Risk Area Topics / Infrastructure Security Mitigation

1. Data exfiltration (information theft) through file system infiltration
2. Distributed Denial of Service
3. Spamming
4. Zero-day malware distribution
5. Click Fraud for profit
6. Extortion and blackmail (Ransomware)
7. Remote Control
8. Original programmer backdoors
9. Relaxed Security processes
10. Use of personal equipment in workplace
11. Social engineering attacks on instant messaging programs
12. Social engineering attacks in malicious email

Network Intrusion Detection Systems (NIDS) can be a critical tool for botnet prevention and detection. As described by Bernard & Ho (2008), the NIDS “detects probing, network configuration vulnerabilities, and monitors for attacks to and from nodes while having little impact on network traffic” (p. 23). By analyzing traffic trends, a NIDS may detect data being exfiltrated. A NIDS can also check for signatures of known botnet malware, identifying ransomware, remote control, and usage of backdoors. Some NIDS can also help detect unauthorized systems such as personal equipment, as seen in the McAfee NIDS product ePolicy Orchestrator and Rogue System Detection (McAfee, Inc.).

13. Web browsing to malicious websites (even legitimate websites that have been exploited)

Firewall Security provides perimeter security with stateful inspection of each packet deciding whether to accept, deny, or discard that packet (Bernard & Ho, 2008).  The infrastructure layer of the ITSA offers mitigation of botnet risks related to malicious attacks from websites by blocking access to known malicious domains.

14. Packet Sniffing

Lastly, network partitioning offers a defense against the sniffing risk area topic.  By “creating logical groups and users/system to contain the flow of information, these virtual networks prevent sniffing activities because nodes are not allowed to see each other’s ports without permission” (Bernard & Ho, 2008).

Table 8: Botnet Risk Area topics and corresponding Infrastructure Security mitigation
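As an added example, not from the paper, from Bernard & Ho or from any vendor's NIDS, the following code implements the two traffic-trend checks referred to in the Systems Security (HIDS denying unexpected outbound traffic) and Infrastructure Security (NIDS analyzing traffic trends) discussions: an outbound-volume outlier check per source/destination pair and a fixed-interval call-home check. The flow record format, the thresholds and the sample flow log are constructed assumptions.

```python
"""Two traffic-trend checks over outbound flow records.

Added illustration of the NIDS and HIDS points in the text; not code from
the paper, from Bernard & Ho (2008) or from any vendor product. The flow
record format, the thresholds and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (internal source host, external destination)


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the capture
    src: str         # internal host that opened the connection
    dst: str         # external destination address
    bytes_out: int   # bytes sent from src to dst in this flow


# Constructed flow log. 10.0.0.5 browses several sites at normal volume;
# 10.0.0.9 contacts one external address every 300 s with tiny payloads and
# then pushes tens of megabytes to it: the shape of a call-home plus upload.
SAMPLE_FLOWS: List[Flow] = [
    Flow(10,   "10.0.0.5", "203.0.113.10", 4_200),
    Flow(95,   "10.0.0.5", "203.0.113.11", 3_900),
    Flow(180,  "10.0.0.5", "203.0.113.12", 5_100),
    Flow(260,  "10.0.0.5", "203.0.113.10", 4_700),
    Flow(300,  "10.0.0.9", "198.51.100.7", 512),
    Flow(600,  "10.0.0.9", "198.51.100.7", 498),
    Flow(900,  "10.0.0.9", "198.51.100.7", 520),
    Flow(1200, "10.0.0.9", "198.51.100.7", 505),
    Flow(1500, "10.0.0.9", "198.51.100.7", 48_000_000),
    Flow(1510, "10.0.0.9", "203.0.113.12", 3_000),
]


def group_by_pair(flows: List[Flow]) -> Dict[Pair, List[Flow]]:
    """Bucket flows by (src, dst) so each check works per conversation."""
    groups: Dict[Pair, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    return groups


def volume_outliers(flows: List[Flow], ratio: float = 50.0,
                    floor: int = 10_000_000) -> List[Tuple[Pair, int]]:
    """Flag pairs whose total outbound bytes exceed both an absolute floor and
    `ratio` times the median pair total: the trend-based exfiltration signal.
    The median baseline is not dragged upward by the outlier itself."""
    totals = {pair: sum(f.bytes_out for f in fs)
              for pair, fs in group_by_pair(flows).items()}
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted((pair, total) for pair, total in totals.items()
                  if total >= floor and total > ratio * baseline)


def beacon_candidates(flows: List[Flow], min_flows: int = 4,
                      max_cv: float = 0.15) -> List[Tuple[Pair, float]]:
    """Flag pairs contacted at near-constant intervals. Bot clients poll
    their controller on a timer, so the coefficient of variation of the gaps
    between flows is small, whereas human browsing is far more irregular."""
    found = []
    for pair, fs in group_by_pair(flows).items():
        if len(fs) < min_flows:
            continue
        times = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((pair, avg))
    return sorted(found)


def analyse(flows: List[Flow]) -> Dict[str, list]:
    """Run both checks; a pair that appears in both lists is the strongest lead."""
    return {"volume": volume_outliers(flows), "beacons": beacon_candidates(flows)}


if __name__ == "__main__":
    for check, hits in analyse(SAMPLE_FLOWS).items():
        print(check, hits)
```

Thresholds like `ratio`, `floor` and `max_cv` have to be tuned against the organization's own baseline; backup jobs and software update checks also produce large or periodic flows, which is why a hit is a lead for the incident handling team rather than a verdict.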

Mitigating Factors – Physical Security

According to Bernard & Ho (2008), this layer of the ITSA is to “construct a perimeter physical defense system that safeguards the facility and physical resources for the enterprise” (p. 25). The activities associated with this layer include both procedural and documentation functions. Traditionally, this layer includes building and facility security, physical access controls, network operations centers, server rooms, wiring closets, and cable plants (Bernard & Ho, 2008).

In relation to protection against botnet-related risks, this layer of the ITSA can reduce the risk of botnet propagation. Table 9 lists those botnet security concerns from table 1 that can be partially mitigated within the physical security layer of the ITSA.

Risk Area Topics / Physical Security Mitigation

1. Vulnerabilities in operating systems

As described by Bernard & Ho (2008), the physical security layer of the ITSA is an essential part of the information security architecture (p. 25). One direct way that this layer can reduce botnet risks is through management of removable media. As seen with the Conficker botnet, USB removable storage is a successful propagation method (Singer, 2010). An organization with a strict physical security policy preventing the use of removable media can reduce botnet propagation risks.

2. Use of personal equipment in workplace

At the physical layer, banning employees from using personal equipment, and from having such equipment in their possession at the workplace, can reduce the likelihood of botnet propagation.

Table 9: Botnet Risk Area topics and corresponding Physical Security mitigation

About the Author

Christopher Furton is an Information Technology Professional with over 12 years in the industry. He attended The University of Michigan, earning a B.S. in Computer Science, and recently completed an M.S. in Information Management from Syracuse University. His career includes managing small to medium size IT infrastructures, service desks, and IT operations. Over the years, Christopher has specialized in Cyber Security while working within the Department of Defense and the United States Marine Corps. His research topics include vulnerability management, cyber security governance, privacy, and cyber risk management. He holds active IT certifications including the CISSP, CEH, ITIL Foundations, Security+ CE and Network+ CE.

Additional information available on Christopher Furton's website at