Modern Security Suite solutions: methods for protecting confidential data

Kaspersky Lab, a leading developer of secure content management solutions, has published a new analytical article by Nikolay Grebennikov, the deputy director of the company's department of innovative technologies. The article, called "Modern Security Suite solutions: methods for protecting confidential data", is available in full on Viruslist.com.

The article provides a classification of the three ways in which data can be stolen, and examines the most effective methods for combating data theft.

The first method is when the victim himself provides a malicious user with data, having believed a fake request for personal information. Such requests usually arrive by email, having been mass-mailed. This type of data theft is called phishing.

The second method of data theft uses Trojan Spy programs to track and log user activity. Trojan-PSW programs can also be used to steal confidential information. These programs are designed to find personal data on the victim machine and secretly send it to a remote malicious user. These programs can be spread via ICQ, via attachments to email messages, by malicious scripts on web pages, etc. They harvest a range of information about the victim system and passwords to a wide range of applications and services.

Trojans usually encrypt harvested data, and compress it into a small binary file. This file is then either sent to the remote malicious user by email or placed on his/her FTP server.

The article then goes on to examine the methods which modern security solutions use to protect confidential data. It looks in detail at Norton Personal Firewall and Norton Internet Security from Symantec, and Kaspersky Internet Security.

Nearly all modern Security Suite programs include Privacy Control, a component designed to protect confidential data stored on the computer from unsanctioned access and transmission to third parties. Privacy Control works by having the user enter all information which s/he considers to be confidential on a list. The protection component will analyze all outgoing traffic and either 'cut up' or encrypt fragments of confidential data.

This technology is implemented in Norton360, Symantec's flagship product for 2007. However, this approach is ineffective, and merely creates an illusion of security. There are two reasons for this. Firstly, Privacy Control does not block the transmission of confidential data on secure websites, as they use a protocol which encrypts all data transmitted. This makes it impossible for a third party to analyze the data, and nothing prevents a Trojan from sending confidential data from the victim machine within the encrypted stream. The second reason that this method is ineffective is that keeping all confidential information in one place is not good security.
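The list-matching approach described above can be sketched as follows. This is an added illustration, not code from the article or from any product named here; the confidential values, the payload and the function names are constructed for the example, and zlib compression stands in for the encrypted stream that the filter cannot read.

```python
import zlib

# Constructed sample: the values a user would enter on the "confidential" list.
CONFIDENTIAL = ["4111111111111111", "hunter2-example"]


def privacy_filter(payload: bytes, confidential=CONFIDENTIAL):
    """Mask every listed value found verbatim in an outgoing payload.

    Returns (filtered_payload, values_that_matched).
    """
    hits = []
    for value in confidential:
        needle = value.encode()
        if needle in payload:
            hits.append(value)
            payload = payload.replace(needle, b"*" * len(needle))
    return payload, hits


def outbound_samples():
    """Constructed outgoing payloads that carry the same confidential values."""
    form = b"POST /order HTTP/1.1\r\n\r\ncard=4111111111111111&pw=hunter2-example"
    return {
        # Readable traffic: the listed values appear byte for byte.
        "plaintext": form,
        # Assumption: compression stands in for any transformed stream
        # (compressed or encrypted) whose bytes no longer contain the values.
        "transformed": zlib.compress(form),
    }


def evaluate():
    """Run the filter over each sample and record what it caught."""
    results = {}
    for name, payload in outbound_samples().items():
        filtered, hits = privacy_filter(payload)
        results[name] = {"hits": hits, "modified": filtered != payload}
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:12} matched={r['hits']} modified={r['modified']}")
```

The filter masks both values in the readable payload and reports nothing for the transformed one, which is the gap the article attributes to Privacy Control.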

There is, however, an alternative approach to protecting confidential data. It is implemented in Kaspersky Internet Security 7.0 as a subsystem of the Anti-Spyware component which analyses the behavior of all processes in the system. If it detects any suspicious activity, the product will either warn the user, or block the action.

The author takes the example of Trojan-PSW.Win32.LdPinch, which can easily harvest the majority of passwords and other confidential data from a computer which is 'protected' using Privacy Control. The method implemented in KIS 7.0, which is based on activity analysis, both blocks the harvesting of data, and prevents the Trojan from secretly sending this data to the malicious user.

The author concludes that of the two methods used to protect confidential data, the approach based on analyzing application activity and tracking suspicious activity is more effective. The approach in which a component uses a list of confidential data and ensures that no fragment of this data is included in outgoing traffic is significantly less effective.
