
Message, Mobile and Malware Anti-Abuse Working Group

M3AAWG Anti-Abuse Best Common Practices

for Hosting and Cloud Service Providers

March 2015

Executive Summary

System abuse drains time and revenue for hosting and cloud providers. Providers must maintain constant vigilance to make sure systems are not compromised. Just as crucially, they must ensure that their customers are vigilant. This document categorizes types of abuse, suggests appropriate responses and reviews practices for dealing with customers and complaints. It provides current best common practices in use within the hosting, DNS and domain registration provider communities. The intended audience is anti-abuse technical operations staff and their management.

Table of Contents

1. Introduction

2. Types of Hosting

3. Types of Abuse

4. Prevention

5. Detection and Identification

6. Remediation

Appendix 1: Glossary of Standard Terms

Appendix 2: Legal and Other Resources

Appendix 3: A Note about Data Security

Appendix 4: Ticketing Systems

M3AAWG Messaging, Malware and Mobile Anti-Abuse Working Group P.O. Box 29920  San Francisco, CA 94129-0920  www.M3AAWG.org  info@M3AAWG.org

1. Introduction

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Internet Infrastructure Coalition (i2C) offer these best practices for hosting, DNS and domain registration providers in support of the M3AAWG mission to reduce all types of messaging and other forms of network abuse. The goal of this paper is to educate providers about methods they can adopt in order to more efficiently use their resources to fight abuse.

Hosting providers must adhere to these requirements to avoid industry and regulatory actions and to avoid the risk of incurring additional regulations. Providers should also consider joining relevant coalitions and adhering to relevant self-regulatory initiatives, such as those prescribed by other industry trade associations.

Hosting providers must be in compliance with the requirements of all upstream network providers and applicable regional governments’ regulations. (See Appendix 2.) This document outlines industry best common practices. It is understood that not all hosting providers or reporting agencies will implement all of these practices due to the complexity of network infrastructures, public policy considerations, and the scalability of network platforms.

2. Types of Hosting

Hosts offer varying levels of support, equipment provision and help with abuse issues related to their customers.

* Where the customer is the owner of the hardware, as it is in a hosting environment, responsibility for hardware maintenance will be shared between the hosting provider and the customer.

● Cloud hosting: Shared hosting with redundancy. (See Shared Hosting below.)

● Dedicated Hosting: The hosting provider owns and provides the server, physical space in a facility, connectivity, electricity and physical security. The customer controls and maintains the server, OS (operating system), software, administrative and end-user access. The hosting company provides a dedicated box that has only one customer assigned to it. Usually the customer has admin-level access to the box.

● Hosting Provider: Any entity which offers end users the ability to create their Web presence on hardware they do not actually own.

● Managed Hosting: The hosting provider owns and provides the server, the OS and the software and/or technical support. The customer controls administrative and end-user access.

● Reseller Hosting: An arrangement under which the hosting company provides space to a customer who acts as an independent hosting company. The business arrangement can be either unmanaged or dedicated hosting, as detailed in this list. Customers can then position themselves as hosting providers in their own right and sell services to customers. Resellers can resell to other resellers, thus adding degrees of separation that create potential latency in the abuse-handling process.

● Shared Hosting: The hosting provider owns and provides the server, physical space in a facility, connectivity, electricity and physical security, and provides the OS and software. The provider controls administrative access. The customer controls end-user access. Abuse issues in a shared system require the provider to point the customer in the right direction to a resolution.

● Unmanaged Hosting: The hosting provider provides physical space in a facility, connectivity, electricity and physical security. The customer owns, controls and maintains the server, OS, software, administrative and end-user access.

● Virtual Private Server (VPS): An arrangement under which customers are given a virtual server environment in which they usually have admin-level control. In some cases they may also have guaranteed process or hardware allocations. The hosting provider owns and provides the virtual server environment and the OS. The customer controls administrative and end-user access and software.

M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers 3

3. Types of Abuse

Below is a list of the types of abuse most commonly seen at hosting and cloud service providers. The list does not purport to be complete and will invariably change over time.





● Spam (outbound): Spam is any email sent to end users that the receiver has specified they did not want to receive. Providers should ensure that customers are following the M3AAWG Sender Best Current Practices.[1] Hosting providers will also want to subscribe to as many relevant Feedback Loop reports as it is possible to process. (See more about Feedback Loops in Section 5 below.)

● Spamvertising (hosted redirect and payloads): Spamvertising occurs when a hosting provider’s end user engages a third party to advertise its Web presence. Most spam complaints are caused by end users sending emails to potential customers that tout some overhyped product or service. Spamvertising is done via a third party. Providers who receive one of these complaints are most likely in the loop either as the sender of the email or as the host of the site being advertised.

● Phishing outbound (hosting and inbound for client credentials): Phishing happens primarily when an end-user account has been compromised, almost always as a result of outdated scripts run by end users. A phishing site is a fraudulent site purporting to be a legitimate company, like Bank of America or PayPal, that directs the individual to enter confidential information. The phishers then have everything they need to rob the individual who has just been scammed.

● Hacked or defaced pages (hosted client-side): While phishing complaints will often fall into this category, not all hacked accounts will be used for phishing. Some may simply be defaced and the end users’ data corrupted or destroyed. Frequently hackers will also inject malicious code or upload bots that are set to cause additional problems. Third parties and law enforcement agencies analyze these events and provide information about how to repair hacked sites. Most accounts are compromised due to end users’ out-of-date CMS (Content Management System) installations such as Joomla or WordPress.

● Child sexual abuse material (hosted client-side): For appropriate handling of these issues, see the M3AAWG Disposition of Child Sexual Abuse Materials Best Common Practices (https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Disposition_CAM-2015-02.pdf).

● Copyright and trademark/intellectual property issues (hosted client-side): For online U.S. copyright law, see http://www.copyright.gov/reports/studies/dmca/dmca_executive.html. Other copyright regimes apply in other jurisdictions.

● Distributed denial of service and other outbound hostile traffic (hosted amplification, redirect, botnet C&C hosts)

● Malicious signups (whack-a-mole/multi-account, multi-platform)

[1] https://www.m3aawg.org/sites/maawg/files/news/MAAWG_Senders_BCP_Ver2a-updated.pdf


4. Prevention

Vet customers before they cause problems.

Hosting providers are at the mercy of their clients’ worst practices. Providers must have some type of vetting process to proactively identify malicious clients before they undertake abusive activities. A sound vetting process prior to provisioning will help the provider determine the difference between the truly bad actors and the customer who simply needs some guidance on proper online conduct. Vetting of clients is integral to maintaining a good reputation, decreasing costs and decreasing online abuse.[2]

Require customers to keep software updated.

Failure to maintain up-to-date software and hardware or firmware in the environment is one of the primary causes of abuse in the hosting space. Customer agreements should specify that customers will make a best effort to keep their systems up to date. This includes:

● OS/installs
● Plugins
● Content Management Systems (CMS)
● Themes
● Hardware/Firmware

Agreements should specify that out-of-date software may violate the prevailing contract with customers, as it can cause risks to the security both of their own environment and that of others. Where possible, customers should have automatic software updates enabled for their environment.

Prevent abusers from becoming customers.

Stopping parties intent upon abusive activities before they even get into a host’s system must be given high priority when developing a prevention plan. The practices below will aid in preventing fraudulent accounts from gaining entrance to hosting systems.

● Institute preauthorization of new accounts.

● Personally contact accounts that are deemed suspicious.

● Keep records of previously terminated fraud accounts.

● Put limits on new accounts that can only be raised when a credible customer need is demonstrated.

● If possible, institute a fraud scoring system and automatically reject prospective accounts that fall below the specified threshold.

● Provide sales teams with specific questions and specific red flag statements made by prospective accounts to help identify potential fraud.

The M3AAWG Sender Committee “Vetting Best Common Practices” may be of some use in this regard.
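The signup gate described in the list above can be turned into a small decision procedure: match the applicant against records of previously terminated fraud accounts, compute a trust score from risk signals, reject automatically below a threshold, and route borderline cases to personal contact before provisioning. The following Python is an added example written for this page, not code from M3AAWG or i2C; the signals, weights, thresholds and the applicant and record layouts are all constructed for illustration.

```python
"""Signup vetting gate: approve, hold for manual contact, or reject a
prospective hosting account before provisioning.

Scoring signals, weights and thresholds are constructed for illustration;
a real deployment would tune them against its own fraud history.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"          # provision, still under new-account limits
    MANUAL_REVIEW = "review"     # personally contact before provisioning
    REJECT = "reject"            # automatic rejection below threshold


@dataclass
class Applicant:
    email: str
    signup_country: str          # geolocated from the signup IP (assumed available)
    billing_country: str         # from the payment method (assumed available)
    payment_fingerprint: str     # opaque token from the payment processor
    requested_domains: int
    phone_verified: bool


def _h(value: str) -> str:
    # Keep only hashes so the record set is not itself a list of live PII.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class TerminatedRecords:
    """Records kept from previously terminated fraud accounts."""
    email_hashes: set = field(default_factory=set)
    payment_fingerprints: set = field(default_factory=set)

    def add(self, applicant: Applicant) -> None:
        self.email_hashes.add(_h(applicant.email.lower()))
        self.payment_fingerprints.add(applicant.payment_fingerprint)

    def matches(self, applicant: Applicant) -> bool:
        return (_h(applicant.email.lower()) in self.email_hashes
                or applicant.payment_fingerprint in self.payment_fingerprints)


# Constructed list of throwaway mail domains for the example.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}

REJECT_BELOW = 40   # scores below this are rejected automatically
REVIEW_BELOW = 70   # scores in [REJECT_BELOW, REVIEW_BELOW) get a personal contact


def trust_score(app: Applicant, records: TerminatedRecords) -> int:
    """Start at 100 and deduct per risk signal; a prior terminated match is a hard fail."""
    if records.matches(app):
        return 0
    score = 100
    domain = app.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        score -= 35
    if app.signup_country != app.billing_country:
        score -= 25
    if app.requested_domains > 5:
        score -= 20              # bulk domain requests on day one are unusual
    if not app.phone_verified:
        score -= 15
    return max(score, 0)


def vet_signup(app: Applicant, records: TerminatedRecords) -> Decision:
    score = trust_score(app, records)
    if score < REJECT_BELOW:
        return Decision.REJECT
    if score < REVIEW_BELOW:
        return Decision.MANUAL_REVIEW
    return Decision.APPROVE


if __name__ == "__main__":
    records = TerminatedRecords()
    records.add(Applicant("fraud@mailinator.example", "US", "US", "pm_001", 1, False))
    samples = [
        Applicant("ops@shop.example", "DE", "DE", "pm_200", 2, True),
        Applicant("new@tempmail.example", "US", "US", "pm_300", 2, True),
        Applicant("FRAUD@mailinator.example", "FR", "FR", "pm_999", 1, True),
    ]
    for a in samples:
        print(a.email, "->", vet_signup(a, records).value)
```

The hard-fail on a terminated-account match implements "keep records of previously terminated fraud accounts"; the review band is where sales or abuse staff personally contact the applicant, and approved accounts still start under the new-account limits described in the list.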

[2] https://www.m3aawg.org/sites/maawg/files/news/MAAWG_Vetting_BCP_2011-11.pdf

Train customer-facing staff in security awareness.

Customer-facing teams such as support, sales and marketing do not face the majority of daily challenges that are the norm for the abuse or security teams. Training provides these teams with knowledge of when to tell a customer or prospect that their practices do not abide by the terms and Acceptable Use Policy of the system they are on or where they are trying to provision an environment. Making efforts to target clients who will be a good fit for the hosting company is another way to preserve the safety of the hosting environment. Overall, a training program for customer-facing teams can reduce the number of problematic customers and provide them with advice about what to tell customers to fix when they encounter an issue.[3]

Prevent abuse at the network edge.

1. Consider hardware-based intrusion detection systems (IDS).

At the highest levels, M3AAWG recommends exploring intrusion detection and protection measures on networks. These systems help prepare for and deal with attacks.

2. Use software-based security scans and firewalls.

Automated and configurable web application security and penetration testing tools can be used to mimic real-world hacking techniques and attacks. This enables companies to analyze complex Web applications and services for security vulnerabilities. At a minimum, a hardware- or software-based firewall is required for every network. It is also common to protect individual networks and computers with additional software-layer firewalls.[4]

3. Promote the use of Web application firewalls.

Hosting providers should encourage use of Web application firewalls (WAF) such as ModSecurity for their hosted clients. Managed providers should also consider managing a core set of WAF rules on their client servers.[5]

4. Use tiered-rights allocation for valued customers.

Access to the provider’s network should be limited for new accounts. Seasoned, trusted accounts should be granted progressively wider access as their tenure and reputation within the system increases.

Access restrictions that can later be relaxed include, for example, limits on:

● API access
● server creation
● new domain creation
● bandwidth increases

Expanded access privileges should not be granted to the majority of customers. They can be reserved for customers that:

● are proactive against any potential abuse
● have been hosted for an extended period of time (over 12 months)
● are responsive to your company’s requests

As with any privileges, these rights must be revoked in circumstances where customers previously in good standing commit multiple abuses or become non-responsive to company inquiries.

[3] See the M3AAWG Abuse Desk Common Practices document for more information: http://www.maawg.org/sites/maawg/files/news/MAAWG_Abuse_Desk_Common_Practices.pdf

[4] NIST Guidelines on Firewalls and Firewall Policy: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

[5] ModSecurity is an open source, cross-platform WAF: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
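The tiered-rights scheme above (tight limits for new accounts, wider limits for long-tenured responsive customers, revocation on repeated abuse or silence) is a policy decision that is easy to get wrong when tenure alone is used as the criterion. The Python below is an added example written for this page, not M3AAWG's or any provider's code; the tier names, the limit table, the 90-day intermediate step and the revocation counts are constructed assumptions, with only the "over 12 months" threshold taken from the text.

```python
"""Tiered-rights allocation for hosting accounts.

New accounts start with tight limits; limits widen with tenure and good
behaviour and are pulled back when an account commits repeated abuse or
stops answering the provider's inquiries. Tier names, limits and the
revocation thresholds are constructed for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    NEW = 0
    ESTABLISHED = 1
    TRUSTED = 2


@dataclass(frozen=True)
class Limits:
    api_access: bool
    max_servers: int
    max_new_domains_per_month: int
    bandwidth_mbps: int


# Constructed limit table; the real numbers belong in the provider's policy.
TIER_LIMITS = {
    Tier.NEW: Limits(api_access=False, max_servers=2, max_new_domains_per_month=3, bandwidth_mbps=100),
    Tier.ESTABLISHED: Limits(api_access=True, max_servers=10, max_new_domains_per_month=20, bandwidth_mbps=500),
    Tier.TRUSTED: Limits(api_access=True, max_servers=50, max_new_domains_per_month=100, bandwidth_mbps=2000),
}

TRUSTED_TENURE_DAYS = 365       # "over 12 months" in the text
ESTABLISHED_TENURE_DAYS = 90    # constructed intermediate step
MAX_ABUSE_INCIDENTS = 1         # more than this counts as "multiple abuses"
MAX_UNANSWERED_INQUIRIES = 2    # more than this counts as non-responsive


@dataclass
class Account:
    account_id: str
    tenure_days: int
    abuse_incidents: int          # confirmed abuse cases in the review window
    unanswered_inquiries: int     # provider inquiries left without a reply
    proactive: bool               # reports and fixes issues before being asked


def assign_tier(acct: Account) -> Tier:
    """Widen access with tenure and reputation; revoke on repeat abuse or silence."""
    # Revocation is checked first so it applies regardless of tenure.
    if (acct.abuse_incidents > MAX_ABUSE_INCIDENTS
            or acct.unanswered_inquiries > MAX_UNANSWERED_INQUIRIES):
        return Tier.NEW
    if acct.tenure_days > TRUSTED_TENURE_DAYS and acct.proactive:
        return Tier.TRUSTED
    if acct.tenure_days >= ESTABLISHED_TENURE_DAYS:
        return Tier.ESTABLISHED
    return Tier.NEW


def authorize(acct: Account, action: str, current: int = 0) -> bool:
    """Check one request against the account's current tier limits.

    action is one of "api", "create_server", "create_domain", "bandwidth";
    current is present usage (servers, domains created this month) or the
    bandwidth being requested in Mbps.
    """
    limits = TIER_LIMITS[assign_tier(acct)]
    if action == "api":
        return limits.api_access
    if action == "create_server":
        return current < limits.max_servers
    if action == "create_domain":
        return current < limits.max_new_domains_per_month
    if action == "bandwidth":
        return current <= limits.bandwidth_mbps
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    fresh = Account("acct-1", tenure_days=10, abuse_incidents=0, unanswered_inquiries=0, proactive=False)
    veteran = Account("acct-2", tenure_days=400, abuse_incidents=0, unanswered_inquiries=0, proactive=True)
    lapsed = Account("acct-3", tenure_days=400, abuse_incidents=2, unanswered_inquiries=0, proactive=True)
    for a in (fresh, veteran, lapsed):
        print(a.account_id, assign_tier(a).name, "api:", authorize(a, "api"))
```

Because the tier is recomputed on every authorization call rather than stored, revocation takes effect on the next request once the abuse or inquiry counters change; a stored tier would need an explicit demotion step to achieve the same.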

5. Contract with customers to protect security.

Hosting providers must require their clients to maintain a secure environment on their network and within the services they offer and the resources they consume from the provider. These requirements must be communicated to the client prior to provisioning and must form part of the contractual obligations. Clients must have a contractual obligation to notify the provider of breaches and issues.


