Nuclear Regulatory Commission Security Office Guidance

Office Instruction: CSO-GUID-0016

Office Instruction Title: Malicious Code Protection Guidance

Revision Number: 1.0

Effective Date: May 1, 2013

Primary Contacts: Kathy Lyons-Burke, SITSO

Responsible Organization: CSO/PST

Summary of Changes: CSO-GUID-0016, “Malicious Code Protection Guidance,” provides guidance for implementing controls to protect against malicious code.

Training: Upon request

ADAMS Accession No.: ML13107A777

Concurrences

Primary Office Owner: Policy, Standards, and Training
Responsible SITSO: Kathy Lyons-Burke

Directors and date of concurrence:

CSO Thomas Rich 17-APR-13

PST Kathy Lyons-Burke 17-APR-13

FCOT Paul Ricketts 17-APR-13

CSA Thorne Graham 17-APR-13

CSO Concurrence Meeting conducted on 17-APR-13. Attendees: Thomas Rich, Kathy Lyons-Burke, Jonathan Feibus, Ray Hardy, Thorne Graham

Contents

1 PURPOSE
2 OVERVIEW
2.1 DEFINITIONS
3 TYPES OF MALICIOUS CODE
3.1 ADWARE
3.2 KEYLOGGER
3.3 LOGIC BOMB
3.4 MALICIOUS MOBILE CODE
3.5 ROOTKIT
3.6 SPYWARE
3.7 TRAPDOOR
3.8 TROJAN HORSE
3.9 VIRUS
3.10 WORM
4 MOBILE CODE CATEGORIZATION
5 PROTECTIONS AGAINST MALICIOUS CODE
5.1 AWARENESS
5.2 BEHAVIOR ANALYSIS
5.3 BLACK LISTING
5.4 CODE EXECUTION ANALYSIS TOOLS
5.5 CODE REVIEWS
5.6 FIREWALLS
5.7 FLAW REMEDIATION
5.8 HEURISTICS
5.9 INFORMATION INPUT VALIDATION
5.10 INFORMATION SYSTEM MONITORING
5.11 INTRUSION PREVENTION SYSTEMS
5.12 LEAST PRIVILEGE
5.13 MOBILE CODE
5.14 SECURE CONFIGURATION
5.15 SIGNATURE-BASED DETECTION
5.16 SIGNED CODE
5.17 WHITELISTING
5.18 SYSTEM INTEGRITY CHECKING
5.19 SECURITY FUNCTION VALIDATION
APPENDIX A PROTECTIONS AGAINST MALICIOUS CODE MATRIX

Computer Security Guidance CSO-GUID-0016

Malicious Code Protection Guidance

1 PURPOSE

The purpose of CSO-GUID-0016, “Malicious Code Protection Guidance,” is to provide information to assist system owners in protecting systems against malicious code, including malicious mobile code. The information in this guidance is intended to be used by system designers, system implementers, Information System Security Officers (ISSOs), system administrators, system owners and end users.

2 OVERVIEW

Malicious code (also referred to as ) refers to a program or programming code inserted surreptitiously into a system with the goal of compromising the confidentiality, integrity, or availability of the system's information and resources. Mobile code or active content are broad terms used to describe web or host-based technologies that allow code, in the form of a script, macro, or other form of portable instruction, to execute when the file (e.g., , pdf) is rendered by the user via a web browser or specific application, often without the user explicitly triggering execution. Malicious forms of mobile code can be transmitted via a local or a remote source and may take the form of a virus, worm, Trojan horse, , or logic bomb. Malicious code that makes use of active content and is transmitted remotely over a network connection is known as malicious "mobile code" because it uses interconnected networks (e.g., the Internet, the NRC infrastructure) to infect the victim.

Readers should consult with Management Directive 12.5, “NRC Cyber Security Program” for policy the system must meet and the CSO web page for additional requirements. Contact CSO for additional information.

2.1 Definitions

Bootable Rescue Disk: A disk, separate from the computer, that the computer can boot from. The rescue disk contains anti-malware tools as well as computer repair tools.

Code injection: Where invalid data is presented to an application and the nature of the invalid data is such that the application processes the data as executable code.

Cross-site scripting (XSS): A computer security exploit typically found in Web applications, such as web browsers, that enables attackers to inject malicious client-side script into Web page links that appear to be from a trustworthy source. When the user clicks on the link, the script is executed on the user's computer, typically allowing the attacker to gain unauthorized access or steal information.

Macro: A single computer command that can be user defined and that executes a specific series of computer commands or instructions.

Portable instruction: Code that can execute on multiple computer platforms.

Script: A series of commands that are executed or interpreted by another program rather than by the computer processor (as a compiled program is). A script takes longer to run than a compiled program because of the interpreting program inserted between the command and the computer processor.

3 TYPES OF MALICIOUS CODE

This document discusses the following types of malicious code:

• Adware
• Keylogger
• Logic bomb
• Malicious mobile code
• Rootkit
• Spyware
• Trapdoor
• Trojan horse
• Virus
• Worm

3.1 Adware

Adware is code that obtains information from the system users to enable targeted advertising and financial gain to the adware owners. Adware is often installed when a user purchases items via a web page or queries a web page about items for purchase. Companies that own the web pages can legally insert the Adware on the user’s computer during these activities, and the Adware provides the user with advertisement to purchase specific goods and services.

3.2 Keylogger

Keyloggers are specialized forms of spyware. Keyloggers record every keystroke and then provide the information to the malicious user. The information obtained using keyloggers includes usernames and passwords for Internet accounts such as bank accounts and credit card information. Keyloggers come in several forms. The most common form is specialized hardware that can be attached directly to a computer and collects keystrokes. The hardware is picked up and analyzed by the attacker. Keyloggers can also be programs that are installed with other malware, and send data to a remote computer for analysis.


3.3 Logic Bomb

A logic bomb is code that has been placed onto a computer that has been designed to cause harm when a specific set of conditions exist (e.g., a date and time occur, specific data is entered). A logic bomb can be a virus or Trojan horse that only executes when the specific conditions exist. Logic bombs can perform any function for which the code has permission to perform and have been used to modify prices, send emails, delete data, modify web page content, etc. Logic bombs are often inserted by disgruntled employees to cause harm to the employer.

3.4 Malicious Mobile Code

Mobile code is software code that can be transferred from one computer to another and executed on a computer without being installed on the computer and without user knowledge. Mobile code is used frequently by web sites to provide the user with effective and entertaining transmission of information as well as capturing needed information from users. Most of these uses are legitimate. However, mobile code can be used to deliver malicious code to unsuspecting users with techniques such as malicious Structured Query Language (SQL) or other command injections, , or cross-site scripting attacks, and can be delivered as part of SQL, JavaScript, Applets, Embedded Open Type Fonts (trigger attacks), and ActiveX controls or through Plug-ins.

3.5 Rootkit

Rootkits are a collection of programs that enable complete and continued privileged access to a computer or computer network and that are extremely difficult, often almost impossible, to detect. Rootkits often modify the operating system and are adept at hiding code execution, including from the process list and the task manager. As a result, computers suspected of having a rootkit usually have to be destroyed or have all software and firmware completely replaced. Any computer where a rootkit is successfully installed is called a “rooted computer.”

3.6 Spyware

Spyware is code placed on the system to capture information without the user’s knowledge and provide it to the malicious user. The code secretly obtains information of value to the malicious user. Spyware is frequently bundled in with free software and often modifies the browser to redirect links and create pop-up windows while browsing. Some spyware is adware.

3.7 Trapdoor

A trapdoor is a method whereby a malicious user gains system access by bypassing system access controls and is then able to gain access at any time. Initial access is gained by exploiting a system vulnerability. Upon initial access, the malicious user inserts a method to gain access outside of the implemented access controls. Sometimes, system developers insert trapdoors that enable them to gain access to any system upon which the software is installed. Trapdoors can also be discovered and used by malicious users that did not install them.


3.8 Trojan Horse

A Trojan horse is a program that performs a useful function, but also performs an unintended and most often malicious action that is hidden in its source code, much as Greek soldiers hid inside a horse statue that was given to the City of Troy. Many instances of freeware contain Trojan horses. Some Trojan horses are remote administration Trojans that allow the malicious user to have total control over a machine from a remote location.

3.9 Virus

A virus is code designed with the intent to damage files or disrupt hardware on a computer and replicates by attaching copies to existing executable files. This is the most common form of malicious software currently in use.

3.10 Worm

A worm is code designed with the intent to damage files or disrupt hardware on a computer and which replicates itself and causes execution of the new copy. They are often detected when system resources are exhausted.

4 MOBILE CODE CATEGORIZATION

Mobile code can be transferred from one computer to another and executed on a computer without being installed on the computer and without user knowledge. NRC has adopted the Department of Defense (DOD) mobile code designations to categorize mobile code technologies at NRC. DOD Instruction 8552.01, “Use of Mobile Code Technologies in DOD Information Systems,” defines three categories of mobile code based upon the characteristics of the mobile code and the level of vulnerability that the code can introduce into a system. The criteria for categorization are provided below.

Category 1 mobile code technologies:

• Exhibit a broad functionality, allowing unmediated access to workstation, server, and remote system services and resources
• Have known security vulnerabilities with few or no countermeasures once they begin executing
• Execution typically requires an all-or-none decision: either execute with full access to all system resources or do not execute at all
• Pose a significant threat to IT systems; however, in some cases the risk can be mitigated

Category 2 mobile code technologies:

• Have full functionality, allowing mediated or controlled access to workstation, server, and remote system services and resources
• May have known security vulnerabilities but also have known fine-grained, periodic, or continuous countermeasures or safeguards
• Can pose a moderate threat to IT systems


Category 3 mobile code technologies:

• Support limited functionality, with no capability for unmediated access to workstation, server, and remote system services and resources
• May have a history of known vulnerabilities, but also support fine-grained, periodic, or continuous security safeguards
• Pose limited risk to IT systems

5 PROTECTIONS AGAINST MALICIOUS CODE

Malicious code protection requires many different types of tools. No single tool or method can provide adequate protection, and multiple methods must be used to provide appropriate protections for NRC systems and data. The following sections provide specific mechanisms to help protect against malicious code. Mechanisms should be applied to all areas where malicious code can enter a system. Appendix A contains a table outlining which protections are suited to specific types of attacks.

5.1 Awareness

All users are on the front lines of defense against malicious code. The greater the user’s awareness level, the less likely the user will inadvertently enable malicious code. For example, (sending email that entices the user to perform an action such as clicking on a link or opening an attachment that results in enabling malicious code on the user’s computer) is a common method of malware distribution.

Users need to be informed about the following:

• Agency specific rules of behavior
• Current methods being used to distribute malware and how the user can detect them
• The computer security protections that help but cannot stop all malicious code
• Risks posed by using different devices in different environments
• Techniques for avoiding risky behaviors:
  - Do not open suspicious e-mails or e-mail attachments from unknown or known senders
  - Do not open unexpected e-mails or e-mail attachments from known senders
  - Do not click on suspicious web browser popup windows
  - Do not visit Web sites that are at least somewhat likely to contain malicious content
  - Do not open files with file extensions that are likely to be associated with malware that are not from trustworthy sources
  - Do not disable security controls
  - Do not use administrator-level accounts for regular user activities
  - Do not download or execute applications from untrusted sources
  - Never provide financial or personal information requested via email, but contact the requester using the organization’s official phone number
• Where to report potential malicious attacks
• Where users can ask questions to help them avoid malicious attacks

5.2 Behavior Analysis

Behavior analysis uses a combination of techniques to identify potentially malicious activities. First, the analysis has encoded behaviors that are often associated with malicious conduct. When those behaviors appear, they are flagged as potentially malicious. Second, the tool is used to baseline over a period of time common behavior patterns for systems and users. Deviations from those patterns are also flagged as potentially malicious. Heuristics engines continue to increase capability or “learn” over time.
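The two mechanisms described above (encoded behaviors flagged on sight, and deviation from a learned baseline) as an added example in Go. This is not code from the NRC document or from any NRC tool; the log format, hosts, users, paths, the two encoded rules and the "mean plus three standard deviations" threshold are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Event is one parsed record of the constructed log format "<day> <host> <user> <action> <detail>".
type Event struct {
	Day                        int
	Host, User, Action, Detail string
}

// sampleLog is constructed data (hypothetical hosts, users and paths): three baseline
// days of routine activity, then observation day 4 with two encoded-behavior hits
// (alice) and a statistical outlier (bob).
const sampleLog = `1 ws01 alice login ok
1 ws01 alice exec C:\Program Files\Office\winword.exe
2 ws01 alice login ok
2 ws01 alice exec C:\Program Files\Office\winword.exe
3 ws01 alice login ok
1 ws02 bob login ok
2 ws02 bob login ok
3 ws02 bob login ok
4 ws01 alice login ok
4 ws01 alice exec C:\Users\alice\AppData\Local\Temp\update.exe
4 ws01 alice security_control_disabled antivirus
4 ws02 bob login ok
4 ws02 bob login ok
4 ws02 bob login ok
4 ws02 bob login ok`

// parseLog turns the raw text into events, skipping malformed records rather than guessing.
func parseLog(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.SplitN(strings.TrimSpace(line), " ", 5)
		day, err := strconv.Atoi(f[0])
		if err != nil || len(f) < 4 {
			continue // malformed record
		}
		e := Event{Day: day, Host: f[1], User: f[2], Action: f[3]}
		if len(f) == 5 {
			e.Detail = f[4]
		}
		events = append(events, e)
	}
	return events
}

// ruleFlags applies encoded behaviors that are often associated with malicious conduct:
// a security control being disabled, and a program launched from a user's temporary
// directory (a location that ordinary installed software does not run from).
func ruleFlags(events []Event) []string {
	var flags []string
	for _, e := range events {
		switch {
		case e.Action == "security_control_disabled":
			flags = append(flags, fmt.Sprintf("day %d %s %s: security control disabled (%s)", e.Day, e.Host, e.User, e.Detail))
		case e.Action == "exec" && strings.Contains(strings.ToLower(e.Detail), `\appdata\local\temp\`):
			flags = append(flags, fmt.Sprintf("day %d %s %s: executable launched from user temp directory (%s)", e.Day, e.Host, e.User, e.Detail))
		}
	}
	return flags
}

// baselineFlags learns each user's daily event count over days 1..obsDay-1 and flags the
// observation day when it exceeds mean+3*sd and also mean+1 (so a perfectly flat
// baseline, whose sd is zero, does not fire on one extra event).
func baselineFlags(events []Event, obsDay int) []string {
	if obsDay < 2 {
		return nil // no baseline window to learn from
	}
	counts := map[string]map[int]int{} // user -> day -> number of events
	for _, e := range events {
		if counts[e.User] == nil {
			counts[e.User] = map[int]int{}
		}
		counts[e.User][e.Day]++
	}
	var flags []string
	for u, days := range counts {
		n := float64(obsDay - 1)
		var sum, sumSq float64
		for d := 1; d < obsDay; d++ {
			c := float64(days[d])
			sum, sumSq = sum+c, sumSq+c*c
		}
		mean := sum / n
		sd := math.Sqrt(math.Max(sumSq/n-mean*mean, 0))
		obs := float64(days[obsDay])
		if obs > mean+3*sd && obs > mean+1 {
			flags = append(flags, fmt.Sprintf("day %d %s: %.0f events vs baseline mean %.2f (sd %.2f)", obsDay, u, obs, mean, sd))
		}
	}
	sort.Strings(flags)
	return flags
}

func main() {
	events := parseLog(sampleLog)
	for _, f := range ruleFlags(events) {
		fmt.Println("RULE    ", f)
	}
	for _, f := range baselineFlags(events, 4) {
		fmt.Println("BASELINE", f)
	}
}
```

Alice's observation day is flagged twice by the encoded rules but not by the baseline (three events against a learned threshold of about 3.08), while bob trips only the baseline check: the two techniques catch different things, which is why the section presents them as a combination.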

5.3 Black Listing

Blacklisting is the process of blocking known threats, such as known malicious IP addresses. Most SPAM filtering uses blacklisting to block known SPAM addresses. Blacklisting requires knowledge of where the threats are coming from. If an application or executable file is not listed in the blacklist, the threat will not be blocked. Likewise, if a threat is coming from the same source as valid data, blacklisting that source will also block the valid data. Blacklisting is processing intensive and does not protect against unknown or new threats. Blacklisting is often used in combination with whitelisting.

5.4 Code Execution Analysis Tools

Code execution analysis tools analyze code prior to execution to identify potential threats. The analysis may entail stateful analysis or virtual code execution. Tools in this category can be deployed on the network to analyze suspicious behaviors exhibited by applications. They can also be deployed in a stand-alone environment where analysts execute code that has been detected as suspicious by other tools. The result of this analysis is that infected systems can be quickly identified and remediated. The tools also provide information about how the malicious code is communicating outside of the agency, and allow additional steps to be taken to block the ports, protocols and callback domains used.

5.5 Code Reviews

Code review can include manual and automated review of custom applications to look for security vulnerabilities. Flaws discovered during these reviews can be mitigated or corrected prior to the applications’ release. Code review can be performed by manual or automated inspection of source code as well as by automated analysis of compiled or object code.

5.6 Firewalls

Firewalls examine network traffic and use rules to determine how to process the traffic. There are two basic types of firewalls: network firewalls and host-based firewalls. Network firewalls reside between networks or network segments; host-based firewalls reside on a host that is on the network. A network firewall decides what network traffic can pass from one network to another, and a host-based firewall decides what network traffic can be passed along to the host on which the firewall resides. Correctly configured firewalls can detect and prevent many types of malware from gaining access to the network or hosts. Deny-by-default rule sets (deny all network traffic that is not expressly permitted) are the most effective in protecting against malicious software. Rule sets should be reviewed regularly to ensure that network changes are correctly reflected in the current rules.

Next-generation firewalls have additional capabilities that add automated features that can detect applications that exhibit suspicious behaviors. This permits the blocking of traffic that would be otherwise permitted by static rules.

Firewalls should prevent all suspicious network traffic (e.g., packets from known false or malicious IP addresses) from entering and exiting the agency network.

Restrictions on network actions taken by external systems (computers that are not considered part of the agency network, such as personally owned devices) are also important to protect against malicious software.

5.7 Flaw Remediation

Malware exploits vulnerabilities and many of those vulnerabilities exist in code that runs on systems. Removing as many of those vulnerabilities as possible is essential to reduce susceptibility to malicious code.

Operating system and application software and firmware often have vulnerabilities that were not known when the software was provided for sale. As those vulnerabilities are identified, the software companies produce and make available “patches” to resolve the identified vulnerabilities. Application of the patches to the software closes the vulnerabilities and malicious software is then unable to exploit them and gain unauthorized access to the system. Applying patches is a very effective method to reduce the risk of malware incidents and thus reduce the cost and effort required to address vulnerability exploitation. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-40, “Creating a Patch and Vulnerability Management Program” provides additional information on how best to perform flaw remediation.

5.8 Heuristics

Heuristic analysis expands the use of signatures for detecting malicious software by looking for code that behaves in similar fashion to known malicious code. Static signatures allow the detection of a specific piece of code, but heuristic analysis allows for the detection of variants of malware that use similar code to perform similar behaviors.

5.9 Information Input Validation

A method used by malicious users to gain access to systems is to supply invalid data that causes errors such as buffer overflows and results in the data being interpreted as a command. Effectively validating input to systems prevents this type of attack from succeeding: the user receives an error message instead of the system accepting the erroneous data.

Information input validation includes:

• Ensuring the information is entered by a user authorized to provide the information
• Ensuring remote commands are authenticated as valid, are processed in the correct order, and are not a replay of the command from an unauthorized source
• Entered information is validated by syntax and semantics (e.g., character set, length, numerical range, and acceptable values) before the values are accepted
• Error messages are generated such that the user understands the issue but information that could assist a malicious user is not revealed
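The syntax-and-semantics checks and the error-message rule from the list above, as an added example in Go. It is not code from the NRC document or any NRC application; the request fields, the username pattern, the action allow-list, the numeric range and the comment length limit are assumptions constructed for the example. The point it adds is the split between a detailed reason that goes only to the log and a generic message that goes back to the requester.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"unicode"
	"unicode/utf8"
)

// Request is a constructed input record; the fields and rules are assumptions
// for this example, not taken from any NRC system.
type Request struct {
	Username string // identifier of the submitting user
	Action   string // requested operation
	Quantity string // numeric value, still text at this point
	Comment  string // free text
}

// Violation records which field failed and why. Detail is for the system log
// only; it is never sent back to the requester.
type Violation struct {
	Field  string
	Detail string
}

func (v *Violation) Error() string { return v.Field + ": " + v.Detail }

var (
	// character set and length in one rule: a lowercase letter, then 2 to 31 of [a-z0-9_]
	usernameRe = regexp.MustCompile(`^[a-z][a-z0-9_]{2,31}$`)
	// acceptable values: an explicit allow-list; anything not listed is rejected
	allowedActions = map[string]bool{"view": true, "submit": true, "withdraw": true}
)

const (
	minQuantity = 1
	maxQuantity = 1000
	maxComment  = 200 // runes
)

// validateRequest checks syntax and semantics before any value is accepted.
func validateRequest(r Request) error {
	if !usernameRe.MatchString(r.Username) {
		return &Violation{"username", fmt.Sprintf("character set or length rule failed for %q", r.Username)}
	}
	if !allowedActions[r.Action] {
		return &Violation{"action", fmt.Sprintf("%q is not an acceptable value", r.Action)}
	}
	n, err := strconv.Atoi(r.Quantity)
	if err != nil {
		return &Violation{"quantity", fmt.Sprintf("not an integer: %q", r.Quantity)}
	}
	if n < minQuantity || n > maxQuantity {
		return &Violation{"quantity", fmt.Sprintf("%d outside range %d-%d", n, minQuantity, maxQuantity)}
	}
	if !utf8.ValidString(r.Comment) {
		return &Violation{"comment", "invalid UTF-8"}
	}
	if utf8.RuneCountInString(r.Comment) > maxComment {
		return &Violation{"comment", fmt.Sprintf("length %d exceeds %d", utf8.RuneCountInString(r.Comment), maxComment)}
	}
	for _, c := range r.Comment {
		if unicode.IsControl(c) {
			return &Violation{"comment", fmt.Sprintf("control character U+%04X not permitted", c)}
		}
	}
	return nil
}

// userMessage is the text returned to the requester: it names the field so the user
// understands the issue, but repeats neither the rule nor the rejected value.
func userMessage(err error) string {
	var v *Violation
	if errors.As(err, &v) {
		return fmt.Sprintf("Request rejected: the %s field is not acceptable.", v.Field)
	}
	return "Request rejected."
}

// violatedField reports which field a validation error refers to ("" if none).
func violatedField(err error) string {
	var v *Violation
	if errors.As(err, &v) {
		return v.Field
	}
	return ""
}

func main() {
	samples := []Request{
		{"alice", "view", "10", "routine check"},
		{"alice", "view", "5000", ""},
		{"Alice;--", "view", "10", ""},
		{"alice", "delete", "10", ""},
		{"alice", "submit", "10", "line1\x00line2"},
	}
	for _, r := range samples {
		if err := validateRequest(r); err != nil {
			fmt.Printf("user sees: %s | log records: %v\n", userMessage(err), err)
		} else {
			fmt.Println("accepted:", r.Username, r.Action, r.Quantity)
		}
	}
}
```

Each rule rejects on the first failure and the value is only converted (strconv.Atoi) after its character set has been bounded, so nothing downstream ever sees an unchecked string.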

5.10 Information System Monitoring

Monitoring an Information System may include a variety of manual and automated processes. These processes demonstrate that the security controls are functioning as planned, and can provide system administrators, ISSOs and users with reports and alerts. The inputs to monitoring are provided by the tools used to provide security controls, and there may be a single console where alerts and reports are consolidated to provide an overall view of the security posture of the system.

5.11 Intrusion Prevention Systems

Network-based intrusion prevention systems (IPS) perform packet sniffing and analyze network traffic to identify and stop suspicious activity. Network-based IPS products are typically deployed inline, which means that the software acts like a network firewall. It receives packets, analyzes them, decides whether they should be permitted, and allows acceptable packets to pass through. The network-based IPS architecture allows some attacks to be detected on networks before they reach their intended targets. Most network-based IPS products use a combination of attack signatures and analysis of network and application protocols, which means that they compare network activity for frequently attacked applications (e.g., e-mail servers, Web servers) to expected behavior to identify potentially malicious activity.

Network-based IPS products are used to detect many types of malicious activity besides malware, and typically can detect only a few instances of malware by default, such as recent major worms. However, some IPS products are highly customizable, allowing administrators to create and deploy attack signatures for many major new malware threats in a matter of minutes. Although there are risks in doing this, such as a poorly written signature triggering false positives that block benign activity inadvertently, a custom signature can block a new malware threat hours before antivirus signatures become available. Network-based IPS products can be effective at stopping specific known threats, such as network service worms, and e-mail–borne worms and viruses with easily recognizable characteristics (e.g., subject, attachment filename). However, network-based IPS products are generally not capable of stopping malicious mobile code or Trojan horses. Network-based IPS products might be able to detect and stop some unknown threats through application protocol analysis.

Host-based IPS products are similar in principle and purpose to network-based IPSs, except that a host-based IPS product monitors the characteristics of a single host and the events occurring within that host. Examples of activity that might be monitored by host-based IPSs include network traffic, system logs, running processes, file access and modification, and system and application configuration changes. Host-based IPS products often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems. For example, host-based IPS products that monitor attempted changes to files can be effective at detecting viruses attempting to infect files and Trojan horses attempting to replace files, as well as the use of attacker tools, such as rootkits, that often are delivered by malware. If a host-based IPS product monitors the host’s network traffic, it offers detection capabilities similar to a network-based IPS’s.

5.12 Least Privilege

Privilege escalation is a common tactic used by malicious code. Limiting the available privileges minimizes malicious code impact.

All user accounts should be configured with the principle of least privilege in mind. Each user account should have the minimum privileges required to perform authorized tasks. Users requiring additional permissions should be issued a separate account to use only while performing those specialized tasks. All standard (non-privileged) tasks must be performed using a standard user account.

This principle should also be applied to processes and hosts, ensuring that only required privileges are assigned to accounts and activities used by the processes and hosts.

5.13 Mobile Code

Mobile code should only be implemented as part of an authorized system or application. The security package should specifically indicate use of mobile code as part of the system and should clearly state the security controls implemented to minimize the potential for unauthorized use or disruption of system, network, or application resources and other breaches of computer security due to the use of mobile code. System owners of classified systems should ensure the system prevents the automatic execution of mobile code in electronic mail applications and requires prompting the user prior to executing the code.

System owners should ensure the acquisition, development, and/or use of mobile code to be deployed in IT systems meets the following requirements:

• Emerging mobile code technologies that have not undergone a risk assessment and been assigned to a Risk Category by the CIO are not used.
• Category 1 mobile code is signed with a code signing certificate; no use of unsigned Category 1 mobile code; no use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host).
• Category 2 mobile code which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, and network connections to other than the originating host) may be used.
• Category 2 mobile code that does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., SIPRNet, SSL connection, S/MIME, code is signed with an approved code signing certificate).
• Category 3 mobile code may be used.

5.14 Secure Configuration

Hardware, software, and firmware should be configured in a secure fashion. NRC uses configuration standards (available on the CSO web page) to ensure NRC system configurations are secure. Default settings provided with a product are often very open and concerned more with enabling activities than with securing them.

In addition to following NRC required configuration settings, the following principles should be applied:

• All unneeded services and capabilities should be disabled or removed. This may prevent successful execution of malicious software.
• Remove all unsecured file shares. These areas are available for placement of malicious software such as worms.
• Remove all default usernames and passwords for hardware, software, and firmware if they are not needed. This ensures that malicious software cannot use them.
• Change all default usernames and passwords for hardware, software, and firmware if they are needed; reference the NRC Strong Password Standard (CSO-STD-001) for more guidance. This reduces the ability of malicious software to use them.
• Ensure all services require authentication before provision of the service. This ensures that malicious software without authentication information cannot use the service.
• Disable any automatic execution of binaries and scripts. This ensures that malicious software must obtain additional capabilities before execution can be achieved.

5.15 Signature-based Detection

Signature-based detection is where malicious software has been identified and a known unique component of the malicious software is used to identify it. That known unique component is the malicious software signature. Antivirus and antimalware software use these signatures to identify known malicious software. Antivirus and antimalware software are extensively used to protect against malicious software by scanning new messages and files as well as scanning storage media for malicious software that may reside as a separate file or within otherwise valid files located on the storage media. Many of these tools enable removal of the malicious software even when the software is embedded within an essential executable or other file. Signature files used by these tools should be updated frequently and at least daily. This technique does not protect against new or unknown malicious software.
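A minimal signature scanner of the kind described above, as an added example in Go; it is not code from the NRC document or from any antivirus product. The signature database (names, byte patterns and the one whole-file digest) and the sample files are placeholders constructed for the example, not real malware signatures. The last sample file shows the section's closing caveat: a variant that differs from the known pattern by a single byte produces no hit.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Signature is one entry of a signature database: either a byte pattern matched
// at any offset inside a file, or the SHA-256 digest of an entire known-bad file.
type Signature struct {
	Name    string
	Pattern []byte
	SHA256  string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signatureDB is a constructed database for this example. The names, patterns
// and digest are placeholders invented here, not real malware signatures.
var signatureDB = []Signature{
	{Name: "EXAMPLE.Dropper.A", Pattern: []byte("EXAMPLE-SIGNATURE-DROPPER-A")},
	// the bytes spell "EXAMPLE-MACRO"; real signatures are usually stored this way
	{Name: "EXAMPLE.Macro.B", Pattern: []byte{0x45, 0x58, 0x41, 0x4d, 0x50, 0x4c, 0x45, 0x2d, 0x4d, 0x41, 0x43, 0x52, 0x4f}},
	{Name: "EXAMPLE.Known.C", SHA256: sha256Hex([]byte("constructed known-bad file contents"))},
}

// scan returns the names of every signature that matches content. The whole file
// is searched, so a pattern embedded inside an otherwise valid file is still found.
func scan(content []byte) []string {
	var hits []string
	digest := sha256Hex(content)
	for _, s := range signatureDB {
		switch {
		case s.SHA256 != "" && s.SHA256 == digest:
			hits = append(hits, s.Name)
		case len(s.Pattern) > 0 && bytes.Contains(content, s.Pattern):
			hits = append(hits, s.Name)
		}
	}
	return hits
}

// sampleFiles are constructed inputs: one clean file, three that should match,
// and a variant of the first pattern with one byte changed that will not match.
var sampleFiles = map[string][]byte{
	"report.txt":  []byte("quarterly report, nothing unusual here"),
	"invoice.doc": []byte("valid document header ... EXAMPLE-SIGNATURE-DROPPER-A ... trailer"),
	"macro.bin":   []byte("\x00\x01EXAMPLE-MACRO\x02"),
	"known.bin":   []byte("constructed known-bad file contents"),
	"variant.bin": []byte("valid document header ... EXAMPLE-SIGNATURE-DROPPER-B ... trailer"),
}

func main() {
	names := make([]string, 0, len(sampleFiles))
	for n := range sampleFiles {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-12s hits=%v\n", n, scan(sampleFiles[n]))
	}
}
```

The digest entry only ever matches a byte-identical copy, and the pattern entries only match the exact byte sequence, which is why the section insists on frequent signature updates and on pairing this technique with heuristics and behavior analysis.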

5.16 Signed Code

Code signing relies upon trusted digital certificates to allow verification of the source of application code. The software publisher signs the application with a private key that is registered to an individual or company, which establishes the identity of the software’s source. Consumers can use the corresponding public key to confirm that the application was created by that vendor, and additional tests, such as hash comparisons, can demonstrate that the application has not been modified.

Using signed code to verify software provides assurances that the application is authentic and has not been modified by unauthorized parties.
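The publisher and consumer sides of the process just described, as an added example in Go using the standard library's Ed25519 and SHA-256; this is not code from the NRC document and is not how any particular signing product works. The package layout, the publisher name and the use of a plain map in place of a certificate store are assumptions constructed for the example. It runs the three outcomes a consumer must distinguish: authentic, modified after signing, and signed by a publisher the consumer never trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is what a publisher ships: the code, its SHA-256 digest and an
// Ed25519 signature over that digest. The layout is constructed for this example.
type SignedPackage struct {
	Publisher string
	Code      []byte
	Digest    [32]byte
	Signature []byte
}

// TrustStore stands in for the consumer's store of trusted certificates: it maps a
// publisher name to the public key the consumer has decided to trust.
type TrustStore map[string]ed25519.PublicKey

// signPackage is the publisher side: hash the code, sign the hash with the private key.
func signPackage(publisher string, priv ed25519.PrivateKey, code []byte) SignedPackage {
	digest := sha256.Sum256(code)
	return SignedPackage{Publisher: publisher, Code: code, Digest: digest, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyPackage is the consumer side. Every check must pass before the code is run:
// the publisher must be trusted, the shipped digest must match the code, and the
// signature must verify under the trusted key.
func verifyPackage(ts TrustStore, p SignedPackage) error {
	pub, ok := ts[p.Publisher]
	if !ok {
		return errors.New("publisher is not in the trust store")
	}
	digest := sha256.Sum256(p.Code)
	if digest != p.Digest {
		return errors.New("digest mismatch: code was modified after signing")
	}
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	return nil
}

// runDemo exercises the three outcomes and returns the verification result of each.
func runDemo() (authentic, tampered, untrusted error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ts := TrustStore{"Example Vendor": pub} // hypothetical publisher
	code := []byte("print('hypothetical application code')")
	good := signPackage("Example Vendor", priv, code)
	authentic = verifyPackage(ts, good)

	// Code changed after signing, with the digest recomputed to match: the digest
	// check passes, but the signature was made over the original digest and fails.
	bad := good
	bad.Code = []byte("print('hypothetical application code'); print('added later')")
	bad.Digest = sha256.Sum256(bad.Code)
	tampered = verifyPackage(ts, bad)

	// A package whose signature is valid, but under a key the consumer never trusted.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	untrusted = verifyPackage(ts, signPackage("Unknown Publisher", otherPriv, code))
	return authentic, tampered, untrusted
}

func main() {
	a, b, c := runDemo()
	fmt.Println("authentic package:", a)
	fmt.Println("modified package: ", b)
	fmt.Println("untrusted signer: ", c)
}
```

The hash comparison on its own only proves the code matches the digest that was shipped with it; the signature is what binds that digest to the publisher, and the trust store is what decides which publishers count.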


5.17 Whitelisting

Whitelisting is the process of only allowing traffic and program execution that is specifically allowed. Only traffic on the list is permitted. This technique is a very effective protection against malicious software and eliminates the need to use other methods to block personal or unlicensed software; however, the extreme control requires complete knowledge of what users need to be able to do and which messages need to be received. Email from unknown individuals is essential to achieving NRC’s mission, so using just whitelisting is not feasible. However, whitelisting could be effectively used to identify code that is permitted to execute on NRC systems and thus protect against malicious software execution.

5.18 System Integrity Checking

System integrity checking is the process of reviewing the content and configuration of devices to provide assurance that unauthorized modifications have not taken place. Automated integrity checks include periodic scans of system devices to compare firmware, configuration settings and system files against a known baseline.

Automating this process will provide system administrators and ISSOs with alerts in the event that systems are modified. System baselines need to be maintained and updated when authorized configuration changes are made, and the baseline should be documented to note approved changes.
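The automated check described above (hash every file, compare against an approved baseline, report what changed) as an added example in Go. It is not code from the NRC document or any NRC integrity tool. The directory layout, file names and contents are constructed sample data written to a temporary directory, and the three unapproved changes are staged by the example itself so the report has something to show.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps each file path (relative to the monitored root, slash-separated)
// to the hex SHA-256 digest recorded when the baseline was approved.
type Baseline map[string]string

// Report lists the differences between the approved baseline and the current state.
type Report struct{ Modified, Added, Removed []string }

// Clean is true when nothing differs from the baseline.
func (r Report) Clean() bool { return len(r.Modified)+len(r.Added)+len(r.Removed) == 0 }

// snapshot walks root and hashes every regular file beneath it.
func snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// compare reports every path whose digest changed, that appeared, or that disappeared.
func compare(baseline, current Baseline) Report {
	var r Report
	for path, digest := range baseline {
		switch cur, ok := current[path]; {
		case !ok:
			r.Removed = append(r.Removed, path)
		case cur != digest:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	return r
}

// runDemo creates a throwaway directory of constructed sample files, records a
// baseline, applies three unapproved changes and returns the resulting report.
func runDemo() (Report, error) {
	root, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(root)
	files := map[string]string{ // constructed sample files
		"etc/app.conf":  "listen=443\n",
		"bin/service":   "#!/bin/sh\necho service\n",
		"lib/helper.so": "placeholder library bytes",
	}
	for name, content := range files {
		full := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return Report{}, err
		}
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return Report{}, err
		}
	}
	baseline, err := snapshot(root)
	if err != nil {
		return Report{}, err
	}
	// Unapproved changes: a config edit, a dropped-in binary, a removed library.
	os.WriteFile(filepath.Join(root, "etc", "app.conf"), []byte("listen=443\ndebug=1\n"), 0o644)
	os.WriteFile(filepath.Join(root, "bin", "extra"), []byte("unexpected content"), 0o644)
	os.Remove(filepath.Join(root, "lib", "helper.so"))
	current, err := snapshot(root)
	if err != nil {
		return Report{}, err
	}
	return compare(baseline, current), nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("modified: %v\nadded: %v\nremoved: %v\nclean: %v\n", r.Modified, r.Added, r.Removed, r.Clean())
}
```

In practice the baseline would be stored somewhere the monitored system cannot write to, and an approved change would be followed by taking a new snapshot and recording it as the baseline, which is the maintenance step the section calls out.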

5.19 Security Function Validation

Verification of security functions will include a review of tools, logs, reports and control implementations, as well as active testing of the system. This can be conducted as part of a continuous monitoring program, specialized penetration testing, auditing, or a combination of processes. The goal of verification is to confirm that tools are working as they should.


CSO-GUID-0016 Change History

Date: 17-Apr-13
Version: 1.0
Description of Changes: Initial issuance
Method Used to Announce & Distribute: Distribution at ISSO forum and posting on CSO web page
Training: Upon request


APPENDIX A PROTECTIONS AGAINST MALICIOUS CODE MATRIX

Shaded boxes denote mechanisms that can be effective against a given threat.

Threats (matrix columns): Adware, Keylogger, Logic Bomb, Malicious Mobile Code, Rootkit, Spyware, Trapdoor, Trojan Horse, Virus, Worm

Protection mechanisms (matrix rows): Awareness, Behavior Analysis, Blacklisting, Code Execution Analysis Tools, Code Reviews, Firewall, Flaw Remediation, Heuristics, Information Input Validation, Information System Monitoring, Intrusion Prevention Systems, Least Privilege, Secure Configuration, Security Function Verification, Signature-based Detection, Signed Code, Specific Tools, System Integrity Checks, Whitelisting