
Early Alerts — making sense of security information overload: Kevin Hawkins, Senior Principal Consultant, Symantec Corp


wireless security (conclusion of the preceding article)

Nonetheless, attempting to detect these APs is an important part of your information security procedures. Security personnel should be trained to recognize external rogue APs via foreign MAC addresses or other footprints which are available using tools such as AirMagnet [1] or Kismet [2].

Besides detecting external rogue APs, preventing damage from them is critical. First, make sure you are using WEP. Most clients, including Windows XP and Linux, can be configured to only connect to specific SSIDs and further to only connect if the AP supports WEP encryption. Even though WEP keys can be cracked, using WEP raises the bar.

The next step is to deploy end-to-end authentication for all client associations. 802.1X, a local network authentication protocol, provides mechanisms for bi-directional verification of both the wireless client and the back-end authentication server. 802.1X does not explicitly authenticate the AP. However, when using EAP-TLS, an authentication method within 802.1X, the client is able to verify the authenticity of the back-end server. An external rogue AP will not be able to connect to the back-end authentication server because it is disconnected from your internal network. The client, unable to successfully authenticate, will not associate with the rogue AP. This protection only holds if the client supplicant is configured to validate the server's certificate against a trusted CA; a supplicant that accepts any server certificate will authenticate just as happily to a RADIUS server run by the attacker behind the rogue AP.

Finally, educate your user-base to recognize when they may be under a social engineering attack via a rogue AP. Advise them to not enter their credentials into non-standard interfaces, such as an unfamiliar Web page, when they are using the wireless network. They should report any unusual events to information security staff.

Inside or out, detect and prevent

When deploying a wireless network, it is important to remember that an attacker can do more than sniff traffic or attempt to gain access to your infrastructure. More and more, attackers are attempting to fool wireless clients by pretending to be a valid access point. Further, your own employees may be installing huge holes in your network disguised as a personal access point brought in from home. By constantly monitoring for rogue APs and deploying systems in a manner resistant to the threat posed by them, your wireless and wired network will provide a secure foundation for your enterprise's activities.

1 AirMagnet – An 802.11 network diagnostic tool for Windows and PocketPC – www.airmagnet.com
2 Kismet – An 802.11 network analysis tool for Linux – www.kismetwireless.net

About the Author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, Bruce served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 Bruce founded The Shmoo Group, a group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published through O'Reilly and Associates. He is co-authoring Mac OS X Security, to be published by New Riders Publishing in May of 2003.

Early Alerts – Making Sense of Security Information Overload
Kevin Hawkins, Senior Principal Consultant, Symantec Corp.

Knowledge is power – never more so than when it comes to security. Knowing what the threats are, and where vulnerabilities lie, will make the difference between a successful defence and an expensive security breach.

Speaking from personal experience, the typical security manager is now bombarded with information from a variety of sources, both internal and external, every minute of every hour. There are firewall logs, Intrusion Detection System (IDS) logs, vulnerability reports and patching levels, not to mention breaches of policy by staff to be dealt with. Making sense of all this information, and acting on it effectively, is a monumental task.

Research shows that a typical medium-sized organization will, on average, receive 9.5 million log entries and alerts per month, generated by firewalls and IDS devices across the enterprise. After correlating the data from the various sources, an average of 620 security events will require further investigation. After weeding out the false positives – a major task in itself – some 55 of these will be determined to constitute some sort of security threat.

issue.qxd 10/04/2003 16:23 Page 5


And of these, two will pose a risk that is critical enough to require immediate action.

So, the good news is that only two out of 9.5 million events are serious potential threats. The bad news is that we have to identify which two! Added to this is the fact that 450 new viruses and about 250 new vulnerabilities are discovered every month, and these require system updates and patches.

As security professionals, we are all aware that the best protection against attack is an effective defence, combining the right security tools with a well-managed security policy. To be forewarned is to be forearmed, and intelligence is the key for companies today – "Is my system being attacked?" If so, when, where and how often? But to monitor and analyse the vast volumes of data produced by all of the security devices on a corporate network requires time, specialist knowledge and highly complex technical architecture. Increasingly, companies also want access to intelligence on global attack activity that will help them move from simply reacting to attacks to proactively preventing them.

The security manager's day job is to demonstrate that all reasonable steps have been taken to ensure that critical assets are being protected to an appropriate level. This level will have been assessed during the formalisation of a risk management plan, following a risk assessment based on business impact. This ensures that all mission-critical systems have been identified and an appropriate level of protection defined. However, no matter how well prepared the plan is, it will not stop attempts at breaching security. Therefore, having identified the risks and the vulnerabilities, the security manager has to consider them alongside the threat.

By far the greatest threat to networked systems comes from malicious code – computer viruses, worms and Trojan horses. As a priority, all systems must have up-to-date anti-virus protection. However, Symantec has seen a dramatic increase in the number of blended threats over the past 12 months. These are based on malicious code that may combine a system exploit with worm or virus-like activity. In some cases, as with Code Red, what appears to be a virus threat cannot in fact be stopped by anti-virus software: Code Red lived only in memory and spread by exploiting a vulnerability in IIS, so there was no infected file for a scanner to catch. Stopping it required firewall and intrusion detection to prevent it spreading, together with a software patch to prevent further infection. The ability to provide immediate updates to all security software is now a priority.

An early alert and rapid reaction tosuch threats will reduce the risk to anorganization. Knowing that you have vulnerable systems and understandingtheir priority in business-critical systemsenables more effective deployment of resources.


Spotting the serious attacks

The average company network is attacked 30 times a week. The threat of a security breach, whether accidental, opportunistic or targeted, is very real. But understanding the type of attack and its source is paramount to effective protection, and to ensuring that time and effort aren't wasted on dealing with non-threatening attacks.

Attacks are nearly always preceded by some form of information gathering: a port scan, an attempt at a DNS zone transfer, or simply running a whois query to see what information is freely available. Only a minority are serious attempts to breach security. Of course, this would not prevent a probe turning very quickly into a serious attempt should the intruder discover that security is weak. The challenge is to determine which attacks are serious, which aren't, and which are likely to become serious (for example, those that can be identified as repeat reconnaissance).

According to the latest Symantec Internet Threat Report (published in January 2003), which analysed the threats to 400 managed security service customers over a six-month period, 85% of active attacks were classified as 'reconnaissance' – the cyber equivalent of a burglar checking doors and windows to see if they are locked. Only 15% of attacks were actual exploitation attempts – the burglar entering the building. Most attackers are looking for commonly known vulnerabilities in a network. If they fail to find them, they are unlikely to pursue their attack; instead they will seek out an easier target.

Companies need to understand the potential attack types as they relate to their industry sector. Some industries may attract a greater level of attention from hackers looking for financial gain or those wanting to make a political statement ('hacktivists'). For the security manager working in such sectors, knowing whether you are looking at 'background noise' or experiencing a determined attack on your network helps to prioritise the response.

Targeted attacks are those that appear to be directed at a particular organisation. In these situations, the attacker scans only the network of the targeted organisation. Furthermore, the attacker appears to be seeking to exploit specific vulnerabilities associated with the target network. Opportunistic attacks do not have these characteristics. The Symantec Internet Threat Report shows that 76% of attacks over the six-month period were opportunistic and 24% were targeted.

This type of information enables thesecurity manager to get some perspectiveon the data being received from defencesystems, which helps to cut down on thefalse positives and target essentialresources at what is important.
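The classification the preceding paragraphs describe can be run mechanically over raw events. The Python below is an added example, not code from the article or from Symantec: it correlates a handful of constructed firewall and IDS log lines (the line format, the signature names, the asset inventory and the 'community feed' of known mass scanners are all assumptions made for illustration), marks a source as reconnaissance when it sweeps several ports on one host in a day or trips a zone-transfer signature, flags repeat reconnaissance when the same source returns on another day, treats a source that nobody else in the community reports as the targeted case, and rates an exploitation attempt as critical only when it is aimed at a service the target host actually exposes.

```python
"""Event triage: reconnaissance vs exploitation, repeat and targeted probes.

Added example, not from the article. The log format, signature names, asset
inventory and 'community feed' below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <sensor> key=value ...".
SAMPLE_EVENTS = [
    # 203.0.113.7 sweeps six ports on one host, then comes back three days
    # later: repeat reconnaissance from a source nobody else reports.
    "2003-03-10T02:14:05 fw src=203.0.113.7 dst=192.0.2.10 dport=21 action=drop",
    "2003-03-10T02:14:06 fw src=203.0.113.7 dst=192.0.2.10 dport=23 action=drop",
    "2003-03-10T02:14:06 fw src=203.0.113.7 dst=192.0.2.10 dport=80 action=accept",
    "2003-03-10T02:14:07 fw src=203.0.113.7 dst=192.0.2.10 dport=139 action=drop",
    "2003-03-10T02:14:07 fw src=203.0.113.7 dst=192.0.2.10 dport=443 action=accept",
    "2003-03-10T02:14:08 fw src=203.0.113.7 dst=192.0.2.10 dport=1433 action=drop",
    "2003-03-13T23:40:11 fw src=203.0.113.7 dst=192.0.2.10 dport=22 action=drop",
    "2003-03-13T23:40:12 fw src=203.0.113.7 dst=192.0.2.10 dport=80 action=accept",
    "2003-03-13T23:40:12 fw src=203.0.113.7 dst=192.0.2.10 dport=3389 action=drop",
    "2003-03-13T23:40:13 fw src=203.0.113.7 dst=192.0.2.10 dport=8080 action=drop",
    # Zone-transfer attempt from a source the shared feed lists as a mass scanner.
    "2003-03-11T09:02:33 ids src=198.51.100.23 dst=192.0.2.53 dport=53 sig=DNS_ZONE_TRANSFER_ATTEMPT",
    # A Code Red style IIS overflow attempt (constructed signature name) against a
    # host that really runs a web server, and the same attempt against one that does not.
    "2003-03-12T14:20:01 ids src=198.51.100.77 dst=192.0.2.10 dport=80 sig=IIS_ISAPI_IDA_OVERFLOW",
    "2003-03-12T14:21:00 ids src=198.51.100.90 dst=192.0.2.20 dport=80 sig=IIS_ISAPI_IDA_OVERFLOW",
    # A single connection to the mail server: ordinary traffic, not a finding.
    "2003-03-12T16:00:00 fw src=198.51.100.5 dst=192.0.2.20 dport=25 action=accept",
]

# Constructed asset inventory: the TCP services each host actually exposes.
ASSET_SERVICES = {"192.0.2.10": {80, 443}, "192.0.2.20": {25}, "192.0.2.53": {53}}
# Constructed stand-in for a shared intelligence feed: sources seen scanning
# many other networks in the same period, i.e. opportunistic background noise.
COMMUNITY_SCANNERS = {"198.51.100.23", "198.51.100.90"}
RECON_SIGNATURES = {"DNS_ZONE_TRANSFER_ATTEMPT"}
SCAN_THRESHOLD = 4  # distinct ports, one source to one host in a day (assumed cut-off)


def parse_event(line):
    """Split one constructed log line into a dict with a typed time and port."""
    timestamp, sensor, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    event["sensor"] = sensor
    event["dport"] = int(event["dport"])
    return event


def triage(lines, services=ASSET_SERVICES, community=COMMUNITY_SCANNERS):
    """Correlate events per source and assign each source a kind and priority."""
    ports_by_day = defaultdict(set)  # (src, dst, day) -> distinct ports touched
    recon_days = defaultdict(set)    # src -> days on which it did reconnaissance
    exploits = defaultdict(list)     # src -> [(dst, dport, signature)]
    for event in map(parse_event, lines):
        day = event["time"].date()
        if event["sensor"] == "fw":
            ports_by_day[(event["src"], event["dst"], day)].add(event["dport"])
        elif event["sig"] in RECON_SIGNATURES:
            recon_days[event["src"]].add(day)
        else:
            exploits[event["src"]].append((event["dst"], event["dport"], event["sig"]))
    for (src, _dst, day), ports in ports_by_day.items():
        if len(ports) >= SCAN_THRESHOLD:  # a port sweep is reconnaissance
            recon_days[src].add(day)

    findings = {}
    for src in set(recon_days) | set(exploits):
        repeat = len(recon_days[src]) > 1
        targeted = src not in community  # heuristic: nobody else sees this source
        live = [e for e in exploits[src] if e[1] in services.get(e[0], set())]
        if live:
            kind, priority = "exploitation", "critical"
        elif exploits[src]:
            kind, priority = "exploitation", "low"  # aimed at a service we do not run
        elif repeat and targeted:
            kind, priority = "reconnaissance", "high"
        elif repeat or targeted:
            kind, priority = "reconnaissance", "medium"
        else:
            kind, priority = "reconnaissance", "background"
        findings[src] = {"kind": kind, "repeat": repeat,
                         "targeted": targeted, "priority": priority}
    return findings


def funnel(lines):
    """(raw events, sources that need a look, sources needing immediate action)."""
    findings = triage(lines)
    critical = sum(1 for f in findings.values() if f["priority"] == "critical")
    return len(lines), len(findings), critical


if __name__ == "__main__":
    for src, finding in triage(SAMPLE_EVENTS).items():
        print(src, finding)
    print("events / to review / critical:", funnel(SAMPLE_EVENTS))
```

Run as a script it prints one line per source and the funnel for the sample (14 raw events, four sources worth a look, one needing immediate action). The scan threshold, the 'nobody else sees it' heuristic for targeted attacks and the priority ladder are deliberately simple and are the knobs a real deployment would tune; what stays constant is that the asset inventory and the shared feed are what turn a flood of events into a short list.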



Time is of the essence

It is essential to have access to the attack information as events are occurring and when it is needed, rather than to read it in a quarterly report.

Information analysed from real-time data can provide attack trends and some basic indicators of what to expect in the future. Specific information – such as which vulnerabilities have the most exploits – is crucial when prioritising patches and can help with strategic network decisions. If the security manager knows that 85% of active attacks on a wide range of Internet gateways can be classed as 'reconnaissance', then that helps classify some of the attacks, or possible attacks, being seen on the company gateways. With this information, the security manager can build a picture of how often the reconnaissance attacks are taking place and perhaps even where they are coming from.
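Prioritising patches by exploit activity, as the paragraph above suggests, is a small calculation once the inputs are lined up. The Python below is an added example, not the article's or any vendor's method: it takes a constructed vulnerability report, the patches already recorded as installed on each host, asset criticality from the risk management plan and a per-vulnerability count of exploit activity from an intelligence feed (every identifier such as VULN-A, FIX-A and the host names, and every figure, is a placeholder), scores each host/vulnerability pair, and separates the ones that just need a patch from those the patch inventory says are already fixed (report and inventory disagree, so verify before spending time) and those for which no fix exists yet and only firewall or IDS mitigation is possible.

```python
"""Patch prioritisation: business impact times observed exploitation.

Added example, not from the article. Hosts, VULN-*/FIX-* identifiers and all
figures are constructed placeholders.
"""

# Constructed vulnerability scanner output: (host, vulnerability) pairs.
VULN_REPORT = [
    ("web-1", "VULN-A"), ("web-1", "VULN-B"), ("web-1", "VULN-D"),
    ("mail-1", "VULN-B"), ("dev-3", "VULN-A"), ("dev-3", "VULN-C"),
]
# Constructed patch inventory: fixes recorded as installed on each host.
PATCHES_INSTALLED = {"web-1": {"FIX-B"}, "mail-1": set(), "dev-3": set()}
# Which fix closes which vulnerability; VULN-D has no fix published yet.
FIX_FOR = {"VULN-A": "FIX-A", "VULN-B": "FIX-B", "VULN-C": "FIX-C"}
# Asset criticality from the risk management plan (3 = mission critical, 1 = low impact).
CRITICALITY = {"web-1": 3, "mail-1": 2, "dev-3": 1}
# Exploit attempts per vulnerability seen by the intelligence feed over the last month.
EXPLOIT_ACTIVITY = {"VULN-A": 120, "VULN-B": 15, "VULN-C": 0, "VULN-D": 40}


def score(host, vuln, criticality=CRITICALITY, activity=EXPLOIT_ACTIVITY):
    """Business impact of the host times (1 + how often the feed sees the hole attacked).

    A hole nobody exploits on a low-value box scores 1; an actively exploited
    hole on a mission-critical box scores in the hundreds.
    """
    return criticality.get(host, 1) * (1 + activity.get(vuln, 0))


def action_for(host, vuln, installed=PATCHES_INSTALLED, fix_for=FIX_FOR):
    """What to do about one finding, cross-checked against the patch inventory."""
    fix = fix_for.get(vuln)
    if fix is None:
        return "mitigate"  # no patch yet: firewall/IDS rules, as with a blended threat
    if fix in installed.get(host, set()):
        return "verify"    # scanner and inventory disagree: stale scan or patch did not take
    return "patch"


def prioritise(report=VULN_REPORT):
    """Return (score, host, vuln, action) tuples, highest score first."""
    work = [(score(host, vuln), host, vuln, action_for(host, vuln)) for host, vuln in report]
    work.sort(key=lambda item: (-item[0], item[1], item[2]))
    return work


if __name__ == "__main__":
    for points, host, vuln, action in prioritise():
        print(f"{points:5d}  {host:7s} {vuln:7s} {action}")
```

On the sample data the mission-critical web server's actively exploited hole comes first, the unpatchable one on the same box second, and the unexploited hole on the development box last; the 'verify' entry is the one most teams skip over, and it is exactly where a stale scan or a failed patch hides.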

In the connected world it’s impossibleto exist in secure isolation. As soon as youconnect to the Internet, everyone on theInternet is connected to you. Whetherthey are hackers, suppliers or even customers, they can all pose a significantsecurity risk if not managed appropriately.

The time it takes for exploits and malicious code to travel across the global network is reducing all the time. Experts estimate that it took just 15 minutes for the recent Slammer worm to infect virtually all of the vulnerable systems reachable on the Internet. An early alert process that gives administrators crucial minutes to protect their own systems is vital against this kind of attack.

Slammer was an exception in its rapid spread. Most malicious code tends to 'follow the sun', infecting systems as each business day begins. But knowing, for example, that systems in Australia are being infected with a new virus gives a security manager in Europe a few hours to react and configure security systems before their own network users reach the office and start opening emails from strangers. Being part of a global community, sharing security intelligence and receiving early alerts for rapid reaction, will help to reduce the amount of malicious code and effective exploits circulating on the Internet. The broader and more educated the community, the better the information it contains.

One way to be part of such a community is by choosing a global security partner. Companies can benefit from the information gathered and analysed from across the world by experts, and anonymously circulated to the rest of the group in real time. Other ways are to subscribe to vulnerability and alert databases such as SecurityFocus (www.securityfocus.com), where security managers can choose from a range of free and subscription-based information feeds relevant to their general or bespoke needs.

Protection from within

Alerts and information need not only come from outside an organization. One important part of protecting against malicious code attacks is the education of all computer users. The IT department should be reaching out to the rest of the organization and empowering everyone with computer access to play their part in enforcing the security policy.

Social engineering is still the preferred method for most hackers and virus authors to gain access to corporate networks, and the IT department can work to prevent this type of activity and the successful duping of employees. Building company-wide awareness of the impact of computer use is one of the most important and immediately beneficial aspects of protecting an organization. Most employees do not want to expose their business systems to threats. Given the right education and ongoing awareness programme, they can respond effectively to reduce risk and be aware of the impact of their actions.

Prevention better, and less costly, than cure

By understanding and knowing how to use their own – and others' – security information, IT departments can focus their resources on attack prevention. By making the best use of proactive intelligence and response, companies can deploy specific countermeasures to help prevent threats affecting their networks. They can also eliminate the hours spent searching through hundreds of websites and emails to gather information. In this way, companies maximise their IT resources, while keeping operations running smoothly.

Having access to good security information will enable the security manager to make strategic decisions about business-critical applications. Making decisions that are supported by good data will also enable the security manager to justify expenditure within the IT department and enable board members to understand the environment and requests for additional funding in this critical area of business protection.

Effective intelligence and the resulting action benefit the bottom line. The ability to gather and act on large amounts of security information in real time not only reduces risk, but also maximises return on investment (ROI) from security products by targeting resources only where they are truly needed.

While the amount of data available to a security manager these days is virtually unmanageable, targeted deployment of the right tools, training and, where necessary, external services, will provide early and complete protection against cyber threats. Security managers need to make sure that they are immediately informed of vulnerabilities as they are discovered, and in such a way that enables them to take action in a timely manner. An intelligent early warning system will not only be of use to their own networks but could be of global significance, and provide advance warning of new malicious code or vulnerabilities and their effects on the Internet community at large.
