
The Information Security Forum has defined a portable storage device (PSD) as any compact device with read/write storage capabilities that can be connected to a computer. Typical examples include USB memory sticks, external hard disks and portable media players. PSDs themselves can be classified into three different types:

1. Integrated storage devices where storage media and read/write components are housed within a single integrated unit such as external hard disks

2. Personal electronic devices with data storage capabilities such as digital cameras or portable media players

3. Storage devices with separate removable media such as CD/DVD writers or zip disk systems.

A recent survey of Information Security Forum members indicated that a significant proportion of employees used some form of PSD. Members revealed that almost 40% of their employees used PSDs for transferring data between physical locations (such as home to office) and approximately 20% used them to exchange data with clients or business partners. The proliferation of PSDs has resulted in many employees personally owning such devices, but also using them for work - despite the devices never having been issued by the organization.

It is not hard to see why these devices have become so popular. PSDs offer a range of advantages: they are easy to use; capable of storing large amounts of data; can transfer data quickly; and often

XSS VIRUSES

Prevention
A common preventative to viral infection is a network level firewall. As HTTP/HTTPS protocols are afforded unfettered access through common firewall configurations, these firewall barriers are ineffectual. A potential remedy to this is an application firewall with the filtering of appropriate XSS virus signatures. However, this method too will be ineffectual (on the client side) when HTTPS is the protocol used. Whilst unlikely, the most obvious way to prevent XSS viruses is to remove XSS vulnerabilities from web applications.
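As an added illustration of that last point (removing the vulnerability rather than filtering for it at a firewall), the following Python is not code from the article or from the site it discusses. It renders a constructed user profile twice: once by concatenating the submitted fields straight into markup, and once by encoding each field for the HTML context it lands in. The profile fields, the `safe_url` rule and the `contains_script_tag` check are all assumptions made for this example.

```python
"""Output encoding for user-supplied profile content.

Added example, not code from the article or from the site it discusses. It
contrasts a render function that concatenates untrusted fields into markup
with one that encodes each field for the HTML context it is written into,
which is what "removing the XSS vulnerability" amounts to in practice.
"""
import html

# Constructed profile submitted by a user: the display name carries markup
# and the homepage field is not an http(s) URL at all.
SAMPLE_PROFILE = {
    "display_name": "Samy <script>marker()</script>",
    "homepage": "javascript:marker()",
    "tagline": 'but most of all, "quotes" & <b>tags</b>',
}


def render_profile_unsafe(profile):
    """'Before' form: fields land in the page exactly as submitted."""
    return (
        f'<h1>{profile["display_name"]}</h1>'
        f'<a href="{profile["homepage"]}">home</a>'
        f'<p>{profile["tagline"]}</p>'
    )


def safe_url(url):
    """Attribute context: only http(s) links survive, and they are escaped so
    a quote inside the URL cannot close the href attribute."""
    if url.strip().lower().startswith(("http://", "https://")):
        return html.escape(url, quote=True)
    return "#"


def render_profile_safe(profile):
    """Hardened form: text content is HTML-escaped and the link goes through
    the URL check, so submitted markup is displayed as text, not executed."""
    return (
        f'<h1>{html.escape(profile["display_name"])}</h1>'
        f'<a href="{safe_url(profile["homepage"])}">home</a>'
        f'<p>{html.escape(profile["tagline"])}</p>'
    )


def contains_script_tag(rendered):
    """Demo check only (not a sanitizer): does the markup contain a script element?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(SAMPLE_PROFILE))
    print("safe:  ", render_profile_safe(SAMPLE_PROFILE))
```

The point of the two functions is that the fix is applied where untrusted data meets markup, so it holds whether the request arrived over HTTP or HTTPS; in a real application the same encoding is normally done by a templating engine that escapes by default.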

Real-world Cross-Site Scripting viruses
All the discussion and theorizing is fine, but could this really happen on the web? It already has! MySpace is a community site which aims to help friends keep in contact and share resources. It has become one of the first casualties of cross-site scripting self-propagating code.

Last October, a somewhat “over-friendly” member of MySpace called ‘Samy’ used a cross-site scripting virus/worm to force other users to become his friend and add to their portfolio the phrase "but most of all, Samy is my hero." Of course, his new pals increased exponentially. In this bid to expand his buddy list and his popularity, he amassed in excess of 1 million new virtual friends! Samy has become so popular (in real life) that his fans can purchase ‘samy is my hero’ t-shirts. This is one of the first known cross-site scripting viruses to be discovered in the wild.


It is clear from the user’s own account the intentions were not malicious. However, shortly after Samy surpassed the 1 million friends mark, MySpace shut down for a couple of hours for maintenance. There were reports of inaccessible sections of the web application. When the service returned, the XSS vulnerability was patched.

Conclusion
A new relationship between cross-site scripting and the computer virus has irrevocably been forged. XSS viruses distinguish themselves from their conventional cousins through the requirement for a server-client symbiotic relationship, their use of HTTP and their platform independence.

The infectious nature of XSS viruses has been demonstrated in the wild. Even with a somewhat malign payload, the result of the MySpace XSS virus was to create a DoS attack forcing them to shut down for disinfection. MySpace should serve as a warning of the potential impact of XSS.

XSS viruses are changing the face of web application attacks. It is likely we have not heard the last from this new attack vector.

About the author
Wade Alcorn is a Senior Security Consultant, Next Generation Security Software. He has over 10 years experience in IT security. Within his role at NGS he provides security initiative consultancy for Fortune 500 companies and performs research into emerging threats. Prior to joining NGS, Wade was in the management team of one of London’s largest penetration testing teams.

PORTABLE STORAGE DEVICES

Securing portable storage devices
Ian Watson, Research Consultant, Information Security Forum

Recent research* shows that two thirds of IT professionals who use removable media at work admit they do not protect them with encryption. As the use of portable storage devices continues to infiltrate the boundaries of the organization, this article considers the threats that organizations may face as a result of their proliferation.

Network Security, July 2006, page 8

… feature additional functionality. All of this in a compact, lightweight, stylish and fashionable package. Adding to their ubiquity, the cost of ownership of these devices is declining at a phenomenal rate, in line with the cost of the technologies that they utilise.

What are the risks associated with PSDs?
Like many new technologies, the introduction of portable storage devices brings with it increased security risks.

One of the key issues organizations face is the continuing encroachment of personal PSDs into the enterprise. The fact that so many employees own devices for their personal use means there can be a reduction of management control over the flow of business and non-business information into and out of the enterprise.

Organizations can experience threat from malicious or detrimental activity as a result of PSD use. Users may connect PSDs to workplace computers without permission, bypassing security gateways and controls. As a medium for exchanging data, PSDs are also susceptible to malware from unsecured networks and in turn can be responsible for spreading that malware onto the corporate network.

PSDs may give rise to unauthorised behaviour by, for instance, encouraging the misuse of the corporate network for downloading copyrighted material for use with portable media players.

Due to the rapid proliferation of these devices, few PSDs have scalable security features that are compatible across a range of platforms. This lack of compatibility and availability of security features can act as an inhibitor in realising the potential benefits PSD use can have for organizations.

Although the use of PSDs in the workplace is new, many of the risks are not. Businesses have long used devices such as floppy disks which, although slower, more fragile and of limited capacity, have the same inherent risks. In many respects the PSD is the new floppy disk and, as a consequence, the solutions that can help to mitigate the risks remain largely unchanged - a combination of policy, management and technology.

How to address the risks
The Information Security Forum advocates a six step process to help protect organizations against possible breaches in security due to PSDs:

1. Understand PSD requirements

2. Carry out an information risk analysis

3. Determine the organization’s stance on business and personal use of PSDs

4. Develop and implement PSD policy and management procedures

5. Deploy PSD technical controls

6. Conduct periodic security audits of PSD use.

The process is fully described in the ISF report Securing Portable Storage Devices. Step 5 is expanded below:


Deploying PSD technical controls
Until recently organizations had little choice but to merely communicate their PSD policy to staff, and hope they were adhered to. Consequently many organizations are still heavily reliant upon the trustworthiness of their staff, and their awareness of the issues surrounding PSDs. Whilst many organizations have implemented a PSD policy, relatively few have implemented technical controls to manage PSD usage. Nonetheless there are a number of technical security measures that can be taken by organizations in order to exert a certain level of control and management over PSDs.

These technical controls can be deployed at three levels:

a. On the PSDs themselves
There are several emerging technical solutions for securing PSDs at device level. Individual devices can be encrypted and require a password in order to access the data. Some newer devices are also equipped with anti-virus functionality, and the ability to update signature files for new threats. Mechanisms even exist which erase the data on the PSD if the incorrect password is entered past a defined threshold.

b. On target devices to which the PSDs connect
Organizations can also take steps to ‘harden’ their target devices, such that they are less susceptible to potential breaches in security due to PSDs. These steps include:

• Implementing boot restrictions so that higher level operating system and application controls cannot be bypassed

• Ensuring there is a password restriction on boot settings so that other operating systems cannot be booted from external ports

• Terminating certain applications and operating system services to prevent unconventional use of PSDs

• Excluding certain device drivers from the corporate workstation build.

It is also necessary to ensure all corporate workstations are equipped with anti virus software, and that virus signatures are regularly updated.

Figure 1: ‘The culprits’

c. Through enterprise wide PSD management software
There are several scalable software solutions entering the market that allow organizations to limit access and use of PSDs to a high degree of granularity and at an enterprise level. Controls can be implemented to restrict a user’s ability to read from/write to a PSD, therefore limiting the threat from theft and introduction or modification of business data.

‘White’ and ‘black’ lists may also be defined in order to allow certain devices, but not others, to access corporate workstations. Some products even allow the administrator to block or allow devices on the basis of their model or serial number. An important feature of these products is the ability to monitor and log port usage of the workstations on the corporate network, and capture any malicious activity.
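The following Python is an added example, not code from the article or from any product it mentions, of the decision logic behind such a product: a hypothetical policy with an allow list by serial number, a deny list by model, a read-only user group and a default-deny action, evaluated over constructed connection events to produce the kind of port-usage audit log described above. The policy layout, device records, host and user names, vendors and serial numbers are all constructed for the example.

```python
"""Evaluate a PSD connection policy and produce a port-usage audit log.

Added example, not from the article or any product it names. The policy
layout, device records and events are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One PSD connection attempt as an endpoint agent might report it."""
    host: str
    user: str
    vendor: str
    model: str
    serial: str


# Hypothetical policy: unknown devices are denied by default, issued devices
# are allowed by serial number, one consumer model is blocked outright, and
# one user group may only read from devices.
POLICY = {
    "default": "deny",
    "allow_serials": {"ISF-ISSUED-0001", "ISF-ISSUED-0002"},
    "deny_models": {"MediaPlayer 3000"},
    "read_only_users": {"contractor1"},
}


def evaluate(device, policy=POLICY):
    """Return (decision, reason); decision is 'allow', 'read-only' or 'deny'.

    The deny list is checked first so that a blocked model cannot be
    re-admitted by adding its serial number to the allow list.
    """
    if device.model in policy["deny_models"]:
        return "deny", "model is on the deny list"
    if device.serial in policy["allow_serials"]:
        if device.user in policy["read_only_users"]:
            return "read-only", "serial allowed; user is restricted to read access"
        return "allow", "serial is on the allow list"
    return policy["default"], "device not on the allow list; default action applied"


def audit_line(timestamp, device, decision, reason):
    """Format one audit record in a key=value style that is easy to grep."""
    return (
        f"{timestamp} host={device.host} user={device.user} "
        f"vendor={device.vendor!r} model={device.model!r} "
        f"serial={device.serial} decision={decision} reason={reason!r}"
    )


def audit(events, policy=POLICY):
    """Evaluate every (timestamp, Device) event and return the audit lines."""
    return [audit_line(ts, dev, *evaluate(dev, policy)) for ts, dev in events]


def decision_counts(events, policy=POLICY):
    """Summarise decisions, e.g. as input to a periodic audit of PSD use."""
    counts = {}
    for _, dev in events:
        decision, _ = evaluate(dev, policy)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed connection events (hosts, users, vendors and serials are made up).
SAMPLE_EVENTS = [
    ("2006-07-10T09:14:02", Device("WS-0412", "jdoe", "ExampleCorp", "Stick 1GB", "ISF-ISSUED-0001")),
    ("2006-07-10T09:20:45", Device("WS-0412", "jdoe", "ConsumerCo", "MediaPlayer 3000", "PMP-77")),
    ("2006-07-10T10:02:11", Device("WS-0199", "contractor1", "ExampleCorp", "Stick 1GB", "ISF-ISSUED-0002")),
    ("2006-07-10T11:30:00", Device("WS-0731", "asmith", "Unknown", "USB DISK", "0000")),
    # Allowed serial on a denied model: the deny list must win.
    ("2006-07-10T12:00:00", Device("WS-0731", "asmith", "ConsumerCo", "MediaPlayer 3000", "ISF-ISSUED-0001")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
    print(decision_counts(SAMPLE_EVENTS))
```

Ordering the checks so that the deny list is consulted before the allow list is the design choice worth noting: it keeps a whitelisted serial number from overriding a model-level block, and every attempt, allowed or not, is written to the log so that an audit can reconstruct port usage per workstation and user.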

Looking to the future
Whilst many of the risks associated with PSDs are not new, the speed of adoption of these devices and their ubiquity inside the workplace, fuelled by consumer demand for growing device sophistication, are likely to generate a number of future technical challenges.

1. Dealing with malware
PSDs are likely to be equipped with more sophisticated and function-rich operating systems and applications in order to satisfy consumer demand for increased functionality and interoperability. Linked with devices’ increased functionality, the addition of more technology-driven features will lead to a convergence of devices with high specifications and shared protocols (e.g. smart phones sharing a common platform or small electronic devices installed with the Linux operating system).

Where use of high functionality devices becomes widespread, viruses or other malware may be developed to specifically attack these devices. (A recent example of this can be seen in the release of the Lasco worm specifically designed to infect smart-phones running the Symbian operating system).

2. Managing connectivity
The connection interfaces to PSDs will develop to accommodate the devices’ additional capabilities. They are likely to become easier to use and aid interoperability between PSDs and target devices. Not only will enhanced connection interfaces (such as USB 2.0) aid the speed of transfer from PSDs, but synchronisation with target devices will require less know-how, as true “plug and play” becomes reality.

Although many PSDs are aimed at the consumer market, they can connect easily into the corporate technical infrastructure, and users with a consumer mindset may well treat the corporate network as if it were their own.

3. The wireless revolution
Technology is becoming more ‘wireless’. Although additional ‘wired’ ports will no doubt evolve, these are at least physical. The increasing use of wireless ports on target devices removes the need for a potential attacker to be in close physical proximity to target devices.

The most noteworthy development is that offered by Ultra Wideband (UWB) technology. Intel is currently developing a Wireless USB (WUSB) interface technology which would allow high speed transfer of data (at speeds of up to 480 Mb/s) for peripheral devices, based on a common wireless platform.

While the high speed wireless transfer of data to and from PSDs raises additional potential security concerns, particularly relating to theft of data, some features of UWB technology do reduce the security risk including:

• random communication within a wide frequency spectrum in very short bursts, increasing the difficulty of capturing and deciphering the data

• performance drop-off with distance, reducing the risk of interception to only those in closest proximity

• use of time-shift and phase-shift modulation encryption techniques.

4. Evolving storage technologies
Storage technology is likely to improve, expanding the storage capacity of PSDs and increasing the potential for loss of high data volumes. For example, Holographic Storage will surpass current methods of optical storage, such as DVD technology, by storing information at high density inside crystals utilising the entire volume of the disk as opposed to just the surface.

The speed at which data can be transferred between devices will increase which, in conjunction with higher storage capacities, may aid an attacker seeking to steal larger quantities of business information. For example Magneto Resistive Random Access Memory (MRAM) technology is designed to bridge the gap between traditional memory, flash memory and hard disk. MRAM is six times faster than these mediums, but at this stage incapable of storing similar volumes of data.

Figure 2: Tackling the risk

Meeting the challenge
Whilst there are technical solutions to the management of PSDs, ranging from traffic-type monitoring, port auditing and specific PSD security management solutions, the challenge will be to introduce these technical solutions faster than the speed at which these devices are evolving.

To help to address ‘portable problems’ organizations should buy themselves some breathing space by adopting a process that sets a clear policy, helps to identify the true risk posed by PSDs, and addresses user behaviour.

* Pointsec survey Removable Media in the Workplace, carried out amongst 248 IT professionals at InfoSecurity, April 2006 in London.

The Information Security Forum (ISF) has produced a Future Watch report that provides an overview of the technology and security issues associated with portable storage devices. It also suggests an approach that Members can use for securing against the use of portable storage devices and concludes by considering future trends related to these devices. The report is available to ISF members, along with over 150 reports on information security issues (www.securityforum.org).

About the author
Ian Watson is a director and project associate at the ISF, a global not-for-profit Membership organization, which includes over half of the Fortune 100 companies as part of its 280+ membership. The ISF investigates topics of concern to its Members and shares good practice amongst them.

Survey exposes weaknesses

A survey carried out amongst 248 IT professionals by the mobile security firm Pointsec, at Infosecurity Europe 2006, showed that:

• Only around 20% of removable devices in the workplace are secured with passwords or encryption.

• On average 56% of employees are downloading corporate information onto their memory sticks, compared with 31% last year.

• 12% of organizations ban the use of removable media devices in the workplace.

• 65% of those surveyed were aware of the potential danger that removable media presents.

• The most popular use of memory sticks is to store corporate data such as contracts, proposals and other business documents with customer information coming in a close second. 22% used them to store their customers’ names and addresses, with others using them to store presentations, budgets and other documents.

IDENTITY MANAGEMENT

Unify and simplify: re-thinking identity management
Mike Small, Director, Security Management Strategy, CA

The increased scale of network access in today’s business environment has exceeded the original models for identity and access management. A new approach is required with the emphasis on managing from the business, rather than IT, perspective. This paper discusses unifying and simplifying the processes and technologies related to identity and access management.

20 years ago electronic identity was concerned with the management of mainframe user IDs and passwords. Now the growth of the Internet has opened up enterprise IT systems to access by customers and consumers as well as partners. Organizations are under pressure to become more flexible, reduce operational risk, and comply with regulations while managing costs and improving services. Security is a key factor in IT service delivery which supports these factors.

E-identity challenges

Inflexible infrastructure
Organizations often have an IT environment which has grown over time, leading to a number of challenges in the area of security. Security services are embedded into the logic of the individual platforms and applications, resulting in high maintenance costs and lack of flexibility. Each platform and application will typically have its own identity and privilege store, which needs to be separately maintained and updated. This embedded security model does not scale and does not support the flexibility needed. Application software maintenance becomes more difficult because of the lack of separation of business logic and security controls. The ability to respond to changing security requirements and regulations, like Sarbanes-Oxley, is also reduced because it is not possible to configure security independently.

Improving service
The processes for administering identity and access are often manual and do not provide a service that matches the demands of the business. With manual administration, it can take days to get access rights set up for a new hire or to change the access rights for an existing employee moving jobs. This is not an acceptable level of service and in some circumstances would breach compliance with regulations.

Managing operational risks
Operational risk covers aspects such as processes being vulnerable to theft, fraud,