Ten consequences of network blindness

Dominic Storey, Sourcefire

There are many forms of blindness, including perceptual or psychological forms where people fail to see what’s right in front of them. Many organisations have this disability when it comes to their networks, but the problem with this condition is that sufferers often don’t know they have it.


FEATURE

In his 1985 book, The Man Who Mistook His Wife For A Hat, the neurologist Oliver Sacks described a patient who went effectively blind without noticing it. In this strange but true story, the patient – Doctor P – was convinced there was nothing wrong with him, yet on leaving the doctor’s waiting room he grabbed his wife’s head, which he mistook for a hat stand holding his hat.

Doctor P was suffering from visual agnosia, the inability to make sense of visual stimuli, which, in his case, was caused by a tumour in the part of his brain that processed sight. In other words, he could see, but he couldn’t recognise common things. Given a glove, he was at a loss to identify it – he could see it only in fragments; he counted five small sacks connected to a bigger sack and surmised it was some kind of specialist bag.

It’s hard for us to imagine what it must be like to be ‘blind’ in this way. ‘Normal blindness’, sure: just put on a blindfold. But not to know you’re blind? That sounds almost impossible. Or is it?

Making sense of information

Just as with visual agnosia, many organisations don’t know they have network blindness. Network blindness might be defined as the inability to make sense of network information.

Imagine your eyes being replaced by network sensors and your brain by the IT department, and you get the picture. You might have some of the basics – statistics from your routers and switches, logs from your firewall. You might have some information from your Intrusion Detection System (IDS), if you have one. But it’s all rather fragmentary and – not knowing the full picture – it’s easy to jump to the wrong conclusions, or, worse still, not know there’s an issue in the first place.

Who can suffer from network blindness? There are many organisations that haven’t invested in awareness technologies such as intrusion prevention systems or vulnerability awareness systems. They often don’t even know that intrusion events are happening on their network.

They don’t know who is doing what to whom and with what, and whether it’s an ‘inside job’.

What are the consequences of such blindness? What can happen to an organisation that can’t assemble a comprehensive picture of what’s happening at the network level? Here’s a ‘Top Ten’ list of consequences.

“It is often the case that large sums of money are spent upgrading infrastructure without really addressing the core bottlenecks, resulting in no real gain from a user’s perspective”

Poor network performance: ‘the system’s so slow’

It is really frustrating for a project manager to hear users lambast the new system for being slow, especially when huge amounts of money have been spent on hardware and software. In many cases, performance issues are seated in the network, not in the servers. Without good network awareness, the ability to diagnose such problems is limited.

August 2010 Network Security 7

It is often the case that large sums of money are spent upgrading infrastructure without really addressing the core bottlenecks, resulting in no real gain from a user’s perspective.

External attack: ‘you’ve been hacked’

If you don’t know what’s happening at the network level, you won’t know who is attempting to come in through your network access points. You may be relying on your firewall to keep out the offenders but many smaller companies place too much faith in firewalls. They may restrict which services may be accessed over which ports, but most organisations have certain ports that have to be open, such as port 80 (web), port 443 (secure web) and port 25 (mail delivery). This is where intruders focus their efforts. For the majority of attacks other than denial of service, it’s as if the firewall wasn’t there at all.

Typically the attacker will scan a network looking for vulnerable hosts. Once he finds one, he will run exploit code against it and will have access to it via a root shell, often in seconds. Once he has this, he is king and the company is ‘owned’, for the attacker now has complete control of this machine. He will then use this machine as a jumping-off point to discover and launch attacks at other machines within this part of the network, often invisible to the outside.

Or perhaps the attacker doesn’t need to gain access to the machine at all. If it’s a web application server, he may be able to get all the information he needs by running a SQL injection attack against it, enabling him to gain access to a much larger section of the underlying application database (read: customer information) than he should be allowed to.

Don’t look a gift horse in the mouth

A favourite means of gaining access to people’s networks is the network trojan. This form of attack works just like in the fable – a user is enticed into downloading an application that says it does one thing but really installs remote control software on his or her machine, which now is under command of the attacker.

Once this happens, to all intents and purposes the machine is now owned and can be called upon at any time to do the attacker’s bidding. Often, the machine is used for spamming and performing distributed denial of service attacks against others. Such ‘zombie’ machines are usually part of a botnet group controlled by the attacker.

Typically, trojans will check in periodically at an Internet chat room, where they pick up instructions typed in the room. They then execute these instructions. The signature of a botnet can be fairly clear (inbound trojan code, outbound chat room access). What’s different about them compared with a direct attack is that the initial infection of the machine happens on the user’s home network and is brought into the corporate network next time he or she is in the office – perhaps via a laptop or other mobile device.
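As an added illustration (not code from the article or from Sourcefire), the following Python picks out the periodic check-in pattern described above from a constructed outbound connection log: it groups connections by source, destination and port, flags series whose inter-arrival times are regular, and notes when the destination port is one used by Internet chat. The log layout and the chat-port list are assumptions.

```python
"""Detect trojan 'check-in' beaconing in outbound flow records.

Added example, not from the original article. The flow records below are
constructed; the record layout (timestamp, src, dst, dport) is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection log: epoch seconds, internal source,
# external destination, destination port.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 6667),
    (1600, "10.0.0.5", "203.0.113.9", 6667),
    (2200, "10.0.0.5", "203.0.113.9", 6667),
    (2800, "10.0.0.5", "203.0.113.9", 6667),
    (3400, "10.0.0.5", "203.0.113.9", 6667),
    (1010, "10.0.0.7", "198.51.100.2", 443),
    (1500, "10.0.0.7", "198.51.100.2", 443),
    (4100, "10.0.0.7", "198.51.100.2", 443),
    (4150, "10.0.0.7", "198.51.100.2", 443),
    (1020, "10.0.0.9", "198.51.100.7", 80),
]

# Ports commonly used by Internet chat (IRC) channels; an assumption used
# only as a supporting hint, not as the primary signal.
CHAT_PORTS = {6667, 6697}


def find_beacons(flows, min_conns=4, max_cv=0.2):
    """Return (src, dst, dport, mean_interval, is_chat_port) for each
    connection series whose inter-arrival times are regular, i.e. whose
    coefficient of variation (stddev / mean) is at most max_cv.
    Regularity is the signal; a human browsing is bursty, a beacon is not."""
    series = defaultdict(list)
    for ts, src, dst, dport in flows:
        series[(src, dst, dport)].append(ts)
    hits = []
    for key, times in series.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*key, avg, key[2] in CHAT_PORTS))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval, chat in find_beacons(FLOWS):
        note = " (chat port)" if chat else ""
        print(f"{src} -> {dst}:{dport} every {interval:.0f}s{note}")
```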

Internal fraud

Like it or not, there could well be staff within your organisation who are up to no good. If your company is of any significant size, then the number and type of malefactors may even begin to approximate national crime statistics – and some analysts estimate that about 6.5 per cent of the US population has a criminal record.

Your staff are likely to have a great deal of access to internal systems and this may include access to payment-processing systems. Staff may commit fraud by siphoning company funds, by using customer credit cards, or by selling internal information to external buyers.

An example of this kind of fraud is one that is often committed by helpdesk staff – obtaining customer records and selling them on to your competitors. Or it may be much more catastrophic – think of the rogue traders Nick Leeson and Jerome Kerviel, the former causing the demise of the UK bank Barings and the latter mortally wounding the French bank Société Générale.

“Imagine the damage someone could do if they had the means to erase your customer database, or even worse, corrupt the data in such a way that you didn’t notice until it was too late”

Disgruntled employees and ex-employees

Staff who bear a grudge or people who have recently been fired or laid off can inflict huge damage on an organisation. Probably the best-known example of this happened in Queensland, Australia in 2001. A recently laid-off employee hacked into a sewage treatment plant over the company’s wireless LAN (he was in the car park using a laptop). Using known passwords, he hacked the system that controlled the plant, releasing over 250,000 gallons of raw sewage into nearby rivers and parks.

This individual (erroneously) thought that by creating a series of problems, he would be hired back to solve them. But imagine the damage someone could do if they had the means to erase your customer database, or even worse, corrupt the data in such a way that you didn’t notice until it was too late.

Abuse of network policy

Staff may often – knowingly or unknowingly – transgress your network policy. Your policy is there for a reason – usually to protect the company from unacceptable risk. For instance, you may have some staff with, shall we say, unconventional tastes? So it’s important to be aware that this may mean they are storing anything from pornography to bomb-making manuals on their machines.

If they are stupid enough to download this stuff at work (and some people are that stupid) then there’s a good chance that they have attracted the interest of the authorities – and that won’t look good for your company in the press.

Or it may not be as extreme as this – instead, you might simply have a social networking epidemic on your hands. For example, research sponsored by Morse shows how office workers’ use of Twitter and other social networking services is costing UK businesses £1.38bn a year in lost productivity. Or staff may be simply displaying unsuitable images on their terminals, causing distress to fellow workers, which may lead to legal actions against you.

Licence dodgers and peer-peer jockeys

IT departments typically supply staff with machines and software suitable for doing their job. Unfortunately, the opinion as to what software is suitable often differs between the IT department and staff, with the staff taking it into their own hands to install their own (often pirated) copies of software.

This software may vary from newer copies of Microsoft Office to Torrent downloaders for peer-peer sharing. Many people think nothing of sharing their collection of films, music and so on (very easy to do with iTunes, for example) and although much of the downloadable content from Apple and others is protected by DRM, there are many ripper utilities that enable people to create copies of their own DVDs.

Many of these activities may be illegal.

Configuration jamboree, VM sprawl

Closely related to licence dodging is the issue of VM sprawl. It’s easy (and free) to download many virtual machine environments and very easy to propagate entire operating systems and applications (they’re just files used by the VM). The VMs themselves may be legal and even the operating systems – but that doesn’t stop them being a security threat.

The real threat behind VMs is that they often operate outside the management domain of the IT department and therefore may not be patched or audited. People can leave them powered down for months at a time, then power them up for a specific task. The problem then shows itself – the virtual machines have missed months’ worth of patches and are often very vulnerable to threats in the network.

Another risk stems from the fact that most VMs have a snapshot facility that can save the state of a virtual machine so that it can be restored at a later date. While useful in a development environment, such snapshots also undo any security patches that have been applied since the snapshot was taken, again leaving a wide-open vulnerability.

One of the biggest issues with VMs is the false sense of security they can instil in their owners. Staff may believe they are secure, by having a fully patched or non-vulnerable host (for example a Macintosh), which is running an older, unpatched vulnerable VM (e.g., Windows XP). In reality, they are merrily propagating worms around their workplace through the VM, without even suspecting it.

Data leakage

Even well-meaning, honest staff may still cause unacceptable risk to your company by inadvertently leaking out confidential information. This often occurs via email, especially when people forward mails without thoroughly reading the forwarded content. Even if the mail is non-confidential, there can still be leakage – for example, the cc list of an email can provide an external recruiter with a bunch of names to head-hunt.

Other forms of inadvertent leakage may occur through simple misconfiguration – for example, an Internet banking server may be accidentally configured to respond to HTTP instead of just HTTPS. Nothing has failed, but customer confidential information will now be passed in the clear instead of being encrypted – a huge security hole.

Your liability

This brings us to the bottom line. Your company is liable and exposed in some way in all of the above scenarios. In not protecting your customer payment data, you fall foul of PCI regulations. In not protecting personal data (employee and customer) you fall foul of the Data Protection Act. In allowing peer-peer activity and other illegal software installations, you are opening yourself up to heavy fines and/or time in jail. When you really look at it, not having network visibility has so many downsides that going without it is simply not worth the risk.

So what should you do?

Simply, put an end to your blindness and learn to see. Implement a network-awareness system that is comprehensive and gives you an integrated picture of what’s happening on your network. For this, look at an Intrusion Prevention System (IPS) that is highly tuneable and gives you insight into why it is seeing events. Look for an IPS that has a low false-positive rate and the best detection capabilities (if it can’t detect, there’s not much point in having it). Check out impartial reviews for good IPS systems, such as those from NSS Labs and ICSA.

Next, ensure you have a good grasp of the systems in your network. Look at discovery systems. Passive systems (ones that don’t scan) have the advantage over scanners for speed of discovery and network stability.

Next, look at Network Behavioural Anomaly systems (NBA). These will find unusual activity on your network and can identify threats that your IPS does not have rules for yet.

Next, look at configuration management and enforcement systems to identify and lock down your systems against alteration.

Lastly, look for a system that is highly integrated, rather than lots of separate components from different suppliers. In doing so, you will reap the benefits of common management, a common operator interface and an integrated, comprehensive awareness system which will make a big difference in reducing your risk and lowering the cost of ownership for your business.
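As an added example, not the article’s or Sourcefire’s code, this Python shows what the passive discovery step above can yield: it builds a host and service inventory from constructed flow records without sending a single probe, and flags hosts that reappear after a long absence, which is how a virtual machine powered up after months without patches (the VM sprawl case earlier) first shows itself on the wire. The record layout, the lower-port-is-server heuristic and the 60-day threshold are assumptions.

```python
"""Passive host/service discovery and dormant-host detection from flows.

Added example, not from the original article. Flow records are constructed;
their layout (day, host_a, port_a, host_b, port_b) is an assumption.
"""
from collections import defaultdict

# Constructed flows: day number, initiating host, its port, peer host, peer port.
FLOWS = [
    (1, "10.0.0.5", 51000, "10.0.0.20", 445),
    (1, "10.0.0.7", 51001, "10.0.0.20", 445),
    (2, "10.0.0.5", 51002, "10.0.0.21", 80),
    (2, "10.0.0.30", 51003, "10.0.0.21", 80),
    (30, "10.0.0.7", 51004, "10.0.0.21", 80),
    (60, "10.0.0.5", 51005, "10.0.0.20", 445),
    (90, "10.0.0.7", 51006, "10.0.0.21", 443),
    (95, "10.0.0.30", 51007, "10.0.0.20", 445),  # 10.0.0.30 silent since day 2
]

DORMANT_DAYS = 60  # assumed gap beyond which a returning host merits review


def build_inventory(flows):
    """Return {host: {"first": day, "last": day, "services": set(ports)}}.
    Heuristic: the side using the lower (well-known) port is the server,
    so its port is recorded as an offered service. Nothing is scanned."""
    inv = defaultdict(lambda: {"first": None, "last": None, "services": set()})

    def seen(host, day):
        entry = inv[host]
        entry["first"] = day if entry["first"] is None else min(entry["first"], day)
        entry["last"] = day if entry["last"] is None else max(entry["last"], day)

    for day, a, aport, b, bport in flows:
        server, sport = (b, bport) if bport < aport else (a, aport)
        client = a if server == b else b
        seen(client, day)
        seen(server, day)
        inv[server]["services"].add(sport)
    return dict(inv)


def dormant_reappearances(flows, gap_days=DORMANT_DAYS):
    """Return sorted (host, gap) for hosts whose consecutive sightings are
    more than gap_days apart: a VM left powered down then brought back,
    missing months of patches, produces exactly this pattern."""
    sightings = defaultdict(set)
    for day, a, _, b, _ in flows:
        sightings[a].add(day)
        sightings[b].add(day)
    flagged = []
    for host, days in sightings.items():
        ordered = sorted(days)
        gaps = [q - p for p, q in zip(ordered, ordered[1:]) if q - p > gap_days]
        if gaps:
            flagged.append((host, gaps[-1]))
    return sorted(flagged)
```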

About the author

Dominic Storey is the EMEA technical director for Sourcefire. He has a strong background in IT, with experience in enterprise networking, computer security, Unix systems, software development and support. He also has extensive experience in sales and marketing. Storey joined Sourcefire in 2003, coming from RSA Security, where he held the post of director of technology in both Europe and the US. He trained as a plasma physicist at the Atomic Energy Authority, UK, specialising in nuclear fusion research.
