A recent survey by the FBI found that dealing with viruses, spyware, and other
computer-related crimes cost US businesses $67.2 bn last year. By comparison,
the survey report says, telecommunication fraud losses were about $1 bn. Last
year the profits of the cyber hacking industry exceeded those of the illegal
drugs industry.
While viruses, worms, and botnets remain the popular tools of a hacker's
trade, they are now being used to far more devastating effect.
THE THREATS
That viruses, worms, spyware, spam, etc are threats is now accepted by all.
What is new is the purpose they are being put to. The hacker today is
interested in all the information that the enterprise network and its end
terminals hold. Therefore, besides virus attacks, unauthorized use of network
resources is also one of the biggest threats for enterprises.
Probing Attacks: With all the old tools (viruses, worms, Trojans, etc) the
hackers are now trying to find entry points into the network.
Firewalls are today one of the most popular pieces of network security
equipment being deployed, and to good effect too. One of the effects has been
that hackers are now looking to attack the network from within. This does not
mean that interest in network attacks is going down; probing for unprotected
ports remains a popular activity for hackers.
EXPERTS PANEL: A Prasad Babu, SE
The probing could be tried in many ways. Today the hackers need not bother
to hack into a network with cleverly written malware. All they have to do is
find an end terminal that is less secure than the network it is in, and use it
as a bot to launch the attack on the network from within. This weakness
could come from outdated patches or antivirus definitions. The attack does not
even have to be a DoS; the hacker may simply be interested in theft of identities
or business information. Such attacks need not cause system-wide disruption, and
many of them may go unnoticed. However, the damage they cause to the business,
if not the network, can be as devastating as a total system shutdown. They
attack the business as a whole, of which the network is only a small part.
Another way of gaining entry into a network is through mobile end
terminals such as laptops. If a laptop can be infected when outside the secure
corporate network, there is a possibility that it could act as a bot from inside
the network.
It is true that this type of hacking is targeted at the big enterprises,
but the SMBs are not safe either. It is a lot harder to get into large
enterprises, so the hacker can still stay in business by stealing from small
enterprises: they too have customer databases that can be hacked, identities
that can be stolen, and an IT infrastructure that can in effect become a bot of
the hacker.
Organizations need to take proactive steps both to curb these attacks and to
minimize the damage from them. The hackers can keep modifying their malicious
code, use a botnet to launch the attacks, and keep discovering newer
vulnerabilities, sometimes even before the security companies can.
Hackers today have moved beyond ICMP probes (ping sweeps) and are looking at
any open service port, such as SMTP (TCP 25), FTP (TCP 21), and so on.
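What such probing looks like from the defender's side is easiest to see in the firewall logs: one source touching many different ports on one host within a few seconds. The following is an added example, written for this article rather than taken from any product or vendor; the log format and the log lines are constructed, and the one-minute window and five-port threshold are assumptions a network team would tune for its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from any real device or incident), in a
# simple "timestamp ACTION PROTO src:sport -> dst:dport" form.
SAMPLE_LOG = """\
2006-03-01T10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:21
2006-03-01T10:00:01 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:22
2006-03-01T10:00:02 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:23
2006-03-01T10:00:02 ALLOW TCP 203.0.113.7:40004 -> 192.0.2.10:25
2006-03-01T10:00:03 ALLOW TCP 203.0.113.7:40005 -> 192.0.2.10:80
2006-03-01T10:00:03 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:110
2006-03-01T10:00:04 DENY TCP 203.0.113.7:40007 -> 192.0.2.10:139
2006-03-01T10:00:04 DENY TCP 203.0.113.7:40008 -> 192.0.2.10:445
2006-03-01T10:00:05 ALLOW TCP 198.51.100.4:51000 -> 192.0.2.10:80
2006-03-01T10:00:06 ALLOW TCP 198.51.100.4:51001 -> 192.0.2.10:80
2006-03-01T10:05:00 ALLOW TCP 198.51.100.4:51002 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events

def detect_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Flag (src, dst) pairs where one source touches >= min_ports distinct
    destination ports on one host inside a sliding time window. ALLOWed hits
    count too: a scanner is looking for the open ports, not the closed ones."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The second source in the sample only ever talks to ports 80 and 443, which is what a normal client does, so it is not flagged; the first one walks through eight services in four seconds and is. The point for the network manager is that a rule like this works on any log that names source, destination and port, whether or not the firewall vendor sells it as a feature.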
Speed Matters: The Nimda worm exploited a vulnerability that was more than
300 days old; in practice the attack should never have been successful.
Enterprises were simply too slow in patching. Today, a virus is ready almost
the moment a vulnerability is published. It is a literal race between the
hackers and the security administrators as soon as a vulnerability becomes
known. Even if the enterprises and their security service managers consistently
act with speed, they only have to miss once and the hacker is upon them.
Sometimes, as happened with the Windows Meta File (WMF) exploit, hackers
discover a vulnerability on their own and sell it to the underworld. This
actually happened, and the vulnerability in question was reportedly sold to at
least one spammer for $4,000.
Spoil Sports: Malware has the potential to devastate the best-laid business
plans of the emerging broadband service providers. IP enables the service
providers to oversubscribe their services, knowing full well that not everybody
will be using the bandwidth to full capacity all the time. But with constant
probing attacks and spam floating around in the networks, any spare capacity
is simply wasted. The service provider loses because bandwidth that could
have been a revenue generator is instead serving the commands of a hacker. The
customers lose out because it is their computer that is sending the malicious
traffic, having become a bot. And they may even have to pay for this spurious
traffic, because the billing software of the service provider will not
differentiate between genuine and spurious traffic.
Everybody in the business of IT knows that technology does not matter,
applications do. The hacker understands this too, and is today putting the same
old technologies to newer uses.
So, while DoS remains a threat for an enterprise network, along with the cost
of network recovery the enterprise now also has to contend with the costs of
business recovery. A DoS may shut down a corporate network for two days; even
after recovering from the network attack, the enterprise might find that its
customer database/profiles have been tampered with, or quite simply
clandestinely copied and sold to competitors or, worse still, made public.
DEPLOYMENTS
Firewalls have remained the most popular. As always, most enterprises are
using them for perimeter security. An enterprise may want to give its database
of customers a little more protection than just a few firewalls. For this it
would deploy protection not only against threats from outside the network, but
also against unauthorized users within the network. There is now also an
increasing emphasis on endpoint security, so antivirus/antispyware tools are
receiving renewed interest.
IDS systems have also been deployed to protect critical parts of the
network's resources.
Network elements with DoS prevention capabilities and the capability to
filter traffic are also gaining attention, for example the unicast reverse path
forwarding (uRPF) feature. With this, when the router receives a packet on an
interface, it looks up the packet's source address in its routing table and
checks that the route back to that source points out of the very interface the
packet arrived on (strict mode), or at least that some route to that source
exists (loose mode). In other words, it checks whether the traffic really comes
from where it claims to come from, which is how it catches spoofed IP
addresses. This functionality is today an integral part of most RFPs. The
router can also rate-limit traffic, so that one person is not able to do a ping
of death against the router, and it remains available to the other users.
These features protect the service providers' own infrastructure as well
as the subscribers, as users cannot spoof addresses even unknowingly: a Trojan
sitting on a laptop or a bot may spoof the source IP address and send out the
attack without the subscriber's knowledge. These capabilities stop the spoofed
traffic at the source itself, so the threat does not spread in the network.
For large organizations and data centers, the concept of layered or
redundant security still holds good. However, as businesses grow, there is now
also a need to network the branch offices and obviously to give them some
protection. SMBs are also major users of security services. These segments may
not want datacenter-level security, and may not even have the expertise to
manage an ensemble of point solutions. With them, therefore, unified threat
management (UTM) single-box solutions are the current favourites. These
solutions focus on securing the LAN and ensuring that every resource on the
network is safe enough to use the network.
However, the traditional security apparatus remains a reactive system; it
needs pattern files and signatures of the malware to be able to do its job. The
new interest of the vendor community is in proactive tools such as IPS. These
tools have been available for some time now, but are yet to catch the fancy of
the customers.
Focus till now has been on ensuring a working network. The need for ensuring
the security of the information on that network has not received the same
attention.
One reason could be that many high-profile attacks have not happened. A lot
of attacking and theft of information may well be happening, but its impact has
not been very drastic. That is one of the reasons the pain has not been felt at
that level. Spamming and virus activity have been more painful in terms of
bringing down servers and desktops, so most of the investment has gone there.
People are more focused on hosts: the servers and the desktops. Security of
information is still not at the forefront. The next step in security is likely
to be the stopping of threats before they hit the host. That is where IPS comes
in.
These are inline, traffic-level security measures. With an IDS, when an
alarm is received, it has to be investigated; the IDS itself would not stop the
attack. An IPS, sitting inline, can drop spurious packets (according to the
policies configured in it) as they hit the network and then also raise an alarm.
While vendors give out many success stories of such proactive solutions
running successfully without any patch management (an IPS is not a substitute
for patching), most experts recommend that for now it is better to go with
tools that combine reactive and proactive approaches.
Another driver for deployments is going to be articles such as this one and
the security vendors themselves. Both will likely create awareness (if not a
fear psychosis) among the user community about the threats and their effects.
But enterprise users must use their judgment to evaluate whether the cost of
preventing a threat is going to be greater than the cost of the threat itself.
If that is true, let the hacker have his ego trip. His nuisance value to the
business is no more than the coffee machine running out of milk powder.
Drivers: Two kinds of regulatory drivers have driven the deployment of
security measures. For the BFSI sector, the requirements have largely come from
government regulation. For the IT/ITeS sector, the pressure has come from
customers. While the networks are of very high worth to both these sectors,
their adoption of outsourcing is very different. While some of the banks are
open to outsourcing, IT companies are unlikely to adopt it, due to their
customers' fears of involving too many third-party players.
For other sectors, awareness of the threats is the main driver of adoption
of security measures.
Limited skill sets to manage growing networks is also a driver for new
deployments such as UTM. This factor is also fuelling the managed security
services business. Another possible cause could be that churn among IT staff is
high, and in some otherwise stable enterprises this churn could be many times
that among the employees in the core functions of the business.
REACTIVE VERSUS PROACTIVE
The speed at which new exploits are being discovered is making traditional
security management expensive and unwieldy. The buzzword with equipment vendors
and service providers now is proactive. Interestingly, there are various
interpretations of this word. The important thing is that there is no escaping
it.
From a vendor point of view, proactive technologies encompass automated
systems that work by analyzing the behavior of the malware. With freely
available hacker tools (some of them even come with a GUI) and a host of
packers and compression formats, the hacker no longer has to write the entire
program. A virus wrapped in a new packer looks different on disk and on the
wire, and no longer matches its old byte signature. Thus old viruses can be
reused, and they are being reused. With each reuse the signature of the virus
is altered and the network has to face the fury of the same old virus in a new
avatar.
Instead of working with signature and pattern files, the new proactive
technologies are built around anomaly- and behavior-based detection.
One of these technologies is the intrusion prevention system. These systems
are basically intelligent (though not necessarily equipped with artificial
intelligence) and function as automatic network administrators, inspecting
packets and forwarding or dropping them as per their policies.
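The difference between a signature engine and a proactive one is easiest to show on a concrete sample. The block below is an added example for this article, not code from any antivirus or IPS vendor: the "known malicious body" is a harmless constructed byte string standing in for a known sample, the `PK01` container is a made-up stand-in for a packer, and the entropy threshold of 4.0 bits per byte is an assumed tuning value. It shows the same body defeating the static signature once it is repacked, and two proactive checks (unpack-then-rescan, and an entropy heuristic) catching it anyway.

```python
import zlib
from collections import Counter
from math import log2

# Constructed stand-in for a known malicious body: a NOP sled followed by a
# distinctive byte pattern. Not a real exploit; it exists only so the
# signature engine has something to match.
KNOWN_BODY = b"\x90" * 64 + bytes(range(0x41, 0x55))

# The "pattern file" a reactive engine ships: fixed byte strings.
SIGNATURES = {"demo.sled": b"\x90" * 8 + b"ABCD"}

def signature_match(sample, signatures=SIGNATURES):
    """Reactive check: does any known byte pattern occur in the sample?"""
    return [name for name, sig in signatures.items() if sig in sample]

def repack(body):
    """Re-wrap the same body in a new container, as an attacker does with a packer.
    The 'PK01' marker is invented for this example."""
    return b"PK01" + zlib.compress(body)

def unpack(sample):
    """Recognise the container and restore the original bytes; otherwise return as-is."""
    if sample.startswith(b"PK01"):
        try:
            return zlib.decompress(sample[4:])
        except zlib.error:
            return sample
    return sample

def entropy_bits(data):
    """Shannon entropy in bits per byte; packed or encrypted content scores high."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())

def scan(sample, entropy_threshold=4.0):
    """Reactive first, then proactive: static signature, unpack-and-rescan,
    and finally an anomaly heuristic on the raw bytes."""
    hits = signature_match(sample)
    if hits:
        return "signature:" + hits[0]
    inner = unpack(sample)
    if inner is not sample:
        inner_hits = signature_match(inner)
        if inner_hits:
            return "unpacked-signature:" + inner_hits[0]
    if entropy_bits(sample) > entropy_threshold:
        return "suspicious-entropy"
    return "clean"

if __name__ == "__main__":
    packed = repack(KNOWN_BODY)
    print("original :", scan(KNOWN_BODY), f"(entropy {entropy_bits(KNOWN_BODY):.2f})")
    print("repacked :", scan(packed), f"(entropy {entropy_bits(packed):.2f})")
    print("benign   :", scan(b"hello world"))
```

The repacked sample contains none of the bytes the signature looks for, which is exactly why the same old virus in a new avatar slips past pattern files. The unpack step is what vendors mean by looking at behavior rather than bytes: the engine has to see what the sample turns into, not what it looks like at rest. The entropy check is the cruder anomaly signal a gateway can apply even when it does not recognise the packer at all, at the cost of false positives on legitimately compressed or encrypted files.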
THE WEAKEST LINK
Tools and technologies can protect to an extent, but users within
enterprises need to be disciplined in using the IT resources, including
bandwidth, that are in place to achieve the business objectives. Technology
can ensure that outside factors don't adversely affect the availability of
network resources, but 'misuse' of these resources by users can have as bad
an impact on the network as a DoS. Policies for use of IT resources may even
require a change in people's habits, and no tool or technology can take their
place.
Sensitizing the employees to use the network safely has been one area
where most enterprises are still trying to find their bearings. Mundane posters
have been the best efforts till now.
In any organization, e-mail security is a basic requirement: 'Don't
open unauthorized mails.' One of the services available today is tracking of
behavioral patterns within an organization to check the awareness of
employees. It checks how many people are adhering to the company's security
policies, eg, not opening a certain type of attachment. A tool sends a mock
virus to the end terminals, and it helps track the state of awareness
department-wise and user-wise. This can be followed by more targeted
awareness/education of those sets of employees.
However, because of the probable effects of these measures on other
aspects of the business, such as HR (employee motivation/disgruntlement), they
are only taken after explicit permission from the company's top bosses.
Involving the top bosses could emerge as a best practice, because these
measures must be undertaken after a careful evaluation of the nature of the
business, if not a cost and benefit analysis.
LESSONS FROM LAST YEAR
Last year, the Zotob worm (which exploited the Windows Plug and Play
vulnerability, MS05-039, over TCP port 445) made a lot of headlines, in part
because it affected the servers and networks at many mass media organizations
worldwide. The tools used against it were mainly anti-spamming tools. At the
second level, IPS was used, triggered by certain words in the email: if the
mail contained those words, it was dropped. That protected the network. These
emails could not be stopped by the email filters, partly because they were not
coming from one email address and secondly because the spam was coming from
addresses that the enterprises used legitimately. The attack was high profile,
and drove the business of anti-spamming tools to a great extent.
Anti-spamming tools reside on the server and the gateway, as the idea
behind them is to prevent the threat from reaching the desktops. These
applications monitor all emails and, according to their policies, any
spurious email can be dropped or quarantined. They can also send a message to
the user on how the email can be accessed or how it was processed.
The measures taken to overcome that attack were successful, and after that
no attack was as successful. Enterprise network managers were able to respond
to attacks in very short time periods and secure their networks.
Enterprises also learnt a lot about the attacks and the tools available to
protect their networks. But it must be understood that any tool or technology is
only as successful as its implementation. Just having an anti-spamming tool or
IPS is not enough. These devices can (it is always possible) fail to protect
against new or unknown attacks. The important thing is not just to stop the
attack, but also how quickly the spread of that attack can be checked. The
tools are only as effective as the policies configured on them. So, if there
are certain file extensions that a business does not normally use, those could
be built into the list of denied extensions, so that such attachments are
blocked proactively.
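The attachment policy just described is a few lines of logic once the mail is parsed, and the two ways attackers routinely get around a naive version of it (a double extension like invoice.pdf.EXE, and an executable renamed to a harmless extension) are worth handling explicitly. The following is an added example written for this article, not the configuration of any mail gateway product: the deny-list is an assumed starting point a business would adjust to what it actually uses, and the three messages are constructed test data built by a small helper.

```python
import email
from email import policy

# Assumed policy: extensions this business never sends or receives legitimately.
DENY_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js"}

def build_msg(filename, b64_payload):
    """Build a constructed two-part message carrying one attachment (test data only)."""
    return (
        "From: alice@example.com\nTo: bob@example.com\nSubject: test\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/plain\n\nPlease see attached.\n"
        f"--b1\nContent-Type: application/octet-stream; name=\"{filename}\"\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\n"
        "Content-Transfer-Encoding: base64\n\n"
        f"{b64_payload}\n--b1--\n"
    ).encode()

CLEAN_MSG = build_msg("q1.pdf", "JVBERi0xLjQ=")                # decodes to "%PDF-1.4"
DOUBLE_EXT_MSG = build_msg("invoice.pdf.EXE", "TVqQAAMAAAAE")  # decodes to an "MZ" header
RENAMED_MSG = build_msg("report.pdf", "TVqQAAMAAAAE")          # executable under a pdf name

def attachments(raw):
    """Yield (filename, decoded_bytes) for every part that carries a filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""

def offending_extension(filename):
    """Return the denied extension, or None. Trailing spaces and case are
    normalised, and only the final component counts, so 'invoice.pdf.EXE'
    is judged as 'exe', not 'pdf'."""
    ext = filename.strip().rsplit(".", 1)[-1].strip().lower()
    return ext if ext in DENY_EXTENSIONS else None

def looks_like_windows_executable(data):
    """PE/DOS executables start with the two bytes 'MZ' regardless of filename."""
    return data[:2] == b"MZ"

def mail_verdict(raw):
    """Apply the policy to one message: quarantine on the first offending attachment."""
    for name, data in attachments(raw):
        ext = offending_extension(name)
        if ext:
            return ("quarantine", name, f"denied extension .{ext}")
        if looks_like_windows_executable(data):
            return ("quarantine", name, "executable content under a harmless name")
    return ("deliver", None, None)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MSG), ("double-ext", DOUBLE_EXT_MSG), ("renamed", RENAMED_MSG)):
        print(f"{label:>10}: {mail_verdict(raw)}")
```

The extension list is the part the article says must be tuned to the business; the content check is what makes the policy hold when the name lies. A gateway that does only the first would deliver the third message.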
Outsourcing of security management: This is emerging as a growing business,
but it is still not a hot favorite. Two interesting observations about this
emerging trend have been made. The major SLA terms are response times and
resolution times. The measurables in the deals and SLAs were very different for
different customers, sometimes even in the same industry or geography. The
service providers did a due diligence to find a base level from which they
could assure that fewer than that number of attacks would take place the next
year. This base number would vary from enterprise to enterprise. The service
providers were measured on how they responded to queries and how fast they
resolved problems. The security support for these activities was usually
classified on the basis of geography (class A, B or C city) and also the kind
of transactions that each remote branch did. Another interesting trend was that
enterprises did not go for this 'fewer than x attacks' clause in their SLAs.
They simply required their service provider to perform specified actions in a
specified period of time. As long as those actions (such as daily patch
updates) were performed, the security service provider was not to be penalized
even if an attack or a breach was successful. Pricing is always a factor.
NEW CHALLENGES
The next big wave of network deployments is likely to come from VoIP
networks. Currently these networks are relatively safe, as their numbers are
small, but as they grow in popularity, hackers, like everybody else, are likely
to be attracted to them.
Thus the current practice of treating VoIP as just another application will
need to be refined and upgraded. With or without security, it is important to
note that latency matters: ITU-T Recommendation G.114 treats one-way delay of
up to 150 ms as acceptable for most applications, 150 to 400 ms as acceptable
only where the impact on the call is understood and accepted, and anything
above 400 ms as unacceptable. Every inline security device eats into that
budget.
While firewalls of today are doing a good job of protecting networks,
firewalls for VoIP will need application-level gateways for protocols like
SIP or H.323. These special requirements crop up because these protocols use
more than one port in a session (signaling on one, media on ports negotiated
dynamically within the call) and because VoIP packets are extremely small. A
VoIP packet is one of the smallest packets in IP and presents some very unique
challenges to network security equipment.
When vendors talk about the capability of their devices, they give the
capability of the firewall in terms of throughput. But this throughput is
calculated on the basis of packets that are much larger than a VoIP packet,
which is typically only a couple of hundred bytes (about 200 bytes for G.711 at
20 ms packetization, including the IP, UDP and RTP headers). A firewall's work
per packet (header parsing, state lookup, policy match) is largely independent
of packet size, and an IPS that inspects payloads adds to it. So, if the packet
size is small, a much larger number of packets, and hence much more inspection
work, is needed to move the same amount of data. However, throughput is also
important, as the firewall still has to pass along large volumes of data to
deliver the voice application. The enterprise customer must understand the
relationship between packets per second and throughput, and ensure that when
they go for equipment such as a firewall or IPS, they look at devices that can
give consistent performance across packets of any size.
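The packets-per-second arithmetic above is worth doing once with real codec numbers. The block below is an added example for this article, not a vendor's sizing tool: the codec payload sizes and the 40-byte IP/UDP/RTP header overhead are standard values, while the 1 Gbps rating at 1500-byte packets is a constructed datasheet figure used to show how much of it survives at VoIP packet sizes.

```python
# Well-known codec parameters: payload bytes per packet at the usual 20 ms
# packetization interval. IP (20) + UDP (8) + RTP (12) headers add 40 bytes.
CODECS = {
    "G.711": {"payload_bytes": 160, "interval_ms": 20},  # 64 kbit/s
    "G.729": {"payload_bytes": 20, "interval_ms": 20},   # 8 kbit/s
}
IP_UDP_RTP_HEADER_BYTES = 40

def voip_packet_bytes(codec):
    """Size of one media packet at the IP layer."""
    return CODECS[codec]["payload_bytes"] + IP_UDP_RTP_HEADER_BYTES

def pps_per_call(codec):
    """Packets per second for one direction of a call (one packet per interval)."""
    return 1000 // CODECS[codec]["interval_ms"]

def pps_capacity(rated_mbps, rated_packet_bytes):
    """Convert a throughput rating measured at one packet size into the packet
    rate the device was actually demonstrated to sustain."""
    return rated_mbps * 1_000_000 / (rated_packet_bytes * 8)

def effective_mbps(pps, packet_bytes):
    """Throughput that same packet rate delivers at a different packet size."""
    return pps * packet_bytes * 8 / 1_000_000

def max_concurrent_calls(rated_mbps, rated_packet_bytes, codec):
    """Two-way calls a packet-rate-bound device can carry, if per-packet cost
    rather than bytes is the limit (the pessimistic assumption for VoIP)."""
    pps = pps_capacity(rated_mbps, rated_packet_bytes)
    return int(pps // (2 * pps_per_call(codec)))

if __name__ == "__main__":
    rated_mbps, rated_bytes = 1000, 1500   # constructed datasheet figure
    pps = pps_capacity(rated_mbps, rated_bytes)
    print(f"rated {rated_mbps} Mbps at {rated_bytes}-byte packets = {pps:,.0f} pps")
    for codec in CODECS:
        size = voip_packet_bytes(codec)
        print(f"{codec}: {size}-byte packets, {pps_per_call(codec)} pps per direction, "
              f"same pps moves only {effective_mbps(pps, size):.0f} Mbps, "
              f"about {max_concurrent_calls(rated_mbps, rated_bytes, codec)} calls")
```

Two things fall out of the numbers. A device rated at 1 Gbps on large packets has only been shown to handle about 83,000 packets per second, which at 200-byte G.711 packets is roughly 133 Mbps of voice. And switching to a low-bitrate codec such as G.729 does not buy a single extra call on a packet-rate-bound box, because the packet count per call is unchanged; that is why the article insists on asking vendors for performance at small packet sizes, not just headline throughput.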
Not just the firewalls: even the next level of equipment, such as IPS,
should be aware of at least the documented vulnerabilities of VoIP and block
that behavior on the network.
Just like a PC or a server, there is also going to be a need for endpoint
security devices or software, because the IP phone is essentially a computer
and by that logic open to all the vulnerabilities that are so common today.
Also, experts point out that the entire VoIP session should be encrypted
end-to-end. It must be ensured that not only the conversations (the RTP media,
for which SRTP exists) but also the signaling (SIP over TLS) are encrypted.
And above all, VoIP communications carry with them a potential for misuse
and fraud to an extent that is probably unimaginable in a traditional network.
Either through a bot or through a misled employee, outsiders could connect to
overseas destinations or even destinations that carry paid content. The
enterprise will have to foot the bill for this spurious traffic, knowingly or
unknowingly. Once VoIP networks are allowed to connect to the PSTN (discounting
the issues of ADC), enterprises themselves will run the risk of becoming
victims of toll fraud.