Network Security: No Scope for Complacency

Voice&Data Bureau

Networks are expanding and running a plethora of applications that in turn
drive much of the business of enterprises. This growth and expansion of
enterprise networks, and the increasing reliance of businesses on them, have
given rise to new challenges in securing these networks. As the security
environment worsens under a complex set of threats and vulnerabilities, network
security must be dealt with at different levels and in a much more comprehensive
manner than it is today.


As the complexity and number of threats increase, the menace cannot be fought
just with complex solutions that most enterprises don't understand. Network
security is best ensured by following a process: assessing and determining
risks, designing a security policy, building a security architecture based on
it, and then looking for tools that are aligned with it. An enterprise must
constantly monitor and revise the security policy and system in line with
changes in the external environment and in the business model it follows.

Key Threats

There is no such thing as a minor or major threat for enterprises. Seemingly
minor threats turn out to be major ones only after attacks happen, so
enterprises cannot afford to ignore any of them. Security threats pour in from
all directions and can take the following forms:

  • Physical threats
  • Environmental threats
  • Unauthorized access
  • Malicious misuse
  • Unintentional (accidental) errors and omissions
  • Intentional attacks, which include insiders, virtual insiders (planting a
    Trojan inside the infrastructure to obtain information) and outsiders
  • Identity theft
  • Viruses
  • Data leakage
  • Online banking fraud (for the banking industry; includes phishing, pharming
    and identity theft)

Though the security threats remain almost the same year after year, they simply
assume new avatars every time they appear.


But the biggest threats enterprises should consider are:

  • Complacency: Many organizations fail to take threats to their security
    seriously, taking instead the view, "It won't happen to us". The first step
    towards safeguarding information from harm is recognizing that threats do
    exist and deciding that the information warrants security measures.

  • Poor execution: Half-hearted security measures are worse than none at all.
    An inadequate security system not only fails to keep out threats, but also
    offers a false sense of security to the organization.

  • The naive employee: Human nature can be the weakest link in any security
    regime. Many users find security procedures a nuisance and skip them to get
    the job done. To combat this, nothing beats continued education and
    empowerment of users.

Experts panel

  • Ajay Kumar, country manager, Aventail India
  • Avnish Datt, country manager, Orange Business Services India
  • Jari Heinonen, director, Asia Pacific Region, F-Secure Security Labs
  • Mahendra Lalwani, managing director, ZyXEL Technology
  • Mohammed Hayath C, business development manager, Network Security, Cisco India & SAARC
  • Patrik Runald, senior security specialist, F-Secure Security Labs
  • Prasad Babu, director, Systems Engineering, Juniper Technologies
  • Prosenjeet Banerjee, head of Information Security Services, HCL Comnet
  • Sai Gundavelli, CEO, Solix Technologies
  • SR Kannan, head, Security, Sify
  • Vivek Sharma, general manager, ESG, Wipro

Due to these threats, enterprises face data loss, loss of service, negative
publicity and loss of reputation.

New Challenges

The next big wave of network deployments is likely to come from VoIP
networks. Currently these networks are relatively safe, as their numbers are
small, but as they grow in popularity hackers are also likely to be attracted
to them. Thus the current practice of treating VoIP as just another application
will need to be refined and upgraded. With or without security, it is important
to note that if the latency introduced by equipment is more than 120
milliseconds, the voice application will perhaps not be used for business
applications.


While today's firewalls do a good job of protecting networks, firewalls for
VoIP will need application-level gateways for protocols like SIP or H.323.
These special requirements crop up because of issues like protocols using more
than one port in a session, or the extremely small size of VoIP packets. A VoIP
packet is one of the smallest packets in IP and presents some very unique
challenges to network security equipment.
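As an added illustration of the multi-port problem above (example code written for this article, not from any firewall vendor): a SIP INVITE carries the call's media ports only inside its SDP body, so a plain port-based firewall cannot know which UDP ports to open. The code parses a constructed INVITE and lists the RTP/RTCP pinholes a SIP application-level gateway would have to open for that one call; all names and the sample message are assumptions.

```python
# Constructed SIP INVITE carrying an SDP offer (sample input, not from the article).
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def parse_sdp_media(sdp):
    """Return (connection address, [(media type, first port, port count)]) from an SDP body."""
    conn, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):          # c=<nettype> <addrtype> <address>
            conn = line[2:].split()[2]
        elif line.startswith("m="):        # m=<media> <port>[/<count>] <proto> <fmt ...>
            fields = line[2:].split()
            port, _, count = fields[1].partition("/")
            media.append((fields[0], int(port), int(count) if count else 1))
    return conn, media


def sip_media_pinholes(message):
    """List the (address, UDP port, purpose) pinholes a SIP ALG would open for this
    message's media. Signalling on 5060 can be a static rule; the RTP/RTCP ports are
    negotiated per call in the SDP, which is why a port-based firewall cannot know them.
    A real ALG also closes these pinholes again when the call ends (BYE)."""
    head, sep, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:    # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not sep or headers.get("content-type", "").lower() != "application/sdp":
        return []                          # no SDP offer, nothing to open
    conn, media = parse_sdp_media(body)
    holes = []
    for mtype, port, count in media:
        if port == 0:                      # port 0 rejects the stream: no pinhole
            continue
        for i in range(count):             # each stream is an RTP/RTCP port pair
            rtp = port + 2 * i
            holes.append((conn, rtp, f"{mtype} RTP"))
            holes.append((conn, rtp + 1, f"{mtype} RTCP"))
    return holes
```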

Outsourcing Security Management

To outsource or not to outsource security management is a difficult call for
CIOs. The promised benefits of outsourced security are attractive: the potential
to significantly increase network security without hiring half a dozen people or
spending a fortune is impossible to ignore. In countries like Japan and South
Korea, network security has moved towards an outsourced-management kind of
environment. A PricewaterhouseCoopers report says that the SMB segment would
increasingly look at outsourced security management of their first line of
defense, including firewall, IDS and incident reporting services. A recent
survey by Forrester estimates that 30% of SMBs outsource their enterprise
applications and 59% of those are concerned about the security of their data. In
India, outsourcing of security is still a tough decision for network managers.
Slowly the outlook is changing and there has been a rise in the managed services
space. Though enterprises are shying away from completely handing over security
to a third party, remote management from a central location is taking off.

Major Security Trends

  • Database security will receive more attention
  • Identity federation use will increase
  • Virtual directories will drive identity projects
  • End-to-end application security thinking will evolve
  • Role-based access controls will shake out
  • Business partners must prove their network security
  • Credit-reporting agencies will get involved in identity-theft prevention
  • Secure coding will get more attention

The potential risks of outsourcing are also considerable, and selecting the
wrong vendor is a costly affair. There are stories of managed security companies
going out of business, and of bad experiences with outsourcing in other areas of
IT. If deciding whether to outsource security is difficult, deciding what to
outsource and to whom seems nearly impossible. Over the past few years, we've
seen many different companies offering different capabilities under the general
category of "managed security services." The field is so confusing that even
the industry analysts can't agree on how to categorize the services offered: one
offers vulnerability scans, another managed security policies, someone else
network monitoring services, and so on.

Security management should be outsourced to a reliable Managed Security
Service Provider (MSSP). The business models that can be adopted include
managing the security infrastructure from the partner's own Security Operation
Center (SOC), or building a captive SOC within the customer's premises. However,
the business model finally adopted needs to be chosen based on the customer's
requirements and the accepted service level agreements (SLAs).

Managed Security Service Providers: Multifold Benefits

24x7 Monitoring

It is estimated that almost 60% of attacks happen during the graveyard
shift, a period when the availability of skilled resources is always in
question. To proactively detect and respond to attacks, 24x7 monitoring
becomes an imperative. 24x7 monitoring involves a three-shift operation.
Even if just one security expert per shift were enough (a difficult
presumption, considering the high domain specialization required in data
security), an organization would require at least three security experts
for round-the-clock monitoring, which would be a huge cash outflow.

Powerful Event Correlation

In a corporate environment, event handling tends to become people-dependent.
Given the inconsistency in event occurrence, it becomes difficult to
correlate similar incidents to detect an attack. Moreover, organizations do
not work on Standard Operating Procedures, which are required to effectively
defuse an attack. Even after having an in-house expert look at an event, one
is not confident of the type of attack that has happened and the effective
method to resolve it. MSSPs provide automated event correlation capabilities
that list events with similar patterns and correlate them to detect an
attack.

Managing False Alerts

False positives constitute 99% of total security alerts, making it
extremely difficult to segregate the 1% of real alerts. A typical firewall
generates thousands of alerts a day, while an IDS can generate millions of
raw log entries that become practically impossible to interpret. MSSPs have
automated tools that segregate the 1% of actual attacks from the false
positives, making security management a much easier task.
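The two sections above describe event correlation (grouping events with similar patterns) and false-positive suppression without showing either. As an added example written for this article, and not code from any MSSP, the block below normalizes constructed firewall log lines into pattern keys, groups them by pattern and source inside a sliding time window, drops a pattern an analyst has already reviewed as benign noise, and raises one incident when a source repeats a pattern at least a threshold number of times; the log format, field names and the benign rule are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample input, not from the article or any MSSP).
SAMPLE_EVENTS = [
    "2007-03-01T02:13:04 fw1 DENY tcp 203.0.113.7:51201 -> 10.0.0.5:22",
    "2007-03-01T02:13:05 fw1 DENY tcp 203.0.113.7:51202 -> 10.0.0.5:23",
    "2007-03-01T02:13:06 fw1 DENY tcp 203.0.113.7:51203 -> 10.0.0.5:80",
    "2007-03-01T02:13:07 fw1 DENY tcp 203.0.113.7:51204 -> 10.0.0.5:443",
    "2007-03-01T02:13:08 fw1 DENY tcp 203.0.113.7:51205 -> 10.0.0.5:3389",
    "2007-03-01T02:20:00 fw1 DENY udp 10.0.0.9:137 -> 10.0.0.255:137",
    "2007-03-01T02:20:30 fw1 DENY udp 10.0.0.9:137 -> 10.0.0.255:137",
    "2007-03-01T03:40:00 fw1 DENY tcp 198.51.100.2:4000 -> 10.0.0.5:22",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Patterns an analyst has reviewed and classed as benign noise (constructed rule).
BENIGN_PATTERNS = {"fw1 DENY udp BROADCAST/137"}

def normalize(ev):
    """Collapse the variable fields (ports, source) so similar events share one key."""
    if ev["dst"].endswith(".255"):
        return f"{ev['host']} {ev['action']} {ev['proto']} BROADCAST/{ev['dport']}"
    return f"{ev['host']} {ev['action']} {ev['proto']} -> {ev['dst']}"

def correlate(lines, window=timedelta(seconds=60), threshold=5):
    """Group events by (pattern, source); raise one incident per group whose events
    reach `threshold` inside a sliding `window`. Returns a list of tuples
    (pattern, source, count, sorted destination ports, first timestamp)."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line: keep raw for forensics
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        buckets[(normalize(ev), ev["src"])].append(ev)
    incidents = []
    for (pattern, src), evs in buckets.items():
        if pattern in BENIGN_PATTERNS:
            continue                       # reviewed false positive: not escalated
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            run = evs[start:end + 1]
            if len(run) >= threshold:
                ports = sorted({int(e["dport"]) for e in run})
                incidents.append((pattern, src, len(run), ports, run[0]["ts"]))
                break                      # one ticket per pattern/source
    return incidents
```

On the sample input, eight raw lines reduce to a single incident: one source probing five ports on one host within four seconds, while the broadcast chatter is suppressed and the lone later deny stays below threshold.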

Emergency Response

Emergency response becomes difficult if an enterprise is managing its
security in-house. The security team is either not available or doesn't
have adequate tools, processes or policies to respond to an attack. MSSPs
operate on Standard Operating Procedures that ensure near-real-time
response to all security incidents.

Reporting and Documenting Events

In-house reporting tools provide limited or no visibility into the security
infrastructure. Either the organization tends to completely ignore the
reporting aspect or delegates it to lesser-qualified resources. Reporting
becomes extremely crucial for forensics and also for analyzing the type of
event and the method to counter it. MSSPs provide real-time visibility into
the security infrastructure, letting a CIO know the status of his network
at any point of time.

Upgrades and Patches

Security vendors come out with new patches on a regular basis. The high
frequency of patch releases and the multiplicity of security products make it
difficult for an organization to apply these patches in a timely manner.

Trained and Dedicated Professionals

Certified security professionals at an MSSP undergo extensive security
training and rigorous background checks prior to managing or monitoring an
organization's equipment.

Guaranteed Responsiveness

An MSSP begins escalation the moment a problem is detected and the source
is identified. Aggressive Service Level Agreements (SLAs) ensure that an
organization will be notified immediately.

Enhanced Internet Security

This is critical, if governments and businesses are to move high-value
transactions and sensitive information online. For many organizations, a
managed security service represents the most effective approach to
deploying enhanced Internet security.

Ten Commandments of Network Security

The following are essential for your information security program to be
effective:

  • Make sure the CXO "owns" the information security program and assign
    senior-level staff with responsibility for information security.

  • Establish a cross-functional information security governance board.

  • Establish metrics to manage the program.

  • Implement an ongoing security improvement plan.

  • Conduct an independent review of the information security program by
    conducting regular surveillance audits.

  • Implement suitable security technologies, for example layered security at
    gateway, server and client.

  • Separate your computing environment into "zones".

  • Start with the basics and then improve the program.

  • Consider information security an essential investment for your business.

  • Conduct regular security awareness programs for the staff.

A Tough Job For The Network Managers

A CIO has a tough task. He has to ensure the security of the network, but
also work within a specified budget. He is under pressure to optimize the return
on investment on one hand, while having to serve the latest upgrades on the
other. He has to plan his security policy and architecture keeping long-term
goals in mind and also deal with multiple vendors in a fast-changing technology
environment.

Enterprises do not receive threats from only one source. Sample
this: About 26 to 32% of the causes of data-loss are due to human error such as
accidental deletion and lost passwords. About 44 to 56% of the causes of data
loss are due to hardware problems or malfunctions; 2 to 3% of the causes of data
loss are due to natural disasters including power surges.

Enterprises thus face threats from their employees, network and
applications, and natural disasters. Hence, CIOs face the challenge to decide
where exactly they should start implementing security. They have to consider all
the three factors while implementing any kind of security policy.

The advice to the CIO is to adopt the best practices in the industry.
However, he should also keep his own requirements in mind. Adopting the best
of breed might not always be successful. Security solutions should be
custom-built and very specific to each business' needs and infrastructure.
The key challenge for any CIO is to make the overall security strategy, and
while doing this he has to assess his current requirements in the light of
future growth and also identify critical areas to be addressed. Preparing a
road map that takes escalations and scalability into account is a good way to
start.

The Evolution of Mobile Viruses

Viruses affecting mobile phones are a relatively new phenomenon. One of the
first significant attacks involving mobile phones occurred in June 2000 and
focused on a specific mobile operator. The first viruses to attack handheld
devices also occurred in 2000. Viruses such as Liberty, Phage and Vapor
affected devices using the Palm OS, which has not been subject to further
virus attacks since. However, malware affecting devices using other
operating systems has occurred since that time.

NTT DoCoMo malware attack: During August 2001, Japanese users of NTT
DoCoMo's i-mode found their phones started to dial 110, the Japanese
equivalent of 911 emergency assistance, if they answered 'yes' to a certain
question during an online quiz regarding love. Japanese police switchboards
were swamped with bogus calls that prevented authorities from responding to
true emergencies. NTT DoCoMo has now corrected the vulnerability exploited
by the attack.

Symbian viruses: Beginning in 2004 and continuing in 2005, viruses affecting
Symbian OS and the Microsoft Windows Mobile OS have significantly increased.
Symbian OS in particular has suffered from virus outbreaks affecting devices
using Symbian OS 7.0s with the Series 60 platform user interface, the
software used in most Nokia smartphones. The Cabir attack, which occurred in
June 2004, was followed by a steady stream of variants and permutations
including Qdial, Skulls, Velasco, Locknut and Dampig.

Cabir and its offspring represent proof-of-concept malware that propagated
effectively and caused little damage. These initial viruses represent the
hacker community experimenting with a new technology. Cabir used Bluetooth
wireless connectivity to transmit itself; Bluetooth transmissions are
limited to a distance of 10 meters. The infected device would search for
other Bluetooth devices in discoverable mode, and the user of the target
device would then have to click through four dialog boxes for that device to
actually become infected.

Although the Cabir virus did not propagate to any significant degree, the
increasing frequency of its variants demonstrates that virus writers are
becoming better at writing viruses for mobile devices. Subsequent malware,
Comwar and Mabir, used more effective methods, particularly MMS.

Smartphones and mobile messaging malware: The built-in messaging
capabilities of smartphones make them a natural target for messaging worms.
A virus can leverage the phone's integrated messaging capability to
propagate to other phones, and such malicious code can use the phone's
address book to find new targets. For example, devices infected with the
Mabir virus, which affects Symbian OS 7.0 with the Series 60 platform user
interface, will attempt to infect other devices supporting MMS by responding
to received SMS or MMS messages and sending a copy of the virus by MMS. This
interrupts user productivity, drains the battery, can increase MMS charges,
and provides the potential to damage a user's reputation among friends and
business colleagues. Although they are not yet common, protecting phones
from mobile messages with malicious payloads, also known as mobile messaging
malware, is an essential component of any antivirus solution.

Security Trends

'The bad guys are making money': this is the trend. It is a really dangerous
trend that has been going on for three years now, and since they are making
money there is an incentive for them to continue. They also have more
resources to come up with even nastier threats. There has been a gradual
attitude change among customers, who are going in for multiple products for
specialized purposes. Organizations are going in for Unified Threat Management
technologies, by which a single device performs the role of firewall,
anti-virus and IDS equipment. CIOs are increasingly going in for Information
Security Management Systems, which give them a 360-degree view of information
systems and data and include measures to mitigate all forms of threats.

Many organizations are focusing on network security, but the trend is going
to change as organizations have started giving priority to securing their
databases. According to Noel Yuhanna, senior analyst at Forrester,
"Database security will continue to gain importance across the industry,
especially for those storing private data, primarily driven by increased
intrusions and growing regulatory requirements." Add to this increasing
compliance requirements, which raise the importance of implementing effective
security standards.

Gyan Ranjan Swain
gyanas@cybermedia.co.in