A recent survey by the FBI found that dealing with viruses, spyware, and other computer-related crimes cost US businesses $67.2 bn last year. By comparison, the survey report says, telecommunication fraud losses were about $1 bn. Last year, the profits of the cyber hacking industry were more than those of the illegal drugs industry.

While viruses, worms, and botnets have remained popular tools of the hacker's trade, they are now being used to far more devastating effect.

THE THREATS

That viruses, worms, spyware, spam, etc are threats is now accepted by all. What is new about them is the purpose they are being put to. The hacker today is interested in all the information that the enterprise network and its end terminals hold. Therefore, besides virus attacks, unauthorized use of network resources is also a major threat for enterprises.

Probing Attacks: With all the old tools (viruses, worms, Trojans, etc) the hackers are now trying to find entry points into the network. Firewalls are today one of the most popular pieces of network security equipment being deployed, and to good effect too. One of the effects has been that the hackers are now looking to attack the network from within. This does not mean that interest in network attacks is going down; probing for unprotected ports remains a popular activity for the hackers.
EXPERTS PANEL: A Prasad Babu, SE
The probing could be tried in many ways. Today the hackers need not bother to hack into a network with cleverly written malware. All they have to do is find an end terminal that is less secure than the network it is in, and use it as a bot to launch the attack on the network from within. This vulnerability could come from outdated patches or antivirus definitions. The attack does not even have to be a DoS; the hacker may simply be interested in theft of identity or business information. Such attacks need not cause system-wide disruption and many of them may go unnoticed. However, the damage they cause to the business, if not the network, can be as devastating as a total system shutdown. They attack the business as a whole, of which the network is only a small part.

Another way of gaining entry into a network is through mobile end terminals such as laptops. If a laptop can be infected while outside the secure corporate network, there is a possibility that it could act as a bot from inside the network.

It is true that this type of hacking is targeted at the big enterprises, but the SMBs are not safe either. It is a lot harder to get into large enterprises, so the hacker can still stay in business by stealing from small enterprises: they too have customer databases that can be hacked, identities that can be stolen, and an IT infrastructure that can in effect become a bot of the hacker.

Organizations need to take proactive steps both to curb these attacks and to minimize the damage from them. The hackers can keep modifying their malicious code, use a botnet to launch the attacks, and keep discovering newer vulnerabilities, sometimes even before the security companies can.

Hackers today have moved beyond ICMP probes and are looking at any available port, such as SMTP, FTP, etc.
- Speed Matters: The Nimda virus exploited a vulnerability that was more than 300 days old; in practice the attack should never have been successful. The enterprises were too slow in responding to it. Today, a virus is ready almost the moment a vulnerability is published. It is a literal race between the hackers and the security administrators as soon as a vulnerability becomes known. Even if the enterprises and their security service managers consistently act with speed, they have to miss only once and the revenge of the hacker is upon them. Sometimes, as happened with the Windows Meta File (WMF) exploit, hackers can even research a vulnerability all by themselves and sell it to the underworld. This actually happened, and the vulnerability in question was sold to at least one spammer for $4,000.

- Spoil Sports: Malware has the potential to devastate the best-laid business plans of the emerging broadband service providers. IP enables the service providers to oversubscribe their services, knowing full well that not everybody will be using the bandwidth to full capacity all the time. But with the constant probing attacks and spam floating around in the networks, any available capacity is simply wasted. The service provider loses because the bandwidth that could have been a revenue generator is being wasted: it is serving the commands of a hacker. The customers lose out because it is their computer that is sending the malicious traffic, having become a bot. And they may even have to pay for this spurious traffic, because the billing software of the service provider would not differentiate between genuine and spurious traffic.
Everybody in the business of IT knows that technology does not matter, applications do. The hacker understands this too, and is today putting the same old technologies to newer uses.

So, while DoS still remains a threat for an enterprise network, along with the cost of network recovery the enterprise now also has to contend with the costs associated with business recovery. While a DoS may shut down a corporate network for two days, even after recovery from the network attack the enterprise might find that its customer database/profiles have either been tampered with or quite simply clandestinely copied and sold to competitors or, worse still, made public.
DEPLOYMENTS
Firewalls have remained the most popular. As always, most of the enterprises are using these for perimeter security. An enterprise may want to give its database of customers a little more protection than just a few firewalls. For this it would install protection not only against threats from outside the network, but also against unauthorized users within the network. However, there is now an increasing emphasis on endpoint security, so antivirus/antispyware tools are receiving renewed interest.
The IDS systems have also been deployed for protecting critical parts of the network's resources.

Network elements that have DoS prevention capabilities and those that have the capability to filter traffic are also gaining attention, for example, the feature of unicast reverse path forwarding. With this, when the router receives traffic on a port, it does a reverse path lookup of the source address in the routing table. It checks whether the traffic is supposed to come from where it claims to be coming from, and whether that source is from within the network or outside the network; in other words, it tries to look for spoofed IP addresses. This functionality is today an integral part of most RFPs. The router can also apply rate limits, so that one person is not able to do a ping of death to the router, and it remains available to the other users too.

These features protect the service providers' own infrastructure as well as the subscribers, as the users cannot spoof addresses even unknowingly: a Trojan sitting on a laptop or a bot may also spoof the IP address and send out the attack without the subscriber's knowledge. These capabilities stop the malware at the source itself so the threat does not spread in the network.
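As an added illustration (not the article's own material and not any router vendor's implementation), this Python sketch models the reverse path check described above: a constructed forwarding table, a longest-prefix lookup on the packet's source address, and the strict and loose verdicts a router would give. Interface names, prefixes and sample packets are hypothetical.

```python
import ipaddress

# Constructed forwarding table for the example (hypothetical interfaces and prefixes):
# prefix -> interface the router would use to reach that prefix.
FIB = {
    "10.1.0.0/16": "lan0",   # subscriber/branch LAN
    "10.2.0.0/24": "lan1",   # second LAN segment
    "0.0.0.0/0":   "wan0",   # default route toward the upstream provider
}

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def reverse_path(src, allow_default=False):
    """Longest-prefix-match the *source* address in the FIB and return the
    interface the router would use to send traffic back to it (None if no route).
    The default route only counts as a reverse path when allow_default is set;
    otherwise any unrouted address would trivially pass the check."""
    addr = ipaddress.ip_address(src)
    best_net, best_if = None, None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net == DEFAULT and not allow_default:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def urpf_verdict(src, in_iface, mode="strict"):
    """Return 'forward' or 'drop' for a packet with source src arriving on in_iface.
    strict: the reverse path must point back out the ingress interface.
    loose : a reverse path must merely exist somewhere in the FIB."""
    rp = reverse_path(src)
    if mode == "strict":
        return "forward" if rp == in_iface else "drop"
    if mode == "loose":
        return "forward" if rp is not None else "drop"
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(packets, mode="strict"):
    """Apply uRPF to a list of (src, in_iface) tuples; returns one verdict per packet."""
    return [urpf_verdict(src, iface, mode) for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample traffic: a genuine LAN host, the same address spoofed by a
    # bot on the other segment, and a source for which no route exists at all.
    sample = [
        ("10.1.20.5", "lan0"),     # genuine: 10.1.0.0/16 lives on lan0
        ("10.1.20.5", "lan1"),     # spoofed: address belongs to lan0, arrived on lan1
        ("198.51.100.9", "lan0"),  # unrouted (documentation range): bogus source
    ]
    for (src, iface), verdict in zip(sample, filter_packets(sample)):
        print(f"{src:>14} on {iface}: {verdict}")
```

Strict mode is the one that stops a bot on lan1 from borrowing a lan0 address; loose mode only catches sources nobody routes at all, which is why it is the usual choice on multihomed edges where asymmetric paths would make strict mode drop legitimate traffic.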
For large organizations and data centers, the concept of layered or redundant security still holds good. However, with businesses growing, there is now also a need to network the branch offices and obviously to give them some sort of protection. The SMBs are also a major user of security services. These segments may not want datacenter-level security, and may not even have the expertise to manage an ensemble of point solutions. With them, therefore, unified threat management, single-box solutions are the current favourites. These solutions are focused on securing the LAN and ensuring that every resource on the network is safe enough to use the network.

However, the traditional security apparatus remains a reactive system; it needs pattern files and signatures of the malware to be able to do its job. The new interest of the vendor community is in proactive tools such as IPS. These tools have been available for some time now, but are yet to catch the fancy of the customers.
Focus till now has been on ensuring a working network. Till now, the need for ensuring the security of information on that network has not received the focus of attention.

One reason could be that many high-profile attacks have not happened. A lot of attacking and theft of information may well be happening, but its impact has not been very drastic. That is one of the reasons the pain has not been felt at that level. The attacks from spamming and virus activity have been more painful in terms of bringing down servers and desktops. So most of the investment has gone into that. People are more focused on the hosts, the servers, and the desktops. Security of information is still not at the forefront. The next step in security is likely to be the stopping of threats before they hit the host. That is where IPS comes in.

These are proactive, traffic-mode security measures. With IDS, when an alarm is received, it has to be investigated. The IDS would not stop the attack. However, the proactive IPS can drop spurious packets (according to the policies in it) when they hit the network and then also raise an alarm.

While vendors give out many success stories of such proactive solutions running successfully without any patch management, most experts recommend that for now it is better to go with tools that are a combination of reactive and proactive solutions.
Another driver for deployments is going to be articles such as this one and the security vendors themselves. Both will likely create awareness (if not a fear psychosis) among the user community about the threats and their dangerous effects. But enterprise users must use their judgment to evaluate whether the cost of preventing a threat is going to be greater than the cost of the threat itself. If that is true, let the hacker have his ego trip. His nuisance value to the business is no more than the coffee machine running out of milk powder.
- Drivers: Two kinds of regulatory drivers have driven the deployment of security measures. For the BFSI sector, the regulations have largely been driven by government regulation. For the IT/ITeS sector, the regulatory pressure has come from the customers. While the networks are of very high worth for both these sectors, their adoption of outsourcing is very different. While some of the banks are open to outsourcing, IT companies are unlikely to adopt it, due to their customers' fears of involving too many third-party players.

For other sectors, awareness of the threats is the main driver of adoption of security measures.

Limited skill sets to manage growing networks is also a driver for new deployments such as UTM. This factor is also fueling the managed security services business. Another possible cause could be that churn among the IT staff is high, and in some of the stable enterprises this churn could be many times more than that among the employees in the core functions of that business.
REACTIVE VERSUS PROACTIVE
The speed at which new exploits are being discovered is making the traditional management of security expensive and unwieldy. The buzzword with equipment vendors and service providers now is proactive. Interestingly, there are various interpretations of this word. The important thing is that there is no escaping it.

From a vendor point of view, proactive technologies encompass automated systems that work by analyzing the behavior of the malware. With the freely available hacker tools (some of them even come with a GUI) and a host of compression formats, the hacker no longer has to write the entire program. A virus compressed in a new format looks different and has a different signature. Thus, the old viruses can be reused, and they are being reused. With each reuse, the signature of the virus is altered and the network has to face the fury of the same old virus in a new avatar.

Instead of working with signature and pattern files, the new proactive technologies are built more around anomaly-based and behavior-based detection.

One of these technologies is the intrusion prevention system. These systems will basically be intelligent (though not necessarily equipped with artificial intelligence) and will function as automatic network administrators, dealing with packets and forwarding or dropping them as per their policies.
THE WEAKEST LINK
Tools and technologies can protect to an extent, but users within enterprises need to be disciplined in using the IT resources that are in place to achieve the business objectives, including the availability of bandwidth. Technology can ensure that outside factors don't adversely affect the availability of network resources, but 'misuse' of these resources by users can have as bad an impact on the network as a DoS. Policies for use of IT resources may even require a change in the habits of people, and no tool or technology can take their place.

Sensitizing the employees to use the network safely has been one area where most enterprises are still trying to find their bearings. Mundane posters have been the best efforts till now.

In any organization, e-mail security is a basic requirement: 'Don't open unauthorized mails.' One of the services available today is tracking of behavioral patterns within an organization to check the awareness of the employees. It checks how many people are adhering to the company's security policies, eg, not opening a certain type of attachment. A tool sends a mock virus to the end terminals, and it helps track the state of awareness department-wise and user-wise. Following this, there can be more targeted awareness/education of those sets of employees.

However, due to the probable effects of these measures on other aspects of the business, such as HR (employee motivation/disgruntlement), these measures are only taken after explicit permission from the companies' top bosses. Involving the top bosses could emerge as a best practice, because these measures must be undertaken after a careful evaluation of the nature of the business, if not a cost and benefit analysis.
LESSONS FROM LAST YEAR
Last year, the Zotob virus made a lot of headlines, in part because it affected the servers and networks at many of the mass media organizations worldwide. The tools used against it were mainly anti-spamming tools. At the second level, IPS was used, triggered by certain words in the email. If the mail contained certain words, it was dropped. That protected the network. These emails could not be stopped by the email filters, partly because they were not coming from one email address and secondly because the spam was coming from addresses that the enterprises used legitimately. The attack was high profile, and drove the business of anti-spamming tools to a great extent.

The anti-spamming tools reside on the server and the gateway, as the idea behind them is to prevent the threat from reaching the desktops. These applications monitor all the emails and, according to their policies, any spurious email can be dropped or quarantined. They can also send a message to the user on how the email can be accessed or on how it was processed.

The measures taken to overcome that attack were successful, and after that no attack was as successful. The enterprise network managers were able to respond to attacks in very short time periods and secure their networks. Enterprises also learnt a lot about the attacks and the tools available to protect their networks. But it must be understood that any tool or technology is only as successful as its implementation. Just having an anti-spamming tool or IPS is not enough. These devices could (it is always possible) fail to protect when dealing with new or unknown attacks. The important thing is not just to stop the attack, but also how quickly the spread of that attack can be checked. The tools are only as effective as the policies on those tools. So, if there are certain file extensions that a business does not normally use, those could be built into the list of extensions, and these could be disallowed to stop the threats on a proactive basis.
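The extension policy just described, as an added example in Python that is not the article's own material nor any gateway product's code: it walks every MIME part of a message, flags attachments whose name carries an extension the business has disallowed (catching double-extension names such as statement.pdf.exe), returns a quarantine or deliver verdict, and composes the notice the gateway would send the user. The blocklist, addresses (reserved example.com names) and sample mails are constructed for the example.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Constructed policy for the example (hypothetical): attachment extensions this
# business never exchanges by mail, so any mail carrying one is held back.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wmf"}


def risky_extensions(filename):
    """Return every blocked extension appearing anywhere after the first dot.
    Checking all trailing components, not just the last one, catches the
    double-extension trick ('invoice.pdf.exe') and case games ('Photo.JPG.SCR')."""
    parts = [p.strip().lower() for p in filename.split(".")[1:]]
    return [f".{p}" for p in parts if f".{p}" in BLOCKED_EXTENSIONS]


def gateway_verdict(raw_message):
    """Apply the extension policy to one raw RFC 5322 message.
    Returns ('deliver', []) or ('quarantine', [reason, ...]); whether a hit is
    dropped or quarantined is the operator's policy choice."""
    msg = message_from_bytes(raw_message)
    reasons = []
    for part in msg.walk():           # visits every MIME part, nested or not
        name = part.get_filename()
        if not name:
            continue                  # body text and multipart containers
        hits = risky_extensions(name)
        if hits:
            reasons.append(f"attachment {name!r} has blocked extension {', '.join(hits)}")
    return ("quarantine", reasons) if reasons else ("deliver", [])


def user_notice(verdict):
    """The message the gateway would send the recipient about how the mail was processed."""
    action, reasons = verdict
    if action == "deliver":
        return "Your message was delivered unchanged."
    return "Your message was quarantined: " + "; ".join(reasons)


def build_message(attachments):
    """Construct a sample mail with (filename, bytes) attachments (constructed test data)."""
    m = EmailMessage()
    m["From"] = "payroll@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Monthly statement"
    m.set_content("Please see the attached statement.")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    clean = build_message([("statement.pdf", b"%PDF-1.4 constructed sample")])
    tricky = build_message([("statement.pdf", b"%PDF-1.4 constructed sample"),
                            ("statement.pdf.exe", b"MZ constructed sample")])
    for raw in (clean, tricky):
        print(user_notice(gateway_verdict(raw)))
```

A name-based check is only the first layer of such a policy: a gateway that also inspects the declared content type and the file's leading bytes catches attachments renamed to slip past the list.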
- Outsourcing of security management: This is emerging as a growing business. But it is still not a hot favorite. Two interesting observations about this emerging trend have been noticed. The major SLA comes in response times and resolution times. The measurables in the deals and SLAs were very different for different customers, sometimes even in the same industry or geography. The service providers did a due diligence to find out a base level from which they could assure that fewer than that number of attacks would take place the next year. This base number would vary from enterprise to enterprise. The service providers were measured on how they were responding to the queries and how fast they were resolving the problems. The security support for these activities was usually classified on the basis of geography (class A, B, or C city) and also the kind of transaction that each remote branch did. Another interesting trend seen was that the enterprises did not go for this 'less than x number of attacks' in their SLAs. They simply required their service provider to perform specified actions in a specified period of time. As long as those actions (such as daily patch updation) were performed, the security service provider was not to be penalized even if an attack or a breach was successful. Pricing is always a factor.
NEW CHALLENGES
The next big wave of network deployments is likely to come from VoIP networks. Currently these networks are relatively safe, as their numbers are small, but as they grow in popularity, like everybody else, the hackers are also likely to be attracted to them.

Thus, the current trend of dealing with VoIP as just another application will need to be refined and upgraded. With or without security, it is important to note that if the latency introduced by equipment is more than 120 milliseconds, the voice application will perhaps not be used for business applications. If latency goes up to 300 milliseconds, the ITU will refuse to recognize the data transfer as VoIP.
While firewalls of today are doing a good job of protecting the networks, firewalls for VoIP will need application level gateways for protocols like SIP or H.323. These special requirements crop up due to issues like these protocols using more than one port in a session and the extremely small size of the VoIP packets. A VoIP packet is one of the smallest packets in IP and presents some very unique challenges to the network security equipment.

When vendors normally talk about the capability of the devices, they give the capability of the firewall in terms of throughput. But this throughput is calculated on the basis of packets that are much larger than a VoIP packet, which may never exceed 50 KB. In each packet, today, only the header of the packet is scanned by the firewall or even the IPS; the payload just passes through. So, if the packet size is small, a much larger amount of scanning will need to be done for the same volume of traffic. However, throughput is also important, as the firewall still has to be able to pass along large volumes of data to deliver the voice application. The enterprise customer must understand the relationship between packets per second and throughput, and ensure that when they go for equipment such as a firewall or IPS, they look at devices that can give consistent performance across packets of any size.

Not just the firewalls: it will have to be ensured that even the next level of equipment such as IPS is aware of at least the documented vulnerabilities of VoIP and blocks those behaviors on the network.

Just like a PC or a server, there is also going to be a need for endpoint security devices or software, because the IP phone is essentially a PC and by that logic open to all the vulnerabilities that are so common today.

Also, experts point out that the entire VoIP session should be encrypted, end-to-end. It must be ensured that not only are the conversations in the VoIP network encrypted, but the signaling protocols are also encrypted.

And above all, VoIP communications carry with them the potential of misuse and fraud, to an extent that is probably unimaginable in a traditional network. Either through a bot or through a misled employee, outsiders could connect to overseas destinations or even destinations that carry paid content. The enterprise will have to foot the bill for this spurious traffic, knowingly or unknowingly. Once the VoIP networks are allowed to connect to the PSTN (discounting the issues of ADC), besides toll fraud, enterprises themselves will run the risk of being victims of fraud.