ENTERPRISE NETWORK SECURITY: Is The Ghost For Real?

CIOL Bureau

A recent FBI survey found that dealing with viruses, spyware, and other computer-related crime cost US businesses $67.2 bn last year. By comparison, the survey report says, telecommunication fraud losses were about $1 bn. Last year the profits of the cyber hacking industry exceeded those of the illegal drugs industry.

While viruses, worms, and botnets remain popular tools of the hacker's trade, they are now being put to far more devastating effect.



THE THREATS

That viruses, worms, spyware, spam and the like are threats is now accepted by all. What is new is the purpose they are being put to. The hacker today is interested in all the information that the enterprise network and its end terminals hold. Therefore, besides virus attacks, unauthorized use of network resources is also among the biggest threats for enterprises.

Probing Attacks: Using all the old tools (viruses, worms, Trojans, etc), hackers are now trying to find entry points into the network.

Firewalls are today among the most widely deployed pieces of network security equipment, and to good effect. One consequence is that hackers are now looking to attack the network from within. This does not mean that interest in attacks from outside is declining; probing for unprotected ports remains a popular activity for hackers.



EXPERTS PANEL

A Prasad Babu, SE manager (India & SAARC), Juniper Networks
Bernie Trudel, head of security business, APAC, Cisco Systems
Prosenjeet Banerjee, head of security services, HCL Comnet

The probing can be tried in many ways. Today the hackers need not bother to break into a network with cleverly written malware. All they have to do is find an end terminal that is less secure than the network it sits in, and use it as a bot to launch the attack on the network from within. This vulnerability could come from outdated patches or antivirus definitions. The attack does not even have to be a DoS; the hacker may simply be interested in theft of identity or business information. Such attacks need not cause system-wide disruption, and many of them may go unnoticed. However, the damage they cause to the business, if not the network, can be more devastating than a total system shutdown. They attack the business as a whole, of which the network is a small part.



Another way of gaining entry into a network is through mobile end terminals such as laptops. If a laptop is infected while outside the secure corporate network, it could act as a bot once it is back inside the network.

It is true that this type of hacking is targeted at the big enterprises, but SMBs are not safe either. It is a lot harder to get into large enterprises, so the hacker can stay in business by stealing from small enterprises: they too have customer databases that can be hacked, identities that can be stolen, and an IT infrastructure that can in effect become the hacker's bot.

Organizations need to take proactive steps both to curb these attacks and to minimize the damage from them. Hackers can keep modifying their malicious code, use a botnet to launch the attacks, and keep discovering new vulnerabilities, sometimes even before the security companies do.

Hackers today have moved beyond ICMP and are looking at any available port, such as SMTP, FTP, etc.



  • Speed Matters: The Nimda virus exploited a vulnerability that was more than 300 days old; in practice the attack should never have succeeded. The enterprises were simply too slow in responding. Today, a virus is ready almost the moment a vulnerability is published. It is a literal race between the hackers and the security administrators as soon as a vulnerability becomes known. Even if enterprises and their security service managers consistently act with speed, they have to miss only once and the revenge of the hacker is upon them. Sometimes, as happened with the Windows Meta File (WMF) exploit, hackers can even research a vulnerability all by themselves and sell it to the underworld. This actually happened, and the vulnerability in question was sold to at least one spammer for $4,000.

  • Spoil Sports: Malware has the potential to devastate the best-laid business plans of the emerging broadband service providers. IP enables service providers to oversubscribe their services, knowing full well that not everybody will be using the bandwidth to full capacity all the time. But with constant probing attacks and spam floating around in the networks, any available capacity is simply wasted. The service provider loses because bandwidth that could have been a revenue generator is wasted serving the commands of a hacker. The customers lose out because it is their computer, turned into a bot, that is sending the malicious traffic. And they may even have to pay for this spurious traffic, because the service provider's billing software does not differentiate between genuine and spurious traffic.



Everybody in the business of IT knows that technology does not matter, applications do. The hacker understands this too, and is today putting the same old technologies to newer uses.

So, while DoS remains a threat for an enterprise network, along with the cost of network recovery the enterprise now also has to contend with the costs of business recovery. A DoS may shut down a corporate network for two days, but even after recovering from the network attack the enterprise might find that its customer database and profiles have been tampered with, or quite simply clandestinely copied and sold to competitors or, worse still, made public.



DEPLOYMENTS

Firewalls have remained the most popular. As always, most enterprises use them for perimeter security. An enterprise may want to give its customer database a little more protection than just a few firewalls; for this it would install protection not only against threats from outside the network but also against unauthorized users within it. There is now an increasing emphasis on endpoint security, so antivirus and antispyware tools are receiving renewed interest.

IDS systems have also been deployed to protect critical parts of the network's resources.



Network elements with DoS prevention capabilities, and those able to filter traffic, are also gaining attention; one example is the unicast reverse path forwarding (uRPF) feature. With this, when the router receives traffic on an interface, it does a reverse path lookup in the routing table: it checks whether the route back to the packet's claimed source actually leads out through the interface the packet arrived on, and whether that source belongs inside or outside the network. In other words, it looks for spoofed IP addresses. This functionality is today an integral part of most RFPs. The router can also apply rate limits, so that one person is not able to launch a ping of death against the router and it remains available to the other users.

These features protect the service providers' own infrastructure as well as the subscribers, since users cannot spoof addresses even unknowingly: a Trojan sitting on a laptop or a bot may spoof the IP address and send out the attack without the subscriber's knowledge. These capabilities stop the malware at the source, so the threat does not spread into the network.
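The reverse path check described above, as an added example that is not part of the original article or any vendor's implementation: a routing table is modelled as prefix-to-interface entries, and a packet's claimed source is looked up to see whether the best route back to it leaves through the interface the packet arrived on (strict mode) or merely exists (loose mode). Prefixes, interface names and sample packets are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class Router:
    """Routing table plus a uRPF check. All prefixes/interfaces are constructed."""

    def __init__(self, routes: List[Tuple[str, str]]) -> None:
        # Most specific prefix first, so the first hit is the longest-prefix match.
        self.routes = sorted(
            (Route(ipaddress.ip_network(p), ifc) for p, ifc in routes),
            key=lambda r: r.prefix.prefixlen,
            reverse=True,
        )

    def lookup(self, src: str, allow_default: bool) -> Optional[Route]:
        """Best route back towards src; the default route only counts if allowed."""
        ip = ipaddress.ip_address(src)
        for r in self.routes:
            if r.prefix.prefixlen == 0 and not allow_default:
                continue
            if ip in r.prefix:
                return r
        return None

    def urpf_check(self, src: str, ingress: str, mode: str = "strict",
                   allow_default: bool = False) -> bool:
        """True = forward, False = drop as a spoofed source.
        strict: the reverse path to src must leave on the ingress interface.
        loose:  any route back to src is enough (catches bogons, not all spoofing)."""
        route = self.lookup(src, allow_default)
        if route is None:
            return False
        if mode == "loose":
            return True
        return route.interface == ingress


def spoofed_sources(router: Router, ingress: str,
                    packets: List[Tuple[str, str]]) -> List[str]:
    """Sources among (src, ingress) packets that fail strict uRPF on `ingress`."""
    return [src for src, ifc in packets
            if ifc == ingress and not router.urpf_check(src, ifc)]


# Constructed topology: subscriber LAN on eth1, a second internal segment on
# eth2, default route towards the Internet on eth0.
ROUTER = Router([
    ("192.168.10.0/24", "eth1"),
    ("10.0.0.0/8", "eth2"),
    ("0.0.0.0/0", "eth0"),
])

if __name__ == "__main__":
    sample = [("192.168.10.5", "eth1"), ("10.3.4.5", "eth1"), ("8.8.8.8", "eth1")]
    print(spoofed_sources(ROUTER, "eth1", sample))  # ['10.3.4.5', '8.8.8.8']
```

Strict mode on the subscriber-facing interface is what stops a bot on a laptop from sending traffic with someone else's address; loose mode only rejects sources with no route at all.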



For large organizations and data centers, the concept of layered or redundant security still holds good. However, as businesses grow, there is now also a need to network the branch offices and, obviously, to give them some sort of protection. SMBs are also major users of security services. These segments may not want datacenter-level security, and may not even have the expertise to manage an ensemble of point solutions. For them, therefore, unified threat management (UTM) single-box solutions are the current favourites. These solutions focus on securing the LAN and ensuring that every resource on the network is safe enough to use the network.



However, the traditional security apparatus remains a reactive system: it needs pattern files and signatures of the malware to do its job. The new interest of the vendor community is in proactive tools such as IPS. These tools have been available for some time now, but are yet to catch the fancy of customers.

The focus till now has been on ensuring a working network. The need to ensure the security of the information on that network has not received the same attention.

One reason could be that many high-profile attacks have not happened. A lot of attacking and theft of information may well be happening, but its impact has not been very drastic, so the pain has not been felt at that level. Spam and virus activity have been more painful in terms of bringing down servers and desktops, so most of the investment has gone there. People are more focused on the hosts: the servers and the desktops. Security of information is still not at the forefront. The next step in security is likely to be stopping threats before they hit the host. That is where IPS comes in.

These are proactive, traffic-level security measures. With an IDS, when an alarm is raised it has to be investigated; the IDS does not stop the attack. The proactive IPS, however, can drop spurious packets (according to the policies configured in it) as they hit the network, and then also raise an alarm.

While vendors give out many success stories of such proactive solutions running without any patch management, most experts recommend that for now it is better to go with tools that combine reactive and proactive approaches.

Another driver for deployments is going to be articles such as this one and the security vendors themselves. Both will likely create awareness (if not a fear psychosis) among the user community about the threats and their dangerous effects. But enterprise users must use their judgment to evaluate whether the cost of preventing a threat is going to be greater than the cost of the threat itself. If that is true, let the hacker have his ego trip. His nuisance value to the business is no more than the coffee machine running out of milk powder.



  • Drivers: Two kinds of regulatory drivers have driven the deployment of security measures. For the BFSI sector, the requirements have largely been driven by government regulation. For the IT/ITeS sector, the regulatory pressure has come from customers. While the networks are of very high worth to both these sectors, their adoption of outsourcing is very different. Some of the banks are open to outsourcing, whereas IT companies are unlikely to adopt it, owing to their customers' fears of involving too many third-party players.

For other sectors, awareness of the threats is the main driver of adoption of security measures.

Limited skill sets to manage growing networks are also a driver for new deployments such as UTM. This factor is also fuelling the managed security services business. Another possible cause could be that churn among IT staff is high; in some otherwise stable enterprises this churn could be many times that among employees in the core functions of the business.



REACTIVE VERSUS PROACTIVE

The speed at which new exploits are discovered is making the traditional management of security expensive and unwieldy. The buzzword with equipment vendors and service providers now is proactive. Interestingly, there are various interpretations of this word. The important thing is that there is no escaping it.

From a vendor point of view, proactive technologies encompass automated systems that work by analyzing the behavior of the malware. With freely available hacker tools (some of them even come with a GUI) and a host of compression formats, the hacker no longer has to write the entire program. A virus compressed in a new format looks different and has a different signature. Thus old viruses can be reused, and they are being reused. With each reuse the signature of the virus is altered, and the network has to face the fury of the same old virus in a new avatar.

Instead of working with signature and pattern files, the new proactive technologies are built more around anomaly-based and behavior-based techniques.

One of these technologies is the intrusion prevention system. These systems are basically intelligent (though not necessarily equipped with artificial intelligence) and function as automatic network administrators, dealing with packets and forwarding or dropping them as per their policies.




THE WEAKEST LINK

Tools and technologies can protect to an extent, but users within enterprises need to be disciplined in using the IT resources that are in place to achieve the business objectives, including the available bandwidth. Technology can ensure that outside factors don't adversely affect the availability of network resources, but 'misuse' of these resources by users can have as bad an impact on the network as a DoS. Policies for the use of IT resources may even require a change in people's habits, and no tool or technology can take their place.

Sensitizing employees to use the network safely is one area where most enterprises are still trying to find their bearings. Mundane posters have been the best efforts till now.

In any organization, e-mail security is a basic requirement: 'Don't open unauthorized mails.' One of the services available today is the tracking of behavioral patterns within an organization to check the awareness of employees. It checks how many people are adhering to the company's security policies, eg, not opening a certain type of attachment. A tool sends a mock virus to the end terminals, and this helps track the state of awareness department-wise and user-wise. This can be followed by more targeted awareness and education of those sets of employees.

However, because of the probable effects of these measures on other aspects of the business, such as HR (employee motivation or disgruntlement), they are only taken after explicit permission from the companies' top bosses. Involving the top bosses could emerge as a best practice, because these measures must be undertaken after a careful evaluation of the nature of the business, if not a full cost and benefit analysis.



LESSONS FROM LAST YEAR

Last year, the Zotob virus made a lot of headlines, in part because it affected the servers and networks of many mass media organizations worldwide. The tools used against it were mainly anti-spamming tools. At the second level, IPS was used, triggered by certain words in the email: if the mail contained those words, it was dropped. That protected the network. These emails could not be stopped by the ordinary email filters, partly because they were not coming from one email address and partly because the spam was coming from addresses that the enterprises used legitimately. The attack was high profile, and drove the business of anti-spamming tools to a great extent.

The anti-spamming tools reside on the server and the gateway, as the idea behind them is to prevent the threat from reaching the desktops. These applications monitor all the emails and, according to their policies, any spurious email can be dropped or quarantined. They can also send a message to the user on how the email can be accessed or how it was processed.

The measures taken to overcome that attack were successful, and after it no attack was as successful. Enterprise network managers were able to respond to attacks in very short time periods and secure their networks. Enterprises also learnt a lot about the attacks and the tools available to protect their networks. But it must be understood that any tool or technology is only as successful as its implementation. Just having an anti-spamming tool or IPS is not enough. These devices can (it is always possible) fail to protect when dealing with new or unknown attacks. The important thing is not just to stop the attack, but also how quickly the spread of that attack can be checked. The tools are only as effective as the policies configured on them. So, if there are certain file extensions that a business does not normally use, those could be built into the list of disallowed extensions, to stop threats on a proactive basis.
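A gateway attachment policy of the kind described above, as an added example that is not part of the original article or any product: extensions the business does not normally use are disallowed, every suffix of the file name is checked (so a double extension such as "invoice.pdf.exe" is caught), matching is case-insensitive, and the function returns the gateway action together with the notice sent to the recipient. The deny and quarantine lists and the sample file names are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Assumed policy lists: extensions the business never exchanges are dropped,
# archives are held for review.
DENY_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "vbs"}
QUARANTINE_EXTENSIONS = {"zip", "rar"}

SEVERITY = {"deliver": 0, "quarantine": 1, "drop": 2}
WORDING = {"drop": "dropped by policy", "quarantine": "quarantined for review"}


def extensions_of(filename: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased: 'Q3.PDF.exe' -> ['pdf', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return [p for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """'drop' if any suffix is denied, 'quarantine' if any is held, else 'deliver'."""
    exts = set(extensions_of(filename))
    if exts & DENY_EXTENSIONS:
        return "drop"
    if exts & QUARANTINE_EXTENSIONS:
        return "quarantine"
    return "deliver"


def process_message(attachments: Iterable[str]) -> Tuple[str, Dict[str, str], str]:
    """Apply the policy to every attachment of one message.

    Returns (action, per-attachment verdicts, notice to the recipient); the most
    severe verdict decides the message-level action.
    """
    verdicts = {name: classify_attachment(name) for name in attachments}
    action = max(verdicts.values(), key=SEVERITY.__getitem__, default="deliver")
    if action == "deliver":
        notice = "Message delivered unchanged."
    else:
        offenders = ", ".join(n for n, v in verdicts.items() if v == action)
        notice = (f"Message {WORDING[action]} because of attachment(s): {offenders}. "
                  "Contact the helpdesk to request release.")
    return action, verdicts, notice


if __name__ == "__main__":
    # Constructed sample message with one clean, one archived, one disguised file.
    print(process_message(["report.doc", "photos.ZIP", "invoice.pdf.exe"]))
```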



  • Outsourcing of security management: This is emerging as a growing business, but it is still not a hot favorite. Two interesting observations have been made about this emerging trend. The major SLA terms concern response times and resolution times. The measurables in the deals and SLAs were very different for different customers, sometimes even in the same industry or geography. The service providers did a due diligence to find a base level from which they could assure that fewer than that number of attacks would take place the next year. This base number would vary from enterprise to enterprise. The service providers were measured on how they responded to queries and how fast they resolved problems. The security support for these activities was usually classified on the basis of geography (class A, B, or C city) and also the kind of transactions that each remote branch did. Another interesting trend was that enterprises did not go for this 'less than x number of attacks' clause in their SLAs. They simply required their service provider to perform specified actions in a specified period of time. As long as those actions (such as daily patch updates) were performed, the security service provider was not penalized even if an attack or a breach was successful. Pricing is always a factor.



NEW CHALLENGES

The next big wave of network deployments is likely to come from VoIP networks. Currently these networks are relatively safe, as their numbers are small, but as they grow in popularity the hackers, like everybody else, are likely to be attracted to them.

Thus the current practice of dealing with VoIP like just another application will need to be refined and upgraded. With or without security, it is important to note that if the latency introduced by equipment is more than 120 milliseconds, the voice application will perhaps not be used for business applications. If latency goes up to 300 milliseconds, the ITU will refuse to recognize the data transfer as VoIP.




While today's firewalls are doing a good job of protecting networks, firewalls for VoIP will need application level gateways for protocols like SIP or H.323. These special requirements arise because these protocols use more than one port in a session, and because VoIP packets are extremely small. A VoIP packet is one of the smallest packets in IP and presents some very unique challenges to network security equipment.

When vendors talk about the capability of their devices, they give the capability of the firewall in terms of throughput. But this throughput is calculated on the basis of packets that are much larger than a VoIP packet, which may never exceed 50 KB. Today, only the header of each packet is scanned by the firewall or even the IPS; the payload just passes through. So, if the packet size is small, a much larger amount of scanning needs to be done for the same volume of data. However, throughput is also important, as the firewall still has to pass large volumes of data to deliver the voice application. The enterprise customer must understand the relationship between packets per second and throughput, and ensure that when they go for equipment such as a firewall or IPS, they look at devices that give consistent performance across packets of any size.
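The relationship between packets per second and throughput described above, as an added example that is not part of the original article: a device rated by throughput on large test packets has an implied packet-per-second ceiling, and at small packet sizes that ceiling, not the bit rate, bounds what it can inspect. Every rating, packet size and call parameter here is an assumed, constructed value; the 200-byte, 50 pps per direction defaults are typical of G.711 voice at 20 ms packetization and are used only as defaults.

```python
from typing import Dict


def pps_for(throughput_bps: float, packet_bytes: int) -> float:
    """Packets per second that throughput_bps represents at packet_bytes each."""
    return throughput_bps / (packet_bytes * 8)


def implied_pps_ceiling(rated_bps: float, rated_packet_bytes: int) -> float:
    """A device rated with large test packets has, at best, this pps capacity."""
    return pps_for(rated_bps, rated_packet_bytes)


def effective_throughput(rated_bps: float, rated_packet_bytes: int,
                         packet_bytes: int) -> float:
    """Throughput (bps) sustainable at packet_bytes: the smaller of the rated
    bit rate and what the implied pps ceiling can carry at that packet size."""
    pps_bound = implied_pps_ceiling(rated_bps, rated_packet_bytes) * packet_bytes * 8
    return min(rated_bps, pps_bound)


def max_concurrent_calls(rated_bps: float, rated_packet_bytes: int,
                         voice_packet_bytes: int = 200,
                         pps_per_direction: int = 50,
                         headroom: float = 1.0) -> int:
    """Bidirectional calls the device can inspect using `headroom` of its
    capacity (headroom=0.5 keeps half for other traffic). Both the pps
    ceiling and the bit-rate ceiling are applied; the tighter one wins."""
    pps_calls = (implied_pps_ceiling(rated_bps, rated_packet_bytes) * headroom
                 // (2 * pps_per_direction))
    bps_calls = (rated_bps * headroom
                 // (2 * voice_packet_bytes * 8 * pps_per_direction))
    return int(min(pps_calls, bps_calls))


def sizing_report(rated_bps: float, rated_packet_bytes: int,
                  sizes=(64, 200, 512, 1500)) -> Dict[int, float]:
    """Effective throughput in Mbps per packet size, for comparing datasheets."""
    return {s: effective_throughput(rated_bps, rated_packet_bytes, s) / 1e6
            for s in sizes}


if __name__ == "__main__":
    # Constructed datasheet: 1 Gbps rated using 1000-byte packets.
    print(sizing_report(1e9, 1000))          # 200-byte packets: only 200 Mbps
    print(max_concurrent_calls(1e9, 1000))   # 1250 calls, pps-bound
```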



Not just the firewalls: it will have to be ensured that even the next level of equipment, such as IPS, is aware of at least the documented vulnerabilities of VoIP and blocks those behaviors on the network.

Just as with a PC or a server, there is also going to be a need for endpoint security devices or software, because the IP phone is essentially a PC and by that logic open to all the vulnerabilities that are so common today.

Also, experts point out that the entire VoIP session should be encrypted end-to-end. It must be ensured that not only are the conversations in the VoIP network encrypted, but the signaling protocols are encrypted too.

And above all, VoIP communications carry with them the potential for misuse and fraud, to an extent that is probably unimaginable in a traditional network. Either through a bot or through a misled employee, outsiders could connect to overseas destinations or even destinations that carry paid content. The enterprise will have to foot the bill for this spurious traffic, knowingly or unknowingly. Once VoIP networks are allowed to connect to the PSTN (discounting the issues of ADC), besides toll fraud, enterprises themselves will run the risk of being victims of fraud.


