  GOLDBOOK 2006
ENTERPRISE NETWORK SECURITY: Is The Ghost For Real?
The hacking industry has remained hugely profitable. Without any visible threats, should the enterprises be concerned?
Alok Singh
Monday, March 06, 2006

A recent FBI survey found that dealing with viruses, spyware, and other computer-related crime cost US businesses $67.2 bn last year. By comparison, the survey report says, telecommunication fraud losses were about $1 bn. Last year the profits of the cyber-hacking industry were more than those of the illegal drugs trade.

While viruses, worms, and botnets remain the popular tools of a hacker's trade, they are now being put to far more devastating use.

THE THREATS
That viruses, worms, spyware, spam, etc, are threats is now accepted by all. What is new about them is the purpose they are being put to. The hacker today is interested in all the information that the enterprise network and its end terminals hold. Therefore, besides virus attacks, unauthorized use of network resources is now among the biggest threats to enterprises.

  • Probing Attacks: With all the old tools (viruses, worms, Trojans, etc) the hackers are now trying to find entry points into the network.

Firewalls are today among the most widely deployed pieces of network security equipment, and to good effect too. One of the effects has been that hackers are now looking to attack the network from within. This does not mean that interest in attacks from outside is going down: scanning for unprotected ports remains a popular activity for hackers.

EXPERTS PANEL

A Prasad Babu, SE manager (India & SAARC), Juniper Networks
Bernie Trudel, head of security business, APAC, Cisco Systems
Prosenjeet Banerjee, head of security services, HCL Comnet

The probing can be tried in many ways. Today the hacker need not bother to break into a network with cleverly written malware. All they have to do is find an end terminal that is less secure than the network it sits in, and use it as a bot to launch the attack on the network from within. This weakness could come from outdated patches or antivirus definitions. The attack does not even have to be a DoS; the hacker may simply be interested in theft of identities or business information. Such attacks need not cause system-wide disruption, and many of them go unnoticed. However, the damage they cause to the business, if not the network, can be more devastating than a total system shutdown. They attack the business as a whole, of which the network is only a small part.

Another way of gaining entry into a network is through mobile end terminals such as laptops. If a laptop can be infected while outside the secure corporate network, there is a possibility that it will act as a bot once it is back inside.

It is true that this type of hacking is targeted at the big enterprises, but SMBs are not safe either. It is a lot harder to get into large enterprises, so the hacker can stay in business by stealing from small ones: they too have customer databases that can be hacked, identities that can be stolen, and an IT infrastructure that can in effect become the hacker's bot.

Organizations need to take proactive steps both to curb these attacks and to minimize the damage from them. Hackers can keep modifying their malicious code, use a botnet to launch the attacks, and keep discovering new vulnerabilities, sometimes even before the security companies do.

Hackers today have moved beyond ICMP probes (ping sweeps) and are looking at any open service port, such as SMTP, FTP, etc.

  • Speed Matters: The Nimda worm exploited vulnerabilities that were more than 300 days old; in practice the attack should never have succeeded. Enterprises were simply too slow in patching. Today, an exploit is ready almost the moment a vulnerability is published. It is a literal race between the hackers and the security administrators as soon as a vulnerability becomes known. Even if enterprises and their security service managers consistently act with speed, they only have to miss once and the hacker is upon them. Sometimes, as happened with the Windows Metafile (WMF) exploit, hackers even research a vulnerability on their own and sell it to the underworld. This actually happened, and the vulnerability in question was reportedly sold to at least one spammer for $4,000.

  • Spoil Sports: Malware has the potential to devastate the best-laid business plans of the emerging broadband service providers. IP lets service providers oversubscribe their capacity, knowing full well that not everybody will use their bandwidth to the full all the time. But with constant probing attacks and spam floating around the network, any spare capacity is simply wasted. The service provider loses because bandwidth that could have generated revenue is instead serving the commands of a hacker. The customers lose because it is their computers, turned into bots, that are sending the malicious traffic. And they may even have to pay for this spurious traffic, because the service provider's billing software does not differentiate between genuine and spurious traffic.

Everybody in the business of IT knows that technology does not matter, applications do. The hacker understands this too, and is today putting the same old technologies to new uses.

So, while DoS still remains a threat to an enterprise network, along with the cost of network recovery the enterprise now also has to contend with the cost of business recovery. A DoS may shut down a corporate network for two days, but even after recovering from the network attack the enterprise might find that its customer database or profiles have either been tampered with or quite simply copied clandestinely and sold to competitors or, worse still, made public.

DEPLOYMENTS
Firewalls remain the most popular. As always, most enterprises use them for perimeter security. An enterprise may want to give its customer database a little more protection than just a few firewalls; for this it would install protection not only against threats from outside the network, but also against unauthorized users within it. However, there is now an increasing emphasis on endpoint security, so antivirus/antispyware tools are receiving renewed interest.

IDS systems have also been deployed to protect critical parts of the network's resources.

Network elements that have DoS prevention capabilities and those that can filter traffic are also gaining attention, for example the feature of unicast reverse path forwarding (uRPF). With this, when the router receives a packet on an interface, it looks up the packet's source address in its routing table and checks that the route back to that source points out of the interface the packet arrived on; if the router would never reach that source through that interface, the source address is treated as spoofed and the packet is dropped. This functionality is today an integral part of most RFPs. The router can also apply rate limits, so that one person cannot flood it with pings and deny it to the other users.

These features protect the service provider's own infrastructure as well as its subscribers, because users cannot spoof addresses even unknowingly: a Trojan sitting on a laptop, or a bot, may spoof the source IP address and send out an attack without the subscriber's knowledge. These capabilities stop the spoofed traffic at its source, so the threat does not spread through the network.
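The two router features just described, a uRPF source check in strict and loose mode followed by a per-source rate limit, as an added illustration written for this article (not vendor code, and not from any real router). The routing table, interface names and sample packets are constructed assumptions:

```python
"""Unicast reverse path forwarding (uRPF) and per-source rate limiting, as a
provider edge router applies them.  Added illustration for this article; the
routing table and packets below are constructed, not taken from a real network.

Strict uRPF: the packet's source address must be routed back out of the very
interface the packet arrived on.  Loose uRPF: the source merely needs a real
(non-discard) route in the table.  Both use longest-prefix match.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # "null0" marks a discard (black-hole) route


# Constructed routing table (assumption: one uplink, two customer ports).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "uplink0"),       # default route
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust1"),    # customer 1
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust2"),     # customer 2
    Route(ipaddress.ip_network("10.0.0.0/8"), "null0"),         # bogon, discarded
]


def lookup(table, addr):
    """Longest-prefix match for `addr`; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_permits(table, src, in_iface, mode="strict", allow_default=False):
    """True if a packet from `src` arriving on `in_iface` passes the uRPF check.

    allow_default: whether a hit on the default route counts as a valid reverse
    path.  On customer-facing ports it normally does not; otherwise every
    address on the Internet would 'verify' and the check would mean nothing.
    """
    r = lookup(table, src)
    if r is None or r.interface == "null0":
        return False                        # no route, or route to discard
    if r.prefix.prefixlen == 0 and not allow_default:
        return False                        # only the default route matched
    if mode == "strict":
        return r.interface == in_iface      # must arrive where replies would go
    return True                             # loose: any real route is enough


class TokenBucket:
    """Per-source rate limit, e.g. for ICMP echo: `rate` packets/s, burst of `cap`."""

    def __init__(self, rate, cap):
        self.rate, self.cap = rate, cap
        self.tokens, self.last = float(cap), 0.0

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Constructed packets: (source address, ingress interface).
SAMPLES = [
    ("198.51.100.7", "cust1"),   # customer 1 using its own address
    ("203.0.113.9", "cust1"),    # host on customer 1 spoofing customer 2's address
    ("10.1.2.3", "cust1"),       # bogon source
    ("192.0.2.44", "cust1"),     # arbitrary Internet address from a customer port
]

if __name__ == "__main__":
    for src, iface in SAMPLES:
        print(src, iface,
              "strict:", urpf_permits(ROUTES, src, iface),
              "loose:", urpf_permits(ROUTES, src, iface, mode="loose", allow_default=True))
    bucket = TokenBucket(rate=10, cap=5)
    print("pings allowed out of a 20-packet burst:", sum(bucket.allow(0.0) for _ in range(20)))
```

Strict mode belongs on customer-facing and access interfaces, where there is exactly one valid path back to the subscriber; loose mode is the usual choice on peering and uplink ports, where asymmetric routing would otherwise make strict mode drop legitimate traffic.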

For large organizations and data centers, the concept of layered or redundant security still holds good. However, as businesses grow there is also a need to network the branch offices and, obviously, to give them some sort of protection. SMBs are also major users of security services. These segments may not want data-center-level security, and may not even have the expertise to manage an ensemble of point solutions. For them, therefore, unified threat management (UTM) single-box solutions are the current favourites. These solutions focus on securing the LAN and ensuring that every resource on the network is safe enough to use.

However, the traditional security apparatus remains a reactive system: it needs pattern files and signatures of the malware to do its job. The vendor community's new interest is in proactive tools such as IPS. These tools have been available for some time now, but are yet to catch the fancy of customers.

The focus till now has been on ensuring a working network. The need to ensure the security of the information on that network has not yet received the same attention.

One reason could be that many high-profile attacks have not happened. A lot of attacking and theft of information may well be happening, but its impact has not been very drastic, so the pain has not been felt at that level. Spam and virus activity have been more painful in terms of bringing down servers and desktops, so most of the investment has gone there. People are more focused on the hosts, the servers and the desktops; security of information is still not at the forefront. The next step in security is likely to be stopping threats before they hit the host. That is where IPS comes in.

These are proactive, in-line security measures. With an IDS, when an alarm is received it has to be investigated; the IDS will not stop the attack. The proactive IPS, by contrast, can drop spurious packets (according to its policies) as they hit the network, and then also raise an alarm.

While vendors give out many success stories of such proactive solutions running without any patch management, most experts recommend that for now it is better to go with tools that combine reactive and proactive approaches.

Another driver for deployments is going to be articles such as this one and the security vendors themselves. Both will likely create awareness (if not a fear psychosis) among the user community about the threats and their effects. But enterprise users must use their judgment to evaluate whether the cost of preventing a threat is going to be greater than the cost of suffering it. If it is, let the hacker have his ego trip; his nuisance value to the business is no more than the coffee machine running out of milk powder.

  • Drivers: Two kinds of regulatory drivers have driven the deployment of security measures. For the BFSI sector, the regulation has largely come from government. For the IT/ITeS sector, the regulatory pressure has come from customers. While networks are of very high worth to both sectors, their adoption of outsourcing is very different: some banks are open to outsourcing, but IT companies are unlikely to adopt it, because their customers fear involving too many third-party players.

For other sectors, awareness of the threats is the main driver of adoption of security measures.

Limited skill sets to manage growing networks are also a driver for new deployments such as UTM, and this factor is fueling the managed security services business too. Another possible cause is high churn among IT staff; in some otherwise stable enterprises this churn can be many times higher than among employees in the core functions of the business.

REACTIVE VERSUS PROACTIVE
The speed at which new exploits are being discovered is making traditional security management expensive and unwieldy. The buzzword with equipment vendors and service providers is now proactive. Interestingly, there are various interpretations of this word. The important thing is that there is no escaping it.

From a vendor point of view, proactive technologies encompass automated systems that work by analyzing the behaviour of the malware. With freely available hacker tools (some of them even come with a GUI) and a host of packers and compression formats, the hacker no longer has to write the entire program. A virus compressed with a new packer looks different on disk and has a different signature. Thus old viruses can be reused, and they are being reused. With each reuse the signature of the virus is altered, and the network has to face the fury of the same old virus in a new avatar.

Instead of working with signatures and pattern files, the new proactive technologies are built around anomaly and behaviour-based detection.

One of these technologies is the intrusion prevention system. These systems are basically intelligent (though not necessarily equipped with artificial intelligence), functioning as automatic network administrators that deal with packets, forwarding or dropping them according to their policies.
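An added illustration of the point made above about repacked malware: the same payload wrapped in three different compressors produces three different files, so a signature taken from the first copy misses the other two, while a check on what the unpacked code does catches all three. This is example code written for this article, not any vendor's product; the "payload" is a harmless constructed byte string, and zlib, bz2 and lzma stand in for the packers hackers actually use:

```python
"""Why file signatures fail against repacked malware, and why behavioural
indicators survive.  Added illustration for this article: the payload is a
harmless constructed stand-in, and the standard-library compressors play the
role of the many packers a hacker can choose from.
"""
import bz2
import hashlib
import lzma
import zlib

# Constructed stand-in for a bot's body (assumption: NOT real malware).  The
# strings describe what it would do: join an IRC C&C channel, persist via Run.
PAYLOAD = (b"MZ" + b"\x90" * 64 +
           b"CONNECT 203.0.113.5:6667 NICK bot JOIN #cc\n"
           b"OPEN HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n")

PACKERS = {
    "zlib": (zlib.compress, zlib.decompress),
    "bz2": (bz2.compress, bz2.decompress),
    "lzma": (lzma.compress, lzma.decompress),
}


def pack(payload, packer):
    """Build a 'packed' file: a tiny stub header naming the packer + compressed body."""
    return b"STUB:" + packer.encode() + b":" + PACKERS[packer][0](payload)


def unpack(blob):
    """What the stub does at run time: decompress the body back into memory."""
    _, packer, body = blob.split(b":", 2)
    return PACKERS[packer.decode()][1](body)


def file_hash(blob):
    """A whole-file hash, the simplest kind of signature an AV pattern file holds."""
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob, known_hashes):
    """Reactive detection: the file is bad only if its hash is already known."""
    return file_hash(blob) in known_hashes


# Behavioural detection: emulate the unpacking step and look at what the code
# would do, rather than what the bytes on disk look like.
SUSPICIOUS_BEHAVIOURS = [b"JOIN #", b"CurrentVersion\\Run"]


def behaviour_match(blob, threshold=2):
    try:
        body = unpack(blob)
    except Exception:          # not packed in a way we recognise: inspect as-is
        body = blob
    return sum(1 for b in SUSPICIOUS_BEHAVIOURS if b in body) >= threshold


def demo():
    """Signature learned from the zlib-packed sample; then test each repack.

    Returns {packer: (signature_hit, behaviour_hit)}."""
    first_seen = pack(PAYLOAD, "zlib")
    known = {file_hash(first_seen)}
    return {name: (signature_match(pack(PAYLOAD, name), known),
                   behaviour_match(pack(PAYLOAD, name)))
            for name in PACKERS}


if __name__ == "__main__":
    for packer, (sig, beh) in demo().items():
        print(f"{packer:5s} signature={sig!s:5s} behaviour={beh}")
```

A real antivirus engine can of course unpack the packers it knows; the point the article makes is that every new packer or compression format forces the signature vendor to catch up, whereas the behaviour the code exhibits once it runs (the C&C connection, the persistence key) is what the attacker cannot change without changing the attack.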

THE WEAKEST LINK
Tools and technologies can protect to an extent, but users within enterprises need to be disciplined in using the IT resources put in place to achieve business objectives, including the available bandwidth. Technology can ensure that outside factors do not adversely affect the availability of network resources, but 'misuse' of these resources by users can have as bad an impact on the network as a DoS. Policies for the use of IT resources may even require a change in people's habits, and no tool or technology can take their place.

Sensitizing employees to use the network safely is one area where most enterprises are still trying to find their bearings. Mundane posters have been the best effort so far.

In any organization, e-mail security is a basic requirement: 'Don't open unauthorized mails.' One of the services available today is tracking of behavioural patterns within an organization to check the awareness of employees. It measures how many people adhere to the company's security policies, eg, not opening a certain type of attachment. A tool sends a mock virus to the end terminals, and the results track the state of awareness department by department and user by user. This can be followed by more targeted awareness/education for those sets of employees.

However, because of the probable effects of these measures on other aspects of the business, such as HR (employee motivation or disgruntlement), they are only taken after explicit permission from the company's top bosses. Involving the top bosses could emerge as a best practice, because these measures must be undertaken only after a careful evaluation of the nature of the business, if not a full cost-benefit analysis.

LESSONS FROM LAST YEAR
Last year, the Zotob worm made a lot of headlines, in part because it affected the servers and networks of many mass media organizations worldwide. The tools used against it were mainly anti-spam tools. At the second level, IPS was used, triggered by certain words in the e-mail: if a mail contained those words, it was dropped. That protected the network. These e-mails could not be stopped by the ordinary e-mail filters, partly because they were not coming from one address and partly because the spam was coming from addresses that the enterprises used legitimately. The attack was high profile, and it drove the business of anti-spam tools to a great extent.

Anti-spam tools reside on the server and the gateway, as the idea behind them is to prevent the threat from reaching the desktops. These applications monitor all e-mail and, according to their policies, any spurious e-mail can be dropped or quarantined. They can also send the user a message on how the e-mail can be accessed or on how it was processed.

The measures taken to overcome that attack were successful, and after that no attack was as successful. Enterprise network managers were able to respond to attacks in very short time and secure their networks. Enterprises also learnt a lot about the attacks and the tools available to protect their networks. But it must be understood that any tool or technology is only as successful as its implementation. Just having an anti-spam tool or an IPS is not enough. These devices can (it is always possible) fail to protect against new or unknown attacks. The important thing is not just to stop the attack, but how quickly the spread of that attack can be checked. The tools are only as effective as the policies on them. So, if there are certain attachment extensions that a business does not normally use, they can be added to the list of disallowed extensions, and threats using them are stopped proactively.
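The kind of gateway policy the paragraph above describes, as an added example written for this article (it is not any product's filter and not from the original page): an allow-list of the attachment extensions the business actually uses, an always-block list of executable types, a double-extension check so that "invoice.pdf.exe" is judged by its real extension, and a subject-line trigger of the kind the IPS rules used. The allow-list, block-list, trigger patterns and the sample messages are constructed assumptions:

```python
"""Mail gateway attachment and subject policy.  Added example for this article;
the extension lists, trigger phrases and sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import EmailMessage

# Assumption: what this business normally exchanges by mail.  Archives (zip,
# rar) are deliberately left off; a gateway should open them and judge the
# members, which is beyond this illustration.
ALLOWED_EXT = {"pdf", "doc", "xls", "ppt", "txt", "csv", "jpg", "png"}
# Types a business should never accept by mail, whatever else the name says.
ALWAYS_BLOCK = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "wsf", "hta", "cpl"}
# Constructed subject-line triggers, standing in for the word-match rules the
# article describes.
SUBJECT_TRIGGERS = [re.compile(p, re.I) for p in
                    (r"\byour account\b.*\bsuspended\b", r"\bsecurity update\b")]


def extensions(filename):
    """Every extension in a name, last one is the real one: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def attachment_verdict(filename):
    """('allow'|'block', reason) for one attachment name."""
    exts = extensions(filename)
    if not exts:
        return "block", f"{filename}: no extension"
    if set(exts) & ALWAYS_BLOCK:                    # catches double extensions too
        return "block", f"{filename}: executable extension"
    if exts[-1] not in ALLOWED_EXT:
        return "block", f"{filename}: .{exts[-1]} not on allow-list"
    return "allow", ""


def policy(raw_message):
    """('deliver'|'quarantine'|'drop', reason) for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_TRIGGERS):
        return "drop", "subject matched block pattern"
    for part in msg.walk():
        name = part.get_filename()
        if name:
            verdict, why = attachment_verdict(name)
            if verdict == "block":
                return "quarantine", why     # hold it, tell the user how it was processed
    return "deliver", ""


def build(subject, attachments):
    """Constructed test message with the given attachment names (dummy bodies)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attached")
    for name in attachments:
        m.add_attachment(b"\x00data", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


SAMPLES = {                                   # constructed, not real traffic
    "report": build("Q1 report", ["q1.pdf"]),
    "double": build("Invoice", ["invoice.pdf.exe"]),
    "phish": build("Your account has been suspended", []),
    "odd": build("Photos", ["holiday.jpg", "tool.ps1"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:7s} -> {policy(raw)}")
```

The allow-list is the proactive half: a type the business never uses is blocked before anyone has written a signature for the malware that abuses it. The always-block list and the subject trigger are the reactive half, and like any pattern they need maintaining as attackers change what they send.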

  • Outsourcing of security management: This is emerging as a growing business, but it is still not a hot favourite. Two interesting observations have been made about this trend. The main SLA terms are response times and resolution times. The measurables in the deals and SLAs were very different for different customers, sometimes even in the same industry or geography. The service providers did a due diligence to find a baseline from which they could assure that fewer than that number of attacks would take place the next year; this baseline varied from enterprise to enterprise. The service providers were measured on how they responded to queries and how fast they resolved problems. The security support for these activities was usually classified by geography (class A, B or C city) and by the kind of transactions each remote branch did. The other interesting trend was that enterprises did not go for 'fewer than x attacks' in their SLAs. They simply required their service provider to perform specified actions in a specified period. As long as those actions (such as daily patch updates) were performed, the security service provider was not penalized even if an attack or a breach succeeded. Pricing is always a factor.

NEW CHALLENGES
The next big wave of network deployments is likely to come from VoIP networks. Currently these networks are relatively safe, as their numbers are small, but as they grow in popularity hackers, like everybody else, are likely to be attracted to them.

Thus the current practice of dealing with VoIP as just another application will need to be refined and upgraded. With or without security, it is important to note that if the latency introduced by equipment pushes one-way delay beyond about 120 milliseconds, the voice application will perhaps not be usable for business; at 300 milliseconds it is well past the 150 millisecond one-way delay that ITU-T G.114 recommends as the limit for good quality.

While today's firewalls do a good job of protecting networks, firewalls for VoIP will need application-level gateways for protocols like SIP or H.323. These special requirements arise because these protocols use more than one port in a session (the signaling on a well-known port, the media on RTP ports negotiated during call set-up, which a firewall must learn from the signaling to open) and because VoIP packets are extremely small. A VoIP packet is one of the smallest packets in IP and presents some very unique challenges to network security equipment.

When vendors talk about the capability of their devices, they give the capability of the firewall in terms of throughput. But this throughput is calculated with packets much larger than a VoIP packet, which is typically only around 200 bytes (for example, 20 milliseconds of G.711 audio plus its RTP, UDP and IP headers). Today it is largely the header of each packet that the firewall, or even the IPS, scans; the payload passes through. So if the packet size is small, far more packets, and therefore far more inspections, are needed to move the same amount of data. Throughput still matters too, as the firewall has to pass large volumes of data to deliver the voice application. The enterprise customer must understand the relationship between packets per second and throughput, and when buying equipment such as a firewall or IPS, look for devices that give consistent performance across packets of any size.
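The relationship between throughput and packets per second, worked through with standard codec figures as an added example for this article (not from the original page or any vendor's data sheet). The assumptions are G.711 at 64 kbit/s with 20 ms of audio per packet, 40 bytes of RTP, UDP and IPv4 headers, and a hypothetical firewall rated at 1 Gbit/s measured with 1500-byte packets:

```python
"""Packets per second versus throughput for VoIP.  Added worked example; the
codec figures are the standard G.711 ones, the firewall rating is hypothetical.
"""


def voip_packet_bytes(codec_kbps=64, ptime_ms=20, header_bytes=40):
    """IP packet size for one voice frame: audio bytes per packet + RTP/UDP/IP headers."""
    audio_bytes = codec_kbps * 1000 // 8 * ptime_ms // 1000
    return audio_bytes + header_bytes


def pps_for_throughput(bits_per_second, packet_bytes):
    """Packets per second needed to carry `bits_per_second` at a given packet size."""
    return bits_per_second / (packet_bytes * 8)


def throughput_at_pps(pps, packet_bytes):
    """The converse: bits per second a fixed packet rate delivers at a given size."""
    return pps * packet_bytes * 8


def pps_per_call(ptime_ms=20):
    """One packet every ptime in each direction of a call."""
    return 2 * (1000 / ptime_ms)


def analyse(rated_bps=1_000_000_000, test_packet_bytes=1500,
            codec_kbps=64, ptime_ms=20):
    """What a 'rated_bps' firewall, tested with large packets, means for voice.

    Assumes pessimistically that the packet rate reached in the large-packet
    test is the device's ceiling, which is what the article warns about."""
    voip_bytes = voip_packet_bytes(codec_kbps, ptime_ms)
    pps_ceiling = pps_for_throughput(rated_bps, test_packet_bytes)
    return {
        "voip_packet_bytes": voip_bytes,
        "pps_ceiling": pps_ceiling,
        "voip_throughput_bps": throughput_at_pps(pps_ceiling, voip_bytes),
        "max_concurrent_calls": int(pps_ceiling // pps_per_call(ptime_ms)),
    }


if __name__ == "__main__":
    r = analyse()
    print(f"VoIP packet: {r['voip_packet_bytes']} bytes")
    print(f"pps shown at rating: {r['pps_ceiling']:,.0f}")
    print(f"throughput at that pps with VoIP packets: {r['voip_throughput_bps']/1e6:,.0f} Mbit/s")
    print(f"G.711 calls that pps supports: {r['max_concurrent_calls']}")
```

With these inputs the 1 Gbit/s rating corresponds to about 83,000 packets per second, which with 200-byte voice packets is only about 133 Mbit/s, or roughly 830 simultaneous G.711 calls. That is the number to ask the vendor for, rather than the headline throughput.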

Not just the firewalls: it will have to be ensured that even the next level of equipment, such as the IPS, is aware of at least the documented VoIP vulnerabilities and blocks those behaviours on the network.

Just as for a PC or a server, there is also going to be a need for endpoint security devices or software, because the IP phone is essentially a computer and by that logic open to all the vulnerabilities that are so common today.

Experts also point out that the entire VoIP session should be encrypted end-to-end. It must be ensured that not only the conversations on the VoIP network are encrypted, but the signaling protocols as well (for example, SRTP for the media streams and TLS for SIP signaling).

And above all, VoIP communications carry with them a potential for misuse and fraud that is probably unimaginable in a traditional network. Either through a bot or through a misled employee, outsiders could place calls to overseas destinations or even to premium-rate numbers. The enterprise will have to foot the bill for this spurious traffic, knowingly or unknowingly. Once VoIP networks are allowed to connect to the PSTN (setting aside the regulatory issues of ADC), enterprises will run the risk of toll fraud and of becoming victims of fraud themselves.
