Secure perimeter or final frontier?
1 April 2005
The voice of sweet reason, moderation and common business sense in regard to computer systems and security has for the last decade or so insisted that what was needed was prudence, not paranoia. It is a phrase or even a mantra that this writer has used regularly, to approving and sage-like agreement from the high priests of IT security. Now I am inclined to think that paranoia would be an essential job spec requirement for any Chief Security Officer (CSO) and that all directors and managers with any degree of responsibility for IT should live in fear—for their jobs and their business.
‘Since companies are very reluctant to talk about it, there are no hard statistics but we reckon that perhaps 70 per cent of larger Irish organisations have had significant or even catastrophic downtime in the last few years as a result of malware,’ says Conall Lavery, managing director of security specialists Entropy, who has been deeply involved with security issues since 1993. ‘The most common culprits have been the well-publicised global worm attacks. Networks have been brought down for hours, days—which certainly qualifies as catastrophic—or even longer.’ Organisations have built up defences incrementally and by and large have solved the orthodox perimeter defence of the corporate network, he says, but that has now almost become a false approach because it has been overtaken by changed working habits and tools.
‘We are seeing a rapid change, particularly in the last year or so, to a new focus on laptops, PDAs, teleworking and transient access sessions,’ says Lavery, ‘because the “perimeter” is now in every device outside the permanent physical network. The corporate IT system today is only as strong as its weakest link. That is more often than not a fleet of laptops, which should have individual firewalls, antivirus, anti-spyware and so on—properly configured and updated. Is that always the case? We all know the answer.’
What every organisation should have, Lavery believes, is an explicit and firmly administered Employee Internet Policy. Once again, security administration has moved on from simple solutions like barring Internet access or censoring that access with porn blocking, URL screening and so on. ‘We need to define and control what is “acceptable use” from e-mail content to personal Internet usage,’ he says. ‘For example, peer-to-peer file sharing for music files is a prime route for all forms of malware.’
But Lavery points out that an increasing and insidious problem is the consumption of corporate bandwidth by activities such as downloading of MP3 music, movies and trailers and so on as well as streaming Web radio and even TV. Entropy has one client in the state sector where about 10 staff legitimately need to keep an ear to the RTE news. Keeping that many audio streams open simultaneously eats bandwidth. ‘We could and did organise sharing a single stream, but actually the real solution was to buy a few cheap radios!’
One topic that was mentioned by all of our interviewees as a fast-growing security concern is spyware. Spyware or adware secretly gathers information about users and systems and relays that information to another party over the Internet. In many cases, users unknowingly install spyware when they download freeware or shareware, or merely view an HTML e-mail or Web page. There may well be some obscure reference to it in the end-user agreement that is typically accepted—unread—with a click.
Spyware began as a simple tool used by advertisers to track users’ Web-surfing preferences. But essentially the same type of software (smaller and smarter today) can be used to monitor keystrokes, scan files, install additional spyware, reconfigure Web browsers, snoop through e-mail and other applications and more. Some of today’s spyware can even capture screenshots or turn on webcams. Clearly, in any corporate environment, these capabilities pose a major threat to corporate security, especially since much of this activity goes on without anyone’s knowledge.
‘We are seeing a huge increase in spyware with a growing demand for enterprise systems to counter it,’ says Vigne Kozacek, technical director in Ireland of Unit 4 Agresso, the Dutch multinational that took over security specialist Priority Data here in 2003. ‘It is reported that at least one in three large US corporations suffered from a spyware attack in 2004. We are certainly seeing a similar level of attacks. The key thing that is not yet fully appreciated outside the security specialists is that so much of today’s spyware is actively malicious and is after more than marketing information. There are international hacker gangs that are getting more sophisticated in their methods all the time.’ Criminals in the cyberworld are targeting anything that may be of value, from inter-bank funds transfer to identity theft to mailing lists.
Kozacek points out that keystroke-logging components are a common feature of spyware. ‘This is a threat even in systems that encrypt corporate data because input is captured before it is encrypted. This can of course reveal personal passwords, which is often like being given the keys of the safe!’
Guarding the perimeter
The perennial question of how best to counter electronic security threats can be met with a traditional answer. ‘The job of the IT security people is to protect the corporate infrastructure and the traditional, military idea of the perimeter is still valid,’ says Tony Redmond, the Irishman who is Hewlett Packard Vice President and Security Strategy Head. ‘In fact there are well developed security tools and traditional strong, layered perimeter defences still deal with perhaps 90 per cent of the issues.’
The big change, the big challenge and increasingly the focus of development work, he continues, is dealing with transient connections. ‘Mobility, teleworking, multiple portable devices and multiple protocols have all introduced new complexity,’ says Redmond. ‘For example, our own iPaq 6315 is a handheld communicator that switches seamlessly between WiFi and GPRS, private and public networks. Wireless broadband routers are even being built into cars. The point, of course, is that the “perimeter” is always shifting—in reality it is a concept rather than a specific electronic connection.’
All of the big players, says Redmond, are now working on some version of the idea of quarantine networks: each log-on invokes intensive checking, authentication of the user, querying of the device for any malware and ensuring up to date security configuration and so on. Only when the security tests have been passed is direct connection established.
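The log-on sequence Redmond describes, as an added example that is not HP's, the Trusted Computing Group's or any vendor's code: a device presents its security posture, every check must pass before a direct connection is granted, and a device that fails is placed in a restricted remediation network with the list of what it must fix. The posture fields, the signature-age threshold and the three-way allow/quarantine/deny outcome are assumptions made for this illustration.

```python
"""Admission decision for a quarantine network (illustrative, not any
vendor's implementation). Posture fields and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DevicePosture:
    user_authenticated: bool        # result of the user authentication step
    firewall_enabled: bool          # personal firewall on the device
    antivirus_running: bool
    av_signature_date: date         # date of the installed AV signatures
    malware_scan_clean: bool        # result of the on-connect malware query
    missing_critical_patches: int


# Assumption: corporate policy allows AV signatures to be at most 3 days old.
MAX_SIGNATURE_AGE = timedelta(days=3)


def admission_decision(posture, today):
    """Return ("allow", []), ("quarantine", reasons) or ("deny", reasons).

    An unauthenticated user gets no network at all (not even remediation);
    an authenticated user on a non-compliant device is quarantined with the
    findings it has to remediate before the check is repeated.
    """
    if not posture.user_authenticated:
        return "deny", ["user authentication failed"]
    reasons = []
    if not posture.firewall_enabled:
        reasons.append("personal firewall disabled")
    if not posture.antivirus_running:
        reasons.append("antivirus not running")
    elif today - posture.av_signature_date > MAX_SIGNATURE_AGE:
        reasons.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE.days} days")
    if not posture.malware_scan_clean:
        reasons.append("malware detected on device")
    if posture.missing_critical_patches > 0:
        reasons.append(f"{posture.missing_critical_patches} critical patch(es) missing")
    if reasons:
        return "quarantine", reasons
    return "allow", []


# Constructed sample postures for a log-on on 1 April 2005.
TODAY = date(2005, 4, 1)
HEALTHY = DevicePosture(True, True, True, date(2005, 3, 31), True, 0)
STALE_LAPTOP = DevicePosture(True, True, True, date(2005, 3, 20), True, 2)
UNKNOWN_USER = DevicePosture(False, True, True, date(2005, 3, 31), True, 0)

if __name__ == "__main__":
    for label, posture in [("healthy", HEALTHY), ("stale laptop", STALE_LAPTOP),
                           ("unknown user", UNKNOWN_USER)]:
        verdict, reasons = admission_decision(posture, TODAY)
        print(f"{label}: {verdict} {reasons}")
```

The check runs on every log-on rather than once per device, which is what makes the approach fit the transient connections Redmond is concerned with: a laptop that was compliant on Monday is re-examined on Tuesday before it touches the corporate network.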
HP is a founder member of the Trusted Computing Group, a 90-corporation alliance which is working to develop and promote open specifications that will help to protect all platforms against software-based attacks. ‘That will be more and more essential as we demand that our devices pass seamlessly from one connection or service provider to another,’ says Redmond. ‘The whole range of security issues has become an industry imperative. Once there is co-operation on common, open security standards there will still be plenty of scope for added value in specific products and brands.’
There is a growing school of thought that IT security is just one part of a spectrum of risk management across all aspects of the organisation. Since 9/11, US security professionals have begun talking of their role as ranging ‘from firewalls to firearms’. Experts in physical security and in IT systems have to at least collaborate professionally, the theory goes, and all of them may be required to co-operate with law enforcement agencies.
Dermot Williams, director of TopSec Technology (formerly Systemhouse) says that the universal principle is that ‘People should have the least level of privilege necessary to carry out their role and responsibilities. That applies to where you can go inside a building, what financial authority you have and with regard to IT systems, what data you can access, enter or change.’ He concedes that getting the ‘granularity’ right can be difficult. ‘Trying to insist on 10-character random alphanumeric passwords is just guaranteeing that some people will write them down to be found,’ he claims. ‘At the end of the day the human factor is always going to be the most important. Systems can be technically perfect but rendered ineffective by people’s behaviour; other systems can be relatively unsophisticated but effective because they are adhered to faithfully.’
Defence in depth is now one of the mantras of security professionals. ‘Larger corporations, for example, will typically have a policy of using equipment from at least two different vendors,’ explains Karl McDermott, systems engineering manager with Cisco Systems in Ireland. ‘The idea is that if a vulnerability is uncovered in one manufacturer’s system the second line of defence catches the intruder or malware attack for the hours, days or whatever it takes to patch the hole.’
The other key principle of today’s systems is that there needs to be some form of quarantine or isolated virtual LAN so that access control can sequester suspicious code until a decision is made by the system or a human intervention. ‘Some organisations escaped the global Slammer and Blaster attacks because their systems detected anomalous behaviour even though the worms were unknown entities at first,’ says McDermott. ‘Yet UK surveys, for example, have shown that up to 90 per cent of large organisations suffered system downtime of an hour to weeks in recent years because of these and other attacks.’
That Slammer worm hit over 250,000 SQL servers in a ten-minute period worldwide, according to John Mooney, business development manager of business continuity and security specialists Renaissance. ‘The time intervals between discovering a vulnerability and an exploit attacking it, or between a viable attack method and developing a defence mechanism, are decreasing all the time. Just a couple of years ago we were talking months, typically, then weeks and now days. Our defences have become much smarter but the attacks have grown a lot more sophisticated. We are seeing almost a merging of viruses and worms, the spam explosion and most recently spyware in hundreds of different guises.’
The sheer range of technology and more recently compliance in terms of best practice or legislation is becoming a challenge for all managements, not just the security specialists. According to Mathieu Gorge of VigiTrust, a specialist consultancy and training organisation in the broad security area, there is increased demand from organisations of all sizes for security audits and for security awareness training. ‘Vulnerability testing is important and so is assessing the overall picture of corporate security. Management is also becoming increasingly conscious of corporate compliance issues.’
Paddy Roberts, the current President of the Irish chapter of the Information Systems Security Association, the leading international professional organisation in the field, also highlights the growing importance of compliance. ‘The requirements of Sarbanes-Oxley in the USA are concentrating minds wonderfully in understanding the threats to systems and data and ensuring that proper security programmes are put in place,’ he says. This is coming into focus now as 2004 annual reports are being prepared, with compliance statements now required and personal sanctions aimed at directors and others responsible for corporate governance.
On this side of the world, there are European and national requirements in the financial services sector but no great signs of a rush to embrace the new climate of proven, auditable governance. Directors’ liability across data protection and security, theft or release of confidential personal information, criminal behaviour using corporate resources (from child pornography to sexual harassment to libellous e-mail to unlicensed software) is another one of those appalling vistas for many senior managers, not all of the old school. It remains to be seen how this new governance environment is interpreted, implemented and policed. But the new ethos is that negligence is not a defence. So whether from threat or a desire to keep up with good practice, we should expect more leadership from the top across the whole spectrum of security and risk management.
Wireless networks cause security tangles
Wireless networks are popularly seen as one of the vulnerable areas of IT but that is in large measure a kind of urban mythology, according to Neil Wisdom, sales director of LAN Communications: ‘Wireless networks are no more inherently insecure than cabled ones. But they have been more vulnerable to attack in the last couple of years as they have become more widespread (and WiFi cards have become cheap and cheerful) simply because organisations install them without doing what they should. All good brands of WiFi gear have in-built protection such as firewalls, intrusion detection, etc. But an astonishing number of organisations never even reset default passwords, much less the next and simple levels of configuration like disallowing access by unlisted devices or switching on the encryption.’
Last February a LAN Comms team did a covert survey of detectable wireless networks at Dublin’s IFSC and the City West Business Park as well as the Cork Airport business park. Without going into the detail, which is clearly out of date, there were instances of wide open networks (manufacturers’ default settings) and more than half of the access points had no data encryption settings. The majority of the access points were broadcasting their network names, no great risk in itself but potentially useful to a determined hacker, but 15 per cent were broadcasting a default network name that could lead hackers to other configuration information, such as management passwords, if left at their default values.
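The weaknesses Wisdom lists and the survey found are all things an organisation can check against its own access points from an inventory export, before anyone else does. The following audit is an added example, not the article's or LAN Communications' code: the inventory format, field names, the sample inventory and the short list of vendor default network names are constructed for the illustration. The third access point in the sample shows the corrected configuration next to the weak ones.

```python
"""Configuration audit of an organisation's own wireless access points
(illustrative; inventory format, field names and default-SSID list are
assumptions). Flags factory default management passwords, missing or obsolete
encryption, unlisted devices being allowed to associate, and vendor default
network names."""
from dataclasses import dataclass


@dataclass
class AccessPoint:
    name: str
    ssid: str
    encryption: str             # "none", "wep", "wpa" or "wpa2"
    admin_password_changed: bool
    mac_filtering: bool         # only listed devices may associate
    ssid_broadcast: bool


# Constructed list of network names that identify a vendor's factory defaults.
DEFAULT_SSIDS = {"default", "wireless"}


def audit_access_point(ap, default_ssids=DEFAULT_SSIDS):
    """Return a list of (severity, finding) tuples for one access point."""
    findings = []
    if not ap.admin_password_changed:
        findings.append(("high", "management password still at factory default"))
    if ap.encryption == "none":
        findings.append(("high", "no data encryption enabled"))
    elif ap.encryption == "wep":
        findings.append(("medium", "WEP is obsolete; move to WPA2"))
    if ap.ssid.lower() in default_ssids:
        findings.append(("medium", "SSID is a vendor default; it identifies the make "
                                   "and points at that vendor's published defaults"))
    if not ap.mac_filtering:
        findings.append(("medium", "unlisted devices may associate"))
    if ap.ssid_broadcast:
        findings.append(("low", "SSID is broadcast (low risk on its own)"))
    return findings


def audit_inventory(aps, default_ssids=DEFAULT_SSIDS):
    """Audit every access point and summarise the estate the way the survey did."""
    report = {ap.name: audit_access_point(ap, default_ssids) for ap in aps}
    total = len(aps)
    stats = {
        "no_encryption_pct": round(100 * sum(ap.encryption == "none" for ap in aps) / total),
        "default_ssid_pct": round(100 * sum(ap.ssid.lower() in default_ssids for ap in aps) / total),
        # "Wide open": factory password, no encryption and anyone may associate.
        "wide_open": [ap.name for ap in aps
                      if ap.encryption == "none" and not ap.admin_password_changed
                      and not ap.mac_filtering],
    }
    return report, stats


# Constructed sample inventory: two weak, one corrected, one partially fixed.
SAMPLE_INVENTORY = [
    AccessPoint("ap-lobby", "default", "none", False, False, True),
    AccessPoint("ap-floor2", "acme-corp", "wep", True, False, True),
    AccessPoint("ap-floor3", "acme-corp", "wpa2", True, True, False),
    AccessPoint("ap-warehouse", "wireless", "none", True, True, True),
]

if __name__ == "__main__":
    report, stats = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
    print(stats)
```

Run against a real controller export, the percentages give the same kind of picture the covert survey produced, but from the inside and against equipment the organisation is responsible for fixing.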
‘We have no doubt the Irish situation has improved in the last year,’ Neil Wisdom says. ‘Business leaders are better informed, more organisations are investigating wireless solutions and learning in advance about what is necessary to protect them. In essence, of course, that does not greatly differ from the basic principles with all networks: you have to set up a clear, consistent policy for who has access to what. Then you give them the keys—usually passwords but these days there are many other options—and in the meantime secure your systems from unauthorised access with monitors, alarms and so on.’
For most organisations it is really like burglar alarm systems—they are deterrent enough to send the bad guys elsewhere. When an organisation is specifically targeted by smart hackers, he says, anti-intrusion measures that depend on pattern and signatures are no longer smart enough. ‘It may be Day Three or Day Five or later before remedies are developed for new malware, by which stage it is too late for some organisations. What are needed are “Day Zero” tools that will detect anomalous behaviour characteristics within the system and stop, quarantine or whatever immediately. There is always the risk of false positives and human decisions may have to be called for at inconvenient times, but it is really the only way.’
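The behaviour-based detection McDermott and Wisdom both describe (the organisations that "detected anomalous behaviour even though the worms were unknown entities") can be shown without any signature at all. The following is an added example, not code from the article or from Cisco or LAN Communications: it watches connection records for a host that suddenly reaches many more distinct destinations on one port than its own recent history, the fan-out pattern of a self-propagating worm. The flow records, the field names, the ten-second window and the thresholds are constructed assumptions; the absolute floor on target count is the trade-off Wisdom mentions, accepting a few missed slow attacks to keep false positives down on quiet hosts.

```python
"""Signature-free fan-out detector over connection records (illustrative;
record format, window size and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int


def fan_out_per_window(flows, window=10.0):
    """Map (src, dport, window index) -> set of distinct destinations."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.dport, int(f.ts // window))].add(f.dst)
    return buckets


def detect_fan_out(flows, window=10.0, baseline_windows=3, factor=5.0, min_targets=20):
    """Alert when a (src, dport) pair reaches at least `min_targets` distinct
    destinations in one window AND at least `factor` times the mean of its
    preceding `baseline_windows` windows. A host with no history is compared
    against a baseline of 1, so a first-ever burst is still reported.
    Returns a list of (src, dport, window, count, baseline)."""
    buckets = fan_out_per_window(flows, window)
    series = defaultdict(dict)
    for (src, dport, w), dsts in buckets.items():
        series[(src, dport)][w] = len(dsts)
    alerts = []
    for (src, dport), per_window in series.items():
        for w in sorted(per_window):
            history = [per_window.get(w - i, 0) for i in range(1, baseline_windows + 1)]
            baseline = sum(history) / baseline_windows
            count = per_window[w]
            if count >= min_targets and count >= factor * max(baseline, 1.0):
                alerts.append((src, dport, w, count, baseline))
    return alerts


def constructed_flows():
    """Constructed traffic: a browsing workstation, an application server that
    talks to one database server, then that server suddenly contacting 40
    hosts on the same port within two seconds (window 3)."""
    flows = []
    for w in range(4):                       # workstation: 3 web servers per window
        for i in range(3):
            flows.append(Flow(w * 10.0 + i, "10.0.0.5", f"203.0.113.{i}", 80))
    for w in range(3):                       # app server: one database server
        flows.append(Flow(w * 10.0 + 1, "10.0.0.9", "10.0.0.20", 1434))
    for i in range(40):                      # burst: worm-like fan-out
        flows.append(Flow(30.0 + i * 0.05, "10.0.0.9", f"198.51.100.{i}", 1434))
    return flows


if __name__ == "__main__":
    for src, dport, w, count, baseline in detect_fan_out(constructed_flows()):
        print(f"window {w}: {src} reached {count} hosts on port {dport} "
              f"(baseline {baseline:.1f}); candidate for quarantine")
```

The detector knows nothing about which worm is spreading, which is the point: the decision to quarantine is based on what the host is doing relative to itself, so it works on Day Zero, and the `min_targets` floor is where the operator tunes the false-positive rate Wisdom warns about.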