It’s not what you know, but who you know.
That statement is usually used when talking about closing a sale or getting a job, but it also applies to attacking a network.
Perimeter defenses are set up to keep out unauthorized traffic. If you can reach someone with trusted access to the corporate system, however, you’ve got a route inside. While this could involve bribing or blackmailing someone who works in the data center, historically, it was cheaper and easier to give an employee an infected floppy disk, or con someone into giving you their password.
But now the bigger threat is posed by a series of factors that vastly increase the number of routes into the network, and hence its vulnerability: the proliferation of mobile and teleworkers; the use of pocket-sized computing devices such as smart phones, PDAs and MP3 players; and the increasing practice of giving business partners and customers access to the network.
International Data Corp. (IDC), a Framingham, Mass.-based analyst firm, estimates that nearly two-thirds of all serious threats come from trusted sources, such as employees, partners, contractors and customers.
“Because these sources have established a level of trust, to a greater or a lesser degree, they already have legitimate access to corporate resources,” says IDC analyst Christian Christiansen. “At a time when external hacks tend to garner attention, internal data threats are on the rise.”
Inside/Outside
In traditional warfare, it is easy to identify the enemy. They are those guys over there whose uniforms are a different color than your own. You simply set up a good border defense to keep them out. Guerrilla warfare, however, is much harder. The enemy is already within the borders and looks just the same as the good guys. That is the challenge that security managers now face in protecting their networks. The increasingly porous network architecture makes it nearly impossible to define the perimeter and establish defenses at it. And it blurs the line between friend and foe.
“While the public’s attention remains focused upon the external threats, companies face far greater damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards,” says Edwin Bennett, global director of Ernst & Young’s Technology and Security Risk Services.
According to the 2004 CSI/FBI Computer Crime and Security Survey, despite the nearly universal use of antivirus software, viruses still accounted for more than a third of the organizational losses caused by security breaches. Frequently, these infections come from trusted but insecure sources. IDC estimates that more than half of the rogue machines in a company (machines outside the company’s control, whose users ignore company security policies) contain malware, including spyware, adware, zombies, worms and viruses. When these machines connect to the network, they bring that malware inside with them. Remote users who don’t have all the latest software patches, or whose antivirus signatures are out of date, are the most common source of network re-infection: a worm that has been cleaned off the LAN comes straight back in with the next connection from an unpatched laptop.
Laptops and home computers also are a weak point for other types of attacks on the network core.
While hackers may never make it through the corporate perimeter, placing code on an unprotected home computer can give the hacker access when that employee logs onto the network. Further, connecting through a VPN and using authentication and authorization procedures doesn’t protect the network from malware already loaded on that PC: the tunnel authenticates the user and encrypts the traffic, but it carries whatever the infected machine sends just as faithfully. Nor does it prevent those machines from being used as zombies for other attacks.
“Clients are no longer the target for attacks designed to disable them,” Christiansen says. “Instead, we see that clients are increasingly the transfer agents or intermediate facilitators for launching larger attacks on other networks.”
Closing the Doors
The problem with securing all these devices is that many of them are outside the control of the network administrators. Employees buy their own PDAs, laptops and home PCs for both work and personal use. Departments even sometimes set up their own wireless LANs without soliciting IT approval.
In addition, USB ports let users connect all sorts of devices to their workstations and copy data off their hard drives. Windows makes it easy: the default setting is to recognize any device connected to a port and install any necessary drivers. Once recognized, a 60 GB iPod can deliver plenty of malware, or carry away a hard drive’s worth of customer information.
“There are certainly ways of disabling things, such as locking down the desktop definition so that it doesn’t include extra drives or USB devices,” says Gartner, Inc. analyst Ant Allan, “but few organizations have put this in place.”
Another possible remedy is to deploy centralized software that enforces security policies on all devices that connect to the network, even temporarily, whether they belong to the company or not. One approach is to use “white lists” (lists of authorized devices) and block any device not on the list. But that doesn’t stop infected but authorized devices from connecting. The other is to examine the security status of any device, even an authorized one, before allowing it in.
“What we are seeing now is an interesting technology called ‘scan and block,’” says Allan. “If a device shows any signs of being infected, it is blocked or put into a quarantine section of the network.”
Administrators have several options for ensuring the security of endpoint devices. Centrally managed personal firewalls such as San Francisco-based Zone Labs LLC’s Check Point Integrity suite will only allow a user to connect to the network if their antivirus software is current. Dublin, Ohio-based Endforce, Inc.’s Enterprise is a standalone security enforcement program for client devices. Administrators set policies for different classes of devices or users, and it scans the devices for compliance and messages the user with instructions on what to do in order to comply.
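The two approaches above, white list first and then scan and block with a quarantine segment, are easy to confuse, so here is an added example in Python that puts both in one admission decision. It is not code from the article or from any of the products it names. The key=value report format, the device IDs, the seven-day signature threshold and the sample reports are all constructed for the example; a real agent would report richer data and a real enforcement point would act on the verdict by moving the switch port or VPN session into the appropriate VLAN.

```python
"""Endpoint admission: white list, then posture scan, then allow/quarantine/block.

Added example for illustration only. The report format and all sample data
below are constructed; they do not come from any real product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"  # remediation segment: patch and AV servers only
    BLOCK = "block"


@dataclass(frozen=True)
class Posture:
    device_id: str                 # identifier the agent reports (format assumed)
    av_signature_date: date        # date of the installed antivirus signatures
    missing_critical_patches: int  # count of critical patches not installed
    firewall_enabled: bool
    malware_found: bool            # result of the agent's own scan


# Constructed white list of company-owned devices (assumption).
ALLOWLIST = frozenset({"LT-0042", "LT-0107", "PDA-0009"})

# Signatures older than this are treated as stale (threshold is an assumption).
MAX_SIGNATURE_AGE = timedelta(days=7)

# Fixed "today" so the example is reproducible.
TODAY = date(2004, 11, 1)


def parse_report(text: str) -> Posture:
    """Parse the key=value lines an agent sends at connect time (invented format)."""
    fields: dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return Posture(
        device_id=fields["device_id"],
        av_signature_date=date.fromisoformat(fields["av_signature_date"]),
        missing_critical_patches=int(fields["missing_critical_patches"]),
        firewall_enabled=fields["firewall_enabled"].lower() == "true",
        malware_found=fields["malware_found"].lower() == "true",
    )


def admit(posture: Posture, today: date = TODAY,
          allowlist: frozenset[str] = ALLOWLIST,
          max_age: timedelta = MAX_SIGNATURE_AGE) -> tuple[Verdict, list[str]]:
    """Return the admission verdict and the reasons shown to the user.

    Step 1 is the white list. Step 2 is the scan: an authorized device that is
    already infected is blocked outright rather than quarantined, because a
    quarantine segment still lets a worm reach the remediation servers placed
    there for it. Merely out-of-date devices go to quarantine with instructions.
    """
    if posture.device_id not in allowlist:
        return Verdict.BLOCK, ["device is not on the authorized list"]
    if posture.malware_found:
        return Verdict.BLOCK, ["scan found active malware; contact the help desk"]

    reasons: list[str] = []
    age = today - posture.av_signature_date
    if age > max_age:
        reasons.append(f"antivirus signatures are {age.days} days old; update them")
    if posture.missing_critical_patches > 0:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing; install them")
    if not posture.firewall_enabled:
        reasons.append("personal firewall is disabled; enable it")

    return (Verdict.QUARANTINE, reasons) if reasons else (Verdict.ALLOW, [])


# Constructed sample reports (not real data).
SAMPLE_REPORTS = {
    "clean":    "device_id=LT-0042\nav_signature_date=2004-10-30\nmissing_critical_patches=0\nfirewall_enabled=true\nmalware_found=false",
    "stale":    "device_id=LT-0107\nav_signature_date=2004-10-01\nmissing_critical_patches=3\nfirewall_enabled=true\nmalware_found=false",
    "infected": "device_id=PDA-0009\nav_signature_date=2004-10-31\nmissing_critical_patches=0\nfirewall_enabled=true\nmalware_found=true",
    "unknown":  "device_id=LT-9999\nav_signature_date=2004-10-31\nmissing_critical_patches=0\nfirewall_enabled=true\nmalware_found=false",
}


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        verdict, reasons = admit(parse_report(report))
        print(f"{name:>8}: {verdict.value:<10} {'; '.join(reasons)}")
```

Running it lists one line per sample: the clean laptop is allowed, the laptop with month-old signatures and three missing patches is quarantined with two instructions, the infected PDA is blocked even though it is on the white list, and the unknown device is blocked before any scan result is consulted. The ordering of the checks is the point: a white list alone would have let the infected PDA in.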
North Korean Security
Yes, it is an additional cost for the management software and a server to host it. And, yes, it also is an additional management burden to set and enforce policies for all these additional devices and users. But there really is no other option unless you want to take a North Korean-style approach of completely sealing the borders to keep everyone and everything out.
If you want the benefits offered by open information access and exchange, you also must take responsibility for securing all the possible routes of attack that an open architecture entails.