LAWFUL INTERCEPTION

up to national governments, is the need to maintain interception capabilities. In the early days of telecommunications, investigators attached crocodile clips to a wire and retired to the van for a stakeout. The second generation emerged when telephone switches could produce call records, and analogue voice recorders could store the content. A third era arrived with the advent of digital switching and mobile voice and data communications. Today's fourth generation of LI has a lot more to contend with. Fixed mobile convergence, migrations to IMS architectures, network based services, calling cards, distributed networks, VoIP and peer-to-peer protocols all contribute to the challenge of covering different networks and criminal behaviours.

Legislation is keeping pace with these changes. In May 2006, the Federal Communications Commission adopted a Second Report and Order that addressed issues regarding implementation of CALEA with regard to facilities-based broadband Internet access providers and interconnected voice over Internet protocol (VOIP) providers. All of these operators are now required to be CALEA compliant by 14 May 2007. With such critical legislation driving rapid compliance, and fourth generation solutions available to the market, law enforcement remains a step ahead of the most seasoned criminal.
About the author

With worldwide responsibility for product management, portfolio strategy and marketing communications, Stephen Gleave positions SS8's unified communications, signalling infrastructure and lawful interception solutions. He has worked in the telecommunications industry for more than 20 years, and prior to SS8 held senior marketing, sales and support roles at Network Equipment Technologies (NET, or net.com), Ubiquity Software, Jetstream Communications, Premisys Communications, Newbridge Networks and GEC. He was born in the UK, graduated with a first class honours degree in Electronic Engineering from the University of Bristol, England, and has lived and worked in Silicon Valley for the last 10 years.
SECURITY CITIZEN
Being a good security citizen

Bruce Potter, founder, Shmoo Group

It's been said that the internet is a global community made of all the users on the network. Like any community, there are businesses conducting commerce, individuals going about their daily lives, and even a few bad actors. But unlike our physical communities, there are no police cars roaming the neighbourhoods looking for these bad actors. There aren't even boundaries that help law enforcement activities. At the end of the day, this global community without boundaries means that every enterprise has to be on the lookout for not just the security of their own systems, but also the security of the community as a whole. This is obviously a difficult situation. It's hard enough to secure your own systems; being on the lookout for the entire internet is an impossible situation. Further, it is outside the commonly accepted mission of most IT security departments to be accountable for security beyond the network boundaries. So, how do you balance the need to be a good security citizen with the need to minimise operational costs and maximise the assurance of your systems?
Passive mechanisms

Being a good security citizen starts with your local configurations and operational procedures. If your networks and systems are vulnerable, they can become Petri dishes for attackers. Much like a pool without a fence, an insecure network is an attractive nuisance that will draw in attackers. These attackers will then use your systems to attack other networks. Botnets and zombies are a huge problem on the net, and the propagation of these types of malicious code is often due to known vulnerabilities and system weaknesses.
Applying patches, using strong passwords, and employing other industry best practices is the best thing you can do to be a good internet security citizen. Thankfully, these actions are the same actions we take every day to protect our assets and our employees.
Network Security
So the first step in being a good citizen is one most of us have taken already. Even with industry best practices in place, the potential for security incidents still exists within your network. Also, if you are a product vendor, security researchers may find vulnerabilities in your products that they wish to disclose to you. To facilitate security communication with the outside world, you should create predictable and reliable contact mechanisms. The Organization for Internet Safety (OIS) recommends some simple solutions for communications. Foremost among them is the creation of a security page on your corporation's primary webserver (for instance, http://www.yourcompany.com/security/) that provides appropriate information for those looking to contact you. Also, an alias of security@yourcompany.com should be set up and monitored for email communication in the absence of web access. There is more information available on the OIS website at www.oisafety.org.

Controlling rogue code within your enterprise is a critical aspect of being a good security citizen. Many worms and bots use spoofed IP addresses to obscure the location of the infection and decrease the likelihood of detection. Spoofed addresses can only be successfully stopped at the location where the traffic originates. An enterprise knows the source addresses that should exist in outbound traffic. For instance, if your network is 192.168.0.0/24, your border router should only see outbound traffic with source addresses from that netblock. If a different source address is detected, then some entity is spoofing source addresses. Blocking spoofed source addresses at the outbound border is called egress filtering. Egress filtering, if done on a large scale across the internet, can have a profound effect on the detection and deletion of bots and worms.
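The egress check described above, as an added example that is not part of the original article: a small Python audit that reads outbound flow records and flags any whose source address lies outside the enterprise's own netblocks. It generalises the article's single 192.168.0.0/24 case to a list of prefixes. The flow log format, the field names and all addresses (taken from RFC 5737 documentation ranges) are constructed for the example.

```python
"""Egress-filter audit: flag outbound flows whose source address is not one of
the enterprise's own netblocks, i.e. traffic with a spoofed source."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed outbound flow records in a NetFlow-like key=value format.
# Addresses come from documentation ranges; this is not real traffic.
SAMPLE_FLOWS = """\
2007-05-01T10:00:01 src=192.168.0.15 dst=198.51.100.7 proto=tcp dport=80
2007-05-01T10:00:02 src=192.168.0.77 dst=203.0.113.9 proto=udp dport=53
2007-05-01T10:00:03 src=10.99.3.4 dst=203.0.113.10 proto=tcp dport=25
2007-05-01T10:00:04 src=192.168.0.200 dst=198.51.100.7 proto=tcp dport=443
2007-05-01T10:00:05 src=192.0.2.55 dst=203.0.113.11 proto=tcp dport=445
garbage line that does not parse
"""

# The netblock from the article; a real deployment lists every prefix the
# enterprise legitimately originates (assumption: one prefix is enough here).
ENTERPRISE_NETBLOCKS = ["192.168.0.0/24"]


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' record; return {} for malformed lines."""
    parts = line.split()
    if not parts:
        return {}
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return {}
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if "src" in fields else {}


def build_allowed_networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn CIDR strings into network objects; strict=True rejects host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_legitimate_source(src: str, allowed: List[ipaddress.IPv4Network]) -> bool:
    """True only if src parses as an address inside one of our netblocks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as not ours
    return any(addr in net for net in allowed)


def audit_egress(log_text: str, cidrs: Iterable[str]) -> Tuple[List[dict], List[dict]]:
    """Split the flow records into (permitted, spoofed) lists."""
    allowed = build_allowed_networks(cidrs)
    permitted, spoofed = [], []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if not rec:
            continue  # skip malformed lines rather than crash the audit
        (permitted if is_legitimate_source(rec["src"], allowed) else spoofed).append(rec)
    return permitted, spoofed


def spoofed_sources(log_text: str, cidrs: Iterable[str]) -> Dict[str, int]:
    """Count spoofed flows per bogus source address, for the incident ticket."""
    _, spoofed = audit_egress(log_text, cidrs)
    counts: Dict[str, int] = {}
    for rec in spoofed:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    ok, bad = audit_egress(SAMPLE_FLOWS, ENTERPRISE_NETBLOCKS)
    print(f"{len(ok)} flows permitted, {len(bad)} flows with spoofed source")
    for rec in bad:
        print("  DROP", rec["ts"], rec["src"], "->", rec["dst"])
```

In practice the same rule is expressed as an outbound access list on the border router; the script is the monitoring side, run over exported flows so that a spoofing host is noticed and traced internally (by switch port or MAC, since the IP itself is forged) rather than silently dropped.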
Active mechanisms

The passive mechanisms described above recommend the generally accepted minimum required to be considered a good security citizen. There are many other actions you can take if your budget and/or morals allow. If your network detects an active or attempted intrusion, you may choose to do more than just prevent the attack from being successful. Many times, attacks originate from other systems that have been compromised. By investigating the attack, you may find that another enterprise is a victim too. You may choose to notify system administrators of the other network in an effort to assist them in stopping an active infection. Note, however, that the act of notifying and conveying the needed information takes time, and depending on the level of sophistication of the victim enterprise, you may simply be wasting your efforts.
You may also choose to track down the original attacker in an effort to stop the attack once and for all, and potentially to notify law enforcement. This action is likely even more time intensive than reaching out to other enterprises. Tracking down attackers and getting them to stop is a technically and politically difficult problem. Attackers have the upper hand in protecting their identity and hiding their true location. Even if you are successful in finding the attacker, if they are in a foreign country you may have no real recourse to law enforcement.

Participating in a honeynet initiative is potentially a great way to give back to the community without the cost of tracking down attackers directly. Honeynets are systems where fake hosts are set up to lure in attackers and deceive them into believing they have compromised legitimate systems. These systems then report back to a central authority on the actions and tools used by the attackers. In turn, the central authority can analyse input from many sensors in order to determine new attack techniques, changes in attack patterns, and overall threats to the internet. Honeynets can be a sophisticated mechanism for learning about attackers and providing intelligence to the broader security community. However, honeynets are also a distraction from the day to day operations of your enterprise and may represent a security risk, as attackers are essentially invited into your network to perform malicious activities.
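The central-authority step of the honeynet model above, as an added example that is not part of the original article or of any honeynet project: Python that merges reports from several sensors and answers the three questions the text lists, which techniques are new, how a technique's volume changes day to day, and which sources are hitting many sensors. The report format (JSON lines with sensor, day, src and technique fields) and every value in it are constructed for the example; real sensor output would need its own parser.

```python
"""Central collector for honeynet sensor reports: surface new techniques,
per-day trends and sources seen across many sensors."""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sensor reports (JSON lines). Addresses are from documentation
# ranges and the technique labels are invented; this is not real data.
SAMPLE_REPORTS = """\
{"sensor": "sensor-a", "day": "2007-05-01", "src": "203.0.113.5", "technique": "ssh-bruteforce"}
{"sensor": "sensor-b", "day": "2007-05-01", "src": "203.0.113.5", "technique": "ssh-bruteforce"}
{"sensor": "sensor-a", "day": "2007-05-01", "src": "198.51.100.9", "technique": "smb-worm"}
{"sensor": "sensor-c", "day": "2007-05-02", "src": "203.0.113.5", "technique": "ssh-bruteforce"}
{"sensor": "sensor-b", "day": "2007-05-02", "src": "192.0.2.77", "technique": "smb-worm"}
{"sensor": "sensor-c", "day": "2007-05-02", "src": "192.0.2.78", "technique": "irc-bot-dropper"}
{"sensor": "sensor-a", "day": "2007-05-02", "src": "192.0.2.79", "technique": "irc-bot-dropper"}
not json at all
"""

REQUIRED = ("sensor", "day", "src", "technique")


def load_reports(text: str) -> List[dict]:
    """Parse JSON lines, dropping lines that are not valid or lack a field."""
    reports = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # a corrupt line from one sensor must not poison the feed
        if all(k in rec for k in REQUIRED):
            reports.append(rec)
    return reports


def techniques_by_day(reports: List[dict]) -> Dict[str, Counter]:
    """day -> Counter of technique -> number of reports that day."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for rec in reports:
        per_day[rec["day"]][rec["technique"]] += 1
    return dict(per_day)


def new_techniques(reports: List[dict], day: str) -> Set[str]:
    """Techniques reported on `day` that no sensor had reported on an earlier day."""
    seen_before = {r["technique"] for r in reports if r["day"] < day}
    today = {r["technique"] for r in reports if r["day"] == day}
    return today - seen_before


def trend(reports: List[dict], technique: str) -> List[tuple]:
    """Chronological (day, count) series for one technique across all sensors."""
    per_day = techniques_by_day(reports)
    return [(day, per_day[day][technique]) for day in sorted(per_day)]


def wide_sources(reports: List[dict], min_sensors: int = 2) -> Dict[str, int]:
    """Sources that reached at least `min_sensors` distinct sensors: likely scanning broadly."""
    sensors_by_src: Dict[str, Set[str]] = defaultdict(set)
    for rec in reports:
        sensors_by_src[rec["src"]].add(rec["sensor"])
    return {src: len(s) for src, s in sensors_by_src.items() if len(s) >= min_sensors}


if __name__ == "__main__":
    reports = load_reports(SAMPLE_REPORTS)
    latest = max(r["day"] for r in reports)
    print("new on", latest, ":", sorted(new_techniques(reports, latest)))
    print("smb-worm trend:", trend(reports, "smb-worm"))
    print("sources seen by several sensors:", wide_sources(reports))
```

The value of the exercise comes from the number of sensors: a single honeypot sees one attacker's tools, while the merged view shows whether a technique is spreading and whether one source is sweeping the whole sensor population, which is what the central authority reports back to the community.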
Parting shots

The internet is still young, and from a security perspective it is still a bit like the wild west. Individual actors can cause great harm to networks and systems half a world away. The security of the internet is not the responsibility of a single organisation. Rather, security is the responsibility of every operator plugged into the network. There is no single set of actions that make a good security citizen. Rather, it is the intent of your actions and your ability to balance your needs versus the needs of the broader network community that ensure that you are positively contributing to the security of those around you.
About the author

Bruce Potter is the founder of The Shmoo Group of security, crypto, and privacy professionals. He helps organise ShmooCon, a yearly information security conference in Washington DC that draws over 1000 attendees. Bruce has a background in embedded system security, software assurance, and enterprise IT operations. He is a senior associate at Booz Allen Hamilton.
May 2007