Danger stalks the LAN




FEATURE

Marc Meulensteen, Spirent Communications

In February 2012, at the Barcelona Mobile World Congress, the term Bring Your Own Device (BYOD) came into wide use. Unlike so many IT innovations that take time to filter into public consciousness, BYOD was suddenly everywhere: something that had crept up on us and, once given a name, was visible all around. The combination of smartphones with the public cloud is irresistible. It is nice to be free to choose your own device, and employees will even pay for the equipment themselves. BYOD comes across as a forward-looking, employee-friendly strategy that is good for the company image. Employees can now access work round the clock and raise productivity without extra pay. Little wonder then that IT department attitudes changed so quickly from totally banning BYOD to enthusiastically adopting it as the obvious, inevitable and desirable way forward. BYOD jumped from acceptable to unstoppable, embraced by around four out of five companies, mainly on the grounds that it improved productivity.

Classes of user

Then the problems began to be noted. Enterprise networks were not originally designed to handle so many diverse devices, nor the sort and scale of traffic generated by the social media and YouTube generation. It led to a surge in wireless traffic, and a shift from providing ports to more focus on the user and what access they should be allowed. There are three main classes of user:

• Network managers and engineers, who need privileged access into the deep structure of the network.
• Employees, who can log on for full access only to those network resources relevant to their department or work function.
• Guest users, who are allowed limited use of the network for Internet access.

Computer Fraud & Security, August 2014

Any access policy needs to take into account the user's identity, their role in the organisation, the resources they will need, and the areas they must not be allowed to reach. Device identity takes second place, but it is still important: different devices make different demands on the network, and a policy that is safe for a managed corporate laptop is not necessarily safe for an unmanaged personal phone used by the same person.

The shadow lies beyond

BYOD can be seen as one part of a wider 'shadow IT' problem. Actually it is more like the thin end of the shadow IT wedge, because it would now seem churlish of an IT department to forbid an employee from using their own phone to further company business. Once that culture of BYOD acceptability is in place, however, it extends to employees and departments implementing solutions themselves without consulting the IT department. This is what is meant by shadow IT: everything from the use of free online services to departmental decisions to adopt SaaS solutions, as well as the users' own hardware that BYOD brings in. With so many forms of shadow IT comes a similar array of challenges. These include compatibility between devices and software across the organisation; even if the same software is used, not every user is as diligent at upgrading to the latest version, so a population of unpatched copies accumulates. Then there are legal issues: who is to blame if unlicensed software is detected in the organisation? Then, of course, there are the sheer technical and security challenges of managing a network when you cannot control all of the applications and devices that connect to it.


There is no simple formula or set of rules that can address a problem like this, where a once-closed system is opening up to the unknown and fast-evolving world outside. The problem with any rule book is that it can become a substitute for being alert and open to new threats and possibilities. So instead we will look at one or two sample scenarios in which network security can be compromised.

Welcome, stranger

Some of the trickiest shadow IT challenges arise when outsiders enter the premises. If they are regular contract workers, then suitable policies can be established in line with the terms of the contract, but many less formal interactions also occur. Consider an in-house business meeting where a visitor asks for their laptop or tablet to be connected to the Internet. Is this available wirelessly, via a guest SSID with a known password? Or is it a question of plugging into a wall socket? Looking at the typical array of Ethernet sockets, which one offers a quarantined Internet link without compromising the corporate network? Wall sockets typically connect to ports on a switch that has been partitioned to provide different levels of access. Unless someone has labelled the sockets accordingly, there is no way of knowing what access a given one provides without a call to IT and a wait for a technician to arrive. Even if they are labelled, a label does not prevent people from connecting where they should not; only the switch can do that, by deciding what a port carries from who authenticates on it rather than from which wall it is wired to. It matters, because the innocent-seeming guest could turn out to be an investigative journalist, an industrial spy or simply someone who loves exploring forbidden territory. And yet no-one wants to hold up a productive meeting in a busy schedule to run security checks each time someone asks to connect. If IT leans too far towards the nay-saying policing role, these measures will be seen by users as oppressive rules to be worked around rather than respected. After all, the prime driver for shadow IT is the desire to do one's job effectively and to use whatever tools can help, so an IT department that hinders this is no-one's friend.

Next, consider what happens when employees' or company-owned devices start to roam. The finance director needs to be able to access all financial data from her tablet, but if the request comes when the device has moved outside the building, can we be sure it is still in her hands, or has it just been stolen? A valid device certificate and a cached password prove possession of the device, not the identity of the person holding it.

A growing problem arises with those who also work from home. Whether it is their own laptop or a company device, it is taken home so they can catch up on emails or other work at the weekend, and they log into the corporate network securely via a VPN: a known device operated by someone who is reliably authenticated. How could this be a problem? The problem is that the device is likely also on a home wifi network with other family members using the Internet and gaming, who may not be so well defended against malware. The employee's laptop becomes infected and then logs onto the corporate network. The question then is whether the corporate network has been set up to check the health of, and scan traffic from, a recognised company device in authorised hands arriving over a secure VPN. The tunnel is encrypted, so any such inspection has to happen either on the endpoint before it connects or at the concentrator after the traffic is decrypted; an IPS watching the WAN side sees only ciphertext.
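Putting the three user classes, the unlabelled wall socket, the roaming tablet and the infected home laptop into one access decision, as an added example that is not part of the article and not code from Spirent: a small policy engine in Python, with every name, threshold and sample request constructed here for illustration. It takes what a NAC or RADIUS server would know about a connection attempt and returns the zone the switch port or VPN session should be placed in, plus whether step-up authentication is needed.

```python
"""
Added illustration (not from the article or from Spirent): a toy network
access policy engine of the kind a NAC/RADIUS server might run.

All names, thresholds and sample requests are hypothetical. One AccessRequest
arrives per connection attempt (wall socket, SSID or VPN concentrator); the
engine returns the Zone the session should land in and whether step-up
authentication is required.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Role(Enum):
    NETWORK_ENGINEER = "network-engineer"   # privileged access to the network itself
    EMPLOYEE = "employee"                   # department resources only
    GUEST = "guest"                         # Internet access only


class Zone(Enum):
    DENY = "deny"
    QUARANTINE = "quarantine"        # remediation only: AV/patch servers reachable
    INTERNET_ONLY = "internet-only"  # guest VLAN, no route into the corporate LAN
    DEPARTMENT = "department"        # VLAN/ACLs scoped to the user's department
    MANAGEMENT = "management"        # network management plane


@dataclass
class Posture:
    """Endpoint health as reported by a (hypothetical) agent on the device."""
    av_signature_age_days: int
    os_patch_age_days: int
    disk_encrypted: bool

    def healthy(self) -> bool:
        # Thresholds are illustrative policy values, not a standard.
        return (self.av_signature_age_days <= 7
                and self.os_patch_age_days <= 30
                and self.disk_encrypted)


@dataclass
class AccessRequest:
    user: str
    role: Role
    department: str
    device_managed: bool                # corporate-enrolled device, or BYOD
    origin: str                         # "wired", "wifi-corp", "wifi-guest" or "vpn"
    on_premises: bool
    mfa_passed: bool
    posture: Optional[Posture] = None   # None when no agent reported (typical for guests)


@dataclass
class Decision:
    zone: Zone
    reason: str
    step_up_required: bool = False


def decide(req: AccessRequest) -> Decision:
    """Ordered rules; first match wins and nothing falls through to full access."""
    # Guests, and anyone on the guest SSID, get the Internet-only VLAN whichever
    # socket or radio they used: the identity decides access, not the port.
    if req.role is Role.GUEST or req.origin == "wifi-guest":
        return Decision(Zone.INTERNET_ONLY, "guest identity or guest SSID")
    # Corporate zones require a managed device that can report its health.
    if not req.device_managed or req.posture is None:
        return Decision(Zone.INTERNET_ONLY, "unmanaged device or no posture report")
    # A known device, a known user and a valid VPN still do not prove the device
    # is clean: the infected home laptop lands here and gets remediation only.
    if not req.posture.healthy():
        return Decision(Zone.QUARANTINE, "posture check failed")
    # Possession of a device is not proof of who is holding it. Privileged roles
    # need MFA everywhere; everyone else needs it once the device leaves the building.
    needs_mfa = req.role is Role.NETWORK_ENGINEER or not req.on_premises
    if needs_mfa and not req.mfa_passed:
        return Decision(Zone.DENY, "MFA required for this role or location",
                        step_up_required=True)
    if req.role is Role.NETWORK_ENGINEER:
        return Decision(Zone.MANAGEMENT, "network engineer with MFA")
    return Decision(Zone.DEPARTMENT, f"employee of {req.department}")


# Constructed sample requests mirroring the article's scenarios.
HEALTHY = Posture(av_signature_age_days=1, os_patch_age_days=10, disk_encrypted=True)
STALE = Posture(av_signature_age_days=45, os_patch_age_days=10, disk_encrypted=True)

SAMPLE_REQUESTS = {
    "visitor-wall-socket": AccessRequest("visitor", Role.GUEST, "-", False, "wired", True, False),
    "finance-director-roaming": AccessRequest("fd", Role.EMPLOYEE, "finance", True, "vpn", False, False, HEALTHY),
    "finance-director-roaming-mfa": AccessRequest("fd", Role.EMPLOYEE, "finance", True, "vpn", False, True, HEALTHY),
    "home-worker-vpn": AccessRequest("alice", Role.EMPLOYEE, "sales", True, "vpn", False, True, STALE),
    "network-engineer": AccessRequest("bob", Role.NETWORK_ENGINEER, "it", True, "wired", True, True, HEALTHY),
    "engineer-no-mfa": AccessRequest("bob", Role.NETWORK_ENGINEER, "it", True, "wired", True, False, HEALTHY),
    "employee-on-guest-wifi": AccessRequest("carol", Role.EMPLOYEE, "hr", True, "wifi-guest", True, True, HEALTHY),
}


def evaluate_all() -> Dict[str, Decision]:
    """Run every sample through the engine, keyed by scenario name."""
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        step = " (step-up)" if d.step_up_required else ""
        print(f"{name:30} -> {d.zone.value:13} {d.reason}{step}")
```

The design point is the rule order: deny-by-default, then identity, then device, then posture, then context, and only at the end the role-to-zone mapping. Once a switch authenticates each port (802.1X or a similar mechanism) and asks a policy server like this which VLAN to assign, the unlabelled meeting-room socket stops mattering, and the home worker's infected laptop is parked in a remediation VLAN even though its user, device and VPN are all legitimate.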

Bolting the stable door

Neither of these examples is in itself a cause of great concern. With the right security policies in place, reasonable steps can be taken to reduce the risk of attack in such circumstances to an acceptable level. But the point is that there are so many possible variations on these examples that it is very easy to overlook or fail to anticipate some of them. What is needed is time to step back from the fine detail of security management, such as defining and setting policies and deciding where firewalls and IPS sit, and imaginatively consider the broader human interactions and likely behaviours of those the network serves. This is the ecology that shadow IT inhabits and in which it is constantly evolving.

There are specialist companies that can bring to the table many years' experience, skills and understanding of how to make networks secure and how to test their security exhaustively, by modelling any combination of realistic or extreme traffic conditions plus the known forms of cyber-attack. This is immensely reassuring, but you cannot just hand the problem over to them in one piece. What is truly needed is a combination of those expert outsourced skills and in-house experience and understanding of your own business: the people who work there, what they are trying to achieve, the challenges they face and the means they will use to work around those challenges, which includes shadow IT. Put the two sets of knowledge together and only then will you be able to bring all those potentially risky home-grown IT solutions out of the shadows and integrate them back into company policy.

About the author

Marc Meulensteen is EMEA business development manager for Layer 4-7 application and security testing at Spirent. He joined Spirent in 2001 as a system engineer and was responsible for technical sales support. In 2006 he changed to his current role. He is involved in the introduction of new testing methodologies to increase realism in the testing of application, security and user perception, in areas such as datacentre, cloud computing and streaming video.

Tor under attack

Steve Mansfield-Devine, editor, Computer Fraud & Security

A technology relied on by activists, whistleblowers, journalists and people living under oppressive regimes is coming under attack from a number of directions. The Onion Router (Tor) was initially developed at the US Naval Research Laboratory; its early public development was backed by the Electronic Frontier Foundation (EFF), and it is now maintained by the non-profit Tor Project, which distributes an easily used browser package. Yet, in spite of its impeccable credentials, Tor is the target of subversion attempts by governments and exploitation by criminals.

The dark side

As well as protecting vulnerable members of society, Tor has its less laudable uses. It's often claimed, by law enforcement and intelligence organisations, that the technology is widely employed by paedophiles and terrorists, the two great bogeymen of our times. Certainly, it's the basis of the 'dark web': websites reachable only by using a special Tor-enabled browser. Such sites included the original Silk Road marketplace that connected buyers and sellers of illegal drugs, guns and underground services. Several
