issue.qxd
10/04/2003
16:23
Page 5
wireless security

Nonetheless, attempting to detect these APs is an important part of your information security procedures. Security personnel should be trained to recognize external rogue APs via foreign MAC addresses or other footprints which are available using tools such as AirMagnet (1) or Kismet (2).

Besides detecting external rogue APs, preventing damage from them is critical. First, make sure you are using WEP. Most clients, including Windows XP and Linux, can be configured to only connect to specific SSIDs and further to only connect if the AP supports WEP encryption. Even though WEP keys can be cracked, using WEP raises the bar.

The next step is to deploy end-to-end authentication for all client associations. 802.1x, a local network authentication protocol, provides mechanisms for bi-directional verification of both the wireless client and back-end authentication server. 802.1x does not explicitly authenticate the AP. However, when using EAP-TLS, an authentication method within 802.1x, the client is able to verify the authenticity of the back-end server. An external rogue AP will not be able to connect to the back-end authentication server because it is disconnected from your internal network. The client, unable to successfully authenticate, will not associate with the rogue AP.

Finally, educate your user-base to recognize when they may be under a social engineering attack via a rogue AP. Advise them to not enter their credentials into non-standard interfaces, such as an unfamiliar Web page, when they are using the wireless network. They should report any unusual events to information security staff.
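The two defender-side checks just described, foreign-MAC rogue AP detection from a scanner's output and the client-side "approved SSID plus encryption required" association policy, as an added example that is not part of the original article. The inventory of authorized BSSIDs, the corporate SSID and the scan results are all constructed sample values; the scanner output is modelled as a simple BSSID/SSID/privacy-flag record, which is the information tools such as AirMagnet or Kismet report, rather than either tool's actual file format.

```python
"""Rogue access point triage from a wireless scan (added example, not from the article).

Two checks the article describes:
  1. Compare every AP seen by a scanner against an inventory of the BSSIDs
     (MAC addresses) your own APs use; anything else is "foreign".
  2. Model the client-side policy: associate only with an approved SSID, and
     only if the AP advertises encryption, so an open rogue AP is refused.
All inventory and scan data below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenAP:
    bssid: str      # AP MAC address as reported by the scanner
    ssid: str
    privacy: bool   # True if the beacon's privacy (WEP) bit is set
    signal: int     # dBm, useful when physically locating the device


# Constructed inventory: BSSIDs of the APs your own team installed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSID = "corp-wlan"


def classify_ap(ap, authorized_bssids=AUTHORIZED_BSSIDS, corporate_ssid=CORPORATE_SSID):
    """Label one observed AP for the security team."""
    if ap.bssid.lower() in {b.lower() for b in authorized_bssids}:
        return "authorized"
    if ap.ssid == corporate_ssid:
        # Foreign MAC advertising our SSID: an external AP trying to lure our clients.
        return "rogue-impersonating"
    if not ap.privacy:
        # Unknown open AP in range: possibly an employee's home AP plugged into the
        # wired LAN, possibly a neighbour; either way, locate it and check.
        return "unknown-open"
    return "unknown-encrypted"


def triage_scan(seen_aps, **kw):
    """Return {label: [bssid, ...]}, leaving authorized APs out of the report."""
    report = {}
    for ap in seen_aps:
        label = classify_ap(ap, **kw)
        if label != "authorized":
            report.setdefault(label, []).append(ap.bssid)
    return report


def client_may_associate(ap, allowed_ssids, require_privacy=True):
    """Client-side policy from the article: specific SSIDs only, WEP required.
    This is the pre-association filter; 802.1x/EAP-TLS runs after association
    and is what finally rejects an encrypted rogue AP that copies the SSID."""
    if ap.ssid not in allowed_ssids:
        return False
    if require_privacy and not ap.privacy:
        return False
    return True


# Constructed scan result, in the shape a scanner reports it.
SAMPLE_SCAN = [
    SeenAP("00:11:22:33:44:01", "corp-wlan", True, -48),
    SeenAP("00:11:22:33:44:02", "corp-wlan", True, -61),
    SeenAP("de:ad:be:ef:00:01", "corp-wlan", False, -55),  # open AP copying our SSID
    SeenAP("ca:fe:00:00:00:07", "linksys", False, -70),     # someone's home AP?
    SeenAP("0a:0b:0c:0d:0e:0f", "neighbour-net", True, -85),
]

if __name__ == "__main__":
    for label, bssids in sorted(triage_scan(SAMPLE_SCAN).items()):
        print(f"{label:20s} {', '.join(bssids)}")
    for ap in SAMPLE_SCAN:
        verdict = "associate" if client_may_associate(ap, {CORPORATE_SSID}) else "refuse"
        print(ap.bssid, ap.ssid, verdict)
```

Note that the client policy alone accepts an encrypted rogue AP that copies the corporate SSID; that is exactly the gap the article closes with 802.1x and EAP-TLS, where the client's check of the back-end server fails because the rogue AP cannot reach it.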
Inside or out, detect and prevent

When deploying a wireless network, it is important to remember that an attacker can do more than sniff traffic or attempt to gain access to your infrastructure. More and more, attackers are attempting to fool wireless clients by pretending to be a valid access point. Further, your own employees may be installing huge holes in your network disguised as a personal access point brought in from home. By constantly monitoring for rogue APs and deploying systems in a manner resistant to the threat posed by them, your wireless and wired network will provide a secure foundation for your enterprise’s activities.

1. AirMagnet – An 802.11 network diagnostic tool for Windows and PocketPC – www.airmagnet.com
2. Kismet – An 802.11 network analysis tool for Linux – www.kismetwireless.net
About the Author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, Bruce served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 Bruce founded The Shmoo Group, a group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security published through O'Reilly and Associates. He is co-authoring Mac OS X Security to be published by New Riders Publishing in May of 2003.
Early Alerts – Making Sense of Security Information Overload
Kevin Hawkins, Senior Principal Consultant, Symantec Corp.

Knowledge is power – never more so than when it comes to security. Knowing what the threats are, and where vulnerabilities lie, will make the difference between a successful defence and an expensive security breach. Speaking from personal experience, the typical security manager is now bombarded with information from a variety of sources, both internal and external, every minute of every hour. There are firewall logs, Intrusion Detection System (IDS) logs, vulnerability reports and patching levels, not to mention breaches of policy by staff to be dealt with. Making sense of all this information, and acting on it effectively, is a monumental task.
Research shows that a typical medium sized organization will, on average, receive 9.5 million log entries and alerts per month, generated by firewalls and IDS devices across the enterprise. After correlating the data from the various sources, an average of 620 security events will require further investigation. After weeding out the false positives – a major task in itself – some 55 of these will be determined to constitute some sort of security threat.
5
information overload

And of these, two will pose a risk that is critical enough to require immediate action. So, the good news is only two out of 9.5 million events are serious potential threats. The bad news is that we have to identify which two! Added to this is the fact that 450 new viruses and about 250 new vulnerabilities are discovered every month, and these require system updates and patches.

As security professionals, we are all aware that the best protection against attack is an effective defence, combining the right security tools with a well-managed security policy. To be forewarned is to be forearmed and intelligence is the key for companies today – “Is my system being attacked?” If so, when, where and how often? But to monitor and analyse the vast volumes of data produced by all of the security devices on a corporate network requires time, specialist knowledge and highly complex technical architecture. Increasingly, companies also want access to intelligence on global attack activity that will help them move from simply reacting to attacks to proactively preventing them.

The security manager’s day job is to demonstrate that all reasonable steps have been taken to ensure that critical assets are being protected to an appropriate level. This level will have been assessed during the formalisation of a risk management plan, following a risk assessment based on business impact. This ensures that all mission-critical systems have been identified and an appropriate level of protection defined. However, no matter how well prepared the plan is, it will not stop attempts at breaching security. Therefore having identified the risks and the vulnerabilities, they have to be considered along with the threat.

By far the greatest threat to networked systems comes from malicious code – computer viruses, worms and Trojan horses. As a priority, all systems must have up-to-date anti-virus protection. However, Symantec has seen a dramatic increase in the number of blended threats over the past 12 months. These are based on malicious code that may combine a system exploit with worm or virus-like activity. In some cases, as with Code Red, what appears to be a virus threat cannot in fact be stopped by anti-virus software, but requires firewall and intrusion detection to prevent it spreading, together with a software patch to prevent further infection.

The ability to provide immediate updates to all security software is now a priority. An early alert and rapid reaction to such threats will reduce the risk to an organization. Knowing that you have vulnerable systems and understanding their priority in business-critical systems enables more effective deployment of resources.
Spotting the serious attacks

The average company network is attacked 30 times a week. The threat of security breach, either accidental, opportunistic or targeted, is very real. But understanding the type of attack and its source is paramount to effective protection, and to ensure that time and effort aren’t wasted on dealing with non-threatening attacks. Attacks are nearly always preceded by some form of information gathering, in the form of a port scan, an attempt at DNS zone transfer, or simply running a ‘whois’ to see what information is freely available. Only a minority are serious attempts to breach security. Of course this would not prevent a probe turning very quickly into a serious attempt should the intruder discover that security is weak. The challenge is to determine which attacks are serious, which aren’t, and which are likely to become serious (for example, those that can be identified as a repeat reconnaissance).

According to the latest Symantec Internet Threat Report (published in January 2003), which analysed the threats to 400 managed security service customers over a six-month period, 85% of active attacks were classified as ‘reconnaissance’ – the cyber equivalent of a burglar checking doors and windows to see if they are locked. Only 15% of attacks were actual exploitation attempts – the burglar entering the building. Most attackers are looking for commonly known vulnerabilities in a network. If they fail to find them, they are unlikely to pursue their attack; instead they will seek out an easier target.

Companies need to understand the potential attack types as they relate to their industry sector. Some industries may attract a greater level of attention from hackers looking for financial gain or those wanting to make a political statement (‘hacktivists’). For the security manager working in such sectors, knowing whether you are looking at ‘background noise’ or experiencing a determined attack on your network would help prioritise the attack.

Targeted attacks are those that appear to be directed at a particular organization. In these situations, the attacker scans only the network of the targeted organisation. Furthermore, the attacker appears to be seeking to exploit specific vulnerabilities associated with the target network. Opportunistic attacks do not have these characteristics. The Symantec Internet Threat Report shows that 76% of attacks over the six-month period were opportunistic and 24% were targeted. This type of information enables the security manager to get some perspective on the data being received from defence systems, which helps to cut down on the false positives and target essential resources at what is important.
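The funnel the article describes earlier (millions of raw log entries correlated into a few hundred events, of which a handful need action) and the classification in this section (reconnaissance versus exploitation attempt, with repeat reconnaissance as the signal that a probe may turn serious), as one added example that is not part of the original article or of any Symantec product. The firewall and IDS log formats, the addresses, the signature text and the thresholds (five distinct ports within a ten-minute window counts as a scan) are all constructed for the example; a real deployment would parse its own devices' formats and tune the thresholds.

```python
"""Correlating raw firewall and IDS log lines into events and ranking them
(added example, not from the article or from Symantec).

Pipeline: raw lines -> parse -> group per source address into events within a
time window -> classify each event as reconnaissance or exploitation attempt
-> flag repeat reconnaissance -> assign a priority and report funnel counts.
Log formats, addresses and signature names below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines.
#   Firewall: "FW <ts> DENY <src> -> <dst>:<port>/<proto>"
#   IDS:      "IDS <ts> <src> -> <dst> <signature text>"
SAMPLE_LOGS = """\
FW 2003-04-10T09:00:01 DENY 198.51.100.7 -> 203.0.113.10:21/tcp
FW 2003-04-10T09:00:01 DENY 198.51.100.7 -> 203.0.113.10:22/tcp
FW 2003-04-10T09:00:02 DENY 198.51.100.7 -> 203.0.113.10:23/tcp
FW 2003-04-10T09:00:02 DENY 198.51.100.7 -> 203.0.113.10:25/tcp
FW 2003-04-10T09:00:03 DENY 198.51.100.7 -> 203.0.113.10:80/tcp
FW 2003-04-10T09:00:03 DENY 198.51.100.7 -> 203.0.113.10:110/tcp
IDS 2003-04-10T09:30:15 192.0.2.44 -> 203.0.113.5 DNS zone transfer request
FW 2003-04-10T13:12:40 DENY 198.51.100.7 -> 203.0.113.11:139/tcp
FW 2003-04-10T13:12:41 DENY 198.51.100.7 -> 203.0.113.11:445/tcp
FW 2003-04-10T13:12:41 DENY 198.51.100.7 -> 203.0.113.11:1433/tcp
FW 2003-04-10T13:12:42 DENY 198.51.100.7 -> 203.0.113.11:3389/tcp
FW 2003-04-10T13:12:42 DENY 198.51.100.7 -> 203.0.113.11:8080/tcp
IDS 2003-04-10T14:02:09 203.0.113.250 -> 203.0.113.10 IIS ISAPI buffer overflow attempt
FW 2003-04-10T15:00:00 DENY 192.0.2.99 -> 203.0.113.10:80/tcp
"""

FW_RE = re.compile(r"^FW (\S+) DENY (\S+) -> (\S+):(\d+)/\w+$")
IDS_RE = re.compile(r"^IDS (\S+) (\S+) -> (\S+) (.+)$")
WINDOW = timedelta(minutes=10)   # assumed quiet period that separates two events
SCAN_THRESHOLD = 5               # assumed: this many distinct ports denied = port scan


def parse(lines):
    """Yield (timestamp, source, kind, detail) from both log sources."""
    for line in lines:
        line = line.strip()
        m = FW_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), "fw", int(m.group(4))
            continue
        m = IDS_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), "ids", m.group(4)


def correlate(records):
    """Group records per source into events; a new event starts when the same
    source has been quiet for longer than WINDOW. Returns a list of event dicts."""
    by_src = defaultdict(list)
    for rec in sorted(records):
        by_src[rec[1]].append(rec)
    events = []
    for src, recs in by_src.items():
        current = None
        for ts, _, kind, detail in recs:
            if current is None or ts - current["last"] > WINDOW:
                current = {"src": src, "first": ts, "last": ts, "ports": set(), "sigs": []}
                events.append(current)
            current["last"] = ts
            if kind == "fw":
                current["ports"].add(detail)
            else:
                current["sigs"].append(detail)
    return events


def classify(event):
    """The article's two classes: reconnaissance or exploitation attempt.
    A lone denied packet is neither and is dropped from the analyst's queue."""
    if any("zone transfer" not in s.lower() for s in event["sigs"]):
        return "exploit-attempt"
    if event["sigs"] or len(event["ports"]) >= SCAN_THRESHOLD:
        return "reconnaissance"
    return None


def triage(lines):
    """Run the pipeline; return (prioritised events, funnel counts)."""
    records = list(parse(lines))
    events = correlate(records)
    recon_per_source = defaultdict(int)
    result = []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        if label == "reconnaissance":
            recon_per_source[ev["src"]] += 1
        result.append({"src": ev["src"], "first": ev["first"].isoformat(), "class": label})
    for r in result:
        if r["class"] == "exploit-attempt":
            r["priority"] = "critical"
        elif recon_per_source[r["src"]] > 1:
            r["priority"] = "high"   # repeat reconnaissance: likely to turn serious
        else:
            r["priority"] = "low"    # background noise: record, do not chase
    funnel = {"raw_lines": len(records), "events": len(events),
              "investigate": len(result),
              "critical": sum(1 for r in result if r["priority"] == "critical")}
    return result, funnel


if __name__ == "__main__":
    ranked, counts = triage(SAMPLE_LOGS.splitlines())
    print(counts)
    for r in ranked:
        print(f"{r['priority']:8s} {r['class']:16s} {r['src']:15s} first seen {r['first']}")
```

On the constructed input the funnel runs 14 raw lines to 5 events to 4 worth investigating to 1 critical; the scanning source that came back four hours later is raised from low to high purely because it is a repeat, which is the "likely to become serious" case the article singles out. Targeted-versus-opportunistic is deliberately not computed here: that distinction needs visibility across many networks, as in the Symantec report, and cannot be read from one organisation's own logs.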
Time is of the essence

It is essential to have access to the attack information as events are occurring and when it is needed, rather than to read it in a quarterly report. Information analysed from real-time data can provide attack trends and some basic indicators of what to expect in the future. Specific information – such as which vulnerabilities have the most exploits – is crucial when prioritising patches and can help with strategic network decisions. If the security manager knows that 85% of active attacks on a wide range of Internet gateways can be classed as ‘reconnaissance’, then that helps classify some of the attacks, or possible attacks, being seen on the company gateways. With this information, the security manager can build a picture of how often the reconnaissance attacks are taking place and perhaps even where they are coming from.

In the connected world it’s impossible to exist in secure isolation. As soon as you connect to the Internet, everyone on the Internet is connected to you. Whether they are hackers, suppliers or even customers, they can all pose a significant security risk if not managed appropriately. The time it takes for exploits and malicious code to travel across the global network is reducing all the time. Experts estimate that it took just 15 minutes for the recent Slammer worm to infect all the available and vulnerable systems on the Internet. An early alert process that gives administrators crucial minutes to protect their own systems is vital against this kind of attack. Slammer was an exception in its rapid spread. Most malicious code tends to ‘follow the sun’, infecting systems as each business day begins. But knowing, for example, that systems in Australia are being infected with a new virus, gives a security manager in Europe a few hours to react and configure security systems before their own network users reach the office and start opening emails from strangers.

Being part of a global community, sharing security intelligence and receiving early alerts for rapid reaction, will help to reduce the amount of malicious code and effective exploits circulating on the Internet. The broader and more educated the community, the better information it contains. One way to be part of such a community is by choosing a global security partner. Companies can benefit from the information gathered and analysed from across the world by experts, and anonymously circulated to the rest of the group in real-time. Other ways are to subscribe to vulnerability and alert databases such as Security Focus (www.securityfocus.com) where security managers can choose from a range of free and subscription-based information feeds relevant to their general or bespoke needs.
Protection from within

Alerts and information need not only come from outside an organization. One important part of protecting against malicious code attacks is the education of all computer users. The IT department should be reaching out to the rest of the organization and empowering everyone with computer access to play their part in enforcing the security policy. Social engineering is still the preferred method for most hackers and virus authors to gain access to corporate networks, and the IT department can work to prevent this type of activity and the successful duping of employees. Building company-wide awareness of the impact of computer use is one of the most important and immediately beneficial aspects of protecting an organization. Most employees do not want to expose their business systems to threats. Given the right education and ongoing awareness programme, they can respond effectively to reduce risk and be aware of the impact of their actions.
Prevention better, and less costly, than cure

By understanding and knowing how to use their own – and others’ – security information, IT departments can focus their resources on attack prevention. By making the best use of proactive intelligence and response, companies can deploy specific countermeasures to help prevent threats affecting their networks. They can also eliminate the hours spent searching through hundreds of websites and emails to gather information. In this way, companies maximise their IT resources, while keeping operations running smoothly.

Having access to good security information will enable the security manager to make strategic decisions about business-critical applications. Making decisions that are supported by good data will also enable the security manager to justify expenditure within the IT department and enable board members to understand the environment and requests for additional funding in this critical area of business protection.

Effective intelligence and the resulting action benefit the bottom line. The ability to gather and act on large amounts of security information in real time not only reduces risk, but also maximises return on investment (ROI) from security products by targeting resources only where they are truly needed. While the amount of data available to a security manager these days is virtually unmanageable, targeted deployment of the right tools, training and, where necessary, external services, will provide early and complete protection against cyber threats. Security managers need to make sure that they are immediately informed of vulnerabilities as they are discovered, and in such a way that enables them to take action in a timely manner. An intelligent early warning system will not only be of use to their own networks but could be of global significance, and provide advanced warning of new malicious code or vulnerabilities and their effects on the Internet community at large.