Governments warn of cyber-security


network SECURITY

ISSN 1353-4858 November 2011

www.networksecuritynewsletter.com

Featured in this issue:

Beyond scan and block: an adaptive approach to network access control

The fast evolution of today’s networks – and the challenge of securing them – mean that Network Access Control (NAC) needs to evolve. This is given impetus by the rapidly changing nature of security threats on today’s networks, the proliferation of mobile devices and the ‘consumerisation’ of IT.

Frank Andrus of Bradford Networks argues that by evolving to an adaptive network security model, organisations can meet the challenge by integrating multiple existing security technologies, correlating a vast array of information for complete network visibility, and automating network control and security policy enforcement.

Full story on page 5…

APTs: a poorly understood challenge

Advanced Persistent Threat (APT) attacks have been the subject of much debate, but there’s no escaping the fact that they’re real and widespread. Organisations are at extremely high risk and need advanced detection capabilities.

The state-of-the-art response to APTs does not involve new magic software or hardware solutions divining for APT, but relies more on asking the right questions and being able to effectively use the existing detection tools, according to Gordon Thomson of Cisco Security EMEA.

Full story on page 9…

The benefits of application detection

Social networks are vying for users’ attention, even at work. This presents security risks and sometimes takes up a great deal of bandwidth. With next-generation (NG) firewalls, administrators can at last analyse the traffic by application – blocking it if necessary.

How does the firewall identify various applications? How can the administrator manage rights and regulations? And how should those responsible for the networks handle the control they have regained? NG firewalls allow administrators to create more complex and finely tuned rules for blocking or limiting certain types of traffic. Klaus Gheri of Barracuda Networks looks at how this works and how administrators can benefit.

Full story on page 12…

Governments warn of cyber-security

The past weeks have witnessed a dramatically raised level of rhetoric around cyber-security from Western governments, perhaps not unconnected with the recent London Conference on Cyberspace.

Continued on page 2…

Contents

NEWS

Governments warn of cyber-security (page 2)
Nitro attack targets chemical firms (page 2)
Certificate ecosystem suffers further blows (page 3)
News in brief
Reviews (page 4)
Events (page 20)

FEATURES

Beyond scan and block: an adaptive approach to network access control (page 5)
The fast evolution of today’s networks – and the challenge of securing them – mean that Network Access Control (NAC) needs to evolve. This is given impetus by the rapidly changing nature of security threats on today’s networks, the proliferation of mobile devices and the ‘consumerisation’ of IT. Frank Andrus of Bradford Networks argues that by evolving to an adaptive network security model, organisations can meet the challenge by integrating multiple existing security technologies, correlating a vast array of information for complete network visibility, and automating network control and security policy enforcement.

APTs: a poorly understood challenge (page 9)
Advanced Persistent Threat (APT) attacks have been the subject of much debate, but there’s no escaping the fact that they’re real and widespread. Organisations are at risk and need advanced detection capabilities. The state-of-the-art response to APTs does not involve new magic software or hardware solutions divining for APT, but relies more on asking the right questions and being able to effectively use the existing detection tools, says Gordon Thomson of Cisco.

The benefits of application detection (page 12)
Social networks are vying for users’ attention, even at work. This presents security risks and sometimes takes up a great deal of bandwidth. With next-generation (NG) firewalls, administrators can at last analyse the traffic by application – blocking it if necessary. How does the firewall identify various applications? How can the administrator manage rights and regulations? And how should those responsible for the networks handle the control they have regained? Klaus Gheri of Barracuda Networks examines the issues.

Cracking wireless networks (page 14)
The security of wifi connections has been in and out of the news over the past few years as the integrity of the wifi encryption process has been progressively eroded. Wifi encryption is normally driven by the use of three flavours of passwords/passphrases – Wired Equivalent Privacy (WEP), Wifi Protected Access (WPA) and WPA2 – which use different methodologies to ensure (to differing degrees) the integrity of the wifi IP-based communications path. But all have come under attack, with tools available to intercept and crack authentication. Does this mean that wifi should now be considered insecure? asks Steve Gold.

Who’s in control: a six-step strategy for secure IT (page 18)
As more organisations encourage working policies that allow employees to work outside the office, the complexity surrounding remote access and support mechanisms for the IT helpdesk has also increased. There is a growing and unregulated market for solutions that can ‘fix’ IT issues quickly and efficiently no matter where workers are located; however, as with many solutions, these have their own inherent security risks that should not be underestimated. Stuart Facey of Bomgar looks at the issues.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Web: www.networksecuritynewsletter.com. Publisher: Greg Valero. Editor: Steve Mansfield-Devine. Senior Editor: Sarah Gordon. International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact. ISSN 1353-4858. © 2011 Elsevier Ltd. All rights reserved.

NEWS

Governments warn of cyber-security

...Continued from front page

In late October, Major General Jonathan Shaw, head of the UK Ministry of Defence’s cyber-security programme, was quoted in an interview by The Daily Telegraph as saying that hacking had cost the UK £27bn in the past year. The figures come from a Detica report, although there isn’t much detail about how the numbers were arrived at. Businesses took the brunt, apparently, losing £21bn, while citizens and government lost £3.1bn and £2.2bn respectively.

Iain Lobban, director of the normally very secretive GCHQ – the UK’s communications spying agency – wrote an article in The Times a few days later in which he claimed that the country had come under a “disturbing” number of attacks over the previous few months. The targets, he said, were individuals’ financial information and companies’ intellectual property. He went as far as to say the country’s “continued economic well-being” is under threat. And Foreign Secretary William Hague claimed there were more than 600 “malicious” attacks on government systems each day.

Meanwhile, a US intelligence report, ‘Foreign Spies Stealing US Economic Secrets in Cyberspace’, reported an alleged “onslaught” of mostly Chinese and Russian cyber-attacks that Robert Bryant, a US national counter-intelligence executive, described as “a quiet menace to our economy”. In the past year, the FBI has alerted more than 100 private US companies that their security had been compromised. The report is here: .

Nitro attack targets chemical firms

Symantec says it has uncovered a concerted campaign of attacks on around 50 private companies involved in research, development and manufacture of chemicals and advanced materials. Some of these organisations have defence connections.

Dubbed the Nitro attacks by Symantec, the aim appears to have been to steal intellectual property, including design documents, formulae and manufacturing processes. Although this series of attacks began in July 2011, Symantec says that the same cyber-criminals have been behind previous campaigns against other groups, such as human rights-related NGOs. Symantec’s report is here: .

Certificate ecosystem suffers further blows

The encryption certificate ecosystem has suffered two more blows. Following the dramatic breach of Certificate Authority (CA) Diginotar, and the firm’s subsequent demise, two more CAs have encountered problems.

Mozilla, Microsoft and Google are revoking trust in Digicert, a Malaysian intermediate CA (and no relation to US-based DigiCert), after the firm issued 22 certificates with weak, 512-bit keys – the norm is at least twice that length – and missing certificate extensions and revocation data. Digicert was licensed to issue Secure Sockets Layer (SSL) and S/MIME certificates using a certificate signed by Dallas firm Entrust. It was the US company that discovered the poorly configured certificates and issued revocation notices for them. Subsequently, Mozilla has already said that it will revoke trust in all certificates issued by Digicert in updated versions of its browsers, and both Google and Microsoft followed suit soon after. The reason given is the poor quality of the certificates – there has been no suggestion of fraud. However, Entrust did detect the use of two of the certificates to sign malware used in a spear-phishing attack against another Asian CA.

Meanwhile, KPN Corporate Market, a CA based in the Netherlands, has stopped issuing certificates while it investigates a security breach. The firm found ‘attack tools’ stored on one of its servers, presumably by hackers who had managed to gain access. There’s no evidence so far that any rogue certificates were generated by the attackers.