Teleworkers – extending security beyond the office


TELEWORKING

Angus Peacey, Pipex Business Services

Hackers are finding new and increasingly sophisticated ways of targeting teleworkers. Organizations must look at the new and emerging security options in order to ensure network security and prevent attacks when working away from the office environment.

The number of workers remotely accessing corporate networks is constantly on the rise, and so are the threats to business-critical information and the IT infrastructure. A new approach, “boundary networking”, allows organizations to extend the security perimeter to end point devices and help them remain secure in the teleworking age.

Many IT directors, implementing and sustaining security measures on the corporate network, spend hours making sure the network and critical information are protected from hackers, only for staff to remove software or download unsecured files. It is also problematic keeping track of how the network or company-owned computers are used in the home or out of office hours. This is why IT directors need to address these issues right now, to ensure that remote users have the necessary security protection in place as threats become more virulent and widespread.

Identity theft, malware, keylogging and phishing are now commonly used terms that most businesses are familiar with, and are becoming major concerns for a number of organizations. 28,571 unique phishing reports were received by the APWG (Anti-Phishing Working Group) in June 2006 alone – an increase of over 8,000 compared to the previous month. As a result of online activity, growing e-commerce and increases in the use of the web, more and more personal information is being stored online, which presents an obvious security risk. All of these threats are now capable of bypassing more than one layer of security. The ability to stay one step ahead is key in the fight against hackers, and this includes increasing the measures in place and changing the way security is implemented.

As the locations for accessing the network remotely become more diverse, online information is becoming ever more vulnerable. End point devices can range from a PC with fully up-to-date security software, to Internet kiosks or computers with no security measures in place at all. This is where organizations need to realise that securing the corporate network outside of the office environment is vital.

Increased risks

Teleworking presents several security challenges that are not present in the fixed, internal environment, because remote users often utilise public infrastructure, for example when using a virtual private network. It is often difficult to dictate the configuration of a system that is not directly controlled by the IT department, which has implications for securing the systems. Remote users are also at an increased risk of viruses, DDoS attacks and worms, particularly if the system is being used for personal use as well as work purposes. The teleworker’s computer will also often differ in terms of installed software. Security software installed on the corporate office PC may not run on the home worker’s machine, or may have been uninstalled by the user or even a member of their family. Clearly, whilst the corporate network may well be protected, it is much harder to effectively manage and monitor the teleworker environment.

Rising threats

According to the UK’s Office for National Statistics Labour Force survey, there are over two million teleworkers in the country and 82 million requiring secure access to the corporate network across the United States and Western Europe. With so many workers opting to work away from the office, enterprises need to look separately at the security measures in place, and should not assume that those already protecting the internal network will be sufficient. This is becoming increasingly true as the number of threats continues to rise.

Figure 1: The location of threats and attacks has moved from the edge of the network to user devices.

Network Security

November 2006

Problems of the ‘private’ network

VPNs (virtual private networks) are the most commonly used method for home or remote workers to connect to the corporate network. VPN traffic is carried over the public network (i.e. the Internet). The main security idea in creating a VPN is tunnelling, where data being transferred is encrypted between the two VPN endpoints, so that information cannot be viewed from the outside. For many businesses that have remote or home users, using a VPN facility is considered the most effective way of maintaining privacy and security. DSL has become an accepted platform for business-critical applications, but businesses should be aware that VPNs are not always the best option to provide remote access capabilities, and they may in fact be creating unintentional back doors into the corporate network for hackers. VPNs make use of public infrastructure, which means that they are not always completely secure.

Hackers are capable of putting malware or trojans onto the end PC device that is connected to the VPN. These viruses then capture information which is ‘dropped’ onto the public network. It then becomes all too easy for people to access this information and therefore gain entry to the virtual private network and all critical and sensitive information stored on it. In today’s changing security landscape, VPNs should not be the only measure implemented to protect the network.

Protecting the teleworker environment

• Build up a layered security architecture by implementing several measures to protect the corporate network.
• Extend the security perimeter all the way to the edge of the network. This will ensure the end user device, such as the laptop, is protected from viruses and hackers. This will also help guard against the vulnerabilities that can be associated with using a VPN.
• Install and update anti-virus and anti-malware software.
• Install a hardware firewall, as this will provide more protection than a software firewall and can protect all the machines on a network.
• In addition to firewalls, IT directors should consider an intrusion detection system. Always-on DSL connections pose a bigger risk and are targeted by hackers. Installing an intrusion detection system can alert staff to a possible attack and therefore enable IT managers to act to help combat the threat.
• Ensure a corporate IT policy is in place and properly enforced. Clear guidelines on the use of company machines, IT systems and acceptable websites are needed to protect the company network.
• Staff passwords and logins should be alphanumeric and contain enough characters. Using symbols in a password and non-dictionary words can also help prevent hackers using password-cracking software.
• When working wirelessly, always ensure all information is encrypted, including data stored on a USB memory stick. Always use the highest possible level of encryption.
• Carry out a regular and thorough risk assessment to address new threats and ensure the correct security measures are in place to combat emerging risks.

Building a defence

A traditional two-dimensional virtual private network security model, where perimeters are secured for running across the public network, is no longer adequate when using VPNs to counteract changing and emerging threats. Strong perimeters and password systems are not enough to provide the required level of security, and can easily be bypassed with hackers’ password-cracking software. What enterprises should be looking for is adding additional layers of security to the already existing two-dimensional approach. Adopting a layered defence system will help build up a security architecture and extend the security perimeter, right out to the edge of the network.

Organizations need to restore privacy to the teleworker environment by building up a layered defence and moving away from using a VPN tunnel, towards an approach that does not rely solely on encryption. Extending the boundary of the corporate network into teleworkers’ homes and on the move could be key in the fight against hackers and viruses, by adding additional layers to the security architecture. This concept, or “boundary networking”, accounts for the changes in the locations of new threats and counteracts some of the more prominent and growing problems that are affecting corporate networks and the teleworker environment, such as phishing and worms.

Whilst boundary networking may be an emerging concept that will help protect the network, other measures still need to be in place. Extending the security perimeter to the end user device does not mean the end of firewalls and anti-virus software. A hardware firewall and virus-scanning software are still essential measures that need to be implemented. A number of software and anti-virus solutions may need to be combined in order to add extra layers of security to address the risks of working remotely. For example, web content filtering products that operate on the server level can provide additional levels of anti-virus protection, as can intrusion detection systems.

There are key aspects to securing the corporate network that businesses should consider. Extending boundaries and securing the network to the end user device will help to counteract any threats. This will also help to prevent information being ‘dropped’ onto the public infrastructure, thereby securing business-critical data or customer details. In addition, one of the crucial aspects in ensuring the network is secure is building up layers of security, rather than relying on a single firewall or anti-virus software. The key to preventing such attacks is building up a combination of defences.

Conclusion: service delivery

As it is the Internet service providers who have control of the public Internet, only they can provide organizations with the capability to expand the security perimeters. The industry is challenging ISPs to offer this enhanced security capability. Enterprises need a true private network, which involves creating security measures embedded in the network. These also need to specifically address the new and emerging threats of today that are most likely to affect a business. The problem with teleworkers is that IT directors have a lack of control over the machine and what they are accessing. Businesses need to regain the control by implementing an integrated, multi-layered approach to security measures that can counteract viruses, worms, identity theft etc., no matter what purpose the remote worker is using the end device for.

About the author

Angus Peacey is head of product marketing at Pipex Business Services, focusing on security and boundary networking products. He started his career as a software architect in South Africa, working for several corporate organizations. Prior to joining Pipex, he worked at Cogenta Systems. His career also includes a two and a half-year stint at LANNET, Lucent Technologies and Avaya, where his roles included South Africa Country Manager.

ATTACK TRENDS

The changing face of IT security

Bruce Potter

Faced with multiple changes in the IT landscape, it is sometimes hard to keep track of where the technology trends are going. Some varieties of attacks occurring today leave traditional security measures standing.

Protecting an enterprise can be a shockingly difficult task. The attackers that are attempting to gain access to your systems are a largely unknown quantity. One day they could be knocking loudly on your door, while the next it seems that your fortress is totally secure. Beyond that, budgets need to be drawn up, staff need to be trained on the latest techniques, and business units are constantly putting pressure on the integrity of your security architecture. The attackers that we face today are much more sophisticated than those in years past, and the types of attacks that are being executed are beyond the scope of the classic suite of security products to stop. When thinking of what products and services to use to protect your enterprise, you must first be aware of the recent developments in attack technology and the impact these developments have on your existing products and architecture.

Decreased exploit development timeframe

Exploits can be created through two different processes. A security researcher (or attacker, depending on the person’s motivation) can find a vulnerability in a program through direct inspection methods such as code review, protocol fuzzing, or simple experimentation. Once a vulnerability is found, the researcher may then choose to build an exploit that leverages the vulnerability for system access or system disruption.

The other way exploits get written is through examination of a patch or other artifact of the vulnerability. Rather than directly finding the location of the vulnerability, the researcher can reverse engineer a security patch released by the vendor, determine what was changed and assume what was vulnerable. Patches can be either source code patches, common with open source software, or binary patches, which are often seen with COTS software. Based on the researcher’s assumptions and their reverse engineering activities, a working exploit can then be created.

The technology and methods for reverse engineering patches in order to develop an exploit have become more sophisticated in recent years. Data for worms created four or five years ago indicate that the exploit embedded within them was directed at code that was patched weeks, if not months, prior. However, in more recent worms and virus outbreaks, the malicious payloads were targeted at patches that were released only days prior. Also, security researchers have repeatedly demonstrated their ability to reverse engineer patches and create malicious payloads for tools such as Metasploit in a matter of hours from patch release. The end result is that the release of a patch to the public is effectively the same as the release of an exploit. While patch management is a necessary part of any enterprise’s security architecture, it is unrealistic to expect that patches can be deployed in advance of an exploit being