An Index for Network Threat Detection [Page 9] - Plixer International

ISSN 1353-4858/10 © 2011 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

network SECURITY

ISSN 1353-4858 January 2014 www.networksecuritynewsletter.com

Featured in this issue:

Protecting your identity when working remotely

To ensure security, many companies use authentication, typically with a username and password. And many firms have turned to two-factor authentication – but even this approach is not perfect.

Hardware tokens require the use of a pre-programmed seed, a record of which is kept by the issuer of the token – and this is a weak point in the security. Steve Watts of SecurEnvoy explains why more people are now turning to soft tokens to avoid this problem.

Full story on page 5…


Contents

NEWS

More NSA revelations: backdoors, snooping tools and worldwide reactions 1

Yahoo ads spread malware 20

CryptoLocker success leads to more malware 20

FEATURES

Protecting your identity when working remotely 5
To ensure security, many firms have turned to two-factor authentication. However, even this approach has built-in vulnerabilities. Steve Watts of SecurEnvoy explains why more people are now turning to soft tokens to avoid this problem.

Why CMS platforms are breeding security vulnerabilities 7
Content management systems (CMS) raise many security concerns and offer hackers a large attack surface. But, as Barry Shteiman of Imperva explains, there are steps you can take to improve your security.

An index for network threat detection 9
Threat indexes help to make sense of suspicious activities through a scoring system. And this can be implemented very easily using flow technologies built into all recent networking equipment, explains Mike Patterson of Plixer International.

Interview: Corey Nachreiner, WatchGuard – security visibility 11
It’s sometimes difficult to know what’s happening on your network, but with the help of visualisation tools we can start making sense of all that log data, explains Corey Nachreiner of WatchGuard to Steve Mansfield-Devine.

The global data protection conundrum 16
Organisations need to take responsibility for protecting their own data regardless of where it resides. And the best way of doing that is through encryption, allied with careful key management, argues Richard Moulds of Thales e-Security.

Big data: an information security context 18
From a security perspective, exploiting the benefits of big data requires a certain set of technical skills that are only hastily covered in the current educational tracks for infosecurity, explains Conrad Constantine of AlienVault.

REGULARS

News in brief 3

Reviews 4

Events 20


Why CMS platforms are breeding security vulnerabilities

Content management systems (CMS) have become far more popular in the past couple of years. But like all software, CMSs have many security concerns. Third-party software like this is out of your control. The popularity of CMSs has been a boon for hackers, giving them a much larger surface area to attack. But, as Barry Shteiman of Imperva explains, there are steps you can take to improve your security when using CMSs.

Full story on page 7…

An index for network threat detection

It can be difficult to decide what constitutes malicious behaviour on a network. And if we respond too quickly to alerts from security systems, time, money and resources are wasted in chasing false positives.

Threat indexes provide a more measured and reliable indication of problems. And they can be implemented very easily using flow technologies already built into all recent networking equipment, explains Mike Patterson of Plixer International.

Full story on page 9…
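The scoring idea in the blurb above, worked through as an added Python example. This is not code from the article or from Plixer: the flow records, the indicator definitions, the weights, the baseline port set and the threshold are all assumptions made here to show how a per-host index accumulates several weak flow-derived signals so that one oddity alone does not raise an alert.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """Minimal flow record of the kind exported by routers and switches."""
    src: str
    dst: str
    dport: int
    packets: int


# Constructed sample flow records (not real traffic, not from the article).
SAMPLE_FLOWS: List[Flow] = (
    # 10.0.0.5: twelve one-packet flows to consecutive ports on a single host
    [Flow("10.0.0.5", "10.0.0.20", port, 1) for port in range(1, 13)]
    # 10.0.0.9: ordinary web and DNS traffic
    + [Flow("10.0.0.9", "93.184.216.34", 443, 20), Flow("10.0.0.9", "10.0.0.2", 53, 2)]
    # 10.0.0.7: one flow to an unusual port, otherwise nothing notable
    + [Flow("10.0.0.7", "10.0.0.21", 8080, 30)]
)

# Assumed indicator weights and baseline; the article's own values are not on this page.
WEIGHTS = {"many_ports_one_dst": 40, "tiny_flows": 20, "unusual_dport": 15}
BASELINE_PORTS = {22, 25, 53, 80, 443}
MANY_PORTS = 10      # distinct ports on one destination that look scan-like
TINY_PACKETS = 2     # flows this short carry no real session


def indicators_for(flows: List[Flow]) -> List[str]:
    """Return the names of the indicators a single host's flows trigger."""
    hits: List[str] = []
    ports_per_dst = defaultdict(set)
    for f in flows:
        ports_per_dst[f.dst].add(f.dport)
    if any(len(ports) >= MANY_PORTS for ports in ports_per_dst.values()):
        hits.append("many_ports_one_dst")
    tiny = sum(1 for f in flows if f.packets <= TINY_PACKETS)
    # Only count tiny flows once there are enough of them to mean something
    if len(flows) >= MANY_PORTS and tiny / len(flows) > 0.5:
        hits.append("tiny_flows")
    if any(f.dport not in BASELINE_PORTS for f in flows):
        hits.append("unusual_dport")
    return hits


def threat_index(flows: List[Flow]) -> Dict[str, int]:
    """Weighted sum of triggered indicators per source host."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: sum(WEIGHTS[i] for i in indicators_for(fl)) for src, fl in by_src.items()}


def hosts_over_threshold(flows: List[Flow], threshold: int = 50) -> List[str]:
    """Hosts whose index is high enough to be worth an analyst's time."""
    return sorted(h for h, s in threat_index(flows).items() if s >= threshold)


if __name__ == "__main__":
    for host, score in sorted(threat_index(SAMPLE_FLOWS).items()):
        print(f"{host:10} index={score}")
    print("investigate:", hosts_over_threshold(SAMPLE_FLOWS))
```

With these assumed weights the scanning-like host scores 75 and is reported, the host with a single unusual port scores 15 and is not, and the host with only web and DNS traffic scores 0; the threshold is what keeps the single-signal case from becoming a false positive.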

More NSA revelations: backdoors, snooping tools and worldwide reactions

There currently seems to be no end to the revelations about spying by the US National Security Agency (NSA), most of them coming, of course, from documents leaked by former contractor Edward Snowden. And the steady flow of divulged secrets continues to have repercussions – some serious, some not.

There have been two conflicting legal judgments in the US concerning the NSA’s activities. One federal judge, US District Judge Richard Leon in Washington DC, held the spying to be an infringement of the US Constitution and “almost-Orwellian”.

“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systemic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analysing it without prior judicial approval,” he wrote in a case brought by five people against the US Government.

Continued on page 2...

NEWS

Network Security January 2014, page 2

Editorial Office: Elsevier Ltd

The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom

Fax: +44 (0)1865 843973 Web: www.networksecuritynewsletter.com

Publisher: Greg Valero E-mail: [email protected]

Editor: Steve Mansfield-Devine E-mail: [email protected]

Senior Editor: Sarah Gordon

International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The

Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University

of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower;

Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact

Production Support Manager: Lin Lucas E-mail: [email protected]

Subscription Information
An annual subscription to Network Security includes 12 issues and online access for up to 5 users. Prices: E1112 for all European countries & Iran; US$1244 for all countries except Europe and Japan; ¥147 525 for Japan (Prices valid until 31 January 2014). To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971. Email: [email protected], or via www.networksecuritynewsletter.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited


...Continued from front page

However, US District Judge William Pauley of New York ruled that the NSA’s bulk interception of phone metadata was lawful. It’s not clear whether the US Supreme Court will rule on this contradiction.

A Presidential Task Force set up by Barack Obama to examine the NSA issue has issued its first report and has concluded that: “Excessive surveillance and unjustified secrecy can threaten civil liberties, public trust, and the core processes of democratic self-government.”

It acknowledges the need for surveillance, but recommends the imposition of new guidelines and restrictions.

Meanwhile, two academics have examined the NSA programmes and concluded that they are probably not ‘cost-effective’. Their research can be found here: http://politicalscience.osu.edu/faculty/jmueller/NSAshane3.pdf.

Among the recent discoveries to come out of the Snowden documents is a catalogue of tools available to NSA operatives. These details came from a document prepared by an NSA division called ANT and were reported by journalist Jacob Appelbaum and Der Spiegel magazine.

Many of these tools have been developed by the NSA’s Tailored Access Operations (TAO) unit and include DROPOUTJEEP – iPhone bugging software (which requires physical access to the phone to implant). This led to Apple making a public statement that it has never worked with the NSA to facilitate backdoors on its devices.

Other tools allow for the exploitation of zero-day vulnerabilities on networking and other equipment. Many of these exploitable flaws are not known outside the NSA, or have been bought from companies such as Vupen. It has also been revealed that the NSA intercepts Windows crash reports – which are sent over the Internet in clear text – as a way of building a profile of potential vulnerabilities on target systems. In addition, it has been alleged that the TAO office has intercepted shipments of PCs in order to install malware on them. And it seems the NSA is working on a quantum computer that would be able to crack all encryption – although it’s likely that’s some way off yet.

In the first parliamentary inquiry into the NSA’s activities, a 51-page draft report by the European parliament’s civil liberties committee condemned the spying in the “strongest possible terms”, and said that both the NSA and the UK’s GCHQ appeared to be guilty of illegal actions. Further examination by the European parliament could include testimony from Edward Snowden, via video link, after MEPs voted overwhelmingly to invite him to participate. Only two MEPs, both Conservative members from the UK, voted against it, with 36 votes in favour and one abstention.

A study by Peer 1 Hosting has found that a quarter of the UK companies they surveyed intend to move the hosting of their data beyond US borders, as a direct result of the Snowden affair. Canadian firms are even more leery of keeping their information where the US Government can easily poke around: a third of them plan to move away from US datacentres.

That said, among UK and Canadian firms, the US remains the most popular location for storing any data that they don’t keep at home, with just over half definitely planning to keep information stored there. The top three concerns for firms, when it comes to hosting, are security (96%), performance (94%) and reputation (87%). Nearly 70% would be prepared to sacrifice some performance in return for data sovereignty.

Among the information in the Snowden leaks is the claim that the NSA secretly paid security vendor RSA $10m in return for the latter adopting the Dual_EC_DRBG random number generator algorithm as the default option for its BSAFE cryptographic toolkit. Following the Snowden leaks, RSA suggested that organisations no longer use the algorithm, which many believe to have been weakened by the NSA. RSA issued a denial, but only went as far as to say that it had never knowingly put a backdoor in its toolkit at anyone’s behest – which is not quite what was being alleged. Security researchers have been dubious about Dual_EC_DRBG since 2006.

Continued on page 19...

NEWS

In brief

Bot traffic bigger than human web activity…

For the first time in the US, the amount of Internet traffic generated by malicious bots was greater than that caused by human activity, according to Solve Media. The firm said that 51% of US web traffic in Q3 of 2013 was the result of malicious activity. And mobile data is starting to suffer from the same effect: 27% of mobile traffic was thought to be malicious, the firm claims, up from 22% in the previous quarter. Some other countries have it worse, though: Solve’s report says that bots account for 83% of web activity in Estonia, 79% in Singapore and 77% in China. The report is available here: http://news.solvemedia.com/post/70487101632/us-bot-traffic-q4-2013.

…as bots take over the Internet

A similar report from Incapsula, the cloud-based application security arm of Imperva, also concludes that automated web traffic is on the rise and data from bots now accounts for as much as 61.5% of all website traffic. Its ‘Bot Traffic Report’ for 2013 analysed 1.45 billion site visits over a 90-day period and found a 21% increase in automated traffic compared to the previous year’s report. This is by no means all malicious: much of the automated traffic consists of search engines and other legitimate applications. However, a significant proportion of it is due to malicious traffic such as site scrapers, hacking tools, comment spammers and other home-grown bots. Incapsula also notes, however, that the proliferation of web services has also brought about an increase in bots scouring the Internet for information, all of which consume bandwidth and degrade service levels. The report is available here: http://www.incapsula.com/the-incapsula-blog/item/820-bot-traffic-report-2013.

Two-thirds of banking apps have flaws

An examination of 60 iOS home banking apps from some of the top banks in the world found that 40 had serious flaws. Ariel Sanchez, a security consultant with IOActive, said that most of the apps had some kind of flaw – for example, 90% contained non-SSL links and 40% do not validate SSL certificates. Half were vulnerable to JavaScript injections and 70% do not allow any out of band or multi-factor authentication. Log files and crash reports for many of the apps exposed sensitive information. And when he disassembled the apps, using IDA Pro and the Clutch decryption tool, Sanchez found hard-coded credentials in many of the apps. There’s more information at: http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html.

LinkedIn profiles scraped by hackers

An unknown group of hackers has used Amazon’s Elastic Compute Cloud (EC2) to run multiple virtual machines that generated thousands of fake LinkedIn accounts. These accounts were then used to scrape profile information for hundreds of thousands of LinkedIn users each day, for an unspecified period. They were also, somehow, able to bypass a number of security mechanisms, such as Captchas, designed to stop this kind of activity. LinkedIn said it has now closed the fake accounts and has lodged a lawsuit against a number of ‘John Does’ – an action that will allow it to use discovery rules to pursue information about the attackers, such as payment methods and IP addresses used with their Amazon accounts. LinkedIn also said it has implemented new technical safeguards.

Robbing ATMs via USB

Crime gangs have been using nothing more violent than USB memory sticks to empty ATM machines, according to research presented at the recent Chaos Communication Congress. The method involves cutting a hole in the plastic facia of certain types of ATM to reveal a USB socket. After inserting a USB stick loaded with boot software and malware, the attackers reboot the machine, then cover the hole. Those who know the right codes can then access maintenance menus for the machine and withdraw cash. This has happened for real in Brazil, the researchers said, with the criminal gangs going so far as to build a challenge-response mechanism into the software. This means that lower-level members of the gangs cannot withdraw cash without obtaining a secret code from their superiors. It also stops rival gangs from exploiting the hacked machines. It has not been revealed which types of ATM are affected – since a presentation by the now-deceased Barnaby Jack at the Black Hat conference three years ago, most banks have hardened their machines against this kind of attack.

Backdoors in network devices…

Yet more backdoor vulnerabilities have been discovered in networking equipment. An exploit published by Eloi Vanderbeken on Github is capable of forcing broadband routers to do a factory reset. This then allows an attacker to take over the device by using the default login credentials. The exploit affects a number of devices manufactured by Sercomm and sold under the brands Cisco, Linksys, Netgear, Diamond, LevelOne and OpenWAG. The flaw involves an undocumented listening service on TCP port 32764 – previously noted by other researchers. By reverse engineering the router’s code, Vanderbeken found he was able to issue commands to the router without needing to be authenticated as an administrator. The details and proof of concept Python code are available here: https://github.com/elvanderb/TCP-32764.

The SANS Institute’s Internet Storm Centre (ISC) has said that it is now seeing a lot of scans against this port on the Internet coming from three IP addresses and the Shodan search engine, which suggests that cyber-criminals – or perhaps government intelligence agencies – are searching for routers vulnerable to this attack. In one morning, nearly 20,000 scans against more than 4,000 targets were logged.

…and spy satellites

The United Arab Emirates (UAE) may cancel a €700m deal with the French suppliers of two Falcon Eye spy satellites over fears that the spacecraft contain US technology that could be fitted with backdoors. It’s not clear specifically what was discovered, but the announcement included a reference to “security compromising components”, and a source quoted by Defense News said that the French firms – Airbus Defence and Space and Thales Alenia Space – had been asked to change the components. Some commentators have expressed surprise that the satellites contained any US-sourced parts, and speculated whether this could be a negotiating ploy by the UAE.

ICO to focus only on serious breaches

Just as new data protection laws are threatening to come into action in Europe, the UK’s Information Commissioner’s Office (ICO) has said it will limit the complaints it investigates. Under newly proposed complaint-handling procedures, the ICO will seek to hand off cases to other bodies rather than pursue them itself if the data protection element is not strong enough. It said that it currently becomes involved in too many cases where compliance with data protection laws is “peripheral”. “We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation,” the ICO said. The draft proposals are contained in a consultation document available here: www.ico.org.uk/news/blog/2013/~/media/documents/library/Corporate/Research_and_reports/A-new-approach-consultation.pdf

SEA claims credit for Skype hacks

The Syrian Electronic Army, a pro-Assad hacker group, has claimed responsibility for breaches of Skype’s blog, Facebook and Twitter accounts. This was the first action by the group that seems to have no apparent link to the civil war in Syria. The group said it carried out the hacks in order to protest against what it alleges is collaboration by Microsoft, Skype’s owner, in NSA spying activities.


REVIEWS

Cyber-security

Thomas Mowbray. Published by Wiley. ISBN: 9781118697115. Price: $42.50, 336pgs, paperback. E-book edition also available.

Securing the enterprise requires a multi-faceted approach encompassing strategic, technical and managerial elements, all of which have to work in harmony if any reasonable level of security is to be achieved. Most books on security content themselves with covering just a single domain, often divorced from the wider context. This one attempts much more than that.

According to the introduction by author Thomas Mowbray, the book is aimed at graduate and undergraduate students, information security practitioners and IT professionals who want to know more about cyber-security. To that end, his approach here is highly practical – and yet this is not another of those books that simply give you a to-do list of services to shut down or ports to close. In this case, structure and context are all-important.

That’s because Mowbray is working to a framework – in fact, more than one. Before moving into information security, Mowbray’s speciality was as an enterprise architect – and it shows, being echoed not only in the approach to security but also in the structure of the book itself.

The first of its three parts introduces network security concepts and the key challenges you will face. It also introduces the Zachman Framework, a way of breaking down the complexity of the enterprise into a grid that, among other things, tells you who does what, providing a clear analysis of responsibilities and domains.

Another example of Mowbray’s enterprise architecture background is his emphasis on the use of ‘antipatterns’. This is going to be something of a shock for anyone accustomed to dealing with network security in the cut and dried context of technology. Antipatterns are concerned with behaviours, particularly those that become habitual or embedded in the workplace culture. Even the security business itself is not immune: Mowbray makes a convincing case that much security activity is about box-ticking, or achieving certification and compliance, rather than tackling the problems themselves.

Recognising and breaking our bad habits is essential if real progress is to be made in security, the author asserts. Once the problem is properly identified, a more accurate and effective remedy – known as a ‘refactored solution’ – can be applied. This might seem an uncomfortably ‘soft’ way of dealing with a subject that has – to many, at least – always seemed like a hard science. But the truth is, even though threats like social engineering, poor password practices and other human-oriented issues have been recognised for a long time, most information security still focuses on the technical aspects of ports, protocols, permissions and programming. Yet anyone who has spent any amount of time in the trenches of corporate network security will tell you that people are the problem.

Part two is where the practical work really begins, so it’s no surprise this is the longest section. Areas covered include: network administration; protocol analysis and network programming; vulnerability analysis and penetration testing; and log analysis. There’s also a chapter on configuring and using BackTrack. Although this security-oriented Linux distribution has now been superseded by Kali Linux, which is likely to make following some step-by-step instructions tricky, most of the ideas should translate easily enough.

The final part looks at specific domains, such as small businesses, datacentres, cloud and healthcare. There’s a chapter on cyber-war and another that goes to the opposite end of the spectrum to focus on end users, the use of social media and other issues at what might be termed the personal level. There’s also another theme that crops up in many places in the book – that of education, and particularly the challenge of producing appropriately trained information security professionals.

With its combination of hard subjects – such as analysing logs and scanning a network with Python – and the apparently soft subject of behaviour, this is an unusual approach to information security. But it’s one in which everything is set within a more comprehensive context. As such, it’s one of the best books I’ve read in terms of seeing security as a multi-dimensional problem, having a multi-faceted solution.

For more information, go to: http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118697111.html.

– SM-D

Investigating Internet Crimes
Todd Shipley and Art Bowker. Published by Syngress. ISBN: 9780124078178. Price: $49.95, 496pgs, paperback. E-book edition also available.

The world’s law enforcement agencies have come a long way since the early days of PCs and the Internet. Many countries now have specialised e-crime units and awareness of cyber-crime has improved. Yet there is still often a lot of confusion about how to respond to incidents.

Outside the law enforcement community, the situation is pretty similar. Network managers, for example, may understand that they have been hacked, or are targets for phishing and other malicious activities. But how do you go about building a detailed picture of what’s going on? And where do you start with collecting evidence?

After some introductory chapters detailing what the authors mean by cybercrime, how to profile the criminals and a brief history of the Internet and how it works, the book delves into the practicalities of gathering and documenting evidence.

You’re given plenty of detail about the tools you’ll need, but there’s an equal emphasis on procedure. That’s important if you want to ensure that you conduct as thorough an investigation as possible, and that what evidence you accumulate will be admissible in court, if it ever comes to that.

Among the topics covered are: tracing emails and IP addresses; investigating websites and social networking services; and examining other communications protocols, such as instant messaging and P2P.

This book is written by two authors with extensive, real-world experience in the field, and it shows. Anyone who has felt the need to trace the origins of an attack – police officer, network specialist or individual – will find this an invaluable manual.

There’s more information here: http://store.elsevier.com/Investigating-Internet-Crimes/Todd-Shipley/isbn-9780124078178/.

– SM-D


Protecting your identity when working remotely


Steve Watts, SecurEnvoy

Businesses are becoming increasingly concerned with the amount of personal and company data that is available to government authorities. And with good cause: unbeknown to many business leaders and employees, it is possible for government organisations to access business data not only without having to ask permission from anyone in the company, but without anyone even finding out about it.

Companies need to make sure that their information is secure and that they know exactly who has access to it. This is becoming increasingly difficult, especially when businesses have many remote workers all logging on to a company system from different locations, at different times.

“A token manufacturer storing a copy of the seed record represents a fundamental flaw within the architecture of its authentication technology”

To ensure such security, many companies use authentication, the process of identifying a user before granting access to information, typically by a username and password. Two-factor authentication adds, to something that the user knows (the username and password), a physical object that the user owns. This is either a hardware token (like the kind used to access online banking) or it can form part of an employee’s personal device (for example, in the form of an app on a smartphone).

Weak point
Ironically, data can often be accessed via the very security company that a business uses to make its data secure – eg, a provider of hardware tokens or two-factor authentication.

When providing a hardware token, the manufacturer pre-loads a seed record or secret key onto the device, which is the basis of two-factor authentication. The secret key is constant but works in synchronisation with a moving factor to produce a six-digit passcode for secure log-in. In the case of time-based tokens, the moving factor is time (Coordinated Universal Time, or UTC – the time standard used for many Internet and web standards).

A moving factor is a value that must be changed each time a new passcode is generated in order to ensure that a different passcode is always created. Time-based tokens divide the clock into fixed steps, typically 30 seconds, so a passcode generated at 12:00:01 will be different from one generated at 12:00:31. That passcode, generated from these two factors – the seed record and the correct time – when put through an algorithm (usually OATH TOTP, the HMAC-based one-time passcode algorithm standardised as RFC 6238 and used by companies worldwide), results in the one-time passcode for log-in flashing up on the screen of the token.

A typical hardware token, which needs to be pre-loaded with a seed record.

Seed records are produced when a token is first manufactured and, within that process, a copy is made and kept with the manufacturer. The secret key is specific to the device it was programmed on but the copy remains with the original developer. A token manufacturer storing a copy of the seed record represents a fundamental flaw within the architecture of its authentication technology, and storing seeds anywhere other than on the device they’re programmed to work with poses a potential security risk. As the secret keys are generated before the customer needs them, and not on demand as end users enrol their devices, the authentication company is required to store customer seed records on file, which threatens the security of their customers’ data.

The threat emerges when the seed record is obtained by an unauthorised person and combined with the exact conditions that will produce the user’s one-time passcode. Because the time is always a known factor, once someone gets hold of the secret key or seed record – for example, via a targeted attack on the authentication company’s data – they can synchronise to the corresponding time, put the two through the necessary algorithm and then access that individual’s information. The algorithm is not the hard part: it is published openly and anyone can download an implementation from the Internet, so the entire security of the token rests on the seed staying secret. Join the seed record and the correct time together, run them through the algorithm, and the code can be divined.

“Businesses need to know that if their own security systems are going to be watertight, their security suppliers’ must be as well”

Imagine if the authentication company that holds copies of your business’ seed records suffers a data breach and those seed records are released onto the Internet or into the hacker community. The breach is not of your infrastructure, so you might never learn of it, but it is your data at risk. Businesses need to know that if their own security systems are going to be watertight, their security suppliers’ must be as well. There is a demand, therefore, from companies to be in complete control of their whole security without needing to introduce a third party into the security process. The knowledge that the company that provided your secure devices could suffer a data breach or be attacked by cyber-criminals, and that your data could then fall into the wrong hands, would frighten any company.

Government requests
There is another risk, and one less likely to be at the forefront of an IT manager’s mind than a malicious attack. Under current laws, particularly in the US and UK, government organisations can request copies of specific secret keys that businesses use to access their corporate data. However, the Government can also request them from the authentication companies that automatically store copies of their customers’ seed records when they are created.

This means that, without the knowledge of the customer, government organisations can access their information via the seed records obtained from the manufacturer simply by running them through the algorithm with the correct time. The customer of the authentication token manufacturer does not have to be informed of this and could easily have no knowledge if the Government chose to investigate their data. Even if your business is based in a country where this is not a concern, if your hardware token supplier is based in a country where it is a possibility, that government will be able to gain access to your data legally, without your permission.

“What happens when the user’s phone gets passed on or lost? If the seed record is still on the device, then the individual’s corporate identity goes with it”

This not only compromises the integrity of the manufacturer but of your business too as, in turn, your customers’ data is compromised. The authentication manufacturers aren’t required to let their customers know that the Government has accessed their information, lessening the trust their customers will have for them.

But why do two-factor authentication companies keep seed records if it potentially puts their customers at risk and therefore limits the trust placed in the company? Because pre-programming authentication seeds into hardware tokens is far less labour intensive for a static device than programming each token to produce a new and unique seed record once it is in the ownership of the employee.

More attractive solution
Because they do not have to be pre-programmed, software tokens are becoming a more attractive solution for businesses. A soft token is one that is downloaded as an app or program to the user’s device – this could be a smartphone, laptop or even a landline telephone – which they can then use as an authentication tool in the same way they would a physical token. However, many soft token manufacturers also store seed records. This is unnecessary – a soft token, whether an app or SMS, starts completely blank. It is seeded with the secret key only after it has been assigned to its owner, so there is no benefit to the manufacturer in pre-programming or storing the records.

Nevertheless, even with the soft token method, most users will have stored on their devices a complete seed record, which raises another concern – what happens when the user’s phone gets passed on or lost? If the seed record is still on the device, then the individual’s corporate identity goes with it.

The first part of the solution is to generate seed records only on premise, as the employee enrols. Doing this means no copy of the seed record is stored with the manufacturer – instead it resides only on the device and on the company’s own security server, so it is much harder to obtain a copy and therefore to synchronise it with the clock and compute the one-time passcode.

Software tokens can be provided via mobile apps.

Additional security
This technology exists but is yet to be used universally by authentication firms. The method works by splitting the seed record into two sections for additional security. One half of the seed record is a pre-programmed code and the other half is derived from a characteristic unique to the user’s device – for example, information from the SIM card or CPU that is passed back to the server when the user enrols their device. From those inherent characteristics, the solution can derive the second part of the seed record so that only half of the seed is stored on the phone itself.

Each time a passcode is required by the user, the device decrypts the first part and then re-fingerprints the device to derive the second part. These seed records are only ever known to the local security server that resides within the customer’s own computer room and only part-known to the end user’s device. Therefore, the authentication provider never even knows what the secret keys are, and if someone were to copy the contents of the phone, there would not be enough information in the copy to generate the whole seed record. The protection is against the stored half being lifted off the device, by a backup extraction or a clone, and replayed elsewhere; code running on the original hardware can still read the same characteristics, so the split does not remove the need to protect the device itself.
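The two points above, that a leaked seed plus a clock reproduces the token’s code, and that a split seed leaves the device with too little to do so on its own, are easier to see in code. The block below is an added example written for this article, not SecurEnvoy’s code. The HOTP/TOTP functions follow RFC 4226 and RFC 6238 exactly (the first test seed is the RFC’s own test vector); the device fingerprint, the HMAC combiner used to rebuild the seed from its two halves, and all sample values are assumptions made for illustration.

```python
"""OATH TOTP from a seed plus the clock, and a split seed that never lives
whole on the device.

Added example, not SecurEnvoy's code.  hotp()/totp() follow RFC 4226 /
RFC 6238; device_fingerprint(), derive_seed() and all sample values are
assumptions made for illustration.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the moving factor is the number of 30-second steps since the
    Unix epoch (UTC), so two clocks in different windows give different codes."""
    return hotp(seed, unix_time // step, digits)


# Seed from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def attacker_code(leaked_seed: bytes, unix_time: int) -> str:
    """What a holder of a leaked seed record computes: the algorithm is public
    and the clock is public, so the code equals the one the genuine token shows."""
    return totp(leaked_seed, unix_time)


def device_fingerprint(characteristics: dict) -> bytes:
    """Hash of device-unique characteristics read back at run time.
    Which characteristics (SIM, CPU id) and how they are encoded are assumptions."""
    canonical = "|".join(f"{k}={characteristics[k]}" for k in sorted(characteristics))
    return hashlib.sha256(canonical.encode()).digest()


def derive_seed(stored_half: bytes, fingerprint: bytes) -> bytes:
    """Rebuild the full seed: the half kept on the device plus a half derived from
    the fingerprint.  HMAC-SHA256 as the combiner is an assumption; the server,
    which learned both halves at enrolment, derives the same 20-byte seed."""
    derived_half = hmac.new(stored_half, fingerprint, hashlib.sha256).digest()[:10]
    return stored_half + derived_half


def split_seed_demo() -> dict:
    """Constructed scenario: the stored half is copied off the genuine phone and
    replayed on different hardware; only the genuine device derives the seed the
    server expects."""
    stored_half = b"\x01\x23\x45\x67\x89\xab\xcd\xef\x10\x32"  # hypothetical enrolled value
    genuine = device_fingerprint({"iccid": "8944110065000000001", "cpu": "ABCD-0001"})
    clone = device_fingerprint({"iccid": "8944110065000000002", "cpu": "ABCD-0002"})
    now = 1389000000  # a fixed instant in January 2014 (UTC), constructed
    server_seed = derive_seed(stored_half, genuine)
    return {
        "genuine_code": totp(derive_seed(stored_half, genuine), now),
        "clone_code": totp(derive_seed(stored_half, clone), now),
        "server_code": totp(server_seed, now),
        "seeds_differ": derive_seed(stored_half, genuine) != derive_seed(stored_half, clone),
    }


if __name__ == "__main__":
    print("token shows", totp(RFC_SEED, 59), "attacker computes", attacker_code(RFC_SEED, 59))
    print(split_seed_demo())
```

Running it shows `287082` for both the token and the attacker at the RFC test instant: nothing in the algorithm distinguishes them, only possession of the seed does. In `split_seed_demo()` the genuine device and the server agree while a copy of the stored half on other hardware derives a different seed.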

By operating this way, authentication companies cannot give out copies of seed records to government authorities or any other organisations, because the records simply won’t be in their possession. This technology shouldn’t overwhelm business leaders. Put simply, it removes a copy of the seed that would otherwise be easy to steal, closing off a route to data breaches that can have catastrophic effects on a business.

“It would be like buying a combination padlock where the hardware shop kept a record of the code required to unlock it”

If you liken this situation to a security scenario that everyone is familiar with – for instance, home security – you can see how safe this technology is. Nobody would ever invest in a house alarm system and keep the pre-loaded code that the alarm comes with. Everybody resets the code so that they have a combination of digits which only they know, because it offers higher home security. Or it would be like buying a combination padlock where the hardware shop kept a record of the code required to unlock it. Of course, none of us would ever protect our physical possessions without changing the padlock or alarm code to something known only to ourselves, so why do we not take the same security precautions when it comes to our corporate digital assets?

The reality is that there will be ever more devices to access information on, so the need to protect company data and corporate identity is higher than ever. Businesses are right to be concerned about what data government authorities can obtain, but invest in the right security technology and this concern can be dramatically reduced. Failure to look into how the technology works could mean that you are paying for a security solution which isn’t actually secure at all.

About the author
Steven Watts is the co-founder and sales and marketing director of SecurEnvoy. Before setting up SecurEnvoy, which invented tokenless two-factor authentication, he worked in the channel, clocking up over 18 years’ experience in security and networking sales. His particular value is to market and partner strategy, having assisted in the development and design of the six products in the suite and designing a recurring revenue model.

Why CMS platforms are breeding security vulnerabilities

Barry Shteiman, Imperva

Several statistics-gathering engines on the web reveal an interesting picture. Content management systems (CMS) have become far more popular in the past couple of years. A trend graph over at builtwith.com shows that over 20% of the top 10,000 websites rely on a CMS.1 And it’s fair to assume that the number is higher for companies that use a CMS as middleware between their content and their front-end website. But like all software, and this is without exception, CMSs have many security concerns.

Let’s take a closer look at a research paper published by Checkmarx. We learn that in WordPress (which is the most widely deployed CMS right now) seven of the top 10 e-commerce plugins and 20% of the top plugins are vulnerable to attack. These are sobering numbers. When a company chooses a CMS to support online transactions, it rarely gives thought to the fact that the shopping cart mechanism, for instance, can be easily hacked, resulting in PCI DSS violations and theft of credit card and personally identifiable information (PII). This has the potential to become a really big problem that we cannot ignore.

“Roughly 20% of vulnerabilities discovered in third-party code are found in the CMS core while 80% are found in plugins and extensions”

In other research conducted by BSI in Germany, we learn that roughly 20% of vulnerabilities discovered in third-party code are found in the CMS core while 80% are found in plugins and extensions.2

One of the most interesting developments we’ve seen is the addition of item A9 to the OWASP Top 10 for 2013.3 This item, ‘Using components with known vulnerabilities’, means that OWASP recognises the problem of using third-party code and applications (like a CMS) with known vulnerabilities and weaknesses embedded in them, raising the risk of being breached. In brief, CMSs are a petri dish of vulnerabilities.

Path of least resistance
The popularity of CMSs has been a boon for hackers. They give hackers a much larger surface area to attack. This is fundamentally changing the way they operate. In the past, a hacker would identify a single target, like an academic institution, a bank or an e-commerce site, find a vulnerability in that target, and then exploit it to compromise or steal data. That is to say, a hacker had to be a fairly enterprising individual willing to put in some long, hard hours.

“Once weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbours the known vulnerability”

Now, with the vast opportunities presented by CMS, hackers don’t break a sweat at all. They simply take the path of least resistance. Because CMS is greased for their success, hackers don’t waste precious time and resources identifying targets. Instead of identifying one specific target, hackers use search engines to identify common security vulnerabilities in a CMS platform as a means to accomplish server takeover and data theft. And there are literally thousands of them. Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS that harbours the known vulnerability and then exploit it in multiple CMSs in many companies, fast.

As part of our hacker research process, we investigate different botnets managed by cyber-criminals and closely monitor their activity. We definitely see a huge opportunity for hackers to move from manually infecting computers online to simply adding them to larger botnet schemes, using different identification mechanisms, such as ‘Google dorks’ (using Google searches for tell-tale signs), to identify CMSs and other third-party vulnerabilities. This makes it very easy for hackers to inject malware and onboard infected servers for later use.

In the past, hackers focused on hacking personal computers. Nowadays it makes a lot more sense to focus on CMS servers. First, it’s fairly easy to hack into a CMS server, where the vulnerability options are massive. By comparison, it takes a lot more time and effort to breach a PC or device. Second, hacking a CMS server is cost-efficient. If a botnet’s goal is to create DDoS attacks, 100 servers, with their bandwidth and uptime, could potentially have the same impact as 100,000 infected PCs and devices. From a hacker’s perspective, it just makes good business sense to focus on servers as targets. It’s quicker, easier and cheaper.

Figure 1: Usage statistics for websites using CMS technologies. Source: Builtwith.com.

Figure 2: Vulnerabilities in CMS platforms according to frequency. Source: BSI, Germany.

Steps to protect your business
Although the security threat landscape is constantly shifting, businesses can defend themselves with some simple tactics. Awareness is always key. It’s a good idea to ‘dork’ yourself – run the same searches an attacker would, for known vulnerabilities and for the version and plugin fingerprints that affect the platform you’re using. And you should learn as much as possible from experts who know what the evolving risks and threats are, and what the necessary precautions are to protect your data and your business from today’s industrialised hacker.

Be vigilant. Carefully monitor your applications. Have real-time alerting on your web applications that tracks against a baseline of behaviour, so that any anomaly can be promptly investigated; reviewing your logs every now and then won’t fend off attackers.

“Don’t assume that your software development life cycle will automatically fix these problems, because it won’t”

Lastly, assume that all third-party code, including the CMS your website is based on, has countless security vulnerabilities – because it does. And don’t assume that your software development life cycle will automatically fix these problems either, because it won’t. Code authored by someone else is not controllable within your environment; it’s impossible to fix code you don’t own. Vigilantly applying vendor patches, coupled with virtual patching of CVEs – blocking the known exploit at a web application firewall or IPS until the fix can be deployed – can help protect your business from these evolving security threats.

Just because CMS attracts hackers doesn’t mean you can’t protect your business.

About the author
Barry Shteiman is Imperva’s senior security strategist, where he works directly with the CTO office and Imperva’s dedicated security research organisation, the Application Defense Centre. He has also authored several application security tools and contributed code to a number of open source security projects. He is a dedicated contributor to Imperva’s security blog as well as an active tweeter (@bshteiman).

References
1. ‘CMS Usage Statistics’. Builtwith.com. Accessed Jan 2014. http://trends.builtwith.com/cms.

2. ‘Content Management System (CMS)’. BSI (in German). Accessed Jan 2014. https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html.

3. ‘Top 10 2013’. OWASP. Accessed Jan 2014. https://www.owasp.org/index.php/Top_10_2013-Top_10.

OWASP Top 10 – 2013
The top 10 vulnerabilities defined by OWASP in 2013 included a new entry at number nine:
A1 – Injection.
A2 – Broken authentication and session management.
A3 – Cross-Site Scripting (XSS).
A4 – Insecure direct object references.
A5 – Security misconfiguration.
A6 – Sensitive data exposure.
A7 – Missing function-level access control.
A8 – Cross-Site Request Forgery (CSRF).
A9 – Using components with known vulnerabilities.
A10 – Unvalidated redirects and forwards.

An index for network threat detection

Mike Patterson, Plixer International

When looking at the challenge of detecting threats, such as viruses, on our networks, we can make a useful analogy with something in the real world with which we are all familiar. What are the chances that one of the employees at your company is carrying a biological virus?

Perhaps someone in your office today is showing signs of a cold – coughing, sneezing or perhaps a sudden sniffle. After all, these are the indicia of a common cold. We know this because we maintain a personal profile of what the symptoms of this virus are. Certainly a single cough or a sudden sneeze doesn’t definitively mean that a virus is manifesting itself in that person’s body, but it does send a warning sign that the individual could be getting sick. But warning signs usually do not necessitate quarantining the person, asking them to leave work or even suggesting that they sport an influenza mask. Suspicion that someone is getting sick simply increases our awareness, perhaps prompting us to give the person a bit more space to minimise the risk of the virus spreading to us.

One warning sign gets our attention but, if not followed by more warnings, the impact of the event diminishes rather quickly. If, however, the warning is followed by more sneezing, coughing and possibly complaints from the person about not feeling well, then our awareness increases and we start to more closely associate that co-worker with being sick. If the employee doesn’t leave the office or ask to go home to work remotely, others in the office may try to avoid that individual until the infection passes. Let’s compare this analogy to threat detection on a corporate network.

Single event detection and false positives
If a device on the local network reaches out to an Internet host with a reputation for being part of a botnet, does that mean it is somehow infected? Probably not. What if the same local PC also receives a few ICMP (Internet Control Message Protocol) redirects from the router supporting the subnet? Now can we discern that we have an infection that needs to be addressed? Again, probably not, but suspicions are rising.

“In the world of threat detection, reacting to any single odd behaviour generally leads to tail chasing because, in data networking, normal communications often lead to an occasional odd connection”

What if a machine is routinely reaching out to known bots on the Internet and starts scanning ranges of IP addresses, scanning specific hosts or communicating in ways that are not typical of its normal behaviour? Certainly we still can’t definitively deduce that we are dealing with malware, but we can take action and look more closely at the suspected device. In the world of threat detection, reacting to any single odd behaviour generally leads to tail chasing because, in data networking, normal communications often lead to an occasional odd connection.

“If a solution serves up excessive false positives, admins perceive little to no value when trying to positively identify malware”

Given enough data and time, some security appliance somewhere will decide that the host is untrustworthy. When this happens, that threat detection solution may trigger what’s commonly known as a false positive. If a solution serves up excessive false positives, it becomes associated with the boy who cried ‘wolf’ and, when that happens, admins perceive little to no value when trying to positively identify malware. No one wants to chase their tail.

Associating infection with a single event can be an effective means of identifying malware, just as a blood test can positively identify many viruses. But threat detection can’t rely solely on single events to stop all intrusions. To be more effective at keeping our networks clean of sophisticated intrusions such as Advanced Persistent Threats (APTs), we must consider the collective odd-behaviour episodes from every machine on the network. This is done through the use of threat indexes.

Threat indexes
The idea behind threat indexes is that they rise for an individual host each time it participates in a behaviour that is suspicious. Depending on the type of behaviour (eg, scanning the network) the event may increase the index by a higher value than others (eg, receiving an ICMP redirect). If the threat index of a host hits a threshold, a notification can be triggered. Keep in mind that the index is a moving value because individual events age out over time. For this reason, an IP address must reach the threat index threshold within a configurable window of, say, 14 days, because the same events that increased the counter are also aging out and, as a result, the index is reduced.

What’s key to the threat index approach is all-encompassing awareness. To obtain this, we need data, and ideally all of it. Threat detection at this level can’t be limited to what is coming from and going to the Internet. It needs to be fed all internal communications on all networked devices to ensure that every host – laptops, servers and personal mobile devices alike – is being profiled. How do we get the data?

What’s wrong with packet probes?
To gather the data needed to build a proper index, we could deploy packet probes. These devices grab 100% of the communications passing under their watchful eye. However, they face several drawbacks. Packet probes are costly to purchase, costly to deploy and even more costly to maintain. Even if they are deployed at every major uplink, they still lack visibility on local subnets, and they create massive amounts of data that needs to be aggregated and often simply can’t be dealt with at a scalable level for large enterprises. There is a better, more insightful and cost-effective alternative to packet probes. It’s called flow technology.

Introducing flow technologies
Flow technologies are available on nearly all routers and some switches shipped by all vendors in the past four years. Specifically we’re talking about NetFlow and IPFIX. Unlike the sampled approach of sFlow, true flow technologies provide details on 100% of all traffic passing through the router or firewall, provided they are exported unsampled; most platforms can also be configured to sample, which throws that visibility away. Although they don’t provide all of the packet details, they do provide the most important information necessary to distinguish good from bad traffic patterns.

NetFlow v5 provides aggregated packet details containing:
• Source and destination IP address
• Source and destination network mask
• Source and destination ports
• Source and destination SNMP interfaces
• Source and destination autonomous system
• Start and end SysUpTime
• Protocol
• Next hop router
• Cumulative OR of TCP flags
• Type of service
• Number of packets
• Number of bytes

NetFlow v9 and IPFIX
NetFlow v9, and IPFIX, the IETF standard based on it, blew open flow technology and made it capable of exporting any detail extractable from packet communications. Details can include, but are not limited to: caller ID, jitter, codec, packet loss, round trip time, total connection time, compression, URL, Layer 7 application, etc. There is no limit to what it can be used to export – and individual vendors decide what they want to share. Even syslogs and Microsoft event logs can be converted and exported as IPFIX. When the volume of flows is too great for any single collector, distributed collection systems can be deployed. This is a push technology, which means no polling and less overhead for the collection architecture.

By pointing the flows from all of the routers, switches and even servers back to the flow collector(s), we obtain a central repository of all communications in every corner of the network. The flows are then passed through algorithms which baseline and profile behaviours in an effort to start building up the threat indexes for suspicious hosts. Even when distributed collectors are employed, all events are reflected in a single view.

Threat detection with flows

Although flows don’t contain the entire packet, they do contain the details necessary to detect many types of threats, such as network scanning, receiving ICMP redirects, participating in a denial of service attack and dozens of other unwanted behaviours.

Some vendors use flow data to profile normal behaviours on the network. Subsequently, when a host communicates in a way that departs from its past behaviour, this too leads to an increase in its unique threat index. Flows can also be used to detect banned applications such as Skype and BitTorrent. And the list of ways to use flow data to detect abnormal traffic is growing.
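The following added example (not Plixer’s code) sketches how a collector might turn flow records into per-host threat indexes of the kind the last three paragraphs describe: a port-scan rule, an ICMP-redirect rule (NetFlow v5 exporters place the ICMP type and code in the destination port field), a banned-application rule driven by an exported Layer 7 application name, and a small increment whenever a host talks to a service outside its baseline. The weights, thresholds, baseline and flow records are all constructed for illustration.

```python
from collections import defaultdict

# Event weights and thresholds: constructed for this example, not a vendor's values.
WEIGHTS = {"port_scan": 40, "icmp_redirect": 25, "banned_app": 30, "new_service": 5}
BANNED_APPS = {"bittorrent", "skype"}       # matched against an exported L7 application name
SCAN_PORT_THRESHOLD = 10                    # distinct destination ports on one host from one source
ICMP_REDIRECT_TYPE = 5
TCP, ICMP = 6, 1


def icmp_type(flow):
    # NetFlow v5 exporters encode ICMP as type*256 + code in the destination port field.
    return flow["dport"] >> 8


def score_flows(flows, baseline):
    """Walk flow records once and accumulate a threat index per host.

    baseline maps a source host to the set of (dst, dport) services it normally talks to.
    Returns (index_by_host, events) where events lists (host, rule, detail) triples.
    """
    index = defaultdict(int)
    events = []
    ports_seen = defaultdict(set)           # (src, dst) -> destination ports touched so far

    def hit(host, rule, detail):
        index[host] += WEIGHTS[rule]
        events.append((host, rule, detail))

    for f in flows:
        src, dst = f["src"], f["dst"]
        if f["proto"] == TCP:
            ports_seen[(src, dst)].add(f["dport"])
            # Fire once, at the moment the threshold is crossed, not on every later probe.
            if len(ports_seen[(src, dst)]) == SCAN_PORT_THRESHOLD:
                hit(src, "port_scan", f"{SCAN_PORT_THRESHOLD} distinct ports on {dst}")
            # The host departing from its own baseline is the source, so it carries the index.
            if src in baseline and (dst, f["dport"]) not in baseline[src]:
                hit(src, "new_service", f"{dst}:{f['dport']}")
        elif f["proto"] == ICMP and icmp_type(f) == ICMP_REDIRECT_TYPE:
            # A redirect is scored against the host that received it, as in the text.
            hit(dst, "icmp_redirect", f"redirect from {src}")
        if f.get("app", "").lower() in BANNED_APPS:
            hit(src, "banned_app", f["app"])
    return dict(index), events


def rank(index, top=3):
    """Loudest hosts first: the ones worth an analyst's attention."""
    return sorted(index.items(), key=lambda kv: kv[1], reverse=True)[:top]


def flow(src, dst, dport, proto=TCP, app=""):
    """Constructed flow record in the shape a collector would hand on (not captured traffic)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "app": app}


# Constructed baseline and flows for the example.
SAMPLE_BASELINE = {
    "10.1.2.3": {("10.1.2.50", 443), ("203.0.113.10", 443)},
    "10.1.2.7": {("10.1.2.50", 443)},
}
SAMPLE_FLOWS = (
    [flow("10.1.2.3", "10.1.2.50", p) for p in range(1, 13)]            # 12 ports probed on one host
    + [flow("10.1.2.7", "10.1.2.50", 443),                                # normal, in baseline
       flow("10.1.2.7", "203.0.113.10", 6881, app="BitTorrent"),          # banned app, new service
       flow("192.0.2.1", "10.1.2.50", (ICMP_REDIRECT_TYPE << 8) | 1, proto=ICMP),  # redirect received
       flow("10.1.2.9", "10.1.2.50", 443)]                                # no baseline: nothing scored
)

if __name__ == "__main__":
    idx, evs = score_flows(SAMPLE_FLOWS, SAMPLE_BASELINE)
    for host, score in rank(idx):
        print(host, score)
```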

Unfortunately, network security has evolved to the point where we’re living with threats on the network. Traditional methods of detecting them still work, but relying on anti-virus, firewalls or an IDS that performs Deep Packet Inspection (DPI) and compares bit patterns to regularly updated malware libraries will not detect all threats. We have to focus on the loudest and most frequently recurring troublemakers, and to do this we need to leverage flow technologies that build threat indexes based on a series of unwanted events.

The threat index approach to threat detection is not infallible. Malware can, and will, slip past it; but, combined with existing single event detection mechanisms, the corporate defences against unauthorised data exfiltration are vastly improved.

About the author

Michael Patterson is CEO of Plixer International (www.plixer.com), providers of Scrutinizer NetFlow-based network traffic monitoring and threat detection technology. He is a nationally recognised flow technology expert and the author of ‘Unleashing the Power of NetFlow and IPFIX’.

Interview: Corey Nachreiner, WatchGuard – security visibility

Steve Mansfield-Devine, editor, Network Security

Do we really know what’s going on in our networks? There is plenty of information, not least in the logs, but making sense of it has always been a struggle. Perhaps 2014 is the year all that could change.

The end of one year and the start of another has always been a time for predictions. Certainly, security vendors and pundits show little restraint in issuing proclamations of what the next 12 months holds in store for us all. Such soothsaying rarely rises above the obvious or mundane – much of it boils down to ‘more of the same’ – and in an industry where Fear, Uncertainty and Doubt (FUD) are standard marketing materials, it’s not surprising that security vendors tend towards doom and gloom in their predictions.

However, among the flood of press releases and blog posts, one stood out. Corey Nachreiner, director of security strategy at WatchGuard Technologies, picked up on one potential development not mentioned by the others, perhaps because it offers a positive outlook.

Security pendulum

Network Security (NS): You say that 2014 is going to be the year of security visibility. What do you mean by that?

Corey Nachreiner (CN): “Well, I think three things are going on in the security industry right now, and I kind of agree with you – a lot of predictions, my predictions even, sound like doom and gloom. Really, information security is a pendulum that’s kind of swinging back and forth between the attackers winning and us winning. Over the last two years, I feel strongly that the pendulum was on the attackers’ side. They’ve been, for lack of better words, kicking our butts. I think some of the problem is, we’ve been kind of relying on security technologies to protect us against everything, but information security is more than just a technological problem. It’s a user problem, it’s a human problem. As you know, I’m sure, there’s lots of ways advanced attackers get in that may not have anything to do with flaws; it may have more to do with social engineering.


“So there’s really three things going on. One, businesses are relying on old defences. They think a stateful packet firewall is going to block modern attacks, when really modern attacks are happening in the traffic we allow every day, mainly web traffic. A second issue is that they put a firewall, or a security appliance of some sort, or any security software into their network, and they kind of just put it there and forget it, thinking it’s protecting them, but they may not have configured it right. They may not be adjusting the policies for their business needs. In fact, Gartner says 95% of firewall breaches are due to misconfiguration. And a report I love to follow is from the Verizon risk team. They do an annual data breach report, and they too say, at this point, 98% of breaches were preventable by simple or intermediate controls, security things, that these organisations had, but just didn’t configure properly.

“I think that the real problem that IT and security people are suffering from is, they have these devices, they put them in and forget about them, and the devices are probably generating thousands and thousands of pages of logs. There’s really oceans of logs. If you look at your intrusion prevention system, your firewall, your network routers … if your security device does authentication, anti-virus, there’s tons and tons of logs and detailed information there, but really that ocean of data is half the problem. When you have 20,000 logs being generated a day, how do you find that one important security event that might be an advanced attack coming into your network?

“So that is really why I think this year we’re going to see that people have decent security controls – if you have modern, unified threat management devices, or next-generation firewalls, or you have a combination of layers like intrusion prevention, anti-virus firewalls, URL reputation capabilities, command and control detection capabilities – if you have all this stuff, you have the right protection. The problem is getting it set up with the policies that will definitely protect you, and then being able to identify and respond to incidents as they happen. So that’s why, this year, we believe it’s going to be the year of security visibility, where you’re going to see the security industry put a lot of focus on creating visual tools that help you identify events.”

Visibility in action

NS: Can you give an example of how that might work in practice?

CN: “You might have a case where your IPS system is probably going off all day. There’s some pretty regular automated attacks that might hit your network every day. Those may not be that interesting to you, because these are attacks being blocked by your IPS, and they’re just automated attacks, they’re kind of Internet background noise at this point. But if you suddenly see a particular IPS trigger from a certain source, and right after that, you see a couple of AV triggers going off from that same source, and then, maybe 10 minutes later, you start to see a user trying to authenticate from the computer that was affected, and failing a couple of times, now that is an incident. Now you realise this isn’t just an intrusion that has been blocked – this is some sort of incident happening in my network right now, and it’s not until you start to correlate all these different security controls that you can really start to find that.

“It’s not until you have the visualisation tools, that you can find that thimbleful of useful information in all the oceans of data. So I really think there’s a lot of great security tools out there, that can catch even the most advanced attacks nowadays. At this point, I think what we need is better analytics in security, better tools to help us identify issues that our devices are probably finding every day, and start to do more than, just tell us about them – start to correlate some of those events, start to relate it to the users in our networks, so that we can go and proactively clean up.”
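The chain Nachreiner describes, as an added example that is not part of the interview or of WatchGuard’s tooling: a small correlator over constructed key=value log lines that raises an incident only when an IPS trigger from one source is followed by at least two AV hits from the same source on the same host, and then by repeated failed logins on that host within a short window. The log format, field names and time windows are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed windows: AV hits must follow the IPS trigger within AV_WINDOW, and failed
# logins must follow the last AV hit within AUTH_WINDOW (the "10 minutes later" in the text).
AV_WINDOW = timedelta(minutes=5)
AUTH_WINDOW = timedelta(minutes=15)
MIN_AV, MIN_FAIL = 2, 2

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'ISO-timestamp key=value key=value ...' into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def correlate(lines):
    """Return incidents: IPS trigger -> >=MIN_AV AV hits (same src, host) -> >=MIN_FAIL auth failures."""
    events = [parse_line(l) for l in lines if l.strip()]
    incidents = []
    for ips in (e for e in events if e["type"] == "ips"):
        src, host = ips["src"], ips["host"]
        av = [e for e in events if e["type"] == "av" and e["src"] == src and e["host"] == host
              and ips["ts"] < e["ts"] <= ips["ts"] + AV_WINDOW]
        if len(av) < MIN_AV:
            continue                      # blocked background noise, no follow-on: not an incident
        last_av = max(e["ts"] for e in av)
        fails = [e for e in events if e["type"] == "auth" and e["host"] == host
                 and e["result"] == "fail" and last_av < e["ts"] <= last_av + AUTH_WINDOW]
        if len(fails) < MIN_FAIL:
            continue
        incidents.append({"host": host, "src": src, "first_seen": ips["ts"],
                          "av_hits": len(av), "failed_logins": len(fails),
                          "users": sorted({e["user"] for e in fails})})
    return incidents


# Constructed log lines (not a real appliance's format or real traffic).
SAMPLE_LOGS = """\
2014-01-14T08:00:01 type=ips src=203.0.113.77 host=ws-042 sig=HTTP.Generic.Scan action=block
2014-01-14T08:00:05 type=ips src=198.51.100.9 host=ws-042 sig=SMB.Probe action=block
2014-01-14T08:02:10 type=av src=198.51.100.9 host=ws-042 sig=Trojan.Dropper action=quarantine
2014-01-14T08:02:44 type=av src=198.51.100.9 host=ws-042 sig=Trojan.Dropper action=quarantine
2014-01-14T08:11:30 type=auth host=ws-042 user=jsmith result=fail
2014-01-14T08:11:52 type=auth host=ws-042 user=jsmith result=fail
2014-01-14T08:12:03 type=auth host=ws-042 user=jsmith result=success
2014-01-14T09:00:00 type=ips src=203.0.113.77 host=ws-017 sig=HTTP.Generic.Scan action=block
"""

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS.splitlines()):
        print(inc)
```

The two lone IPS triggers from 203.0.113.77 are the background noise the interview mentions and produce nothing; only the 198.51.100.9 chain on ws-042 becomes an incident.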

Wrong advice

NS: People have been talking forever about checking logs and configuring systems properly. Why do you think that’s suddenly going to happen in this coming year?

CN: “That’s a good question. I’ve been in the industry for 15 years, and you see the same problems happen over and over. It seems like you’re never going to be able to get people to do the best thing. But I will say, while we do tell people to look at their logs, I think looking at their logs is kind of the wrong advice. Maybe this is a general issue in security: we often give advice that’s too hard to do in the real world. So I’m going to digress a little bit … we often say, don’t worry about passwords. As long as you create this really long, random password, it’s never going to get cracked. So how practical is that, though? If you have a 20-character password, that’s random characters, with caps – how are you going to remember that? So that’s a perfect example of good security best practice, that is kind of bad human advice, because it’s impractical.

Corey Nachreiner, WatchGuard: “Information security is a pendulum that’s kind of swinging back and forth between the attackers winning and us winning.”

“So telling people to look at oceans of logs to find data is bad advice. In the past we’ve just been giving them logs – and by logs, I mean these line-level, ‘it comes from this source to this IP’, detailed information about the packet. So that is the problem – looking at thousands of lines of logs is not going to help you. I think the SANS organisation recently did a survey on logging. What they found was, we’ve been telling people you should log stuff, and the good news is, they found that 77% of businesses did turn on logging, so that’s kind of good. I wish it were 90% or higher, but 77% is a big percentage. But here’s the problem – when they then asked how many of those people actually looked at their logs on a regular basis, that number dropped to 24%, so less than a quarter of people were actually paying attention to them. Then they asked the kicker question: of the people looking at their logs, how many feel confident that they can use logs to identify security incidents? And that dropped to 10%.

“I don’t think the problem is getting people to log, and maybe the problem’s not getting them to look at it. The problem is, we’re delivering it in a way that’s not consumable by a human. So the key there is visibility, and by visibility I mean visualisation. Big data is a big technology industry trend right now. We are suffering under piles of big data, and security controls and security devices are part of that big data, delivering all kinds of interesting intelligence, but you can’t make heads or tails of any of this data unless it’s delivered to you in a way that allows you to see immediately the important trends, or to see immediately the incident that kind of is different than the other incidents.

“At WatchGuard, when we talk about visibility as a defence, what you’re going to see is us delivering analytic tools for our logs in a different way. It’s going to be a heavy concentration on visualisation. Rather than just a bunch of log lines, you’re going to see different kinds of graphs, different kinds of top trend reports, based on users, based on security events, and we’re going to use things like tree map views, which is a specific way to graph out data – a great way that kind of minimises 950 of the smaller pieces of information, and maximises the 50 top ones that you really want to pay attention to.

“So I think the difference this year is, it’s going to move from just log data to actual visualisation and analytic-type tools. We’ve just released something called WatchGuard Dimension, and this is a tool that’s designed to just do this.1 If you have our security appliance, for instance, it’s been logging data forever, and we’ve wanted people to look at the logs forever. But now, with WatchGuard Dimension, we take those logs and we visualise them in executive summary reports, CSO reports – a bunch of different reports that help you quickly identify who’s the top bandwidth user, what applications are being used in your network, what security incidents are rising to the top, and what particular attacks are affecting your network the most.

“You can pivot on this, for instance, if you see there’s a particular Java exploit that’s getting used against your network a lot, you can actually click on that, and then it will show you a pivot of what users are being affected by this exploit. I’ve done this before, and sometimes one user pops to the top. What that’s showing you is actionable security intelligence. If I suddenly see there’s one particular exploit in my network that’s used the most, I know I’d better make sure to have that patch applied to all my users. If I then click on it, and I see there’s one user that’s really generating all the hits to that particular exploit, I then know I have some sort of problem that I can proactively go and fix. Either that user is doing something wrong – maybe she walked her kids’ laptop into the back door, whatever the case may be – it’s the fact that I can suddenly see that user rise to the top, rather than having to find this incident.

“That incident I just described has been hidden in your logs, but it was hidden in hundreds of thousands of lines over many days of usage. So the key part of visibility, of your visibility, is changing the model from just text log lines, to visualisation and analytics.”

WatchGuard Dimension in use – in this case, drilling down to a single user.

Complicated environments

NS: It’s all very well getting people to use the security they have properly, which is basically what you’re talking about, but is it that simple? Putting tools into people’s hands is all very well, but often they’re too busy or under too much pressure to use what they already have. Even where security budgets are rising, they’re often lagging behind the increasing size and complexity of the IT estate. Security professionals are spending a lot of their time just trying to catch up. Now people are talking about the Internet of Things, and there’s IPV6 which may or may not see proper adoption –

CN: “ – Yeah, maybe one day!”

NS: The security people are getting left behind by the pace at which things change, aren’t they?

CN: “Yeah, I definitely get that, depending on the organisation you’re dealing with. Most small to medium businesses do not have a security specialist. It’s typically the one or two normal network IT infrastructure guys that are dealing with security too. With mid to large enterprises, those folks do tend to have more security specialists, maybe even a CISO. But in either case, the IT guys are definitely overwhelmed with fires they have to put out, and security is kind of an afterthought. I think that’s why they’re used to putting in security controls, whatever they may be, as fire and forget-type things – put them in, and forget about them. While, on the one hand, there are many security controls that work okay – if they’re configured properly they can keep chugging along for a long time – there’s really a lot of value they’re missing.

“I don’t know the full solution to this, but I can tell you that WatchGuard’s solution is to provide business intelligence that these IT admins are going to like to see every day. Our visibility tool doesn’t only tell you about security events, it tells you a whole lot about your network: who are your top bandwidth users? What are they doing on the network? What URL categories are people going to regularly? If you have a good visibility tool, if you have a tool that is showing you the right top events – maybe how much of your traffic is your critical e-commerce server, versus how much of your traffic is Johnny in tech support BitTorrenting some file – if you have that visibility, you’re actually going to want to visit that tool every day, because besides helping you find important security events, it’s also going to help you do your normal everyday ‘fire-fighting’ job. That’s because the fires they’re putting out are things like the four-in-the-morning call from the CEO saying that our customers are complaining that our e-commerce site is too slow – go fix it. Our tools can even help you troubleshoot that problem by maybe finding a user that happens to be sucking up your bandwidth, and as you find this stuff, it invites you to take action, and to actually change policy, and maybe put some sort of throttle on BitTorrent, or block it, or whatever your business policy ends up being.

“They’re doing many things. Security is just one of those things, and unfortunately security is always kind of the red-headed stepchild, because it doesn’t directly make a business money, right? And yet it is necessary for businesses to have if they want to continue making money, because if you do get popped or pwned you’re going to lose quite a bit of your money. But in any case, if we make security more useful, not just as a security tool, but to help identify business events too, I think it might encourage administrators to look at the tools more regularly. I’ve found, just using our own visibility tool, I’m learning all kinds of things.

“To give you an example, you might have heard of application control, which is one of the things many security tools now have. It’s not really directly a security functionality. Application control is the ability to recognise different network applications, no matter what ports or protocols they use. There’s lots of applications like Skype and Ultrasurf and Tor and Torrent, that are very sneaky at getting around firewalls and old-school security appliances. So these application control features allow you to recognise different applications and, besides recognising them, you can even recognise granular features of an application – like, for Facebook, you can recognise a Facebook view versus a post, versus a game, etc. That’s an interesting new productivity or business tool.

“There’s different ways you can use that, but one of the problems with these new tools is, a normal business, if they suddenly have access to the ability to control applications, how do you know what to do? Does the average business know what their users are using every day? Some of it may be for business – for instance, Facebook is used heavily by marketing. Maybe they might see something like Tor, which is an anonymising network, but maybe it’s used for some valid purpose; or maybe they see Torrent, which some people associate with pirated software, but maybe it’s an engineer using Torrent to download Linux ISOs. So the point is, how you use application control differs from business to business, depending on what your business is doing.

“The cool thing about visibility tools is they can teach you what your business is doing, if you have the right tools. Things like, what applications are being used by your network, and by who, pop up very quickly, very immediately. I think the only other challenge that these cool tools will offer people is, they’re suddenly going to see so much visibility into their network, that they might have to start talking to HR, and they won’t know how to handle certain things that you see pop up. The point I’m really trying to get to is, if you can provide them value, some sort of useful value, to help identify business incidents in their network as well, I think they’ll come back to the security tools every day, the visualisation tools, and besides seeing the business incidents, the security incidents are in the same place, so just naturally it will also help them become a more secure, or at least more aware, organisation naturally.”

Internet of Things

NS: Let’s come back to the Internet of Things. As I understand it, the Internet of Things, to take off properly, has to be built on IPv6, because there aren’t enough addresses in IPv4?

CN: “Well, they’ve been playing with NAT forever. I guess ISPs on mobiles can do their own internal levels of NAT, but ultimately, the Internet of Things is what’s going to force us to run out of address space, for sure.”

NS: So, given the glacially slow take up of IPv6, isn’t this year a little early for an Internet of Things apocalypse to happen?

CN: “Well, I don’t think the Internet of Things apocalypse is going to happen yet. When I’m talking about the Internet of Things, I’m talking about any sort of ‘stealthy’ computer devices. People automatically associate phones and tablets with the Internet of Things, which is good. It means that people realise a phone or a tablet is a network device. But have they realised that pacemakers can now be network devices? Have they realised that that cool little video monitor that they can move around for their baby is actually an IP webcam? Have they figured out that the neat quadracopter they bought, that can connect to their wireless network, and they can drive it with their iPhone or upload waypoints, is a computer? And, of course, you’ve heard of the fridges, and the smart TVs. So I’m more concerned with the things that don’t look at all like computers, but really all they are, are embedded computers that often have wireless chips to get all kinds of neat innovative features and the innovative features are very cool. But the problem is, these stealthy computers end up on our networks just like any other device, and sometimes they’re even publicly-available. They might even use UPnP, the automatic plug-and-play protocols, to get network access out. You may have heard, last year, about the baby camera hacks.2 A particular baby camera monitor is really just an IP webcam, which was pretty easy to allow public access to the world, so you could check up on your baby at home from your iPhone. A cool tool, but it was pretty trivial for anyone to override the password log in, and get onto those baby cams, and many other IP cameras.

“So I don’t think we’ll have the apocalypse, but I think researchers and attackers are really going to focus on the Internet of Things in 2014. Rather than seeing all the attacks against a particular flavour of software, whether it be Mac or PC, I think you’re going to see a lot more people coming out with, oh look, I can hack this quadracopter, or people that are doing more detailed research into car hacking, and anything else that is really a small, embedded computer. You already saw some of that in 2013, but I really think it’s the new vogue, a place for researchers to go, and the attack community do follow the researchers.

“Now, that being said, as far as the criminal part of hacking the Internet of Things is concerned, for criminals to do it, it has to be monetisable. There has to be some way for them to make money. Hacking baby monitors is not really going to make them a lot of profit immediately, so the type of Internet of Things they will focus on is definitely the smartphones and the tablets, for the near future. But later on, when you start having Google Glasses, when you start having various other devices that we use on a daily basis, and we do start storing sensitive information, I do think you will see criminals move in that direction.

“I will also mention, there are sometimes other ways malicious criminals have used hacking the Internet of Things, such as IP webcams, to not make money but to extort people to do things they really shouldn’t be doing online, and sharing that publicly, or at least extorting them further after that. So even when you’re attacking something like a webcam, there are ways you can at least make money, or do something that is bad.

“We’re seeing the explosion of the Internet of Things. I just want people to be aware of all the devices beyond just smartphones and laptops, that have computers and wireless access nowadays. Now, the cool thing about the Internet of Things is they all speak TCP/IP, so many of our security controls still apply to them. The key thing security firms and security vendors have to do is make sure that we keep up with protections that are focused on these things too. So rather than just having, for instance, IPS signatures for Windows and Macintosh attacks, we need to have it for IP cameras. We need to have it for NAS storage devices and the multiple other things that really are networked to computers on our networks.”

About the author

Steve Mansfield-Devine is the editor of Network Security, and its sister publication Computer Fraud & Security. He also blogs and podcasts on information security issues at Contrarisk.com.

Resource

• WatchGuard Technologies home page. www.watchguard.com.

References

1. ‘WatchGuard Dimension’. Accessed Jan 2014. www.watchguard.com/products/dimension.

2. Honan, Mat. ‘Hackers are exploiting baby monitors, but we know how to stop them’. Wired, 15 Oct 2013. Accessed Jan 2014. www.wired.com/gadgetlab/2013/10/baby-monitor-hacking/.


The global data protection conundrum

Richard Moulds, Thales e-Security

Given the relentless stream of news stories around state-sponsored attacks, spying and cybercrime, both on a national and global scale, it is hardly surprising that international data protection laws and regulations have come under increasing scrutiny. Politicians and the public alike are calling for greater privacy, transparency and security – yet there seems to be little consensus on a clear path forward.

In fact, just this past autumn, David Smith, deputy commissioner with responsibility for the Data Protection supervisory functions of the Information Commissioner’s Office (ICO) in the UK, remarked that: “for our part we are still hopeful that we will see a new and sensible framework emerge. Modernisation of the law is needed ... It’s crucial that it is not just a political result but also a result that genuinely enhances the protection of everyone’s personal information while providing a clear, proportionate and workable solution for businesses to apply.”1

Just why is it that data protection requirements are causing a headache? Surely it can’t be that complicated?

The unfortunate truth is that it is – and even more so than it may first appear. The challenge stems from the sheer diversity of the problem – even the phrase ‘data protection’ is so wide ranging that it is almost useless. What do we actually mean by ‘data’ and what do we mean by ‘protection’? Different people care about different data, and data in one context may be completely benign while exactly the same data in another context is highly sensitive. Different protection methods are responses to a huge array of different threats – threats that change over time in unpredictable ways and potentially with dramatic consequences. However, with the EU data protection reforms looming, it is crucial to grapple with the problem and decide how data protection will be governed. In the following, we will examine three perspectives that might arise from data legislation decisions and explore the opportunities and challenges associated with sole reliance on each.

Location, location, location?

It’s been well known in the housing market that location really matters, and the same is becoming true for data. Data ‘residency’ – controlling where the data actually resides – has become one of the most common aspects of ensuring sensitive data remains protected. Regulations might mandate that certain data must be stored only where the local government has legal jurisdiction over it. Taken to the extreme, this would mean that data cannot leave national borders. We might even expect to see coalitions of countries with data repatriation treaties and black lists of countries that provide inadequate security – just like with air travel. If you did wish to move data abroad you would likely be required to choose a country with data protection laws at least as strong as those of your own jurisdiction.

There is some logic to this approach; we already have national legal systems, so it could be natural to become nationalistic when it comes to data protection. This approach might have been fine 100 or even 50 years ago, but surely we now live in a globally connected world – companies and even individuals are multi-national.

This type of legislation requires all concerned to at least have a thorough understanding of both international and domestic regulations, which can often be conflicting. In the extreme, data residency laws might form the digital equivalent of import/export tariffs and barriers and even play a role in the free-trade debate.

Assuming we could agree the boundaries, how many organisations actually know where their data is at any given point in time? Data is routinely replicated across regions to achieve resiliency against disaster, and when you consider the cloud and virtualisation techniques in general, the situation becomes even murkier. Cloud economics rely on scale, and in most cases that scale can only be achieved by addressing a global market. Forcing providers to place artificial constraints on the market is bad for business and might stifle innovation – after all, without a global market would we have a Google, Twitter or Skype?

It’s all about me!

Of course there’s another way of looking at national boundaries – the people rather than the geography. On the front line of the crusade for tighter security around national assets is German Chancellor Angela Merkel, recently calling for the US Government to observe German law on data belonging to Germans whether or not that data is


inside German territory. However, even Merkel acknowledges that the different regulations currently in place across the EU make it difficult to establish a universal framework to control access to Internet users’ data.

Once again, there’s a logical argument that we should treat data as an extension of the individual to whom it belongs – and protect it according to the laws that relate to that individual. Doesn’t an email sent in the US deserve the same protection as the same email sent by the same person when she travels to France? This approach, while somewhat utopian, comes with a whole host of dangers and challenges.

“In the case of anonymous accounts, one of the core properties of the Internet, how is a national identity even meaningful?”

Firstly, the question of how to establish and, in the extreme, prove one’s nationality would move into the foreground. Would the task of validation fall to the service provider or the user? In the case of anonymous accounts, one of the core properties of the Internet, how is a national identity even meaningful? Is there a chance we could create data privacy havens just like tax havens where countries with tighter security would constitute a more attractive option for individuals or organisations that wish to place their data into the cloud with maximum protection? Maybe even identity fraud would take on a new dimension as stolen identities that are tied to ‘data friendly’ countries become highly sought after?

Even on a more basic level, this particular approach doesn’t hold up. While it would be straightforward enough for a data owner to understand the law governing him as an individual or as an organisation, the situation would be far more complex for data custodians and service providers. For global cloud giants such as Amazon, Google and Facebook to carry out the mammoth task of classifying each and every piece of data according to whom it pertains is just unfeasible.

The real value of data

As we debate the appropriate legislation for any set of data, it is easy to overlook the most important aspect – the value of the data itself. The starting point for any data protection strategy has to be an assessment and characterisation of the types of data within an organisation and the impact of any loss.

Of course, the vast majority – maybe even 80% of all data – is relatively uninteresting to external parties, with only the remaining 20% being either moderately or highly sensitive. By determining the sensitivity of each data set and applying appropriate security to each category it is possible to build a data protection strategy – regardless of overarching residency or ownership regulations.

It sounds easy but data has the nasty habit of being contextual. A happy birthday email might seem innocuous, but as a security credential for authentication or password reset processes your birth date is valuable social data. There’s always a bigger picture. Even fragments of less crucial data can be pieced together to create information that is more valuable than the sum of the parts. What is valuable data to one person, one application, one country might be worthless to another and vice versa, and that assessment will change over time.

The answer?

An obvious approach is to somehow render your data useless, desensitise it, so that debates about its ownership, residency or apparent value become irrelevant. The most well-proven and trusted way of achieving that is through encryption, but as always, things are never that simple.

“The only way data can truly be secured is by encrypting it and never relinquishing control of the keys”

With any encryption system – in fact anything that uses cryptography – there is an Achilles heel, which is key management. Having your keys stolen obviously exposes your data and even losing your keys might make your data unrecoverable. But on a positive side, providing data owners, whether individuals or organisations, retain control of the encryption keys, any authorities will need to turn to the data owner if they want to access the information.

“It appears that the only aspect of data protection we are truly in control of is the data itself”

By using the power of encryption and sound key management, organisations can harness the benefits of a global IT infrastructure – and, in particular, cloud services – without having to worry about third parties unknowingly accessing sensitive information. Quite literally, if they look after their keys, their keys will look after them.

With the current uncertainty about a ‘right’ solution, it appears that the only aspect of data protection we are truly in control of is the data itself. Whether governments decide on legislation pertaining to a country or an individual, the only way data can truly be secured is by encrypting it and never relinquishing control of the keys.
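The key-custody argument above can be made concrete with envelope encryption: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the owner holds, and the provider stores just the ciphertext and the wrapped DEK. The following is an added example, not code from the article or from Thales; the cipher in it (SHA-256 in counter mode with an HMAC tag) and the `DataOwner`/`CloudProvider` classes are constructed for illustration, and a real deployment would use AES-GCM or ChaCha20-Poly1305 with the same key-handling pattern.

```python
"""Envelope encryption with the data owner keeping the key-encryption key.

Toy construction for illustration only: the cipher is SHA-256 in counter
mode with an HMAC-SHA256 tag (encrypt-then-MAC). Real systems use AES-GCM
or ChaCha20-Poly1305; the key-handling pattern, not the primitive, is the
point here.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256(key || nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class CloudProvider:
    """Stores ciphertext plus the wrapped data key; never sees the KEK."""

    def __init__(self):
        self.objects = {}

    def store(self, name: str, ciphertext: bytes, wrapped_dek: bytes) -> None:
        self.objects[name] = (ciphertext, wrapped_dek)

    def fetch(self, name: str):
        return self.objects[name]


class DataOwner:
    """Holds the key-encryption key (KEK); it never leaves the owner."""

    def __init__(self):
        self.kek = os.urandom(32)

    def upload(self, provider: CloudProvider, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)                       # fresh data key per object
        provider.store(name, seal(dek, plaintext), seal(self.kek, dek))

    def download(self, provider: CloudProvider, name: str) -> bytes:
        ciphertext, wrapped_dek = provider.fetch(name)
        dek = unseal(self.kek, wrapped_dek)        # only the KEK holder can unwrap
        return unseal(dek, ciphertext)


def demo() -> dict:
    """Round trip, what the provider holds, and what losing the KEK means."""
    sample = b"constructed sample record: employee 4711, salary band C"  # constructed input
    owner, provider = DataOwner(), CloudProvider()
    owner.upload(provider, "payroll.csv", sample)
    stored_ct, stored_wrap = provider.fetch("payroll.csv")
    try:                                           # a party without the KEK, or an owner who lost it
        DataOwner().download(provider, "payroll.csv")
        opened_without_kek = True
    except ValueError:
        opened_without_kek = False
    return {
        "roundtrip_ok": owner.download(provider, "payroll.csv") == sample,
        "plaintext_visible_at_provider": sample in stored_ct or sample in stored_wrap,
        "opened_without_kek": opened_without_kek,
    }
```

`demo()` shows the three outcomes the article describes: the owner recovers the data, the provider's storage holds nothing readable, and without the KEK (stolen, subpoenaed or simply lost) the wrapped DEK fails authentication and the data is unrecoverable. Anyone wanting the plaintext has to go through the holder of the KEK.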

About the author

As vice president of strategy, Richard Moulds contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales e-Security. He has helped Thales redefine the boundaries of encryption management for global enterprises. Moulds holds a bachelor’s degree in electrical engineering from Birmingham University and an MBA from Warwick University, UK.



Big data: an information security context

Conrad Constantine, AlienVault

It looks like ‘big data’ is here to stay. When it first emerged as the ‘next big thing’ a few years ago, it didn’t take too long for the information security industry to realise it had applications within the field and quickly it was being pitched as yet another ‘silver bullet’ solution.

We love parroting the line that silver bullets don’t exist in infosecurity – and yet every time something new and shiny comes along, excitement trumps reason every time. The information security field has always suffered from a very special form of hubris – that feeling that somehow our problems are so unique to us that no other field could possibly have encountered anything of the scope or scale of intrinsic complexity and innumerable factors determining the outcome of any action. Yet here we are, welcoming in a new age of mathematically-driven analysis of our data.

And there’s the rub. Information security people, by and large, are not good at mathematics, data modelling or programming. Infosecurity has become the new hotness for people looking to go into university for something that will get them a guaranteed career with lots of money. The hand-wringing among old hands over the transition of our field from craft to trade can fill volumes. Infosecurity rookies come fresh from university with a smattering of familiarity with core concepts and skills, into a field that demands mastery of them all.

“We put people fresh out of a two-year technical security degree into front-line defence positions for the world’s largest corporations and wonder why the news is full of stories of major breaches”

A decade ago our problem was the lack of skilled penetration testers, a problem we no longer face – breaking into systems has become a rather deterministic skill that takes ‘a minute to learn, a lifetime to master’ – and yet the defensive side of things presents an obliquely different learning curve.

Time on the streets

A skilled police detective will point to their time on the streets, learning all the things that only direct experience with the public and the criminal mind can teach. No matter how extensive the courses at the academy are, they can only present information, not the understanding and empathic ability to read between the lines that experience brings. As any good police drama will emphasise – acceptance to the homicide division only comes after an officer has worked in every other area of the department’s operations beforehand.

And yet, every day we put people fresh out of a two-year technical security degree into front-line defence positions for the world’s largest corporations and wonder why the news is full of stories of major breaches that went unnoticed by these security teams for months. You can’t protect what you don’t understand after all, and with the massive influx of academy rookies into the field, should we be so surprised when it’s so difficult to find those people with the 10,000 hours widely held to be required for mastery?

In a field like network defence, where the attacker only has to be correct once, but a defender must be correct every time, mastery is an unfortunate prerequisite to effectiveness.

Big queries

But let’s bring this back around to big data – an easily digestible name for the emergence of commodity software designed to allow synchronous N-dimensional analytics – quite the mouthful to anyone without a background specialising in the data sciences. Data has always been ‘big’: an intrinsic side-effect of Moore’s law can be expressed as ‘utilisation will always expand to fill capacity’. No, the real nature of big data is ‘big queries’ – the ability to ask questions of our data that have been computationally unfeasible before.

Ask anyone working frontline security operations and analysis – we’ve had big data for years – terabytes of logs we need to sift through to find that single log entry that delivers the smoking gun to us. And we’ll regale you with stories of waiting hours, days even, for that search to return results. If big data were nothing more than a leap beyond isometric increases in the speed of querying our vast repositories of data in accordance to their volume, the average security analyst would be quite happy with that.

“The convergence of data science with security analytics was not an overnight event, more so because it was not a creation of the information security world”

And yet, big data becomes ‘the next big thing’ – a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data – but being able to query all data; beyond being able to ‘grep’ through log data faster, is the ability to distil everything we have ever recorded from our information systems, into information pictures that no single human mind could perceive from the undistilled source material.

And here is where the two observations collide. The convergence of data science with security analytics was not an overnight event, more so because it was not a creation of the information security world to begin with. The path of convergence first came with an overlapping field – fraud detection and investigation – where data analytics has been a key driver for many years now in identifying what constitutes normal and abnormal patterns of activity. For anyone who has ever found their debit card locked out after a transaction they consider ‘normal’, well there’s the data analytics in action, running into an edge case. These algorithms are refined over time, iteration by iteration, and their designers learn to ask ever more elegant questions about their datasets.

Better questions

Big data can achieve nothing by itself; it is merely an engine to enable the asking of better questions – questions that arise only through experience with real world data. To express those questions programmatically from big data systems requires a certain set of technical skills that are only hastily covered in the current educational tracks for infosecurity.

If ‘security big data’ is going to do more than keep buzzword-pace with the rest of the technology world, it will inevitably draw upon prior expertise from other fields. True, they will have to acquire some of the experience and domain knowledge of the security field – a task that may be far less challenging to people with a background in data science than for our current crop of security graduates to replicate in reverse.

“Information security expertise requires experience and competence across a wide variety of information technology domains”

The hubris of the infosecurity field – to believe it deals with entirely unique and unsolvable problems – may finally see new light as other domains of expertise come to accept that security is everybody’s problem. Information security has matured – after two decades of relevance we should expect nothing less – but are we following suit with it? Big data was not our creation, and there exists far more talent for asking the right questions from data, outside of our field.

If this is our new normal, the core technology that drives all workflow and action – how are we going to address that in education, training and certification? Information security expertise requires experience and competence across a wide variety of information technology domains, yet how will we address the incursion of a skill so few of us are qualified with beyond cursory familiarity, only to find ourselves exclaiming: “Help, a data scientist took my security job!”?

About the author

For Conrad Constantine, research team engineer at AlienVault, an early background in searching for forbidden knowledge, pushing computing hardware to its limits and a nose for the truth, made for a perfect storm toward a career in incident response, where, for over a decade and a half, he has been on the front lines of defence work in telecom, medical and media corporations, not least of which being at ground zero for the 2011 RSA Breach. A firm believer that incident response must become an accessible and effective discipline available to all, he works on bringing the mysteries of open source intelligence generation and defensive agility to those willing to take the leap from fear to action.

...Continued from page 3

Many people in the security industry remain unconvinced by RSA’s denials. These include Mikko Hyppönen, chief research officer at F-Secure, who recently cancelled his planned presentation at this year’s RSA conference. He was due to give a talk on ‘Governments as Malware Authors’.

Now several other researchers and speakers have followed his lead. They include: Jeffrey Carr, chief executive of Taia Global; Josh Thomas of Atredis Partners; Chris Palmer, a software security engineer at Google; Adam Langley, a Google cryptographer; Chris Soghoian, principal technologist with the ACLU’s Speech, Privacy and Technology Project; Alex Fowler, Mozilla’s global privacy and public policy leader; and Marcia Hofmann, a digital rights lawyer at the

There has been an attempt to remove an NSA employee from an influential cryptographic standards body. The Crypto Forum Research Group (CFRG) is part of the Internet Research Task Force (IRTF) and is co-chaired by Kevin Igoe, who works for the NSA. Some members of the group wanted him to step down following his part in the adoption of a weakened version of the Dragonfly key exchange protocol. This followed the revelation that the NSA has been active in trying to promote flawed technologies in order that it could develop backdoors in widely accepted protocols and products.

Continued on page 20...


EVENTS CALENDAR

4–6 February 2014: Smart Surveillance, Perth, Australia. http://fp7.ecu-sri.org/

12–15 February 2014: NullCon, Goa, India. http://nullcon.net/website/

24–28 February 2014: RSA Conference 2014, San Francisco, US. www.rsaconference.com

26–28 February 2014: Engineering Secure Software and Systems, Munich, Germany. https://distrinet.cs.kuleuven.be/events/essos/2014/

17–21 March 2014: Troopers, Heidelberg, Germany. www.troopers.de

24–25 March 2014: International Conference on Cyber Warfare and Security (ICCWS), West Lafayette, Indiana, USA. http://academic-conferences.org/iciw/iciw-home.htm

25–28 March 2014: Black Hat Asia, Singapore. www.blackhat.com

1–3 April 2014: 13th European Security Conference & Exhibition, The Hague, Netherlands. http://bit.ly/18uLlPn

7–9 April 2014: InfoSec World Conference & Expo, Orlando, Florida, US. http://bit.ly/infosecworld

...Continued from page 19

However, David McGrew, the other co-chair of the CFRG, said that Igoe was not in a position to directly influence the adoption of standards – at least, no more than any other member of the group.

Yahoo ads spread malware

Thousands of users of Yahoo.com have had their PCs infected due to malicious iframes in advertisements. Nearly a quarter of the infections were in the UK.

The iframes, buried in ads served up by third-party ad networks, directed visitors to a dubious website capable of drive-by infections created with the Magnitude exploit kit. The site used the IP address 193.169.245.78, hosted in the Netherlands.

Victim PCs were infected with a range of malware, including the Zeus banking trojan, Dorkbot and a click-fraud trojan. Israeli firm Light Cyber said it also saw evidence of bitcoin-mining malware. And Cisco said this campaign was one of several from the same group. The ads focused on European users, with 24% of victims being in Romania, 23% in the UK and 20% in France.

Security firm Fox-IT believes that this may have caused as many as 27,000 infections an hour, and the attacks may have run for at least a week. Yahoo subsequently removed the malicious ads.

Yahoo later announced that it is turning on SSL/TLS encryption by default for its Yahoo Mail service. However, the firm has still come in for criticism – and not just for being slow to implement a feature that others, such as Google and Microsoft, have had enabled for some time.

“I can’t think of a legitimate reason to prefer this weaker encryption strategy”

Unlike some companies – Google again, plus Facebook and Twitter – Yahoo has not enabled Perfect Forward Secrecy (PFS). This is a technology in which keys are constantly changed so that, should a key be obtained at a later date (by hackers or a government agency), it would not allow an attacker to decrypt any earlier messages that had been intercepted and stored. The companies that have implemented PFS have generally employed Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, which generates one-time keys.

“The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome,” said Tod Beardsley, engineering manager for Metasploit at Rapid7. “I can’t think of a legitimate reason to prefer this weaker encryption strategy.”
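The retrospective decryption problem Beardsley refers to is easiest to see by putting the two handshake designs side by side: one where the server reuses a long-term private key to agree every session key, and the ECDHE pattern where each session uses a fresh, authenticated key pair that is discarded afterwards. The code below is an added example, not from the news item or from any of the companies named; it uses a toy Diffie-Hellman group (a small Mersenne-prime modulus, constructed for illustration and far too small for real use) and an HMAC key as a stand-in for the certificate signing key that authenticates the server's ephemeral value in TLS.

```python
"""Why ephemeral key exchange stops retrospective decryption.

Toy Diffie-Hellman over a small modulus, constructed for illustration only;
real deployments use standard groups or curves such as X25519 or P-256.
The server's long-term authentication key is an HMAC key standing in for
the private key behind its certificate.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime; a toy modulus, not a secure group
G = 3


def dh_keypair():
    """Fresh private exponent and the matching public value G^priv mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")


def derive_session_key(shared: int, transcript: bytes) -> bytes:
    """HKDF-style extraction from the shared secret, bound to both public values."""
    return hmac.new(b"toy-session-key", enc(shared) + transcript, hashlib.sha256).digest()


def static_dh_session(server_priv: int, server_pub: int):
    """No forward secrecy: the server reuses one long-term DH private key for
    every session (the same property as RSA key transport). Returns the session
    key and what a passive eavesdropper records."""
    c_priv, c_pub = dh_keypair()
    transcript = enc(c_pub) + enc(server_pub)
    key = derive_session_key(pow(server_pub, c_priv, P), transcript)
    return key, {"client_pub": c_pub, "server_pub": server_pub}


def ephemeral_dh_session(server_auth_key: bytes):
    """ECDHE pattern: a fresh server key pair per session, authenticated with
    the long-term key, then erased once the session key is derived."""
    s_priv, s_pub = dh_keypair()
    authenticator = hmac.new(server_auth_key, enc(s_pub), hashlib.sha256).digest()
    c_priv, c_pub = dh_keypair()
    # The client checks the authenticator before trusting s_pub (stand-in for
    # verifying a signature against the server certificate).
    expected = hmac.new(server_auth_key, enc(s_pub), hashlib.sha256).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("server authentication failed")
    transcript = enc(c_pub) + enc(s_pub)
    client_key = derive_session_key(pow(s_pub, c_priv, P), transcript)
    server_key = derive_session_key(pow(c_pub, s_priv, P), transcript)
    assert client_key == server_key
    del s_priv, c_priv   # ephemeral secrets exist only for the handshake
    return client_key, {"client_pub": c_pub, "server_pub": s_pub, "auth": authenticator}


def retrospective_attack(captured: dict, stolen: dict):
    """An attacker who recorded the handshake later obtains the server's
    long-term secret: {"dh_priv": int} in the static design, {"auth_key": bytes}
    in the ephemeral one. Returns the recovered session key, or None."""
    transcript = enc(captured["client_pub"]) + enc(captured["server_pub"])
    if "dh_priv" in stolen:
        # The long-term key is the DH private key, so the recorded client
        # value gives the same shared secret the server computed.
        return derive_session_key(pow(captured["client_pub"], stolen["dh_priv"], P), transcript)
    # The authentication key lets the attacker impersonate the server in
    # future handshakes, but no private exponent for the recorded server_pub
    # survives anywhere; recovering it would mean solving a discrete logarithm.
    return None


def demo() -> dict:
    s_priv, s_pub = dh_keypair()                      # long-term static DH key
    k_static, cap_static = static_dh_session(s_priv, s_pub)
    auth_key = secrets.token_bytes(32)                # long-term authentication key
    k1, cap1 = ephemeral_dh_session(auth_key)
    k2, _ = ephemeral_dh_session(auth_key)
    return {
        "static_key_recovered": retrospective_attack(cap_static, {"dh_priv": s_priv}) == k_static,
        "ephemeral_key_recovered": retrospective_attack(cap1, {"auth_key": auth_key}) == k1,
        "ephemeral_keys_differ": k1 != k2,
    }
```

The design point is what remains on the server after the handshake: in the static case the decryption capability for every recorded session lives in one long-term key, so a single later compromise (or compelled disclosure) unlocks the archive; in the ephemeral case the long-term key only vouches for per-session values that no longer exist, which is exactly the property the quoted criticism of Yahoo is about.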

CryptoLocker success leads to more malware

The CryptoLocker ransomware has proven to be hugely successful, and has recently evolved in order to snare even more victims, according to researchers. And it may soon have a successor.

The malware encrypts data on infected machines and demands a ransom from their users before they can get their files back. The ransom is paid in bitcoins. Analysis by Dell SecureWorks suggests that, in the first 100 days of its life, CryptoLocker achieved up to 250,000 infections. This could have netted the cyber-criminals at least $380,000, although the real figure could be in the millions.

Until now, the malware has been a standard trojan – to be infected you had to open a file attached to an email or visit a malicious web page. But now, according to researchers at Trend Micro, it has evolved into a worm, capable of spreading via USB-connected devices such as hard drives and memory sticks. On the plus side, the worm variant has its command and control servers hard-coded into it, making it easier to block.

Recently, postings on underground forums suggest that a derivative of CryptoLocker – dubbed PrisonLocker – may be in the offing. At the moment, however, it seems this is little more than a work in progress.

