Joining the dots

Richard Walters, product director, Overtis Systems

Data loss continues to grab the headlines. For those of us in the information security industry, these stories are testament to the fact that we are failing. Data is being removed intentionally, and disseminated unintentionally, from UK organisations on an unprecedented scale. Examples we’ve seen range from gaining physical access to restricted areas (through access card theft, lack of anti-passback on turnstiles, and plain simple tailgating), to data theft over instant messenger using file transfer, and social networking sites (uploading a file from the corporate network during office hours, and downloading it to another location later).

In one case, an office multi-function device (MFD) was used to scan sensitive documents to PDF and email them direct to an external recipient by entering their email address on the LCD screen of what was essentially a sophisticated photocopier. In another, a customer services manager asked all team members for their passwords just in case anything arose when they were off sick or on holiday, subsequently using those accounts to defraud the company of hundreds of thousands of pounds.

Data leakage vectors

The number of data leakage vectors available to the internal user is increasing. Removable media and email are reasonably well addressed, while other vectors

Network Security, May 2009



are not. Organisations spend considerable amounts on device control, but do nothing to restrict the copying of sensitive files to local hard drives in notebook PCs.

In some respects, this disjointed response is driven by specific compliance requirements within standards such as PCI DSS, or HMG Information Assurance (IA) Standard 6, which are highly prescriptive in the technical controls that organisations must use. This causes organisations to lose sight of the policy-led end-to-end ISMS approach laid out in ISO/IEC 27001 and 27002.

Attempting to address the insider threat, of which data loss is a part, with a network/gateway based approach is fundamentally flawed. Smashing and hashing of files stored on a gateway appliance comes with an unacceptable level of false positives and false negatives, echoing back to the days of early intrusion detection systems when signatures gave rise to false positive rates of up to 70%.

Admittedly, document fingerprinting techniques are developing, driven primarily by the need to stem the plagiarism of content on the internet. But these are at best a data loss detection, rather than a data loss prevention, solution. And prevention is always better than cure.

Some network/gateway based vendors talk about unique statistical and pattern matching algorithms to identify attributes, characteristics and patterns in data that highlight sensitive information, at the same time suggesting that basic keyword matching is too basic (although this can be highly accurate if context is taken into account). From a network-based viewpoint, the volume of traffic and speeds the technologies have to cope with are simply too great to make keyword matching a viable solution. Surely the logical place for controls to address the insider threat is not on the network but on the endpoint – close to the user – and, critically, between the user and the information assets?

Limited protection

Network security solutions provide strong protection against DoS and DDoS attacks, DNS attacks, port scanners, and IP, ICMP and RIP based attacks. But to prevent data loss, protection needs to be at the endpoint. Adapting existing network based products – such as firewalls or IDS sensors – is not the answer. These products give limited or no protection to mobile PCs or other mobile devices outside the corporate perimeter. Similarly, protection of untrusted/third party systems is scant, and so the use of terminal services is highly recommended. Analysis of encrypted traffic (certainly outside of HTTP and SMTP, depending on where SSL or email encryption is terminated) is also often unavailable. Network-based solutions are also limited to specific network protocols (such as email, webmail, HTTP, IM, Internet Relay Chat, FTP and P2P) and file types (the file format must be understood and stripped away in order to reach the content and analyse it in real time).

At the endpoint, there’s greater visibility of how users access, process, store and transmit information. Response is more immediate, with the ability to warn the user of the risk associated with a particular action, capture a screenshot of the desktop, block or prevent a specific activity, or even freeze the workstation. This response can be proportional and appropriate based on content and context (such as time, location, and group membership).

However, there is still significant value to be extracted from network-based protection. One evolutionary path may be security convergence, or integration with access control and CCTV systems to reduce the amount of data that is walking out of the door, either in hard copy or on mobile devices and removable media.

Convergence is being driven at the macro and micro level. Organisational changes are seeing a move away from the disconnected individual elements of security. And individuals that previously held isolated positions with a narrow logical (IT) or physical security focus are moving to broader based multi-disciplinary roles to manage risk across the business as a whole.

Convergence and segmentation

On the micro level, physical and electronic security systems are becoming increasingly IP based. This is true of major systems such as video surveillance networks and physical access control systems, but also of other systems such as intercoms and alarm systems. To date, concerns have been raised over the risks posed by running these technologies on the same network. But this is simply not the way these technologies are converging.

A mid-range video camera using a typical H.264 codec may stream video over IP at a rate of about 4Mbps. It therefore only takes a relatively small number of cameras to create a significant load on an already stressed 100Mbps network. For this reason alone, many physical security systems architects deploy video surveillance systems on a separate dedicated network. Troubleshooting is also considerably easier and faster.


Figure 1: Video system integration can provide the eyes and ears to other security systems.


Integration between physical security IP networks and the data LAN is generally very limited, with any routing kept to a minimum, allowing only a small number of PCs to run software to view video footage from a network video recorder (NVR), or to access events such as alerts and alarms at network or systems management consoles.

As a result, the opportunity to access or attack the data LAN from the physical security network is contained. Many physical security systems are not advanced in the IT security services they run; some, such as telnet and FTP, would be unacceptable to most information security managers as well as being in breach of many standards and information security best practice. Therefore segmentation, for the time being at least, must remain.

Visual audit trail

That said, security convergence can still drive a holistic approach to security by drawing upon logical and physical systems to monitor the building, the network and the user. CCTV systems, physical access control systems, biometric devices, and other technologies such as RFID can provide the eyes and ears of the organisation. Extending the security net in this way can make it easier to enforce policy management for visitor and contractor access, entry to computer rooms and data centres, and access to secure cages or racks within facilities. It’s also simpler to visually monitor hosting environments and collate camera shots of who was at a given terminal or PC when a particular operation was carried out.

The value of convergence lies in the fact that a full visual audit trail of date and time stamped events can be created with supporting evidence from door entry and/or camera systems, providing proof of hardware tampering or theft. Integration with access control systems enables the enforcement of ‘low man count’ policies, with the option to prevent access to sensitive data, or to certain applications or application functions, if occupancy of a given area drops below pre-determined levels. Or it’s possible to freeze user sessions if the user leaves a given area, to prevent unauthorised access through session hijacking, or to freeze all workstations in a secure area if the area is empty (overnight, during breaks, or as the result of a fire alarm).

But security convergence is still in its infancy. The total lack of standards poses a major challenge. As a result, groups such as the Open Network Video Interface Forum (ONVIF) and the American Public Transport Association (APTA) are looking to standardise protocols, APIs and other system elements to make integration and management of these systems easier. Until they succeed, it’s necessary to assess whether there is an API available from the vendor and, if so, what it supports.

Video system advantages

When considering integration with video systems, look at the digital video recorder (DVR) or NVR for the availability of an API and TCP interface. A small number of systems provide both inbound and outbound capabilities. More basic APIs support a ‘web cam mode’ enabling periodic image upload (typically via FTP), while the more advanced support parameterised video streaming and export. This makes it possible to attach video footage to events linked to information security incidents, such as running a sensitive application, or a hardware device change.

Some APIs also support the ability to inject text-based tags into the video stream. This has significant advantages when reviewing 30, 60 or 90 days of stored video material if you’re looking for a particular event. It is then possible to skip through hours of video to the exact frames associated with a misdemeanour.

Video system integration can consist of one or more elements. These include text alerts sent by the server to the DVR/NVR on receipt of a relevant notification. Such alerts can be used by the DVR/NVR to alert operators and/or bookmark pertinent video sequences. Or images can be sent intermittently from the DVR/NVR to the information security server for inclusion in server attachments, for time synchronisation and anti-tamper purposes. Or you may wish to create link files via the server, also for inclusion in server attachments, on receipt of a relevant notification. The link files can subsequently be used by the information security server for displaying video sequences directly from the DVR in the context of a particular notification.

As with video system integration, the degree to which an information security solution can be integrated with a particular access control system depends to a large extent on the capabilities of the access control system. With physical access control systems, APIs can vary considerably, but some offer location change event export, including badge number, old location, and new location. In other examples, location occupancy counts are also provided. Periodic upload of access control logs to the information security server via FTP is also usually supported.

Figure 2: Access control integration is still problematic due to variations in vendor APIs.

Phishing in depth

Dario Forte, CFE, CISM, founder and CEO, DFLabs, Italy

In the first of this two-part series, published last month, we explained the initial process of how phishers prepare the ground for their attacks. As stated in that article, phishing attacks can be subdivided into three phases:

target of the attack.

existing site.

The combination of these three elements allows an attacker to carry out an attack. The success of the attack depends on many factors, such as the credibility of the site, the contents of the email message, and the end user’s critical analysis capacity and IT proficiency. This article will go into more depth on these issues.

Mass mailings

After having created and published the web site, the next step in the phishing attack is to send out mailings. As alluded to above, there are different ways to obtain an email address that can be used for this purpose. The user can either create an ad hoc account, or obtain an email address from the web.

The first alternative produces a more convincing phishing attack, since the attacker may incorporate the name of the defrauded bank into the account name, thus increasing the likelihood of tricking the user. Once a valid account has been established, the next thing to do is to generate a mailing list. This is facilitated with tools known as ‘crawlers’ that allow targeted searches within websites to extract email addresses. This is why you should be discouraged from including explicit references to your mailbox or leaving your email address in discussion forums. The last thing to do in the phishing attack is to compose the message to be sent out. As for the web site, the message should imitate the style and content of official messages from the mimicked institution. An example is illustrated below.

New attack scenarios

Before turning to a discussion of countermeasures, it is opportune to discuss three current offshoots of phishing:

MD5 hash algorithm.

Vishing

Discovered in early 2006, ‘vishing’, a portmanteau word of ‘voice’ + ‘phishing’, is a natural outgrowth of phishing. The Internet Crime Complaint Center (IC3) states that this type of attack is increasing at an alarming rate.

Online fraud, as we have discussed earlier, is carried out through the use of bogus emails and web sites. The fraudster sends out an email message masquerading as the user’s bank, hoping to convince us to click on a link and provide our username, password or other information for ‘security reasons’.

With a vishing attack, however, instead of sending an email asking us to click on a link, the attacker sends out a telephone call asking us to call a telephone number. When we do, a recorded voice asks us to key in our personal information. Let us analyse briefly the details of a vishing attack.

The initial phase entails configuring the computer using VoIP technology so that it can call a long list of telephone numbers in a given area. Given the low cost of telephone calls, distance no longer constitutes an obstacle. The call

JOINING THE DOTS

Typically, physical access control system integration consists of either access control message routers or a devolved agent-based (endpoint) processing model. Access control message routers (which have been adapted

for use with a particular type of access control system) read configuration information from the server and route status change events (such as location and occupancy changes) from the access controller to the relevant policy processors.

Transaction and authentication recognition

Following a devolved agent-based (endpoint) processing model, each individual policy processor determines what it should do on receipt of an access control status change event.

For example, if the policy processor belongs to a user who has just left the building it can determine whether it should freeze (i.e. block keyboard and mouse events) for that session.
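The freeze-on-exit and ‘low man count’ decisions described above, as an added example that is not the author’s or any vendor’s code: a toy endpoint policy processor in Python that consumes the location change events an access controller exports (badge number, old location, new location, as the article describes) and returns the enforcement actions for one user’s session. The event shape, the area names, the "OUTSIDE" location and the occupancy threshold are constructed assumptions, and routing of events from the controller to this processor is assumed to have already happened.

```python
from dataclasses import dataclass, field


@dataclass
class LocationChange:
    """Status-change event as exported by an access controller (assumed shape)."""
    badge: str
    old_location: str
    new_location: str  # "OUTSIDE" once the holder badges out of the building


@dataclass
class PolicyProcessor:
    """Endpoint-side policy processor guarding one user's session in one area."""
    session_badge: str
    session_area: str
    min_occupancy: int = 2  # 'low man count' threshold for the session area
    location: dict = field(default_factory=dict)  # badge -> current area
    frozen: bool = False
    blocked: bool = False

    def occupancy(self) -> int:
        """Number of badge holders currently recorded in the session area."""
        return sum(1 for area in self.location.values() if area == self.session_area)

    def handle(self, ev: LocationChange) -> list:
        """Apply one event and return the enforcement actions it triggers."""
        self.location[ev.badge] = ev.new_location
        actions = []
        # Session owner left the area: freeze keyboard and mouse so the
        # unattended session cannot be hijacked; resume when the owner returns.
        owner_present = self.location.get(self.session_badge) == self.session_area
        if not owner_present and not self.frozen:
            self.frozen = True
            actions.append("FREEZE_SESSION")
        elif owner_present and self.frozen:
            self.frozen = False
            actions.append("RESUME_SESSION")
        # Low-man-count policy: sensitive applications are usable only while
        # enough people are in the area, and re-enabled once occupancy recovers.
        understaffed = self.occupancy() < self.min_occupancy
        if understaffed and not self.blocked:
            self.blocked = True
            actions.append("BLOCK_SENSITIVE_APPS")
        elif not understaffed and self.blocked:
            self.blocked = False
            actions.append("UNBLOCK_SENSITIVE_APPS")
        return actions


def run_scenario() -> list:
    """Constructed events: two staff enter, one leaves, the owner leaves and returns."""
    pp = PolicyProcessor(session_badge="B100", session_area="SERVER_ROOM")
    events = [
        LocationChange("B100", "OUTSIDE", "SERVER_ROOM"),
        LocationChange("B200", "OUTSIDE", "SERVER_ROOM"),
        LocationChange("B200", "SERVER_ROOM", "LOBBY"),
        LocationChange("B100", "SERVER_ROOM", "LOBBY"),
        LocationChange("B100", "LOBBY", "SERVER_ROOM"),
        LocationChange("B200", "LOBBY", "SERVER_ROOM"),
    ]
    return [pp.handle(ev) for ev in events]
```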

Convergence is also now combining recognition of specific transactions with authentication solutions. Using endpoint agents it’s possible to monitor everything a user does and, by integrating with biometric devices such as fingerprint and finger vein readers, require them to re-authenticate on carrying out a certain action – such as printing a sensitive document, putting through an unusually high value stock movement, or a financial transaction above a certain value. This type of transaction level authentication would have stopped Jerome Kerviel at Société Générale in his tracks.

To date, solutions to data loss and the wider insider threat have been piecemeal. A combination of network and endpoint based controls is required to prevent data literally walking out of the door. Integrating physical and logical security systems maximises existing investment, improves risk management and gives operational benefits. With these systems already in play, don’t we just need to join the dots?