Wednesday, January 16, 2013

SUPPORT VPN: Virtual Private Nightmare

VPNs (Virtual Private Nightmares)

by Steven Drew, EVP of Client Services, SecureWorks

Here's a question: what is the number one vector for security outbreaks today? Given the title of the article, we hope you answered Virtual Private Networks (VPNs). Today's convenient world of mobile access to critical applications and information has come with a hefty burden for the world's already overburdened security teams. Our Secure Operations Centers witness the same trend each time a new outbreak, such as Sasser, occurs. The first day, usually during a weekend, is eerily quiet given the large amount of outbreak activity we see outside our clients' networks. Then Monday rolls around, and for the next couple of days our analysts are working rapidly to prevent damage from internal outbreaks. Almost every one of these internal outbreaks can be traced back to an infected mobile user or external partner entering the corporate network through the VPN.

There are a variety of ways security teams can address this problem. However, the right solution must be unobtrusive to the external party and err on the side of availability, since most external users are sales personnel, executives or business partners who cannot be denied access.

Network Segmentation

Network segmentation is the first basic step to address the VPN issue. Properly segmenting your VPN network and the networks most typically accessed by VPN users will give you the ability to contain outbreaks when they occur. Segmentation can be performed at the network, sub-network and host level. At the network level, teams can use their firewalls and IPS devices to segment major portions of the network. Perhaps more importantly, security teams need to properly segment individual subnets and limit who can access these networks and hosts. This can be done easily using Virtual LANs and Access Control Lists.

Performing proper segmentation across all three levels will enable security teams to contain outbreaks, control which users can access critical hosts, and provide the fundamental level of security around their VPN segments.

Intrusion Prevention

Intrusion Prevention Systems (IPS) are an extremely useful solution to the VPN outbreak problem. Since an IPS is an inline device with automated blocking functionality, there is always a risk of falsely denying access. However, a properly tuned IPS looking for a discrete set of known malware can be highly effective in preventing outbreaks behind the VPN. Security teams should deploy an IPS device behind any and all VPN devices. Once an outbreak occurs, these teams should move quickly to update their IPSs with the new attack signature and turn blocking mode on for that new threat. Security teams should then monitor the activity on the device to ensure that all malicious traffic is blocked while legitimate traffic is not denied. Managing this IPS process effectively will result in far fewer internal outbreaks and, consequently, fewer security team headaches.

Emerging Solutions

New initiatives from leading network and security vendors hold the promise of easing the VPN outbreak burden in the future. Cisco's Network Access Control (NAC) is one such initiative. Essentially, NAC informs a Cisco router or VPN device about the current state of the mobile user's security. Information such as patch levels and anti-virus signature updates is then used by the VPN to determine whether or not this person is safe to enter your network. If they are not safe, the device directs the user to an internal web page where they can download the latest patches or virus signatures. Other vendors are promising to deliver a similar set of functionality.

These solutions should greatly help security teams control the number of outbreaks occurring through the VPN.

Summary

VPNs will likely continue to be the weakest link in an organization's security infrastructure for some time to come. Implementing these recommended actions should help security teams minimize, and hopefully someday eliminate, the impact of outbreaks entering through the VPN. Although these methods will help to better defend your enterprise, they are by no means a substitute for an effective, comprehensive Threat Management strategy. Such a strategy must include prevention, discovery, assessment, detection, response and early warning. Implementing this strategy will give a security team the best chance of efficiently protecting your enterprise from existing and emerging threats.
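The posture check described under Emerging Solutions, combined with the VLAN segmentation from the first section, as an added example (not SecureWorks' or Cisco's code): a client that reports missing patches or stale anti-virus signatures is placed in a quarantine VLAN whose ACL only reaches a remediation server. The VLAN numbers, patch identifiers, thresholds, host name and sample clients are all constructed.

```python
# Posture-gated VPN admission in the style of the NAC approach described above. Added
# example, not SecureWorks' or Cisco's code; VLANs, patch IDs, thresholds and clients are constructed.
from dataclasses import dataclass, field
from datetime import date

# Assumed policy: all required patches present, AV running with fresh signatures.
REQUIRED_PATCHES = {"PATCH-LSASS-EXAMPLE", "PATCH-IE-EXAMPLE"}
MAX_SIG_AGE_DAYS = 3
TRUSTED_VLAN = 100       # constructed: normal VPN user segment
QUARANTINE_VLAN = 900    # constructed: may reach only the remediation server
REMEDIATION_HOST = "remediation.example.internal"  # placeholder name

@dataclass
class Posture:
    user: str
    patches: set = field(default_factory=set)
    av_running: bool = False
    sig_date: date = date.min

def evaluate(p: Posture, today: date) -> tuple[int, list[str]]:
    """Return the VLAN to place the client in, plus reasons if quarantined."""
    reasons = []
    missing = REQUIRED_PATCHES - p.patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if not p.av_running:
        reasons.append("anti-virus not running")
    else:
        age = (today - p.sig_date).days
        if age > MAX_SIG_AGE_DAYS:
            reasons.append(f"AV signatures {age} days old")
    return (QUARANTINE_VLAN, reasons) if reasons else (TRUSTED_VLAN, [])

def quarantine_acl(vlan: int) -> list[str]:
    """Segmentation rules for the assigned VLAN (pseudo-ACL syntax, constructed)."""
    if vlan == QUARANTINE_VLAN:
        return [f"permit tcp vlan {vlan} -> {REMEDIATION_HOST} ports 80,443",
                f"deny ip vlan {vlan} -> any"]
    return [f"permit ip vlan {vlan} -> internal-apps"]  # constructed target group

def demo() -> dict:
    """Run two constructed clients through the policy: one healthy, one stale."""
    today = date(2004, 7, 14)
    clients = [Posture("alice", set(REQUIRED_PATCHES), True, date(2004, 7, 13)),
               Posture("bob", {"PATCH-LSASS-EXAMPLE"}, True, date(2004, 7, 1))]
    return {c.user: evaluate(c, today) for c in clients}

if __name__ == "__main__":
    for user, (vlan, why) in demo().items():
        print(user, "->", vlan, why, quarantine_acl(vlan))
```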

Try The DR/BCP Smell Test

by Stephen Northcutt, Director of Training and Certification for the SANS Institute

In this article we explore disaster recovery and business continuity of operations against both physical and virtual threats. I suggest that three major scenarios should be used as a reality check, or smell test, against DR/BCP plans. They are:

A widespread worm with a destructive payload that destroys data
A major weather or natural occurrence such as the Northridge Quake, tornado, or flooding. Sites in the Western USA should also consider fire
A significant terrorist attack that includes an attack on the transportation network

Many organizations lack sufficient emphasis on business continuity of operations and do not seem to give sufficient focus to the risk from malware and worms. On May 2, 2004, Westpac's network of 800 branch computers was temporarily knocked out by Sasser, and in Sydney, Australia, the trains did not run on time: only 20 per cent of trains were running, stranding about 300,000 commuters. When a service provider fails, it impacts thousands of other businesses. The British Coast Guard command and control system was paralyzed as well. Sasser, created by Sven Jaschan, an 18-year-old who apparently wrote the worm for some trivial reason such as gaining fame as a programmer or even drumming up business for his mother's computer repair shop, was not a destructive worm that destroyed all of the data on hard drives. If it had been, we have to wonder how long it would have taken to restore train operations in Sydney.

It is years after the terrorist attacks of 2001, and it would be reasonable to expect businesses to be prepared with force majeure class disaster recovery and business continuity of operations strategies. It is also clear that a DR/BCP terrorism scenario needs to be a focus, and not just in the USA but globally!

According to Jess Garcia, Security Engineer, Spanish Aerospace Agency (INTA), "In the aftermath of the March 11th attacks in Madrid, risk perception has changed inside the EU: terrorism is now ranked equally with traditional threats, such as fire or power outage. While the financial markets continue to dominate BCP/DR, in part pushed by the need to comply with Basel II and new legislation, all types of organizations seem to be creating or reviewing their BC/DR plans. However, the EU is not a homogeneous reality and different countries tend to show different priorities and profiles, particularly the new EU members which will have to make a special effort to comply with EU standards."

Historically, financial organizations have prioritized the business continuity of operations and, consequently, their disaster recovery plans worked during 9/11. Federal Reserve Vice Chairman Roger W. Ferguson, Jr., at the Conference on Bank Structure and Competition, pointed out in his "Preparedness of the Financial Services Sector" speech that since the financial industry incorporates information technology into its business processes, it is extremely knowledgeable about technology and the related operations risk. Ferguson also pointed out that financial institutions understand that it is in their best business interest to make business continuity planning an executive management issue, requiring top-level involvement and not insignificant investment. One of their primary recommendations is to consider geographic diversity.

The SANS Institute decided after the east coast hurricane Floyd of September 2003 that having both data centers on the East coast was a bad idea, and we decided to relocate the second center to the west coast. There is some evidence that global warming is contributing to additional weather events, and while we cannot plan for a "Day after Tomorrow" scenario, we should take the increasing risk into account.

Geographic diversity for critical operations and backup facilities should be a key consideration of business continuity plans, as it will help with two of the three reality scenarios. A quick look at Virginia hurricanes over the past three centuries (http://www.vdem.state.va.us/library/vahurr/va-hurr.htm) will probably convince any manager that two east coast data centers is one too many.

We suggest that it might be a great idea to clear a bit of time and review your organization's continuity of operations strategy and disaster recovery plans against these three scenarios. If they do not pass the smell test, maybe it is time for an update!

Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, SANS Security Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of Training and Certification for the SANS Institute, as well as for their Global Information Assurance Certification program.

Internet Threat Update

Provided by SecureWorks' Security Research Team

This Month's Threat Overview:

LSASS Exploit Still Going Strong
New IE Exploits Are A Boon to Phishers, Adware

LSASS Exploit Still Going Strong

Worms continue to enjoy success targeting the LSASS vulnerability; corporate networks continue to see outbreaks despite patches being available. The scenario is almost always the same: an infected laptop comes in from the outside, or a VPN client is not properly protected.

New IE Exploits Are A Boon to Phishers, Adware

The ADODB exploit patched yesterday by Microsoft is being used by phishers to steal credit card numbers and bank logins. Adware vendors continue to use the same exploit to install annoying popup ads and other spyware. Several new vulnerabilities have been found this week which are not addressed by the latest patch. A kind of "critical mass" of attention has formed around IE, meaning more researchers are trying their luck at finding the next big security hole. They are having great success, it seems.

Who Can You Trust? (No One, If You Have Active Scripting Enabled)

Several high-traffic corporate websites were hacked in the last month in order to install IE exploits via scripting on their web pages. Common advice for Active Scripting or ActiveX is to disable it overall, then only enable it for "trusted" sites. But what happens when the site you trust is hacked?
