Computerworld

Future-proof your IT security

A new wave of attacks is challenging conventional wisdom about security

Asymmetric warfare is hell. Sure, you may have night-vision goggles, body armor, and air support, but you're also working for a bureaucratic organization built to fight a war that doesn't look much like the one you're in. Your adversary, on the other hand, is poorly equipped, yet nimble, resourceful, and adept at spotting and exploiting the slightest weakness. So much so, you may not even know you're under attack.

Take the U.S. Department of Commerce's Bureau of Industry and Security, which just this month confirmed that intruders, traced to servers in China, had spread a massive rootkit infection that will result in the replacement of hundreds of desktop computers. The attack, first discovered in July, eventually forced the Department of Commerce to suspend employee Internet access. A Department of Commerce spokesman admitted that, at first, the Department didn't recognize the extent of the problem.

The Department of Commerce hack is just the latest in a string of attacks of U.S. government agencies, including the State Department and the Department of Defense. The attacks, about which the government has said little, use phishing e-mails to get employees to open e-mail attachments or visit Web sites that download Trojans targeting "zero-day" vulnerabilities in common apps such as Microsoft Word or Internet Explorer. After they gain access to one system inside the network, the hackers fan out across the entire network, harvesting sensitive information and planting rootkit and backdoor programs to ensure they keep their foothold.

And government agencies aren't alone. Security company WebSense reported this month that it recorded many instances of spear-phishing attacks on customers and employees of ISPs, e-commerce, and banking sites. The company also noted a 100 percent increase, in the first half of 2006, in the number of Web sites distributing "crimeware" such as keyloggers and screen scrapers, which capture images of victims' desktops.

Cybercriminals are "more creative, organized, and business savvy" than ever before, WebSense found, noting that true "companies" have emerged, producing and selling toolkits and developing business partner programs that enable less technical criminals to steal data and make money.

The new wave of attacks is challenging conventional wisdom about the effectiveness of signature-based security products. An unknown number of low-intensity attacks from inside networks are often being missed.

So what's an IT manager to do? Security experts say that there's no easy fix. Although traditional layered security is still the best defense, the coming years will demand investment in technologies and processes that might seem "out of the box" or that have often been overlooked, such as insider-threat detection and secure coding. For those on the front lines, new and more effective defenses can't arrive soon enough.

Developing an infiltration profile

In his work for the National Intelligence Research and Applications Group at BBN Technologies, Peiter Zatko -- aka Mudge -- sees parallels between the new generation of attacks and the asymmetric warfare of Vietnam, Afghanistan, and Iraq: Attackers use a high volume of separate, targeted assaults that often prevent victims from seeing the larger threat profile.

Neither government nor enterprise IT security defenses, says Mudge, are geared for such low-key incursions. "They have a fixed mind-set, which is border defense and standard kinds of probing and port scans. The idea that a foreign cyberforce could infiltrate over the period of a few years, then stand up and deny you the use of your own systems is foreign to them," he says. "But that's the scenario we have to start working on."

Alan Paller, research director at the SANS Institute, agrees. "With spear phishing and [zero-day] vulnerabilities there's really no perimeter. And once somebody's in, if nobody is watching, this stuff spreads like a metastasis."

Not to mention that the perpetrators may be very close to home. Cybertrust data shows that, in about 10 percent of all incidents it is asked to investigate, insiders are the source of the trouble. In another 30 percent, attacks come by way of connections with business partners and other trusted parties, says Kerry Bailey, senior vice president of global services at Cybertrust.

"The first problem is that these people didn't necessarily break in. They may already have access, so devices like firewalls and IDS aren't going to do anything. You've got to allow employees to have access to do their job," says network-defense expert Eric Cole, CTO of The Sytex Group and an adjunct professor at New York Institute of Technology and Georgetown University.

That means IT staff must understand how attacks play out within the network: how software vulnerabilities in programs can allow attackers to gain a foothold and how, from there, they can compromise other systems, access sensitive data, and "exfiltrate" it from your network, Mudge says.


In other words, nameless hackers have penetrated your network and covered their tracks, but they're not invisible. In most cases, infiltrators of enterprise networks don't know where the information they want is located and have to look for it. In so doing, they often give away their presence by violating what Mudge terms the physics of networks.

"Think about your internal environment. It's pretty well defined compared to the Internet, where you truly have distributed data. If I saw somebody accessing a bunch of diff databases or database servers for finance, marketing, R&D, that doesn't make any sense," Mudge says, providing one example.

Companies such as Intrusic, which Mudge helped found, sell products that look for those kinds of "tells." And more companies are investing in SEM (security event management) tools that correlate data from multiple security products.
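The "physics of the network" tell Mudge describes, one account querying database servers that belong to unrelated business units, can be checked with a few lines of log correlation. This is an added illustration, not code from the article or from Intrusic; the log format, the server-to-department inventory and the threshold are all assumed for the demo.

```python
"""Flag accounts that query database servers across unrelated business units.

Added example of the cross-department access heuristic described above;
the log format, the SERVER_OWNER inventory and the threshold are assumptions
made for this demo, not anything the article or Intrusic specifies.
"""
from collections import defaultdict

# Assumed inventory: which business unit each internal database server serves.
SERVER_OWNER = {
    "db-fin-01": "finance",
    "db-fin-02": "finance",
    "db-mkt-01": "marketing",
    "db-rnd-01": "r&d",
    "db-rnd-02": "r&d",
}

# Constructed sample of database-access log lines: "<time> <user> <server> <verb>".
SAMPLE_LOG = """\
2006-10-02T09:01:12 alice db-fin-01 SELECT
2006-10-02T09:04:40 alice db-fin-02 SELECT
2006-10-02T09:10:03 bob db-mkt-01 SELECT
2006-10-02T09:12:55 carol db-fin-01 SELECT
2006-10-02T09:13:30 carol db-mkt-01 SELECT
2006-10-02T09:14:02 carol db-rnd-01 SELECT
2006-10-02T09:14:45 carol db-rnd-02 SELECT
2006-10-02T09:20:11 dave db-fin-01 SELECT
2006-10-02T09:21:37 dave db-unknown-07 SELECT
"""


def parse_log(text):
    """Yield (timestamp, user, server) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def find_cross_unit_access(text, max_units=1):
    """Return {user: sorted business units} for every user whose queries touch
    more than max_units distinct units' database servers.  Servers missing from
    the inventory count as the pseudo-unit "unknown", so an inventory gap shows
    up in the report instead of silently hiding activity."""
    units_by_user = defaultdict(set)
    for _ts, user, server in parse_log(text):
        units_by_user[user].add(SERVER_OWNER.get(server, "unknown"))
    return {u: sorted(units) for u, units in units_by_user.items()
            if len(units) > max_units}


if __name__ == "__main__":
    for user, units in find_cross_unit_access(SAMPLE_LOG).items():
        print(f"review {user}: queried {', '.join(units)} databases")
```

In the constructed sample, carol is flagged for spanning finance, marketing and R&D, and dave is flagged because one of his servers is absent from the inventory; alice and bob stay within a single unit and are not reported.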

But security experts agree that effective technology to combat the insider threat is still off in the future. Meanwhile, IT managers should train qualified internal incident response teams to look for telltale signs -- and prepare dynamic and resilient responses to attacks so that panic doesn't ensue when things start breaking.

Wars of attrition

What about preventing attacks before they start? Unfortunately, effective prosecution of organized cybercrime groups and state-sponsored hackers is a long way off. Realistically, the best strategy is a smart, flexible defense that makes attacks increasingly costly, causing hackers to simply move on.

Booz Allen Hamilton recently experienced just such a phenomenon with a major overseas bank whose customers were being targeted in phishing attacks and were having funds wired out of their compromised accounts. Booz Allen designed a solution for the bank that used honeypots to identify compromised accounts but also told the client that patching that hole would just force the attackers to use different channels.

"A month or two later, the attackers moved into the telephony channel -- phone phishing," says Ron Ritchey, an expert on secure network design at Booz Allen Hamilton. "It's like you throw a rock in the stream to redirect it to another area." Still, because the bank had forewarning, it had a response plan ready for the phone phishing attacks when they happened.

The idea is akin to game theory's "war of attrition," in which contestants incur progressively increasing costs as they compete. At some point, the cost of staying in the game for one party outweighs the value of what they're trying to win, Mudge says. Fixing obvious problems can go a long way because at this point most enterprises are easy prey.

"Large enterprises are interested in business continuity, not catching crooks," says Tim Keanini, CTO of nCircle Network Security. "If they can find a way to raise the cost to the adversary, it becomes a way to make it just a hair too costly for them to figure it out." Keanini says that technologies such as virtualization could be used to introduce enough diversity and variability within and between enterprise architectures to make it too expensive and time consuming to try to break in.

Cover your assets

With so many avenues of attack, the biggest problem many companies have is determining what they need to protect most. "When I talk to executives, it's scary," Sytex's Cole says. "I'll ask them: 'What are your critical assets? What pieces of data will cause you the most damage if they got into the wrong hands?' And they don't know. They'll kind of dance around the question."

This lack of visibility makes executives prey to investing in security technology for technology's sake, without considering whether it's actually making their organization more secure. "Executives may feel good. They may say, 'I have firewalls and IDS,' and sleep well at night, but it means nothing if they don't know what their IP is and whether those security products are really working," Cole adds.


Bailey says Cybertrust frequently encounters "multimillion-dollar" security projects that do little to reduce risk because they fail to protect critical assets effectively. "I recently saw a US$30 million project to put encryption on the network to protect data, but the core data they were trying to protect could be accessed with just a four-digit PIN code. If you're an attacker, it's a lot easier to crack the four-digit PIN than to crack the network encryption," he says.

"You've got to start to understand where the data is and how to apply it back to your business objectives," Sytex's Cole says. "Ask yourself, 'Do we understand what our critical data is and what our critical exposure points are? What are the five worst possible things that could happen that would put us out of business?' " Identifying critical assets and applying the concept of "user least privilege" -- that is, assigning key personnel the least amount of access to that data needed to perform a job -- is a good start, he explains.

It's the software, stupid

Ultimately, experts agree that ridding software of vulnerabilities at the code level is the best defense. The underlying insecurity of software has become particularly nettlesome in the past two years as hackers have developed more sophisticated methods for teasing out remotely exploitable holes.

One example is the increased reliance on software "input fuzzing," a kind of software testing that throws a steady stream of input at software applications in the hope of creating a software exception and uncovering an underlying vulnerability, Booz Allen Hamilton's Ritchey says. With serious organized-crime money behind such activities, the number of application holes has increased, even for well-vetted applications such as Microsoft's Internet Explorer and Office.

With the shift in focus to application holes, sophisticated application attacks have become part of the regular repertoire for hackers. "People literally have hundreds of exploits available, and it's changed the calculus. They've gone from the musket to the machine gun," Ritchey says. According to Cybertrust, new hacker tools for application penetration outnumber those for network penetration by 2:1 in the past year.

Making applications more resistant to attack would solve many enterprise IT headaches at once. "Look, you have a firewall to begin with because your applications were written lousy. It's a recognition, after the fact: 'Oh my god, our stuff sucks, we need to protect it.' If the applications were good, you wouldn't need a firewall because there wouldn't be any packets that you need to block," says Bruce Schneier, CTO of Counterpane Internet Security.

Unfortunately, the underlying problem of software quality is a vexing one. "We've been working on it for a long time, and we haven't solved it," Ritchey notes. "Once you get past a couple hundred thousand lines of code, the complexity reaches a point where understandability goes out the window."

Schneier says that real, provable software assurance won't be available for 20 or 30 years. "We have no idea how to do that. Proving security? Forget it. We don't have a clue. Security assurance as a craft? Sure. But as a science? Not for a long time."

Software assurance methodologies are a wise investment for organizations that put a high value on secure software -- such as the NSA. For other companies that don't put as high a value on security and data integrity, the benefits of instituting security methodologies might not outweigh the costs, Schneier says.

And in the final analysis, that's what matters for companies more than eradicating threats: spending the appropriate amount to get the security they need. For the foreseeable future, that will almost certainly mean relying on a diverse mix of "layered" defenses for external and internal threats.

"If you look at it, physical security is a patchwork of stuff, too. How could it ever change?" Schneier asks.