New age security threats and how to protect your enterprise

PCQ Bureau

It's a pity that despite having firewalls, UTMs, antivirus software, spam
filters and the works, organizations still fall prey to hackers. This is
because there is no single standard available to protect every deployment, so
some flaw always goes unnoticed. After that it's entirely up to a hacker's
skills how quickly he can exploit it. The moral of the story is that no network
can be 100% secure, so you need to go beyond hardening the security of your
network. What you also need is a proper incident response strategy: a set of
measures you'll take to do damage control. The damage could be financial, or
it could be loss of reputation. Worse still, if the hacker is from a terrorist
organization, you'll also have to deal with law enforcement agencies. How ready
is your security team to do all this? Do you have measures in place that would
allow you to gather sufficient data to track the hackers?

This might have sounded unrealistic a few years ago, but today you seriously
need to think about it. And when terrorism is involved, computer forensics
becomes extremely important, because even a single piece of evidence can save
a lot of lives.

So this time we are not going to tell you how to deploy the right security
devices; instead we'll discuss how exactly you can isolate a compromised
machine on your network and gather as much evidence from it as possible.

Before we go into detail, one has to understand the difference between ordinary
information and evidence. Essentially, evidence in computer forensics is a
piece of information retrieved from a compromised device in such a way that
one can prove the data has not been changed or modified after retrieval. So,
in simple terms, forensics tools are nothing but data recovery tools, but
while recovering the data they save checksums at every level, so that at any
point of time, and at any level, the consistency of the data can be checked.

Evidence collection

Once you receive an alert from your IDS or some other source that a machine
has been compromised, the first thing to do is to isolate the machine from the
network so that it can't be accessed remotely by anyone. Remember that you
mustn't restart the affected machine. This would destroy any volatile data in
main or virtual memory, reducing the chances of finding evidence.

Backing up the pagefile

The first thing you will want to do is take a backup image of your pagefile
(Windows) or swap (Linux) so that whatever data is there can be analyzed later
on. Usually a hacker not only runs a script on your computer, but also removes
that script from your hard disk. But you can still find such scripts in the
swap area, unless the system has been rebooted. Before running any command on
a Linux machine, run the script command so that a log is maintained of
everything you did on the system. This will help you track the steps you've
followed. The command is as follows:

#script /script.log

Now, for a Linux machine, to take the backup, first mount a removable disk or
a network share on the machine and run a command like this:

#dd bs=1024 if=/dev/hdxy of=/mnt/output/swap.out

Here /dev/hdxy stands for the partition used as your swap partition; you can
find it by running the fdisk -l command. /mnt/output is the non-local media
mounted for taking the backup, and swap.out is the file that will contain the
image of the swap partition.

If it is a Windows machine, just check the path of pagefile.sys and copy it.
Once done, you can use tools such as grave-robber (Linux) or mac-robber
(Windows) to get information from the images. From here on the steps for all
the OSs will be similar. Now you can safely reboot the machine, as the volatile
data has already been saved.

Next you have to take a backup image of the compromised disk. The image is
required because if something goes wrong during the investigation, you will
still have the data intact. For this, the best approach is to connect the
compromised disk to a fresh Linux machine, run the script command again and
create an image of the disk by running the dd command. Once the image is taken
you can start recovering data from it. There are many tools for doing so, but
the one which works on both Linux and Windows is called Sleuthkit. It is
essentially a combination of different tools for doing forensic analysis. You
can even get a browser-based front end for Sleuthkit which can record multiple
forensic cases. This front end is called Autopsy. Among the things Autopsy can
do is recover deleted files from both pagefile images and disk images. It can
create an activity timeline so that one can see everything that happened on
the machine between two points in time. And obviously it creates and saves
checksums of the image at every stage. The usage is pretty simple: download
Sleuthkit and Autopsy from Sleuthkit's website (http://www.sleuthkit.org/),
install them on a fresh Linux machine and start accessing Autopsy through any
web browser on the network.

Data leakage and loss prevention

What are some common cyber terrorism threats an enterprise is facing
today?

Cyber terrorism is the misuse of cyber space for different kinds of
activities. The current threats posed by cyber terrorism have attained
monumental proportions, and for many reasons. First, Wi-Fi misuse has
generated a lot of debate, as it's a key tool through which people can get
into corporate or individual networks. Over the past few years, hacking
attacks have been on the rise, mainly due to improper configuration of Wi-Fi
systems in organizations. They have default admin names and passwords, and
fall easy prey to hackers. Second, know your employees and external
customers. Proper monitoring of employees is necessary. You need to pay
attention to their activities.

How can an enterprise effectively monitor its users and prevent misuse
of resources?

Many enterprises today are aware of external threats like hackers, worms and
viruses and deploy solutions to secure against them, but internal threats to
security are equally important. To combat those, three key security
management solutions could be deployed:

  • Identity and access management
  • Security information management
  • Threat management

Integrating these components into a comprehensive solution helps you
achieve operational efficiencies and regulatory compliance, as well as
contain costs, mitigate risks and ensure continuous business operations.

What policies could make us secure?

Policies that are based on international standards such as BS7799-1 and ISO
17799 set out the requirements of good practices for information security
management. ISO 27001 defines the specifications for an Information Security
Management System (ISMS). It was developed from BS 7799 Part 2:2002. The
scope of any ISMS includes people, processes, IT systems and policies.

Your comments on data leakage detection?

Data leakage is the unauthorized transmission of data (or information) from
within an organization to an external destination or recipient. This may be
electronic or via a physical method. Data leakage is synonymous with
information leakage. The term 'unauthorized use' does not automatically mean
intentional or malicious; unintentional or inadvertent data leakage also
comes under its purview. There are several examples of information/data
leakage. Most involve important and confidential information leaving an
organization due to accidental emails or other means. A high profile example
is the confidential memo leak in the Hillary Clinton campaign.

How can organizations prevent data leakage?

Data loss prevention or DLP solutions are available that can offer
information leak prevention, content monitoring and filtering, IP protection,
outbound content compliance, information discovery and policy enforcement.

Rajendra Dhavale,
Director, Technical Sales CA India
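Returning to the evidence-collection steps above (script, dd, and checksums at every stage): the shell script below is an added example, not from the article, showing how to record the checksums alongside the image so that the claim that the data has not been changed after retrieval can be demonstrated later. It runs stand-alone on a constructed sample file standing in for /dev/hdxy; on a real case the source would be the swap partition found with fdisk -l and the destination a file on the mounted removable media. The function names and the choice of SHA-256 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the article: image a partition with dd (as the text
# does for swap) and record checksums so the image can later be shown to be
# unmodified. SRC would normally be the swap partition from fdisk -l
# (e.g. /dev/hdxy) and DST a file on the mounted removable media. For a
# stand-alone run, the "partition" is a constructed sample file.
set -eu

# Use whichever SHA-256 tool the acquisition host has (assumed: one of them).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed sample "swap partition" so the demo needs no root.
make_sample_device() {
    dev=$(mktemp)
    printf 'constructed sample swap contents (not real evidence)\n' > "$dev"
    dd if=/dev/zero bs=1024 count=4 >> "$dev" 2>/dev/null
    echo "$dev"
}

# image_device SRC DST: copy SRC to DST exactly as the article's dd command
# does, then write both hashes to DST.sha256. Returns 0 only if the image
# hash equals the source hash, i.e. the copy is known-good.
image_device() {
    src=$1; dst=$2
    dd bs=1024 if="$src" of="$dst" 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dst")
    printf 'source %s %s\nimage %s %s\n' "$src_hash" "$src" "$img_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST: recompute the image hash and compare it with the value
# recorded at acquisition. Returns 0 if unchanged, 1 if the image was altered.
verify_image() {
    dst=$1
    recorded=$(awk '$1 == "image" { print $2 }' "$dst.sha256")
    current=$(hash_file "$dst")
    [ "$recorded" = "$current" ]
}

# Stand-alone demo: acquire, verify, then show that a later change is caught.
demo_dev=$(make_sample_device)
demo_img=$(mktemp)
image_device "$demo_dev" "$demo_img" && echo "image acquired, hashes match"
verify_image "$demo_img" && echo "image verified unchanged"
printf 'x' >> "$demo_img"   # simulate an accidental modification of the image
if verify_image "$demo_img"; then echo "unexpected: still verifies"; else echo "modification detected"; fi
rm -f "$demo_dev" "$demo_img" "$demo_img.sha256"
```

The same two functions apply to the full disk image taken later: image it once, record the hashes, and run verify_image before and after each analysis session so the record matches what Autopsy keeps for its own case files.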

Controlling mobile devices

The other thing which is very important for an enterprise is to keep a very
strict watch on the mobile devices, like mobile phones and laptops, that it
allots to its users. These can create risk in two different ways. First, if a
laptop is stolen it can be misused, and second, the original user himself
might be disgruntled or involved in suspicious activities.

How should you keep an eye on these devices, which are not actually within the
perimeter of your network? There are multiple solutions available for that.
Let's first talk about mobile phones. A very good example here is Motorola's
Good Messaging. This application is essentially meant to synchronize your
Exchange folders with a PDA phone and is essentially a messaging solution. It
also provides you a lot of customization options for viewing content. The
application integrates with your PDA and works as if it were part of the
embedded OS itself. It handles security very well: it uses FIPS certified
192-bit AES encryption both for the data being transferred over the air and
for data stored on the mobile device. But the real beauty lies in the kind of
control it provides to the administrator over the PDA, in addition to
synchronized messaging. With GMM you can create policies for mobile devices
(handsets) and allocate them to users. For example, let's say you don't want
your R&D team to use their phone's camera to snap pictures of your valuable
IP, or you don't want your employees to send out or copy data using
Bluetooth. Then you can create restricted policies for them by disabling the
appropriate functionality in the devices. You can create such a policy for a
single user or apply it to a group of users, depending upon the requirement.
This essentially means you can keep tabs on the device from anywhere and even
monitor its activities in the form of logs. And if something suspicious
happens you can even completely lock down the phone. Not only that, in case
the device gets stolen, you can remotely delete all the data from it. All you
need is a Net connection to the device.

Now imagine if the application is coupled with GSM triangulation based
tracking software, which is very easily available: how easy is it going to be
to track such a device and the person using it? For laptops, a lot of similar
applications are available, but the working is slightly different. There are
quite a few free software/services available today which you can download and
install on the laptop. The service runs in the background, and whenever the
laptop is connected to the Internet it sends the name and IP of the router and
the access point the laptop is connected to. It also tells you the public IP
which the machine is using for the Internet. With this information one can
easily trace the machine and figure out its approximate location. We have
covered one such software, called Adeona, in this issue; that article talks
about how exactly one can use it.

Preventing infrastructure misuse

After the terror email racket was busted last week, the biggest challenge for
any enterprise today is to know how they can make sure their infrastructure
will not be exploited by terrorists. How to go about it?

Enterprise networks are becoming quite complex with mobility aspects
like Wi-Fi, laptops, BlackBerry and work from infrastructure. A
comprehensive approach is needed for enterprise security and should cover
the following:

  • Have a clear security policy; among other things the guidelines
    should cover identity and access management, confidentiality and privacy
    aspects.
  • Employee awareness: the processes and guidelines need to be backed by
    awareness of employees and constant reinforcement of policies.
  • Technology: Networks and resources need to be supported by suitable
    technologies in terms of identity implementations, encryption and
    enforcement of policies etc.
  • Regular security audits: These need to be conducted to measure and
    maintain the security posture.

In quite a few countries today, keeping a backup of each and every
email for at least three years is compulsory for enterprises. But doing
this alone is of no use if there is no alerting mechanism attached to it.
How can one deploy alert mechanisms to control email misuse?

Keeping a backup will not be the solution for alerts. Backups are kept
for regulatory compliance. Intrusion detection systems need to be installed
along with firewalls to keep track of access to critical resources like
email servers, web servers, etc. Again, depending on the criticality, 24*7
monitoring will also need to be implemented for alerts and logs.

Organizations take all possible measures to secure their endpoints and
prevent their misuse. But what do you do when there are solutions like Live
OS distros that completely bypass OS security? How can organizations prevent
their usage?

That is why it is important to control the enterprise computing
environment. Depending on the criticality, Internet access needs to be
restricted, access rights for installing software need to be controlled,
and media (pen drives, mobile phones etc) need to be banned in the workplace.

What are the implications for an organization, if their IT
infrastructure is found to have been misused?

Enterprises should be concerned about this for multiple reasons:

  • Some regulatory aspects might actually implicate the enterprise if
    misuse has happened by one of its own employees.
  • Loss of credibility with customers.
  • Brand value destruction and loss of face.
  • Misuse might also indicate the vulnerabilities in the network and
    criminals might target the enterprise.

IBM's Digital Video Surveillance

Showcased at IBM Labs day, this is an intelligent digital video solution from
IBM. It is designed to perform real time data analysis of video sequences as
well as of recordings. It allows monitoring and analysis of events in real time
through multiple sensors, cameras, radar and audio inputs. It also has unique
features: for example, if somebody tampers with the video surveillance camera,
a backup camera will automatically come into operation instantly.

The solution allows users to quickly search captured video from different
cameras. It also has various unique features such as 'abandoned object',
wherein if a person abandons an object at a location which is under
surveillance, the solution will instantly raise an alarm. It also has features
like motion detection, directional motion and trip wire, which can help in
identifying suspicious behaviour. It also has forensic capabilities like
unique indexing and attribute-based search of video events, which can
organize objects into categories like cars, people, etc. Enterprises that have
already deployed CCTV surveillance can also use this software to analyze
captured video. This solution can also help in identifying traffic congestion
and route violations in real time.

The Truth Behind WiFi Security

A lot of noise is being made about WiFi networks being hacked by terrorists to
send terror mails. Many news channels are talking about it and advising home
users to secure their WiFi networks, but none are talking about how one can do
that. So we thought we'd take up the mantle and explain it. There are
essentially three ways in which you can configure a WiFi access point. One is
completely unencrypted, where anybody with a WiFi enabled device can connect to
your access point if he is inside its range. This is the most insecure way of
configuring an access point (AP) and you should never leave your access point
in such a mode. The second way is by using WEP, where you secure all the data
communication through the access point using encryption and only someone with
the passkey can connect to the AP. Unfortunately this is a very insecure
mechanism for protecting WiFi and can be easily cracked. Around three years
back we had talked about how exactly one can crack a WEP key. At that time it
used to take around a day to crack a WEP key, but today it's just a matter of
minutes. Hackers now have tools which can replay ARP requests, which generate
interesting packets for cracking the key; hence the time taken to gather such
data streams reduces, and as a result the key can be cracked quickly.

Then you must be wondering what the benefit of using such a key is, and how
someone could really secure his/her WiFi network. Don't worry, there is a
third method through which you can feel perfectly secure. The third option for
deploying a WiFi AP is to secure it using WPA2. WPA2 is to date the only WiFi
security technology which can't be hacked, and it is present in most of the
APs available today, ranging from a simple home AP to an enterprise class AP.
So the point to note here is that it's not only necessary to secure your WiFi
network but also important to secure it correctly.
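The three configuration modes just described (open, WEP, WPA2) map directly onto settings in an access point's configuration file. As an added example that is not from the article, the script below classifies a hostapd-style configuration and flags anything weaker than WPA2 with AES-CCMP. That the AP runs hostapd (with its wpa=, wep_key0= and rsn_pairwise= keys) is an assumption of the example; consumer APs expose the same choice in their web UI. The sample configurations are constructed, and the script also distinguishes the original WPA (wpa=1) and mixed WPA/WPA2 (wpa=3) modes, which the article does not discuss.

```shell
#!/bin/sh
# Added example, not from the article: classify a hostapd-style access point
# configuration as open, WEP, WPA or WPA2 so a weakly configured AP can be
# spotted before it is deployed. Assumes hostapd (an assumption); the sample
# configurations below are constructed.
set -u

# classify_ap_config FILE: print open | wep | wpa | wpa+wpa2 | wpa2.
# hostapd uses wep_keyN= for WEP and wpa=1/2/3 for WPA, WPA2 or both.
classify_ap_config() {
    cfg=$1
    if grep -Eq '^wep_key[0-3]=' "$cfg"; then
        echo wep
        return
    fi
    mode=$(sed -n 's/^wpa=\([0-9]*\).*/\1/p' "$cfg" | tail -n 1)
    case "${mode:-0}" in
        2) echo wpa2 ;;
        3) echo wpa+wpa2 ;;
        1) echo wpa ;;
        *) echo open ;;
    esac
}

# ap_config_ok FILE: succeed only for WPA2 with AES-CCMP pairing, the
# configuration the article recommends; everything else is flagged as weak.
ap_config_ok() {
    [ "$(classify_ap_config "$1")" = wpa2 ] && grep -Eq '^rsn_pairwise=.*CCMP' "$1"
}

# Constructed sample configurations: the two weak ones beside the corrected one.
write_samples() {
    dir=$(mktemp -d)
    printf 'interface=wlan0\nssid=office\nchannel=6\n' > "$dir/open.conf"
    printf 'interface=wlan0\nssid=office\nwep_default_key=0\nwep_key0=0123456789\n' > "$dir/wep.conf"
    printf 'interface=wlan0\nssid=office\nwpa=2\nwpa_passphrase=CHANGE-ME-EXAMPLE\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n' > "$dir/wpa2.conf"
    echo "$dir"
}

# Stand-alone demo: report each sample's mode and whether it passes the check.
demo_dir=$(write_samples)
for f in "$demo_dir"/*.conf; do
    if ap_config_ok "$f"; then verdict=ok; else verdict=WEAK; fi
    echo "$(basename "$f"): $(classify_ap_config "$f") -> $verdict"
done
rm -rf "$demo_dir"
```

Run ap_config_ok against every AP configuration under version control (or exported from the vendor UI) as part of a periodic audit; a non-zero exit is the alert that an AP has slipped back to open, WEP or TKIP-only mode.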

Surveillance

We have been talking about the importance of IP surveillance for the last few
issues. Surveillance, be it CCTV or IP, has become an integral part of an
enterprise security strategy. In terms of battling terror through surveillance,
there are two major factors. One is the placement of cameras and the second is
the storage of surveillance footage. With the placement of cameras there are
various factors in play, such as the needs of the enterprise, the type and
resolution of cameras and the number to be deployed. The most commonly
monitored locations are data centers and the entrance of an enterprise.
Ideally all peripheral walls of a company should be monitored along with
mission critical areas.

Simply putting up cameras and monitoring isn't enough. We really don't need to
remind you about the recent incident in Delhi where cameras were in place but
only one of them was actually storing images. Vendors now have plenty of
solutions dedicated to storage of surveillance footage. However, the biggest
question before enterprises is related to their storage: how long should they
store the video footage, when even a single camera can generate more than 10 GB
of data in a single day? Here technologies such as motion sensing/detection
can help a little, as the system will only record and store the parts where
some amount of motion has been detected. How long they keep the video
surveillance footage will vary depending upon company policies. Retaining the
footage for at least 40 days is recommended, and in case some untoward
incident does happen, for even longer periods. These days there are endless
technologies to ensure cameras work at all times. There are cameras available
which will clean themselves automatically if something falls on their lens.
Similarly, there are special cameras available which can give decent quality
pictures even in the darkest conditions. Then comes the management part, i.e.
if your camera is at a mission critical place and someone manages to tamper
with it, say by cutting the wire or blocking its lens with something, or even
if it goes off due to some technical problem, then immediately a backup camera
will start to ensure that 24x7 monitoring is in place. These are just a few
things that you must ask the vendor for when choosing a surveillance solution.

Aladdin's solutions for cyber terrorism

Aladdin Systems has two products to control cyber terrorism, eToken and eSafe.

eSafe: This is used to provide content security. Whether a business is
reached via the web or email, threats to its success exist and they are
numerous: spyware, spam, new and unknown viruses, worms, file-sharing
applications, blended threats, non-productive content, and the list goes on.
eSafe combines behavior blocking with an internally developed antivirus
scanner, allowing simultaneous detection of known and unknown malware. It is
the first technology to block 100% of anonymous proxies, which are websites
that allow Internet users to connect to the web through an external website,
thereby bypassing any restrictions typically enforced on the local network.

eToken: This, on the other hand, combines an encrypted USB flash drive and
open Java Card technology with an advanced smart card for secure and strong
authentication. It eliminates the need for separate tokens for access and
storage, and combines up to four GB of encrypted storage and authentication
technology to provide a unified, secure, portable solution. The USB drive can
be used by users to securely carry critical information, authenticate, and
develop and access files and applications from any computer, increasing
productivity without compromising data security. According to Aladdin
Systems, many Indian banks are using this product for RTGS and online money
transfers. It can however be used by every organization that wishes to
implement user authentication. It protects and keeps a check on who accesses
the data, and why and how they access it.

Threats to web applications and websites

There has been a significant increase in attacks on web applications and
websites. The obvious reason behind it is that as most enterprises are
looking for ways to automate their businesses and make them available from
anywhere, bad guys are looking for ways through which they can benefit from all
of this. A few attacks have come up especially to target web applications,
ranging from XSS attacks to zero day attacks. Let's look at some of these
attacks.

Web based Malware

This has been one of the major threats to websites in 2008. According to the
latest security threat report from Sophos, it finds a newly infected webpage
every 14 seconds, and 83% of this malware has been on legitimate websites.
That has been the rate of malware infection on legitimate websites in 2008.
The cause of this has mainly been unpatched web servers, which have been
exploited by attackers. Once a website has been infected, it starts looking
for users coming in with unpatched browsers and in turn infects them. The most
common techniques used to infect websites have been iframe injection and SQL
injection, which we take a look at below.

SQL Injection attacks

Just in case you don't know already, SQL injection means inserting raw SQL
into the input of a web application, which might cause it to malfunction.
There are many automated tools available online which let users test their
website against SQL injection. Just like any other technique, SQL injection
techniques have also matured and many new variations exist now, such as deep
blind SQL injection or lateral SQL injection. This technique is commonly used
by attackers and botnets to break into a website and at times infect it. The
most recent example of this is the Asprox botnet, which used SQL injection
attacks on web portals built with ASP to gain access. Once it has infected a
website, it infects the PCs of all users visiting it, and once infected these
machines become part of the Asprox botnet.
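Both infection vectors named above, SQL injection against the site and hidden iframes planted in its pages, leave traces an administrator can check for. The script below is an added example, not from the article, serving the Web based Malware and SQL Injection sections together: scan_access_log looks for SQL injection markers in web server access log lines after decoding the common URL escapes, and find_hidden_iframes looks for zero-sized iframes in a served page. The log lines, the HTML and the function names are constructed for the example; the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the article: two detection checks a web
# administrator can run over their own artefacts. scan_access_log flags log
# lines carrying SQL injection markers; find_hidden_iframes flags the
# zero-sized iframes infected pages use to pull in malware. All samples below
# are constructed.
set -u

# Decode the URL escapes that matter for matching (+, %20, %27, %28, %29, %3B, %3D).
# Deliberately partial: a full decoder is not needed to expose the markers.
url_decode() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e 's/%27/'"'"'/g' -e 's/%28/(/g' -e 's/%29/)/g' \
        -e 's/%3[Bb]/;/g' -e 's/%3[Dd]/=/g'
}

# scan_access_log FILE: print the decoded log lines carrying SQL injection markers.
scan_access_log() {
    url_decode < "$1" | grep -Ei \
        "union[[:space:]]+select|'[[:space:]]*(or|and)[[:space:]]+|declare[[:space:]]+@|cast\(0x|;[[:space:]]*(exec|drop|shutdown)" \
        || true
}

# count_sqli_lines FILE: number of suspicious lines, usable as an alert threshold.
count_sqli_lines() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# find_hidden_iframes FILE: print iframe tags whose width or height is 0.
find_hidden_iframes() {
    grep -Eio '<iframe[^>]*>' "$1" | grep -Ei "(width|height)=[\"']?0([^0-9]|\$)" || true
}

count_hidden_iframes() {
    find_hidden_iframes "$1" | wc -l | tr -d ' '
}

# Constructed samples (not real traffic): a normal request, an injected
# batch statement, a quote-and-OR probe, another normal request, and a page
# with one invisible and one legitimate iframe.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/access.log" <<'EOF'
192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /products.asp?id=5 HTTP/1.1" 200 1234
192.0.2.11 - - [10/Oct/2008:13:55:40 +0000] "GET /products.asp?id=5;DECLARE%20@S%20VARCHAR(4000)%3BEXEC(@S) HTTP/1.1" 500 0
192.0.2.12 - - [10/Oct/2008:13:56:01 +0000] "GET /login.asp?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 512
192.0.2.13 - - [10/Oct/2008:13:57:12 +0000] "GET /search.asp?q=laptop+bag HTTP/1.1" 200 2048
EOF
    cat > "$dir/index.html" <<'EOF'
<html><body><h1>Welcome</h1>
<iframe src="http://198.51.100.7/x.html" width=0 height=0></iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>
EOF
    echo "$dir"
}

# Stand-alone demo over the constructed samples.
demo_dir=$(write_samples)
echo "suspicious log lines: $(count_sqli_lines "$demo_dir/access.log")"
scan_access_log "$demo_dir/access.log"
echo "hidden iframes: $(count_hidden_iframes "$demo_dir/index.html")"
find_hidden_iframes "$demo_dir/index.html"
rm -rf "$demo_dir"
```

Both checks are signature based and will miss encodings they do not decode or iframes hidden by CSS rather than by size; they are a cheap first pass for the log review and content integrity check that an unpatched server warrants, not a substitute for patching it.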

Phishing attacks

Protection against phishing and pharming attacks is very critical, as most of
these attacks target end users. Most gateway level solutions offer protection
against phishing, but the majority of these solutions use blacklisting
techniques to detect such attacks. The same technique is used by anti-spam
solutions to detect phishing emails. However, this technique isn't always
successful, especially in the case of targeted phishing attacks. Once a
phishing email or URL manages to bypass an anti-phishing solution, it can even
drop malware onto a user's machine, which might then spread to other nodes of
the network.

Clickjacking

This is a relatively new threat and yet to make a big impact, but it has been
discussed a lot by security researchers in the past few months. Clickjacking
exploits a vulnerability present in browsers and can even allow an attacker to
take control of a user's audio as well as webcam. Basically, with this
vulnerability an attacker can trick the user into clicking on something that's
barely visible on a webpage, which will direct them to a malicious website.
Whether this will actually make an impact, or it will be patched with much
noise, is something to watch out for. More details about this can be found at
http://www.whitehatsec.com.
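The barely visible element in a clickjacking page is normally the target site loaded inside a frame, so the server-side defence is to tell browsers not to frame the site. The check below is an added example, not from the article; it assumes the web server can send an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive (both real headers, though neither is mentioned in the article) and inspects a captured response header block for either. The sample header blocks are constructed.

```shell
#!/bin/sh
# Added example, not from the article: decide whether a captured HTTP
# response header block stops the page from being framed by another site.
# Assumes the server supports X-Frame-Options or CSP frame-ancestors.
# The header blocks below are constructed.
set -u

# framing_policy FILE: FILE holds one captured HTTP response header block.
# Prints "restricted" and returns 0 if framing is limited, otherwise prints
# "frameable" and returns 1. Header names are matched case-insensitively.
framing_policy() {
    if grep -Eiq '^x-frame-options:[[:space:]]*(deny|sameorigin)' "$1"; then
        echo restricted
        return 0
    fi
    if grep -Eiq '^content-security-policy:.*frame-ancestors' "$1"; then
        echo restricted
        return 0
    fi
    echo frameable
    return 1
}

# Constructed samples: a response with no framing protection beside two that
# restrict framing, one via X-Frame-Options and one via CSP.
write_samples() {
    dir=$(mktemp -d)
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: example\r\n\r\n' > "$dir/unprotected.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' > "$dir/protected.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors '"'"'none'"'"'\r\n\r\n' > "$dir/csp.txt"
    echo "$dir"
}

# Stand-alone demo: report the verdict for each sample.
demo_dir=$(write_samples)
for f in "$demo_dir"/*.txt; do
    echo "$(basename "$f"): $(framing_policy "$f")"
done
rm -rf "$demo_dir"
```

A header block captured from a live site (for example with a command-line HTTP client's header-only mode) can be fed to framing_policy the same way; a "frameable" verdict on a page that performs sensitive actions is the finding to raise with the site's owner.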
