We are all well aware of the importance of securing an enterprise's IT setup and of the measures needed to protect it against the various security threats. Yet every year we hear about some security disaster or other that has struck a reputed organization, and the reason is the same: we don't update our security solutions regularly. Security devices and practices are not things you install once and forget about the next day. You need to revisit them regularly. Even a minor change in the IT infrastructure can require a complete changeover in your security policies. For instance, imagine you have a web server running in your organization while your e-mail server is outsourced/hosted, and you now decide to move the mail server into your own datacenter as well. In such a scenario, your perimeter security might need a complete makeover so that it can cope with the risks a mail server brings, which were not present when you only had a web server. Intel co-founder Andrew S. Grove once said, 'Only the Paranoid Survive.' We have to be paranoid about security to survive the new threats being born every day. This story talks about some of the most common and uncommon threats that your enterprise faces each day and the best approaches to combat them.
Blocking the gaping holes
Just as it is vital to safeguard your house at its entry points, it is equally important to protect your IT infrastructure at every possible point of attack. To do so, you first have to understand what the entry points into your IT infrastructure could be. The Internet or broadband gateway is not necessarily the only point of entry for hackers. Hackers and worms are pretty smart now; they know that people today use a firewall to restrict unwanted incoming connections, so they focus on other ways of getting into the network. Once inside, they can open channels and ports through your Internet connection to go out and connect to the outside world.
Even a simple USB pen drive could be that entry point. These drives support 'autorun' and are plugged into many machines every single day, so they get infected very easily. Visitors come to us with their own USB drives full of data and share it by copying it to our production machines. If that USB drive is compromised, it can easily drop a worm, a virus or a rootkit onto a machine, and once there it can start spreading across the network and infecting other machines. That's not all: such malware can open channels from your PC to the hacker's machines and start uploading sensitive data. Not just pen drives but also portable devices such as digital cameras, laptops, mobile phones, PDAs and handhelds all pose the same threat.
So, you must be wondering how to protect your infrastructure from these threats. One option is to ban all portable data transfer devices in your organization, which many enterprises are actually doing. But that is not the right approach, because by doing so you give up a very useful technology entirely. Rather, you should deploy solutions that take care of the risk while letting you keep using the benefits of such portable devices.
|Tools such as this one, called EtherApe, are very handy for quickly spotting worm attacks that flood the network. In one shot you can see the infected nodes|
Another solution is a good endpoint security solution. Essentially, an endpoint solution is nothing but an antivirus/antispyware agent that sits on all the workstations and laptops (even on mobile phones, for that matter) and connects back to a centralized server for upgrades, deployments and logging/reporting. Plenty of such solutions are available from vendors such as Symantec, MicroWorld, Quick Heal, etc.
Another way of protecting against such attacks is to deploy a firewall or a UTM solution that scans not only inbound (incoming) traffic but also outbound (outgoing) traffic. This makes sure that if any malware or virus has entered your network and already spread, the device prevents it from opening ports and channels to hackers' websites, from inviting in more worms and from uploading sensitive data. Quite a few organizations offer such UTM/firewall solutions that scan both inbound and outbound traffic; Cyberoam and GajShield are two examples.
The threat within
According to a survey we conducted in January last year, internal security threats can sometimes be deadlier than external ones. This is a crucial point to remember. A disgruntled employee could hand strategic information to your competition. It could even be done 'unknowingly' by an innocent employee; such cases are equally dangerous and need to be tackled differently. Just imagine an employee turning hostile and passing strategic business information to a competitor. It is a spine-chilling thought, but it can become a reality at some point.
To protect your IT infrastructure from such threats, the first thing to do is understand the difference between an internal and an external attack. There are essentially two types of attack that someone sitting inside the network can perform and that rarely come from an outsider: Ethernet sniffing and spoofing. The former means promiscuously listening to the traffic flowing on the network and gathering data from it, while the latter means faking the identity of another machine to access data intended for that machine. Both are very serious scenarios that could result in the loss of precious data.
The solutions for such issues are twofold: either you secure the data or you secure the medium. To secure the data, you have to encrypt each and every piece of sensitive data travelling across the network. For example, your mail, passwords, files, etc. all have to be encrypted whenever they are copied or transferred over the network.
|A non-traditional way to check whether your site is being faked for a phishing attack is to use an online plagiarism-checking website to find replicas of your site's content|
To secure the medium, you have to replace your network switches with ones that are more secure. Yes! There are network switches that are secure and others that are not. To understand this, you first have to understand how data is switched inside a network switch. For switching data, every switch has a cache table called the ARP cache table, which keeps a record of all the machines connected to it as pairs of each machine's IP and MAC addresses. To spoof, a hacker manipulates this entry and changes the IP-MAC pair; this is called an ARP flip-flop.
To protect against such attacks there are switches that provide an encrypted ARP cache table, which therefore cannot be manipulated or read by a hacker's machine. These secure switches are readily available from most switch vendors but are slightly heavy on your pocket.
You obviously can't change your complete IT infrastructure by deploying new switches, and at the same time it may not be feasible to encrypt all the data travelling on your network. In such a case, you can deploy an inward-facing IPS solution with alerts. An IPS is essentially an intrusion detection and prevention system that checks for all types of spoofing, sniffing and other attacks on the network and alerts you in case of a problem. It also tells you the source and destination of the attack, and once you know the source you can catch the attacker red-handed. You can get an IPS as part of a UTM solution or opt for a stand-alone IPS. Snort is one of the most famous IPS systems for wired networks and Kismet is a renowned solution in the wireless domain.
However, while deploying an IPS solution you should always configure alerts so that there is minimal delay between the generation and delivery of an alert. An SMS alert, for instance, is the quickest of the lot.
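As an added illustration (not code from the article, nor from Snort or any product named above), the following Python script shows the kind of ARP flip-flop check an inward-facing IDS performs and renders the result as a short SMS-sized alert. The ARP reply records are constructed samples; in a real deployment they would come from a capture on a mirror port, and the threshold exists because a single IP-to-MAC change can be legitimate (a DHCP lease moving to a new host).

```python
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp_s, sender_ip, sender_mac).
# 10.0.0.1 is the real gateway at ...:01; a second host at ...:99 starts claiming
# the same IP, so the IP-MAC pair flips back and forth.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (0.5, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (1.0, "10.0.0.1", "AA:BB:CC:00:00:99"),  # spoofed reply (mixed case on purpose)
    (1.5, "10.0.0.1", "aa:bb:cc:00:00:01"),  # genuine host answers again
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:99"),
    (2.5, "10.0.0.1", "aa:bb:cc:00:00:01"),
]

def detect_flipflops(replies, threshold=2, window=60.0):
    """Return one alert per IP whose advertised MAC changed at least `threshold`
    times within `window` seconds.

    An alert is a dict with the contested IP, every MAC seen for it, the number of
    flips inside the window and the time of the flip that triggered the alert.
    """
    last_mac = {}                 # ip -> MAC from the most recent reply
    flips = defaultdict(list)     # ip -> timestamps of each MAC change
    macs_seen = defaultdict(set)  # ip -> all MACs that have claimed it
    alerts, alerted = [], set()
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()         # normalise so case differences are not a "change"
        macs_seen[ip].add(mac)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            flips[ip].append(ts)
            recent = [t for t in flips[ip] if ts - t <= window]
            if len(recent) >= threshold and ip not in alerted:
                alerts.append({"ip": ip, "macs": sorted(macs_seen[ip]),
                               "flips": len(recent), "at": ts})
                alerted.add(ip)   # one alert per IP, not one per packet
        last_mac[ip] = mac
    return alerts

def format_sms(alert):
    """Render an alert as a short, SMS-friendly line (well under 160 chars)."""
    return "ARP flip-flop: %s claimed by %d MACs (%s), %d flips at t=%.1fs" % (
        alert["ip"], len(alert["macs"]), ", ".join(alert["macs"]),
        alert["flips"], alert["at"])

if __name__ == "__main__":
    for a in detect_flipflops(SAMPLE_ARP_REPLIES):
        print(format_sms(a))
```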
Faking of identity
Phishing, or faked websites, is always a key concern for users doing online transactions, but it is a bigger concern for enterprises that own websites which can be phishing targets. When a site is phished, the matter is out of the control of the owner of the genuine site; he doesn't even know that his site has been phished unless someone reports a scam about it. Such phishing sites are the biggest cause of reputation loss for the websites they imitate.
So, if you own a website that is vulnerable to phishing, you must start thinking about measures to prevent it. Yes, you will have to secure your site with digital certificates from known certification authorities and introduce multifactor authentication for your users and customers.
But besides all this, there is another easy way to keep track of which sites are trying to phish your website. The technique doesn't use any security device or application; rather, it relies on the great power of today's search engines.
A simple search on the net will turn up lots of free and commercial web-based plagiarism detection tools. Essentially these tools check for copying of copyrighted material across websites: they take each and every sentence on a website and search for matching sentences on other websites indexed by a given search engine.
During a phishing attack, the attacker copies the actual website to create an exact replica in terms of look and feel, and so he must be using the same text as the real site.
If you run your website through a plagiarism checker, it will show you all websites with the same text, including those that are likely to be phishing sites. This technique works pretty well for websites with fewer images and animations and more text.
One such free website where you can check for plagiarism is http://copyscape.com. It gives you 10 tries a month, which should be good enough for a regular check.
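The same sentence-matching idea as an added, offline example that is neither code from the article nor from copyscape.com: it strips the visible text from the genuine page and from each candidate page, splits it into sentences, and reports the share of the genuine site's sentences that reappear verbatim on each candidate. All HTML below is constructed; a real check would fetch the candidate pages turned up by a search engine, and, as noted above, a page with little text yields few sentences to compare.

```python
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect visible text, ignoring <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self._skip, self.chunks = 0, []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def visible_sentences(html, min_words=4):
    """Normalised sentences (lower-case words only) with at least min_words words."""
    parser = _TextExtractor()
    parser.feed(html)
    sentences = set()
    for piece in re.split(r"[.!?]+", " ".join(parser.chunks)):
        words = re.findall(r"[a-z0-9]+", piece.lower())
        if len(words) >= min_words:      # skip menu items, button labels and the like
            sentences.add(" ".join(words))
    return sentences

def overlap_ratio(genuine_html, candidate_html):
    """Fraction of the genuine page's sentences found verbatim on the candidate."""
    ours = visible_sentences(genuine_html)
    return len(ours & visible_sentences(candidate_html)) / len(ours) if ours else 0.0

def rank_candidates(genuine_html, candidates, threshold=0.5):
    """(name, ratio) for every candidate at or above threshold, best match first."""
    scored = [(name, overlap_ratio(genuine_html, page)) for name, page in candidates.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed pages: the genuine login page, a look-alike that copied its text but
# posts the form elsewhere, a partial copy, and an unrelated page.
GENUINE = """<html><body><h1>Welcome to Example Bank.</h1><p>Please enter your customer ID
and password to access your account. Never share your one time password with anyone.
Our helpline is open all day.</p><form action="/login"><input name="user"></form></body></html>"""
LOOKALIKE = GENUINE.replace('action="/login"', 'action="http://look-alike.invalid/login"')
PARTIAL = GENUINE.replace("Our helpline is open all day.", "Call the number printed on your card.")
UNRELATED = """<html><body><p>Weather today is sunny with a light breeze across the city.
Tomorrow brings scattered showers in the evening.</p></body></html>"""
CANDIDATES = {"lookalike": LOOKALIKE, "partial": PARTIAL, "unrelated": UNRELATED}
```

Calling rank_candidates(GENUINE, CANDIDATES) lists the look-alike first with a full match and the partial copy second, while the unrelated page falls below the threshold.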