New age security threats and how to protect your enterprise

PCQ Bureau

It's a pity that despite having firewalls, UTMs, antiviruses, spam filters and the works, organizations still fall prey to hackers. This is because there is no single standard available to protect each deployment, due to which some flaw always goes unnoticed. Then it's completely up to a hacker's skills how quickly he can exploit it. The moral of the story therefore is that no network can be 100% secure. So you need to go beyond hardening the security of your network. What you also need is a proper incident response management strategy. This comprises a set of measures you'll take to do damage control. The damage could be financial in nature, or it could be loss of reputation. Or worse still, if the hacker is from a terrorist organization, then you'll also have to deal with law enforcement agencies. How ready is your security team to do all this? Do you have measures in place which would allow you to gather sufficient data to track the hackers?

This might have sounded unrealistic a few years ago, but today you seriously need to think about it. And when it is about terrorism, computer forensics becomes extremely important, because even a single piece of evidence can save a lot of lives.

So, this time we are not going to tell you how to deploy the right security devices, but discuss how exactly you can isolate a compromised machine on your network and get as much evidence from it as possible.

Before we go into detail, one has to understand the difference between standard information and evidence. Essentially, evidence in computer forensics is a piece of information which is retrieved from a compromised device in such a way that one can prove the data has not been changed or modified after the retrieval. So, in simple terms, forensics tools are nothing but data recovery tools, but while recovering the data they save checksums at every level, so that at any point of time and at any level the consistency of the data can be checked.

Evidence collection

Once you receive an alert from your IDS or some other source that a machine has been compromised, the first thing to do is to isolate the machine from the network so that it can't be accessed remotely by anyone. Remember that you mustn't restart the affected machine. This would destroy any volatile data in the main or virtual memory, thereby reducing the chances of finding evidence.

Backing up the Pagefile

The first thing you would like to do is to take a backup image of your pagefile (Windows) or swap (Linux) so that whatever data is there can be analyzed later on. Usually, a hacker not only runs a script on your computer, but also removes that script from your hard disk. But you can find such scripts in the swap area, unless the system has been rebooted. Before running any command, if it is a Linux machine, run the script command so that a log can be maintained of what all you did on the system. This will help you track the steps you've followed. The command is as follows:

Sidebar: Data leakage and loss prevention

What are some common cyber terrorism threats an enterprise is facing today?

Cyber terrorism is the misuse of cyber space for different kinds of activities. The current threats posed by cyber terrorism have attained monumental proportions, and for many reasons. First, Wi-Fi misuse has generated a lot of debate, as it's a key tool through which people can get into corporate or individual networks. Over the past few years, hacking attacks have been on the rise, mainly due to improper configuration of Wi-Fi systems in organizations. They have default admin names and passwords, and fall easy prey to hackers. Second, know your employees and external customers. Proper monitoring of employees is necessary. You need to pay attention to their activities.

How can an enterprise effectively monitor its users and prevent misuse of resources?

Many enterprises today are aware of external threats like hackers, worms and viruses and deploy solutions to secure against them, but internal threats to security are equally important. To combat those, three key security management solutions could be deployed:

  • Identity and access management
  • Security information management
  • Threat management

Integrating these components into a comprehensive solution helps you achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risks and ensure continuous business operations.

What policies could make us secure?

Policies that are based on international standards such as BS7799-1 and ISO 17799 set out the requirements of good practices for Information Security management. ISO 27001 defines the specifications for an Information Security Management System (ISMS). It was developed from BS 7799 Part 2:2002. The scope of any ISMS includes people, processes, IT systems and policies.

Your comments on data leakage detection?

Data leakage is the unauthorized transmission of data (or information) from within an organization to an external destination or recipient. This may be electronic or via a physical method. Data leakage is synonymous with information leakage. The term 'unauthorized use' does not automatically mean intentional or malicious; unintentional or inadvertent data leakage also comes under its purview. There are several examples of information/data leakage. Most involve important and confidential information leaving an organization due to accidental emails or other means. A high profile example is the confidential memo leak in the Hillary Clinton campaign.

How can organizations prevent data leakage?

Data loss prevention or DLP solutions are available that can offer information leak prevention, content monitoring & filtering, IP protection, outbound content compliance, information discovery and policy enforcement.

Rajendra Dhavale, Director, Technical Sales CA India

# script /script.log

Now, for a Linux machine, to take the backup, first mount a removable disk or a network share on your machine and run the command like this:

# dd bs=1024 if=/dev/hdxy of=/mnt/output/swap.out

Here /dev/hdxy stands for the partition mounted as your swap partition. You can find it by running the fdisk -l command. /mnt/output is the non-local media mounted for taking the backup, and swap.out is the file that will contain the image of the swap partition.

If it is a Windows machine, just check the path of pagefile.sys and copy it. Once done, you can use tools such as grave-robber (Linux) or mac-robber (Windows) to get information from the images. From here on, the steps for all the OSs will be similar. Now you can safely reboot the machine, as the volatile data has already been saved.

Next you have to take a backup image of the compromised disk. The image is required because if something goes wrong during the investigation, you will still have the data intact. For this, the best approach will be to connect the compromised disk to a fresh Linux machine, run the script command again and create an image of the disk by running the dd command. Once the image is taken you can start recovering data from it. There are many tools for doing so, but the one which can work on both Linux and Windows is called Sleuthkit. It is essentially a combination of different tools for doing forensics testing. You can even get a browser based front end for Sleuthkit which can record multiple forensics cases. This frontend is called Autopsy. Some of the things which Autopsy can do include recovering deleted files from both page file images and disk images. It can create an activity timeline so that one can see what all has happened on the machine between two distinct points in time. And obviously it creates and saves checksums of the image at every stage. The usage is pretty simple. All you have to do is to download Sleuthkit and Autopsy from Sleuthkit's website (http://www.sleuthkit.org/), then install them on a fresh Linux machine and start accessing Autopsy through any web browser on the network.
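As an added example (not code from the article, Sleuthkit or Autopsy), here is the acquisition step with the checksum bookkeeping the article describes, done in Python instead of dd: hash the bytes as they are read from the source, hash the written image independently, keep both digests in a manifest, and re-verify the image later. The paths, the manifest layout and the constructed 3 MiB sample "swap partition" are this example's own assumptions.

```python
# Added example (not the article's or Sleuthkit's code): acquire an image the
# way the dd step does, but hash the bytes as they are read from the source,
# hash the written image independently and keep both digests in a manifest,
# so the image can be re-verified at any later stage of the investigation.
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read; the article's dd uses bs=1024


def sha256_file(path):
    """Hash a file in chunks so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, manifest_path):
    """Copy source to image_path bit for bit (like dd if=... of=...), hashing
    the stream as it is read, then re-read the image and hash it on its own.
    A mismatch between the two digests means the acquisition must be redone."""
    read_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            read_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    manifest = {
        "source": source,
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256_source_stream": read_hash.hexdigest(),
        "sha256_image_file": sha256_file(image_path),
    }
    manifest["consistent"] = (
        manifest["sha256_source_stream"] == manifest["sha256_image_file"])
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Later-stage check: does the image still match the acquisition digest?"""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return sha256_file(image_path) == manifest["sha256_image_file"]


def demo():
    """Constructed input: a fake 3 MiB 'swap partition' in a temp directory."""
    work = tempfile.mkdtemp()
    fake_swap = os.path.join(work, "fake_swap.bin")
    with open(fake_swap, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not CHUNK-aligned
    image = os.path.join(work, "swap.out")
    manifest = os.path.join(work, "swap.out.manifest.json")
    m = acquire_image(fake_swap, image, manifest)
    intact = verify_image(image, manifest)
    with open(image, "r+b") as f:  # simulate one byte changing after the fact
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0x01]))
    tampered_ok = verify_image(image, manifest)
    return m["consistent"], intact, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

On a real acquisition the source would be the swap or disk device opened read-only and the manifest would be written to the same removable media as the image, never to the compromised machine.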

Controlling mobile devices

The other thing which is very important for an enterprise is to keep a very strict watch on mobile devices like mobile phones and laptops that it allots to its users. These can cause risk in two different ways. First, if the laptop is stolen it can be misused, and second, the original user himself might be disgruntled or involved in suspicious activities.

Sidebar: Preventing infrastructure misuse

After the terror email racket was busted last week, the biggest challenge for any enterprise today is to know how they can make sure their infrastructure will not be exploited by terrorists. How to go about it?

Enterprise networks are becoming quite complex with mobility aspects like Wi-Fi, laptops, BlackBerry and work from infrastructure. A comprehensive approach is needed for enterprise security and should cover the following:

  • Have a clear security policy; among other things the guidelines should cover identity and access management, confidentiality and privacy aspects.
  • Employee awareness: the processes and guidelines need to be backed by awareness of employees and constant reinforcement of policies.
  • Technology: networks and resources need to be supported by suitable technologies in terms of identity implementations, encryption and enforcement of policies, etc.
  • Regular security audits: these need to be conducted to measure and maintain the security posture.

In quite a few countries today, keeping a backup of each and every email for at least three years is compulsory for enterprises. But doing this alone is of no use if there is no alerting mechanism attached to it. How can one deploy alert mechanisms to control email misuse?

Keeping a backup will not be the solution for alerts; backups are kept for regulatory compliance. Intrusion detection systems need to be installed along with firewalls to keep track of access to critical resources like email servers, web servers, etc. Again, depending on the criticality, 24x7 monitoring will also need to be implemented for alerts and logs.

Organizations take all possible measures to secure their endpoints and prevent their misuse. But what do you do when there are solutions like live OS distros that completely bypass OS security? How can organizations prevent their usage?

That is why it is important to control the enterprise computing environment. Depending on the criticality, Internet access needs to be restricted, access rights for installing software need to be controlled, and media (pen drives, mobile phones, etc.) need to be banned in the workplace.

What are the implications for an organization if their IT infrastructure is found to have been misused?

Enterprises should be concerned about this for multiple reasons:

  • Some regulatory aspects might actually implicate the enterprise if misuse has happened by one of its own employees.
  • Loss of credibility with customers.
  • Brand value destruction and loss of face.
  • Misuse might also indicate vulnerabilities in the network, and criminals might target the enterprise.

How should you keep an eye on these devices, which are not actually within the perimeter of your network? There are multiple solutions available for that. Let's first talk about mobile phones. A very good example here could be Motorola's Good Messaging. This application is essentially meant to synchronize your Exchange folders with a PDA phone and is essentially a messaging solution. It also provides you a lot of customization options for viewing content. The application integrates with your PDA and works as if it were part of the embedded OS itself. It handles security very well. The application uses FIPS certified 192-bit AES encryption for the data which is being transferred over the air, and also for data which is stored on the mobile device. But the real beauty lies in the kind of control it provides to the administrator over the PDA, in addition to providing synchronized messaging with the PDA. With GMM you can create policies for mobile devices (handsets) and allocate them to users. For example, let's say you don't want your R&D team to use their phone's camera and snap pictures of your valuable IP. Or let's say you don't want your employees to send out or copy data using Bluetooth. Then you can create restricted policies for them by disabling the appropriate functionalities in the devices. You can create such a policy for a single user or apply such policies to a group of users depending upon the requirement. This essentially means you can keep tabs on the device from anywhere and even monitor the activities in the form of logs. And in case something suspicious happens you can even completely lock down the phone. Not only that, in case your device gets stolen, you can even remotely delete all the data from the device. All you need is a Net connection with the device.

Now imagine, if the application is coupled with GSM triangulation based tracking software, which is very easily available, how easy it is going to be to track such a device and the person using it. For laptops also, a lot of similar applications are available, but the working is slightly different. There are quite a few free software/services available today which you can download and install on the laptop. The service works in the background, and whenever the laptop is connected to the Internet it sends the name and IP of the router and the access point where the laptop is connected. It also tells you the public IP which the machine is using for Internet access. With this information one can easily trace the machine and figure out its approximate location. We have covered one such software, called Adeona, in this issue. The article talks about how exactly one can use it.

IBM's Digital Video Surveillance

Showcased at IBM Labs day, this is an intelligent digital video solution from IBM. It is designed to perform real time data analysis of video sequences as well as of recordings. It allows monitoring and analysis of events in real time through multiple sensors, cameras, radar and audio inputs. It also has unique features; for example, if somebody tampers with the video surveillance camera, a backup camera will automatically come into operation instantly.

The solution allows users to quickly search captured video from different cameras. It also has various unique features such as 'abandoned object', wherein if a person abandons an object at a location which is under surveillance, the solution will instantly raise an alarm. It also has features like motion detection, directional motion and trip wire, which can help in identifying suspicious behaviors. It also has forensic capabilities like unique indexing and attribute-based search of video events, which can organize objects into categories like cars, people, etc. Enterprises that have already deployed CCTV surveillance can also use this software to do analysis on captured video. This solution can also help in identifying traffic congestion and violations of routes in real time.

The Truth Behind WiFi Security

A lot of noise is happening around WiFi networks being hacked by terrorists to send terror mails. Well, a lot of news channels are talking about it and advising home users to secure their WiFi networks, but none are talking about how one can do that. So, we thought of taking up the mantle to explain that. There are essentially three ways in which you can configure a WiFi access point. One is a completely unencrypted way, where anybody with a WiFi enabled device can connect to your access point if he is inside its range. This is the most insecure way of configuring an access point (AP) and you should never leave your access point in such a mode. The second way is by using WEP, where you secure all the data communication through the access point using encryption and only through a passkey can one connect to the AP. But unfortunately this is a very insecure mechanism to protect WiFi and can be easily cracked. Around three years back we had talked about how exactly one can crack a WEP key. At that time it used to take around a day to crack a WEP key, but today it's just a matter of minutes. Now hackers have tools which can replay ARP requests, which generate interesting packets for cracking the key; hence the time taken to gather such data streams reduces, and as a result the key can be cracked quickly.

Then you must be wondering what's the benefit of using such a key and how could someone really secure his/her WiFi network? But don't worry, we have a third method through which you could feel perfectly secure. The third option of deploying a WiFi AP is by securing it using WPA2. WPA2 is till date the only WiFi security technology which can't be hacked and is present in most of the APs available today, ranging from a simple home AP to an enterprise class AP. So, the point to note here is that it's not only necessary to secure your WiFi network but also important to secure it correctly.
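As an added example (not from the article), the three AP modes above turned into a configuration check: it parses a hostapd-style key=value file and reports whether the AP is open, WEP or WPA2, with a weak sample beside the corrected one. The keys (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wep_key0, wpa_passphrase) are hostapd.conf keys as this example assumes them; both sample configurations are constructed.

```python
# Added example, not the article's code: classify an access point config
# into the modes the article describes (open, WEP, WPA2) and list what to fix.
# Keys are assumed to follow hostapd.conf (key=value, '#' comments).

WEAK_CONF = """# constructed sample: WEP-protected AP (the insecure second way)
interface=wlan0
ssid=HomeNet
wep_default_key=0
wep_key0=0123456789
"""

GOOD_CONF = """# constructed sample: WPA2-PSK with AES/CCMP (the third way)
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2008
"""


def parse_conf(text):
    """One key=value per line; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def classify_ap(text):
    """Return (mode, findings); mode is 'open', 'wep', 'wpa', 'wpa2' or
    'mixed' (wpa=3 means WPA and WPA2 both offered)."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa", "0")
    has_wep = any(k.startswith("wep_key") for k in conf)
    if wpa == "0" and has_wep:
        mode = "wep"
        findings.append("WEP in use: key recoverable in minutes, move to WPA2")
    elif wpa == "0":
        mode = "open"
        findings.append("no encryption: anyone in range can join")
    else:
        mode = {"1": "wpa", "2": "wpa2", "3": "mixed"}.get(wpa, "unknown")
        if mode != "wpa2":
            findings.append("WPA allowed: set wpa=2 so only WPA2 is offered")
        pairwise = conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")
        if "TKIP" in pairwise.split():
            findings.append("TKIP cipher allowed: use CCMP (AES) only")
        if not pairwise:
            findings.append("no pairwise cipher set: add rsn_pairwise=CCMP")
        passphrase = conf.get("wpa_passphrase", "")
        if "WPA-PSK" in conf.get("wpa_key_mgmt", "") and len(passphrase) < 12:
            findings.append("short passphrase: use at least 12 characters")
    return mode, findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, classify_ap(text))
```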

Surveillance

We have been talking about the importance of IP surveillance since our last few issues. Surveillance, be it CCTV or IP, has become an integral part of an enterprise security strategy. In terms of battling terror through surveillance, there are two major factors. One is the placement of cameras and the second is the storage of surveillance footage. Again, with the placement of cameras there are various factors in play, such as the needs of an enterprise, the type, resolution and number of cameras to be deployed. The most commonly monitored locations are data centers and the entrance of an enterprise. Ideally all peripheral walls of a company should be monitored along with mission critical areas.

Simply putting cameras and monitoring isn't enough. We really don't need to remind you about the recent incident in Delhi where cameras were in place but only one of them was actually storing images. Vendors now have plenty of solutions dedicated to storage of surveillance footage. However, the biggest question before enterprises is related to their storage: how long should they store the video footage, as even a single camera can generate more than 10 GB of data in a single day? Here technologies such as motion sensing/detection can help a little, as they will only record and store the parts where some amount of motion has been detected. How long they keep the video surveillance footage will vary depending upon company policies. Retaining the footage for at least 40 days is recommended, and in case some untoward incident does happen, for even longer periods. These days there are endless technologies to ensure cameras work at all times. There are cameras available which will clean themselves automatically if something falls on their lens. Similarly there are special cameras available which can give decent quality pictures even in the darkest of conditions. Then comes the management part, i.e. if your camera is at a mission critical place and someone manages to tamper with it, say by cutting the wire or blocking its lens with something, or even if it goes off due to some technical problem, then immediately a backup camera will start to ensure that 24x7 monitoring is in place. These are just a few things that you must ask the vendor for when choosing a surveillance solution.

Aladdin's solutions for cyber terrorism

Aladdin Systems has two products to control cyber terrorism, eToken and eSafe.

eSafe: This is used to provide content security. Whether you enter a business via web or email, threats to this success exist and they are numerous: spyware, spam, new and unknown viruses, worms, file-sharing applications, blended threats, non-productive content, and the list goes on. eSafe combines behavior blocking with an internally developed antivirus scanner, allowing simultaneous detection of known and unknown malware. It is the first technology to block 100% of anonymous proxies, which are Web sites that allow Internet users to connect to the Web through an external Web site, thereby bypassing any restrictions typically enforced on the local network.

eToken: On the other hand, eToken combines an encrypted USB flash drive and open Java Card technology with an advanced smart card for secure and strong authentication. It eliminates the need for separate tokens for access and storage and combines up to four GB of encrypted storage and authentication technology to provide a unified secure portable solution. The USB drive can be used by users to securely carry critical information, authenticate, develop and access files and applications from any computer, increasing productivity without compromising data security. According to Aladdin Systems, many Indian banks are using this product for RTGS and online money transfers. It can however be used by every organization that wishes to implement user authentication. It protects and keeps a check on who accesses the data, why and how they access it.

Threats to web applications and websites

There has been a significant increase in attacks on Web applications and websites. The obvious reason behind it is that as most enterprises are looking for ways to automate their businesses and make them available from anywhere, bad guys are looking for ways through which they can benefit from all of this. There are a few attacks that have come up especially to target web applications, ranging from XSS attacks to zero day attacks. Let's look at some of these attacks.

Web based malware

This has been one of the major threats to websites in 2008. According to the latest security threat report from Sophos, it finds a newly infected webpage every 14 seconds, and 83% of this malware has been on legitimate websites. This has been the rate of malware infection on legitimate websites in 2008. The cause of this has mainly been unpatched web servers, which have been exploited by attackers. Once a website has been infected, it will start looking for users coming with unpatched browsers and in turn infect them. The most common techniques used to infect websites have been iframe and SQL injection, which we take a look at below.

SQL injection attacks

Just in case you don't know already, SQL injection means inserting raw SQL into the data sent to a web application, which might cause it to malfunction. There are many automated tools available online which let users test their website against SQL injection. Just like any other technique, SQL injection techniques have also matured, and many new variations of SQL injection exist now, such as deep blind SQL injection or lateral SQL injection. This technique is commonly used by attackers and botnets to break into a website and at times infect them. The most recent example of this is the Asprox botnet, which used SQL injection attacks on web portals made in ASP to gain access. Once it has infected a website, it infects the PCs of all users coming to it, and once infected these machines become part of the Asprox botnet.
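The following added example (not from the article) shows what "raw SQL in the data" does to a login query built by string concatenation, beside the parameterized form that a web application should use instead. It uses Python's built-in sqlite3 with a constructed two-row users table; the web framework around it is assumed away.

```python
# Added example, not the article's code: the same login query in the form
# that lets user input change the statement, and in the parameterized form.
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    """String building: the input becomes part of the SQL text, so quotes
    and keywords in it are parsed as SQL, not compared as a value."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]


def login_safe(db, name, password):
    """Parameterized: the statement is fixed and the values travel
    separately, so the input can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


def demo():
    db = make_db()
    good = ("alice", "s3cret")
    # the classic tautology in the password field: the "raw SQL" the
    # article talks about, arriving as ordinary form input
    bad = ("alice", "' OR '1'='1")
    return {
        "vuln_good": login_vulnerable(db, *good),
        "vuln_bad": login_vulnerable(db, *bad),   # every user comes back
        "safe_good": login_safe(db, *good),
        "safe_bad": login_safe(db, *bad),         # nothing matches
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same fix applies whatever the database or language: never splice request data into SQL text; bind it as a parameter.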

Phishing attacks

Protection against phishing and pharming attacks is very critical, as most of these attacks target end users. Most of the gateway level solutions offer protection against phishing, but the majority of these solutions use blacklisting techniques to detect such attacks. The same technique is used by anti-spam solutions to detect phishing emails. However, this technique isn't always successful, especially in the case of targeted phishing attacks. Once a phishing email or URL manages to bypass an anti-phishing solution, it can even drop malware onto a user's machine, which might even spread to other nodes of the network.

Clickjacking

This is a relatively new threat and is yet to make a big impact, but has been discussed a lot by security researchers in the past few months. Clickjacking exploits a vulnerability present in browsers and can even allow an attacker to take control of the user's audio as well as webcam. Basically, with this vulnerability an attacker can trick the user into clicking on something that's barely visible on a webpage, which will direct them to a malicious website. Whether this will actually make an impact or it will be patched with much noise is something to watch out for. More details about this can be found at http://www.whitehatsec.com.
