It's a pity that despite having firewalls, UTMs, antiviruses, spam filters,
and the works, organizations still fall prey to hackers. This is because there
is no single standard available to protect every deployment, due to which some
flaw always goes unnoticed. Then it's completely up to a hacker's skills how
quickly he can exploit it. The moral of the story therefore is that no network
can be 100% secure. So you need to go beyond hardening the security of your
network. What you also need is a proper incident response management strategy.
This comprises a set of measures you'll take to do damage control. The damage
could be financial in nature, or it could be loss of reputation. Or worse still,
if the hacker is from a terrorist organization, then you'll also have to deal
with law enforcement agencies. How ready is your security team to do all
this? Do you have measures in place which would allow you to gather sufficient
data to track the hackers?
This might have sounded unrealistic a few years ago, but today you seriously
need to think about it. And when it is about terrorism, computer forensics
becomes extremely important, because even a single piece of evidence can save
a lot of lives.
So, this time we are not going to tell you how to deploy the right security
devices, but discuss how exactly you can isolate a compromised machine on your
network and get as much evidence from it as possible.
Before we go into detail, one has to understand the difference between
ordinary information and evidence. Essentially, evidence in computer forensics
is a piece of information which is retrieved from a compromised device in such
a way that one can prove the data has not been changed or modified after
retrieval. So, in simple terms, forensics tools are nothing but data recovery
tools, but while recovering the data they save checksums at every level, so
that at any point of time and at any level the consistency of the data can be
checked.
Evidence collection
Once you receive an alert from your IDS or some other source that a machine has
been compromised, the first thing to do is to isolate the machine from the
network so that it can't be accessed remotely by anyone. Remember that you
mustn't restart the affected machine. This would destroy any volatile data in
the main or virtual memory, thereby reducing the chances of finding evidence.
Backing up the Pagefile
The first thing you would like to do is to take a backup image of your pagefile
(Windows) or swap (Linux) so that whatever data is there can be analyzed later
on. Usually, a hacker not only runs a script on your computer, but also removes
that script from your hard disk. But you can still find such scripts in the swap
area, unless the system has been rebooted. Before running any command on a
Linux machine, run the script command so that a log is maintained of everything
you did on the system. This will help you track the steps you've followed. The
command is as follows:
#script /script.log
Now, for a Linux machine, to take the backup, first mount a removable disk or a
network share on your machine and run the command like this:
#dd bs=1024 if=/dev/hdxy of=/mnt/output/swap.out
Here /dev/hdxy stands for the partition mounted as your swap partition. You
can find it by running the fdisk -l command. /mnt/output is the non-local media
mounted for taking the backup, and swap.out is the file that will contain the
image of the swap partition.
If it is a Windows machine, just check the path of pagefile.sys and copy it.
Once done, you can use tools such as grave-robber (Linux) or mac-robber
(Windows) to get information from the images. From here on the steps for all
the OSs will be similar. Now you can safely reboot the machine, as the volatile
data has already been saved.
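The "checksums at every level" idea from the evidence definition, applied to the dd-style imaging step above: the source is hashed while it is read, the written image is hashed again, and both digests go into a log so the image can be re-verified at any later stage. This is an added example written for this article, not a tool from the text; the function names and the JSON-lines log format are our own choices, and the demo images a constructed file instead of a real /dev/hdxy.

```python
import hashlib
import json
import os
import tempfile
import time

BLOCK = 1024 * 1024  # read the source in 1 MiB blocks, like dd's bs=

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(src, dst, log):
    """Copy src (swap partition, pagefile.sys or whole disk) to dst, hashing
    the bytes as they are read; then re-hash the written image and append
    both digests to a JSON-lines chain-of-custody log."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
    entry = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": src, "image": dst,
        "source_sha256": h.hexdigest(), "image_sha256": sha256_of(dst),
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify(image, expected_sha256):
    """Re-check an image against the digest recorded at acquisition time."""
    return sha256_of(image) == expected_sha256

def demo():
    # Constructed run: a plain file stands in for the swap partition.
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "fake_swap"), os.path.join(work, "swap.out")
    log = os.path.join(work, "acquisition.log")
    with open(src, "wb") as f:
        f.write(b"constructed swap contents\n" * 5000)
    entry = acquire(src, img, log)
    ok_before = verify(img, entry["source_sha256"])
    with open(img, "ab") as f:   # simulate a later accidental write to the image
        f.write(b"\x00")
    ok_after = verify(img, entry["source_sha256"])
    return {"entry": entry, "verify_ok": ok_before, "verify_after_tamper": ok_after}
```

Any analysis should be done on a copy of the image, and the copy checked with verify() against the logged digest before and after each stage.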
Next you have to take a backup image of the compromised disk. The image is
required because if something goes wrong during the investigation, you will
still have the data intact. For this, the best approach is to connect the
compromised disk to a fresh Linux machine, run the script command again and
create an image of the disk by running the dd command. Once the image is taken
you can start recovering data from it. There are many tools for doing so, but
the one which works on both Linux and Windows is called Sleuthkit. It is
essentially a collection of different tools for doing forensics. You can even
get a browser based front end for Sleuthkit which can record multiple
forensics cases. This front end is called Autopsy. Among the things Autopsy can
do is recover deleted files from both pagefile images and disk images. It can
create an activity timeline so that one can see everything that has happened
on the machine between two distinct points in time. And obviously it creates
and saves checksums of the image at every stage. The usage is pretty simple.
All you have to do is download Sleuthkit and Autopsy from Sleuthkit's website,
http://www.sleuthkit.org/, install them on a fresh Linux machine and start
accessing it through any web browser on the network.
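To show what the activity timeline mentioned above actually is, here is an added example (ours, not Sleuthkit's code) that reads the Sleuth Kit "body file" format that mac-robber produces and mactime consumes, and builds a timeline restricted to a window between two points in time. The three body-file lines are constructed sample data; the field layout follows the published TSK 3 body format.

```python
from datetime import datetime, timezone

# Constructed sample in Sleuth Kit body-file format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/tmp/.x.sh|5011|r/rrwxr-xr-x|0|0|812|1225440120|1225440000|1225440000|1225440000
0|/var/log/auth.log|2204|r/rrw-r-----|0|4|90211|1225440300|1225440250|1225440250|1220000000
0|/etc/passwd|1102|r/rrw-r--r--|0|0|1489|1225440060|1217000000|1217000000|1217000000
"""

# mactime prints the flags in this order: modified, accessed, changed, born
FLAG_ORDER = ("m", "a", "c", "b")

def parse_bodyfile(text):
    """Turn body-file lines into dicts; a malformed line is an error, not a skip."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("bad body line: %r" % line)
        rows.append({"name": f[1], "size": int(f[6]),
                     "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return rows

def build_timeline(rows, start=None, end=None):
    """Return (epoch, flags, size, name) tuples sorted by time, optionally
    limited to start <= t <= end. Timestamps of one file that coincide
    collapse into a single event with several flags set (e.g. 'm.cb')."""
    events = {}
    for r in rows:
        for flag in FLAG_ORDER:
            ts = r[flag]
            if ts == 0:                       # 0 means "unknown" in a body file
                continue
            if (start is not None and ts < start) or (end is not None and ts > end):
                continue
            events.setdefault((ts, r["name"]), set()).add(flag)
    sizes = {r["name"]: r["size"] for r in rows}
    return [(ts, "".join(f if f in flags else "." for f in FLAG_ORDER), sizes[name], name)
            for (ts, name), flags in sorted(events.items())]

def render(timeline):
    """Human-readable UTC lines in the spirit of mactime's output."""
    return ["%s %s %6d %s" % (datetime.fromtimestamp(ts, timezone.utc)
                              .strftime("%Y-%m-%d %H:%M:%S"), flags, size, name)
            for ts, flags, size, name in timeline]
```

In the sample, a hidden script appears in /tmp at the same instant (m, c and b all set) shortly before auth.log is modified, which is exactly the kind of sequence a windowed timeline makes visible.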
Controlling mobile devices
The other thing which is very important for an enterprise is to keep a very
strict watch on mobile devices like mobile phones and laptops that it allots to
its users. These can cause risk in two different ways. First, if the laptop is
stolen it can be misused, and second, the original user himself might be
disgruntled or involved in suspicious activities.
How should you keep an eye on these devices, which are not actually within the
perimeter of your network? There are multiple solutions available for that.
Let's first talk about mobile phones. A very good example here could be
Motorola's Good Messaging. This application is essentially meant to synchronize
your Exchange folders with a PDA phone and is essentially a messaging solution.
It also provides you a lot of customization options for viewing content. The
application integrates with your PDA and works as if it were part of the
embedded OS itself. It handles security very well. The application uses FIPS
certified 192-bit AES encryption for the data which is being transferred over
the air, and also for data which is stored on the mobile device. But the real
beauty lies in the kind of control it provides to the administrator over the
PDA, in addition to providing synchronized messaging with the PDA. With GMM you
can create policies for mobile devices (handsets) and allocate them to users.
For example, let's say you don't want your R&D team to use their phone's camera
and snap pictures of your valuable IP. Or let's say you don't want your
employees to send out or copy data using Bluetooth. Then you can create
restricted policies for them by disabling the appropriate functionalities in the
devices. You can create such a policy for a single user or you can apply such
policies to a group of users depending upon the requirement. This essentially
means you can keep tabs on the device from anywhere and even monitor its
activities in the form of logs. And if something suspicious happens you can
even completely lock down the phone. Not only that, in case your device gets
stolen, you can even remotely delete all the data from the device. All you need
is a Net connection to the device.
Now imagine, if the application is coupled with GSM triangulation based
tracking software, which is very easily available, how easy it is going to be
to track such a device and the person using it. For laptops also, a lot of
similar applications are available, but the working is slightly different.
There are quite a few free software/services available today which you can
download and install on the laptop. The service works in the background and
whenever the laptop is connected to the Internet it sends the name and IP of the
router and the access point to which the laptop is connected. It also tells you
the public IP which the machine is using for the Internet. With this
information one can easily trace the machine and figure out its approximate
location. We have covered one such software, called Adeona, in this issue. The
article talks about how exactly one can use it.
IBM's Digital Video Surveillance
Showcased at IBM Labs day, this is an intelligent digital video solution from
IBM. It is designed to perform real time data analysis of video sequences as
well as of recordings. It allows monitoring and analysis of events in real time
through multiple sensors, cameras, radar and audio inputs. It also has unique
features, e.g. if somebody tampers with the video surveillance camera, a backup
camera will automatically come into operation instantly. The solution allows
users to
The Truth Behind WiFi Security
A lot of noise is happening around WiFi networks being hacked by terrorists
to send terror mails. Well, a lot of news channels are talking about it and
advising home users to secure their WiFi networks, but none are talking about
how one can do that. So, we thought of taking up the mantle to explain that.
There are essentially three ways in which you can configure a WiFi access point.
One is the completely unencrypted way, where anybody with a WiFi enabled
device can connect to your access point if he is inside its range. This is the
most insecure way of configuring an access point (AP) and you should never
leave your access point in such a mode. The second way is by using WEP, where
you secure all the data communication through the access point using
encryption and only with a passkey can one connect to the AP. But
unfortunately this is a very insecure mechanism to protect WiFi and can be
easily cracked. Around three years back we had talked about how exactly one can
crack a WEP key. At that time it used to take around a day to crack a WEP key,
but today it's just a matter of minutes. Hackers now have tools which can replay
ARP requests that generate interesting packets for cracking the key; hence the
time taken to gather such data streams reduces, and as a result the key can be
cracked quickly.
Then you must be wondering what the benefit of using such a key is, and how
someone could really secure his/her WiFi network. But don't worry, there is a
third method through which you could feel perfectly secure. The third option
for deploying a WiFi AP is to secure it using WPA2. WPA2 is till date the only
WiFi security technology which can't be hacked, and it is present in most of
the APs available today, ranging from a simple home AP to an enterprise class
AP. So, the point to note here is that it's not only necessary to secure your
WiFi network but also important to secure it correctly.
Surveillance
We have been talking about the importance of IP surveillance for the last few
issues. Surveillance, be it CCTV or IP, has become an integral part of an
enterprise security strategy. In terms of battling terror through surveillance,
there are two major factors. One is the placement of cameras and the second is
the storage of surveillance footage. Again, with the placement of cameras there
are various factors in play, such as the needs of the enterprise, and the type,
resolution and number of cameras to be deployed. The most commonly monitored
locations are data centers and the entrance of an enterprise. Ideally all
peripheral walls of a company should be monitored along with mission critical
areas.
Simply putting up cameras and monitoring isn't enough. We really don't need to
remind you about the recent incident in Delhi where cameras were in place but
only one of them was actually storing images. Vendors now have plenty of
solutions dedicated to the storage of surveillance footage. However, the biggest
question before enterprises is related to that storage: how long should they
store the video footage, as even a single camera can generate more than 10 GB of
data in a single day? Here technologies such as motion sensing/detection can
help a little, as they will only record and store the parts where some amount of
motion has been detected. How long they keep the video surveillance footage will
vary depending upon company policies. Retaining the footage for at least 40 days
is recommended, and in case some untoward incident does happen, for even longer
periods. These days there are endless technologies to ensure cameras work at all
times. There are cameras available which will clean themselves automatically if
something falls on their lens. Similarly there are special cameras available
which can give decent quality pictures even in the darkest of conditions.
Then comes the management part, i.e. if your camera is at a mission critical
place and someone manages to tamper with it, say by cutting the wire or
blocking its lens with something, or even if it goes off due to some technical
problem, then immediately a backup camera will start, to ensure that 24x7
monitoring is in place. These are just a few things that you must ask the
vendor for when choosing a surveillance solution.
Threats to web applications and Websites
There has been a significant increase in attacks on Web applications and
websites. The obvious reason behind it is that as most enterprises are
looking for ways to automate their businesses and make them available from
anywhere, bad guys are looking for ways through which they can benefit from all
of this. A few attacks have come up especially to target web applications,
ranging from XSS attacks to zero day attacks. Let's look at some of these
attacks.
Web based Malware
This has been one of the major threats to websites in 2008. According to the
latest security threat report from Sophos, it finds a newly infected webpage
every 14 seconds, and 83% of this malware has been on legitimate websites. That
is the rate at which legitimate websites have been infected in 2008. The cause
of this has mainly been unpatched web servers, which have been exploited by
attackers. Once a website has been infected, it will start looking for users
coming with unpatched browsers and in turn infect them. The most common
techniques used to infect websites have been iframe and SQL injection, which we
take a look at below.
SQL Injection attacks
Just in case you don't know already, SQL injection means inserting raw SQL
into a web application's input, which might cause it to malfunction. There
are many automated tools available online which let users test their website
against SQL injection. Just like any other technique, SQL injection techniques
have also matured, and many new variations of SQL injection exist now, such as
deep blind SQL injection or lateral SQL injection. This technique is commonly
used by attackers and botnets to break into a website and at times infect it.
The most recent example of this is the Asprox botnet, which used SQL injection
attacks on web portals built in ASP to gain access. Once it has infected a
website, it infects the PCs of all users visiting it, and once infected these
machines become part of the Asprox botnet.
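To make the "raw SQL in the input causes a malfunction" point concrete, here is an added example (ours, not from the article or from any portal mentioned in it) with a lookup written the flawed way beside the bound-parameter form that fixes it, run against a constructed in-memory SQLite table. The function names, the table and the sample inputs are all our own.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a web portal's user table (in-memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("O'Brien", "staff")])
    return conn

def find_user_unsafe(conn, name):
    """The flaw: the request parameter is pasted into the SQL text, so a
    quote inside the input changes the statement's grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """The fix: a bound parameter is sent as a value and is never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def run(lookup, conn, name):
    """Return the rows, or the error class name when the query breaks
    (the 'malfunction' an unexpected quote causes)."""
    try:
        return lookup(conn, name)
    except sqlite3.Error as e:
        return type(e).__name__

def demo():
    conn = make_db()
    inputs = {
        "plain": "bob",
        "apostrophe": "O'Brien",        # legitimate name that breaks the unsafe query
        "tautology": "x' OR '1'='1",    # constructed input that widens the WHERE clause
    }
    return {(kind, label): run(fn, conn, value)
            for kind, fn in (("unsafe", find_user_unsafe), ("safe", find_user_safe))
            for label, value in inputs.items()}
```

The same apostrophe that merely crashes the unsafe query for a real name is what lets crafted input rewrite it; the bound-parameter version returns the right row for O'Brien and nothing at all for the crafted string.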
Phishing attacks
Protection against phishing and pharming attacks is very critical, as most of
these attacks target end users. Most gateway level solutions offer protection
against phishing, but the majority of these solutions use blacklisting
techniques to detect such attacks. The same technique is used by anti-spam
solutions to detect phishing emails. However, this technique isn't always
successful, especially in the case of targeted phishing attacks. Once a
phishing email or URL manages to bypass an anti-phishing solution, it can even
drop malware onto a user's machine, which might then spread to other nodes of
the network.
Clickjacking
This is a relatively new threat and is yet to make a big impact, but it has
been discussed a lot by security researchers in the past few months.
Clickjacking exploits a vulnerability present in browsers and can even allow an
attacker to take control of a user's audio as well as webcam. Basically, with
this vulnerability an attacker can trick the user into clicking on something
that's barely visible on a webpage, which will direct the user to a malicious
website. Whether this will actually make an impact or be patched without much
noise is something to watch out for. More details about this can be found at
http://www.whitehatsec.com.