Security

Today, a security threat can enter from anywhere, be it
through e-mail, a Web browser, or even an infected notebook pluging into your
network. It could also come from an unpatched machine or a disgruntled employee;
or from a seemingly innocent phone call, a technique more that comes under the
social engineering type of attack. We recall incidents of people having received
phone calls from people calling themselves ones from credit card companies, and
tried to wriggle out your credit card details. Besides social engineering, we
also saw lots of phishing and pharming scams this year, two techniques aimed at
fishing out a user's personal information. So security has definitely been on
the top of everyone's mind this year, and will continue to be that way next
year as well. As most of these attacks are aimed at stealing identities, we're
seeing a lot of action in the identity management solutions market. And as more
enterprise businesses moves online, they need better security measures. This saw
a rise in SSL based VPN solutions, and even a rise in integrated security
appliances applications.

Security appliances
 

A lot of vendors are entering the market with security
appliances and integrated appliances that have firewalls, anti-spam, antivirus,
and even end-to-end encryption. Also included in these appliances is the ability
to demarcate DMZs and support VPN over IPSec or PPTP with either 3DES or AES
(256-bit) encryption. The IDS features on these boxes range from detecting
various kinds of known attacks including flooding, IP spoofing, DoS, etc. Such a
box can also react in case of emergencies by dropping packets from the
attacker's address. Some appliances even have network anti-virus capability.
These need to be geared to meet enterprise-class performance requirements for
availability and speed. The iForce IDS appliance from Symantec for instance is
supposed to monitor networks at speeds of upto 2 Gbps on some models.

Vulnerability stats
 

The number of vulnerabilities reported this year is up
about 500 incidents from last year and stands at 4,268. This is about 25 times
more than ten years ago when a few hundred vulnerabilities used to be reported
each year. That trend was broken between 2000-02 when it rapidly doubled each
year and went upto 4,129 at the end of that period. This year's count so far
is more than that figure. The most frequent ports under attack were reported to
be FTP, SSH, DNS, HTTP/HTTPS, SunRPC, NetBIOS and SQL Server. Thankfully, most
of these could be mitigated by upgrading to newer versions of software or
changing port numbers. CERT sees the number of Trojans and self-propagating
worms as an area of concern.

Social engineering & ID theft
 

Social engineering attacks, like the one that happened with
a Delhi-based call center where one of the executives sold a Sun reporter
details of bank accounts, credit cards and driver's license of UK bank
customers for under $10 each. The call center worker also reportedly assured the
reporter that he could sell him 2 Lakh such account information a month. Earlier
this year, US customers of Citibank suffered thefts of $ 350,000 because of a
similar breach at another call center in

India

. The twin calamities of the Asian Tsunami and the earthquake also prompted
several websites of questionable intentions to spring up and seek donations on
behalf of the victims, only to disappear after they had collected a sizeable
fortune. This has led to the concern of managing identity securely. Two main
technologies leading ID management are devices like SecurID that have one-time
keys that you use at designated terminals or screens, and digital certificates.
With more financial and govt services going online, the need for effective
identity management only goes up.

Everything's cached
 

Nowadays, anything that's exposed to the Web has mostly
likely been stored away forever in some corner of the Internet. Internet
archival systems like The Wayback Machine and content replication systems that
provide mirroring services are but the tip of the ice-berg. To this add the
proliferation of community networks (blogs, et al) where something rumored to
have been said catches on like wild fire and gets endlessly replicated and
linked so anyone can find it with a simple keyword... only makes the problem
worse. What problem? What if your internal employee appraisal letters somehow
got onto Google? Recently, some of Papa John's-a Pizza house in

USA

-internal e-mail got onto Google accidentally (they're still there as we go
to press). The problem with the permanence of content on the Net is that even if
you act swiftly to protect your information with simple ways as password
protection or a change of URL, caching mechanisms will still preserve their own
copies for quite some time to come.

Disk space-full
 

Scientists postulate that about 23% of the Universe is
composed of dark matter. Stuff we cannot see, but their presence has direct
consequences on our Universe. Much the same is true for files and programs on
our hard disk. In order for so many things to happen when we just click onto a
Web page, our computer downloads and runs so many files and programs-large and
small. And all of it is on our computer's hard disk. Those that run may never,
in fact, leave our computer completely, no matter what tools we use. This in
fact, is the single biggest challenge for system administrators world-wide. Even
malware has its defenses, but 'dark files' have no known cure. The problem
is that most combative techniques use either black or white lists to eliminate
the unwanted. While most don't know the difference, they are more often than
not out-of-date and require constant administrative overheads to keep them
updated. Resurgent defenses now include system-wide policies that let users than
software vendors decide what's useful and what's not and discard the rest;
the term being 'gray-listing'.

Cracking for the public
 

Cracking passwords, it seems, has become commonly
accessible and fashionable to do. A site has sprung up powered by Zhu
Shuanglei's 'Rainbow Crack' engine (an open source download) that promises
to place online about 500 GB of rainbow tables (pre-computed password hashes)
readily usable by anyone who pays them for an account. RainbowCrack-Online.com
claims to be for cracking what Google is for search. A lusty claim sure, but
imagine how much more you need to protect your systems once such a database is
at the back and call of every cracker around the world! The price tag on it
should keep away most kiddie-crackers and is purportedly to be used only for
white-collar cracking for security auditing.

A turnaround?
 

Marcus Barnum (the inventor of the proxy firewall) would
have us believe that patching systems and doing security audits is the wrong way
to do things, since that means and ensures that things aren't 'secure by
default'. In his article-The Six Dumbest Ideas in Computer
Security-(http://www. ranum. com/security/computer_security /editorials/dumb/index.html),
he outlines what he thinks really needs to be done-which is basically to
disallow anything you do not know to be good, rather than attempt to create a
blacklist and block only known bad things. He also cautions his readers not to
fall into the age-old trap of implementing the 'latest' in the attempt to
stay ahead of the hacker, or trust in periodic reeducation of network users who
insist on opening attachments from strangers or believing email from banks they
don't have accounts with. Marcus agrees with Kevin (Kevin Mitnick, 'The Art
of Deception') in that security is a social as well as a technological
concern. But, contrary to Kevin's idea of user education, Marcus would like
enterprises get into proactively blocking unwanted people and software rather
than relying on users to do it.