
The Right Way to Deploy Enterprise Security

PCQ Bureau

We are all well aware of the importance of securing an enterprise's IT setup and of the measures needed to protect it against the various security threats. Yet every year we hear of some security disaster that has struck a reputed organization, and the reason is usually the same: we don't review and update our security solutions regularly. Security devices and practices are not something you install once and forget the next day; you need to revisit them regularly. Even a small change in the IT infrastructure can require a thorough revision of your security policies. For instance, imagine you have a web server running in your organization while your e-mail was outsourced/hosted, and you now decide to move the mail server into your own datacenter as well. In such a scenario your perimeter security may need a complete makeover, so that it can cope with the risks a mail server brings (an exposed SMTP port, spam, mail-borne malware) that were not there with a web server alone. Intel co-founder Andrew S. Grove once said, 'Only the Paranoid Survive.' We have to be paranoid about security to survive the new threats that are born every day. This story talks about some of the most common and uncommon threats that your enterprise faces each day and the best approaches to combat them.


Blocking the gaping holes





Just as it is vital to safeguard your house at its entry points, it is important to protect your IT infrastructure at all possible points of attack. To do so, you first have to understand what the entry points into your IT infrastructure could be. The Internet or broadband gateway is not the only point of entry for hackers. Attackers and worms are pretty smart now and know that people use a firewall to restrict unwanted incoming connections, so they focus on other ways of getting into the network. Once inside, they can open channels and ports out through your Internet connection to reach the outside world.

Even a simple USB pen drive can be that entry point. These drives are plugged into many machines every day, and a Windows PC with AutoRun enabled will execute an autorun.inf from them on insertion, so they get infected very easily. Visitors come to us with their own USB drives full of data and share it by copying it to our production machines. If that USB drive is compromised, it can easily drop a worm, a virus or a rootkit onto a machine; once there, the malware can spread across the network and infect other machines. That's not all: such malware can open channels from your PC to the attacker's machines and start uploading sensitive data. Not just pen drives but also portable devices such as digital cameras, laptops, mobile phones, PDAs and handhelds all pose the same threat.

So you must be wondering how to protect your infrastructure from these threats. One option is to ban all portable data transfer devices in your organization, which many enterprises actually do. But that is not the right approach, as you would be giving up a genuinely useful technology. Rather, you should deploy controls that take care of the risk while you keep the benefits of such portable devices: disable AutoRun on all PCs, restrict which removable devices may be mounted (device control), and scan removable media when it is plugged in.

Screenshot caption: Tools such as EtherApe are very handy for quickly spotting worm attacks that flood the network; in one view you can see the infected nodes.

Another solution is a good endpoint security product. Essentially an endpoint solution is an antivirus/antispyware agent that sits on all the workstations and laptops (even on mobile phones, for that matter) but connects back to a centralized server for updates, deployment and logging/reporting, so you can see from one console which machines are out of date or infected. There are plenty of such solutions available from vendors such as Symantec, Micro World, Quick Heal, etc.

Another way of protecting against such attacks is to deploy a firewall or a UTM appliance that not only inspects inbound (incoming) traffic but also inspects and filters outbound (outgoing) traffic. This ensures that if some malware has entered your network and spread, the device still prevents it from opening ports and channels to the attackers' servers, from downloading further malware, or from uploading sensitive data. The practical rule is to deny outbound connections by default and allow only the ports and destinations your business needs, with everything else logged. Quite a few vendors offer UTM/firewall products that inspect both inbound and outbound traffic; some examples are Cyberoam, GajShield, etc.
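As an added example (not code from the article or from any of the products named), here is the kind of check an outbound-aware firewall, or a tool like EtherApe on screen, is doing for you, written out in Python over a constructed connection log: a host that contacts many distinct destinations on one port within a short window is behaving like a worm or a scanner. The log format and the threshold values are assumptions for the example.

```python
"""Spot worm-style scanning in a connection log.

Added example, not from the original article or any vendor's product. The
log format below (one line per connection attempt: "epoch src dst dport") is
an assumption for the example; adapt parse() to whatever your firewall or
flow collector emits.
"""
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed sample data: 10.0.0.5 and 10.0.0.6 do ordinary DNS/web
    traffic, while 10.0.0.7 sweeps TCP/445 across 10.0.0.0/24 in a few
    seconds, the pattern a worm (or an internal scanner) produces."""
    lines = [
        "1700000000 10.0.0.5 10.0.0.1 53",
        "1700000001 10.0.0.5 203.0.113.10 443",
        "1700000003 10.0.0.6 10.0.0.1 53",
        "1700000004 10.0.0.6 198.51.100.7 80",
        "1700000090 10.0.0.5 203.0.113.10 443",
    ]
    for i in range(1, 41):
        lines.append(f"{1700000010 + i // 8} 10.0.0.7 10.0.0.{i} 445")
    return "\n".join(lines)


def parse(log):
    """Yield (timestamp, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield int(ts), src, dst, int(dport)


def find_scanners(log, fanout=10, window=60):
    """Return {(src, dport): n} for every source that contacted at least
    `fanout` distinct destinations on the same port within any `window`
    seconds; n is the largest such count seen for that (src, dport)."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        by_key[(src, dport)].append((ts, dst))

    hits = {}
    for key, events in by_key.items():
        events.sort()
        in_window = Counter()  # dst -> number of events inside the current window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= fanout:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (src, dport), n in sorted(find_scanners(build_sample_log()).items()):
        print(f"ALERT {src} reached {n} distinct hosts on tcp/{dport}: possible worm or scanner")
```

Running it flags only 10.0.0.7 (40 distinct hosts on tcp/445); the two normal hosts never exceed a fan-out of one. On a real network you would tune `fanout` and `window` per port, since a mail server or a backup job legitimately talks to many hosts on its own ports.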


The threat within



According to a survey we did in January last year, internal security threats can sometimes be deadlier than external ones. This is a crucial point to remember. A disgruntled employee could hand strategic information to your competition, and it could even be done 'unknowingly' by an innocent employee. Such cases are equally dangerous and need to be tackled differently. Just imagine an employee turning hostile and passing strategic business information to a competitor. It is a spine-chilling thought, but it can become a reality at some point.

To learn how to protect your IT infrastructure from such threats, the first thing to do is to understand the difference between an internal and an external attack. There are essentially two types of attack that someone sitting inside the network can perform and which rarely come from an outsider: Ethernet sniffing and spoofing. The former means promiscuously listening to the traffic flowing on the network and gathering data from it, while the latter means faking the identity of another machine (most commonly with forged ARP replies) to receive data intended for that machine. Both are very serious scenarios that could result in the loss of precious data.

The solutions for such issues are twofold: either you secure the data or you secure the medium. To secure the data, you have to encrypt every piece of sensitive data travelling across the network; your mail, passwords, files, etc. all have to be encrypted whenever they are copied or transferred over the network, which in practice means replacing clear-text protocols (telnet, FTP, plain POP/IMAP/SMTP) with their encrypted counterparts (SSH, SFTP, TLS).

Screenshot caption: A non-traditional way to check whether your site is being faked for a phishing attack is to use an online plagiarism-checking website to find replicas of your site's content.

To secure the medium, you have to replace your network switches with ones that are more secure. Yes, there are network switches that are secure and others that are not. To understand this, first you have to understand how spoofing works on a switched network. Every machine keeps an ARP cache that pairs the IP addresses of its neighbours with their MAC addresses, and the switch forwards frames by MAC address. To spoof, an attacker sends forged ARP replies so that a victim's cache pairs another machine's IP (typically the gateway's) with the attacker's MAC; traffic for that IP then flows to the attacker. Monitoring tools such as arpwatch report the tell-tale change of MAC for an IP as an 'ARP flip-flop'.

To protect against such attacks there are switches that validate ARP traffic: with Dynamic ARP Inspection (fed by DHCP snooping or static bindings) the switch keeps a trusted IP-to-MAC binding table and drops ARP packets that contradict it, and with port security it limits which MAC addresses may appear on a port. Such switches are available from most switch vendors but are slightly heavier on your pocket.


You obviously can't change your entire IT infrastructure by deploying new switches, and it may not be feasible to encrypt all the data travelling on your network either. In that case, you can deploy an inward-facing IDS/IPS with alerting, fed from a mirror (SPAN) port on your core switch. Such a system checks for spoofing, sniffing and other attacks on the internal network (passive sniffing itself is nearly invisible, but the ARP spoofing an attacker needs in order to sniff on a switched network is not) and alerts you when there is a problem, telling you the source and destination of the attack. Once you know the source, you can catch the attacker red-handed. You can get an IPS as part of a UTM appliance or as a stand-alone system. Snort is one of the best-known IDS/IPS systems for wired networks, and Kismet is a renowned wireless network detector and sniffer that can also flag rogue access points.

However, while deploying an IPS you should configure alerts so that there is minimal delay between the generation and delivery of the alert. An SMS alert, for instance, will be the quickest among the lot.
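The ARP spoofing described above and the inward-facing detection just discussed, as one added Python example (not the article's code, nor arpwatch's or Snort's): it parses raw Ethernet/ARP frames, learns which MAC claims each IP, and raises an alert when an IP's MAC changes, labelling a change back to an earlier MAC as the flip-flop that arpwatch reports. The frames are constructed inside the script, and the MAC and IP addresses are placeholders.

```python
"""Detect ARP spoofing by watching IP-to-MAC pairings in raw ARP frames.

Added example, not from the original article; it imitates what arpwatch or
Snort's ARP preprocessor do, on constructed frames rather than a live
capture. On a real network you would hand feed() the frames read from a
mirror port (raw socket or a pcap library), which is not shown here.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP reply frame (RFC 826 layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, op 2 = reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP
    frame, or None for anything else (too short, other EtherType, odd sizes)."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, fmt_mac(frame[22:28]), fmt_ip(frame[28:32])


class ArpWatcher:
    """Learns IP -> MAC from the sender fields of every ARP packet and alerts
    when an IP's MAC changes. A change back to a MAC seen earlier is the
    'flip-flop' arpwatch reports; a first-time change is reported as 'changed'."""

    def __init__(self):
        self.table = {}                   # ip -> MAC currently claiming it
        self.history = defaultdict(set)   # ip -> every MAC ever seen for it
        self.alerts = []                  # (kind, ip, old_mac, new_mac)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _oper, mac, ip = parsed
        old = self.table.get(ip)
        seen_before = mac in self.history[ip]
        self.table[ip] = mac
        self.history[ip].add(mac)
        if old is None or old == mac:
            return None
        alert = ("flip-flop" if seen_before else "changed", ip, old, mac)
        self.alerts.append(alert)
        return alert


def sample_frames():
    """Constructed traffic: the real gateway announces itself, an attacker
    claims the gateway's IP with its own MAC, then the real gateway speaks
    again, flipping the pairing back. Addresses are placeholders."""
    gw_mac, attacker_mac, victim_mac = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:99", "aa:bb:cc:00:00:42"
    gw_ip, victim_ip = "10.0.0.1", "10.0.0.42"
    return [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp_reply(victim_mac, victim_ip, gw_mac, gw_ip),
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),  # poisoned reply
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),        # real gateway again
        b"\x00" * 20,                                                 # junk, ignored
    ]


def run_sample():
    watcher = ArpWatcher()
    for frame in sample_frames():
        watcher.feed(frame)
    return watcher.alerts


if __name__ == "__main__":
    for kind, ip, old, new in run_sample():
        print(f"ALERT {kind}: {ip} moved from {old} to {new}")
```

The sample produces two alerts for 10.0.0.1: first 'changed' (gateway MAC to attacker MAC) and then 'flip-flop' when the real gateway reasserts itself. Each alert carries the old and new MAC, which is what lets you walk to the switch, find the port that MAC sits on, and catch the attacker red-handed; wiring the alert into an SMS or e-mail sender is the one piece this example leaves out.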

Faking of identity



Phishing with faked websites is always a key concern for users doing online transactions, but it is a bigger concern for enterprises whose websites are phishing targets. When a site is phished, the matter is out of the hands of the owner of the real site; he doesn't even know his site has been cloned until someone reports the scam. Such phishing sites are the biggest cause of loss of reputation for the websites they imitate.


So if you own a website that is a likely phishing target, you must start thinking about countermeasures. Yes, you should secure your site with digital certificates from known certification authorities and introduce multifactor authentication for your users and customers; neither stops an attacker from copying your pages, but they make the copy easier to tell apart and limit what a stolen password is worth.

But apart from all this, there is another easy way to keep track of which sites are trying to phish your website. The technique doesn't use any security device or application; rather, it relies on the power of today's search engines.

A simple search on the net will turn up lots of free and commercial web-based plagiarism detection tools. Essentially these tools are used to check for copying of copyrighted material across websites: they take each sentence on a website and search for matching sentences on other websites indexed by a given search engine.


When building a phishing site, the attacker copies the real website to create an exact replica in look and feel, so he will almost certainly be using the same text as the real site.

If you run your website through a plagiarism checker, it should show you all websites with the same text, including those that are likely to be phishing sites. The technique works best for websites with fewer images and animations and more text. Two caveats: it only finds clones the search engine has already indexed, and phishing pages are often taken down or moved within days, so run the check regularly rather than once.

One such free website where you can check for plagiarism is http://copyscape.com. It gives you 10 tries a month, which should be good enough for a regular check.
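The plagiarism-style check this section describes, as an added Python example (not the article's code and not Copyscape's): it breaks your page into five-word shingles and sentences, scores each candidate page by how much of your text it reuses, and lists the sentences copied verbatim. The candidate pages are constructed inside the script and the .invalid hostnames are placeholders; against a real search engine you would feed in the text of the pages it returns for your most distinctive sentences.

```python
"""Find web pages that reuse your site's text, the way a plagiarism checker does.

Added example, not from the original article or from any plagiarism service;
instead of querying a search engine it compares against a small set of
constructed candidate pages held in memory. Hostnames use the reserved
.invalid TLD and are placeholders.
"""
import re

OUR_SITE_TEXT = (
    "Welcome to Example Bank online banking. Sign in with your customer ID "
    "and password to view your accounts. Never share your one-time password "
    "with anyone. Example Bank will never ask for your PIN by e-mail."
)

# Constructed candidates: a phishing clone (our text plus a scare line), a news
# story that quotes one of our sentences, and an unrelated bank's login page.
CANDIDATES = {
    "http://example-bank-secure-login.invalid/":
        OUR_SITE_TEXT + " Verify your account now to avoid suspension.",
    "http://news.invalid/story": (
        "In a statement, the bank reminded customers: Example Bank will never "
        "ask for your PIN by e-mail. Analysts said the campaign targeted "
        "retail users."
    ),
    "http://acme-credit.invalid/login": (
        "Log in to Acme Credit Union to manage your loans and savings. "
        "Contact support if you have forgotten your password."
    ),
}


def words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=5):
    """Set of k-word windows; order matters, case and punctuation do not."""
    w = words(text)
    return {tuple(w[i:i + k]) for i in range(len(w) - k + 1)}


def overlap(ours, theirs, k=5):
    """Fraction of our k-word shingles that also occur in the other text."""
    a, b = shingles(ours, k), shingles(theirs, k)
    return len(a & b) / len(a) if a else 0.0


def sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if len(s.split()) >= 4]


def matched_sentences(ours, theirs):
    """Our sentences that appear verbatim (case-insensitively) in the other page."""
    haystack = " ".join(theirs.lower().split())
    return [s for s in sentences(ours) if s.lower() in haystack]


def rank_candidates(ours, candidates, threshold=0.5):
    """Return [(url, score)] for pages whose overlap with ours is at least
    `threshold`, highest first. A quote or shared boilerplate scores low;
    a wholesale copy scores at or near 1.0."""
    scored = [(url, round(overlap(ours, text), 3)) for url, text in candidates.items()]
    return sorted([(u, s) for u, s in scored if s >= threshold], key=lambda x: -x[1])


if __name__ == "__main__":
    for url, score in rank_candidates(OUR_SITE_TEXT, CANDIDATES):
        print(f"{score:.2f} {url}")
        for s in matched_sentences(OUR_SITE_TEXT, CANDIDATES[url]):
            print("   ", s)
```

Only the clone crosses the 0.5 threshold (score 1.0, all four sentences copied); the news story that quotes one sentence scores about 0.2 and the unrelated bank scores 0. Shingle overlap rather than whole-page comparison is what keeps a legitimate quotation from looking like a phishing kit, and the sentence list is what you hand to the hosting provider or CERT when asking for a takedown.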
