Network Security: Handle with care

Protecting your network from internal and external attacks is likely to become more difficult as the economic downturn bites and new threats from mobile workforces and applications come to the fore. David Adams looks at the latest threats and countermeasures

Fraud and criminal behaviour goes up during recessions – always has and always will. That’s bad news for financial companies, because cybercrime was developing at a healthy rate anyway during the boom years. There was a reminder of this at the start of March, with the conviction of a gang of would-be thieves, caught back in 2004 trying to hack into Sumitomo Mitsui’s network via their London office, to steal £229 million.

Cybercrime is connected to organised crime now; it’s not vandals or kids looking to throw a spanner into the works for kudos anymore. So how well protected are financial companies’ networks, now so frequently accessed by staff, clients and customers using various online and mobile technologies? Traditional threats from hacking attempts, trojans, viruses and botnet-enabled denial of service attacks have been familiar means of attack for many years now, but CISOs at financial institutions must also fear the rise of new threats to the integrity and security of networks from social networking sites and from mobile staff and customers. Strong access control technologies covering employees, contractors and temps, and systems that can flag up unusual network user behaviour, are all now required.

“With external threats it is [financial companies’] customers who probably represent the biggest problem,” says Gunter Ollmann, chief security strategist at IBM. “From an insider threat perspective, financial services organisations are slightly above average in protecting [themselves].”

But both external and internal threats are now frighteningly dangerous. Between three and five per cent of all corporate systems have been infiltrated by spam and malware-spouting botnets, according to research published in March by security specialist Damballa. Most malware, whether cunningly implanted from outside or carried into organisations unintentionally or deliberately by customers or staff, now contains components designed to facilitate phishing. That might take the form of keylogging software, or as technology that records mouse movements to crack drop-down menu-protected passwords. “We see a new piece of malware every four seconds – that’s more than 20,000 a day,” says Graham Cluley, senior technology consultant at the vendor Sophos. “Most are designed to steal financial information.”

Malware can also be picked up by accident from infected websites, or from those that have fallen victim to SQL injection attacks. Paul Wood, a senior analyst at MessageLabs, believes it’s wrong to think in terms of some websites being safe and others dangerous – these threats can hide anywhere. Damballa estimates that only 53 per cent of malware infections are detected by security technologies on the day they appear and that around 15 per cent remain undetected for at least six months. That’s disturbing, because the malware is now so sophisticated. Security experts are still waiting to see if the Conficker (Downadup) worm, which has been exploiting vulnerabilities in Microsoft technology since the autumn, creating chaos in organisations of all kinds all over the world, has yet finished its dirty work. “It copies itself all over the place and hooks into a whole bunch of program interfaces,” explains Stuart Okin, managing director of Comsec Consulting (and previously chief security advisor at Microsoft, and head of the security practice at Accenture). “It then protects itself through deleting restore points, blocking AV sites, and so on. It also takes action to spread the infection. That was what caused the recent outages at global firms: not the malware itself, but the fact it was flooding the networks. It’s that level of sophistication that worries the security industry.”

Traditional threats
At least a much anticipated spike in the use of mobile devices to attack networks hasn’t occurred, yet. “I don’t see much of that,” claims Ron Meyran, product marketing manager at Radware. “We didn’t see many attacks using web 2.0 technologies last year either. The majority are still coming through compromised websites and traditional email scams. The hackers are looking not so much for vulnerable machines as for vulnerable users.”

There is also good reason to be concerned about the actions of disgruntled employees. Fifty-nine per cent of Americans who lost or left a job during 2008, and were interviewed for a survey carried out by the Ponemon Institute on behalf of the vendor Symantec, admitted stealing confidential information such as customer contact details and employee records. Worryingly, twenty-four per cent still had access to their former employer’s networks after they had left. The Sumitomo conspiracy depended on the help of a security guard who let his accomplices into the bank’s office to install keylogging software on computers, so the simple threats matter – even down to physically securing your premises.

Staff may also bypass security unwittingly by revealing too much information on social networking sites or through the careless use of USB-connected devices. Again, the enforcement of usage policies is as important as any technical innovation for countermeasures, but it might be worth considering the use of tools like Avanquest’s DeviceDefender software that encrypts USB ports and removable devices from within the device itself, as an extra line of defence.

The net result of these problems, particularly if a company does not patch software vulnerabilities as quickly as it should, is that a majority of networks almost certainly contain infected computers that have been recruited by botnets. “A couple of years ago I would have said the easiest way to break into a bank was to stand outside the front door handing out USB keys to staff,” says IBM’s Ollmann. “Now you can visit websites to get lists of infected machines inside an organisation of your choice and purchase control of them for about $100 per machine.”

Access control
All these problems are exacerbated by the ever more fluid nature of the network boundary, as more organisations allow employees, business partners, outsourcers, clients and customers to access networks from remote locations. “The network is becoming more transparent,” says Miles Clement, senior research consultant at the Information Security Forum (ISF) trade body. “The increased number of attack points means you need stronger access control.”

There’s been no shortage of innovation in this area. Products worth examining include Commerce Media’s Celo product, developed in conjunction with a Ministry of Defence agency, in which a randomly generated secure password is delivered via a specially secured, out-of-band text message to a user’s phone. Most retail banks are also now issuing, or planning to issue, handheld authentication tokens to online banking customers. Nationwide and CFS, for instance, have both recently completed the rollout of two-factor authentication (2FA) devices, similar to the home chip and PIN readers from Xiring, to strengthen the protection for their customers when they access the firms’ websites or buy online.

But these security technologies are not hack-proof, just a little harder to crack. There is also the worry that hardware could be compromised during the manufacturing process, as has happened with the standard UK chip and PIN machines. In a scam revealed last autumn, terminals were doctored in factories in China and Pakistan, with devices inserted to skim card numbers. So subtle was the alteration that it could only be detected by a slight difference in weight between infected and uninfected terminals.

Threats penetrating the increasingly elusive network boundary may also be exacerbated by the use of more outsourcing and software-as-a-service (SaaS) business models. “Outsourcing is already a big thing, but with SaaS we’re going to see a lot more,” warns Clement. “The security guys don’t often get a choice – usually what happens is that the business managers say ‘we’re going to save this much, let’s do it’. So one of the challenges is how we ensure SaaS is going to be delivered securely.”

The key challenge is still to strengthen authentication, by introducing two-factor authentication (2FA) based on biometrics, random passcode generation or other technologies, or by using authentication of the computer or device connecting to the network. But ISF research shows that in most organisations internal password-based authentication (and associated vulnerabilities) will remain the norm for the foreseeable future, because of the costs of 2FA solutions. Even for those companies that do invest in these technologies there will still be practical log-in issues to resolve, relating to the fact that some users need very swift access to systems or applications. At the moment, 2FA solutions tend to be installed for external purposes only, mainly to protect online banking customers.

It might be useful to try and bring additional intelligence into the network, using solutions like ConSentry’s network platform to run role-based access control policies. This uses behavioural analysis software to examine from where and how an individual is seeking access to particular areas of the network, challenging or refusing access and alerting management to suspicious behaviour. The current economic climate is also likely to affect the implementation of a security strategy. But Comsec’s Okin sees an upside to tightening budgets. He doesn’t think enough organisations have yet really considered the cost savings that can be accrued from improved network security. “By improving simplicity of the system and bringing controls up to date, you’ll probably reduce risks,” he points out, noting that even consolidation of security technology can save a great deal of money, particularly within larger companies.

Cost-cutting must certainly not mean removing essential resources, stresses Matthijs van der Wel, manager of principal forensics, EMEA, at Verizon Business Security Solutions. “Many organisations don’t have the resources to watch their systems to see what’s going on,” he says. “What we find when we investigate incidents is that in many cases had the organisation just looked at the log files they would have seen something wrong. Usually what happens is that it can take weeks, if not months, before an organisation notices what’s happening.”
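The two ideas above, role-based access control with a behavioural check on where a user is connecting from, and the point that a plain review of the log files would have exposed the problem, as one added example (not code from the article or from any vendor named in it; roles, users, networks and log lines are all constructed):

```python
import ipaddress
import re

# Constructed role policy (hypothetical): the systems each role may reach.
ROLE_ACCESS = {"teller": {"branch-app"}, "analyst": {"branch-app", "reporting-db"},
               "dba": {"reporting-db", "core-ledger"}}
# Constructed staff directory: alice has left but her account was never revoked.
USERS = {"alice": ("teller", False), "bob": ("analyst", True), "carol": ("dba", True)}
# Constructed behavioural baseline: networks each user normally connects from.
BASELINE = {"bob": ["10.1.0.0/16"], "carol": ["10.2.0.0/16"]}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$")

def in_network(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def decide(user, src, target):
    # Returns (verdict, reason); verdict is "allow", "challenge" or "refuse".
    if user not in USERS or not USERS[user][1]:
        return "refuse", f"{user}: unknown account or leaver whose access was not revoked"
    role = USERS[user][0]
    if target not in ROLE_ACCESS[role]:
        return "refuse", f"{user} ({role}) is not permitted on {target}"
    if not any(in_network(src, net) for net in BASELINE.get(user, [])):
        return "challenge", f"{user} connecting from unusual source {src}"
    return "allow", ""

def review(log_lines):
    # Apply decide() to every parsable line -> list of (ts, user, verdict, reason).
    out = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if m:
            verdict, reason = decide(m["user"], m["src"], m["target"])
            out.append((m["ts"], m["user"], verdict, reason))
    return out

def alerts(decisions):
    # Anything other than a plain allow deserves a human look.
    return [d for d in decisions if d[2] != "allow"]

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2009-03-02T08:01:10 user=bob src=10.1.4.20 target=branch-app",
    "2009-03-02T08:05:42 user=bob src=10.1.4.20 target=core-ledger",
    "2009-03-02T23:17:03 user=carol src=203.0.113.9 target=core-ledger",
    "2009-03-03T02:40:55 user=alice src=10.1.9.3 target=branch-app",
]
if __name__ == "__main__":
    for ts, user, verdict, reason in alerts(review(SAMPLE_LOG)):
        print(ts, user, verdict, reason)
```

Run as written, it reports the out-of-role access, the connection from an unfamiliar network and the leaver's login; the same checks against a real access log are what the investigators quoted above mean by "just looking at the log files".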

Mobile threat
Of course, prevention is better than cure and one of the most effective ways to improve overall network security is to embed security and risk management philosophies deeply into the business mindset of employees, so that systems development has to include security planning from the outset. Martin O’Neal, managing director at the Corsaire security consultancy, points to the approach taken by his company’s client, the mobile banking specialists Monitise, as an example of good practice. Monitise had to incorporate security into the planning of its MoniLink network, a joint venture with VocaLink over which banks can offer transactional mobile banking services to customers.

Rob Brown, development director at Monitise, says the biggest challenges the company faced were related to the fact that what they were trying to do had not been attempted before – namely, building a network that would be able to interface securely with mobile operators, a vast range of mobile phones and the VocaLink network. “There is a need to maintain a continuous assessment regime, incorporating theoretical risk assessments, ethical hacking and penetration testing, and to try to anticipate future threats,” he explains. Further challenges lie ahead, in part because the network will eventually be used for peer-to-peer payments, allowing individuals to make payments to each other using nothing more than individual phone numbers.

Taking full account of security needs during in-house systems development does nothing, however, to secure the solutions bought in from vendors. “You should use part of the procurement cycle to get people to assure you about their good processes,” says Corsaire’s O’Neal. His firm writes contract clauses for clients that stress the need for suppliers to secure solutions in line with standards, demanding that the supplier remedy the situation at its own expense if this is not the case.

Finally, of course, there is physical security to consider when protecting your network, including both the recommendations any decent security consultant would make on the management and staffing of areas in the workplace where unauthorised personnel might be able to view sensitive applications or data; regular audits of computers, to check no additional devices have been added to them; and more stringent monitoring of who comes in and out of the office. “You’ve got to be on guard against, say, cleaning staff taking USB devices inside,” says Sophos’ Cluley. “That is going to be a bigger and bigger problem if hackers find it more difficult to make money through conventional malware.”

Technology will never solve all your network security problems. It’s a depressing thought, but your only hope is to try and make life harder for criminals to the extent that they try to attack someone else instead. Even if people do behave badly when times are hard, and crime goes up during this recession, there’s no reason why your organisation has to suffer as a result.
