Network Security: Handle with care
Protecting your network from internal and external attacks is likely to become more difficult as the economic downturn bites and new threats from mobile workforces and applications come to the fore. David Adams looks at the latest threats and countermeasures
Fraud and criminal behaviour go up during recessions – always have and always will. That’s bad news for financial companies, because cybercrime was developing at a healthy rate anyway during the boom years. There was a reminder of this at the start of March, with the conviction of a gang of would-be thieves, caught back in 2004 trying to hack into Sumitomo Mitsui’s network via its London office to steal £229 million.
Cybercrime is connected to organised crime now; it’s not vandals or kids looking to throw a spanner into the works for kudos anymore. So how well protected are financial companies’ networks, now so frequently accessed by staff, clients and customers using various online and mobile technologies? Traditional threats from hacking attempts, trojans, viruses and botnet-enabled denial of service attacks have been established means of attack for many years now, but CISOs at financial institutions must also fear the rise of new threats to the integrity and security of networks from social networking sites and from mobile staff and customers. Strong access control covering employees, contractors and temps, and systems that can flag up unusual network user behaviour, are all now required.
“With external threats it is [financial companies’] customers who probably represent the biggest problem,” says Gunter Ollmann, chief security strategist at IBM. “From an insider threat perspective, financial services organisations are slightly above average in protecting [themselves].”
But both external and internal threats are now frighteningly dangerous. Between three and five per cent of all corporate systems have been infiltrated by spam- and malware-spouting botnets, according to research published in March by security specialist Damballa. Most malware, whether cunningly implanted from outside or carried into organisations unintentionally or deliberately by customers or staff, now contains components designed to facilitate phishing. That might take the form of keylogging software, or of technology that records mouse movements to capture passwords entered through drop-down menus. “We see a new piece of malware every four seconds – that’s more than 20,000 a day,” says Graham Cluley, senior technology consultant at the vendor Sophos. “Most are designed to steal financial information.”
Malware can also be picked up by accident from infected websites, or from legitimate sites that have fallen victim to SQL injection attacks. Paul Wood, a senior analyst at MessageLabs, believes it’s wrong to think in terms of some websites being safe and others dangerous – these threats can hide anywhere. Damballa estimates that only 53 per cent of malware infections are detected by security technologies on the day they appear and that around 15 per cent remain undetected for at least six months. That’s disturbing, because the malware is now so sophisticated. Security experts are still waiting to see if the Conficker (Downadup) worm, which has been exploiting vulnerabilities in Microsoft technology since the autumn, creating chaos in organisations of all kinds all over the world, has yet finished its dirty work. “It copies itself all over the place and hooks into a whole bunch of program interfaces,” explains Stuart Okin, managing director of Comsec Consulting (and previously chief security advisor at Microsoft, and head of the security practice at Accenture). “It then protects itself through deleting restore points, blocking AV sites, and so on. It also takes action to spread the infection. That was what caused the recent outages at global firms: not the malware itself, but the fact it was flooding the networks. It’s that level of sophistication that worries the security industry.”
There is also good reason to be concerned about the actions of disgruntled employees. Fifty-nine per cent of Americans who lost or left a job during 2008, and were interviewed for a survey carried out by the Ponemon Institute on behalf of the vendor Symantec, admitted stealing confidential information such as customer contact details and employee records. Worryingly, twenty-four per cent still had access to their former employer’s networks after they had left. The Sumitomo conspiracy depended on the help of a security guard who let his accomplices into the bank’s office to install keylogging software on computers, so the simple threats matter – even down to physically securing your premises.
Staff may also bypass security unwittingly by revealing too much information on social networking sites or through the careless use of USB-connected devices. Again, the enforcement of usage policies is as important as any technical countermeasure, but it might be worth considering tools like Avanquest’s DeviceDefender software, which locks down USB ports and encrypts removable devices from within the device itself, as an extra line of defence.
The net result of these problems, particularly if a company does not patch software vulnerabilities as quickly as it should, is that a majority of networks almost certainly contain infected computers that have been recruited by botnets. “A couple of years ago I would have said the easiest way to break into a bank was to stand outside the front door handing out USB keys to staff,” says IBM’s Ollmann. “Now you can visit websites to get lists of infected machines inside an organisation of your choice and purchase control of them for about $100 per machine.”
There’s been no shortage of innovation in authentication. Products worth examining include Commerce Media’s Celo product, developed in conjunction with a Ministry of Defence agency, in which a randomly generated one-time password is delivered via a specially secured, out-of-band text message to a user’s phone. Most retail banks are also now issuing or planning to issue handheld authentication tokens for online banking customers. Nationwide and CFS, for instance, have both recently completed the rollout of two-factor authentication (2FA) devices, similar to the home chip and PIN readers from Xiring, to strengthen the protection for their customers when they access the firms’ websites or buy online.
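The out-of-band one-time password pattern described above is only as good as the rules around the code: it must come from a cryptographically secure generator, expire quickly, be accepted once, and survive only a handful of guesses. The following is an added example written for this article, not Celo’s or any vendor’s code; the 6-digit length, 120-second lifetime and three-attempt limit are assumptions, and delivery of the code over SMS is left to the caller.

```python
"""One-time password (OTP) issuance and verification (added example).

The code is generated with a CSPRNG, stored only as an HMAC so a leaked store
does not leak live codes, expires after CODE_TTL_SECONDS, is accepted exactly
once, and is discarded after MAX_ATTEMPTS wrong guesses.  All three limits are
assumptions for illustration, not values taken from the article.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # 6 digits x 3 attempts = 3 in a million guess chance per code
CODE_TTL_SECONDS = 120   # short window limits the value of an intercepted SMS
MAX_ATTEMPTS = 3


class OTPStore:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key       # server-side secret, never sent to the user
        self._clock = clock          # injectable for testing
        self._pending = {}           # user_id -> (digest, expires_at, attempts_left)

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for user_id and return it for out-of-band delivery."""
        # secrets.randbelow is a CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (self._digest(user_id, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        # Constant-time comparison of digests, so timing does not leak matching prefixes.
        if hmac.compare_digest(digest, self._digest(user_id, code)):
            del self._pending[user_id]   # single use: a replayed code is refused
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user_id]   # lock out: the user must request a new code
        else:
            self._pending[user_id] = (digest, expires_at, attempts_left)
        return False

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the digest to the user so a code issued to one user cannot be replayed for another.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    store = OTPStore(secrets.token_bytes(32))
    code = store.issue("alice")
    print("send over SMS:", code)            # stand-in for the out-of-band channel
    print("first use  :", store.verify("alice", code))
    print("replay     :", store.verify("alice", code))
```

The store holds state per user, so a second `issue` for the same user silently invalidates the earlier code; in a real deployment the pending table would live in a shared store, and the SMS gateway call would be rate-limited per phone number as well, since flooding a victim with codes is itself a known abuse.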
But these security technologies are not hack-proof, just a little harder to crack. There is also the worry that hardware could be compromised during the manufacturing process, as has happened with the standard UK chip and PIN machines. In a scam revealed last autumn, terminals were doctored in factories in China and Pakistan, with devices inserted to skim card numbers. So subtle was the alteration that it could only be detected by a slight difference in weight between infected and uninfected terminals.
Threats penetrating the increasingly elusive network boundary may also be exacerbated by the use of more outsourcing and software-as-a-service (SaaS) business models. “Outsourcing is already a big thing, but with SaaS we’re going to see a lot more,” warns Clement. “The security guys don’t often get a choice – usually what happens is that the business managers say ‘we’re going to save this much, let’s do it’. So one of the challenges is how we ensure SaaS is going to be delivered securely.”
It might be useful to bring additional intelligence into the network, using solutions like ConSentry’s network platform to run role-based access control policies. This uses behavioural analysis software to examine from where and how an individual is seeking access to particular areas of the network, challenging or refusing access and alerting management to suspicious behaviour. The current economic climate is also likely to affect the implementation of a security strategy. But Comsec’s Okin sees an upside to tightening budgets. He doesn’t think enough organisations have yet really considered the cost savings that can accrue from improved network security. “By improving simplicity of the system and bringing controls up to date, you’ll probably reduce risks,” he points out, noting that even consolidation of security technology can save a great deal of money, particularly within larger companies.
Cost-cutting must certainly not mean removing essential resources, stresses Matthijs van der Wel, manager of principal forensics, EMEA, at Verizon Business Security Solutions. “Many organisations don’t have the resources to watch their systems to see what’s going on,” he says. “What we find when we investigate incidents is that in many cases had the organisation just looked at the log files they would have seen something wrong. Usually what happens is that it can take weeks, if not months, before an organisation notices what’s happening.”
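Three of the points made above can be turned into log-review rules that need no behavioural-analysis product: a successful login by an account on the leavers list (the Ponemon finding that a quarter of ex-employees kept access), a login from a country or at an hour not previously seen for that user (the “from where and how” check), and a success that follows a burst of failures from the same source. The following is an added example, not code from any vendor named in the article; the log format, the sample lines, the business-hours window and the failure threshold are all constructed for illustration.

```python
"""Log-review rules over authentication events (added example).

Constructed log format (not from the article): one event per line,
  <ISO timestamp>Z <LOGIN_OK|LOGIN_FAIL> user=<id> src=<ip> country=<cc>
Rules applied to each LOGIN_OK:
  leaver_login            account is on the leavers list
  new_country             user has not been seen from this country before
  out_of_hours            login hour is outside BUSINESS_HOURS
  success_after_failures  >= FAIL_THRESHOLD failures from the source within FAIL_WINDOW
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log: one RO login from a UK user, a password-guessing burst, a leaver.
SAMPLE_LOG = """\
2009-03-02T08:55:12Z LOGIN_OK user=jsmith src=10.1.4.22 country=GB
2009-03-02T09:01:44Z LOGIN_OK user=afarrell src=10.1.4.31 country=GB
2009-03-02T12:30:05Z LOGIN_FAIL user=afarrell src=10.1.4.31 country=GB
2009-03-02T12:30:20Z LOGIN_OK user=afarrell src=10.1.4.31 country=GB
2009-03-02T22:14:03Z LOGIN_OK user=jsmith src=91.200.14.7 country=RO
2009-03-02T23:40:10Z LOGIN_FAIL user=kpatel src=203.0.113.9 country=CN
2009-03-02T23:40:18Z LOGIN_FAIL user=kpatel src=203.0.113.9 country=CN
2009-03-02T23:40:27Z LOGIN_FAIL user=kpatel src=203.0.113.9 country=CN
2009-03-02T23:40:35Z LOGIN_FAIL user=kpatel src=203.0.113.9 country=CN
2009-03-02T23:40:44Z LOGIN_FAIL user=kpatel src=203.0.113.9 country=CN
2009-03-02T23:40:51Z LOGIN_OK user=kpatel src=203.0.113.9 country=CN
2009-03-03T01:12:00Z LOGIN_OK user=mleaver src=198.51.100.4 country=GB
"""
LEAVERS = {"mleaver"}            # assumed feed from HR / identity management
BUSINESS_HOURS = range(7, 20)    # assumption: 07:00-19:59 counts as normal
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)


class Alert(NamedTuple):
    when: str
    user: str
    rule: str


def parse_line(line: str):
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return ts, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def review(log_text: str, leavers=LEAVERS) -> list:
    """Run the four rules over the log and return alerts in log order."""
    alerts = []
    seen_countries = defaultdict(set)    # baseline is built from the log itself here;
    recent_failures = defaultdict(deque) # in practice it comes from prior history
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, when, event, f = parse_line(line)
        user, src, country = f["user"], f["src"], f["country"]
        fails = recent_failures[src]
        while fails and when - fails[0] > FAIL_WINDOW:   # drop failures outside the window
            fails.popleft()
        if event == "LOGIN_FAIL":
            fails.append(when)
            continue
        if event != "LOGIN_OK":
            continue
        if user in leavers:
            alerts.append(Alert(ts, user, "leaver_login"))
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append(Alert(ts, user, "new_country"))
        seen_countries[user].add(country)
        if when.hour not in BUSINESS_HOURS:
            alerts.append(Alert(ts, user, "out_of_hours"))
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(Alert(ts, user, "success_after_failures"))
        fails.clear()
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a.when, a.user, a.rule)
```

The first-seen country for each user is taken as baseline, so a user whose very first login is from an unexpected place is not flagged by `new_country`; in the sample that is why the kpatel login is caught by the failure-burst rule rather than the country rule, and why a real deployment should seed the baseline from history before the period under review.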
Rob Brown, development director at Monitise, says the biggest challenges the company faced were related to the fact that what they were trying to do had not been attempted before – namely, building a network that would be able to interface securely with mobile operators, a vast range of mobile phones and the VocaLink network. “There is a need to maintain a continuous assessment regime, incorporating theoretical risk assessments, ethical hacking and penetration testing, and to try to anticipate future threats,” he explains. Further challenges lie ahead, in part because the network will eventually be used for peer-to-peer payments, allowing individuals to make payments to each other using nothing more than individual phone numbers.
Taking full account of security needs during in-house systems development won’t do much for solutions bought from vendors. “You should use part of the procurement cycle to get people to assure you about their good processes,” says Corsaire’s O’Neal. His firm writes contract clauses for clients that stress the need for suppliers to secure solutions in line with standards, demanding that the supplier remedy the situation at its own expense if this is not the case.
Finally, of course, there is physical security to consider when protecting your network, including both the recommendations any decent security consultant would make on the management and staffing of areas in the workplace where unauthorised personnel might be able to view sensitive applications or data; regular audits of computers, to check no additional devices have been added to them; and more stringent monitoring of who comes in and out of the office. “You’ve got to be on guard against, say, cleaning staff taking USB devices inside,” says Sophos’ Cluley. “That is going to be a bigger and bigger problem if hackers find it more difficult to make money through conventional malware.”
Technology will never solve all your network security problems. It’s a depressing thought, but your only hope is to try and make life harder for criminals to the extent that they try to attack someone else instead. Even if people do behave badly when times are hard, and crime goes up during this recession, there’s no reason why your organisation has to suffer as a result.