
TechGuide: Network Security

A global look at network security technologies

THREAT DETECTION: Time to Move Beyond Signatures
BOTNETS: Skilled Network Experts Fend off Zombies
DEVICE SECURITY: Is New Technology Bypassing Traditional Controls?
SECURITY ASSESSMENT: India Inc. Goes Beyond Routine

THREAT DETECTION

Time to Move Beyond Signatures

Network threat detection requires a new paradigm where content is monitored and analyzed, rather than solely relying on matching network packets to existing signatures.

By Michael S. Mimoso

Finding malware, or worse, attackers pivoting from server to server on your network, is a difficult proposition. Persistent, motivated hackers are adept at developing code that evades detection from signature-based network security devices. And more often than not, attackers are penetrating enterprise networks using legitimate credentials stolen via social engineering scams.

The cat-and-mouse game between security analysts and attackers has become a high-stakes game too, with more than stolen payment information at stake. More and more, corporate and political espionage is motivating hackers to poke and prod network threat detection, looking for anything from intellectual property to military secrets. Surely, long gone are the days when security managers can hide behind their firewalls and feel protected.

"The guys who are more aware of the game these days know firewalls and IDS are not enough; sure, some are still in that compliance mindset, but that's got to change and it's going to change," said Marty Roesch, developer of the Snort intrusion detection system, and CTO and founder of Columbia, Md.-based Sourcefire Inc.

Those who don't change? Attackers will change the game for them. Packet filtering firewalls are no longer enough to safeguard networks from attackers. Experts recommend a gamut of new security means to keep data safe, ranging from sandboxing capabilities, smarter re-architecting of networks and configurations, content analysis, visibility and context into what's happening on a network, and intelligence about the latest threats and hacker techniques. In other words, this ain't your father's network security any more.
"I think the packet-centric approach has been, if it's not dead, eclipsed by much more focus on the content. All of the exciting developments have been less about making good matches against packets or streams, and more about observing the traffic flow, extracting content, analyzing it and making a determination," said Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant Corp., and author of the popular TaoSecurity blog. "The file-centric method is how we're catching the most interesting activity."

Companies relying on detection technologies such as network monitoring tools, IDS, IPS and more are finding complementary success using those tools along with sandbox technology. Sandbox tools, such as those offered by FireEye, Damballa and others, capture potentially malicious or untrusted code on the network and execute it in a controlled environment. Sandboxes are becoming a popular failsafe as signature-based defenses come under fire.

"If you want to test something in the environment, sandboxing makes a lot of sense," said Derek Gabbard, CEO of Baltimore, Md.-based LookingGlass Cyber Solutions Inc., which sells products that correlate and analyze threats in an enterprise environment.

Testing code in a sandbox enables an analyst to see code behavior and react accordingly, rather than engage in an endless loop of vulnerability management. "Sandboxing is really popular, and part of the reason is the realization you can't reverse engineer everything," Bejtlich said. "You don't need to know about vulnerabilities. You need to know what it does when it's successfully run."

Ripping and replacing signature-based detection technologies isn't feasible for any organization. Instead, John Strand, owner of security consultancy Black Hills Information Security and a senior SANS Institute instructor, would rather educate security managers to properly architect networks with internal segmentation in order to improve detection, analysis and visibility into traffic and potential events. For example, workstation segments should be kept separate from each other, said Strand, a longtime penetration tester.

"If they're talking, you should block it and it should fire off an alert. On really good networks, they'll enable the firewall on Windows workstations so none are talking to each other, only to network devices: gateways, file servers and printers. Workstation-to-server subnets are OK. That contains exploits."

Such segmentation helps limit the spread and effectiveness of exploits, and helps network managers and security analysts with detection and analysis. "In that example, if you limit the number of communication pathways you have to monitor, you can now focus on detection between workstations and servers," Strand said. "If you block access to workstation communication, and force the bad guys to try to get access via servers, you can monitor that intensely. Architect so there are fewer possibilities for communication so you can put more resources into monitoring those that are left."

The notion of having security visibility into networks is supremely important in the context of today's attacks. Experts urge companies to have an automated way to understand the environment they're protecting and analyze threats relevant to their organization.

"Prevention as a methodology will fail," Sourcefire's Roesch said. "You need to go beyond that. You cannot control things you're unaware of. If something happens, and no one observes it, you have a problem. If all your technology missed it, how will you find it and get it out? You only get one shot at prevention. If your initial chance for prevention came and went, it won't work."

Often, attacks are carried out using legitimate credentials stolen via social engineering campaigns. Attackers with access look like insiders, have staying power inside a network, and a lot more opportunity to exfiltrate data or drop customized malware that will evade signature-based AV or IPS monitoring. Signatures, meanwhile, still have their function as a protector of networks, but attackers have figured out sometimes painfully easy ways of getting around this type of security.

Strand, for one, disagrees that this blacklisting type of approach is dead. "If you look at blacklist technology, it's similar to the concept of immunizations. As a kid, you get measles, polio shots. Just because you got a shot in the arm, you're not going to swim in a cesspool. You have to exercise and make healthy lifestyle choices," he said. "When you look at traditional blacklist technology, you can't think you're immune to attacks and your users can go anywhere on the Internet. (Signatures) have their place."

"They may have their place, but they get stale quickly," Bejtlich said. "It does come down to the quality of signatures. If you have good intelligence and know what to look for, you can find stuff. Most of the time, what you get from an IPS vendor won't help much," he said. "Most of the value comes from signatures you develop yourself. As you can imagine though, most companies don't have that kind of intel, or a crew to write signatures. Many times you have to go outside, and it becomes an arms race for signatures."

Roesch too is hesitant to say signatures don't work anymore. "IPS and the original prevention technologies did well," he said. "Attackers are now operating out of that scope. If you take away IPS, for example, you can go back to easy hacking."
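Strand's design above, where workstations may reach servers and shared infrastructure but never each other, and any workstation-to-workstation connection is blocked and alerted on, is a rule that can be checked mechanically against flow records. The following Python is an added example, not code from the guide or from any vendor it names; the address plan, the allowed-path table and the sample flows are constructed assumptions.

```python
"""Check flow records against the workstation-isolation design described by
Strand. Added example, not code from the guide; the address plan and flow
records below are constructed for illustration."""
import ipaddress
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Assumed (hypothetical) address plan: workstations, servers, and the shared
# infrastructure workstations may reach (gateway, file server, printers).
SEGMENTS = {
    "workstation": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "infra": ipaddress.ip_network("10.0.0.0/24"),
}

# The pathways the design leaves open. Workstation-to-workstation is
# deliberately absent: that traffic is blocked at the host firewall and
# alerted on, so monitoring effort can concentrate on the paths that remain.
ALLOWED_PATHS = {
    ("workstation", "server"),
    ("workstation", "infra"),
    ("server", "server"),
    ("server", "infra"),
    ("infra", "server"),
}


def segment(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def classify(flow: Flow) -> str:
    """Return 'allow' or an alert string for one flow."""
    src_seg, dst_seg = segment(flow.src), segment(flow.dst)
    if (src_seg, dst_seg) in ALLOWED_PATHS:
        return "allow"
    if src_seg == dst_seg == "workstation":
        # Lateral traffic between workstations is exactly what the design forbids.
        return "alert:workstation-to-workstation"
    return f"alert:unexpected-path:{src_seg}->{dst_seg}"


def audit(flows):
    """Return (alerts, path_counts): alert lines for disallowed flows, and how
    many flows were seen per (source segment, destination segment) pair."""
    alerts = []
    path_counts = Counter()
    for f in flows:
        path_counts[(segment(f.src), segment(f.dst))] += 1
        verdict = classify(f)
        if verdict != "allow":
            alerts.append(f"{verdict} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    return alerts, path_counts


# Constructed sample flows: two legitimate workstation sessions, two
# workstation-to-workstation connections (SMB and RDP), a server DNS lookup,
# and an address outside the plan reaching a workstation.
SAMPLE_FLOWS = [
    Flow("10.10.1.15", "10.0.0.10", 445, "tcp"),
    Flow("10.10.1.15", "10.20.3.4", 443, "tcp"),
    Flow("10.10.1.15", "10.10.1.22", 445, "tcp"),
    Flow("10.10.2.8", "10.10.1.15", 3389, "tcp"),
    Flow("10.20.3.4", "10.0.0.1", 53, "udp"),
    Flow("192.0.2.5", "10.10.1.15", 22, "tcp"),
]

if __name__ == "__main__":
    found, paths = audit(SAMPLE_FLOWS)
    for line in found:
        print(line)
    print("segment pairs observed:", dict(paths))
```

The path counts show how few segment pairs are left to watch once workstation-to-workstation traffic is gone, which is the monitoring payoff Strand describes.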

BOTNETS

Skilled Network Experts Fend off Zombies

Having skilled IT pros closely monitoring intrusion prevention systems to investigate network traffic anomalies can reduce infections.

By Robert Westervelt

Cybercriminal gangs wielding hordes of malware-infected zombie machines are primarily using them for massive spam campaigns aimed at pushing pharmaceuticals, herbal remedies and porn, but they are also often rented out for more nefarious purposes, say experts who monitor them. Botnets can be used to conduct distributed denial-of-service (DDoS) attacks, leveraging the power of infected systems to disrupt and wipe out websites. Botnets often spread malware, and are the main engine behind phishing campaigns or the fuel behind powerful clickjacking campaigns.

What started as an amateur activity on Internet Relay Chat (IRC) networks, using the power of people connected to IRC to knock victims offline, quickly became a for-profit venture associated with cybercriminal fraud activities, said Joe Stewart, director of malware research at Dell SecureWorks. "Now we see you've got governments and hacktivists getting into the game for reasons that aren't really just money related," Stewart said.

Stewart and other security experts say many enterprises have zombie machines running on their networks without even realizing it. Rather than being aimed to disrupt systems, the malware is being remotely controlled to seek an enterprise's most prized possession: intellectual property. "They're highly focused on companies and governments," Stewart said. "Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it."

Stewart and other security experts say many businesses are far too reliant on automated systems: big security appliances such as intrusion prevention and detection systems designed to monitor network traffic. They're calling for enterprises to instead hire skilled IT security pros to proactively monitor those systems and investigate issues. The approach, they say, improves the security systems already deployed in most enterprises by addressing and isolating issues before they become a serious problem.
The good news is some of the malware associated with widely known botnets can be detected using most traditional security appliances and endpoint security software, including antivirus. But a much more serious threat is targeted attacks, particularly those hurled at enterprise employees, that use malware combined with techniques that are designed to evade detection. Once an endpoint machine is infected by stealthy malware, a Trojan embeds itself and then attempts to reach out to cybercriminals for orders. Enterprise network monitoring tools can detect the nefarious traffic and block some of it, but over the years, cybercriminals have become savvy at tunneling communications using strong encryption algorithms, timing communication drops for odd hours when systems aren't being fully monitored or sending out tiny communication packets that assimilate with normal network traffic.

"You can hope your corporate antivirus [detects botnet infections] at the gateway or on the desktop, but we know from testing that those capabilities don't have the highest rates of detection," Stewart said. "If you move into the network realm you can pick up a lot of this activity because it doesn't change its network fingerprint very often."
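Stewart's point that the traffic "doesn't change its network fingerprint very often" suggests scoring outbound connection records on the traits the paragraph lists: regular timing, odd hours and tiny transfers. The following is an added example, not code from the guide or from Dell SecureWorks; the log lines are constructed and the thresholds are assumptions to tune per environment.

```python
"""Look for command-and-control beaconing in outbound connection records:
regular intervals, small transfers and off-hours timing. Added example, not
code from the guide; the log below is constructed and the thresholds are
assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed outbound connection log: "timestamp src dst dport bytes".
# 10.10.1.15 contacts 198.51.100.7 every ~10 minutes at 2 a.m. with ~600-byte
# exchanges; its daytime browsing to 203.0.113.20 is bursty and larger.
# 10.10.2.8 has too few records to judge.
CONSTRUCTED_LOG = """\
2012-06-14T02:00:05 10.10.1.15 198.51.100.7 443 612
2012-06-14T02:10:04 10.10.1.15 198.51.100.7 443 598
2012-06-14T02:20:07 10.10.1.15 198.51.100.7 443 605
2012-06-14T02:30:05 10.10.1.15 198.51.100.7 443 590
2012-06-14T02:40:06 10.10.1.15 198.51.100.7 443 611
2012-06-14T02:50:04 10.10.1.15 198.51.100.7 443 600
2012-06-14T09:12:01 10.10.1.15 203.0.113.20 443 15400
2012-06-14T09:12:03 10.10.1.15 203.0.113.20 443 2300
2012-06-14T09:12:04 10.10.1.15 203.0.113.20 443 48000
2012-06-14T09:15:40 10.10.1.15 203.0.113.20 443 900
2012-06-14T09:31:11 10.10.1.15 203.0.113.20 443 120000
2012-06-14T03:00:00 10.10.2.8 203.0.113.9 80 700
2012-06-14T03:10:00 10.10.2.8 203.0.113.9 80 700
"""


def parse(text):
    """Parse log lines into (timestamp, src, dst, dport, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def pair_stats(records, min_count=4):
    """Per (src, dst, dport) with at least min_count connections, compute the
    interval regularity (coefficient of variation of the gaps), the median
    bytes transferred and the share of connections between 00:00 and 05:59."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        by_pair[(src, dst, dport)].append((ts, nbytes))
    stats = {}
    for pair, events in by_pair.items():
        if len(events) < min_count:
            continue  # too few samples to judge regularity
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        avg_gap = mean(gaps)
        stats[pair] = {
            "count": len(events),
            "mean_gap": avg_gap,
            "cv": pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf"),
            "median_bytes": median([n for _, n in events]),
            "off_hours": sum(1 for t, _ in events if t.hour < 6) / len(events),
        }
    return stats


def detect(text, min_count=4, max_cv=0.2, small_bytes=2000, off_hours_share=0.5):
    """Return {pair: reasons} for pairs that connect at a regular interval and
    show at least one more suspicious trait. Regularity alone is not enough:
    NTP and software update checks are regular too, so a second trait is required."""
    findings = {}
    for pair, s in pair_stats(parse(text), min_count).items():
        reasons = []
        if s["cv"] < max_cv and s["mean_gap"] >= 60:
            reasons.append("regular-interval")
        if s["median_bytes"] < small_bytes:
            reasons.append("small-transfers")
        if s["off_hours"] >= off_hours_share:
            reasons.append("off-hours")
        if "regular-interval" in reasons and len(reasons) >= 2:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for pair, reasons in detect(CONSTRUCTED_LOG).items():
        print(pair, ", ".join(reasons))
```

A flagged pair is a lead for the analyst the article calls for, not a verdict; the next step is to look at what the host is and what the destination resolves to.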

BOTNET SIZE DOESN'T MATTER

Stewart said the most powerful botnets are not necessarily the largest. The Flame malware toolkit, for example, contained a botnet of less than 200 infected machines in Iran, yet it wielded a powerful arsenal for those behind it. The limited scope of the attack, believed to be a nation-state driven cyberespionage operation, enabled the botnet operators to stealthily eavesdrop on their victims, steal data and capture video for years.

By contrast, Stewart said larger botnets give cybercriminals the advantage of leveraging the computing power of infected computers to spread malware and other malicious activities. They can be used to amplify a denial-of-service attack to take down a website or quickly spread malware and steal account credentials. The Zeus and SpyEye malware families make up massive botnets that have, for years, wreaked havoc on the financial industry. The botnets spread quickly due to the business model put in place by the cybercriminals behind the malware. Using automated attack toolkits, the cybercriminals set up an affiliate network, rewarding other cybercriminals for infecting machines. Zeus gained notoriety in 2006. The malware can be coded to spoof websites, steal account credentials and drain bank accounts. Security firms have tried to knock out portions of the botnets by disrupting the command-and-control servers associated with them, but despite those efforts, cybercriminals have built-in mechanisms to bring them back online. The most recent effort came from Microsoft, which used legal action to wipe out Zeus botnet servers in the United States.

DETECTION: THE HUMAN FACTOR

There is no technology better than a skilled IT pro assigned to look for anomalies on the corporate network, said Johannes Ullrich, chief research officer at the SANS Institute. Skilled system administrators should be inspecting network traffic and system logs, applying creative thought in the process of flagging potential problems for further investigation, Ullrich said. Packet analyzers and other filtering tools can help network security pros determine if suspicious traffic is malicious in nature.

"A lot of enterprises still rely on old, signature-based antivirus," Ullrich said. "Particularly with [targeted] attacks and these kinds of botnets it depends on individuals at this point."

The trend at many enterprises has been to outsource network monitoring activities, but Ullrich said that in his experience, outsourced security monitoring usually fails at detecting the targeted attacks and botnet infections that matter the most. Outsourced services follow a checklist and process a specific number of requests per hour, Ullrich said, adding that outsourced services would be better if they played a role in assisting a system administrator to find the next new thing versus yesterday's bot. "They don't really understand the business and that's why some enterprises are going through the expensive process of bringing it back in-house," he said.
Endpoint security combined with network-based security such as host intrusion prevention (HIPS) technology and other reputation and filtering systems can help mitigate malware infections, said Mike Rothman, analyst and president of Phoenix, Ariz.-based security research firm Securosis LLC. The firm recently concluded its malware detection series that focused on why detection is so challenging. Network security appliances can provide context on application and user behavior, but it requires adjusting and tuning to avoid a serious impact to end users, Rothman said in a blog post describing the firm's research series. The same goes for Web filtering and reputation-based systems. "Find a balance that is sufficiently secure but not too disruptive, navigating the constraints of device ownership and control, and workable across device locations and network connectivity scenarios," Rothman wrote.

DEVICE SECURITY

Is New Technology Bypassing Traditional Controls?

Security pros need to implement the right level of security on all networked devices.

By Warwick Ashford

Network security controls and practices are among the most mature, but can businesses be sure that some network traffic is not sneaking past traditional controls, especially with the recent proliferation of new mobile wireless and other IP-enabled devices?

With the rise of mobile enterprise applications and related trends such as the consumerisation of IT and bring-your-own-device (BYOD), an increasing number of enterprise employees are looking to access corporate networks through Wi-Fi hotspots, both internally and externally. Whether these Wi-Fi hotspots increase the potential of data leakage depends mainly on an organisation's strategy for network security.

If organisations continue to rely on network security as a key control in the protection of their data, Wi-Fi is a potential avenue for data leakage, according to Matthew Lord, chief information security officer at IT-enabled business services firm Steria UK. "An attacker could just sit in an organisation's car park and try to force their way into the network by trying a combination of user IDs and passwords until they gain access," he said.

If enterprises want to use Wi-Fi hotspots safely, they must follow two data leakage prevention strategies: set them up as an internet hotspot with no access to internal systems, and use a stronger form of authentication such as client-side certificate authentication. Internal Wi-Fi hotspots, where there are separate corporate and guest networks, and the corporate network has tight controls, including device authentication, are therefore generally not an issue for network traffic slipping past controls.
However, corporate users could be tempted to switch to the guest network where there are fewer or no controls and that is where leakage could occur. Best practice would be to set up a guest network that requires temporary credentials to enable connections.

PUBLIC WI-FI HOTSPOT DANGERS

Public Wi-Fi hotspots, such as those commonly provided by coffee shops, are typically unencrypted, which means any wireless sniffer or rogue wireless access point can get all the traffic because all the data packets are open. Therefore, data leakage prevention depends on how the mobile device accessing the network is protected and configured. Best practice would be for public hotspots to move to WPA2 to encrypt each session and for businesses to allow access to internal networks only through a virtual private network (VPN) client, which means all a traffic sniffer would see is a stream of encrypted data packets. This also prevents traffic redirection and man-in-the-middle attacks associated with web access over HTTPS.

Small and medium enterprises (SMEs) are typically at highest risk of data leakage through public Wi-Fi hotspots because they do not commonly use VPNs. Best practice for mobile devices that support 3G, high-speed packet access (HSPA) and Wi-Fi is to use voice-over-IP (VoIP) instead, and run peer-to-peer call manager software to encrypt the traffic, according to Jirasek. "This enables all traffic to be encrypted over an untrusted network," he said.

Another potential avenue of data leakage is the increasing number of IP-enabled devices within the enterprise, including printers, CCTV cameras, point-of-sale (POS) systems, building access, and other control systems. The fact that most devices can operate on an IP network, coupled with the fact that most corporations need to save money today, inevitably means there is an increasing use of the corporate network as a communications backbone for more than just file and print servers.

In light of this fact, and the need to block as many avenues for data leakage as possible, organisations need to treat their internal networks as hostile and implement the right level of security on all networked devices. "A good example would be to encrypt CCTV footage between the camera and the recorder or implement a hardened factory control server with a firewall on your network, rather than an unprotected workstation running system control software," said Steria's Lord.

Again, best practice is to segregate different types of devices and apply different security controls accordingly, said Jirasek. "You don't want to put IP devices on the same domain or network as your computers. If they don't need to talk to each other, they should not be able to," he said.

NETWORK ACCESS REQUIRES CAREFUL MANAGEMENT

Ideally, all traffic should be monitored, but when you make a cost/benefit analysis, it may seem excessive to do so. "You need to make a judgment call based on the threat analysis [to ascertain] whether it is worth putting these controls into some segments," said Jirasek. "It would be very bad practice to have it all on the same network, but this is what small companies are doing. SMEs don't really have money to segregate the network. The best approach would be to have anomaly detection protection which baselines the network traffic and looks at the patterns and identifies the anomalies. That would be the best from a pure network traffic point of view, but for the determined attacker you need to be prepared on the host, so have it tightly secured, users not having admin rights, some sort of protection against RAM-scraping malware, good anti-virus and anti-malware, the data classified and potentially segregated with access over some kind of Citrix session, and then ideally if the user has access to secrets inside the organisation they should use a different PC for browsing the internet," said Jirasek.

Complexity is the biggest challenge for large enterprises. Security vulnerabilities typically arise because of misconfigurations. With only 30% to 40% of firewall rule bases used, organisations tend to expose their networks to access for which there is no business purpose. "Data leakage is seldom a problem with technology. It is not an issue of data sneaking past network controls, but of misconfiguration of those controls and a reluctance to fix known misconfigurations for fear of blocking business access to the network," said Jody Brazil, founder and chief technology officer of Kansas-based security management firm FireMon.

For large corporate and government networks, he said that in addition to reactive security information and event management (SIEM), there needs to be a complementary proactive capability to build a picture of overall risk by identifying all network access. This enables organisations to reduce risk by blocking unnecessary access paths before there is a security incident. "Most organisations are astounded when we show them how many paths there are to their network that could be used for unauthorised access," said Brazil. FireMon, he said, goes beyond rival configuration management systems by combining traditional operational capabilities with continuous risk monitoring and visibility, which includes the ability to identify and prioritise risk remediation tasks and model the knock-on effects of any network configuration changes.

Many organisations are still relatively weak when it comes to continuous monitoring, according to PwC's Beer. "I am always surprised to see how log data is not being used to pinpoint potential attacks," he said.
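Brazil's observation that only 30% to 40% of a firewall rule base carries traffic, and that the unused access paths are the exposure, can be tested directly from a rule base exported with its hit counters. The following is an added example, not FireMon's or the guide's code; the rules, counters and dates are constructed, and it also flags rules that an earlier rule shadows, which is one common reason a rule never fires.

```python
"""Audit a first-match firewall rule base for rules that carry no traffic,
rules that can never match because an earlier rule shadows them, and rules
that permit any source to any destination. Added example, not FireMon code
or the guide's; the rules and dates below are constructed."""
import ipaddress
from datetime import date
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    rid: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # "proto/port" or "any"
    action: str     # "allow" or "deny"
    hits: int       # match counter read from the device
    last_hit: Optional[date]


def covers(outer: str, inner: str) -> bool:
    """True if address scope `outer` includes all of `inner`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def service_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def shadowed_by(rules, index):
    """Return the id of the first earlier rule that matches everything this
    rule matches (so, with first-match evaluation, this rule never fires)."""
    rule = rules[index]
    for earlier in rules[:index]:
        if (covers(earlier.src, rule.src) and covers(earlier.dst, rule.dst)
                and service_covers(earlier.service, rule.service)):
            return earlier.rid
    return None


def audit(rules, today, stale_days=90):
    """Return (findings, in_use_ratio); findings is a list of (rule id, reasons)."""
    findings = []
    in_use = 0
    for i, rule in enumerate(rules):
        reasons = []
        shadow = shadowed_by(rules, i)
        if shadow:
            reasons.append(f"shadowed by {shadow}")
        stale = rule.last_hit is None or (today - rule.last_hit).days > stale_days
        if rule.hits == 0 or stale:
            reasons.append("no traffic in window")
        else:
            in_use += 1
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any":
            reasons.append("permits any source to any destination")
        if reasons:
            findings.append((rule.rid, reasons))
    return findings, in_use / len(rules)


TODAY = date(2012, 9, 1)  # constructed audit date

# Constructed rule base, evaluated top to bottom, first match wins.
RULES = [
    Rule("R1", "10.10.0.0/16", "10.20.0.0/16", "tcp/443", "allow", 120000, date(2012, 8, 31)),
    Rule("R2", "10.10.1.0/24", "10.20.3.0/24", "tcp/443", "allow", 0, None),     # inside R1
    Rule("R3", "10.10.0.0/16", "10.0.0.0/24", "tcp/445", "allow", 50000, date(2012, 8, 30)),
    Rule("R4", "10.30.0.0/16", "10.20.0.0/16", "tcp/22", "allow", 0, None),      # vendor template
    Rule("R5", "any", "any", "any", "allow", 9, date(2012, 2, 14)),              # forgotten catch-all
]

if __name__ == "__main__":
    found, ratio = audit(RULES, TODAY)
    print(f"rules in use: {ratio:.0%}")
    for rid, reasons in found:
        print(rid, "; ".join(reasons))
```

A zero-hit rule is a candidate for removal only after the shadowing and the counter window have been checked; a rule that is shadowed will show zero hits whether or not the access it describes is wanted.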

EDUCATING USERS ABOUT SECURITY RISKS

Like all security challenges, however, technology alone is not enough. Especially in the BYOD era, enterprises need to ensure that employees are aware of the risks of using mobile devices to access corporate networks and data. "There are a whole range of mobile device management suppliers, but enterprises need to do more around people and awareness because the problem is often the user, who becomes the weakest link," said Beer.

While many organisations have appropriate technologies, policies and awareness programmes in place for desktop and laptop computers, he said it is often lacking when it comes to smartphones and other mobile devices. The level of awareness of the potential risks of IP-enabled devices is also relatively low. "We need to raise the profile of unmanaged IP-enabled devices because the number of these vulnerabilities is only going to increase," warned Beer.

SECURITY ASSESSMENT

India Inc. Goes Beyond Routine

As network security assessments become essential hygiene, security experts at Indian enterprises are honing in on specifics.

By Varun Haran

As security threats continue to proliferate unabated, security challenges for Indian enterprises are correspondingly on an upward spiral. Security is now a matter of hygiene; it's no longer a matter of if and when but rather, more a matter of how. Network security assessments play an important role here in prioritizing resource allocation to critical areas and ensuring that security gaps in the network are discovered and remediated in time.

SearchSecurity.in spoke to several security experts across verticals in the Indian industry for insights into the nitty-gritty of network security assessment/vulnerability assessment and penetration testing exercises. What emerged was that while a secure network might be a common goal, and lack of skilled manpower and budget constraints common woes, Indian enterprises are approaching the problems in their own unique ways, going beyond the routine and honing in on specifics.

NETWORK SECURITY ASSESSMENT AT INDIA INC.

Manish Dave, CISO, Essar Group, a $16 billion Indian conglomerate with diverse interests including steel, oil & gas, power and shipping, views network security assessments in Indian enterprises from two perspectives. One, within the organization's WAN; the other, between the outside world and the logical perimeter. Dave feels that while intrusion from outside or information leaks from inside are points of focus, what is often ignored during network security assessment is the availability aspect of CIA (confidentiality, integrity and availability).

"Unless a backed-up device exists in case of failure, the whole purpose of security at the logical perimeter is defeated," he says. Building redundancy at each level (firewalls, IPSs, core routers, and so on) is something organizations might be overlooking, and a failure at any critical point is a free ticket for intruders, Dave feels. He advises that network security assessments should not be limited to firewalls/IPSs and Internet-facing websites, but should also include services such as VoIP and video conferencing systems.

Pankaj Agrawal, CISO & head of technology governance at Aircel, feels that, in boardrooms across the country, especially in telecom, discussions around network security and vulnerability assessment are now more mature and intelligent, rather than being restricted to a basic level. Moreover, telecom being a highly regulated sector in India, with any breach or leak attracting massive penalties and reputation loss for companies, security is getting deeply embedded into the organization culture. Agrawal believes that given the maturity of organizations today, the focus is shifting from perimeter-centric security to data protection. He sees the market moving towards solutions to protect data at rest and data in motion. Agrawal prefers to rely on a robust ISMS framework, regular tool-based vulnerability assessments and rigorous annual audits to stay secure.

BOTNETS

DEVICE SECURITY

SECURITY ASSESSMENT

POLICY REVIEW

Dave of Essar says that while Indian organizations are fielding a full spectrum of security tools from IPSs to firewalls, the necessary skill-sets to configure policies on these devices are lacking. Most devices come with hundreds of policies prewritten, which organizations may be configuring based on inputs and templates from the vendor itself. Many of these policies might not even be relevant to the business. Therefore a mechanism to review network policies on a periodic basis is essential, he says. The policy review mechanism must be geared to deal with whether policies are relevant and up-to-date and whether not a mechanism exists to record changes to policies on network devices.

SECURITY ASSESSMENT

Says Dave, "Changes to policies need to be strictly recorded as human error cannot be ruled out. A periodic review of all checks and balances is a must to keep track of anomalous activities. Unless sensible analysis is done on critical devices, a major gap in the network security architecture is inevitable." Satish Das, CSO and VP at software major Cognizant, firmly believes that a good policy management, monitoring and response mechanism is key to a secure network. Das depends on tools to monitor changes and help in automating the policy review process, to ensure correct network security policy enforcement. Similarly, Aircel has installed network access controls to monitor hygiene and compliance, and restrict network access on-the-fly.
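The two review requirements above, a periodic check of whether policies are still relevant and a record of every change made to them, can be automated with a small script that diffs successive exports of a device's rule base. The following is an added example, not code from the interviewees' organizations or from any vendor; the "id action source destination port" export format, the two snapshots and the per-rule hit counters are all constructed for illustration.

```python
"""Periodic policy review helper: diff two rule-base snapshots, flag rules
that were never hit, and emit a hashed audit record of the change.

Added example with a constructed, hypothetical export format; real firewall
exports differ per vendor and would need their own parser.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample snapshots of one device's rule base, one line per rule:
# "<id> <action> <source> <destination> <port>".
BASELINE_SNAPSHOT = """\
10 allow 10.0.1.0/24 10.0.2.10 443
20 allow 10.0.1.0/24 10.0.2.20 22
30 deny any any any
"""

CURRENT_SNAPSHOT = """\
10 allow 10.0.1.0/24 10.0.2.10 443
20 allow any 10.0.2.20 22
25 allow 10.0.3.0/24 10.0.2.30 3389
30 deny any any any
"""

# Constructed hit counters per rule id over the review period.
HIT_COUNTS = {"10": 15234, "20": 0, "25": 3, "30": 99}

FIELDS = ("action", "src", "dst", "port")


def parse_rules(snapshot: str) -> dict:
    """Parse a snapshot into {rule_id: {action, src, dst, port}}."""
    rules = {}
    for line in snapshot.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule line: {line!r}")
        rule_id, *values = parts
        rules[rule_id] = dict(zip(FIELDS, values))
    return rules


def diff_rules(old: dict, new: dict) -> dict:
    """Classify rules as added, removed or changed between two snapshots.

    'changed' maps a rule id to {field: (old_value, new_value)} so the
    reviewer sees exactly what was altered, e.g. a source widened to 'any'.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rule_id in set(old) & set(new):
        if old[rule_id] != new[rule_id]:
            changed[rule_id] = {
                f: (old[rule_id][f], new[rule_id][f])
                for f in FIELDS
                if old[rule_id][f] != new[rule_id][f]
            }
    return {"added": added, "removed": removed, "changed": changed}


def stale_rules(rules: dict, hits: dict) -> list:
    """Rule ids with zero hits in the period: candidates for a relevance review."""
    return sorted(r for r in rules if hits.get(r, 0) == 0)


def change_record(old_snapshot: str, new_snapshot: str, hits: dict,
                  reviewer: str, when: datetime = None) -> dict:
    """Build an audit record that ties the diff to hashes of both snapshots,
    so a later reviewer can prove which exports the findings were based on."""
    when = when or datetime.now(timezone.utc)
    old, new = parse_rules(old_snapshot), parse_rules(new_snapshot)
    return {
        "reviewed_at": when.isoformat(),
        "reviewer": reviewer,
        "baseline_sha256": hashlib.sha256(old_snapshot.encode()).hexdigest(),
        "current_sha256": hashlib.sha256(new_snapshot.encode()).hexdigest(),
        "diff": diff_rules(old, new),
        "stale": stale_rules(new, hits),
    }


if __name__ == "__main__":
    record = change_record(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, HIT_COUNTS,
                           reviewer="network-security-review")
    print(json.dumps(record, indent=2))
```

Run against the constructed snapshots, the record reports rule 25 as added, rule 20 as changed (its source widened from 10.0.1.0/24 to any) and rule 20 as stale, which is exactly the combination a reviewer would want to question. Appending each record to write-once storage gives the change log Dave asks for; comparing a fresh export against the last recorded hash on a schedule catches edits made outside the review process.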


SPECIALIZED PEN-TESTING NEEDED

Das feels that many Indian organizations are today at a level of security where general pen-tests during a network security assessment exercise will not unearth much. Giving the analogy of how a regular checkup for a fit man might not find any problems, Das believes that beyond a certain level of maturity, more rigorous and specialized tests need to be conducted in order to test the network's susceptibility to attack. Das believes the security market in India is moving towards specialized pen-testing. With the Essar Group's interests in critical infrastructure sectors such as oil and gas, Dave says it becomes imperative to go beyond the technical aspects of pen-testing and consider attack vectors such as social engineering and physical security. He states that while a biannual internal tool-based vulnerability assessment is essential for hygiene, an annual independent third-party assessment is required to properly assess network security. In addition to a complete network security assessment exercise, focusing on different aspects each year (vulnerability management, device compliance, privileges & access, and so on) can be a great way to weed out problems, especially if the assessments are done by the same team every year.


IN-HOUSE OR OUTSOURCE

According to Axis Bank's CISO Nabankur Sen, for an annual network security review, independent third-party firms are appointed by the bank, to avoid potential biases. During this exercise, Sen's security team only comes into the picture when a secure network architecture (SNA) diagram is systematically prepared. This is then handed over to the network team for implementation.

To overcome the shortage of skilled manpower, Sen moved to a managed service provider three years ago, and this option is working well for the bank thus far. In terms of whether penetration testing should be done through third parties or in-house, the general consensus is that it depends upon the size of the organization and the resources at its disposal, says Das. An SME would be much better off outsourcing, but a large company in a regulated industry might find it prudent to have both an internal team as well as an outsourced team. In Das's case, while he uses the internal team to run periodic tool-dependent pen-tests, he expects external teams to conduct various specialized tests on his network infrastructure.


ENDWORD

For successful network security assessments, strategizing in advance is essential. For instance, without proper planning, it would be extremely difficult to perform assessments on live production environments. In fact, at telcos such as Aircel, pen-testing is only performed on pre-production environments. According to many, India as a country still lacks professionals with specialized security capabilities such as forensics and incident response. To deal with emerging threats, experts believe that specialization within security needs to be encouraged if massive deficits in manpower are to be plugged. Finally, a culture needs to be created in the security profession that would facilitate a career path for professionals who would like to specialize.

ABOUT THE AUTHORS

Michael S. Mimoso is the editorial director for TechTarget's Security Media Group.
This Technical Guide on Network Security is a SearchSecurity.com e-publication.

Michael S. Mimoso, Editorial Director
Eric Parizo, Senior Site Editor
Robert Westervelt, News Director
Marcia Savage, Site Editor
Kara Gattine, Senior Managing Editor
Linda Koury, Director of Online Design
Doug Olender, Vice President/Group Publisher, dolender@techtarget.com
Peter Larkin, Associate Publisher, plarkin@techtarget.com

Robert Westervelt is the news director for TechTarget's Security Media Group.

Warwick Ashford is security editor at Computer Weekly. He joined the CW team as chief reporter in June 2007, focusing on IT security, business continuity, IT law and regulation, compliance and governance.

Varun Haran contributes to SearchSecurity.in and SearchDataCenter.in. He holds a bachelor's degree in economics and a post graduate diploma in journalism from ACJ, Chennai.

TechTarget 275 Grove Street, Newton, MA 02466 www.techtarget.com


© 2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
