
Page 1: Attack on Google’s Network, December 2009 Recommendations to avoid future incidents based upon the DS5 component of a COBIT analysis

COLTS IT AUDITING TEAM

Attack on Google’s Network, December 2009. Recommendations to avoid future incidents based upon the DS5 component of a COBIT analysis.

Page 2

Topics

Overview of incident

Recommended changes to improve the security of Google’s network infrastructure

Total Estimated Cost

Closing

Page 3

Overview

In December 2009, the corporate network of Google, Inc. was attacked and breached by sophisticated and coordinated efforts originating from IP addresses in Taiwan and China. Upon analysis, it was discovered that access to Google’s enterprise network and source code repository had been achieved. The entry point was opened by a Google employee using Microsoft Messenger and clicking on a link that opened in Internet Explorer. The web site that loaded installed malware onto the user’s local computer. This software then connected to a central server, through which the perpetrators could obtain access to the user’s computer, which in turn gave them access to the Google network. Presented here are our recommendations and a plan of action to reduce the likelihood of this type of attack occurring in the future.

Page 4

Recommended changes to improve the security of Google’s network infrastructure

People

Procedures

Hardware

Software

Telecom

Page 5

People: What actually happened?

Instant message was sent to a Google employee with a malicious link

The employee clicked the malicious link, allowing the intruder to gain access to the employee’s machine

The intruder was then able to view computers used by software developers at Google’s headquarters in California

Page 6

People: What is recommended?

The executives at Google Inc. need to set new security policies that prevent intruders from entering a sandbox area.

This sandbox will be strongly encrypted and password protected with a passphrase of at least 17 characters.

These new security policies will also include a “revolutionary firewall” that will prevent these types of mishaps from happening again.

All employees at Google Inc. will need to be briefed on the new changes.

Page 7

People: What is recommended? (continued)

Important to note: without defined employee training, human error is likely to occur.

Page 8

People: Required Action

Training briefing on new security policies

Responsibilities: The executives are responsible for giving direction on the new policies and the training briefing.

Completion Date: Q3 2010

Cost: Approx. $10,000 will be needed for training.

Resources: Security DBAs, as well as the managers from all IT departments

Communication: Training on the new policies needs to be enforced. This will ensure that mishaps such as these do not occur again.

Page 9

Procedures

Google’s network security administrators should consider adding another layer of security to ‘Gaia’ for identification, authentication and access control.

Instant messaging with people outside the Google network should be reserved for authorized employees with legitimate job requirements for such communication.

Firewalls should be set up to disable non-Google links in employees’ instant messages.
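One way an IM gateway could enforce the “disable non-Google links” rule above, as an added example that is not part of the Colts deck: a link passes only if the host the client would actually contact is on an allow list, and lookalike URLs are caught by parsing the URL rather than by substring matching. The allow-listed domains, the `[link removed by policy]` marker and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow list: only these registrable domains (and their
# subdomains) count as "Google links" for this filter.
ALLOWED_DOMAINS = ("google.com", "googleusercontent.com")

# Anything that looks like a link, with or without a scheme.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def host_is_allowed(url: str) -> bool:
    """True only if the host the client would actually contact is allow-listed.

    Parsing with urlsplit instead of a substring test defeats lookalikes such as
    http://google.com.evil.example/ (allowed name as a label of another domain)
    and http://google.com@evil.example/ (allowed name in the userinfo part).
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # give scheme-less 'www.' links a scheme so the host parses
    host = urlsplit(url).hostname  # lower-cased, without userinfo or port
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def filter_links(message: str):
    """Return (rewritten_message, blocked_urls).

    Allowed links pass through untouched; every other link is replaced with a
    visible marker so the recipient has nothing to click.
    """
    blocked = []

    def _replace(match):
        url = match.group(0)
        if host_is_allowed(url):
            return url
        blocked.append(url)
        return "[link removed by policy]"

    return URL_RE.sub(_replace, message), blocked


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for msg in ("shared doc: http://docs.google.com/example",
                "please log in at http://google.com.evil.example/login",
                "see http://google.com@evil.example/ for the file"):
        print(filter_links(msg))
```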

Page 10

Procedures

Google network management should consider breaking up the ‘Moma’ user directory into smaller, manageable subunits. Groups working with critical business data should be separated from less sensitive user groups. An extra layer of security should be added to the most critical subunits.

Multiple passwords and security-certificate authentication should be implemented rather than single sign-on for access to a variety of Google accounts.

Page 11

Procedures

Employee network accounts should have logging features, and these logs should be made available to the users so they are able to see and track their session activities. Users will then be able to quickly notice unusual access activity in their accounts.

For example: if Sam lives in San Jose, CA and notices session activity on his account at 2:00am PST on a Monday, when he was probably sleeping, then Sam would have reasonable suspicion that someone other than him had gained access to his account. Upon such a discovery, Sam should report a security breach forthwith to the network security administrator group.
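The Sam scenario turned into detection logic, added here and not part of the original deck: given session log lines, it flags a user’s sessions that fall outside their waking hours in local time or that come from a location other than home, which is exactly what the deck expects Sam to notice by eye. The log format, the fixed UTC-8 “PST” offset, the 07:00 to 22:00 waking window and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed UTC-8 offset standing in for the deck's "PST"; DST is ignored in this example.
PST = timezone(timedelta(hours=-8), "PST")

# Constructed log lines (not real data): UTC timestamp, user, source location, action.
SAMPLE_LOG = """\
2010-03-01T16:05:00Z sam San Jose, CA login
2010-03-02T16:12:00Z sam San Jose, CA login
2010-03-04T17:30:00Z sam San Jose, CA login
2010-03-08T10:00:00Z sam Unknown login
2010-03-09T18:00:00Z sam Chicago, IL login
"""

@dataclass
class Session:
    when_utc: datetime
    user: str
    location: str
    action: str

def parse_log(text: str) -> list:
    """Parse the constructed log format above; the location field may contain spaces."""
    sessions = []
    for line in text.splitlines():
        if not line.strip(): continue
        ts, user, rest = line.split(" ", 2)
        location, action = rest.rsplit(" ", 1)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions.append(Session(when, user, location, action))
    return sessions

def suspicious_sessions(sessions, user, home_location, tz, awake=(7, 22)):
    """Return [(session, reasons)] for this user's sessions worth a second look:
    local time outside the waking-hours window, or a source other than home."""
    start, end = awake
    flagged = []
    for s in (s for s in sessions if s.user == user):
        local = s.when_utc.astimezone(tz)  # judge the hour in the user's own time zone
        reasons = []
        if not start <= local.hour < end:
            reasons.append(f"outside waking hours ({local.strftime('%a %H:%M %Z')})")
        if s.location != home_location:
            reasons.append(f"unexpected location {s.location!r}")
        if reasons:
            flagged.append((s, reasons))
    return flagged
```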

Page 12

Procedures: Required Action

Track employee login/logout session activities

Implement firewalls to disable non-Google hypertext links in instant messaging

Break up the ‘Moma’ user directory into smaller, manageable subunits

Institute multiple passwords and certificate authentication for critical user groups

Responsibilities: The IT Director of Network Security shall be in charge of overseeing the implementation of the above procedural changes.

Completion Date: Q4 2010

Resources: Network Managers, Network Engineers

Communication: Network engineers shall provide updates to the manager, who shall in turn provide regular updates to the director. The director shall provide weekly or as-needed updates to the CIO on the progress of the implementation.

Page 13

Hardware: Two recommended security devices

Network Security Appliance

Intrusion Detection System (IDS)

Page 14

Hardware: Network Security Appliance should

Provide comprehensive protection against all types of network attacks

Ensure a high degree of accuracy

Process large amounts of network traffic efficiently

Protect against attack without adding latency

Be easy to use, install and maintain

Page 15

Hardware: SonicWall NSA E7500

Initial hardware: $30,000/unit

Ongoing costs: $5,000/year for subscriptions and service contracts

Located at each Internet entry point

Page 16

Hardware: Intrusion Prevention System (IPS) or Intrusion Detection System (IDS)

Ability to stop malware before anyone can notice

Can stop traffic that exhibits malware tendencies

Logs network traffic for future analysis

Page 17

Hardware: Juniper Networks IDP 75

Initial cost: $5,800

Ongoing cost: $250-1,000

Locate throughout the network at strategic points

Page 18

Hardware: Required Action

Implement SonicWall NSA E7500 units at each Internet entry point.

Implement Juniper Networks IDP 75 units at critical internal network locations.

Responsibilities: Network Engineers will be responsible for choosing the appropriate locations for installation. They, along with Network Administrators, will be responsible for maintaining and configuring the hardware devices and for monitoring the logs of all devices for anomalies.

Completion Date: Q3 2010

Resources: Network Managers, Network Engineers, Network Administrators, System Vendors

Communication: All network personnel should be trained in the use and configuration of the hardware for their specific locations and responsibilities.

Page 19

Software

Software Configuration Management (SCM) servers should be immediately reconfigured to meet the current security standards applied to other systems, especially regarding: default passwords, services running with reduced user privileges (on Windows servers), web interface vulnerabilities, and lack of secured communications between clients and server. Special care should also be taken to keep patches up to date. Detailed logging should be set up (and maintained on a separate server), excessive rights should not be granted to users of the SCM system without a ‘need to know’, and logging and auditing should be implemented on Software Configuration Management systems.

Once available, prepare to implement updated host- and network-based intrusion detection definitions or code designed to thwart malicious activity that resembles the code used in the attack.

Page 20

Software

Consider limiting or removing the use of Microsoft’s Internet Explorer on programming department computers.

Continue patching the stolen software source code and work to resolve known bugs in the repository that may have been accessed, to prevent attacks on the password system.

Separate some instances of seamless sign-on: a correction may involve the use of multiple passwords or digital certificates for access to a variety of sensitive systems. This will hinder ease of use but may increase the integrity of the data.

Page 21

Software

It is also strongly recommended that the use of non-secure instant messaging programs on certain departments’ machines be reconsidered in favor of a more manageable and secure format. For example, for inter-departmental instant messages, a more secure program such as Pidgin (http://pidgin.im/), Jabber (http://www.jabber.org/), or Skype is recommended.

Page 22

Software: Required Action

Harden SCM systems, maintain an up-to-date host IDS schema, limit or remove MS Internet Explorer, and explore new ways to mitigate instant messaging forgeries and keep communications secure.

Responsibilities: SCM administrators will implement the necessary changes to the SCM systems; the network security team will contact IDS update vendors and request information on when the latest patches for this vulnerability will be available; Microsoft server systems administrators will assist SCM administrative personnel and reconfigure GPOs for end-user software.

Completion Date: Q3 2010

Resources: SCM administrators, Network Security team, Microsoft server systems administrators

Communication: Email progress to each department manager. Managers will present progress every other week during normal meeting hours until the project deadline is met or the project is deemed finalized by the CIO.

Page 23

Telecommunications: Implement SSL VPN for remote users

Provides a secure, encrypted connection

Part of the SonicWall NSA E7500

Forces traffic through the Juniper IDP

No additional costs other than those already stated

No additional software on the user’s end

Page 24

Telecommunications: Consider multiple SSL VPN paths

Segregates network access

Keeps non-authorized users out of certain areas

Page 25

Telecommunications: Required Action

Implement SSL VPN connections for all remote users.

Responsibilities: Network Engineers and Network Administrators will be responsible for the implementation and management of the SSL VPNs.

Completion Date: Q4 2010

Resources: Network Managers, Network Engineers, Network Administrators

Communication: The method of connecting to the Google network via the new SSL VPN must be communicated to the remote users. This should be done in a secure manner so as not to defeat the purpose of a secure connection.

Training should be provided to all Network Engineers and Network Administrators on the management of the systems for their appropriate duties.

Page 26

Total Estimated Cost

Area         Recommendation      Cost
People       Employee training   $10,000
Procedures   n/a
Hardware     SonicWall NSA       $600,000 (20 at $30,000 per unit) + $30,000 for 6-yr service contract
             Juniper IDP         $174,000 (30 at $5,800 per unit) + $6,000 for 6-yr service contract
Software     n/a
Telecom      n/a
TOTAL                            $820,000

Page 27

Closing

In an effort to avoid another loss of intellectual property, the Colts auditing team recommends that the People, Procedures, Hardware, Software, and Telecommunications changes be reviewed and implemented at each level of the IT department.

Thank you for considering us as your IT auditing provider.