Your network is changing – are you ready for it?



FEATURE

Computer Fraud & Security, March 2011, pp. 11–13

Adam Powers, Lancope

The past two years have ushered in dramatic changes for corporate networks. The traditional notion of ‘good guys on the inside, bad guys on the outside’ has become obsolete. Not only are employees feverishly embracing the latest and greatest in consumer technologies, but they’re also making them a regular part of their work life.

With noteworthy adoption rates like 600+ million users on Facebook, and phenomena such as OnStar providing instant Facebook updates in cars, it is no longer feasible to block consumer applications or ban consumer devices in the workplace. Many employees, and corporations themselves, are embracing new technologies like the iPhone, iPad and social media platforms to increase productivity and spice up marketing efforts. Companies that continue to block or ban these technologies will not thrive under this new paradigm, as they will fail to attract the fresh, young talent they need to be innovative and stay ahead of the pack.

Several key technology trends have recently emerged to create the ‘vanishing perimeter’. These trends have quickly diminished the efficacy of traditional, perimeter-based defences such as proxy servers, firewalls and IDS/IPS, all of which work to keep the bad guys out of the internal network.

According to a 2010 report by Verizon and the US Secret Service, 48% of data breaches are caused by insiders. And according to a study conducted by the Ponemon Institute, the average global cost to an organisation for a data breach is $3.4m. Without proper internal supervision, the following trends could result in costly data loss and a wide variety of other corporate challenges, including cyber-attacks, compliance issues and drops in productivity.

IT consumerisation

In the past, once employees stepped into the workplace, they were using corporate-issued and -supported technologies that were protected from the outside world. Today, employees have a whole host of ways to bypass company defences and infect corporate systems. For example, the widespread Conficker worm of 2009 was spread via infected USB devices – including MP3 players. By nonchalantly plugging everyday removable media into their computers, employees can easily take down a network. The Stuxnet worm, which attacked the control systems of industrial facilities and utilities in 2010, is another great example of a dangerous cyber-attack launched via USB devices.

These incidents clearly demonstrate today’s love of computing convenience. USB drives are a convenient technology. So are smartphones, iPads, instant messaging, 3G cards, mifi hotspots and tethering. The use of such technologies is inevitable, so instead of spending time trying to block and ban them, it is more valuable for corporations to provide the necessary user education and employ the right tools to minimise the impact of these convenience technologies on network performance and security.

For example, it may seem like common sense, but if they were to find a USB device in the employee car park, many people would not think twice about plugging it into their machine to see what is on it. Due to features such as Windows autorun, employees do not even need to open or execute any files on the USB device to spread malware from within the internal network, as the files will automatically begin running when the device is connected to the computer. The Conficker and Stuxnet worms mentioned above both took advantage of autorun functionality. (Microsoft is now taking some steps to limit this feature.) These types of scenarios need to be specifically addressed with employees to make sure they are aware of the consequences of such a seemingly innocuous action.

Not only are employees themselves embracing convenient computing practices and devices, but corporations are also trying to reduce the complexities of getting online. Initiatives such as Cisco’s Borderless Networks aim to provide users with the same network performance and seamless experience no matter where they are located. The move towards computing convenience is here to stay, and the good news is that there are technologies out there that can help organisations prepare for this paradigm shift.

Whereas employing traditional security technologies such as IDS/IPS internally is very expensive and invasive, collecting and analysing network flows such as NetFlow and sFlow is a cost-effective means of obtaining visibility into what is going on inside the network. With minimal impact on network performance, flow collection and analysis technologies can provide the network insight needed to quickly identify and effectively troubleshoot a wide range of network performance and security issues.

Web 2.0 – HTTP is the new TCP

Previously, each type of application – web pages, email, FTP transfers, and so on – went through a specific TCP port. If an IT organisation wanted to stop a certain type of communication from happening within the network, it could simply block the corresponding port. Over the years, however, more and more applications have been written to function over HTTP (TCP port 80) since it is not feasible for corporations to block HTTP communications through the firewall. There are simply too many legitimate uses for HTTP traffic to universally restrict access.

The trend toward HTTP-based web services has resulted in innumerable applications making their way onto the corporate network over a single port, diminishing visibility into what employees are actually doing online. This lack of visibility opens up corporations to further risk since they are unable to easily detect when employees are utilising applications or visiting websites that might lead to a security compromise or a drain on network performance.

Fortunately, perimeter security companies such as Palo Alto Networks are leading the charge to bolster traditional firewalls with application awareness. Application-aware firewalls can look deep into the packet to determine exactly which applications are truly running over port 80. From there, they can block the exact usages they deem risky or inappropriate, such as blocking Facebook chat and games but allowing users to check and post status updates.


For the internal network, technologies such as Cisco’s Network Based Application Recognition (NBAR) or Lancope’s application-aware StealthWatch FlowSensor can be used to further dissect HTTP traffic. The combination of an application-aware perimeter along with application-aware internal monitoring provides a complete picture of how HTTP is being used across the whole of the enterprise.
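The difference between port-based and application-aware decisions described in this section can be shown in a few lines. The following is an added example, not code from the article or from any vendor named in it; the hostnames, paths, rule table and the policy for non-HTTP traffic on port 80 are constructed assumptions.

```python
# Constructed signatures (assumption): hosts and paths are illustrative only.
APP_RULES = [  # (host suffix, path prefix, application, action), first match wins
    ("social.example", "/chat", "social-chat", "block"),
    ("social.example", "/games", "social-games", "block"),
    ("social.example", "/", "social-status", "allow"),
]

def port_verdict(dport, blocked_ports=frozenset({21, 6667})):
    """Classic port filter: all it can say about port 80 is allow or block."""
    return "block" if dport in blocked_ports else "allow"

def parse_request(payload):
    """Return (method, path, host) for an HTTP/1.x request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port
    return parts[0], parts[1], host

def app_verdict(payload):
    """Application-aware decision based on what is actually inside the flow."""
    req = parse_request(payload)
    if req is None:
        return "non-http", "block"  # assumed policy: port 80 must carry HTTP
    _, path, host = req
    for suffix, prefix, app, action in APP_RULES:
        if (host == suffix or host.endswith("." + suffix)) and path.startswith(prefix):
            return app, action
    return "other-web", "allow"

# Constructed payloads, all addressed to TCP port 80.
SAMPLES = [
    b"GET /chat/poll?since=41 HTTP/1.1\r\nHost: www.social.example\r\n\r\n",
    b"POST /status/update HTTP/1.1\r\nHost: www.social.example:80\r\n\r\n",
    b"GET /games/farm HTTP/1.1\r\nHost: apps.social.example\r\n\r\n",
    b"SSH-2.0-tunnel\r\n",
]

def compare(samples=SAMPLES):
    """Pair the port-only verdict with the application-aware one per payload."""
    return [(port_verdict(80),) + app_verdict(p) for p in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The port filter returns the same verdict for all four payloads, while the application-aware check separates chat, games, status updates and a non-HTTP protocol riding on port 80.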

Smartphones

Smartphones represent a perfect example of both of the trends discussed above – IT consumerisation and Web 2.0. With more than 500 million in use around the globe today, expected to grow to 2 billion by 2015, the world has clearly gone smartphone-crazy. In addition to accelerating the IT consumerisation trend, smartphones pose the additional IT management and security challenge of featuring a multitude of complicated and varied operating systems.

In addition to Windows and Mac, IT teams now also have to worry about network and security challenges posed by the likes of Windows Phone 7, Android, iOS and BlackBerry OS.

Figure 1: Internal monitoring tools such as Lancope’s StealthWatch provide in-depth network visibility to help organisations stay one step ahead of emerging IT trends.


What’s more, operating systems such as Android have many different versions, with a completely different look-and-feel, feature set, and even OS revision for each telecom provider that offers the phone. As smartphones become more sophisticated and acquire more operating power, they are sure to become a more dangerous and widely exploited attack vector into the internal network.

Smartphones are all about the web, and present an excellent example of a device for which every communication runs over HTTP, further validating the movement to Web 2.0 and necessitating corporate strategies to handle this transition.

Are you prepared?

While these trends may seem alarming from a security perspective, they are all relatively easy to control with the right mix of the following strategies and technologies.

1. Employee education: first and foremost, employee education is critical. Do not assume that your employees are able to spot suspicious Facebook messages, or that they know their emails sent from Starbucks could be intercepted, as IT consumerisation is still a relatively new phenomenon for all of us. If you’re not sure whether everyone understands the risks, tell them. After all, the recently-publicised attacks on security company HBGary were at least partially executed via social engineering. If attackers can convince security professionals to give up sensitive information, they can convince your employees too.

2. Encryption: as much as IT consumerisation has to do with insecure technologies coming into the network, it also involves employees taking corporate assets outside of the firewall as more and more companies embrace telecommuting. In the US, one study found that roughly 17 million people telecommute at least one day a month. As telecommuting becomes more common, it is critical that users encrypt their communications when taking computers home or to the local coffee shop. Simple technologies such as Firesheep have proven how easy it is to hijack a user’s HTTP session when on the road. Much of this again goes back to employee education. For instance, many people are not even aware that they can type ‘https://’ instead of ‘http://’ to get to the encrypted versions of popular websites.

3. Authenticated wireless access: most of the new devices being brought into the corporate environment by employees are Internet-enabled, and employees will find a way to get on the Internet with them one way or another. The best policy here is to provide authenticated wireless access for consumer devices. Otherwise, users will find any means necessary to get online – open wireless access points, mifi hotspots, Internet connection sharing, tethering, and so on. By getting online through these means, users are bypassing perimeter defences and exposing your internal network and critical assets to the outside world.

4. Zoning: whereas most corporate networks used to consist of just two zones – inside and outside – many companies are now making use of distinct zones within their internal networks. Assets can now be grouped according to function or risk level, and perimeters can be created to prevent communication between zones. For example, companies can quarantine systems that process credit card information and block them from being accessed via the Internet.

5. Next-generation firewalls and internal monitoring: as mentioned above, next-generation technologies are staying a step ahead of network evolution so that companies can innovate while still maintaining the same levels of performance and security. Organisations of all sizes across various industries should now be looking into technologies such as next-generation firewalls and flow-based monitoring that complement and fill in the gaps left by perimeter-based security solutions. By obtaining visibility into more layers and segments of the network, IT teams can maintain better control over their critical infrastructure and assets.
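Zoning (item 4) and flow-based monitoring (item 5) work together: once assets are grouped into zones, flow records show whether the boundaries are actually being respected. The following is an added example, not code from the article or from any product it names; the zone CIDR blocks, the allowed zone pairs and the flow records are constructed assumptions, and each record stands for one direction of a conversation as a NetFlow-style export would report it.

```python
import ipaddress
from collections import defaultdict

# Constructed zone map (assumption): address blocks are illustrative only.
ZONES = {
    "cardholder": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
    "office": ipaddress.ip_network("10.10.0.0/16"),
}

# Zone pairs (source, destination) that policy permits; any other flow that
# crosses a zone boundary is reported.
ALLOWED = {("office", "servers"), ("office", "internet"), ("servers", "cardholder")}

def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def zone_violations(flows):
    """Sum bytes per forbidden conversation, largest first."""
    totals = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED:
            continue
        totals[(sz, dz, src, dst, dport)] += nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("10.10.4.17", "10.30.0.5", 443, 12000),     # office -> servers, allowed
    ("10.10.4.17", "198.51.100.7", 80, 5000),    # office -> internet, allowed
    ("10.20.0.9", "203.0.113.50", 80, 800000),   # cardholder -> internet
    ("10.20.0.9", "203.0.113.50", 80, 200000),   # same conversation, later export
    ("10.10.4.17", "10.20.0.9", 3389, 4000),     # office -> cardholder
    ("10.30.0.5", "10.20.0.9", 1433, 9000),      # servers -> cardholder, allowed
    ("203.0.113.50", "10.20.0.9", 443, 1500),    # internet -> cardholder
]

if __name__ == "__main__":
    for (sz, dz, src, dst, dport), nbytes in zone_violations(FLOWS):
        print(f"{sz}->{dz} {src} -> {dst}:{dport} {nbytes} bytes")
```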

With new applications being developed every day, and additional trends such as virtualisation taking hold in the enterprise, corporate networks will remain in a constant state of evolution for years to come. Organisations that resist this change or sit back and do nothing about it are likely to fail in the long run, while those that embrace it and take the proper measures to control it will have a far better chance of survival.

About the author

Adam Powers is CTO of Lancope, a provider of flow-based monitoring solutions to ensure high-performing and secure networks for global enterprises. He specialises in the development of next-generation network behaviour anomaly detection solutions, and is a significant driver of Lancope’s R&D into behavioural algorithms and analysis techniques for the StealthWatch System. With a decade of operational and engineering experience in enterprise IP security technologies, Powers has expertise in datacentre network design, IP flow analysis techniques, content delivery networks and enterprise network security planning and management. Lancope’s solutions unify critical network performance and security information for borderless network visibility, and provide actionable insight that reduces the time between problem identification and resolution. Enterprise customers worldwide include healthcare, financial services, government and higher education institutions.