bill’s blog

Just another WordPress weblog

Browsing Posts published in August, 2009

Bandwidth theft is a topic that we hear about all the time but one that we rarely associate with theft. Anyone that lives in a big city knows… they can get free Internet anywhere! The key word here is FREE. Just because you can get onto the Internet doesn’t mean it’s free for you to use. Someone is paying for the access and, unless you are explicitly informed that it is free, most times it is not and you are stealing from that individual.

WOW… that’s a heavy way to start the day, but it’s true: just because some fool leaves the keys in the car doesn’t mean it’s yours for the taking. Let’s take a look at this scenario for a second… most people are NOT computer savvy! That’s why we have the jobs we have. Consumer-marketed wireless devices are made so that the user can just plug and play. That’s unfortunate. My question is why can’t manufacturers devise some kind of wizard that walks you through setting up a secure wireless network. Cisco’s Linksys line does… with its Secure Easy Setup utility, but the wizard doesn’t run on all platforms (noticeably lacking are MacOS, Linux and BeOS). That’s understandable. They make up a small percentage of the marketplace (combined they don’t even come close to Microsoft’s domination). And some may say that it’s not our responsibility to provide secure networks by default. True! BUT why not get the ISPs on the hook for the dime on this. Think of all that lost revenue!

Regardless… there are other forms of bandwidth theft. This includes individuals that set up hosting services on another individual’s data line without their permission. Those of us in IT do it all the time. “Oh, I need to learn how to implement Apache (insert your favorite service application).” We spend weeks setting it up… we upload our content… but fail to tear it down when the learning is done. Instead we invite our friends and family to visit the site. “Hey look at what I did!” Next thing you know the company is footing the bill for both the hosting environment and the line that it’s attached to! Now some may say what’s the big deal? Well, very often the site/host goes untouched after the initial setup. Patches aren’t applied nor are virus definitions updated. Pretty benign until the box is compromised! Then, depending on the breach, it could be used to bring a network to its knees. The box could be used as a jumping point to other boxes on the protected network OR turned into a node in a botnet! It could be used to store illegal data such as pirated MPEGs or MP3s.

Peer-2-Peer applications… Let’s face it, these can be used for legitimate purposes but ultimately they are not (think about Napster). They are used by individuals to share files with users that do not have the legal right to use said files. Aside from the copyrights being violated, this activity could cause potential problems for the owners of the network line who are allowing these things to happen (think accessory to the crime). Additionally, the applications can demand a huge amount of bandwidth to support the traffic. Peer-2-Peer clients effectively turn your machine into a file server. On top of that you are allowing ANYONE access to the box. Now there’s a big problem! Any open port is a door by which a cracker can gain access to a machine.

SO… where does that leave us? First and foremost, in a corporate environment strong Internet/Appropriate usage policies are a must! Enforcement of the policy needs to happen. No one will adhere to the policy if they know there aren’t any consequences! Unfortunately people need to be sacrificed to prove the company means business. In a home network, secure your wireless networks! Don’t leave them open for the world to have at it. Remember… it’s not just your network line that is exposed… it’s your entire network. Next, monitor your network! Check the system logs of your access point. Set up the firewall (something is better than nothing). Set up email alerts. Set up a syslog server. In its basic form, if a syslog server can alert you to certain events it now becomes an Intrusion Detection System (both host based as well as network based). WHY? Because you are grabbing the logs from all devices (think computers as well as firewalls and access points). It may not be real-time alerting but at least you’ll know when someone tried to do something not quite right. Tools like Splunk are more than syslog servers. They can provide statistical data that can be used to baseline your network. Splunk can be “programmed” to alert you when it sees certain conditions. It can track failed login attempts. Depending on what you’re logging on your host it can look for file access records. It can notify you of port scans based on the logs from your firewall. One thing to keep in mind with Splunk is that it is not a true IDS, but it can certainly provide some of the functionality.
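As an added illustration (not code from this post), here is the kind of rule a syslog collector can run to produce the two alerts mentioned above: a burst of failed logins from one source, and one source being dropped by the firewall on many distinct ports. The log line formats, addresses and thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the post); the sshd and
# firewall message formats are assumptions chosen for this example.
SAMPLE_LOG = """\
Aug 12 03:14:01 gw sshd[2210]: Failed password for root from 203.0.113.9 port 51012 ssh2
Aug 12 03:14:03 gw sshd[2210]: Failed password for root from 203.0.113.9 port 51014 ssh2
Aug 12 03:14:05 gw sshd[2210]: Failed password for admin from 203.0.113.9 port 51016 ssh2
Aug 12 03:14:07 gw sshd[2210]: Failed password for admin from 203.0.113.9 port 51018 ssh2
Aug 12 03:14:09 gw sshd[2210]: Failed password for oracle from 203.0.113.9 port 51020 ssh2
Aug 12 03:20:00 gw sshd[2231]: Failed password for bill from 192.168.1.20 port 40122 ssh2
Aug 12 04:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=21
Aug 12 04:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=22
Aug 12 04:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=23
Aug 12 04:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=80
Aug 12 04:00:03 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=443
Aug 12 04:00:03 fw kernel: DROP SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=3389
Aug 12 04:30:00 fw kernel: DROP SRC=192.168.1.33 DST=192.168.1.10 PROTO=TCP DPT=445
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"Failed password for .+? from (\d+\.\d+\.\d+\.\d+)")
DROP_RE = re.compile(r"DROP SRC=(\d+\.\d+\.\d+\.\d+) .*DPT=(\d+)")

def parse_ts(line, year=2009):
    """Classic syslog timestamps carry no year, so one is supplied."""
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}", "%Y %b %d %H:%M:%S")

def max_burst(events, window_s):
    """Most distinct values seen inside any window_s-second span.
    events: list of (timestamp, value) pairs from one source."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_s:
            start += 1
        best = max(best, len({v for _, v in events[start:end + 1]}))
    return best

def detect(log_text, fail_threshold=5, scan_threshold=6, window_s=60):
    """Return (kind, source_ip) alerts. Thresholds are illustrative choices:
    >= fail_threshold failed logins from one source within window_s seconds
    is flagged as brute force; drops on >= scan_threshold distinct destination
    ports from one source within window_s is flagged as a port scan."""
    fails, drops = defaultdict(list), defaultdict(list)
    for n, line in enumerate(log_text.splitlines()):
        if (m := FAIL_RE.search(line)):
            fails[m.group(1)].append((parse_ts(line), n))   # line no. keeps each attempt distinct
        elif (m := DROP_RE.search(line)):
            drops[m.group(1)].append((parse_ts(line), int(m.group(2))))
    alerts = [("brute_force", src) for src, ev in fails.items()
              if max_burst(ev, window_s) >= fail_threshold]
    alerts += [("port_scan", src) for src, ev in drops.items()
               if max_burst(ev, window_s) >= scan_threshold]
    return alerts

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```

The single legitimate failed login and the one internal drop stay below threshold, which is the point: the rule fires on a pattern over time, not on any one line.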

IDS or IPS


Neither are a single solution.

Many have mentioned that the IDS market is being taken over by the IPS market. It’s interesting that even the government doesn’t consider them two different solutions! For those that don’t already know this, NIST publishes some great white papers (or, in NIST vocabulary, Special Publications). In researching IDSs, I came across NIST’s Special Publication SP 800-94. This document is pretty concise. It touches on almost every topic you need to know about setting up an IDPS solution.

There are many products out there that do not advertise themselves to be IDPS solutions. Many firewalls such as the Sonicwall line perform IDPS. It will alert you to all sorts of attacks. You are protected from the following attacks: simple port scans, SYN flood prevention in “watch mode” (vs. “intercept mode”), ping of death, IP spoofing, Land attack, Smurf amplification, sequence number prediction, Back Orifice attacks, FTP bounce attack protection. While not exhaustive by any means… it isn’t necessarily billed as an IDPS. Next, NAC devices… One must realize the whole point of IDS is to prevent attacks before they happen, thus protecting your data. To that end… one may want to consolidate host intrusion prevention, antivirus protection, endpoint accessibility, vulnerability assessment, and standards (HIPAA, SOX, PCI, etc.) compliance into one box. The nice thing about these solutions is that they offer reporting on all of the above… what good is the data if no one looks at it?

So let’s take a look at something I’ve been using for a while…

Sophos (a major player in the antivirus field) has expanded their security and data protection products over the past few years. The Enterprise solution is modular in that you can purchase the “protection” you need now and expand when funds permit. Sophos offers Endpoint Security and Data Protection. This is their basic offering. It gets your foot in the door so to speak. It comes with solutions for anti-virus protection, encryption, and NAC technologies. This basic package can be enhanced with SafeGuard and NAC Advanced. SafeGuard Enterprise monitors your network and through the use of policies can protect/secure USB ports, PCMCIA slots, Wi-Fi and Bluetooth interfaces, PDAs, laptops as well as a plethora of external storage devices. NAC Advanced provides protection against foreign devices trying to attach to your network that do not meet current security policies. It offers end-user ACLs ensuring that only those users that need access to protected data have it. Lastly, as part of Sophos’ offering they provide a Host-based IPS that is fully integrated into their solution. One nice thing about the product is that it offers support for multiple platforms!

Assessing the problem, formulating a game plan, determination to follow through, and the ability to compromise to get results one can live with… are all qualities that a good systems administrator needs to have. Without these skills one is just shooting in the dark and hoping for the best, and often this is just not good enough. Things will pass you by. I recently had the opportunity to put these skills to the test and, while the results of this endeavour have yet to come to fruition, only time will tell.

So how do these skills translate into tools for those dealing with intrusion detection? One must realize that it is not a question of if but rather when you will need to put your skills to the test. Let’s take a look…

Assessing the problem

This might not be a current problem that needs to be solved right away. Very often intrusion detection is a matter of understanding what a future threat may be. Networks are under continuous bombardment! Some of it is malicious acts with a particular goal in mind (a DoS attack), while other traffic may be normal (or not so normal) activity on your network. Having a baseline is the only real way to understand your network. Very often this is an impossible task. Short of a baseline, understanding what traffic is on your network will go a long way to understanding when something goes wrong. A network grows rapidly, and in a complex environment other administrators in different faculties could be working against you. Not in a malicious way, but rather we as administrators should take the role of enabler rather than policeman. Sure we can’t let our users run amok on the network, but we should understand the need and then figure out a way to make it happen.

Formulating a game

Once we understand what the threat is we need to come up with a game plan as to how we are going to deal with it. Risk assessment is key. Assigning a pain index to the threat is the next step. We have to determine which threats are most important to deal with and which ones should be back-burnered. One needs to realize that not every threat can be effectively dealt with. Sometimes there’s nothing that can be done short of taking your machine off the network and locking it in a closet. Having a policy with clear steps of action is important. Know who to call and when. Don’t try to go it alone. It’s like any other emergency… one person drives; the other is on the phone. Depending on how large the event is you may need to coordinate with other individuals in different locations to contain the incident.

Determination

This is the hard part because it centers on you! You’re the one that can see things through. It’s not always easy to be the last one in the office. Sometimes you have to put on blinders and focus on the issue at hand. Many people will offer suggestions, but sticking to the game plan is all that matters. The policies are in place. Deviating from the course will only add to the confusion.

Ability to compromise

The downside to determination is things don’t always go your way. There is a point of diminishing returns. Sometimes you have to cut bait. WHY? Because it may be easier and cheaper to rebuild your system from scratch. Sure we’d all like to get to the root cause of the problem. In some cases we will be mandated by compliance to a standard or various laws… BUT sometimes not. One has to remember that the machines we’re trying to fix are not our play toys. They are business tools with users that need to get access to them. Knowing when to put the brakes on and figure out another solution is important. A good policy will have contingency plans, and if not you should take the lessons learned from the compromise and figure that into the revision of the plan. YES… it’s important to review and update your plan from time to time.

People have lives outside of work and it’s important to take that into consideration when dealing with co-workers and ‘clients’. Often times we are heads down pushing out projects or dealing with the mundane while working the help desk. It is repetitive and at times it takes every ounce of restraint to keep from screaming, but at the end of the day one must realize that we in IT are here to serve. A network isn’t simply there to be put in place just because we can… people need to use it to get their work done.

If the network isn’t up and the resources are not available… we’re not doing our jobs. People are capable of some very stupid things, both benign and malicious. Intrusion Detection Systems help to keep us one step ahead of the bad guys! These systems provide us with eyes in the back of our heads. We can’t be expected to be everywhere at one time. Why not use computer technology to help us perform our jobs? Intrusion detection/prevention is an absolute task that needs to be taken seriously. Security through obscurity doesn’t work any more. In an average month my home network is scanned hundreds of times! And I’m a nobody! Now put a dollar value behind the information you’re protecting and the motivation value goes way up.

Securing your network is the first step. Setting up a firewall correctly can go a long way to making your networks safe. Many firewalls come with an IDS built in. One must realize that this will only inform you of the traffic moving between your private network and the Internet, but that’s where most of the malicious activity is coming from. Nearly 82% of losses were attributable to insider threats at a cost of $293,890,505. This is a little misleading… first, the data is from a survey that is more than 10 years old, and second, they put a dollar value on the loss without giving hard facts as to how those numbers were reached. Times change quickly in 10 years. The Internet is not the safe haven of academia anymore. There are a lot more bad guys out there today with a different set of drivers to motivate them. 10 years ago it was about the notoriety; now it’s about the dollars. Viruses were the crimes of the day… try calculating how much employee time is wasted on the prevention and eradication of virus breaches. Let’s see how those numbers stack up. No, today’s crackers are driven by the dollars or backed by nations that see the advantages of controlling other nations’ networks. BUT I digress!

The thing about human beings is we can get distracted very easily and block out information that we don’t need. Computers only do what we ask them to do… they see patterns of ones and zeros and act on them based on instructions we provide. False positives are problematic at best. ID systems work on a set of rules or signatures and, while logic is applied, computers don’t have the capacity to reason. Because of this, things like false positives or, worse yet, false negatives can be problematic. False positives (or the boy who cried wolf syndrome) are when an IDS alerts that there is a problem when in fact there isn’t. The system will send out SMSs and email (god forbid, pagers). People will all jump to attention and look at what’s going on. If the problem is negligible or non-existent and continues unchanged… eventually we will block out the message. Unfortunately, that could lead to a situation where a real emergency is NOT responded to. False negatives in my opinion are worse than false positives. This is where the IDS fails to alert when there actually is a problem. Very often this can go on for long periods of time allowing the intruder to go unchecked. The quicker you can close the door on them the better. IDSs are like anything else in IT: they need to be tweaked and cared for (updated regularly).

As for insider threats… well I don’t want to seem like I’m downplaying this! It is very real, but with regard to the above-mentioned survey, the loss was attributable to employees (who had legitimate access to the data) taking proprietary information or changing data in acts of fraud. This is not a situation where IDSs would come into play. In today’s modern network ACLs (or Access Control Lists) should be implemented and reports generated to see who is accessing what data at what times. Failed logins or file accesses need to be reported and policies need to be put into place in order to correct the behavior.

In an odd twist of fate, risk assessment and encryption follow many of the same principles. It’s about identifying what the data is worth and then putting a value to it. Once that is done, protecting the data becomes a matter of pain threshold. In other words, what can we afford to lose and how much will it cost us to protect it. In encryption the principle in effect is… how long will it take someone to crack the encryption and will the data still be valuable when they do? It is tricky to assess pain threshold as everyone feels like his or her data is the most important to the organization. Certainly trade secrets and financials rate high on the pain threshold index. BUT what about creative artwork? It depends. Is time to market critical? Or is there a feature set that will put your organization far in front of the competition? These are all questions that need to be answered before one can determine the worth of the data being protected.

Ultimately, if you want to deploy a technology it’s up to you to determine the ROI and present it to the holders of the purse strings. It’s up to you to convince them that what you’re trying to do is worth the investment.

ROI (or Return on Investment) is the key to the budgeting for any project, particularly so in IT. We are a cost center in most organizations. That doesn’t have to be the case. While we may spend dollars with the implementation of a project, we also are instrumental in saving the company money. Sometimes what seems like a mundane request from an end-user such as “The colors in this printer don’t match the other printer” can lead to a cost savings of over 3.4 million dollars a year in overall printing costs. Wish I saw some of that… maybe a small vacation… perhaps! Other projects have a much more expensive ticket to admission and being able to justify the cost is something you need to be equipped to deal with.

Spending on an Intrusion Detection System is tough. Why? Because there are no real hard up-front savings. IDSs need to be pitched as an insurance policy. You never know when you’re going to need it but when you do you’ll be glad you have it. PKI, and most encryption for that matter, works on the principle that it will take more time to crack the encryption than the information protected is good for. In his book, Time Based Security, author Winn Schwartau applies this concept to Intrusion Detection. If the time that protection mechanisms can withstand attack exceeds the time it takes to detect and effectively respond to attack, then a system can be secured (Schwartau, 1999).

Resources:

Schwartau, W. (1999). Time Based Security. Interpact Press.

Project Management is an art form and anyone that tells you differently… well, let’s just say we all have our own opinions. The best-laid plans are just that: plans. They are not steadfast, nor have they accounted for the outside influences that will act upon them. Projects are always in a state of flux until completed. And then even when you think they are done… well, let’s just say some projects never end (especially in IT). The work of the pioneers of modern project management, Henry Gantt (who gave us Gantt charts) and Henri Fayol (who introduced the 5 stages of project development), provides the fundamental tools used by any project coordinator. The author of the textbook takes Fayol’s basic principles and modifies them to meet the needs of someone rolling out an IDS.

Fayol’s five basic stages are:

    1. Initiation
    2. Planning
    3. Execution
    4. Monitoring
    5. Completion

Using these steps as a guideline merely sets the stage for a successful project. Without following these basic steps you may complete your project but I guarantee it won’t be as easy as it could have been.

Gantt charts are an excellent way of tracking a project. Both MS Project and ACE FastTrack allow for the setting of milestones. I personally use FastTrack and one of the really cool features of this program is its ability to push back other milestones based on missed deadlines. All projects get behind at some point (humans can’t predict when someone is going to be out sick). Seeing how one task is dependent on another is a valuable tool. There are many variables in life… many of which we can’t control. On the other hand… many things we can. It is the balancing of these two that leads to the meeting of deadlines. This makes me think back to Kennedy’s promise to put a man on the Moon by 1970. The deadline was established! However, since no one had ever undertaken a project of this magnitude… it was incredibly difficult to budget and plan man-hours to accomplish the project. The contractors knew enough about their businesses to be able to balance what they knew with the unknown and unexpected AND they managed to make Kennedy’s dream a reality 5 months before the deadline. How’s that for project management?

It’s been a while since my last posting…

The summer goes fast and while the rain in the Northeast has been a drag, my grass is growing well. I spent some time up in Misquamicut, RI… relaxing. I was in Liège, Belgium again in June. And I’m off to North Carolina later in the summer. Anyway, it’s time to start posting again. I have a backlog of stuff to put in order and post.

Stay tuned!