bill's blog

Just another WordPress weblog

Browsing Posts tagged network infrastructure

Lying… trickery… duping… all words for the same thing. Words that have taken on a new meaning in the world of the on-line… connected… human! Words that have evolved into high stakes games on misinformation, fraud and identity theft. Words that have taken on the new moniker of social engineering!

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying (wikipedia.org, 2010). So what does this all mean? Well how many times have you answered the phone and the person on the other end of the line starts asking you questions about your mortgage? Wanting to help you reduce your rates! They start by asking benign questions and then move onto more personal information… such as your date of birth or heaven forbid your social security number. You’re happy to give away that information in exchange for $200 dollars off your monthly expenditures!

Or how about that cold call asking if you’re in charge of the network infrastructure at your place of employment? Or perhaps they want to know about what routers you use or the brand of toner purchase. Sure they may be mere cold calls… BUT they could be so much more. Social engineering in not about knocking at one door to see who answers but rather it’s about gathering as much information and using the information gathered in previous calls to further the manipulators efforts to make inroads into an organization.

In his book the Art of Deception, Kevin Metnick goes to great lengths to illustrate the ways in which we can be tricked into revealing information that may be common place within an organization but to an outsider can be very damaging if used inappropriately. In an interview in 2006 with Tom Espiner, Kevin Metnick shared his thoughts on what signs to looks for in a possible social-engineering attack.

Mostly, it’s gut instinct–if something doesn’t look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that’s a red flag. If they make a request that’s out of the ordinary, that’s a red flag. If they make a request for something sensitive, that’s when verification is necessary, depending on company policy (Espiner, 2006).

Honestly, the Art of Deception should be required reading for anyone responsible for security in any kind of organization… especially IT and HR departments! Social engineering needs to be addressed. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions (Coffee, 2006). Employees need to be educated to the various forms phishing another social engineering practices both when using the Internet as well as answering the phones (Heese, 2007).

At the end of the day, humans have a need to help others. It ingrained within each of us. We have to get in touch with our inner selves… That part of us the screams out that something is wrong. We need to listen to that voice and heed its warning.

Resources:

Coffee, Peter (2006, August 14). Security Success Depends on Good Management, Retrieved on July, 6th, 2010, http://www.eweek.com/article2/0,1895,2001478,00.asp

Espiner, T., (2006, June 14th), Kevin Mitnick, the great pretender, Retrieved on July, 6th, 2010 from http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html

Heese, W., (2007, February 21), Computer system security policies – key trends, Retrieved on July 6th, 2010 from http://weblog.randomdog.net/?p=942

Various, (2010, July 4th), Social Engineering (security), Retrieved on July6th, 2010 from http://en.wikipedia.org/wiki/Social_engineering_(security)

Security in not about relying on a single process to protect assets! A belts AND suspenders approach is the best way to minimize the risk of compromise. Access control list are only a small part of the equation! They relate to who will have access to a particular resource once they have been authenticated. The key here is ACLs support known users to the system NOT unknown users. Network security is a cat and mouse game. The smarter you get at protecting your assets; the hacker will always be one step away! As long as computers are accessible from the Internet they will always be at risk. Many vendors will tell you their product does it all! BUT in reality they don’t and they often fail miserably. Those companies that speak in terms parts to a security plan understand that a layered approach to computer security increases your chances at successfully defending your resources! SO what are these different layers and how are the applied?

First there are firewalls. Firewalls are designed to block unauthorized access while permitting outward communication (wikipedia.org, 2009). They sit on the perimeter of your network and the Internet. They control which packets are allowed to pass through to internal resources. Firewalls have a default set of attack signatures whereby they can tell when they are under attacked based on the type and frequency of the packets they “see”. Additionally, network administrators can programmed the device to apply complex rule sets that will determine if the traffic is legitimate or not! These rules bases can be set to allow or deny packets based on the port, source IP address, destination of the traffic, time of day, and contents of the packet. Firewalls can also be deployed within a network infrastructure to protect resources with higher protection needs such as medical information or financial records. They can be deployed on hosts within a secured network in keeping with the belts and suspenders approach… protect the network…protect the host!

Network Access Controls discover and evaluates endpoint compliance status, provisions the appropriate network access, provides remediation capabilities, if needed, and continually monitors endpoints for changes in compliance status (symantec.com, 2008). In other words, any device that connects into your network it is checked to make sure that it conforms to your minimum requirements before it will be allowed to use your protected resources. We (as network administrators) can take measures that minimize who can use our network by making sure that unused wall jacks are not connect to the network or using MAC address to filter to determine who can get an IP address but this will not stop an determined threat or the casual use of networked PDAs. Network Access Control devices proactively scan your network for new devices and agents are delivered to the device wanting access. The end-user agrees allow the agent to “attach” itself to the client and then when access is no longer needed deletes itself from the host machine. Symantec calls this technology, dissolvable agents!

Never under estimate the value of keeping your machines fully patched. Software Updates can insure that vulnerabilities are closed and cannot be used as an attack vector! Applying patches just to keep current is not always the best thing to do. Very often new bugs can be introduced into an otherwise stable environment. Understanding what services a system is offering and patching the system that is vulnerable. There’s no need to patch the httpd daemon if you’re not running/installed web services. Change management plans are a big part of this scenario!

Access Control Lists (or ACLs) is a permission-based method for securing resources (very often is relates to objects on a file system or in a database). In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation (wikipedia.org, 2009). ACLs allows for greater control over the access to files. In the standard POSIX model, there are owner, group and other permissions, each having read, write and execute attributes assigned to them… very restrictive especially considering that only one user and one group can be assigned to the file/directory. With ACLs, the options are much more varied! You can have multiple owners and multiple groups assigned to a file/directory. In addition, you have the following permissions attributes:

osx_acls_select
Figure 1. Available ACLs permissions attributes for OSX Server v10.5 (Heese, 2009)

NOTE: You can specify not only ALLOW permissons but also DENY permissions!
One thing to keep in mind when deploying ACLs is that not all file systems support them. Formatting your hard disk, writing data to disk and then discovering an un-supported file system can lead to a lot of wasted time!

Virus Protection is an overlooked aspect of file security. Very often people think in terms of protecting my computer. But it is more than that. Viruses can erase files but Trojans can allow others to gain access to your computer (whether it’s a personal computer or a file server). Critical data such as credit card numbers are often stored in databases and once a computer has been compromised, it’s only a matter of time before the data housed on that computer is lost. One thing to keep in mind when working on a server is never to browse the Internet (especially with root privileges). Much of the malware spread across the Internet takes advantage of vulnerabilities within certain OSs and browsers. Why take the risk. Yes it’s a pain in the bottom but think of all the hassles you’ll have to deal with should you host become compromised. To illustrate the point a little further, it has been recently reported that ATMs are being compromised by some very sophisticated pieces of malware. Now granted the ATMs themselves are being compromised but rather hardware security modules (or HSM) that encrypt and decrypt your PIN as it makes its way from the ATM to the bank clearinghouses are. Specially configured malware can be installed on these devices, and it grabs the decrypted PIN numbers out of memory and writes them to a log file that can be retrieved at a later date (Anderson, 2009).

The last item I want to touch on is log files and while not a security mechanism, it is something worthy of protecting. We often don’t put much thought into log files until there is a problem. Unfortunately, if your log files reside on the same host that’s been compromised, then you should consider that the log files have been altered. Why alter a log file? While many daemons will spit lots of information to syslog so will attempts (or more importantly FAILED attempts) to access a host be recorded. When an attacker is trying to compromise your system, one of the first things he will probably do is completely erase the log files, or erase evidence of his trespass out of those files. Moving you log files off of a host and onto a dedicated syslog server insure that you access can be properly evaluated without the fear that they may have been compromised.

Ultimately, security is NOT about set and forget. You must take an active role! It is not about one size fits all! One single solution will prevent you host from compromise! If you machine is out on the Internet long enough, it will get compromised. That’s not to say that the bad guys are looking for you. Remember we are dealing with computers. The bad guys let the computer work for them. Throwing as many obstacles in the path of the cracker will discourage only the most determined of individuals.

Resources:

Anderson, N., (2009, April 15), PIN-grabbing malware compromises bank networks, Retrieved on May 11th, 2009 from http://arstechnica.com/tech-policy/news/2009/04/pin-grabbing-malware-compromises-bank-networks.ars

Heese, B., (2009, May 11), Available ACLs permissions attributes for OSX Server v10.5

Unknown, (2008, December), Symantec™ Network Access Control, Retrieved on May4th 2009 from http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_network_access_control_12-2008_12836809-3.en-us.pdf

Unknown, (2009), Main: Syslog Security Tip, Retrieved on May 11th, 2009 from http://www.syslog.org/wiki/Main/SyslogSecurityTip

Various, (2009, April 24), Access control list, Retrieved on May 6th, 2009 from http://en.wikipedia.org/wiki/Access_control_list

Various, (2009, May 4), Firewall, Retrieved on May 4th, 2009 from http://en.wikipedia.org/wiki/Firewall_(networking)

Can you secure a network through access control systems only?

Security in not about relying on a single process to protect assets! A belts AND suspenders approach is the best way to minimize the risk of compromise. Access control list are only a small part of the equation! They relate to who will have access to a particular resource once they have been authenticated. The key here is ACLs support known users to the system NOT unknown users. Network security is a cat and mouse game. The smarter you get at protecting your assets; the hacker will always be one step away! As long as computers are accessible from the Internet they will always be at risk. Many vendors will tell you their product does it all! BUT in reality they don’t and they often fail miserably. Those companies that speak in terms parts to a security plan understand that a layered approach to computer security increases your chances at successfully defending your resources! SO what are these different layers and how are the applied?

First there are firewalls. Firewalls are designed to block unauthorized access while permitting outward communication (wikipedia.org, 2009). They sit on the perimeter of your network and the Internet. They control which packets are allowed to pass through to internal resources. Firewalls have a default set of attack signatures whereby they can tell when they are under attacked based on the type and frequency of the packets they “see”. Additionally, network administrators can programmed the device to apply complex rule sets that will determine if the traffic is legitimate or not! These rules bases can be set to allow or deny packets based on the port, source IP address, destination of the traffic, time of day, and contents of the packet. Firewalls can also be deployed within a network infrastructure to protect resources with higher protection needs such as medical information or financial records. They can be deployed on hosts within a secured network in keeping with the belts and suspenders approach… protect the network…protect the host!

Network Access Controls discover and evaluates endpoint compliance status, provisions the appropriate network access, provides remediation capabilities, if needed, and continually monitors endpoints for changes in compliance status (symantec.com, 2008). In other words, any device that connects into your network it is checked to make sure that it conforms to your minimum requirements before it will be allowed to use your protected resources. We (as network administrators) can take measures that minimize who can use our network by making sure that unused wall jacks are not connect to the network or using MAC address to filter to determine who can get an IP address but this will not stop an determined threat or the casual use of networked PDAs. Network Access Control devices proactively scan your network for new devices and agents are delivered to the device wanting access. The end-user agrees allow the agent to “attach” itself to the client and then when access is no longer needed deletes itself from the host machine. Symantec calls this technology, dissolvable agents!

Never under estimate the value of keeping your machines fully patched. Software Updates can insure that vulnerabilities are closed and cannot be used as an attack vector! Applying patches just to keep current is not always the best thing to do. Very often new bugs can be introduced into an otherwise stable environment. Understanding what services a system is offering and patching the system that is vulnerable. There’s no need to patch the httpd daemon if you’re not running/installed web services. Change management plans are a big part of this scenario!

Access Control Lists (or ACLs) is a permission-based method for securing resources (very often is relates to objects on a file system or in a database). In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation (wikipedia.org, 2009). ACLs allows for greater control over the access to files. In the standard POSIX model, there are owner, group and other permissions, each having read, write and execute attributes assigned to them… very restrictive especially considering that only one user and one group can be assigned to the file/directory. With ACLs, the options are much more varied! You can have multiple owners and multiple groups assigned to a file/directory. In addition, you have the following permissions attributes:

osx_acls_select
Figure 1. Available ACLs permissions attributes for OSX Server v10.5 (Heese, 2009)

NOTE: You can specify not only ALLOW permissons but also DENY permissions!
One thing to keep in mind when deploying ACLs is that not all file systems support them. Formatting your hard disk, writing data to disk and then discovering an un-supported file system can lead to a lot of wasted time!

Virus Protection is an overlooked aspect of file security. Very often people think in terms of protecting my computer. But it is more than that. Viruses can erase files but Trojans can allow others to gain access to your computer (whether it’s a personal computer or a file server). Critical data such as credit card numbers are often stored in databases and once a computer has been compromised, it’s only a matter of time before the data housed on that computer is lost. One thing to keep in mind when working on a server is never to browse the Internet (especially with root privileges). Much of the malware spread across the Internet takes advantage of vulnerabilities within certain OSs and browsers. Why take the risk. Yes it’s a pain in the bottom but think of all the hassles you’ll have to deal with should you host become compromised. To illustrate the point a little further, it has been recently reported that ATMs are being compromised by some very sophisticated pieces of malware. Now granted the ATMs themselves are being compromised but rather hardware security modules (or HSM) that encrypt and decrypt your PIN as it makes its way from the ATM to the bank clearinghouses are. Specially configured malware can be installed on these devices, and it grabs the decrypted PIN numbers out of memory and writes them to a log file that can be retrieved at a later date (Anderson, 2009).

The last item I want to touch on is log files and while not a security mechanism, it is something worthy of protecting. We often don’t put much thought into log files until there is a problem. Unfortunately, if your log files reside on the same host that’s been compromised, then you should consider that the log files have been altered. Why alter a log file? While many daemons will spit lots of information to syslog so will attempts (or more importantly FAILED attempts) to access a host be recorded. When an attacker is trying to compromise your system, one of the first things he will probably do is completely erase the log files, or erase evidence of his trespass out of those files. Moving you log files off of a host and onto a dedicated syslog server insure that you access can be properly evaluated without the fear that they may have been compromised.

Ultimately, security is NOT about set and forget. You must take an active role! It is not about one size fits all! One single solution will prevent you host from compromise! If you machine is out on the Internet long enough, it will get compromised. That’s not to say that the bad guys are looking for you. Remember we are dealing with computers. The bad guys let the computer work for them. Throwing as many obstacles in the path of the cracker will discourage only the most determined of individuals.

Resources:

Anderson, N., (2009, April 15), PIN-grabbing malware compromises bank networks, Retrieved on May 11th, 2009 from http://arstechnica.com/tech-policy/news/2009/04/pin-grabbing-malware-compromises-bank-networks.ars

Heese, B., (2009, May 11), Available ACLs permissions attributes for OSX Server v10.5

Unknown, (2008, December), Symantec™ Network Access Control, Retrieved on May4th 2009 from http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_network_access_control_12-2008_12836809-3.en-us.pdf

Unknown, (2009), Main: Syslog Security Tip, Retrieved on May 11th, 2009 from http://www.syslog.org/wiki/Main/SyslogSecurityTip

Various, (2009, April 24), Access control list, Retrieved on May 6th, 2009 from http://en.wikipedia.org/wiki/Access_control_list

Various, (2009, May 4), Firewall, Retrieved on May 4th, 2009 from http://en.wikipedia.org/wiki/Firewall_(networking)