Security Considerations for the 21st Century – Working Together to Solve the Problem

Dr. Hossein Eslambolchi
July 2012

Work together to solve the problem: The information technology infrastructure is vital for communication and commerce. The private sector has an important role in securing the nation’s IT infrastructure by deploying sound security products and adopting good security practices. The federal government also has a role to play by supporting the discovery and the development of cyber-security technologies that underpin these products and practices.

Increase research funding, promote recruitment, and improve technology transfer on a federal level: Below are some of the findings and recommendations from President’s Information Technology Advisory Committee’s report “cyber-security: A Crisis of Prioritization”:

○ Increase funding: The Federal R&D budget provides inadequate funding for fundamental research on cyber-security.

○ Promote recruitment and retention of researchers and students: The national cyber-security research community is too small to adequately support the necessary research and education programs.

○ Strengthen technology partnerships: Current technology transfer efforts are not adequate.

○ Priority areas recommended for increased research emphasis:

1. Authentication technologies
2. Secure fundamental protocols
3. Secure software engineering and software assurance
4. Holistic system security
5. Monitoring and detection
6. Mitigation and recovery methodologies
7. Cyber forensics
8. Modeling and test-beds for new technologies
9. Metrics, benchmarks, and best practices
10. Non-tech issues that can compromise cyber-security

 

Security technology directions:

○ Convergence on the network-based security model

○ Implement network-level security policies (cybernetic network security)

○ Develop advanced identify-management infrastructure for all forms of end devices, including mobile user devices.

○ Provide diligent monitoring for anomalies and indicators of coming attacks

○ Provide conformance such as automated anomaly detection and root cause analysis

 

Add intelligence: The future of network security is the intelligence behind the technology. Further improvements are needed in techniques for detecting anomalies and policy violations that do not reduce network performance or impede normal business procedures. As detection becomes more critical to internal network security policy enforcement, intrusion prevention will drive the need for continuous improvement in the quality of detection as well as the quality of policy enforcement management. The evolution of intrusion prevention will shift the focus to making smarter and more effective products that provide real-time knowledge for correct decisions.

 

The changing network perimeter: Today’s threats demonstrate that the perimeter as we know it is deteriorating. It’s becoming increasingly difficult to create a protective fence around an entire network and its users, which now extends to mobile users, virtual private network tunnels and wireless LANs. These provide multiple entry points for threats to gain access into the enterprise, beyond the traditional firewall/gateway. Customers need internal network security solutions that actively stop threats from propagating inside the network.

 

Software is a major vulnerability: While network connectivity provides “door-to-door” transportation for attackers, vulnerabilities in software substantially compound the cyber-security problem.

 

Mandated security plans: At a hearing of the subcommittee of the House Commerce and Energy Committee, lawmakers suggested that Congress would consider legislation to extend the rules in the Gramm-Leach-Bliley Act to businesses that sell consumer information. The act requires financial institutions to have a security plan to protect the confidentiality and integrity of consumer information.

 

“For profit” hackers – a cyber-underworld of organized crime

Attack patterns and motives changing: 2012 could prove to be a watershed year for hacking with the rise of the professional hacker. Both the pattern of hacker attacks and the motives behind the attacks are changing.

 

 

Hackers are now far more coordinated, and they no longer merely rely on copycat tools and random attacks. More hackers are now writing their own exploits; whereas, in the past, they would just use well-known attacks.

 

Phishing attacks are for-profit attacks: Take phishing attacks: It’s usually the people who are running the attacks themselves that are earning money; no one is paying them to do it.

 

The new face of cybercrime: Whereas hacker vandals once coveted bragging rights, professional hackers have profit in mind. What’s more, they are considerably more determined and have better resources than vandals. They are simply looking for the easiest possible way to make money, which usually involves scams and phishing exploits based on social engineering, not technical hacking. We may need to consider different security approaches to block these types of attacks — like very deep packet inspection techniques.

 

Small in numbers but dangerous in consequence: It’s the attacks that don’t make it to TV that you’ve got to be really worried about. These are the attacks launched by “black hat” hackers who know what they’re doing and leave little trace that they’ve compromised your network. Currently, less than 2% of worms fall into this category, but even that represents a large number, considering the total number out there.

 

Spyware, malware and adware

Definition of malware: There is no official breakdown of malware categories: broad categories can include adware, spyware, hijackers, toolbars, and dialers. Also considered to be malware, are programs such as viruses, worms, Trojans, and everything else generally detected by anti-virus software. Many, if not most, malware programs will fit into more than one category.

 

 

Anti-spyware tools: Spyware has evolved from an occasional nuisance to something that wastes IT user and technical support resources, and compromises the integrity of corporate systems, applications and data. Although stand-alone anti-spyware tools are necessary, antivirus and anti-worm vendors are beginning to provide anti-spyware capabilities within their products.

 

New malware threats: In the near future, we can expect new malware to be introduced through the volume of new removable media devices out there including thumb drives and micro drives. Some of the latest ones are designed not only to hold files, but to act as personal servers, and even to serve applications to the desktop.

 

 

A blurred line between adware and spyware: Generically, adware is any software application in which advertising banners are displayed while the program is running. Around 2002, some adware required the user to submit their surfing habits. Over time, these programs became more invasive and aggressive. By 2010, pure spyware emerged: spyware with no legitimate free software to protect consumers and businesses.

 

Steps consumers can take to increase the security of personal information

Two-factor authentication: The rapid increase of online account-takeover crimes in the United States that use techniques such as phishing and keyboard logging is causing increased nervousness among consumers and service providers. Consumers’ e-mail accounts are also being hijacked. As a result, some consumers are more willing to adopt and pay for strong two-factor authentication to access their accounts.

 

 

Use the technology available: Install an Internet firewall and turn it on. Ensure the most current patches and security updates are installed. Install antivirus software.

Use a trusted service provider: Inquire as to the compliance policies regarding Gramm-Leach-Bliley Act and privacy policies of the service provider or vendor.

 

Use common sense: Use a shredder. Don’t give out sensitive information over the telephone. Be aware of your surroundings when using passwords and account numbers in a public place. Follow the advice offered by groups such as the Identify Theft Resource Center (www.idtheftcenter.org):

• Check your credit reports once a year from all three of the credit reporting agencies listed below.
• Guard your Social Security number. When possible, don’t carry your Social Security card with you.
• Don’t put your SSN or driver’s license number on your checks.
• Guard your personal information. You should never give your Social Security number to anyone unless they have a good reason for needing it.
• Watch for people who may try to eavesdrop and overhear the information you give out orally. Carefully destroy papers you throw out, especially those with sensitive or identifying information. A crosscut paper shredder works best.
• Be suspicious of telephone solicitors. Never provide information unless you have initiated the call.
• Delete without replying to any suspicious email requests. Check our Scam Alert page for recent problem areas.
• Use a locked mailbox to send and receive all mail.

 

Tax season and e-filing – multiple states/vendors offer services. What best practices should the vendors/government follow to ensure tax payers’ filings are secure?

E-filing services and tax preparers should follow security and private procedures consistent with electronic commerce and general network security best practices. These include strong authentication, confidentiality, data integrity, customer service, and system availability.

 

How companies can improve network security to better protect customers and employees.

Implement several lines of defense:

 

1. Network and gateway security is still one of the best ways to protect the corporate network — it is the organization’s first line of defense to keep malicious code out of the network. Security investments in network firewalls, gateway anti-virus, network-based IDS or IPS, and proactive alerting/notification systems, are important.
2. Client security technologies are also important; there are constantly mobile systems “in the wild” that can bring threats back inside the firewall, and they need protection while outside of the corporate network. User Web surfing also puts companies at risk.
3. Add general security tools to mitigate the remaining threats, such as content/spam filtering tools, strong authentication systems, and Web application security products to fight noncompliance and hackers, respectively. Also there are security event management, identity management, and network quarantine products to manage security compliance and to enforce good password and access policies.

 

Coordinate efforts between IT security and operations groups: IT organizations need to become more effective at running cooperative processes across IT security and operations. IT security groups should influence operational security configuration management tool purchasing decisions to ensure that security configuration management requirements can be expressed to vendors and weighted in product selection decisions. The elimination of desktop, server and network vulnerabilities requires a coordinated effort between the IT security and operations groups. Because the majority of desktop and server vulnerabilities are caused by missing patches and configuration errors, an effective vulnerability management program requires:

 

• Defining security configuration policies
• Evaluating and auditing the environment with respect to those policies
• Marshaling resources to fix configuration errors and eliminate their root causes

 

Create a “security-aware” culture: The biggest IT security gaps in many organizations are in management and culture, not technology. IT security managers must create clear, enforceable security policies and lead by example to promote a “security-aware” corporate culture. Employee education and accountability will be key components of the program. A good security program relies on two pillars: governance (policies and structure) and awareness (education and corporate culture).

 

Every company should have a policy in place to define end users’ responsibilities and acceptable use of resources. The second major step is to enforce that policy, at least socially, by getting end users to formally indicate acceptance, and even better through application use enforcement products.

 

Implement vulnerability management and intrusion prevention approaches:

As cyber attackers become more efficient at quickly exploiting software vulnerabilities, IT security managers will not be able to patch faster than all cyber-attacks.

 

Move repetitive security tasks to IT operations (or outsourcers) to free up staff and budget in order to keep pace with emerging challenges:

The IT security group should focus on security challenges, while the IT operations group assumes responsibility for fighting the current generation of problems. Operational responsibility for the blocking and elimination of spam, most viruses and other known attacks (such as previous worms) should be given to e-mail, network and system support groups because these tasks don’t require security expertise.

Integration of security event management with vulnerability management:

Organizations are testing new ways to automate and improve security defense and at the same time trying to meld the new with the old. The cutting edge of security management today supports goals to automate and leverage existing investments in security. This is achievable through the integration of security event management with vulnerability management, firewall, router, intrusion detection, and intrusion prevention solutions.

 

Eliminate coding errors: Some schools now divide developer classes in two: a green team for writing code and a red team for breaking it. The application’s relative security becomes part of its final grade. Why isn’t this a standard development process?

 

How viruses, worms and denial of service attacks operate and proliferate

Automated worms: There are numerous Web sites that sell malware such as Trojans and hacker tool kits to anyone who wants it, for prices that range from $10 to more than $50 a pop. It is the easy availability of tool kits and how-to manuals for developing worms and viruses that has led to the recent surge in automated worms.

 

 

Malware: A worm first infects a system, then perhaps downloads an additional infection component like a Trojan horse or a bot, and before you know it, the machine is infected with everything necessary hacker remote control.

 

Viruses: More viruses are being written that install back doors for stealing confidential information or to log keystrokes and install spyware.

 

Facts to consider:

• Researchers with the Honeynet Project at Aachen University in Germany estimate that at least a million machines are under the control of hackers worldwide. They were able to identify more than 100 botnets during a three-month project. The botnets ranged in size from only a few hundred compromised PCs to several of up to 50,000 systems. They are the root of denial of service attacks against corporate networks and the foundation of most spamming.

 

• Recent data from the Honeynet.org’s sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations have an online mean life expectancy of 3 months before being successfully compromised.
• By December 2011, 80.3% of all global e-mail was spam. And most of that is sent through infected home computers.

 

• The first real mobile phone viruses were found in 2004, including Cabir and Mosquitos.
• 83 percent of Web-enabled U.S. consumers shop online, 67 percent bank online, 65 percent pay bills online and 22 percent engage in other online financial transactions such as investing. Altogether, 80 percent of online consumers conduct some sort of financial transaction online.