Thursday, May 27, 2010

Internal Threats to Your Network

Internal Threat Landscape

Today more and more customer data lives on servers, desktops and laptops. That data can drive a company's growth or, if it leaks, destroy the company in an instant. The risk is not confined to the private sector: it extends to public-sector organizations and to anyone at home who depends on the services those organizations provide.

A study by Promisec, Inc., a company that regularly conducts comprehensive security audits across a number of industries, including finance, healthcare, insurance and manufacturing, found that:

Use of unauthorized removable storage continues to rise in organizations.

The number of endpoints that have no threat-management agent, or whose agent is not on the latest build or signature set, continues to rise.

Instances of unauthorized instant messaging continue to increase in all organizations.

The study also found that:

12% of infected computers had a missing or disabled anti-virus program.
10.7% had unauthorized personal storage like USB sticks or external hard drives.
9.1% had unauthorized peer-to-peer (P2P) applications installed.
8.5% had a missing 3rd party desktop agent.
2.6% had unprotected shared folders.
2.2% had unauthorized remote control software.
2% had missing Microsoft service packs.

Without application awareness, both perimeter defenses and isolated internal ("island") defenses were easily defeated. SQL Slammer (January 2003) is the textbook case. It spread as a single UDP datagram to port 1434, exploiting the buffer overflow in the SQL Server 2000 Resolution Service that Microsoft had patched six months earlier in MS02-039, and it entered organizations quickly because:

Firewalls and anti-virus products that rely on signatures had no signature for it and did not view the traffic as a threat; most HIDS were blind for the same reason.

It often bypassed the perimeter altogether, entering at the network edge through laptops and mobile devices whose traffic never traversed the firewall.

It was memory resident and never wrote a file to disk, so anti-virus engines whose scanners focus on files written to disk completely missed it.

Within minutes of an initial infection, nearly all vulnerable computers inside the network were compromised. Depending on the number of infected devices, the scanning traffic alone often caused a massive denial of service on the internal LAN. Newer attacks are designed to avoid that kind of "noise" precisely so they stay undetected; the lesson either way is that defenses need to understand the traffic (which protocol is in use, what sizes and rates are normal for it) rather than wait for a signature.
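The kind of application-aware, signature-free check the paragraph above argues for, as an added example written for this page (it is not code from the original post or from any vendor product). It looks at two properties that Slammer could not hide: a datagram to udp/1434 far larger than any real SQL Server Resolution Service request, and one source probing many udp/1434 destinations in a short window. The 100-byte size limit, the 5-second window and the 20-destination threshold are assumptions chosen for the demonstration, and the sample traffic is constructed, not a capture.

```python
from collections import defaultdict, deque

SSRS_PORT = 1434          # SQL Server Resolution Service, UDP
MAX_SANE_SSRS_LEN = 100   # assumption: real SSRS requests are a few bytes; Slammer's datagram was 376
FANOUT_WINDOW = 5.0       # seconds of history kept per source (assumed)
FANOUT_THRESHOLD = 20     # distinct udp/1434 destinations per window before alerting (assumed)


def oversized_ssrs(payload):
    """Size/shape anomaly: an SSRS instance request starts with 0x04 and carries only an
    instance name, so hundreds of bytes behind that byte never comes from a real client."""
    return payload[:1] == b"\x04" and len(payload) > MAX_SANE_SSRS_LEN


class FanoutDetector:
    """Behavioural check: a worm probes many hosts on one port in a short time."""

    def __init__(self, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
        self.alerted = set()                # alert once per source, not once per packet

    def observe(self, ts, src, dst):
        q = self.history[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:   # drop events that fell out of the window
            q.popleft()
        if src in self.alerted:
            return False
        if len({d for _, d in q}) >= self.threshold:
            self.alerted.add(src)
            return True
        return False


def analyse(datagrams):
    """datagrams: iterable of (ts, src_ip, dst_ip, dst_port, payload).
    Returns alerts as (kind, src_ip, dst_ip_or_None) in the order they fire."""
    alerts = []
    fanout = FanoutDetector()
    for ts, src, dst, dport, payload in datagrams:
        if dport != SSRS_PORT:
            continue
        if oversized_ssrs(payload):
            alerts.append(("oversized_ssrs_request", src, dst))
        if fanout.observe(ts, src, dst):
            alerts.append(("udp1434_fanout", src, None))
    return alerts


def sample_traffic():
    """Constructed sample, not a capture: two normal SSRS lookups, one unrelated packet,
    then one host spraying a Slammer-sized (376-byte, 0x04-prefixed) datagram at 30 hosts.
    The body is filler bytes, not worm code."""
    normal = [
        (0.0, "192.0.2.10", "192.0.2.50", SSRS_PORT, b"\x04MSSQLSERVER\x00"),
        (0.5, "192.0.2.11", "192.0.2.50", SSRS_PORT, b"\x04INSTANCE2\x00"),
        (1.0, "192.0.2.10", "192.0.2.50", 80, b"\x04" + b"\x01" * 300),   # not udp/1434, ignored
    ]
    worm_sized = b"\x04" + b"\x01" * 375
    spray = [(2.0 + i * 0.01, "10.0.0.7", f"203.0.113.{i + 1}", SSRS_PORT, worm_sized)
             for i in range(30)]
    return normal + spray


if __name__ == "__main__":
    for kind, src, dst in analyse(sample_traffic()):
        print(kind, src, dst or "")
```

Neither check needs to know what the exploit looks like: the size rule fires on the very first worm packet, and the fan-out rule catches any scanner on the port, Slammer or not. In production the thresholds would be tuned against a baseline of real udp/1434 traffic rather than set by hand.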

Product Substitute Availability

Firewalls are a necessary security control for policy enforcement at any network trust boundary, and changing business and threat conditions are putting pressure on the firewall market. Enterprises are redesigning their demilitarized zones (DMZs) to reflect how staff and customers actually connect, which drives firewall demand up. At the same time, the need to defend against more complex threats has increased the deployment of network intrusion prevention and pushed vendors toward products that support complex deployments and rule sets mixing traditional port/protocol firewall rules with deep-packet-inspection intrusion prevention.

At one point in time, Cisco had the best firewall on the market. As the years passed, competitors of all sizes vied for Cisco's market share, and vendors such as Juniper, Check Point, McAfee and others challenged and even took market share from Cisco. In Gartner's 2008 Magic Quadrant, only two vendors sit in the upper-right "leaders" quadrant: Juniper and Check Point.

In its latest report, dated 12 October 2009, Gartner expects large enterprises to replace stateful firewalls with next-generation firewalls (NGFWs) as part of the natural lifecycle replacement, and notes that very few vendors have upgraded their product lines to address the new attack vectors. Gartner believes that changing threat conditions and changing business and IT processes will drive network security managers to look for NGFW capabilities at their next firewall/IPS refresh cycle. The key to successful market penetration for NGFW vendors will be to match the first-generation firewall and IPS features customers already have while adding NGFW capabilities at the same or only slightly higher price points.

More coming later - but until then, look at our website for open source software @ http://www.oss4win.com

Mike Millslagel
Security System Consultant
B.S. Information Systems, MBA, MCSE, CNE, CCNP Security Specialist
http://www.oss4win.com

Wednesday, May 12, 2010

What is a Denial-Of-Service Attack?

A denial-of-service (DoS) attack attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from reaching email, websites, online accounts, banking, the DNS name servers you depend on, or any other service that relies on the affected computer.

One common method of attack involves saturating the target machine with communications requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable.

During normal TCP/IP communication, a client contacts a server with a request to display a web page, download a file or run an application. Every TCP connection starts with a three-way handshake. The client sends a segment with the SYN flag set, carrying its initial sequence number. The server replies with its own SYN plus an acknowledgment (ACK) of the client's sequence number, together called the SYN+ACK, and records the connection as half-open while it waits for the client's ACK of the server's sequence number. Once that final ACK arrives, the connection is established and data transfer can begin.

In a SYN flood, the attacker sends SYNs to the server, usually with forged (spoofed) source addresses. The server answers each one with a SYN+ACK and waits for a reply, but the final ACK needed to complete the connection never comes. The spoofed address is normally chosen to be unreachable, so the server gets neither the ACK nor the RST that a real but uninvolved host would send (a RST would clear the entry).

The server "holds the line open" for every half-open connection, retransmitting the SYN+ACK and waiting, typically for tens of seconds, while more bogus SYNs keep arriving. The half-open connection queue has a fixed size, so after a short period it fills up and the server can no longer accept legitimate connection requests on that port, even though the network link itself is nowhere near saturated.
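The exchange described above, as an added example written for this page rather than code from the original post: a toy listener that models the half-open queue, an attacker sending SYNs from forged sources that never answer, and a legitimate client trying to complete the handshake afterwards. The same listener can run with SYN cookies, the standard defense in which the server's initial sequence number is a keyed hash of the connection so the returning ACK can be verified without storing state. The backlog size of 128, the absence of half-open timeouts, and the simplified cookie (real cookies also encode a time counter and the MSS) are assumptions of the model.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF   # TCP sequence numbers wrap at 32 bits


class Listener:
    """Toy model of a listening TCP socket: the half-open (SYN_RECV) table that a SYN
    flood exhausts, with optional SYN cookies. Added illustration, not the post's code."""

    def __init__(self, backlog, syn_cookies=False, secret=None):
        self.backlog = backlog            # max half-open connections (assumed fixed, no timeouts)
        self.syn_cookies = syn_cookies
        self.secret = secret or secrets.token_bytes(16)
        self.half_open = {}               # (src_ip, src_port) -> server ISN; unused with cookies
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, client_isn):
        # SYN cookie: the server ISN is a keyed hash of the client endpoint and its ISN, so the
        # server can check the returning ACK without remembering anything. Simplified: no time
        # counter or MSS encoding as in real implementations.
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, client_isn):
        """First handshake message. Returns the SYN+ACK as (server_isn, ack) or None if dropped."""
        if self.syn_cookies:
            return (self._cookie(src, client_isn), (client_isn + 1) & MASK32)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1        # queue full: this SYN is silently dropped
            return None
        server_isn = secrets.randbits(32)
        self.half_open[src] = server_isn  # the state a flood fills up
        return (server_isn, (client_isn + 1) & MASK32)

    def on_ack(self, src, client_isn, ack):
        """Third handshake message. Valid only if ack == server_isn + 1."""
        if self.syn_cookies:
            expected = (self._cookie(src, client_isn) + 1) & MASK32
        else:
            server_isn = self.half_open.get(src)
            if server_isn is None:
                return False
            expected = (server_isn + 1) & MASK32
        if ack != expected:
            return False
        self.half_open.pop(src, None)
        self.established.add(src)
        return True


def legit_handshake(srv, src=("192.0.2.10", 51515), client_isn=1000):
    """Full three-way handshake by a well-behaved client; True if it ends ESTABLISHED."""
    reply = srv.on_syn(src, client_isn)
    if reply is None:
        return False
    server_isn, _ = reply
    return srv.on_ack(src, client_isn, (server_isn + 1) & MASK32)


def syn_flood(srv, count):
    """Attacker sends `count` SYNs from forged, unreachable sources that never ACK or RST."""
    for i in range(count):
        src = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i)
        srv.on_syn(src, i)


def simulate(syn_cookies, backlog=128, flood_size=1000):
    """Does a legitimate client still get through after the flood?"""
    srv = Listener(backlog, syn_cookies=syn_cookies)
    syn_flood(srv, flood_size)
    return legit_handshake(srv)


if __name__ == "__main__":
    print("plain backlog   :", "connected" if simulate(False) else "refused")
    print("with SYN cookies:", "connected" if simulate(True) else "refused")
```

Without cookies the 129th SYN is dropped and the real client is refused; with cookies the server keeps no per-SYN state, so the flood costs it only the bandwidth of the SYN+ACK replies and the legitimate handshake completes. A forged ACK with the wrong number is still rejected, because the attacker cannot compute the keyed hash.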

A variation of the DoS attack is the distributed denial-of-service (DDoS) attack. Instead of one computer, a DDoS uses thousands of remotely controlled "zombie" computers in a botnet to flood the victim with requests. The large number of sources makes it almost impossible to locate and block the origin of the attack, and their combined bandwidth can saturate the victim's link outright rather than just its connection table. Most DoS attacks seen today are of the distributed type.

An older type of DoS attack is the smurf attack. The attacker sends ICMP echo requests (pings) to the broadcast address of a large network with the source address forged to be the target. Every host on that network replies to the target, and the amplification overwhelms it until it crashes or becomes unavailable. Smurf attacks are stopped by routers that do not forward IP directed broadcasts (no ip directed-broadcast, the Cisco IOS default since release 12.0) and by hosts that ignore broadcast pings (net.ipv4.icmp_echo_ignore_broadcasts = 1 on Linux), so they are no longer common, although the same reflection-and-amplification idea reappears with other UDP services.

DoS attacks are not limited to wired networks; they can also be used against wireless networks. An attacker can flood the radio-frequency (RF) spectrum with enough interference to stop a device communicating with other wireless devices. Raw RF jamming is rarely seen because of the cost and complexity of the equipment, but an attacker does not need it: 802.11 management frames such as deauthentication are unauthenticated unless 802.11w protected management frames are in use, so a deauthentication flood from an ordinary wireless card will knock clients off an access point just as effectively.

Some symptoms of a DoS attack include:

  • Unusually slow performance when opening files or accessing web sites
  • Unavailability of a particular web site
  • Inability to access any web site
  • Dramatic increase in the number of spam emails received

To limit DoS attacks, administrators can use firewalls to block protocols, ports or source addresses, and enable SYN cookies on servers (net.ipv4.tcp_syncookies = 1 on Linux) so that the server can answer SYNs without keeping per-connection state until the handshake completes. Some switches and routers can detect and respond to floods with automatic traffic rate limiting and balancing. Application front-end hardware and intrusion prevention systems can inspect packets as they enter and classify them as normal or hostile. None of this helps once an attack saturates the upstream link, though: a volumetric DDoS has to be filtered upstream, by the ISP or a scrubbing service, before it reaches your edge.

The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at http://www.365ComputerSecurityTraining.com