
CLYDE consulting

Beyond the Wall: Security in a Post-Perimeter World

October 2010

Walls have served multiple purposes throughout history. The Great Wall of China defended against invaders, while the Berlin Wall kept citizens from freely traveling beyond the control of their rulers.

Network security relies on similar premises. For years network security professionals touted “perimeter security” as the primary solution to keep the bad guys out and the good guys in. However, just as guns and air attacks overcame protective walls, changes in malware attacks have rendered network firewalls and perimeter-centric security an ineffective defense. Simultaneously, the increasingly mobile workforce makes an on-premise approach even more futile. Walls can no longer keep the bad guys out, nor can they keep the good guys in.

Welcome to the post-perimeter world.

Beyond the Wall: Security in a Post-Perimeter World © 2010 Clyde Consulting, LLC

The Bad Guys Are Getting In

“Protect the perimeter” is no longer an effective strategy against the attacks of malicious code writers. Malware programs like worms and Trojans are aptly named. They are able to get inside the wall. As the volume of these malicious programs explodes, the perimeter cannot hold.

According to NSS Labs, an independent product analysis lab, most attacks are exploit-based attacks that are delivered via e-mail or compromised Web sites. They target vulnerabilities in Web browsers, plug-ins and client-side applications. Once these exploits are inside the wall, the pillaging of valuable data begins. The Open Security Foundation’s annual Data Loss report lists 586 publicly recorded data breaches in 2009 that affected more than 200 million records of “personally identifying information.”

Mercenaries for Hire

The proliferation of malicious code is driven by a sophisticated underground economy. Password-stealing Trojans and programs that export user data are rampant. A decade ago, many virus and malware writers sought publicity. Now, virtually all seek financial gain. In fact, in some countries, writing code for organized crime syndicates is a prestigious career. It presents an opportunity for both personal wealth and economic growth for developing economies. There are vast sums of money made in the black market of IDs and credit card numbers and login credentials. Symantec found the estimated value of advertised stolen credit cards exceeds five billion dollars, and the value of advertised stolen bank account IDs/passwords is more than seven million dollars. This underground economy funds the development of malicious code to facilitate the collection of marketable data.

As a result, the volume of dangerous code being launched at network security perimeters continues to mushroom. The number of new signatures has doubled year-over-year and will likely approach four million in 2010. This never-ending explosion of malicious code limits the effectiveness of traditional signature-based antivirus programs. A recent NSS Labs test found that many products are ineffective at stopping exploits and estimated that 70 to 75 percent of companies are under-protected.


FIGURE 1: Breakdown of 2009 Recorded Data Breaches by Sector and Data Type (pie charts). Source: Open Security Foundation

By sector: BIZ 52%, GOV 18%, EDU 15%, MED 15%

By data type: NAA (Names and/or Addresses) 33%; SSN (Social Security Number) 25%; DOB (Date of Birth) 9%; CCN (Credit Card Number) 7%; MED (Medical Information) 7%; MISC (Other personally identifying information, such as other logins and passwords to various sites and applications) 7%; ACC (Account Information) 6%; FIN (Financial Information) 5%; EMA (Email Addresses) 1%

FIGURE 2: Numbers of New Signatures, 2002 to 2009 (bar chart). Source: Internet Security Threat Report, Symantec April 2010

2002: 20,254 | 2003: 19,159 | 2004: 74,981 | 2005: 113,081 | 2006: 167,069 | 2007: 708,742 | 2008: 1,691,323 | 2009: 2,895,802


One might think that reinforcing the perimeter can keep thieves out, but these cyber mercenaries-for-hire have mastered ways to appear legitimate. While it is widely understood that credit card numbers, bank account numbers and social security numbers are valuable information, one might not realize that Web site and application login credentials are also highly sought-after data.

When a keylogger finds its way onto an employee’s laptop while it is outside the wall of the corporate network, it can gather login information for Customer Resource Management (CRM) and Human Resource (HR) applications. Then the bad guys don’t need to hack in to steal valuable customer billing data or employee personal data, because they already have the keys to open the door. As a result, the market to buy and sell logins and passwords continues to grow.

ITEM                                  RANGE OF PRICES
Credit card information               $0.85 – $30
Bank account credentials              $15 – $850
Email accounts                        $1 – $20
Email addresses                       $1.70/MB – $15/MB
Shell scripts                         $2 – $5
Full identities                       $0.70 – $20
Credit card dumps                     $4 – $150
Mailers                               $4 – $10
Cash-out services                     $0 – $600 plus 50% – 60%
Website administration credentials    $2 – $30

Bad Guys Posing as Good Guys

The “Beefmaster” case in 2009 demonstrates the value of login credentials and the harm that can be inflicted after that information is compromised. Andrew Brandt, Lead Threat Research Analyst for Webroot, documented the details of the case in the January 2010 edition of the Network Security Newsletter.

In this case and others like it, the bad guys start by stealing Web site administration credentials from the administrator of a legitimate Web site. This is done using a keylogger. In the Beefmaster case, a keylogger found its way onto a friend’s laptop, and when the Web site administrator used that laptop to log in and do his job, his FTP login credentials were captured and later sold on the black market.

After being purchased, the compromised credentials were inserted into another malicious program that systematically logs into sites, identifies HTML files with “index” or “default” in the name and replaces them with another piece of evil code that loads a keylogger onto the computer of anyone who visits the Web page.

FIGURE 3: Underground economy price ranges (table above). Source: Internet Security Threat Report, Symantec April 2010

FIGURE 4: The Beefmaster case (diagram). Labels: Beefmaster; Webmaster; Keylogger; Adding malware; Removing malware; Malware infects users who visit the site. Source: Webroot


As soon as the real Web site administrator realized there was bad code on his site, he removed it. However, because his login credentials were still compromised, the program continued to log in and re-insert the malware code into the Web pages. More than 1,600 files were modified. The errant FTP connections came from 60 different, unique IP addresses, making it virtually impossible to track down the location of the person who led this effort.
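The Beefmaster pattern leaves two traces a defender can look for in ordinary server logs: one FTP account authenticating from many unrelated addresses in a short window, and repeated uploads that overwrite index or default pages. The script below is an added example written for this page, not code from the whitepaper or from Webroot. It runs over a handful of constructed log lines in an assumed, simplified format (timestamp, action, user, ip, optional path) and flags both indicators; the parser would need adjusting for a real FTP server's log format, and the one-hour window and three-address threshold are tuning assumptions.

```python
"""Detection sketch for the re-infection loop described in the Beefmaster case:
a stolen FTP account driven from many IPs to repeatedly rewrite index/default pages."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample log lines in an assumed, simplified format. These are NOT
# real entries from the incident; the addresses are documentation ranges.
SAMPLE_LOG = """\
2009-11-02T03:14:05 LOGIN user=webadmin ip=198.51.100.7
2009-11-02T03:14:09 STOR user=webadmin ip=198.51.100.7 path=/htdocs/index.html
2009-11-02T03:22:41 LOGIN user=webadmin ip=203.0.113.21
2009-11-02T03:22:44 STOR user=webadmin ip=203.0.113.21 path=/htdocs/blog/default.htm
2009-11-02T03:31:02 LOGIN user=webadmin ip=192.0.2.88
2009-11-02T03:31:05 STOR user=webadmin ip=192.0.2.88 path=/htdocs/shop/index.php
2009-11-02T09:00:00 LOGIN user=webadmin ip=198.51.100.7
2009-11-02T09:00:10 STOR user=webadmin ip=198.51.100.7 path=/htdocs/index.html
2009-11-02T10:15:00 LOGIN user=designer ip=198.51.100.200
2009-11-02T10:16:30 STOR user=designer ip=198.51.100.200 path=/htdocs/images/logo.png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>LOGIN|STOR) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: path=(?P<path>\S+))?$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def accounts_with_many_ips(records, window=timedelta(hours=1), threshold=3):
    """Return {user: max distinct source IPs within any `window`} for accounts at
    or above `threshold`. A human administrator rarely logs in from several
    unrelated addresses within an hour; a tool replaying a stolen credential does."""
    logins = defaultdict(list)
    for r in records:
        if r["action"] == "LOGIN":
            logins[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            best = max(best, len(ips))
        if best >= threshold:
            flagged[user] = best
    return flagged


def landing_page_writes(records):
    """Uploads whose file name contains 'index' or 'default': the pages the
    Beefmaster tool targeted because every visitor loads them."""
    hits = []
    for r in records:
        if r["action"] != "STOR" or not r["path"]:
            continue
        name = PurePosixPath(r["path"]).name.lower()
        if "index" in name or "default" in name:
            hits.append((r["user"], r["ip"], r["path"]))
    return hits


def repeat_writes(hits):
    """Count rewrites per landing page; a page rewritten again after a clean-up is
    the re-insertion loop the case describes."""
    counts = defaultdict(int)
    for _, _, path in hits:
        counts[path] += 1
    return {p: n for p, n in counts.items() if n > 1}


def analyze(text, window=timedelta(hours=1), ip_threshold=3):
    """Run both checks over raw log text and return a small report dict."""
    records = parse_log(text)
    hits = landing_page_writes(records)
    return {
        "suspect_accounts": accounts_with_many_ips(records, window, ip_threshold),
        "landing_page_writes": hits,
        "repeat_writes": repeat_writes(hits),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, n in report["suspect_accounts"].items():
        print(f"account {user}: {n} distinct source IPs within one hour")
    for user, ip, path in report["landing_page_writes"]:
        print(f"landing page written: {path} by {user} from {ip}")
    for path, n in report["repeat_writes"].items():
        print(f"{path} rewritten {n} times; check for re-inserted code")
```

Neither check is conclusive on its own: a single extra address or a single page update is routine. The useful signal is the combination, and the practical response is the one the case implies, namely rotating the compromised credential rather than only cleaning the pages, since the cleaned pages were rewritten again as long as the old password still worked.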

While some people may not be aware of specific stories like this one, most do have a general sense that these threats are real and growing. InformationWeek Analytics’ Strategic Security Survey found that a majority of companies surveyed expect a security breach in the next year. Among companies with fewer than 1,000 employees, 84 percent of respondents state that malware is the most likely security breach they will face. Almost half also think a Web or application exploit will breach security. Respondents to the same survey identified the serious risks associated with these breaches, such as network or application downtime, and theft of valuable information.

The big question is what should companies do about it?

FIGURE 5: Which Types of Security Breaches or Espionage Are Most Likely to Occur in Your Company Within the Next Year? (bar chart, 2009 vs. 2010, percent of respondents). Categories: Malware (viruses, worms, botnets); Phishing; Operating system vulnerabilities attacked; Web or software applications exploited; Denial of service. Source: Strategic Security Survey, InformationWeek Analytics, May 2010

FIGURE 6: What Will Be the Impacts of These Breaches? (bar chart, percent of respondents). Network or business applications unavailable 57%; Intellectual property theft or information confidentiality compromised 54%; Minor financial losses 39%; Customer records compromised 39%; Other internal records lost or damaged 39%; Identity theft 34%; Legal liability 34%; Violated government regulations regarding data security 30%; Fraud 29%. Source: Strategic Security Survey, InformationWeek Analytics, May 2010


The Good Guys Are Getting Out

The ever-growing number of assaults via malware and exploits is only part of the challenge facing companies today. An even bigger dilemma is protecting corporate data against these assaults in a world of mobile employees.

The era of the walled cities didn’t end simply because their ability to protect diminished. Many rulers found that over time their people refused to live behind a wall. The human desire to not be captive is powerful. Likewise, employees want to be free: free to work from anywhere, and free to use whatever devices they want to access work files and data. The days of only company-issued assets connecting to secure parts of the IT infrastructure are gone.

According to International Data Corp (IDC), more than one billion non-PC mobile devices will access the Internet in 2010. In keeping with that trend, IDC reports that “mobility” is cited as the number one factor driving increased security spending. IT security professionals are realizing how challenging it is to protect employees who are outside the perimeter.

Regardless of the security challenges associated with mobile workers, employees are committed to working from outside the perimeter. Recent research sponsored by Unisys and conducted by IDC found that 75 percent of “information workers” are willing to pay at least part of the cost of IT tools in order to be able to use what they want. This “consumerization” of IT raises some new and unique concerns for maintaining security and managing corporate IT infrastructure.

IDC predicts that the percentage of workers using smart phones and social networking will double from approximately 40 percent to almost 80 percent by 2013. In addition to the increased number of consumer devices accessing company networks, many interactive Web applications are being used over corporate network connections.

FIGURE 7: Percent of Respondents Using for Business, Both, or Personal (bar chart). Categories: Laptop; Mobile phone; Smart phone; GPS; Text or IM; Professional social networks; Accessing blogs; Google Apps. Companies with 500+ employees, N=2,820. Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010


The explosion of Web applications and software-as-a-service (SaaS) means that employees using any Internet-connected device anywhere in the world can access vital business applications with just a login. This trend towards anywhere-and-everywhere computing is fueling a shift away from software sold as a packaged product. IDC expects that by 2012, less than 15 percent of new software firms will ever ship a packaged product (CD). Tied to this, IDC predicts continued growth in the SaaS market. IDC estimates that the SaaS market reached $13.1 billion in revenue in 2009, and will grow to $40.5 billion by 2014—a compound annual growth rate (CAGR) of just over 25 percent.

This is the post-perimeter world. No longer can an artificial wall separate business and personal use of devices, Web sites, social networks, and other tools. Businesses need to embrace this new paradigm by:

• providing solid security at the point that users connect to business applications

• ensuring valuable data is protected

• constantly updating device-level protection.

Citizens Still Must Be Protected

The explosion of malicious code and onslaught of mobile employees mean an increased number of data-security breaches. Companies are not alone in wanting to protect valuable data. Governments around the world also are attempting to address these concerns.

In many countries, government is expected to play an important role in fighting crime, identifying fraud and protecting the valuable personal data of its citizens. The laws and regulations that have emerged require companies to implement specific measures aimed at protecting data.

FIGURE 8: Percent of Respondents Using for Both Business and Personal (bar chart). Categories: Email; Web browsing; Shared docs; Web or audio; IM; Text messaging; Internet video; Google Apps; Internet phone; Professional networking; Blogs/wikis; Video streaming; YouTube; Twitter. Companies with 500+ employees, N=2,820. Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010


FIGURE 9: Laws and regulations that impose data-protection obligations

WHAT IT IS | WHAT IT DOES | WHO IT IMPACTS MOST
GLBA, Gramm-Leach-Bliley Act | Requires that sensitive information sent across the Internet is encrypted | Finance industry
DPA, Data Protection Act of 1998 | Protects people’s personal information by imposing legal obligations on anyone processing personal data | European companies that handle personal data
SOX, Sarbanes-Oxley Act | Protects shareholders and the general public from accounting errors and scandals by requiring all public companies to retain their email and business records for at least 7 years | Finance industry; public companies that register shares for sale on a US stock exchange
FRCP, Federal Rules of Civil Procedure | Enforces data retention standards by requiring companies to produce records within a set amount of time | Any business that may become involved in a court case
FOIA, Freedom of Information Acts | Gives citizens the right to have copies of any information that government or commercial bodies are holding on them | UK and US government organizations
HIPAA, Health Insurance Portability and Accountability Act | Ensures the privacy and confidentiality of patients’ healthcare information | Healthcare industry
PCI-DSS, Payment Card Information Data Security Standard | Enforces global standards to protect credit card data against theft and fraud | Anyone that handles payment card transactions
CIPA, Children’s Internet Protection Act | Prevents access to offensive Internet content on school and library computers | Education industry

These well-intentioned efforts can place additional burdens on companies to ensure regulatory compliance in their approach to information security. Staying ahead of malware attacks and securing a mobile workforce to protect valuable data and ensure regulatory compliance is a tall order for even the largest IT security department. For many small- and medium-sized businesses, the challenge often is insurmountable.

Source (Figure 9): Webroot


Beyond the Perimeter Is the Cloud

Now that users are outside the perimeter and working in and through what has come to be known as “the cloud,” it makes sense that security also must be provided and managed in the cloud. This is good news. Companies no longer need attempt to staff and maintain a large data security infrastructure.

The changes in attack vectors, user behaviors and Web-centric computing from anywhere and everywhere make perimeter security inadequate. The time has come for a new post-perimeter approach to information security.

The benefits of moving to the cloud are not merely speculative. In a global study, commissioned by Webroot, Web Security professionals in Australia, the United Kingdom, and the United States identified simplicity, effectiveness, and blocking access to inappropriate sites as the top three reasons for adopting security SaaS.

The Forrester paper “Real-World Insights into SaaS Implementation Success” summarizes the experiences of clients who have completed SaaS implementations. The proven SaaS benefits discussed in the report are:

• Speed to deploy

• Responsive service from vendor

• Lower costs

• Faster deployment of latest innovations

• Easy-to-use interfaces

• Security

It’s noteworthy that security is included on the list of benefits, given that it often is identified as a top concern for those considering a SaaS purchase. However, customers who have implemented SaaS affirm that it offers a superior security option. The Forrester study confirms this:

“The majority of the customers we interviewed revealed that their SaaS vendors were doing more to secure their data than their own IT departments could do. One reference said, ‘Our greatest fear became our biggest confidence.’”

FIGURE 10: Perimeter vs. Post-Perimeter Security (diagram). Labels: Company computers; CRM; ERP; Consumer IT infrastructure; External storage devices; Home office; Mobile devices; Web surfing; Consumer IM; Facebook; Web 2.0; Webmail; Hosted email; Skype; Twitter. Source: Webroot


This statement is particularly auspicious for small- and medium-size enterprises that are less likely to have the budget and staff resources to effectively manage IT security in-house.

Farewell to the Company Data Center

It’s not just the perimeter that is going away. Much of the infrastructure that historically was contained within a company’s walls is also going away. As employees increasingly rely on personal devices to perform work functions and business applications are provided as services instead of software installs, the need for company data centers is eliminated.

Gartner predicts that by 2012, 20 percent of businesses will own no IT assets. According to Gartner, “Several inter-related trends are driving the movement toward decreased IT hardware assets, such as virtualization, cloud-enabled services, and employees running personal desktops and notebook systems on corporate networks.” This trend will also make Virtual Private Networks (VPNs) obsolete.

This means a field-leveling opportunity for smaller companies that want to compete with larger companies. No longer will they need to invest in a hardware-intensive infrastructure. Start-up companies should be selecting SaaS solutions instead of shopping for servers. Established small- and medium-sized businesses should retire application software along with the server it is housed upon and migrate to a SaaS security solution.

For larger companies, server consolidation efforts can be accelerated to lower overhead. SaaS means they too can gain efficiencies and eliminate hardware and maintenance costs.

What’s Next?

In the coming years, expect to see virtually every aspect of IT security transition to the cloud. IDC’s “Worldwide Security SaaS Forecast by Market” details the growth they predict in the various security segments during the next several years.

The faster companies adapt to this new post-perimeter world and seek security solutions that do not rely on antivirus signatures as their primary means of protection, the faster they can secure valuable information.

In order to take advantage of this trend, companies should seek a security SaaS vendor that provides the following:

1. Cloud-centric solution that offers superior protection for mobile workers. This means it runs primarily in the cloud while still providing the necessary endpoint protection.

FIGURE 11: Worldwide Security SaaS Forecast by Market, 2008 to 2013 (stacked bar chart, $0 to $5,000M). Segments: Messaging security; Web security; Endpoint security; Network security; Identity and access management; Security and vulnerability management; Other. Source: IDC March 2010


2. Scalable cloud service to grow with the business. This will reduce implementation costs and simplify ongoing management.

3. Complete SaaS solution that includes both e-mail and Web protection. This ensures that valuable company data is secured.

4. Innovative technical approach based on pro-active protection that is not merely signature-based. This protects against nearly all attacks, not only the ones for which there are already signatures.

The Great Wall of China and the site of the Berlin Wall are certainly worth a visit, but their utility to protect and contain has ceased. The day is fast approaching when out-dated network firewalls and extraneous servers can be sent off to the “Perimeter-Security Museum.”

About the Author

A recognized industry leader, Robert Clyde serves as the Managing Partner of Clyde Consulting LLC and provides executive advisory services to innovative security companies. Rob has more than 25 years of experience as a security software expert and he has had leadership roles in startup and small businesses as well as mid-size and large companies, including Symantec and Axent Technologies. As CTO at Symantec, Rob was a key member of the management team that drove the company to grow from slightly under $1B in revenue to more than $5B, during which time the stock split three times.

An Internet security pioneer and innovator, he is credited with the creation of the first commercial intrusion detection system. He is a Certified Information Security Manager and founding board member of both SAFEcode and the IT-ISAC. In 2010, Rob received the coveted Joseph J. Wasserman award from the New York Metro Chapter of Information Security Audit and Control Association.

Sources

Forrester Research, “Real-World Insights Into SaaS Implementation Success,” May 2010

Gartner, “Top Predictions for IT Organizations and Users, 2010 and Beyond,” December 2009

IDC, “Worldwide Software as a Service 2010 – 2014 Forecast: Software Will Never Be the Same,” June 2010

IDC, sponsored by Unisys, “A Consumer Revolution In The Enterprise,” June 2010

InformationWeek Analytics, “Strategic Security Survey,” April 2010

Network Security Newsletter, “When Admins Attack,” January 2010

NSS Labs, “Q2 2010 Endpoint Protection Product Group Test Report: Host Intrusion Prevention,” July 2010

Open Security Foundation, Data Loss Database 2009 yearly report, datalossdb.org

Symantec, “Internet Security Threat Report,” April 2010

Unisys, “Poll: Information Workers Ready and Willing to Purchase Their Own Technology for Work,” August 10, 2010

Webroot, “Web Security in SMBs,” March 2010