Beyond the Wall: Security in a Post-Perimeter World
Clyde Consulting
October 2010
Walls have served multiple purposes throughout history. The Great Wall of China defended against invaders, while the Berlin Wall kept citizens from freely traveling beyond the control of their rulers.
Network security relies on similar premises. For years network security professionals touted “perimeter security” as the primary solution to keep the bad guys out and the good guys in. However, just as guns and air attacks overcame protective walls, changes in malware attacks have rendered network firewalls and perimeter-centric security an ineffective defense. Simultaneously, the increasingly mobile workforce makes an on-premise approach even more futile. Walls can no longer keep the bad guys out, nor can they keep the good guys in.
Welcome to the post-perimeter world.
Beyond the Wall: Security in a Post-Perimeter World © 2010 Clyde Consulting, LLC
The Bad Guys Are Getting In
“Protect the perimeter” is no longer an effective strategy against the attacks of malicious code writers. Malware programs like worms and Trojans are aptly named. They are able to get inside the wall. As the volume of these malicious programs explodes, the perimeter cannot hold.
According to NSS Labs, an independent product analysis lab, most attacks are exploit-based attacks that are delivered via e-mail or compromised Web sites. They target vulnerabilities in Web browsers, plug-ins and client-side applications. Once these exploits are inside the wall, the pillaging of valuable data begins. The Open Security Foundation’s annual Data Loss report lists 586 publicly recorded data breaches in 2009 that affected more than 200 million records of “personally identifying information.”
Mercenaries for Hire
The proliferation of malicious code is driven by a sophisticated underground economy. Password-stealing Trojans and programs that export user data are rampant. A decade ago, many virus and malware writers sought publicity. Now, virtually all seek financial gain. In fact, in some countries, writing code for organized crime syndicates is a prestigious career. It presents an opportunity for both personal wealth and economic growth for developing economies. Vast sums of money are made in the black market for IDs, credit card numbers and login credentials. Symantec found the estimated value of advertised stolen credit cards exceeds five billion dollars, and the value of advertised stolen bank account IDs/passwords is more than seven million dollars. This underground economy funds the development of malicious code to facilitate the collection of marketable data.
As a result, the volume of dangerous code being launched at network security perimeters continues to mushroom. The number of new signatures has doubled year-over-year and will likely approach four million in 2010. This never-ending explosion of malicious code limits the effectiveness of traditional signature-based antivirus programs. A recent NSS Labs test found that many products are ineffective at stopping exploits and estimated that 70 to 75 percent of companies are under-protected.
Figure 1: Breakdown of 2009 Recorded Data Breaches by Sector and Data Type (Source: Open Security Foundation)
By sector: BIZ 52%, GOV 18%, EDU 15%, MED 15%
By data type: NAA 33%, SSN 25%, DOB 9%, CCN 7%, MED 7%, MISC 7%, ACC 6%, FIN 5%, EMA 1%
Legend: CCN = Credit Card Number; DOB = Date of Birth; SSN = Social Security Number; NAA = Names and/or Addresses; EMA = Email Addresses; ACC = Account Information; FIN = Financial Information; MED = Medical Information; MISC = Other personally identifying information, such as other logins and passwords to various sites and applications
Figure 2: Number of New Signatures, 2002–2009 (Source: Internet Security Threat Report, Symantec April 2010)
2002: 20,254; 2003: 19,159; 2004: 74,981; 2005: 113,081; 2006: 167,069; 2007: 708,742; 2008: 1,691,323; 2009: 2,895,802
One might think that increasing protection through perimeter reinforcement can keep thieves out. These cyber mercenaries-for-hire have mastered the ways to appear legitimate. While it is widely understood that credit card numbers, bank account numbers and social security numbers are valuable information, one might not realize that Web site and application login credentials are also highly sought data.
When a keylogger finds its way onto an employee’s laptop while it is outside the wall of the corporate network, it can gather login information to Customer Resource Management (CRM) and Human Resource (HR) applications. Then the bad guys don’t need to hack in to steal valuable customer billing data or employee personal data because they have the keys to open the door. As a result, the market to buy and sell logins and passwords continues to grow.
Item                                  Range of prices
Credit card information               $0.85 – $30
Bank account credentials              $15 – $850
Email accounts                        $1 – $20
Email addresses                       $1.70/MB – $15/MB
Shell scripts                         $2 – $5
Full identities                       $0.70 – $20
Credit card dumps                     $4 – $150
Mailers                               $4 – $10
Cash-out services                     $0 – $600 plus 50% – 60%
Website administration credentials    $2 – $30
Bad Guys Posing as Good Guys
The “Beefmaster” case in 2009 demonstrates the value of login credentials and the harm that can be inflicted after that information is compromised. Andrew Brandt, Lead Threat Research Analyst for Webroot, documented the details of the case in the January 2010 edition of the Network Security Newsletter.
In this case and others like it, the bad guys start by stealing Web site administration credentials from a Web site administrator who works on a legitimate Web page. This is done using a keylogger. In this case, a keylogger found its way onto a friend’s laptop, and when the Web site administrator used that laptop to log in to do his job, his FTP login credentials were captured and later sold on the black market.
After being purchased, the compromised credentials were inserted into another malicious program that systematically logs into sites, identifies HTML files with “index” or “default” in the name and replaces them with another piece of evil code that loads a keylogger onto the computer of anyone who visits the Web page.
Figure 3 (price table above). Source: Internet Security Threat Report, Symantec April 2010
Figure 4: The Beefmaster case (Source: Webroot). A keylogger captures the webmaster’s credentials; the attacker uses them for adding malware; the webmaster keeps removing malware; the malware infects users who visit the site.
As soon as the real Web site administrator realized there was bad code on his site, he removed it. However, his login credentials were compromised, and the program continued to log in and continuously re-inserted the malware code into the Web pages. More than 1,600 files were modified. The errant FTP connections came from 60 different IP addresses, making it virtually impossible to track down a location for the person who led this effort.
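The re-infection pattern described above leaves a recognizable trace in FTP server logs: one account writing to index/default files from far more client addresses than a single administrator would use. The following detector is an added example, not code from the paper or from Webroot; the log format and the sample lines are constructed for illustration (documentation IP ranges), and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample FTP transfer log (not from the page or from Webroot).
# Assumed format: "<ISO timestamp> user=<name> ip=<addr> <CMD> <path>".
SAMPLE_LOG = """\
2009-11-02T09:12:44 user=webadmin ip=192.0.2.10 STOR /htdocs/index.html
2009-11-02T09:13:02 user=designer ip=192.0.2.10 STOR /htdocs/css/site.css
2009-11-03T02:14:07 user=webadmin ip=203.0.113.21 STOR /htdocs/index.html
2009-11-03T02:14:09 user=webadmin ip=203.0.113.21 STOR /htdocs/blog/index.htm
2009-11-03T02:40:51 user=webadmin ip=198.51.100.7 STOR /htdocs/shop/default.asp
2009-11-03T03:05:13 user=webadmin ip=198.51.100.88 STOR /htdocs/index.html
2009-11-03T03:31:40 user=webadmin ip=203.0.113.130 STOR /htdocs/news/index.php
2009-11-03T04:02:58 user=webadmin ip=198.51.100.200 RETR /htdocs/index.html
2009-11-03T04:03:01 user=webadmin ip=198.51.100.200 STOR /htdocs/index.html
2009-11-03T08:55:22 user=designer ip=192.0.2.10 STOR /htdocs/images/logo.png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) (?P<cmd>[A-Z]+) (?P<path>\S+)$"
)
# FTP commands that modify files on the server (uploads, appends, deletes, renames)
WRITE_CMDS = {"STOR", "APPE", "DELE", "RNTO"}
# Entry-point file names the Beefmaster bot went after
ENTRY_NAMES = ("index", "default")


def parse_ftp_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_entry_page(path):
    """True when the file's base name (any extension, any case) is index or default."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.split(".", 1)[0] in ENTRY_NAMES


def find_compromised_accounts(events, max_ips=3, min_entry_writes=2):
    """Return {user: summary} for accounts that write to entry pages from more
    distinct client IPs than max_ips. Both thresholds are assumed defaults."""
    per_user = defaultdict(lambda: {"ips": set(), "entry_writes": 0, "files": set()})
    for ev in events:
        u = per_user[ev["user"]]
        u["ips"].add(ev["ip"])
        if ev["cmd"] in WRITE_CMDS and is_entry_page(ev["path"]):
            u["entry_writes"] += 1
            u["files"].add(ev["path"])
    flagged = {}
    for user, u in per_user.items():
        if len(u["ips"]) > max_ips and u["entry_writes"] >= min_entry_writes:
            flagged[user] = {
                "distinct_ips": len(u["ips"]),
                "entry_writes": u["entry_writes"],
                "files": sorted(u["files"]),
            }
    return flagged


if __name__ == "__main__":
    for user, s in find_compromised_accounts(parse_ftp_log(SAMPLE_LOG)).items():
        print(f"{user}: {s['distinct_ips']} client IPs, {s['entry_writes']} entry-page writes")
        for f in s["files"]:
            print("   ", f)
```

The flagged account is the one to reset (credentials, not just the defaced files), which is the step the case shows was missed when only the malware was removed.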
While some people may not be aware of specific stories like this one, most do have a general sense that these threats are real and growing. InformationWeek Analytics’ Strategic Security Survey found that a majority of companies surveyed expect a security breach in the next year. Among companies with fewer than 1,000 employees, 84 percent of respondents state that malware is the most likely security breach they will face. Almost half also think a Web or application exploit will breach security. Respondents to the same survey identified the serious risks associated with these breaches, such as network or application downtime, and theft of valuable information.
The big question is what should companies do about it?
Figure 5: Which Types of Security Breaches or Espionage Are Most Likely to Occur in Your Company Within the Next Year? (percent of respondents, 2009 vs. 2010; categories: malware (viruses, worms, botnets); Web or software applications exploited; operating system vulnerabilities attacked; phishing; denial of service). Source: Strategic Security Survey, InformationWeek Analytics, May 2010
Figure 6: What Will Be the Impacts of These Breaches? (percent of respondents): network or business applications unavailable 57%; intellectual property theft or information confidentiality compromised 54%; minor financial losses 39%; customer records compromised 39%; other internal records lost or damaged 39%; identity theft 34%; legal liability 34%; violated government regulations regarding data security 30%; fraud 29%. Source: Strategic Security Survey, InformationWeek Analytics, May 2010
The Good Guys Are Getting Out
The ever-growing number of assaults via malware and exploits is only part of the challenge facing companies today. An even bigger dilemma is protecting corporate data against these assaults in a world of mobile employees.
The era of the walled cities didn’t end simply because their ability to protect diminished. Many rulers found that over time their people refused to live behind a wall. The human desire to not be captive is powerful. Likewise, employees want to be free: free to work from anywhere, and free to use whatever devices they want to access work files and data. The days of only company-issued assets connecting to secure parts of the IT infrastructure are gone.
According to International Data Corp (IDC), more than one billion non-PC mobile devices will access the Internet in 2010. In keeping with that trend, IDC reports that “mobility” is cited as the number one factor driving increased security spending. IT security professionals are realizing how challenging it is to protect employees who are outside the perimeter.
Regardless of the security challenges associated with mobile workers, employees are committed to working from outside the perimeter. Recent research sponsored by Unisys and conducted by IDC found that 75 percent of “information workers” are willing to pay at least part of the cost of IT tools in order to be able to use what they want. This “consumerization” of IT raises some new and unique concerns for maintaining security and managing corporate IT infrastructure.
IDC predicts that the percentage of workers using smart phones and social networking will double from approximately 40 percent to almost 80 percent by 2013. In addition to the increased number of consumer devices accessing company networks, many interactive Web applications are being used via a corporate network connection.
Figure 7: Percent of Respondents Using for Business, Personal, or Both (categories: laptop, mobile phone, smart phone, GPS, text or IM, professional social networks, accessing blogs, Google Apps). Companies with 500+ employees, N=2,820. Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010
The explosion of Web applications and software-as-a-service (SaaS) means that employees using any Internet connected device anywhere in the world can access vital business applications with just a login. This trend towards anywhere-and-everywhere computing is fueling a shift away from software sold as a packaged product. IDC expects that by 2012, less than 15 percent of new software firms will ever ship a packaged product (CD). Tied to this, IDC predicts continued growth in the SaaS market. IDC estimates that the SaaS market reached $13.1 billion in revenue in 2009, and will grow to $40.5 billion by 2014—a compound annual growth rate (CAGR) of just over 25 percent.
This is the post-perimeter world. No longer can an artificial wall separate business and personal use of devices, Web sites, social networks, and other tools. Businesses need to embrace this new paradigm by:
• providing solid security at the point that users connect to business applications
• ensuring valuable data is protected
• constantly updating device-level protection.
Citizens Still Must Be Protected
The explosion of malicious code and onslaught of mobile employees mean an increased number of data-security breaches. Companies are not alone in wanting to protect valuable data. Governments around the world also are attempting to address these concerns.
In many countries, government is expected to play an important role in fighting crime, identifying fraud and protecting the valuable personal data of its citizens. The laws and regulations that have emerged require companies to implement specific measures aimed at protecting data.
Figure 8: Percent of Respondents Using for Both Business and Personal (categories: email, Web browsing, shared docs, Web or audio, IM, text messaging, Internet video, Google Apps, Internet phone, professional networking, blogs/wikis, video streaming, YouTube, Twitter). Companies with 500+ employees, N=2,820. Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010
Figure 9: Laws and regulations affecting data security (what it is; what it does; who it impacts most)
GLBA: Gramm-Leach-Bliley Act. Requires that sensitive information sent across the Internet is encrypted. Impacts most: finance industry.
DPA: Data Protection Act of 1998. Protects people’s personal information by imposing legal obligations on anyone processing personal data. Impacts most: European companies that handle personal data.
SOX: Sarbanes-Oxley Act. Protects shareholders and the general public from accounting errors and scandals by requiring all public companies to retain their email and business records for at least 7 years. Impacts most: finance industry, public companies that register shares for sale on a US stock exchange.
FRCP: Federal Rules of Civil Procedure. Enforces data retention standards by requiring companies to produce records within a set amount of time. Impacts most: any business that may become involved in a court case.
FOIA: Freedom of Information Acts. Gives citizens the right to have copies of any information that government or commercial bodies are holding on them. Impacts most: UK and US government organizations.
HIPAA: Health Insurance Portability and Accountability Act. Ensures the privacy and confidentiality of patients’ healthcare information. Impacts most: healthcare industry.
PCI-DSS: Payment Card Information Data Security Standard. Enforces global standards to protect credit card data against theft and fraud. Impacts most: anyone that handles payment card transactions.
CIPA: Children’s Internet Protection Act. Prevents access to offensive Internet content on school and library computers. Impacts most: education industry.
These well-intentioned efforts can place additional burdens on companies to ensure regulatory compliance in their approach to information security. Staying ahead of malware attacks and securing a mobile workforce to protect valuable data and ensure regulatory compliance is a tall order for even the largest IT security department. For many small- and medium-sized businesses, the challenge often is insurmountable.
Source (Figure 9): Webroot
Beyond the Perimeter Is the Cloud
Now that users are outside the perimeter and working in and through what has come to be known as “the cloud,” it makes sense that security also must be provided and managed in the cloud. This is good news. Companies no longer need to attempt to staff and maintain a large data security infrastructure.
The changes in attack vectors, user behaviors and Web-centric computing from anywhere and everywhere make perimeter security inadequate. The time has come for a new post-perimeter approach to information security.
The benefits of moving to the cloud are not merely speculative. In a global study commissioned by Webroot, Web security professionals in Australia, the United Kingdom, and the United States identified simplicity, effectiveness, and blocking access to inappropriate sites as the top three reasons for adopting security SaaS.
The Forrester paper “Real-World Insights into SaaS Implementation Success” summarizes the experiences of clients who have completed SaaS implementations. The proven SaaS benefits discussed in the report are:
• Speed to deploy
• Responsive service from vendor
• Lower costs
• Faster deployment of latest innovations
• Easy-to-use interfaces
• Security
It’s noteworthy that security is included on the list of benefits, given that it often is identified as a top concern for those considering a SaaS purchase. However, customers who have implemented SaaS affirm that it offers a superior security option. The Forrester study confirms this:
“The majority of the customers we interviewed revealed that their SaaS vendors were doing more to secure their data than their own IT departments could do. One reference said, ‘Our greatest fear became our biggest confidence.’”
Figure 10: Perimeter vs. Post-Perimeter Security (Source: Webroot). Perimeter: company computers, CRM, ERP, Web surfing, consumer IM, Web 2.0, webmail, hosted email, Skype. Post-perimeter: consumer IT infrastructure, external storage devices, home office, mobile devices, CRM, ERP, Web surfing, consumer IM, Web 2.0, webmail, hosted email, Skype.
This statement is particularly auspicious for small- and medium-size enterprises that are less likely to have the budget and staff resources to effectively manage IT security in-house.
Farewell to the Company Data Center
It’s not just the perimeter that is going away. Much of the infrastructure that historically was contained within a company’s walls is also going away. As employees increasingly rely on personal devices to perform work functions and business applications are provided as services instead of software installs, the need for company data centers is eliminated.
Gartner predicts that by 2012, 20 percent of businesses will own no IT assets. According to Gartner, “Several inter-related trends are driving the movement toward decreased IT hardware assets, such as virtualization, cloud-enabled services, and employees running personal desktops and notebook systems on corporate networks.” This trend will also make Virtual Private Networks (VPNs) obsolete.
This means a field-leveling opportunity for smaller companies that want to compete with larger companies. No longer will they need to invest in a hardware-intensive infrastructure. Start-up companies should be selecting SaaS solutions instead of shopping for servers. Established small- and medium-sized businesses should retire application software along with the server it is housed upon and migrate to a SaaS security solution.
For larger companies, server consolidation efforts can be accelerated to lower overhead. SaaS means they too can gain efficiencies and eliminate hardware and maintenance costs.
What’s Next?
In the coming years, expect to see virtually every aspect of IT security transition to the cloud. IDC’s “Worldwide Security SaaS Forecast by Market” details the growth they predict in the various security segments during the next several years.
The faster companies adapt to this new post-perimeter world and seek security solutions that do not rely on antivirus signatures as their primary means of protection, the faster they can secure valuable information.
In order to take advantage of this trend companies should seek a security SaaS vendor that provides the following:
1. Cloud-centric solution that offers superior protection for mobile workers. This means it runs primarily in the cloud while still providing the necessary endpoint protection.
Figure 11: Worldwide Security SaaS Forecast by Market, 2008–2013 (revenue, $0M to $5000M; segments: messaging security, Web security, endpoint security, network security, identity and access management, security and vulnerability management, other). Source: IDC March 2010
2. Scalable cloud service to grow with the business. This will reduce implementation costs and simplify ongoing management.
3. Complete SaaS solution that includes both e-mail and Web protection. This ensures that valuable company data is secured.
4. Innovative technical approach based on proactive protection that is not merely signature-based. This protects against nearly all attacks, not only the ones for which there are already signatures.
The Great Wall of China and the site of the Berlin Wall are certainly worth a visit, but their utility to protect and contain has ceased. The day is fast approaching when outdated network firewalls and extraneous servers can be sent off to the “Perimeter-Security Museum.”
About the Author
A recognized industry leader, Robert Clyde serves as the Managing Partner of Clyde Consulting LLC and provides executive advisory services to innovative security companies. Rob has more than 25 years of experience as a security software expert and he has had leadership roles in startup and small businesses as well as mid-size and large companies, including Symantec and Axent Technologies. As CTO at Symantec, Rob was a key member of the management team that drove the company to grow from slightly under $1B in revenue to more than $5B, during which time the stock split three times.
An Internet security pioneer and innovator, he is credited with the creation of the first commercial intrusion detection system. He is a Certified Information Security Manager and founding board member of both SAFEcode and the IT-ISAC. In 2010, Rob received the coveted Joseph J. Wasserman award from the New York Metro Chapter of Information Security Audit and Control Association.
Sources
Forrester Research, Real-World Insights Into SaaS Implementation Success, May 2010
Gartner, Top Predictions for IT Organizations and Users, 2010 and Beyond, December 2009
IDC, Worldwide Software as a Service 2010–2014 Forecast: Software Will Never Be the Same, June 2010
IDC, sponsored by Unisys, A Consumer Revolution In The Enterprise, June 2010
InformationWeek Analytics, Strategic Security Survey, April 2010
Network Security Newsletter, When Admins Attack, January 2010
NSS Labs, Q2 2010 Endpoint Protection Product Group Test Report: Host Intrusion Prevention, July 2010
Open Security Foundation, Data Loss Database 2009 Yearly Report, datalossdb.org
Symantec, Internet Security Threat Report, April 2010
Unisys Poll, Information Workers Ready and Willing to Purchase Their Own Technology for Work, August 10, 2010
Webroot, Web Security in SMBs, March 2010