The changing face of IT security

Network Security November 2006

TELEWORKING

of anti-virus protection, as can intrusion detection systems.

There are key aspects to securing the corporate network that businesses should consider. Extending boundaries and securing the network to the end-user device will help to counteract any threats. This will also help to prevent information being ‘dropped’ onto the public infrastructure, thereby securing business-critical data and customer details. In addition, one of the crucial aspects of ensuring the network is secure is building up layers of security rather than relying on a single firewall or anti-virus product. The key to preventing such attacks is building up a combination of defences.

Conclusion: service delivery

As it is the Internet service providers who have control of the public Internet, only they can provide organizations with the capability to expand their security perimeters. The industry is challenging ISPs to offer this enhanced security capability.

Enterprises need a true private network, which involves creating security measures embedded in the network. These also need to specifically address the new and emerging threats of today that are most likely to affect a business. The problem with teleworkers is that IT directors lack control over the machine and over what it is accessing. Businesses need to regain that control by implementing an integrated, multi-layered approach to security measures that can counteract viruses, worms, identity theft etc., no matter what purpose the remote worker is using the end device for.

About the author

Angus Peacey is head of product marketing at Pipex Business Services, focusing on security and boundary networking products. He started his career as a software architect in South Africa, working for several corporate organizations. Prior to joining Pipex, he worked at Cogenta Systems. His career also includes a two-and-a-half-year stint at LANNET, Lucent Technologies and Avaya, where his roles included South Africa Country Manager.

ATTACK TRENDS

The changing face of IT security

Bruce Potter

Faced with multiple changes in the IT landscape, it is sometimes hard to keep track of where the technology trends are going. Some varieties of attacks occurring today leave traditional security measures standing.

Protecting an enterprise can be a shockingly difficult task. The attackers attempting to gain access to your systems are a largely unknown quantity. One day they could be knocking loudly on your door, while the next it seems that your fortress is totally secure. Beyond that, budgets need to be drawn up, staff need to be trained on the latest techniques, and business units are constantly putting pressure on the integrity of your security architecture.

The attackers we face today are much more sophisticated than those of years past, and the types of attacks being executed are beyond the capability of the classic suite of security products to stop. When thinking about what products and services to use to protect your enterprise, you must first be aware of the recent developments in attack technology and the impact these developments have on your existing products and architecture.

Decreased exploit development timeframe

Exploits can be created through two different processes. A security researcher (or attacker, depending on the person’s motivation) can find a vulnerability in a program through direct inspection methods such as code review, protocol fuzzing, or simple experimentation. Once a vulnerability is found, the researcher may then choose to build an exploit that leverages the vulnerability for system access or system disruption.

The other way exploits get written is through examination of a patch or other artifact of the vulnerability. Rather than directly finding the location of the vulnerability, the researcher can reverse engineer a security patch released by the vendor, determine what was changed and infer what was vulnerable. Patches can be either source code patches, common with open source software, or binary patches, which are often seen with COTS software. Based on the researcher’s inferences and their reverse engineering activities, a working exploit can then be created.

The technology and methods for reverse engineering patches in order to develop an exploit have become more sophisticated in recent years. Data for worms created four or five years ago indicate that the exploit embedded within them targeted code that had been patched weeks, if not months, earlier. However, in more recent worm and virus outbreaks, the malicious payloads targeted patches that had been released only days prior. Also, security researchers have repeatedly demonstrated their ability to reverse engineer patches and create malicious payloads for tools such as Metasploit within hours of patch release.

The end result is that the release of a patch to the public is effectively the same as the release of an exploit. While patch management is a necessary part of any enterprise’s security architecture, it is unrealistic to expect that patches can be deployed in advance of an exploit being created. For complex operating environments that require a large amount of regression testing for new patches, the time to patch can still be measured in weeks.

Public disclosure is fading

At the same time that exploits are being developed at a faster pace, it seems that public discourse on vulnerabilities is becoming less commonplace. There have been a variety of zero-day exploits for Microsoft products in 2006, including attacks against the Windows Metafile (WMF) format, Vector Markup Language (VML), and Internet Explorer. While the public mailing lists still carry a constant flow of SQL injection vulnerabilities in websites, there was little discussion of serious bugs such as WMF and VML prior to exploits being seen in the wild. Also, a large number of “coordinated releases” are occurring, where a security researcher announces a vulnerability in conjunction with the vendor releasing a patch.

It seems that vulnerability and exploit information is being kept closely held by the researchers and companies that find the bugs. Some companies, such as iDefense and TippingPoint, are even paying security researchers for exclusive rights to vulnerability and exploit information. These bugs are disclosed to private companies that in turn use the information to differentiate their products and services from their competitors’ (e.g. a company that buys vulnerabilities can integrate the vulnerability information into its IPS product and claim that the product protects against exploits that are not publicly known).

The end result for the community is that security practitioners have less information to go on regarding new vulnerabilities and mitigation options until it is already too late. Also, with so much information being kept closely held, it is hard to get a handle on vulnerability trends and protections without paying for it. This represents a shift from the past, where a security practitioner could monitor public channels for information, to a present in which they need to pay for access to private repositories of data.

“Security researchers have repeatedly demonstrated their ability to reverse engineer patches and create malicious payloads for tools such as Metasploit in a matter of hours from patch release”

Impact on your security architecture

Overall, attackers have more of an advantage than ever before. What used to require a high level of sophistication to execute can now be carried out by your local script kiddie. The VML exploits, for example, were nearly undetectable by most security products in the first few days of widespread use. This is a very dangerous situation for an enterprise because not only can an attacker use a zero-day exploit to cause mass havoc on your systems, but an attacker could just as easily exploit a small handful of machines and maintain access for long periods of time without detection. This second type of targeted attack is difficult to prevent and detect, but represents a longer-term and potentially more dangerous threat to your systems and your business.

All this means your security architecture needs to be able to detect and prevent attacks that aren’t yet publicly known. Unfortunately, most of the products we commonly deploy in our enterprises are based on foreknowledge of an attack or vulnerability. While modern anti-virus and IDS systems do have some ability to look for variants of a known attack and the fingerprints of attack execution, they are still fundamentally signature-based systems.

These trends in the attack space are going to drive the market for other types of security products. Host Integrity Monitoring Systems (HIMS), for instance, are a good technology for looking for change on your end systems. While not all changes to a system are relevant to security, a HIMS will at least find traces of previously unknown attacks. Technologies like statistical analysis of network data and log analysis across log data sets will also help find new and modified attack vectors. With respect to prevention, strong operating system security models such as those offered by Novell’s AppArmor and SELinux will provide an enterprise some protection against these unknown attacks. However, these protection mechanisms can be unwieldy to deploy en masse and are very operating-system-specific.
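A host integrity monitor of the kind the paragraph describes, as an added example that is not from the article or from any HIMS product: it hashes every regular file under a root directory, keeps the result as a baseline, and on a later pass reports files that were added, removed or modified (by content, permission bits or size). The ignore list illustrates the paragraph's caveat that not all change is security-relevant; the directory layout, file names, file contents and the ignored `var/log/` prefix in the demo are constructed assumptions, not data from the article.

```python
"""Minimal host integrity monitor: hash a file tree, keep a baseline, report drift."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption for the demo: paths under var/log/ are expected to change on every
# pass (log growth), so a change there is noise rather than a finding. A real
# deployment tunes this per host.
DEFAULT_IGNORE = ("var/log/",)


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore=DEFAULT_IGNORE):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    root = Path(root)
    ignore = tuple(ignore)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            # Symlinks are skipped: their target may lie outside the monitored tree.
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            if ignore and rel.startswith(ignore):
                continue
            st = p.stat()
            state[rel] = {
                "sha256": _sha256(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return state


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(state, path):
    """Persist a snapshot; in production the baseline lives off-host or read-only."""
    Path(path).write_text(json.dumps(state, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed tree, baseline it, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "sshd").write_bytes(b"ELF original binary")          # constructed
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")  # constructed
        (root / "var" / "log" / "auth.log").write_text("line 1\n")          # constructed

        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)
        baseline = load_baseline(baseline_file)

        # Constructed changes between passes: one binary replaced with different
        # content of the same size, one new file, and normal log growth.
        (root / "bin" / "sshd").write_bytes(b"ELF replaced binary")
        (root / "etc" / "new.conf").write_text("option = value\n")
        (root / "var" / "log" / "auth.log").write_text("line 1\nline 2\n")

        # The baseline file itself is written after the first snapshot and so
        # shows up as an addition; exclude it like any other expected path.
        current = snapshot(root, ignore=DEFAULT_IGNORE + ("baseline.json",))
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The replaced binary is caught by its hash even though its size and mode are unchanged, the new file is reported as an addition, and the grown log is silent because its prefix is on the ignore list. Keeping the baseline on the monitored host, as the demo does for simplicity, is the weak point of any such tool: whoever can alter the files can also alter the baseline, so a real deployment stores it read-only or off-host.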

Parting shots

The path forward for security in your enterprise is not well defined. What is known, however, is that the existing suite of security products you are used to will be necessary but not sufficient for keeping attackers at bay. You will have to consider new tools and software products that may not be in your arsenal today in order to keep your enterprise free of the wily hacker.
