The Essentials of Enterprise Security

An Internet.com Security eBook

Contents

An Overview of Enterprise Security
Penetration Testing, Patch and Vulnerability Scanning
Dealing with Insider Threats
Mobile and Wireless Security
Password Security
Quick Wins for Enterprise Security

Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.

An Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.

An Overview of Enterprise Security
By Paul Rubens

Keeping the servers, laptops and desktop PCs in your organization secure is a vital job, as a breach in security can lead to:

• Valuable data being destroyed or altered

• Competitors gaining access to confidential data such as proprietary information, future product plans, or financial data

• Credit card numbers and other customer personal data being stolen

• Virus and other malware infections, which can have unknown consequences. Once infections are discovered there is a loss in productivity, as resources have to be devoted to removing the infections and bringing the disinfected or rebuilt systems back into service.

The cost of a serious security breach can be very high indeed: in 2009 the average per-incident cost for U.S. companies was $6.65 million, or $204 per compromised customer record, according to the Ponemon Institute.

For this reason most organizations devote significant resources to keeping malware and malicious hackers from getting on to the corporate network and gaining access to data.

Typical defenses against these threats include:

• A firewall to separate the corporate network from the Internet

• An intrusion prevention/detection system (IPS/IDS) to detect when typical hacker activities, such as port scans, occur and take steps to prevent them from successfully penetrating the network

• Malware scanners to prevent malicious software from getting on to the network hidden in e-mail, instant messaging, or Web traffic

• The use of passwords and other authentication systems to prevent unauthorized access to networks, computers, or data stored on them

Most organizations also devote resources to mitigating the "insider threat": data being stolen, altered, or deleted by staff members inside the organization who can access computer systems using their own (or colleagues') authentication credentials, without the need to break in using hacking techniques. Insiders are typically motivated by the desire to make more money or to get revenge for a perceived injustice (such as an unsuccessful request for a raise), or they act under coercion.

Typical defenses against the insider threat include:

• Screening new employees for previous criminal behaviour, and monitoring all employees for unusual behavior that might indicate dissatisfaction with the organization or a troubled personal life

• Implementing endpoint security systems to prevent employees copying confidential information onto memory sticks and other removable media

• Monitoring and logging employee e-mail and Web activity, and using database monitoring systems

Can Your Systems Ever Be Completely Secure?

The answer to this question has to be "no." That's because it's not possible to know what previously unknown vulnerabilities may be discovered in your systems and the software that you run.

The question that you can try to answer is "How easily could my systems be compromised?" It is a deceptively simple question, but it is essential that you know the answer to it. That's because if you don't, it may turn out that:

• Your Web applications are vulnerable to SQL injection attacks

• Holes in your firewall leave your network vulnerable

• Your IPS/IDS is not configured correctly and will not protect your network effectively

• The passwords used to protect your resources are not sufficiently strong to provide the protection you require

• Your IT infrastructure has other vulnerabilities you are not aware of, such as an unauthorized and insecure wireless access point set up by an employee

Penetration Testing, Patch and Vulnerability Scanning

Defending a network and attacking a network are two different disciplines that require different mindsets, so it follows that the people best qualified to test whether your network could easily be compromised are not corporate security staff, who are experts at defending a network, but hackers who are experts at attacking them. A penetration test involves a trusted third party actively carrying out the same sorts of scans and attacks as a hacker to see if it is possible to find any vulnerabilities that can then be used to break into your network and compromise your systems.

Some organizations choose to have penetration tests carried out on selected parts of their IT infrastructure, such as their wireless networking setup or a particular Web application, but it generally makes most sense to have the entire IT infrastructure tested. That's because in many cases hackers find vulnerabilities in one area that can then be leveraged to attack another area. By gaining access to the network after cracking a weak password on a rogue wireless access point, for example, it may then be possible to compromise a server and acquire log-in credentials to get access to a database.

A complete penetration test will seek to find vulnerabilities in areas that include:

• Networking equipment, server and desktop operating systems, applications, and databases: Are these correctly configured and patched, and do other vulnerabilities exist?

• Web applications: Are they susceptible to SQL injection, cross-site scripting, and other attacks?

• Wireless infrastructure: Do unauthorized rogue access points exist, and are all authorized ones secured using appropriate encryption and strong passwords?

• Physical access: Is it possible to walk in and steal data, or gain useful information about IT systems from trash left in dumpsters?

• Staff training: Can employees be tricked by social engineering into revealing passwords and other confidential information, or into clicking on an e-mail attachment containing malicious software?

After the penetration test, the testers should produce a report of their findings, detailing any weaknesses, their seriousness, and the actions that need to be taken to correct them.

In broad terms, then, a penetration test is a vital step in the corporate IT security process that can identify vulnerabilities in all areas of your IT infrastructure and prioritize the work needed to fix them.

Penetration tests also have secondary benefits. By having a test carried out you may be able to prove due diligence and compliance to industry regulators, as well as to shareholders and customers. This is valuable because non-compliance can, in some cases, mean heavy fines for your organization, and possibly even personal repercussions including loss of your job and prosecution.


Penetration Testing Your IT Infrastructure

Scope

The first step is to decide on the scope of your planned penetration test. In other words, do you want to test a particular Web application or database server, or do you want to test your entire IT infrastructure? And do you want to restrict the testing to hardware and software, or should the penetration testers be allowed to attempt to gain access to systems using social engineering and physical access techniques as well?

Constraints

There are a number of ways in which a penetration test can be carried out, and the initial constraints that you set out will have an impact on the results. One of the most important constraints is the amount of information a test team starts out with when the penetration test begins.

To understand this, put yourself in the shoes of a hacker on the outside of a large organization such as your own. Before he can launch a concerted attack to break into your systems, he has to carry out a great deal of preparatory work that may include:

• Information gathering: Using Google and other resources to find out as much as possible about your company, its employees, their names, and so on

• Port scanning: To establish what hosts are connected to a network, what operating systems they are running, and what services they have running on them that may be vulnerable to attack

• Reconnaissance: Contacting particular servers that an organization may be running to get information from them (such as the specific versions of the applications that are running)

These and other activities help the hacker build up a partial picture of your network infrastructure that he can use in his hunt for vulnerabilities. Only then is he in a position to exploit any vulnerability he has discovered in any of the systems.
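The port scanning and reconnaissance steps above, as an added example that is not part of the original eBook: a small Python banner grabber and service fingerprinter. grab_banner connects to a host and port and records what the service announces (sending a minimal HEAD request on web ports so the Server header appears); parse_banner then extracts a product name and version using a handful of patterns. The pattern list, the sample banners and the host addresses are assumptions constructed for this example, and the patterns cover only a few common banner formats; real services vary, and administrators can hide or falsify version strings.

```python
import re
import socket

# Patterns for a few common service banners. Each maps a regex to a product
# name; the first capture group, where present, is the version string.
# Illustrative assumptions for this example: real banners vary by vendor,
# version and configuration, and this list is far from complete.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-[\d.]+-OpenSSH[_-]([\w.]+)"), "OpenSSH"),
    (re.compile(r"^220 .*?ESMTP Postfix"), "Postfix"),
    (re.compile(r"^220 .*?Microsoft ESMTP MAIL Service.*?Version: ([\d.]+)"), "Microsoft SMTP"),
    (re.compile(r"^220 \(vsFTPd ([\d.]+)\)"), "vsFTPd"),
    (re.compile(r"^Server: Apache/([\d.]+)", re.IGNORECASE | re.MULTILINE), "Apache"),
    (re.compile(r"^Server: Microsoft-IIS/([\d.]+)", re.IGNORECASE | re.MULTILINE), "Microsoft IIS"),
]


def parse_banner(banner):
    """Return (product, version) recognised in a banner, or None.
    version is None when the banner names a product but gives no version."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            version = match.group(1) if match.groups() else None
            return product, version
    return None


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and return the first bytes the service sends.
    HTTP servers say nothing until asked, so send a minimal HEAD request on
    the usual web ports to elicit the Server header. Needs network access;
    the offline sample below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if port in (80, 8080):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", errors="replace")


def fingerprint_hosts(banners):
    """Map {(host, port): banner text} to {(host, port): (product, version)},
    dropping services whose banner matches no known pattern."""
    results = {}
    for key, text in banners.items():
        parsed = parse_banner(text)
        if parsed is not None:
            results[key] = parsed
    return results


# Constructed sample banners for the offline demonstration (assumed hosts,
# not captured from any real system).
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_5.3\r\n",
    ("10.0.0.5", 25): "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    ("10.0.0.7", 21): "220 (vsFTPd 2.2.2)\r\n",
    ("10.0.0.9", 80): ("HTTP/1.1 200 OK\r\nDate: Tue, 02 Mar 2010 10:00:00 GMT\r\n"
                       "Server: Apache/2.2.14 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"),
    ("10.0.0.11", 8080): "HTTP/1.1 200 OK\r\nX-Powered-By: something\r\n\r\n",
}

if __name__ == "__main__":
    for (host, port), (product, version) in sorted(fingerprint_hosts(SAMPLE_BANNERS).items()):
        print(f"{host}:{port:<5} {product} {version or '(version not disclosed)'}")
```

The unmatched host on port 8080 is the interesting case for a tester: a service that discloses nothing forces the attacker to probe further, which is exactly what the black box approach below makes them do.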

This has important implications as far as penetration testing is concerned.

Black Box Testing

One option is to put the penetration testers in exactly the same situation as a hacker by giving them no information at all about your IT systems before they start testing. That means that they must first build up their own picture of your infrastructure before they can begin to test it for vulnerabilities. The advantage of this "black box" approach is that it simulates the conditions that a real hacker would face, and enables you to prioritize corrective measures based on real-world conditions.

White Box Testing

Another option goes to the other extreme. A "white box" approach gives the penetration testers all the information they need about the infrastructure to be tested, including network topology and details about each host and the software it is running. This type of approach more accurately simulates what a hacker might do if he had been provided with inside information from a disgruntled former employee, but won't necessarily reveal which systems are the most vulnerable.

Who Should Carry Out a Penetration Test?

The results of a penetration test, either white box or black box, will depend on the skills of the team carrying out the test. Just as some hackers may be able to break into your systems while others will not, a good penetration testing team will be able to highlight vulnerabilities that others will miss. That is why choosing the right people to carry out the test is crucial.

The most important thing is to avoid the temptation to carry out a penetration test yourself, using your own IT staff. That's because the more familiar you are with the systems to be tested, and the security measures that have been put in place, the more likely you are to overlook something during a test. (After all, if you overlooked a vulnerability when you built your defenses, there is no reason to suppose that you won't overlook it again when carrying out a test.) For the same reason, it is also important not to use any of the companies that supplied or installed any of your IT infrastructure.

That means that it is usually advisable to use specialist third-party penetration testers who can approach the test with a completely open mind. Questions you should ask before choosing one include:

• Who will be in the penetration testing team?

• How experienced are they? How long have they worked for the organization?

• What professional qualifications and certifications do they have?

• What methodology (such as the Open Source Security Testing Methodology Manual, OSSTMM), if any, do they follow?

• How would they carry out a penetration test, and to what timescale?

• What sorts of reports and recommendations would they provide after the test, and how much detail would they go into?

Risks of a Penetration Test

Before having a penetration test carried out, it's worth bearing in mind that there can be associated risks.

The first risk comes from giving a third-party organization the authority to explore your network infrastructure. The assumption is that this organization is trustworthy, but if it, or any of the individuals that make up the penetration testing team, is not, then there is a risk that they could exploit any vulnerabilities discovered for their own use.

The second risk derives from the actions of the penetration testers during the tests. At the very least, it is likely that the scans and probes that the testers carry out will slow down your network and reduce the responsiveness of your servers from time to time. But there is also a risk that some actions could crash one or more of your systems or make them unreachable, impacting the day-to-day running of your business. This risk may be mitigated by carrying out tests outside business hours, but this constraint impacts the validity of the tests, since hackers would not be subject to it.

Both risks are normally addressed in a written rules-of-engagement agreement that fixes the scope, the testing windows, the systems that must not be touched, how findings and any data obtained are to be handled, and whom to contact if something breaks.

Automated Penetration Testing, Vulnerability, and Patch Scanning

A penetration test can only reveal vulnerabilities in your IT infrastructure at a particular period in time: the period in which the penetration test is carried out. For that reason it is sensible to have a penetration test conducted at regular intervals, which could range from every six months or so to every two or three years, as well as whenever major changes are made to your infrastructure.

Figure 1. Automated penetration testing with Metasploit Express.

In between these full penetration tests you can use penetration testing software to carry out automated tests on a far more regular basis and at far lower cost. A skilled human can carry out a more thorough test than any automated software tool, but using penetration testing software to carry out your own penetration tests is still a good idea because:

• You can carry out these tests yourself on a monthly or even weekly basis, or whenever you make significant infrastructure changes, without incurring the costs associated with repeated tests carried out by a consultant.

• If you use many of the free penetration testing tools that are available you will almost certainly be using the same ones that many hackers use as hacking tools. If you can successfully compromise your organization's security with these tools then so can hackers, even relatively unskilled hackers who know how to use the software.

Examples of commercial penetration testing software include:

• Core Impact Pro, Core Security Technologies, www.coresecurity.com

• Immunity CANVAS Professional, Immunity, www.immunitysec.com

• Metasploit Express, Rapid7, www.rapid7.com, see Figure 1.

Free, open source penetration testing software includes:

• Metasploit Framework, www.metasploit.com

• Fast-Track, www.thepentest.com

Vulnerability Scanning

A vulnerability scanner is another type of tool that you can run on a regular basis to highlight security problems that can then be fixed. While a penetration testing tool tries to actively exploit vulnerabilities that it finds to compromise systems, a vulnerability scanner checks for known vulnerabilities without using those vulnerabilities to further penetrate your systems.

Figure 2. Performing a vulnerability scan with Tenable Nessus.

The vulnerabilities that these scanners can search for include:

• Hardware or software that has been left with the default password

• Software that has a known vulnerability such as a buffer overflow issue

• Web servers hosting PHP applications that are vulnerable to SQL injection

• Operating systems with missing security patches

• Undesirable software such as peer-to-peer file-sharing applications

• Unnecessary ports left open on hosts

Good vulnerability scanners will report a risk score for each vulnerability they find so you can prioritize remediation work, as well as recommend a solution (such as closing a port, upgrading an application to the latest version, or applying a vendor-supplied patch). Because many checks infer a vulnerability from a reported version number rather than by exploiting it, scanner findings include false positives and should be confirmed before remediation work is scheduled.

Commercial vulnerability scanners include:

• Nessus, Tenable Network Security, www.nessus.org, see Figure 2.

• NeXpose Enterprise, Rapid7, www.rapid7.com

• Secunia Enterprise Vulnerability Manager, Secunia, www.secunia.com

• WhiteHat Sentinel, WhiteHat Security, www.whitehatsec.com

• HP WebInspect, HP, www.hp.com

• IBM Rational AppScan Enterprise, IBM, www.ibm.com

Free, open source vulnerability scanners include (note that the three below focus on Web applications rather than network-wide scanning):

• Nikto2, www.cirt.net/nikto2

• Paros Proxy, www.parosproxy.org

• WebScarab, www.owasp.org

Patch Scanning

Related to general purpose vulnerability scanners are application patch scanners. Patch scanners scan hosts to identify the applications running on them, and identify which applications need updating to a newer version or are missing patches.

To make application updating as simple as possible, some scanners provide links to the necessary updates or patches that should be applied to particular systems. Some also integrate with Windows Server Update Services or Microsoft's System Center Configuration Manager so that updates and patches can be applied automatically from a central location.

Figure 3. Secunia’s Network Software Inspector.

Commercial application patch scanners include:

• Secunia Corporate Software Inspector, www.secunia.com, see Figure 3.

• Shavlik NetChk, Shavlik, www.shavlik.com

• Lumension Patch and Remediation, www.lumension.com

Dealing with Insider Threats

Insiders, people who work within your organization, pose a potential security risk that shouldn't be overlooked. That's because while hackers and other outsiders have to overcome all of your security measures to break into your network and gain access to systems and data, many insiders have valid credentials to log on quite legitimately and access the systems and data they need to carry out their jobs.

Unless appropriate steps are taken, it can be quite trivial for rogue employees to copy your confidential data onto a memory stick and walk out the door, install a keylogger to steal colleagues' login credentials, install a logic bomb to destroy data in the future, or set themselves up with log-in credentials to ensure that they have access to your systems so they can attempt to continue stealing your data even after they have left your employment.

There are a number of precautions you can take to minimize the insider threat, and these fall into two broad categories: human resource-based and technology-based.

Human Resources Precautions

More than 30 percent of insider attacks are carried out by employees who have criminal records at the time they are hired. Basic checks can help you identify prospective employees with a history of fraud or theft, while in certain industries it may also pay to have a third party carry out more specialized background checks to try to identify industrial spies or agents from foreign governments.

Many insider attacks are motivated by a desire for revenge for a perceived slight: failure to get a promotion or a pay raise, for example. Signs of a disgruntled employee include becoming unusually emotional at work or displaying a change in normal behavior patterns, such as a noticeable drop in work performance or an increasing propensity to arrive late. It is therefore important that managers and other staff are alert to these sorts of signs. Once identified, these employees' IT resource usage should be carefully monitored.

Well-meaning employees who download the contents of a customer database into Excel on their laptop so that they can take it home and analyze it, or who write their passwords down on Post-It notes where colleagues can see them, also pose an insider threat, albeit without malicious intent. The best defense against these threats is to continually remind people of your security policies and the reasons why these policies exist. It may also be appropriate to remind employees of the consequences of failing to adhere to security policies or any other negligent behavior.

More than two-thirds of insider attacks are carried out by former staff within three weeks of leaving. An exit interview with staff on their last day of employment in your organization is an opportunity for you to remind them of the consequences of any illegal actions. Some organizations present employees with printouts of recent e-mails or websites that they have visited at these interviews to reinforce the message that their actions have been monitored. These measures may be enough to dissuade some employees who are considering some form of revenge action from actually carrying it out. Just as important, the departing employee's accounts and remote access should be disabled on that same day, not whenever the next account review happens to run.

Technology-Based Precautions

Using a honeytoken can help you detect malicious insider activity. A honeytoken is a piece of made-up data, such as a particular meaningless string, that can be inserted into a database where it should never be accessed under normal circumstances. If your monitoring systems detect that the honeytoken is accessed then this is clearly not normal business behavior and may provide a warning that database records are being accessed (or copied) by a malicious insider (or an outside hacker). You can also configure intrusion detection systems to alert administrators if packets containing the honeytoken travel over your network (this works only where the traffic is not encrypted in transit).

More than half of staff members that lose their jobs take confidential corporate information with them on a DVD or USB drive, according to research carried out by the Ponemon Institute. Endpoint security systems can restrict what portable storage devices can be used, and by whom, and monitor what information is copied. Such systems can be useful in making it harder to copy information maliciously without being detected, but can't prevent a trusted insider with authority to copy data from doing so maliciously.

Monitoring data sources rather than end points can let you put your finger on anomalous behavior, or behavior that goes against your policies, in real time, enabling you to react before data leaves your organization. If a user normally accesses order data one record at a time, and then suddenly accesses hundreds of records in one go, or starts accessing different applications or databases from those that they normally use, then by monitoring your data sources you should be able to detect this.

Insiders pose a greater threat than outside hackers because they have access credentials to your data, but you can reduce the threat by ensuring they only have access to data they need to carry out their day-to-day duties. A good rights management system will enable you to compare any employee's data access rights with the data they actually need, and flag any unnecessary rights that can be removed.

Over a third of all insider attacks are carried out by IT administrators or superusers. Database administrators (DBAs) have enormous powers over your database, so particular care needs to be taken to ensure that you are in a position to detect any malicious behavior on their part. A good database activity monitoring system, controlled by a security officer rather than a DBA, can check that a DBA who makes structural changes to your database is not also accessing the data itself.
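A worked example of the honeytoken check and the data-source monitoring described above, added here and not taken from the original eBook: Python that parses a constructed database audit log (the line format, user names, tables and the planted honeytoken value are all assumptions for this example), raises an alert on any query that references the honeytoken, and compares each user's later activity against a baseline of rows-per-query and tables touched to flag bulk reads and unfamiliar tables.

```python
import re
from collections import defaultdict

# Constructed audit-log lines in an assumed format (timestamp, user, table,
# rows returned, query text). Not taken from any real database.
SAMPLE_LOG = """\
2010-03-02T09:01:12 user=alice table=orders rows=1 query="SELECT * FROM orders WHERE id=48211"
2010-03-02T09:03:40 user=alice table=orders rows=1 query="SELECT * FROM orders WHERE id=48219"
2010-03-02T09:05:02 user=bob table=orders rows=1 query="SELECT * FROM orders WHERE id=48230"
2010-03-02T09:10:55 user=alice table=orders rows=1 query="SELECT * FROM orders WHERE id=48244"
2010-03-02T17:42:03 user=bob table=customers rows=1 query="SELECT * FROM customers WHERE email='zq7-honey-41k@example.invalid'"
2010-03-02T17:45:19 user=alice table=orders rows=850 query="SELECT * FROM orders"
2010-03-02T17:46:01 user=alice table=payroll rows=1 query="SELECT * FROM payroll WHERE emp=1"
"""

# Planted customer record that no business process ever selects (assumed value).
HONEYTOKEN = "zq7-honey-41k@example.invalid"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+) query="(?P<query>.*)"$'
)


def parse_log(text):
    """Turn audit-log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["rows"] = int(event["rows"])
            events.append(event)
    return events


def honeytoken_alerts(events, token):
    """Every event whose query text references the honeytoken. The value
    exists in no legitimate workflow, so any hit is worth an alert."""
    return [event for event in events if token in event["query"]]


def build_baseline(events, until_ts):
    """Per-user profile from events before until_ts: the largest row count
    seen in one query and the set of tables used. Assumes the window is clean."""
    baseline = defaultdict(lambda: {"max_rows": 0, "tables": set()})
    for event in events:
        if event["ts"] < until_ts:  # ISO-8601 timestamps compare as strings
            profile = baseline[event["user"]]
            profile["max_rows"] = max(profile["max_rows"], event["rows"])
            profile["tables"].add(event["table"])
    return baseline


def anomaly_alerts(events, baseline, since_ts, volume_factor=10):
    """Flag events from since_ts onward where a user pulls far more rows than
    their historical maximum, or touches a table they have never used."""
    alerts = []
    for event in events:
        if event["ts"] < since_ts:
            continue
        profile = baseline.get(event["user"])  # .get() does not create a default entry
        if profile is None:
            alerts.append((event["ts"], event["user"], "no baseline for user"))
            continue
        if event["rows"] > volume_factor * max(profile["max_rows"], 1):
            alerts.append((event["ts"], event["user"],
                           f"bulk read: {event['rows']} rows from {event['table']}"))
        if event["table"] not in profile["tables"]:
            alerts.append((event["ts"], event["user"], f"new table: {event['table']}"))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for event in honeytoken_alerts(events, HONEYTOKEN):
        print("HONEYTOKEN", event["ts"], event["user"], event["query"])
    cutoff = "2010-03-02T12:00:00"  # morning activity forms the baseline
    profiles = build_baseline(events, cutoff)
    for alert in anomaly_alerts(events, profiles, cutoff):
        print("ANOMALY", *alert)
```

In the sample, bob's lookup of the planted customer row fires the honeytoken rule even though it returns a single record, while alice's 850-row dump and her first-ever read of the payroll table are caught by the baseline comparison; neither would be visible to an endpoint agent watching USB copies.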

Mobile and Wireless Security

The security of your corporate data and the integrity of your company network are put at risk whenever you travel with a business laptop. That's because the laptop is no longer protected by the physical security that your office provides, or the security systems designed to protect the software running on it. And any malware that gets onto your laptop has the potential to infect other devices on your network next time your laptop connects to it.

Encrypt the Hard Drive

If your laptop is lost or stolen, anyone who gets their hands on it could steal your data, read confidential e-mails, communicate with your contacts, and possibly even connect to your corporate network and cause even more havoc.

The best way to prevent this is to encrypt the laptop's hard disk so that a password has to be entered before the computer will boot. This will also make your data inaccessible even if the hard drive is removed and connected to another computer.

For laptops running business versions of Windows Vista or Windows 7 you can use Microsoft's BitLocker utility, included with the operating system, to encrypt the system drive. Apple MacBook users running OS X 10.3 or later can create an encrypted disk image using Disk Utility, although this protects only the files placed inside the image rather than the whole system drive. For other Windows versions the open source TrueCrypt application will encrypt the system drive for free, and on Linux and OS X it provides encrypted volumes. (TrueCrypt has since been abandoned by its developers; VeraCrypt is its maintained successor.)

Figure 4. Encrypting a volume with TrueCrypt.

Use a VPN

Connecting to the Internet from a business center, Internet café, or airport hotspot presents a serious security risk, as these are environments where it is relatively easy to intercept your data. A VPN encrypts all data before it leaves your laptop, and keeps it encrypted until it reaches a trusted endpoint such as your home or office network (provided the VPN is configured to route all traffic through the tunnel rather than only traffic destined for the office network). If your company doesn't provide a VPN, try the free OpenVPN. Simpler-to-use solutions include paid-for services like HotSpotVPN, which uses OpenVPN, or remote access services like GoToMyPC or LogMeIn, both of which encrypt the remote-control session between your laptop and a PC on a trusted office or home network (but, unlike a VPN, leave the laptop's other traffic unprotected).

Chain Up Your Laptop

Most laptops have a security cable socket (known as a Kensington slot), which allows you to physically attach your laptop to a desk or table. While this may not be necessary most of the time, using a security cable is a sensible precaution at conferences or other busy environments where you may be distracted and unable to keep watch over your laptop all of the time.

Keep Your Backup Data Secure

Keeping backup copies of important data and passwords separate from your laptop is always a sensible precaution in case your laptop is lost or stolen while travelling. To keep them secure, ensure they are stored in encrypted form, ideally on a USB drive.

You can store files on an encrypted partition on a standard USB stick using the free TrueCrypt (see Figure 4), as long as you can remember a long and secure password to protect it. For even more security you can secure files and passwords on a special USB stick like the IronKey. The IronKey (see Figure 5) includes a feature that causes the device to self-destruct if the wrong password is entered 10 times in a row, effectively preventing brute-force attacks that involve trying millions of different password possibilities until the correct one is found, and therefore making shorter, more memorable passwords more secure. Other secure USB sticks include the BlockMaster SafeStick and the SanDisk Cruzer Enterprise FIPS Edition.

Figure 5. IronKey control panel.

Wireless Security

Rogue access points and weak passwords are the bane of any network administrator's life: all it takes is one user setting up a consumer-grade wireless router in their cubicle for there to be a potentially serious security risk. If a rogue wireless signal leaks out into the street then anyone nearby could get access to your corporate network: an open or WEP-protected rogue AP can be joined or cracked trivially, and even WPA or WPA2 does not help if the user chose a weak passphrase.

But it's not just rogue APs that are a worry. Unless you are using WPA-Enterprise or WPA2-Enterprise (both of which authenticate each user against a RADIUS server rather than relying on a shared passphrase) in your organization, then any wireless networks you are using also present a risk.

The best way to check for rogue access points is to scan for them by walking around your organization's premises with a laptop running scanning software such as NetStumbler, airodump-ng (part of the aircrack-ng suite), or Kismet. Compare what you find against an inventory of your authorized access points' BSSIDs (MAC addresses): an unknown BSSID advertising your corporate network name deserves particular attention.


Figure 6. Performing a wireless audit with airodump-ng.

If your IT infrastructure includes wireless networks that do not use a RADIUS server for authentication then it is unwise to rely on WEP encryption, as it can easily be cracked in a few minutes using the aircrack-ng suite. Instead, ensure any wireless access points are configured to use WPA or WPA2 with a long, random pre-shared key.

You can check that your WPA passwords cannot easily be cracked using the WPA Cracker service (www.wpacracker.com/). Bear in mind that such a service works from a captured WPA four-way handshake that you upload, so you are handing a third party the material needed to recover your passphrase; treat it with the same care as any other outsourced test.
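An added example of the rogue access point check, not part of the original eBook: a Python script that reads the CSV file airodump-ng writes, compares every BSSID seen against an inventory of authorized access points, and flags rogue APs, rogue APs advertising a corporate network name (an "evil twin"), and any network that is open, uses WEP, or relies on a pre-shared key rather than WPA-Enterprise. The authorized-AP inventory and the sample capture are constructed for this example; the CSV column layout is modelled on airodump-ng's output as the author of this example understands it and should be checked against the version you run.

```python
import csv
import io

# Inventory of authorized access points, BSSID -> ESSID. Assumed for the example.
AUTHORIZED_APS = {
    "00:14:6C:7E:40:80": "corpnet",
    "00:14:6C:7E:40:81": "corpnet",
}

# Constructed sample in the layout of an airodump-ng CSV file: a header row,
# one access point per line, a blank line, then the client station table.
# Column names follow airodump-ng's output as assumed here; every BSSID,
# ESSID and timing value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2010-03-02 10:00:01, 2010-03-02 10:09:58,  6,  54, WPA2, CCMP, PSK, -48,  412,    0,   0.  0.  0.  0,   7, corpnet,
00:14:6C:7E:40:81, 2010-03-02 10:00:03, 2010-03-02 10:09:57, 11,  54, WPA2, CCMP, PSK, -61,  398,    0,   0.  0.  0.  0,   7, corpnet,
00:1D:7E:AA:BB:CC, 2010-03-02 10:02:11, 2010-03-02 10:09:50,  1,  54, WEP, WEP, , -55,  120, 2310,   0.  0.  0.  0,   7, linksys,
00:1E:58:11:22:33, 2010-03-02 10:04:40, 2010-03-02 10:09:55,  6,  54, OPN, , , -70,   88,    0,   0.  0.  0.  0,  14, corpnet-guest2,
00:21:29:44:55:66, 2010-03-02 10:05:02, 2010-03-02 10:09:59,  6,  54, WPA, TKIP, PSK, -58,  300,    0,   0.  0.  0.  0,   7, corpnet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:CE:12:34:56, 2010-03-02 10:03:00, 2010-03-02 10:09:00, -40, 55, 00:1D:7E:AA:BB:CC,
"""


def parse_airodump_aps(text):
    """Return the access point rows of an airodump-ng CSV as dicts keyed by
    column name, with whitespace stripped. Parsing stops at the blank line
    that separates the AP table from the station table."""
    ap_table = text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_table), skipinitialspace=True)
    return [{key.strip(): (value or "").strip() for key, value in row.items() if key is not None}
            for row in reader]


def classify_aps(aps, authorized):
    """For each AP return (bssid, essid, privacy, verdicts). Verdicts:
    'rogue'              BSSID not in the authorized inventory
    'evil-twin'          rogue AP advertising one of our own ESSIDs
    'open' / 'wep'       no encryption, or WEP (crackable in minutes)
    'psk-not-enterprise' WPA/WPA2 with a shared passphrase rather than
                         802.1X/RADIUS (airodump shows PSK instead of MGT)"""
    our_essids = set(authorized.values())
    findings = []
    for ap in aps:
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        verdicts = []
        if bssid not in authorized:
            verdicts.append("rogue")
            if essid in our_essids:
                verdicts.append("evil-twin")
        if privacy == "OPN":
            verdicts.append("open")
        elif privacy == "WEP":
            verdicts.append("wep")
        elif ap["Authentication"] == "PSK":
            verdicts.append("psk-not-enterprise")
        findings.append((bssid, essid, privacy, verdicts))
    return findings


if __name__ == "__main__":
    for bssid, essid, privacy, verdicts in classify_aps(parse_airodump_aps(SAMPLE_CSV), AUTHORIZED_APS):
        print(f"{bssid}  {essid:<15} {privacy:<5} {', '.join(verdicts) or 'ok'}")
```

The last sample row is the case the text warns about: an unknown router broadcasting the corporate ESSID with WPA and a pre-shared key, which clients may happily join. Note that a survey like this only tells you an AP is nearby; whether it is plugged into your wired network still has to be confirmed from the switch side.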

Password Security

The first line of attack for a malicious hacker trying to guess a password or crack a password hash is to try a list of "obvious" words, such as "password", the company name, the user's name, or the name of a spouse, child, or pet if known. If this fails, the hacker will probably then run a "dictionary attack," methodically trying every word in a long word list. These lists will likely include letter and number patterns like "abcde", "qwerty", "asdf", and "12345", and common substitutions, such as replacing "e" with "3" or "s" with "5", as well as adding one, two, or three digits before or after each word, or spelling dictionary words backwards.

If a dictionary attack fails the hacker will then likely resort to a brute-force attack, trying every combination of letters, or upper and lower case letters, or upper and lower case letters and digits, or upper and lower case letters, digits, and other characters (like $, %, ^, & and so on) for passwords of increasing lengths.

Password Policies

The role of a corporate password policy is to define rules for passwords to ensure that they provide a level of security that makes the attacks described above unlikely to succeed. The most important rules govern password makeup and length.

Password Makeup

Passwords need to be drawn from such a large pool of possible ones that the probability of successfully brute-forcing the password in a reasonably short amount of time is acceptably small.

If a password consists of six random lowercase letters, there are about 300 million possible passwords (26^6 = 308,915,776). A computer that can check 10 million password guesses per second would take about 30 seconds to check all of these six character passwords.

If the password is made up of six characters drawn from upper and lower case letters (52 in all) plus the 10 digits 0-9, a pool of 62 characters, then there are about 57 billion possibilities (62^6 = 56,800,235,584). It would take the same computer about 95 minutes, just over an hour and a half, to check all of these six character passwords.

This shows that increasing the pool of characters from which each character of a password is randomly drawn makes a significant difference to the amount of time required to brute-force it, and therefore it increases the security of the password appreciably. (The 10 million guesses per second used here is a conservative 2010-era figure; a modern GPU rig tests billions of candidates per second against fast hashes such as NTLM or MD5, which shrinks every time given here by the same factor but does not change the conclusions about pool size and length.)

Password Length

In the examples above, passwords that were six characters long were used, and even drawing from a pool of upper and lower case characters and digits the resulting random passwords could be cracked in less than two hours. One way to make passwords harder to crack is to increase their length.

The SANS (SysAdmin, Audit, Network, Security) Institute recommends that passwords should be at least 15 characters long. Drawing 15 characters at random from upper and lower case letters and digits gives about 7.7 × 10^26 possibilities (62^15, roughly 770 million billion billion), which would take the same 10-million-guesses-per-second computer about 2.4 trillion years to check.

Practical Password Policy

In the real world users can't easily remember random strings (anything longer than seven characters appears particularly hard), so forcing them to use random 15-character passwords effectively forces them to write them down somewhere. This poses an internal security risk: that someone with physical access to the office, such as a co-worker or maintenance staff, will see the password written on a Post-It note and use it to access restricted resources or pass it on to someone outside the organization.

Many organizations, therefore, allow users to pick passwords that are memorable rather than random, while still insisting that they include letters, numbers, and punctuation. Although these are not as secure as random passwords, they can still be highly secure if they conform to a well thought out password policy.

The SANS Institute recommends that organizations adopt a password policy which requires that passwords:

• Contain both upper and lower case characters (a-z, A-Z)

• Have digits and punctuation characters as well as letters (0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

• Are at least 15 alphanumeric characters long and are a passphrase (Ohmy1stubbedmyt0e)

• Are not a word in any language, slang, dialect, or jargon

• Are not based on personal information such as family names

• Can be easily remembered. One way to do this is to create a password based on a song title or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (Note that these two examples are only eight characters long, so they satisfy the character-mix rules but not the 15-character length rule above; the SANS passphrase example, conversely, contains no punctuation. Applying the rules literally, a phrase with digits and punctuation added, such as "Ohmy1stubbedmyt0e!", meets all of them.)

You can download SANS's sample password policy document from www.sans.org/security-resources/policies/Password_Policy.pdf.
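The search-space arithmetic from the Password Makeup and Password Length sections and the SANS rules listed above, as an added Python example that is not part of the original eBook: search_space and seconds_to_exhaust reproduce the six- and 15-character figures for any pool size and guess rate, and check_policy applies the listed rules literally and reports which ones a candidate password fails. The small word list standing in for the dictionary check and the 10 million guesses per second rate are assumptions made for this example.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Stand-in for a real cracking dictionary (constructed for the example).
WORD_LIST = {"password", "welcome", "letmein", "qwerty"}

PUNCTUATION = set(string.punctuation)


def search_space(charset_size, length):
    """Number of distinct passwords of exactly `length` characters, each drawn
    uniformly from a pool of `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password in the space at the given rate."""
    return search_space(charset_size, length) / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def check_policy(password, word_list=()):
    """Apply the SANS rules quoted above literally and return the names of the
    rules the password fails; an empty list means it passes. The dictionary
    rule strips digits and punctuation before the lookup so that 'Password1!'
    still counts as the word 'password'."""
    failures = []
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("mixed-case")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in PUNCTUATION for c in password):
        failures.append("punctuation")
    if len(password) < 15:
        failures.append("length")
    core = password.lower().strip(string.punctuation + string.digits)
    if core in word_list:
        failures.append("dictionary-word")
    return failures


if __name__ == "__main__":
    rate = 10_000_000  # guesses per second, as in the text
    for pool, length in ((26, 6), (62, 6), (62, 15)):
        secs = seconds_to_exhaust(pool, length, rate)
        print(f"pool={pool:3d} length={length:2d} space={search_space(pool, length):.3g} "
              f"exhaustive search={human_time(secs)}")
    for candidate in ("TmB1w2R!", "Ohmy1stubbedmyt0e", "Ohmy1stubbedmyt0e!", "Password1!"):
        failed = check_policy(candidate, WORD_LIST)
        print(f"{candidate!r}: {'fails ' + ', '.join(failed) if failed else 'passes'}")
```

Running the checker over the page's own examples is instructive: the two eight-character variations fail only on length, and the SANS passphrase fails only on punctuation, which is why a policy should be validated against its own sample passwords before it is published.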

From time to time, it is sensible to audit the passwords in use in your organization to see if they can be guessed or brute-forced by popular password tools. If you can successfully crack any passwords then so could a hacker, implying the need to modify your security policy or take steps to ensure that your existing one is being applied throughout your organization. Do this only with written authorization, and handle the extracted password hashes and any cracked passwords as highly sensitive data.

Figure 7. Password auditing with L0phtcrack.

L0phtCrack (www.l0phtcrack.com, see Figure 7) is a commercial password tool. Free or open source password tools include:

• Cain, www.oxid.it/cain.html

• Ophcrack, ophcrack.sourceforge.net

• Medusa, www.foofus.net/jmk/medusa/medusa.html

• Hydra, freeworld.thc.org/thc-hydra/

• John the Ripper, www.openwall.com/john/

Note that Medusa and Hydra attack live login services over the network, which triggers account lockouts and generates log noise, whereas L0phtCrack, Cain, Ophcrack and John the Ripper work offline on captured password hashes.

Quick Wins for Enterprise Security

In addition to all of the methods discussed earlier in this eBook, there are a number of instant action items that can help make your enterprise more secure.

• Remove games, HyperTerminal, and "crapware" that come bundled with end-user machines, and unnecessary software on servers. If you need six applications on a machine, then there should be six, not 20. Ideally, deploy standardized images, and document whenever a non-standardized image is used for any reason.

• Implement ingress and egress filtering, allowing only those ports and services with a documented business need. Configurations should be documented and checked to ensure they are secure.

• Make sure your security logs are monitored to ensure that you will spot any anomalies or unusual behaviour that occurs on your network.

• Use Web application firewalls and application-layer security to protect your applications from SQL injection, cross-site scripting, and other attacks.

• Some IT staff need admin privileges, but not for reading e-mail. Ensure they have different accounts and passwords for admin and non-admin activities.

• Disable any accounts that can't be associated with current staff or contractors, and create a procedure for disabling accounts when users leave. It's also useful to generate regular reports on accounts that are not used regularly and on attempts to access disabled accounts.

• Ensure that all devices have usernames and passwords changed from their defaults.

• Organize a staff security training session. Half an hour spent explaining how and why to choose a secure password, or why clicking on e-mail attachments from unknown sources is a bad idea, can pay huge security dividends.

• Make sure you know which data needs protecting, where it is, and who needs access to it. Ensure controls are in place to restrict access to authorized users.

• Ensuring anti-malware software is running on all systems is important, but make sure you have a system in place so that every system is updated regularly.

• Disable autorun for removable storage devices.

• Make sure the management interfaces of your routers can only be accessed internally, and that firewalls or filters drop all traffic except for services and ports that are explicitly allowed.
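An added example for the account-hygiene quick win above (not from the original eBook): Python that, given a directory export, an HR roster and an authentication log, reports enabled accounts that belong to no current staff member or documented service account, accounts unused for 90 days, and attempts to log in to disabled accounts. The account list, roster, log line format and the 90-day threshold are all assumptions constructed for this example; in a real deployment the inputs would come from your directory service and log collector.

```python
from datetime import date, timedelta

# Constructed directory export: (username, enabled, last logon or None if never).
ACCOUNTS = [
    ("alice", True, date(2010, 3, 1)),
    ("bob", True, date(2009, 11, 2)),
    ("carol", True, None),
    ("dave", True, date(2010, 2, 25)),
    ("svc_backup", True, date(2010, 3, 2)),
    ("erin", False, date(2009, 6, 14)),
]

# Constructed HR roster and the documented service accounts (assumed owners).
CURRENT_STAFF = {"alice", "bob", "dave"}
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}

# Constructed authentication log in an assumed syslog-like key=value format.
AUTH_LOG = """\
Mar  2 08:01:10 dc01 auth: LOGIN OK user=alice src=10.0.1.20
Mar  2 08:04:33 dc01 auth: LOGIN FAILED user=erin reason=account-disabled src=10.0.1.77
Mar  2 08:04:41 dc01 auth: LOGIN FAILED user=erin reason=account-disabled src=10.0.1.77
Mar  2 08:10:02 dc01 auth: LOGIN FAILED user=bob reason=bad-password src=10.0.1.31
Mar  2 08:12:58 dc01 auth: LOGIN OK user=dave src=10.0.1.45
"""


def orphaned_accounts(accounts, staff, service_accounts):
    """Enabled accounts that belong to no current staff member and are not
    documented service accounts: candidates for immediate disabling."""
    return sorted(name for name, enabled, _ in accounts
                  if enabled and name not in staff and name not in service_accounts)


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days; never-used counts as stale."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(name for name, enabled, last_logon in accounts
                  if enabled and (last_logon is None or last_logon < cutoff))


def disabled_account_attempts(log_text):
    """Count failed logins against disabled accounts, keyed by (user, source IP).
    Repeated attempts from one source are the signal worth escalating."""
    counts = {}
    for line in log_text.splitlines():
        if "LOGIN FAILED" not in line or "reason=account-disabled" not in line:
            continue
        fields = dict(token.split("=", 1) for token in line.split() if "=" in token)
        key = (fields["user"], fields["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2010, 3, 2)  # report date, fixed so the sample is reproducible
    print("disable (no owner):", orphaned_accounts(ACCOUNTS, CURRENT_STAFF, KNOWN_SERVICE_ACCOUNTS))
    print("review (idle > 90 days):", stale_accounts(ACCOUNTS, today))
    for (user, src), n in disabled_account_attempts(AUTH_LOG).items():
        print(f"disabled account {user} targeted {n} time(s) from {src}")
```

In the sample, carol has an enabled account but is on neither the staff roster nor the service-account list, bob's account has been idle since November, and someone at 10.0.1.77 is still trying erin's disabled account: three separate follow-ups from one short script.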
