Security
Changing security threat landscapes
2007 saw a shift in the threat landscape, globally and in India. Varun Aggarwal attempts to investigate what lies ahead.
One of the broader issues facing enterprises is rightly summed up in one line by Bruce Schneier, cryptographer, computer security specialist and writer: "Amateurs hack systems, professionals hack people."
A chain is only as strong as its weakest link, and today the security threat landscape is arguably more dynamic than ever. As security measures are developed and deployed to protect the computers of end users and organizations, attackers rapidly adapt new techniques and strategies to circumvent them. And as businesses expose more and more of their applications to the Internet, there are more targets available.
Peter Theobald, CEO, IT Secure Software Pvt Ltd, said, "In all the ethical hacking projects we have undertaken in the last year (with the target company's express prior authorization, of course), there was not a single case where we were unable to penetrate the systems to get root access and completely compromise the target system. In other words, by and large, the safety measures being undertaken today are not good enough. Very often it is akin to locking the door and leaving the key under the doormat."
2007 saw a tremendous increase in Web-based threats, ranging from simple IP spoofing to malware. The data losses incurred due to such criminal activity turned out to be the most critical problem faced by large enterprises. Arun Nirmal, Research Analyst, Technical Insights, Frost & Sullivan, said, "Many of the major banking Web sites have been compromised by the new wave of technically sophisticated malware in 2007, leading to losses in the range of millions of dollars. Along the same lines, we would have lost information regarding around 100 million debit and credit cards to the global converged network of spammers and phishers."
Nirmal feels that the new trend of sophisticated hacking has put most large enterprises and small and medium businesses (SMBs) in a quandary about selecting the appropriate and ideal security solution that can provide comprehensive protection. "Last year also saw a significant rise in the number of malicious threats aimed at stealing personal and confidential data from home networks. The loss due to Web threats has increased a hundredfold over the last couple of years. The online crime community has been flourishing mainly due to the lack of adaptive and specific security tools," he added.
Targeted attacks
Kartik Shahani, Regional Director, McAfee Inc., opined that the threats are becoming silent. "There is a shift in the way that malware is coming in and the focus is shifting towards financial gain. We did not see any widespread outbreaks in 2007, unlike previous years, which means that most attacks that happened were silent and targeted attacks." The single biggest threat seen last year was the Storm Worm, which emerged in January 2007 and continues to be active. The Storm Worm was a one-of-a-kind botnet that uses a decentralized approach, making it difficult to shut down, and retaliates whenever someone tries to investigate it.
Wing Fei Chia, Security Response Team Manager, F-Secure, observed, "We saw banking Trojans gaining more in 2007. These are Trojans that sit patiently on the infected computer listening for banking activities. Another uptrend we saw last year was a notable increase in Trojan password stealers stealing passwords to online games. Once the criminals get their hands on your virtual sword or gold [personal information], they can sell it for a nice amount although these items are not physically real."
Nirmal added that the effect of malware attacks has generated public awareness
on many network security challenges, thereby forcing the research community
to develop efficient means of protection. Moreover, the enterprise community
has come together in recognizing the wide problems of such threats and is expected
to deploy key security tools such as network optimizers and data stream monitors.
In 2008, we can expect to see new and improved technologies in niche security
areas such as Web content filtering and network protection.
The Internet don
It would be an absolute understatement to say that the Internet underworld is growing. Beyond growing rapidly, it has evolved into a new business model for criminals. With every new enterprise hack, we observe a burgeoning increase in the number of converged crime syndicates that operate across the globe.
Nirmal explained that the simplest strategy adopted by these syndicates is creating new ways and processes for obtaining terabytes of user data. This information is then put up for auction, where hackers and spammers bid for the system or user information. This is followed up by individual hackers trying to spam machines with the goal of obtaining private and confidential information. The condition explicitly represents the current trend of electronic crime turning into a service-driven economy. The trend is expected to follow the same pattern in 2008 as well. Only a consolidation of various security tools, or a consortium of security vendors detailing the ways to prevent such crime, can help prevent the success of this crime economy.
MPack was one of the notable security threats that emerged in the first half
of 2007. It is a commercially available black-market attack toolkit that can
launch exploits for browser and client-side vulnerabilities against users who
visit a malicious or compromised Web site.
According to Prasad Babu, Director of Systems Engineering and Operations, India, Juniper Networks, "Security firms need to try and find vulnerabilities and incorporate measures to address them before they become public."
Mobile security scare
Wireless infrastructure opens up organizations and people at large to online security threats. The mobile phone is turning into a computer, which makes it susceptible to precisely the same vulnerabilities as a PC, such as viruses, spam and spyware. While the increasing number of mobile device users has given rise to a market for third-party applications such as games, it has also opened up the proverbial can of worms. The number of smartphone users is increasing at a rapid pace in India.
Surendra Singh, Regional Director, SAARC, Websense Inc., opined, "Some services that make mobile phones vulnerable include the ability to open e-mail attachments and removable storage cards. Due to the rising popularity of data-centric mobile phones and handheld devices, these devices could become an attractive target for virus writers in the future."
According to Singh, mobile operators now have a way to offer their enterprise customers centrally managed protection for smartphones against malicious mobile code such as SMS spam and viruses. "Mobile devices are increasingly coming under attack. Mobile handsets with Wi-Fi cards are prone to these attacks as they connect to a public network and, at the same time, the organization's network," he added.
Sumeet Gugnani, Director, Mobile Communications Business, Microsoft India, said, "Enterprises, on their part, have to ensure that they have the right infrastructure in place and that their employees are well aware of the security measures that they should adopt to guarantee data security. At the device level, precautions should be taken by allowing only authorized access to the device and preventing unauthorized applications such as viruses or spyware from being installed or accessing critical parts of the device. PIN authentication, password protection and storage card encryption, management role definition, application access tiers, code signing settings, security settings, and security certificates combine to help achieve device-level protection."
Gugnani added, "According to a recent survey, 74.6% of handheld users either do not have or do not know about security protection on their devices. The product manual is a mine of information in this regard, and the enterprise can help by crafting FAQs that incorporate details of customization of security and other features to make it easy for the user." He continued that addressing security concerns at these multiple layers can help address the top three areas of data protection, which are leaks of confidential data during mail exchange, loss of data with loss of device, and unauthorized access to a device.
Wireless networks
"There is no doubt that wireless computing is alluring. The absence of wires means more freedom to answer your e-mail on the couch, browse the Internet and shop from your bed, or pay your bills online at the kitchen table. Because it's so easy to set up a wireless network, many people connect their wireless router, install their Wi-Fi adapter card and go, without thinking about setting up proper security for their new wireless networks.
Without taking basic security precautions, wireless networks are vulnerable to attacks from hackers, attempts from scammers to steal your personal information, and also to neighbors looking to piggyback for free on your Internet connection. There are more serious threats you need to be aware of, such as packet sniffing and wi-phishing. Packet sniffing is a form of wire-tap applied to computer networks. As long as you and the hacker are on the same public network, they can sniff information packets in unencrypted wireless transmissions and decode your passwords. In a wi-phishing scam, a bogus wireless logon page appears legitimate, but the only real part of a wi-phishing scam is the damage to you and your family," explained Vishal Dhupar, Managing Director, Symantec India.
Nirmal said, "The most feared threat, which has been releasing new waves of concern amongst operators, is VoIP spam or spam over Internet telephony (SPIT), which involves the broadcasting of unsolicited bulk messages to telephones on a VoIP network. A SPIT attack could result in the creation of bottlenecks in a network, and the attack would be undetectable by traditional signature-based anti-virus tools."
- High-profile data breaches have underscored, and will continue to underscore, the importance of data loss prevention technologies and strategies
- In 2007, spam reached new, record levels. Image spam declined while PDF spam emerged as a new annoyance. Greeting-card spam was also responsible for delivering Storm Worm malware (also known as Peacomm). There will be no let-up in this flood
- Phishing continued to be big in 2007, with an 18% increase in unique phishing sites during the first half of the year. Phishing toolkits contributed to the problem. It will continue in 2008 as well
- Bots and botnets continued to silently slip onto unsecured computers and perpetrate a wide variety of malicious activity. Bots knocked Estonia off the online map, and the Storm Worm employed bot technology as well
- Virtualization made big headlines in 2007 with major players going public. But the industry hasn't fully explored the security implications of virtualization technology
- Malware attacks exploiting application vulnerabilities will continue to grow. Security analysts expect the problem of application vulnerability exploits to become more significant during the next few years. IT security personnel can expect an ongoing battle on this front for the foreseeable future
- More malware may execute in system memory, not on hard drives. Malware attacking rootkits that executed entirely in system memory emerged during 2007. As average RAM size continues to increase in the coming year, these strategies will likely grow in popularity
Data Loss Prevention
The biggest vulnerability lies with people. Let's look at the challenge for an enterprise today: with an increasingly mobile workforce, many users are carrying sensitive data, or data that they don't even know is sensitive but could be used by the competition. Ajit Pathak, Country Manager, Sales Operations, Secure Synergy, explained, "The biggest risk is what happens when data is lost, or if some poor guy prints off the customer list and then falls asleep on the train and leaves it there. A huge challenge for many clients today is not just in security but in building resilience in business around the increased mobility of the people in the enterprise and the data that they carry around with them." There are various encryption technologies that allow mobile devices to secure data; create a mobile device security policy specifically for handheld devices and start an awareness program to make the new policy known within the organization.
Dhupar explained, "While data breaches are costly in financial terms, they also come at a price to the business reputation and customer confidence. According to a recent IT Policy Compliance Group report, business losses can be significant if the breach is reported. Benchmarks reveal that a business experiencing a publicly reported data loss can expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms that publicly disclose data losses and thefts."
UTM moves from edge to core
From the edge, UTM appliances have moved into the core of the enterprise network, especially in banking and online trading.
When Unified Threat Management (UTM) appliances gained entry into the network security market they were primarily meant for the SMB segment, deployed at the edge of the network and used for securing remote branches. There were doubts that once different functionalities such as anti-virus, firewall and IPS were combined in a single box it would not perform properly. This was why enterprises continued to use point solutions for many years. That myth is slated to be broken, as UTM appliances have matured to the point where they are being widely adopted by enterprises.
An enterprise running core applications cannot compromise
on security issues and will go to any extent to protect its IT network. That
is why standalone products will continue to co-exist with UTM appliances at
the core of an enterprise network.
Atul Kumar, Assistant General Manager, Department of Information Technology, Syndicate Bank, says, "We are using UTM appliances both at the gateway as well as the core of our banking network. We found that the throughput is good and there is perfect interoperability between the different functionalities in a UTM box. Moreover, it is easy to upgrade and add modules to a UTM box, unlike the case with standalone systems." Syndicate Bank's core banking initiative links about 1,500 branches across the country, and four UTM boxes secure the core banking system at its data centre in Mumbai and at its DR site. The cost of managing the system is now one third of what it used to be with the earlier standalone systems. However, the bank has not done away with its standalone systems; they have been deployed at less critical zones, with the core of the network now being handled by UTM boxes.
Spice Telecom has also gone in for UTM boxes (FortiGate-300A systems from Fortinet) and, although they are not being used at the core of the network, the company is using them to scan incoming traffic, mainly from the Internet and also on its Intranet. All incoming traffic to its corporate office is secured using UTM boxes. The scanning of inbound and outbound traffic results in throughputs in excess of 300 Mbps. The company is impressed with some recently introduced high-end UTM boxes and looks forward to protecting its core network at the data centre using UTM boxes. Bhaskaran R, Senior Manager IT, Spice Communications Limited, explains, "We found that the high-end UTM boxes which have been recently introduced by some UTM vendors can provide us with higher throughputs and can manage our 600-node network. We found that even some ISPs and MSPs in India are using high-end UTM boxes, and this has instilled the confidence to evaluate such boxes to secure our core data centre operations in the near future." Although Spice Telecom feels that the high-end UTM boxes will ease manageability, as it will get different functionalities in one box, it feels that they will not bring much change in its TCO. As Bhaskaran says, "The subscription charges of UTM are based on the number of nodes an enterprise wants to secure, and the prices are currently on the higher side. Although we can negotiate a price during the initial deployment, the subscription charges are on par with standalone security devices, which are equally expensive; but the catch here is that the ease of manageability through a single console is highly advantageous, which is what these UTM boxes offer."
In another instance, Geojit Financial Services Ltd is securing its online trading engine using UTM boxes, as it was finding it challenging to manage heterogeneous standalone systems. Geojit is running a FortiGate-800 box at its data centre in Kochi to secure its network core. Geojit's network comprises VSAT links, leased lines, VPN, etc. All the branches are networked to the head office in Kochi for online information dissemination and risk management. The total number of transactions executed daily over the company's network is more than a lakh (100,000).
Encryption = protection
To protect data, you need two types of security: people security and data security. We will not dwell on people security; it's a different market altogether. Digvijay Singh Chudasama, VP Sales, Cyberoam (India), said, "The authentication mechanism works by requiring users to provide a key to their identity through passwords, biometric information, tokens, ID cards, or other such processes and checking their access privileges against a RADIUS, LDAP or SLDAP database. Authentication helps in building trust in the systems and processes."
"There are technologies available to protect data against external attacks, for example firewalls, intrusion detection/prevention, VPNs, and so on. Storage encryption protects data within the enterprise, and it can be deployed at three points in the enterprise back-up environment: at the host, within the OS or application software; at the tape drive; or in the network with a dedicated appliance. Where to deploy encryption will depend on the organization's requirements for performance, security, scalability, and overall ease of use and maintenance," explained Soumitra Agarwal, Marketing Director, India, NetApp.
Shailendra Sahasrabudhe, Country Manager, India, Aladdin Knowledge Systems, opined, "Businesses have been moving in the direction of increased connectivity, looking for ways to become more efficient and offer better services to their users. The need for data protection has taken the spotlight. For organizations looking to secure themselves and the private information of their customers, identity and access management have become the buzzwords of choice."
Apart from encryption, key management is an important consideration in the context of storage security. The best encryption system on earth is ineffective if its associated key management is weak. For this reason, the key management system is an important part of the overall storage security solution. One must be certain that the keys used to encrypt the data will be available whenever and wherever access to the encrypted data is required throughout the lifespan of that data, whether that is one week or decades.
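The point that keys must outlive the data they protect, as an added example that is not from the article or from any vendor named in it: a versioned key ring that stamps each ciphertext with its key id, so keys rotated out of active use can still open older backups, and an audit helper that shows which stored blobs become unrecoverable once a key version is destroyed. The cipher itself (an HMAC-SHA256 keystream plus HMAC tag) is a constructed illustration, not a production algorithm.

```python
import hashlib
import hmac
import os
import struct


class KeyRing:
    """Retains every key version; only the newest is used for new encryptions."""

    def __init__(self):
        self._keys = {}
        self._active = None

    def rotate(self):
        """Generate a fresh key version and make it the active one."""
        kid = len(self._keys) + 1
        self._keys[kid] = os.urandom(32)
        self._active = kid
        return kid

    def active(self):
        return self._active

    def key(self, kid):
        return self._keys.get(kid)

    def destroy(self, kid):
        """Models weak key management: an old key version is lost for good."""
        self._keys.pop(kid, None)


def _keystream(key, nonce, length):
    # Toy stream cipher for the example: HMAC-SHA256 run in counter mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _subkeys(key):
    # Derive separate encryption and MAC keys from one key version.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(ring, plaintext):
    """Layout: 4-byte key id | 16-byte nonce | ciphertext | 32-byte HMAC tag."""
    kid = ring.active()
    enc, mac = _subkeys(ring.key(kid))
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    header = struct.pack(">I", kid) + nonce
    tag = hmac.new(mac, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(ring, blob):
    """Looks up the key version named in the header; fails if it is gone."""
    kid = struct.unpack(">I", blob[:4])[0]
    key = ring.key(kid)
    if key is None:
        raise KeyError("key version %d is no longer available; data unrecoverable" % kid)
    enc, mac = _subkeys(key)
    header, body, tag = blob[:20], blob[20:-32], blob[-32:]
    expected = hmac.new(mac, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc, header[4:], len(body))))


def recoverable(ring, blobs):
    """Audit helper: maps each stored blob name to whether it can still be opened."""
    result = {}
    for name, blob in blobs.items():
        try:
            decrypt(ring, blob)
            result[name] = True
        except (KeyError, ValueError):
            result[name] = False
    return result
```

Rotating the ring and then calling `recoverable` before and after `destroy(1)` shows a 2007 backup flipping from readable to lost while the 2008 one is unaffected.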
Amuleek Bijral, Country Manager, India & SAARC, RSA, the Security Division of EMC, said, "Access control and encryption are the most important factors in any good security strategy. A strategy which is information-centric and focuses on the risks involved would be effective in addressing the various threats that any organization faces today. For an effective implementation of this strategy it also needs to be repeatable. Information Risk Management is one such strategy."
There are various aspects of security that need to be addressed by organizations, vendors and individuals alike. No security approach can work in silos. There has to be a holistic approach to security measures to ensure that your organization, or you as an individual, are safe from the hackers who are all set to take advantage of the smallest security loophole that you leave unplugged.
varun.aggarwal@expressindia.com