Protecting Data

IT Security personnel and network support staff tasked with managing large networks are routinely at odds with identifying and solving the most common problems a large network poses.

Typical causes that can be identified and treated, however, generally fall within one of the following 3 categories:

1. performance degradation
2. host identification
3. security issues.

Performance Degradation

Performance degradation refers to loss of speed and data integrity due to poor transmissions. While every network is prone to performance issues, large networks are especially susceptible due to extra distance, endpoints and additional equipment at midpoints.

Solutions to performance degradation are not difficult. The first step is to purchase the best quality computer networking hardware one can afford--all other solutions build upon a solid foundation of good network hardware. After all, network performance is only as good as the components of which it is composed.

Although quality matters, quantity can also be an issue in this case. Networks without enough routers, switches, domain controllers, etc., are comparable to 'pumping water from a municipal well with a straw'. Beginning with adequate, quality hardware is an excellent start, but that still is not enough--hardware is useless without proper configuration.

Ensuring all computers and network 'plumbing' are properly connected (with quality cabling) and configured is essential. This includes verifying network settings in server and desktop network configuration apps and verifying settings in networking components' firmware (switches, routers, firewalls, etc.).

Every device connected to the network should be initially and routinely checked for problems, as rogue PCs infected with viruses, spyware, bot ware and so forth can waste bandwidth and, even worse, infect other systems.

Host Identification

Proper configuration is also essential to maintaining proper host identification. Just as the post office cannot deliver messages without some form of addressing, neither can computer networking hardware. While small networks can easily be configured with manual addressing, large networks become completely impractical. DHCP servers, domain controllers, and their requisite addressing software and protocols are a must for creating and maintaining a large, scalable network.

Top performance and proper host identification are hardly beneficial on a network that hackers have breached. For this reason, securing a network is equally important.

Security Issues

Network security issues involve:

• maintaining network integrity
• preventing unauthorised users from infiltrating the system (viewing/stealing sensitive data, passwords, etc.)
• protecting the network 'denial-of-service attacks'.

These issues are greatly magnified as a network increases in size.

Larger networks are more susceptible to attack because they offer more vulnerable points at which intruders can gain access--more users, passwords and hardware mean more places a hacker can try to gain access.

Preventives against these problems include:

• firewalls and proxies
• educating staff members and end-users
• installing strong antivirus software
• deploying strict password policies
• making use of network analysis software
• physically securing computer networking assets
• invoking procedures that compartmentalise a large network with internal boundaries.

Security Threats circling your Network

Which network security threats are top-of-mind for your customers? A recent survey of more than 3,700 IT professionals shows several concerns.

The Information Systems Audit and Control Association (ISACA), an international provider of industry information and certifications, has issued the results of a recent survey of the global security landscape, including perceptions of the most dangerous network security threats.

In the past year, 22 per cent of enterprises have experienced a security breach, and 21 per cent have faced mobile device security issues, according to the survey.

The following examples are the most likely network security challenges people face:

External hacking

Ah yes. Good old-fashioned external hacking seems almost quaint given the rapid extension of modern threats and attack vectors. But given the emphasis on these recent developments, it can be easy to take your eye off the ball regarding garden-variety hackers. Five per cent of surveyed IT professionals said external hacking is the most likely threat facing their network security over the next 12 months.

For the most part, the strategy here is about keeping security suites properly configured and up-to-date. Not very exciting, we know. But it’s still something that requires your ongoing attention in the never-ending quest to keep your customer’s information safe.

Disgruntled employees

We’ve all heard the stories about people who had installed attacks to occur when their name disappears from payroll, or some other attack on their employers in an illegal, or at least unethical, expression of “Take this job and shove it.” This is the domain of the disgruntled employee -- not to be confused with the accidental exposures committed by happy, “gruntled” employees otherwise in good standing. While such acts of misconduct are relatively rare, channel partners must identify potential symptoms and guide their clients toward policies that will help to prevent them before they occur. Five percent of surveyed IT professionals said disgruntled employees represented the most likely threat facing their network security over 12 months.

Cyber attacks

Cyber-attacks happen every day, although only the most high-profile ones tend to make the news. The most recent cyber-attacks are even purpose-built by national governments for various purposes, such as espionage and sabotage. And some of the more famous ones, such as Stuxnet and Flame, are highly modular. That means some of the nastiest features can be lifted out of the military-grade bugs and dropped into existing malware platforms to make the more common types of attacks even nastier. That also means that as you read this, some malware author is probably using those modules to create an uber-bug that can put him on the map. Seven percent of surveyed IT professionals said cyberattacks represented the most likely threat facing their network security over 12 months.

Cloud computing

Effective security for the cloud is a huge topic in today’s IT discourse, which means it's not surprising that 11 per cent of surveyed IT professionals said cloud computing represents the most likely threat facing their network security over the next 12 months.

Nearly every vendor has a strategy for how cloud security can be maximized, and (surprise!) that vendor’s products happen to be the focal point of truth and justice. This means that the channel is looking at a huge opportunity in helping customers to navigate these offerings and the related purchasing decisions. But that level of assistance implies that the partners have a very strong knowledge of the various risks and responses. According to many industry insiders, some channel companies are doing a better job of that than others. And since one of the key concerns about the cloud is that channel partners can become interchangeable parts, developing this expertise can be a key differentiator.

Incidents Related To Employees' Devices (BYOD)

“Hey, I got this new tablet, and I’m going to use it on the network.” We’re not sure how often these words are spoken because the devices often show up without permission. But “bring-your-own-device,” also known as the “Consumerization of IT”, has opened up a Wild West of new threat vectors. It's a fear that is quickly creeping up on IT departments, as 13 percent of surveyed IT professionals said BYOD represented the most likely threat facing their network security over the next 12 months. The focus for the channel is mostly around detecting devices, maintaining security and figuring out exactly what those devices might be up to. This is an especially tall order when you consider that personal devices are, well, personal. And that means gaining access to them and managing them can be a lot more difficult, especially when employees are less than thrilled about the idea.

Inadvertent employee mistakes

Forget about the proverbial 'inside job'. The second biggest concern, cited by 16 per cent of respondents, is accidental exposures by employees instead of the intentional, inside job variety. These could include acts such as parking data on insecure storage sites, malware accidentally delivered by USB devices, loss of computers, phones or USB devices, and also social engineering attacks in which victims are tricked into revealing sensitive information. The solution is based on more than just solid security technologies. It also involves no small measure of employee education on specific risks and how to avoid them. Look for channel partners to become more involved in this aspect of security as time goes on.

Data leakage

Loss of data leads the league to IT security care-about, with 17 per cent of survey respondents naming it as the most likely single threat facing network security in the next 12 months. And as various exploits target the seams of security coverage while the malware bugs are becoming more insidious, who can blame them? The data on the network represents a substantial percentage of company value, and various compliance standards such as HIPAA and PCI have stringent requirements that can make data loss an even more unpleasant experience than ever before. Thus, the topic moves beyond its previous status as a technology level discussion. It is becoming more of a business level discussion as C-Level executives of all types increasingly recognise the inherent risks.

Network Access Control (NAC)

'Firewalls' are principally deployed to manage access between networks. They control communications by blocking (fragmented data) 'packets' based on access rules permitting or denying certain IP addresses and network ports or other filtering criteria.

Firewalls cannot control whether a device can connect to a network in the first place.

Defence in-depth, or 'endpoint security', refers to controls that monitor the security of a network behind the perimeter firewall.

Network Access Control (NAC) allows administrators to devise policies or profiles describing a minimum-security configuration that devices must meet to access a network. This is called a 'health policy'.

Typical policies check malware infection, firmware and OS patch level, personal firewall status and the presence of up-to-date virus definitions. A solution may also be to scan the registry or perform file signature verification.

The health policy is defined on a NAC management server and reporting and configuration tools.

Physical Port-security

With wired ports, access to the physical switch ports and switch hardware should be restricted to authorised staff, using a secure server room and lockable hardware cabinets.

To prevent the attachment of unauthorised client devices, a switch port can be disabled using the management software; or the patch cable can be physically removed from the port. Completely disabling ports in this way can introduce a lot of administrative overhead and scope for error. Also, it doesn't provide complete protection as an attacker could unplug a device from an enabled port and connect their laptop. Consequently, more sophisticated methods of ensuring port security have been developed.

MAC Address Filtering

Configuring MAC filtering on a switch means defining which MAC addresses connect to a particular port. This can be done by creating a list of valid MAC addresses or specifying a limit to the number of permitted addresses.

For example, suppose port security is enabled with a maximum of 2 MAC addresses. In that case, the switch will record the first 2 MACs to connect to that port but then drop any traffic from machines with different network adapter IDs that try to connect.

Many devices also support 'whitelisting' and 'blacklisting' of MAC addresses: a MAC address added to a whitelist is permitted to connect to any port, whereas a MAC address on a blacklist is prohibited from connecting to any port.

Port security/IEEE 802.1X

The IEEE 802.1X standard defines a Port-based Network Access Control (PNAC) mechanism. PNAC means that the switch (or router) performs some sort of authentication of the attached device before activating the port.

Under 802.1X, the device requesting access is the supplicant. The switch, referred to as the 'authenticator', enables the Extensible Authentication Protocol over LAN (EAPoL) protocol and waits for the device to supply authentication data. Using EAP, this data could be a simple username/password (EAP-MD5) or involve using a digital certificate or token. The authenticator passes this data to an authenticating server, which checks the credentials and grants or denies access.

VPN

As well as allowing hosts to connect over wired or wireless local connections, most networks have to allow devices to connect remotely to support home workers, fieldworkers, branch offices, partners, suppliers and customers. A remote connection is easier for external attackers to exploit than a local one, so remote access must be subject to stringent security policies and controls.

A Virtual Private Network (VPN) connects the components and resources of 2 (private) networks over another (public) network. A VPN is a 'tunnel' through the internet (or any other public network).

It uses special connection protocols and encryption technology to ensure that the tunnel is secure and the user is properly authenticated. Once the connection has been established, the remote computer becomes part of the local network (though it is still restricted by the bandwidth available over the WAN link).

TCP/IP communications are encrypted and packaged within another TCP/IP packet stream with a VPN. The VPN hardware or software can encrypt either just the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery.

If a packet on the public network is intercepted along the way, the encrypted contents cannot be read by a hacker. Such encryption of data, or packets, is typically implemented by using a protocol suite called Internet Protocol Security (IPSec).

A remote-access request is only granted if the user authenticates correctly and has given the account remote (or 'dial-in') permission. The client device could also be subject to NAC policy checks before it can fully join the VPN.

By identifying common security threats and vulnerabilities, you will be better equipped to suggest or implement the most effective counteractive measures.

Vulnerabilities, Threats and Risks

In IT security, it is important to distinguish between the concepts of vulnerability, threat and risk.

• Vulnerability: A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
• Threat: The potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to 'exercise' vulnerability (i.e. to breach security). The path or tool used by the threat actor can be referred to as the 'threat vector'.
• Risk: The likelihood and impact (or consequence) of a threat actor exercising a vulnerability. To understand network security, you need to understand the types of threats exposed to a network and how vulnerabilities can be exploited to launch actual attacks.

Social Engineering Threats

Much of the focus in computer security is on deterring malicious external and insider threats.

Attackers can use a diverse range of techniques to compromise a security system. A pre-requisite of many types of attacks is to obtain information about the security system.

'Social engineering' refers to trickery or the deceptive means of getting unsuspecting authorised users to reveal confidential data or sensitive information or allowing access to the organisation that should not have been authorised--violating security guidelines. Social engineering is often a precursor to another type of attack.

It is also important to note that gaining access to a network is often based on small steps rather than a single large step.

For example:

1. Knowing an employee's email address allows an attacker to search for facts about that user online.
2. This might help target the employee with fake messages. A message might be convincing enough to persuade the employee to reveal confidential information or to install malware.
3. The malware allows the attacker to access the network and discover the ID of a more privileged account or the location of important data files.

Because these attacks depend on human factors rather than technology, their symptoms can be vague and hard to identify. Social engineering attacks can come in various methods: in person, through email, or over the phone; and typically take advantage of users who are not technically knowledgeable.

Although, it can also be directed against technical support staff if the attacker pretends to be a user who needs help.

Common Social Engineering Exploits

Preventing social engineering attacks requires an awareness of the most common forms of social engineering exploits.

Impersonation

Impersonation (pretending to be someone else) is a basic social engineering technique. The classic impersonation attack is for an attacker to phone into a department, claim they have to adjust something on the user's system remotely and get the user to reveal their password.

Attackers will try any of the various recognised methods to make an impersonation attack convincing; such as:

• intimidating their target by pretending to be someone senior in rank
• intimidating their target using spurious technical arguments and jargon or alarm them with a hoax
• coax their target by engaging with them and putting them at their ease. (Do you know who is on the other end of the line?)

Phishing and Spear Phishing

Phishing

'Phishing' combines social engineering and spoofing (disguising one computer resource as another). For example:

1. The attacker sets up a spoof website to imitate the target bank or eCommerce provider's secure website.
2. The attacker then emails users of the genuine website, informing them that their account must be updated, supplying a disguised link that leads to their spoofed site.
3. When the user authenticates with the spoofed site, their logon detail is captured.

Another technique is to spawn a 'pop-up' window when a user visits a genuine site to trick them into entering their credentials through the pop-up.

Spear phishing

'Spear phishing' refers to a phishing scam where the attacker has some information that makes the target more likely to be fooled by the attack.

For example, the attacker might know the name of, say, a document that the target is editing and send a malicious copy; or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number or other details that help to convince the target that the communication is genuine.

Pharming

'Pharming' is another means of redirecting users from a legitimate website to a malicious one.

Rather than using social engineering techniques to trick the user, however, pharming relies on corrupting the way the victim's computer performs internet name resolution. They are redirected from the genuine site to a malicious one. For example, if mybank.com should point to the IP address w.x.y.z, a pharming attack would corrupt the name resolution process and point to IP address a.b.c.d.

Trust and dumpster living

Being convincing or establishing trust usually depends on the attacker obtaining privileged information about the organisation or an individual. For example, an impersonation attack is more effective if the attacker knows the user's name.

As almost all companies are set up toward customer service rather than security, this information is typically easy to come by. Information that might seem innocuous (such as department employee lists, job titles, phone numbers, diary appointments, invoices or purchase orders) can help an attacker penetrate an organisation through impersonation.

Another way to obtain information that will help make a social engineering attack credible is by obtaining documents that the company has thrown away.

'Dumpster diving' refers to combing through an organisation's (or individual's) garbage to find useful documents. Attackers may even find files stored on discarded removable media.

Note: Remember that attacks may be staged over a long period. Initial attacks may only aim at compromising low-level information and user accounts. Still, this low-level information can be used to attack more sensitive and confidential data and better-protected management and administrative accounts.

Shoulder surfing

'Shoulder surfing' refers to stealing a password, PIN or other secure information by watching the user type it.

The attacker may be nearby or could use high-power binoculars or CCTV to observe directly 'over the target's shoulder' from a remote location.

Tailgating

'Tailgating' (or piggybacking) means entering a secure area without authorisation by following close behind the person allowed to open/enter the door or checkpoint.

This might be done without the target's knowledge, or maybe a means for an insider to allow access to someone without recording it in the building's entry log.

Another technique is to persuade someone to hold a door open, using an excuse such as, 'I've forgotten my badge/key'.

Mitigation of Social Engineering Attacks

Training users to recognise and respond to such situations is the best means to defeat social engineering.

• Train employees to release information or make privileged use of the system only according to standard procedures.
• Establish a reporting system for suspected attacks—though the obvious risk here is that many false negatives will be reported.
• Train employees to identify phishing-style attacks plus new styles of attack as they develop in the future.
• Train employees not to release any work-related information on third-party sites or social networks (and especially not to reuse passwords used for accounts at work).

Other generic mitigation factors include:

• ensuring documents and information are adequately destroyed before disposal
• using multifactor access control by putting more than one or two barriers between an attacker and their target
• restricting the use of administrative accounts as far as possible.

Password Attacks

Accounts and account-protect credentials (typically passwords) protect computer systems.

Passwords can be discovered via social engineering or written down by a user.

'Packet sniffing' attacks are often launched to obtain credentials for one or more accounts. The attacker's job is done if a network protocol uses cleartext (typed in unencrypted form and so is readily consumable and readable); however, most passwords are only sent over the network or stored on a device using cryptographic protection.

Either the channel can be protected, or the password can be protected (or both). If the channel is encrypted, the attacker has to compromise the encryption keys stored on the server. If a cryptographic hash protects the password, the attacker might use password-cracking software to decipher it.

Note: A password might be sent in an encoded form, such as Base64, simply an ASCII representation of binary data. This is not the same as cryptography. The password value can easily be derived from the Base64 string.

'Physical security' refers to the implementation and practice of control methods to restrict physical access to facilities.

One case where physical security is important is when there is a need to control physical documents, password records and sensitive documents and equipment. Just one successful unauthorised access attempt can lead to financial losses, credibility issues and legalities.

In addition, physical security involves increasing or assuring the reliability of certain critical infrastructure elements (such as switches, routers and servers).

Physical Security Controls

'Physical' security measures mean controlling who can access a building or a secure area of a building--such as a server room. One of the oldest types of security is a wall with a door in it (or a fence with a gate).

To secure such an access point, it must be fitted with a lock or door-access system.

LOCK TYPES

Door locks can be categorised as follows.

• Conventional: A conventional lock prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking.
• Deadbolt: A bolt-on to the door frame, separate from the handle mechanism.
• Electronic: The lock is operated by entering a PIN on an electronic keypad rather than a physical key. This type of lock is also called a 'cipher', 'combination' or 'keyless'.
• Token-based: A smart lock may be opened using a magnetic swipe card or features a proximity reader to detect the presence of a wireless key fob or one-time password generator (physical tokens) or smart card.
• Biometric: A lock may be integrated with a biometric scanner so that biometric features (such as a fingerprint, voiceprint or retina scan) can activate the lock. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock.
• Multifactor: A lock may combine different methods (such as a smart card with a PIN).

A secure gateway will normally be self-closing and self-locking, rather than depending on the user to close and lock it.

Turnstiles and Mantraps

Tailgating/piggybacking to enter a secure area without authorisation by following close behind the person allowed to open the door or checkpoint can be thwarted by training and a strict policy to mitigate the automatic politeness that causes employees to 'co-operate' with this type of attack.

Effective training should also ensure employees keep doors locked to protect secure areas (such as servers and equipment rooms).

Gateways can also have improved physical security, such as CCTV monitoring or the presence of a security guard.

Another option is a conventional turnstile or a mantrap.

A mantrap is similar to a turnstile, but rather than a rotating bar in the access point, a mantrap has 2 sets of interlocking doors inside the access point, where the first set of doors must close before the second set opens.

Suppose the mantrap is manual: a guard locks and unlocks each door in sequence via an intercom or video camera allowing the guard to control the trap from a remote location.

If the mantrap is automatic: identification or a key of some kind may be required for each door, and sometimes different measures may be required for each door.

Metal detectors are often built-in to access points to prevent the entrance of people carrying weapons. Such use is particularly frequent in banks and jewellery shops.

Security Guards

Human security guards, armed or unarmed, can be placed in front of and around a location to protect it as they can:

• monitor critical checkpoints
• verify identification
• disallow access
• log physical entry occurrences
• provide a visual deterrent
• apply their knowledge and intuition to potential security breaches.

ID badges and Smart cards

A photographic ID badge showing the name and (perhaps) access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge should be challenged.

Radio Frequency ID (RFID) badges, together with proximity badge readers, monitor the wearer's location. When the RFID badge passes a reader (with a range up to about 5 metres), it registers a signal and transmits its ID to the management software.

As well as using RFID tracking, smart card badges and key fobs can be programmed with biometric authentication or with some token-generating or certificate-based authentication. This type of badge could also be used to open smart locks, as described earlier.

Entry Control Rosters

An electronic lock may log access attempts, but a security guard can manually log movement using a sign-in/sign-out sheet if no technological solution is available. An entry control roster requires all visitors to sign in and out when entering and leaving the building.

Logging requirements will vary depending on the organisation, but should include the:

• name and company being represented
• date, time of entry and time of departure
• reason for visiting
• contact within the organisation.

When possible, one single entry point should be used for all incoming visitors. This decreases the risk of unauthorised individuals gaining access to the building and tailgating.

Physical security controls for devices

The most vulnerable point of the network infrastructure will be the communications room. This should be subject to the most stringent access and surveillance controls that can be afforded.

Cable locks and locking cabinets

Another layer of security can be provided by installing equipment within lockable rack cabinets. These can be supplied with key-operated or electronic locks.

Server-class hardware often features physical chassis security (server locks). The chassis can be locked, preventing the power switch, removable drives and USB ports. An attacker with access to these might boot the machine with a different operating system to steal data or install malware.

If there is no chassis protection and the computer cannot be located in a secure room, another tool is a USB lock. This device engages springs to make it difficult to remove from a USB port unless the key is used. Although they can deter and delay, they are unlikely to prevent a determined attacker.

If installing equipment within a cabinet is not an option, it is also possible to obtain hardware locks for portable devices such as laptops.

Privacy screens

A privacy screen prevents anyone but the user from reading the screen. Modern TFTs are designed to be viewed from wide angles. This is fine for home entertainment use but raises the risk that someone would observe confidential information shown on a user's monitor.

A privacy filter restricts the viewing angle to only the person directly in front of the screen.

Data Disposal Methods

As well as the security of premises, equipment rooms and devices, physical security measures also need to account for the media on which data is stored.

'Remnant removal' refers to decommissioning data storage media, including hard disks, flash drives, tape media and CDs/DVDs. The problem has become particularly prominent as organisations recycle their old computers, either by donating them to charities or sending them to a recycling company which may recover and sell parts.

There are at least 3 key reasons that make remnant removal critical.

1. An organisation's confidential data could be compromised.
2. Third-party data that the organisation processes could be compromised, leaving it liable under Data Protection legislation, in addition to any contracts or Service Level Agreements signed.
3. Software licensing could be compromised.

The main issue is understanding how much data on different media types may be recoverable.

Data 'deleted' from a magnetic-type disk such as a hard disk is not erased. Rather, the sectors are marked as 'available for writing', and the data they contain will only be removed as new files are added.

Similarly, using the standard Windows format tool will only remove references to files and mark all sectors as 'useable'. With the proper tools, any deleted information from a drive could be recoverable in the right circumstances.

There are several approaches to the problem of data remnants on magnetic disks.

Physical destruction

A magnetic disk can be mechanically shredded, incinerated or degaussed in specialist machinery.

• Shredding: The disk is ground into little pieces by a mechanical shredder that works in much the same way as a paper shredder.
• Incineration: Exposing the disk to high heat melts its components.
• Degaussing: Exposing the disk to a powerful electromagnet disrupts the magnetic pattern that stores the data on the disk surface.

These types of machinery are costly but will render disks unusable so they cannot be recycled or repurposed.

A less expensive method is to destroy the disk with a drill or hammer—do be sure to wear protective goggles. This method is not appropriate for the most highly confidential data as it will leave fragments that could be analysed using specialist tools.

While optical media cannot be reformatted, discs should be destroyed before discarding them. Shredders are also available for destroying CDs and DVDs.

Overwriting/disk wiping

Destruction is not an option if a disk can be recycled or repurposed.

Disk wiping software ensures that old data is destroyed by writing to each location on the media, either using zeroes or in a random pattern. This leaves the disk in a 'clean' state, ready to be passed to the new owner. This overwriting method is suitable for all confidential data but is time-consuming and requires special software.

Low-level format

Most disk vendors supply tools to reset a disk to its factory condition. These are often described as low-level format tools and will have the same effect as disk wiping software. A 'proper' low-level format creates cylinders and sectors on the disk. This can generally only be done at the factory. The disk utilities just clean data from each sector; they don't re-create the sector layout.

Every established organisation such as a college or a workplace will have an IT policy in place. It might be called a 'Code of Conduct' or an 'Acceptable Use Policy'.

Review one relevant document from any organisation. (You do not need to identify the organisation.) In that document, find what their policies are on the following aspects:

• Bring Your Own Device (BYOD)
• Wi-Fi access
• downloading illegal materials
• use of social media
• using the organisation’s equipment for your own personal use.

Share, discuss and compare on the Hardware Task Forum with your peers.