The RSA Conference is one of the premier cyber security gatherings in the IT industry. Companies, analysts, and cyber security professionals flock to San Francisco every year to hear talks from the experts, see the latest products on the Expo floor, and socialize at a week of parties. The conference has grown over the years, just as the emphasis on cyber security within IT has grown, as Jon Oltsik of NetworkWorld points out:
RSA used to be an oasis from mainstream IT and a place to discuss DLP, web security and key management. It was an under-funded IT stepchild and the RSA Conference was still centered on bits and bytes. That was then, this is now and cyber security is everywhere!
But it makes sense. We live in a world where our bank accounts can be emptied by someone thousands of miles away, where companies hold data about our personal lives that they can sell to advertisers, and where governments routinely conduct cyber espionage. Security and privacy are no longer confined to a small corner of the IT department: they affect everyone.
So, how can you, as an IT or network admin, help protect your network from being hacked? Here are a few ways to make sure that you stay on top of your network security policy:
Password Attacks and Best Practices
There are two main ways in which passwords cause breaches. The first is simple guessing, which is paradoxically becoming more sophisticated: attackers no longer try random strings, they seed their wordlists with the passwords leaked in earlier breaches. Analysis of the numerous password breaches over the past year shows that most people use passwords that can be guessed easily, including Syrian President Assad's use of "12345". However, enforcing more complex passwords isn't necessarily the answer, since it leads to the classic "sticky note under the keyboard," or its equivalent in a mobile workforce.
Detecting password guessing is relatively straightforward: look for repeated login attempts, especially repeated failures, from the same source or against the same account within a short window. This is usually easiest from server logs, but it also works on the wire by looking for repeated requests to a web app's login URL. Count per account as well as per source: an attacker who tries one common password against hundreds of accounts never trips a per-account lockout, and one who spreads attempts across many source addresses never trips a per-source threshold.
However, an increasingly common cause of password-related breaches is so-called "spear phishing," in which an attacker sends an email to a target pretending to be something innocuous, or even something official. A common technique among professional penetration testers is to send an email claiming to come from the company's IT department, with a link to a site that asks for the user's username and password. Average success rates for this spear phishing technique are over 30%.
Stolen passwords can be difficult to detect, but Google recently shared one of its methods: look for logins to the same account from different locations. It would be rather unusual for GeoIP lookups of two logins to place them on different continents within minutes of each other! Treat this as a signal to investigate rather than proof of compromise, since VPN exits and mobile carriers can move a legitimate user's GeoIP result a long way in a short time.
The best practice for passwords is still two-factor authentication with a hardware token. If it is cost-effective for Blizzard to use with World of Warcraft, then it is cost-effective for your organization. It also blunts the spear phishing problem above: a captured password on its own no longer gets the attacker in (a phishing site that relays the one-time code in real time can still obtain a single session, so the monitoring described here still matters). There are even open source or dual-license solutions available.
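The two detections described above, repeated failures from one source and "impossible travel" between two successful logins, can both be run over the same login log. The following is an added example written for this article, not code from the original post or from any product it mentions. The log lines, user names and documentation-range IP addresses are constructed for the example, the GEOIP table is a stand-in for a real GeoIP lookup, and the thresholds (five failures in 60 seconds, 900 km/h, 100 km minimum distance) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple


class Login(NamedTuple):
    time: datetime
    user: str
    src: str
    ok: bool


# Constructed sample of a web-app login log (fake users, documentation-range IPs).
LOG_LINES = """\
2013-03-01T10:00:01Z user=alice src=203.0.113.5 result=fail
2013-03-01T10:00:03Z user=alice src=203.0.113.5 result=fail
2013-03-01T10:00:04Z user=bob src=203.0.113.5 result=fail
2013-03-01T10:00:06Z user=carol src=203.0.113.5 result=fail
2013-03-01T10:00:07Z user=dave src=203.0.113.5 result=fail
2013-03-01T10:00:09Z user=erin src=203.0.113.5 result=fail
2013-03-01T10:05:00Z user=alice src=198.51.100.7 result=ok
2013-03-01T10:15:00Z user=alice src=192.0.2.44 result=ok
2013-03-01T11:00:00Z user=bob src=198.51.100.7 result=ok
2013-03-01T11:20:00Z user=bob src=198.51.100.9 result=fail
2013-03-01T11:40:00Z user=bob src=198.51.100.9 result=ok
"""

# Constructed stand-in for a GeoIP database: ip -> (label, latitude, longitude).
# 203.0.113.5 is deliberately absent to show how an unlocatable source is handled.
GEOIP = {
    "198.51.100.7": ("San Francisco", 37.77, -122.42),
    "198.51.100.9": ("San Jose", 37.34, -121.89),
    "192.0.2.44": ("Kyiv", 50.45, 30.52),
}

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>ok|fail)")


def parse_log(text):
    """Parse log lines into Login events, oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Login(t, m["user"], m["src"], m["res"] == "ok"))
    return sorted(events, key=lambda e: e.time)


def detect_password_guessing(events, window_s=60, threshold=5):
    """Alert once per source IP that accumulates `threshold` failures within `window_s` seconds.

    Returns (src, failures_in_window, distinct_accounts_tried). Many accounts with one or
    two attempts each is password spraying rather than an attack on a single account.
    """
    recent = defaultdict(deque)  # src -> deque of (time, user) for failures still in the window
    alerted, alerts = set(), []
    for e in events:
        if e.ok:
            continue
        q = recent[e.src]
        q.append((e.time, e.user))
        while (e.time - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and e.src not in alerted:
            alerted.add(e.src)
            alerts.append((e.src, len(q), len({u for _, u in q})))
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive successful logins to one account that imply travel faster than max_kmh.

    min_km ignores GeoIP jitter between nearby cities. Returns (user, from, to, km, kmh).
    """
    last, alerts = {}, []
    for e in events:
        if not e.ok or e.src not in GEOIP:
            continue  # failures and unlocatable sources carry no position information
        label, lat, lon = GEOIP[e.src]
        if e.user in last:
            prev_time, prev_label, plat, plon = last[e.user]
            km = haversine_km(plat, plon, lat, lon)
            # Treat gaps under one second as one second so simultaneous logins give a finite speed.
            hours = max((e.time - prev_time).total_seconds(), 1.0) / 3600.0
            kmh = km / hours
            if km >= min_km and kmh > max_kmh:
                alerts.append((e.user, prev_label, label, round(km), round(kmh)))
        last[e.user] = (e.time, label, lat, lon)
    return alerts


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    print("guessing:", detect_password_guessing(evts))
    print("impossible travel:", detect_impossible_travel(evts))
```

On the sample, the first detector reports 203.0.113.5 with five failures across four accounts (a spray, since no single account was hit five times), and the second reports alice's San Francisco login followed ten minutes later by one from Kyiv. Bob's move from San Francisco to San Jose is under the minimum distance and is ignored, which is the kind of GeoIP noise the min_km cut-off exists for.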
Monitoring IT That Is in Public Clouds
The idea of sharing a public utility can be unsettling, especially when IT personnel no longer control every aspect of the company's infrastructure. Beyond that general concern, there are tactical security questions that need to be answered before moving to a public cloud, and again while you monitor the service once it is there.
One of the emerging challenges is the push for Single Sign-On (SSO) to cloud-hosted applications. This is a complicated issue, and it's easy to get lost in the argument between "if Facebook can do it, why can't we?" and "let's use OAuth like Twitter!". Keep in mind that SSO concentrates risk: one phished credential now unlocks every connected application, which makes the two-factor recommendation above more important, not less. Our recommendation is to start by knowing the scope of the problem; an excellent resource is a recent series of articles on Securosis.
From a detection perspective, cloud security is about knowing where the dotted lines are that now define what used to be your perimeter. Enumerate the traffic between your in-house services and your cloud instances, enforce it with firewalls if not VPNs, and audit it frequently, in both directions: the flows you observe that no rule allows, and the rules that no flow ever matches.
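One way to run that audit, as an added example for this article (not code from the original post or from any vendor), is to write down the expected cross-perimeter flows as an allowlist and replay exported flow records against it. The address plan (on-premises 10.0.0.0/8, a cloud VPC in 203.0.113.0/24), the policy rules and the flow records below are all constructed for the example; in practice the records would come from firewall, VPN or NetFlow exports.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int
    bytes: int


# Assumed address plan (hypothetical): on-premises 10.0.0.0/8, the organisation's
# cloud VPC in 203.0.113.0/24 (a documentation range).
ONPREM = ipaddress.ip_network("10.0.0.0/8")
CLOUD = ipaddress.ip_network("203.0.113.0/24")

# Expected cross-perimeter flows: (src_net, dst_net, proto, dport, label).
# Any flow crossing the on-prem/cloud boundary that matches none of these is a finding.
POLICY = [
    ("10.0.1.0/24", "203.0.113.0/24", "tcp", 5432, "app tier -> cloud Postgres"),
    ("203.0.113.0/24", "10.0.2.10/32", "tcp", 636, "cloud -> on-prem LDAPS over VPN"),
    ("10.0.0.0/8", "203.0.113.200/32", "udp", 1194, "all on-prem -> VPN concentrator"),
]

# Constructed flow records for the example.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "203.0.113.40", "tcp", 5432, 1_200_000),  # allowed by rule 1
    Flow("203.0.113.41", "10.0.2.10", "tcp", 636, 8_000),       # allowed by rule 2
    Flow("10.0.1.15", "10.0.2.10", "tcp", 636, 3_000),          # internal, not in scope
    Flow("10.0.5.23", "203.0.113.17", "tcp", 22, 45_000),       # desktop SSH into cloud host
    Flow("203.0.113.17", "10.0.5.23", "tcp", 445, 90_000),      # cloud host SMB back to desktop
    Flow("10.0.5.23", "198.51.100.9", "tcp", 443, 20_000),      # general Internet, not in scope
]


def _crosses_perimeter(src, dst):
    return (src in ONPREM and dst in CLOUD) or (src in CLOUD and dst in ONPREM)


def audit_flows(flows, policy=POLICY):
    """Return (violations, unused_rule_labels).

    violations: cross-perimeter flows that no rule allows.
    unused_rule_labels: rules no flow matched, i.e. candidates for removal at the next review.
    """
    rules = [
        (ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port, label)
        for s, d, proto, port, label in policy
    ]
    bytes_per_rule = Counter()
    violations = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if not _crosses_perimeter(src, dst):
            continue  # purely internal, purely cloud-side or Internet traffic is another audit
        for s_net, d_net, proto, port, label in rules:
            if src in s_net and dst in d_net and f.proto == proto and f.dport == port:
                bytes_per_rule[label] += f.bytes
                break
        else:
            violations.append(f)
    unused = [label for *_, label in rules if label not in bytes_per_rule]
    return violations, unused


if __name__ == "__main__":
    bad, stale = audit_flows(SAMPLE_FLOWS)
    for f in bad:
        print("VIOLATION", f)
    for label in stale:
        print("UNUSED RULE", label)
```

On the sample data the audit reports the desktop's SSH session into a cloud host and the cloud host's SMB connection back to the desktop, neither of which the policy anticipated, and notes that the VPN rule was never exercised. The first two are the "where are the dotted lines" question made concrete; the third is why the audit needs to be repeated, since a rule nobody uses is either dead or covering something that moved.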
Continued Network Monitoring and a Contingency Plan
Your best technique for combating evolving security threats is vigilance. That doesn't mean sitting and watching the network 24×7; it means using the tools at your disposal to gain visibility. If you're using a SIEM to correlate IDS and log data, configure your OmniEngine software probes to send the Expert event log to the SIEM as an additional data source. Not only does this give you an additional data collector (especially if you're using custom filters), it also tells you where in the packet capture to look when you investigate an event.
Monitoring your network 24/7 is also the foundation of network forensics, which serves as a contingency plan in case a breach does occur. A packet record lets you clean up your network and confirm that there are no lingering worms or other suspicious traffic, and it helps determine where the attacker got in so you can close the hole. This only works if the capture still covers the time of the breach, which is typically discovered days or weeks after the fact, so size your retention accordingly.
Keep in mind that you're not just looking at the Top 10 talkers. If anything, you're looking for a node in the long tail that is normally quiet but suddenly starts sending more traffic, or starts using protocols it never used before. A desktop PC that suddenly starts probing other parts of your network is suspicious activity that you should investigate, and one you might not notice by relying purely on an IDS: a signature-based IDS has no rule for "this host never did that before".
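The long-tail comparison above can be scripted as a per-host baseline check. The following is an added example for this article, not code from the original post or from any monitoring product; it compares a baseline capture period with today's traffic per source host and flags the three behaviours the paragraph names: a jump in volume, a protocol or port the host never used before, and a fan-out to internal hosts it never talked to. The flow records, the two period labels, the 10.0.0.0/8 internal range and the thresholds are all constructed or assumed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    period: str  # "baseline" (an earlier capture) or "today"; constructed labels
    src: str
    dst: str
    proto: str
    dport: int
    bytes: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow records for the example.
SAMPLE_FLOWS = [
    # A busy database server: a "Top 10" host, noisy in both periods and not a finding.
    Flow("baseline", "10.0.1.15", "10.0.1.30", "tcp", 5432, 50_000_000),
    Flow("today", "10.0.1.15", "10.0.1.30", "tcp", 5432, 80_000_000),
    # A quiet web client whose outbound volume jumps fifteen-fold.
    Flow("baseline", "10.0.7.9", "198.51.100.20", "tcp", 443, 200_000),
    Flow("today", "10.0.7.9", "198.51.100.20", "tcp", 443, 3_000_000),
    # A desktop: normally HTTPS out plus one file server. Today it starts RDP and
    # touches twelve internal hosts on SMB that it never talked to before.
    Flow("baseline", "10.0.5.23", "198.51.100.20", "tcp", 443, 40_000),
    Flow("baseline", "10.0.5.23", "10.0.2.20", "tcp", 445, 9_000),
    Flow("today", "10.0.5.23", "10.0.2.20", "tcp", 3389, 5_000),
] + [Flow("today", "10.0.5.23", f"10.0.3.{i}", "tcp", 445, 600) for i in range(1, 13)]


def profile(flows, period):
    """Summarise each source host for one period: bytes sent, services used, internal peers."""
    prof = defaultdict(lambda: {"bytes": 0, "services": set(), "peers": set()})
    for f in flows:
        if f.period != period:
            continue
        p = prof[f.src]
        p["bytes"] += f.bytes
        p["services"].add((f.proto, f.dport))
        if ipaddress.ip_address(f.dst) in INTERNAL:
            p["peers"].add(f.dst)
    return prof


EMPTY = {"bytes": 0, "services": frozenset(), "peers": frozenset()}  # hosts absent from baseline


def find_anomalies(flows, ratio=5.0, min_bytes=1_000_000, max_new_peers=10):
    """Compare today's per-host profile with the baseline; return (host, kind, detail) findings.

    Volume must grow `ratio`-fold AND exceed `min_bytes`, so 1 KB becoming 10 KB is not a
    finding. `max_new_peers` is the number of internal hosts not seen in the baseline that
    turns a desktop's activity into a probable scan.
    """
    base, now = profile(flows, "baseline"), profile(flows, "today")
    findings = []
    for host in sorted(now):
        cur, ref = now[host], base.get(host, EMPTY)
        if cur["bytes"] >= min_bytes and cur["bytes"] >= ratio * ref["bytes"]:
            findings.append((host, "volume", (ref["bytes"], cur["bytes"])))
        new_services = cur["services"] - ref["services"]
        if new_services:
            findings.append((host, "new_service", sorted(new_services)))
        new_peers = cur["peers"] - ref["peers"]
        if len(new_peers) >= max_new_peers:
            findings.append((host, "internal_probe", len(new_peers)))
    return findings


if __name__ == "__main__":
    for host, kind, detail in find_anomalies(SAMPLE_FLOWS):
        print(host, kind, detail)
```

On the sample data the database server, the host a Top 10 talkers view would show first, produces nothing, because its volume stays within the ratio. The two findings worth an analyst's time are both in the long tail: the web client's volume jump, and the desktop that started RDP and fanned out over SMB to a dozen hosts it had never contacted, with a total byte count far too small to appear on any volume chart.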
Cyber security threats are not going away, and they will only become more sophisticated over time. Staying aware of the trends affecting the security industry, both big and small, keeps you prepared to protect your network against new and lingering threats alike.