
Category Archives: Network Security

How to clean up an attack like Wells Fargo

In late March, news broke that Wells Fargo’s consumer-facing website had gone offline due to a distributed denial of service (DDoS) attack. News outlets reported that the attack was conducted by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. The group performed these attacks because they were upset about an anti-Islamic YouTube video, and it claims it will carry out the same kind of attacks against other banks such as Chase, Citibank, and SunTrust in the future if the video is not taken down. James Dohnert of V3.co.uk writes in more detail about the attack here.

Organizations both big and small have suffered from DDoS attacks in the last few months. Although DDoS attacks are pretty “old school,” they remain highly effective at bringing down websites and web-based applications. The methods behind these attacks have become more sophisticated, with much greater horsepower behind them and much more obfuscation of their sources. But network monitoring and analysis are also rapidly improving, offering new strategies both to protect your network and to clean it up if an incident occurs. Below we detail how you can be proactive in protection and also reactive if you fall victim.

How to Protect Yourself
DDoS attacks are designed to block network access for legitimate users. These attacks create extremely large volumes of useless traffic, causing various network resources to become saturated and thereby blocking access for users and customers. The attack’s predecessor, the Denial of Service (DoS) attack, exhausted server resources by repeatedly signaling the start of a conversation with no intention of ever conversing. To mitigate those attacks, you could use ACLs (access control lists) or firewall rules to keep the attack traffic from reaching the server. But with DDoS attacks, the first “D,” the distributed nature of the attack, makes blocking the offending traffic extremely difficult: the attack no longer comes from a few machines but from bot-infected machines worldwide.

With today’s DDoS attacks it really comes down to network protection. It is therefore very important to:

  • Use network analysis tools to capture all the data in one place. Although the attack comes from a large number of IP addresses, the attack packets are fairly homogeneous at the IP layer. If you can find a common behavior at the packet level, you can filter out this traffic.
  • Set up alerts to isolate questionable behavior. If requests start demanding more data than normal, or the number of users accessing your website suddenly spikes, it might be the beginning of a DDoS attack.
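As an added illustration of both points above (example code written for this page, not code from the original post or from WildPackets), the Python sketch below groups constructed packet summaries by their IP/TCP-layer shape to find a flood that many sources share, renders that shape as a tcpdump/BPF capture filter for isolating the traffic, and flags a sudden spike in requests per minute. The packet fields, thresholds and sample values are assumptions.

```python
from collections import Counter, defaultdict

# Constructed packet summaries, not a real capture:
# (src IP, IP TTL, IP total length, TCP flags, TCP window).
# The flood packets share one IP/TCP-layer shape but come from many sources.
PACKETS = (
    [("203.0.113.%d" % i, 51, 40, "S", 512) for i in range(1, 41)]
    + [("198.51.100.%d" % i, 64 - i % 9, 52 + 4 * (i % 5), "S", 65535) for i in range(1, 11)]
    + [("192.0.2.7", 128, 1500, "A", 8192)] * 5
)

def fingerprint(pkt):
    """IP/TCP-layer shape of a packet, ignoring the (spoofed or bot) source."""
    _src, ttl, length, flags, window = pkt
    return (ttl, length, flags, window)

def find_flood_signature(packets, share=0.5, min_sources=10):
    """Return (signature, sources) when one packet shape makes up at least
    `share` of all traffic and arrives from >= min_sources addresses."""
    by_sig = Counter(fingerprint(p) for p in packets)
    sources = defaultdict(set)
    for p in packets:
        sources[fingerprint(p)].add(p[0])
    sig, count = by_sig.most_common(1)[0]
    if count / len(packets) >= share and len(sources[sig]) >= min_sources:
        return sig, sorted(sources[sig])
    return None

def signature_to_bpf(sig):
    """Render a signature as a tcpdump/BPF capture filter (IPv4 offsets:
    ip[8] = TTL, ip[2:2] = total length, tcp[14:2] = window)."""
    ttl, length, flags, window = sig
    flag_expr = ("tcp[tcpflags] == tcp-syn" if flags == "S"
                 else "tcp[tcpflags] & tcp-ack != 0")
    return "ip[8] == %d and ip[2:2] == %d and tcp[14:2] == %d and %s" % (
        ttl, length, window, flag_expr)

def request_spike(counts_per_minute, baseline_window=5, factor=4.0):
    """Index of the first minute whose request count exceeds `factor` times
    the mean of the preceding `baseline_window` minutes, else None."""
    for i in range(baseline_window, len(counts_per_minute)):
        base = sum(counts_per_minute[i - baseline_window:i]) / baseline_window
        if base > 0 and counts_per_minute[i] > factor * base:
            return i
    return None

if __name__ == "__main__":
    hit = find_flood_signature(PACKETS)
    print("flood signature:", hit[0], "from", len(hit[1]), "sources")
    print("filter:", signature_to_bpf(hit[0]))
    print("spike at minute", request_spike([30, 32, 28, 31, 29, 400, 450]))
```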

How to Clean Up the Mess
Having a network recorder with network forensics in place is key to helping you clean up your system. Network forensics is the process of capturing and storing packet-level network data 24x7 for analysis if a problem occurs. This process gives you a complete picture of the problem and allows you to gain crucial information, including exactly where, and how, the attack was orchestrated. Armed with this knowledge, you can build new rules for intrusion detection and prevention systems (IDS/IPS), or new alarms for your network monitoring and analysis solution, so you’ll be notified at the first sign of a renewed attack. If you are interested in learning more about network forensics, check out this Rich Report podcast featuring Jay Botelho, Director of Product Management at WildPackets, here.

DDoS attacks are on the rise and even large banks like Wells Fargo have trouble protecting themselves and reacting to these attacks. To help mitigate some of the headaches, have a game plan in place both for proactively stopping these attacks and cleaning up after these attacks if you are targeted.

RSA: The Rising Cyber Security Threats Attacking Your Network

The RSA Conference is one of the premier cyber security gatherings in the IT industry. Companies, analysts, and cyber security professionals flock to San Francisco every year to hear talks from the experts, see the latest products on the Expo floor, and socialize at a week of parties. The conference has grown over the years, just as the emphasis on cyber security within IT has increased, as Jon Oltsik of NetworkWorld points out:

RSA used to be an oasis from mainstream IT and a place to discuss DLP, web security and key management. It was an under-funded IT stepchild and the RSA Conference was still centered on bits and bytes. That was then, this is now and cyber security is everywhere!

But it makes sense. We live in a world where our bank accounts can be hacked by someone thousands of miles away, where companies have data about our personal lives that they can sell to advertisers, and where governments routinely perform cyber espionage. Security and privacy are no longer restricted to a small corner of the IT department: they affect everyone.

So, how can you as an IT or network admin help protect your network from being hacked? Here are a few ways to make sure that you are on top of your network security policy:

Password Attacks and Best Practices
There are two main ways that passwords are the cause of breaches. The first is simply guessing, which is paradoxically becoming more sophisticated. Analysis of the numerous password breaches over the past year shows that most people are using passwords that can be guessed easily, including Syrian President Assad’s use of “12345”. However, enforcing more complex passwords isn’t necessarily the answer, since it leads to the classic “sticky note under the keyboard,” or its equivalent in a mobile workforce.

Detecting password guessing is relatively straightforward: look for repeated login attempts, especially for login failures. While this is usually easiest via server logs, it can work on the wire too by looking for repeated access to the login URL for a web app.

However, an increasingly common cause of password-related breaches is so-called “spear phishing,” in which an attacker sends an email to a target pretending to be something innocuous, or even something official. A common technique among professional penetration testers is to send an email claiming to be from the company IT department, with a link to a site that requests the user’s username and password. Average success rates for this spear phishing technique are over 30%.

Stolen passwords can be difficult to detect, but Google recently shared one of their methods: look for logins that happen from different locations. It would be rather unusual for a GeoIP lookup of the login to come from two different continents within minutes of each other!
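Both detections above, repeated login failures from one source and logins for one account from two countries within minutes, as an added Python example (written for this page, not Google’s method or code from the original post). The log format, the GeoIP lookup table and the thresholds are constructed assumptions; a real deployment would read its own authentication log and query a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events, not real logs: "timestamp user source_ip result".
LOG = """\
2013-03-28T09:00:01 alice 198.51.100.7 OK
2013-03-28T09:01:10 bob 203.0.113.5 FAIL
2013-03-28T09:01:14 carol 203.0.113.5 FAIL
2013-03-28T09:01:15 dave 203.0.113.5 FAIL
2013-03-28T09:01:17 erin 203.0.113.5 FAIL
2013-03-28T09:03:00 alice 192.0.2.44 OK
2013-03-28T09:20:00 bob 198.51.100.9 OK
"""

# Constructed stand-in for a GeoIP lookup (a real deployment queries a GeoIP database).
GEO = {"198.51.100.7": "US", "192.0.2.44": "DE", "203.0.113.5": "BR", "198.51.100.9": "US"}

def parse(log):
    """(timestamp, user, ip, result) tuples from the text log."""
    return [(datetime.fromisoformat(t), u, ip, r)
            for t, u, ip, r in (line.split() for line in log.splitlines())]

def guessing_sources(events, threshold=4, window=timedelta(minutes=1)):
    """Source IPs with >= threshold failed logins inside `window`, counted across all users."""
    fails = defaultdict(list)
    for ts, _user, ip, result in events:
        if result == "FAIL":
            fails[ip].append(ts)
    hits = set()
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return sorted(hits)

def impossible_travel(events, window=timedelta(minutes=30)):
    """(user, earlier country, later country) for OK logins from two countries within `window`."""
    last, flagged = {}, []
    for ts, user, ip, result in sorted(events):
        if result != "OK":
            continue
        country = GEO.get(ip, "??")
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            flagged.append((user, prev[1], country))
        last[user] = (ts, country)
    return flagged
```

Running `guessing_sources(parse(LOG))` flags the one host spraying four accounts in seven seconds, and `impossible_travel(parse(LOG))` flags alice’s US login followed three minutes later by one from Germany.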

Best practice is still two-factor authentication with a hardware token. If it is cost-effective for Blizzard to use with World of Warcraft, then it is cost-effective for your organization. There are even open source or dual-license solutions available.

Monitoring IT That is in Public Clouds
The idea of sharing a public utility in general can be scary, especially when IT personnel do not have control over every aspect of the company’s infrastructure. Beyond this concern there are other tactical security concerns that need to be addressed prior to moving to a public cloud, as well as while you are monitoring your cloud service.

One of the emerging challenges is the push for Single Sign-On (SSO) in cloud-hosted applications. This is a complicated issue, and it’s easy to get lost in the discussion of “if Facebook can do it, why can’t we?” versus “Let’s use OAuth like Twitter!”. Our recommendation is to start by knowing the scope of the problem, and an excellent resource is a recent series of articles on Securosis.

From a detection perspective, cloud security is about knowing where the dotted lines are that define what used to be your perimeter. Understand the traffic flows between your in-house services and your cloud instances, enforce them with firewalls (or better, VPNs), and audit them frequently.

Continued Network Monitoring and a Contingency Plan
Your best technique to combat evolving security threats is vigilance. That doesn’t mean sitting 24×7 watching the network. It means using the tools at your disposal to gain visibility. If you’re using a SIEM to correlate IDS and log data, configure your OmniEngine software probes to send the Expert event log to the SIEM as an additional data source. Not only will this give you an additional data collector (especially if you’re using custom filters), it will also tell you where in the capture to look when you investigate events.

Monitoring your network 24/7 is also the foundation of network forensics. Network forensics works as a contingency plan in case a security breach does occur. It can help you clean up your network to make sure that there are no lingering worms or other suspicious traffic, and it can also help to determine where the hacker breached your network so you can fix any security holes.

Keep in mind that you’re not just looking at the Top 10. If anything, you’re looking for a node in the long tail that’s relatively quiet, but which suddenly starts sending more traffic, or starts using different protocols than before. If you’ve got a desktop PC that suddenly starts sending probes to other parts of your network, that’s suspicious activity that you should investigate, and that you might not have noticed by relying purely on an IDS.
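An added Python example of the long-tail check described above (written for this page; not part of the original post or of any WildPackets product): it profiles each host’s bytes sent, protocols used and destinations contacted during a baseline period, then reports hosts that start using new protocols, jump in volume, or suddenly fan out to many previously unseen internal destinations. The flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not a real capture: (src, dst, proto/port, bytes).
# 10.0.0.22 is a normally quiet desktop that today starts probing SSH on 30 new hosts.
BASELINE = [
    ("10.0.0.21", "10.0.0.5", "tcp/445", 120_000),
    ("10.0.0.21", "10.0.0.8", "tcp/443", 90_000),
    ("10.0.0.22", "10.0.0.5", "tcp/445", 200_000),
]
TODAY = [
    ("10.0.0.21", "10.0.0.5", "tcp/445", 110_000),
    ("10.0.0.21", "10.0.0.8", "tcp/443", 95_000),
    ("10.0.0.22", "10.0.0.5", "tcp/445", 190_000),
] + [("10.0.0.22", "10.0.0.%d" % n, "tcp/22", 600) for n in range(30, 60)]

def profile(flows):
    """Per source host: total bytes sent, protocols used, distinct destinations."""
    prof = defaultdict(lambda: {"bytes": 0, "protos": set(), "dsts": set()})
    for src, dst, proto, nbytes in flows:
        prof[src]["bytes"] += nbytes
        prof[src]["protos"].add(proto)
        prof[src]["dsts"].add(dst)
    return prof

def long_tail_anomalies(baseline, today, volume_factor=3.0, fanout=20):
    """Hosts whose behaviour changed versus baseline: new protocols, a byte
    volume jump, or a sudden fan-out to many previously unseen destinations."""
    base, now = profile(baseline), profile(today)
    findings = {}
    for host, p in now.items():
        b = base.get(host, {"bytes": 0, "protos": set(), "dsts": set()})
        reasons = []
        new_protos = p["protos"] - b["protos"]
        if new_protos:
            reasons.append("new protocols: " + ", ".join(sorted(new_protos)))
        if b["bytes"] and p["bytes"] > volume_factor * b["bytes"]:
            reasons.append("volume jump x%.1f" % (p["bytes"] / b["bytes"]))
        new_dsts = len(p["dsts"] - b["dsts"])
        if new_dsts >= fanout:
            reasons.append("probing %d new hosts" % new_dsts)
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, why in long_tail_anomalies(BASELINE, TODAY).items():
        print(host, "->", "; ".join(why))
```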

Cyber security threats are not going away and they will continue to become more sophisticated over time. It is important to be aware of trends affecting the security industry (both big and small), so you can be versed and prepared to protect your network against both nascent and lingering threats out there.

Public Wi-Fi: Stay Safe!

We’re all desperate for connectivity, and sometimes that addiction leads us to use public Wi-Fi Internet connections without really considering the source of the service. This could have some very serious repercussions. Whether you are using public Wi-Fi at a coffee shop, on public transportation, or at a restaurant or hotel, you are always vulnerable, but especially so when the pedigree of the Wi-Fi network is unclear.

Vulnerability takes many forms on public Wi-Fi. Most notably, wireless traffic can easily be “sniffed” by anyone with the right (freely available) software who is within a few hundred feet of you. So the combination of Wi-Fi and public means you need to take even greater precautions to ensure your security.

New technology that makes our lives more convenient can also create additional security threats, and Wi-Fi is a case in point. It is very easy for anyone to create a wireless hotspot (many smart phones have built-in hotspots), or to spoof an existing hotspot, so be very careful when accessing a public network, especially if the network requires financial or personal information to gain access.

Since we are usually the cause of our own demise, there are many easy ways for us to keep ourselves safe on public networks, and as network/IT admins it’s our responsibility to help our “users” as much as possible in accessing public Wi-Fi securely.

Five Steps to Stay Safe on Public Wi-Fi

Know the network you’re joining. In a rush to get things done, it’s easy to just hop on a public network, assuming that it’s been provided for your convenience by a reputable organization in a secure manner. But this isn’t always the case. Unscrupulous individuals can set up networks that aren’t secure and, worse yet, are designed to sniff for personal data. And with the hotspot capability on smart phones this is now even easier. You should never join anyone’s personal hotspot, period, unless you know the user and they have secured their network with a private key that they share with you. And if it’s a public network that you trust (like at Starbucks) but it doesn’t require any type of password to join, be very careful about the data you transmit over the network: it is NOT secure.

Keep your firewall and antivirus software up to date. Although this won’t protect you from every attack, it will help protect you from automated worms and viruses that use the intimate nature of public Wi-Fi to go from computer to computer.

Never turn your antivirus off. Occasionally people will turn off their antivirus software because they think it makes downloads and connections faster. This is a fallacy. Turning off your antivirus software will not speed up your download and leaves your computer extremely vulnerable.

Look for signs. If you see warnings about website certificates, log-in fields in unfamiliar locations, or requests for financial details, stop what you are doing and put your computer away. These small signs can be an indication that someone is trying to get information from you that you do not want to share.

Clean up your computer when you get home. If you want to be really diligent about ensuring you were not infected or harmed, run a malware scan, especially after being on a public Wi-Fi network that you feel may have been less than secure.

VPNs Keep Employees Safe When Using Public Wi-Fi

Set up a virtual private network for work and non-work activities. As a network engineer or IT admin, it is really easy and effective to set up a VPN, especially if you have mobile workers or provide devices to your workers. A VPN encrypts all traffic and keeps both your corporate data as well as employees’ personal data safe and secure. Require that the VPN be used for access to any corporate application, and encourage your users to take advantage of the VPN to protect their personal public Wi-Fi usage as well.

Remember: when using a hotspot you are in a public space and sharing material that you may not want to share with the public. Make sure you think wisely about what you are accessing and using. And, if unsure, wait until you get back to your secure home or work network before buying that pair of shoes you were eyeing on Zappos.