Category Archives: Network Security

BYOD and Its Impact on Network Security

The bring your own device (BYOD) trend has been picking up steam for quite some time now, leaving some IT managers scrambling to keep their networks secure. As a younger generation accustomed to using personal mobile devices for pretty much everything enters the workforce, BYOD is likely to become even more commonplace.

According to a study by CompTIA, nearly three-quarters of millennials—generally defined as those who reached young adulthood sometime around 2000—used a smart phone for work purposes over the past year, compared with just 37 percent of baby boomers. Tablets, laptops and GPS systems are also more popular among younger workers as well.

Without proper monitoring, BYOD can poke major holes in network infrastructure. For years IT teams had control of mobile devices employees were using for work, but with BYOD they are now charged with extending network access to a wide variety of devices while keeping information secure. They often worry about malware infections or vulnerable devices lost by employees and found by strangers who should not have access to company information.

Increasingly, IT teams are realizing that a multi-tiered security strategy often works best. For instance, educating users about the importance of strong passwords and keeping devices in sight at all times is crucial. Creating a formal, written policy that makes BYOD policy crystal clear for employees is helpful as well.

Of course, using top-flight network monitoring solutions is a major piece of the puzzle. With the advent of BYOD, now more than ever IT managers need a high-level, comprehensive view of everything happening on the network at a given time. Whether an employee is working in the coffee shop down the street or across the country, businesses need detailed network analysis to ensure security. BYOD is the future, and the future is here.

How to clean up an attack like Wells Fargo

In late March, news broke that Wells Fargo’s consumer facing website had gone offline due to a distributed denial of service (DDoS) attack. News outlets reported that the attack was conducted by hacktivist group Izz ad-Din al-Qassam Cyber Fighters. The group performed these attacks because they were upset about an anti-Islamic YouTube video. The group also claims that they’ll be performing these types of attacks to other banks such as Chase, Citibank, and SunTrust in the future if the video is not taken down. James Dohnert of V3.co.uk writes in more detail about the attack here.

Organizations both big and small have suffered from DDoS attacks in the last few months. Although DDoS are pretty “old school,” they remain highly effective in bringing down websites and web-based applications. The methods behind these attacks have become more sophisticated, with much greater horsepower behind the attacks, and much more obfuscation as to the sources. But network monitoring and analysis are also rapidly improving, offering new strategies to both protect your network and clean up your network if an incident occurs. Below we detail how you can be both proactive in protection and also reactive if you fall victim.

How to Protect Yourself
DDoS attacks are designed to block network access for legitimate users. These attacks create extremely large volumes of useless traffic, causing various network resources to become saturated thereby blocking access for users and customers. The attacks predecessor, Denial of Service (DoS) attacks, affected servers by using up resources signaling the start of a conversation with no intention to converse. To mitigate these attacks, you could use ACLs (access control lists) or firewall rules to keep the attack traffic from reaching the server. But with DDoS attacks, the first “D,” or the distributed nature of the attack, makes blocking offending traffic extremely difficult, and it broadens the scale of the attack from a few machines to a widespread attack from machines worldwide that have been infected by bots.

With today’s DDoS attacks it really comes down to network protection. It is therefore very important to:

  • Use network analysis tools to capture all the data in one place, although attacks come from a large number of IP addresses, these attacks are fairly homogenous in the IP layer. If you can find a common behavior at the packet level then you can filter out this traffic.
  • Set up alerts to isolate questionable behavior. If you are experiencing a request that requires more data than normal, or the number of users accessing your website suddenly spikes, it might be the beginning of a DDoS attack.

How to Clean-Up the Mess
Having a network recorder with network forensics in place is key to helping you clean up your system. Network forensics is the process of capturing and storing data packet-level network data 24X7 for analysis if a problem occurs. This process gives you a complete picture of the problem and allows you to gain crucial information, including exactly where, and how, the attack was orchestrated. Armed with this knowledge, you can build new rules for intrusion detection and prevention systems (IDS/IPS), or new alarms for the network monitoring and analysis solution, so you’ll be notified at the first sign of a renewed attack. If you are interested in learning more about network forensics, check out this Rich Report podcast featuring Jay Botelho, Director of Product Management at WildPackets, here.

DDoS attacks are on the rise and even large banks like Wells Fargo have trouble protecting themselves and reacting to these attacks. To help mitigate some of the headaches, have a game plan in place both for proactively stopping these attacks and cleaning up after these attacks if you are targeted.

RSA: The Rising Cyber Security Threats Attacking Your Network

The RSA Conference is one of the premier cyber security gatherings in the IT industry. Companies, analysts, and cyber security professionals flood to San Francisco every year to hear talks from the experts, see the latest products on the Expo floor, and socialize at a week of parties. The conference has grown over the years, just as emphasis has increased within IT on cyber security, as Jon Olstik of NetworkWorld points out:

RSA use to be an oasis from mainstream IT and a place to discuss DLP, web security and key management. It was an under-funded IT step child and the RSA Conference was still centered on bits and bytes. That was then, this is now and cyber security is everywhere!

But it makes sense. We live in a world where our bank accounts can be hacked by someone thousands of miles away, where companies have data about our personal lives that they can sell to advertisers, and where governments routinely perform cyber espionage. Security and privacy is no longer restricted to a smaller corner of the IT department: it affects everyone.

So, how can you as an IT or network admin help protect your network from being hacked? Here are a few ways to make sure that you are on top of your network security policy:

Passwords Attacks and Best Practices
There are two main ways that passwords are the cause of breaches. First is simply guessing, which is paradoxically becoming more sophisticated. Analysis of the numerous password breaches over the past year show that most people are using passwords which can be guessed easily, including Syrian President Assad’s use of “12345”. However, enforcing more complex passwords isn’t necessarily the answer, since it leads to the classic “sticky note under the keyboard,” or its equivalent in a mobile workforce.

Detecting password guessing is relatively straightforward: look for repeated login attempts, especially for login failures. While this is usually easiest via server logs, it can work on the wire too by looking for repeated access to the login URL for a web app.

However, an increasingly common cause of password-related breaching is so-called “spear phishing,” in which an attacker will send an email to a target pretending to be something innocuous, or even something official. A common technique among professional penetration testers is to send an email claiming to be from the company IT department, with a link to a site that requests the user’s username and password. Average success rates for this spear phishing technique are over 30%.

Stolen passwords can be difficult to detect, but Google recently shared one of their methods: look for logins that happen from different locations. It would be rather unusual for a GeoIP lookup of the login to come from two different continents within minutes of each other!

Best practice for good passwords is still 2-factor authentication with a hardware token. If it’s cost-effective for Blizzard to use with World of Warcraft, then it is be cost effective for your organization. There are even open source or dual license solutions available.

Monitoring IT That is in Public Clouds
The idea of sharing a public utility in general can be scary, especially when IT personnel do not have control over every aspect of the company’s infrastructure. Beyond this concern there are other tactical security concerns that need to be addressed prior to moving to a public cloud, as well as while you are monitoring your cloud service.

One of the emerging challenges is the push for Single Sign-On (SSO) in cloud-hosted applications. This is a complicated issue, and it’s easy to get lost in the discussion of “if Facebook can do it, why can’t we?” versus “Let’s use OAUTH like Twitter!”. Our recommendation is to start with knowing the scope of the problem, and an excellent resource is a recent series of articles on Securosis.

From a detection perspective, cloud security is about knowing where the dotted lines are that define what used to be your perimeter. Understand your traffic between your in-house services and your cloud instances, enforce them with firewalls if not VPNs, and audit them frequently.

Continued Network Monitoring and a Contingency Plan
Your best technique to combat evolving security threats is vigilance. That doesn’t mean sitting 24×7 watching the network. It means using the tools at your disposal to gain visibility. If you’re using a SIEM to correlate IDS and log data, configure your OmniEngine software probes to send the Expert event log to the SIEM as an additional data source. Not only will it give you an additional data collector (especially if you’re using custom filters), it will also tell you where in the capture to look when you do investigation of events.

This monitoring of your network 24/7 is a great tool for network forensics. Network forensics works as a contingency plan in case a security breach does occur. It can help you clean up your network to make sure that there are no lingering worms or other suspicious traffic, and it can also help to determine where the hacker breached your network so you can fix any security holes.

Keep in mind that you’re not just looking at the Top 10. If anything, you’re looking for a node in the long tail that’s relatively quiet, but which suddenly starts sending more traffic, or starts using different protocols than before. If you’ve got a desktop PC that suddenly starts sending probes to other parts of your network, that’s suspicious activity that you should investigate, and that you might not have noticed by relying purely on an IDS.

Cyber security threats are not going away and they will continue to become more sophisticated over time. It is important to be aware of trends affecting the security industry (both big and small), so you can be versed and prepared to protect your network against both nascent and lingering threats out there.