Monday, March 2, 2015

Security101 : What is a Next Generation Firewall?

Security101 is a series of short, direct, no fluff articles about security basics.  To see the entire series, click here.

What is a Next Generation Firewall (NGFW)? A Next Generation Firewall is a traditional firewall with some additional functionality added on.  Most NGFWs include, at a minimum, a web filter, basic IDS/IPS functionality, Layer 7 or application visibility, and possibly a botnet filter.

What this means is that in addition to allowing or denying traffic based on source, destination, port, and protocol you can now inspect and control traffic based on a number of additional criteria.  For the privilege, you'll usually be charged more than a traditional firewall and have to pay an annual subscription fee to keep the signatures, lists, and definitions current.
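To make the difference concrete, here is an added example (not code from the original post) of a first-match rule table evaluated once the way a traditional firewall sees a flow and once with the NGFW criteria named above. All addresses, rule names, application labels and sample flows are constructed for illustration.

```python
"""Added example (not from the original post): a first-match firewall rule
table, as a traditional firewall sees it and as an NGFW sees it.

Traditional rules match only source, destination, port and protocol.  The
NGFW rule set adds two optional criteria the text mentions, an identified
application and a URL category, so a flow that looks like ordinary TCP/443
to a traditional firewall can still be denied once inspection identifies it.
Every address, rule and flow here is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR, any by default
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # "tcp" / "udp" / None = any
    dport: Optional[int] = None      # None = any port
    app: Optional[str] = None        # NGFW only: identified application
    category: Optional[str] = None   # NGFW only: URL category


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None        # set by inspection; None = not identified
    category: Optional[str] = None


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every criterion it specifies agrees with the flow.
    Criteria left at None are wildcards; an app/category criterion can only
    match a flow that inspection has actually labelled."""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.category is not None and rule.category != flow.category:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything that falls through is denied."""
    for rule in rules:
        if matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


# Traditional rule set: only addresses, protocol and port are available.
TRADITIONAL = [
    Rule("lan-web", "allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("lan-web-plain", "allow", src="10.0.0.0/8", proto="tcp", dport=80),
    Rule("default-deny", "deny"),
]

# NGFW rule set: the same allows, preceded by rules that need inspection.
NGFW = [
    Rule("block-p2p", "deny", src="10.0.0.0/8", app="bittorrent"),
    Rule("block-gambling", "deny", src="10.0.0.0/8", category="gambling"),
] + TRADITIONAL

if __name__ == "__main__":
    # Constructed flow: peer-to-peer traffic hiding on TCP/443.
    p2p = Flow("10.1.2.3", "203.0.113.10", "tcp", 443, app="bittorrent")
    print("traditional:", evaluate(TRADITIONAL, p2p))  # allow:lan-web
    print("ngfw:       ", evaluate(NGFW, p2p))         # deny:block-p2p
```

The inspection-dependent rules sit above the port-based allows on purpose: with first-match semantics a flow is only judged on its application or category if the firewall actually identified one, which is exactly the subscription-fed capability the paragraph describes.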

Each of these additional functions can be a robust standalone product, but since they all primarily watch traffic at the network's ingress and egress points, it was only natural to bundle them with the firewall, which lives in the same place.  If you want my Security101 explanation of what each of these is, just click the links below.

Security101: What is a Web Filter?
Security101: What is an IPS or IDS?
Security101: What is Application Visibility?
Security101: What is a Botnet Filter?

Friday, February 27, 2015

Your Data IS Being Stolen

For most companies, even ones that manufacture products, their most valuable assets are digital.  If you are an insurance company it might be your customer list.  If you are an engineering company it might be your technical drawings.  If you are a hospital it might be patient records.  If you are an online retailer it might be your product images and descriptions.  If you are a brick and mortar retailer it may be credit card data.  No matter what your business, you have valuable digital assets.

Much like locks are installed on doors and cameras are mounted throughout a warehouse, digital assets must be monitored and protected.  If you aren't watching it, you are losing it.  There are a number of reasons companies begin working to protect their data.  The top 3 are typically:
  1. Driven by an industry security policy
  2. Desire to protect competitive advantage
  3. The need to maintain your customers' confidence
No matter the business driver, you cannot allow this data to leak out of your organization.
Stealing Water
I say leak, but in truth there is no way to know what the escape velocity is until you start monitoring it.  It could be a trickle or it could be a fire hose but you can be certain it is happening. 
"No, no" you say, "not our people, not our company!"  I'll share a couple experiences.

In the mid 90s a network admin for a health insurance company confided in me that he had downloaded contact and other non-medical information on every customer his company had ever had and was trying to figure out a way to sell it.  His argument was that all this data was public and so he wasn't really stealing, just providing it in an organized and concise manner.

A few years later a coworker shared with me that she was fairly certain she was about to be fired.  She seemed calm about it and assured me she was pretty sure she could get a job within a week with one of our competitors.  I asked why and she hinted that she had "something" that they would want.  After some more conversation she implied that she had all our customer data at home, including past sales history with volumes, reports, and stats.  She figured any of our competition would hire her just to get it.  She was probably right.

Data can leave your environment in numerous ways.  One avenue for preventing data loss is Data Loss Prevention (DLP) software.  DLP focuses on two areas: first monitoring your data at rest, and then watching it as it goes into motion.  In practice you point the software at specific storage areas (SANs, server hard drives, NASs) to be monitored, and the software then reports on who accesses that data, how much of it they access, and where it gets copied to.  Some DLP software can also block or throttle that traffic to prevent or limit data theft.  Other types of DLP software monitor outbound email for keywords, file types, file sizes, and file contents.
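As an added example (not the post's own code, and not any particular DLP product), here is the mail-side check the last sentence describes: outbound messages to external recipients are scanned for keywords, blocked file types, oversized attachments and card numbers in the contents. The internal domain, keyword list, size limit and sample messages are all constructed.

```python
"""Added example (not from the original post): an outbound-mail DLP check.

It applies the checks the text lists for mail-side DLP, keywords, file types,
file sizes and file contents, and only to mail leaving the organisation.
Card-number detection pairs a digit pattern with the Luhn checksum so that
order numbers and similar digit runs are not reported.  Domain, keywords,
limits and sample messages are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"                     # constructed
KEYWORDS = ("confidential", "customer list", "internal only")
BLOCKED_EXTENSIONS = (".db", ".bak", ".pst")        # raw data / mailbox dumps
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(label: str, text: str, findings: List[str]) -> None:
    """Append keyword and card-number findings for one piece of text."""
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(f"{label}: keyword '{kw}'")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"{label}: card number ending {digits[-4:]}")


def inspect_mail(mail: OutboundMail) -> Dict[str, object]:
    """Return {"action": "allow"|"block", "findings": [...]}.  Mail that stays
    inside the organisation is not inspected; mail to an external recipient
    with any finding is blocked (a real product might quarantine or only log,
    depending on policy)."""
    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings: List[str] = []
    if not external:
        return {"action": "allow", "findings": findings}
    scan_text("subject", mail.subject, findings)
    scan_text("body", mail.body, findings)
    for att in mail.attachments:
        label = f"attachment {att.filename}"
        if att.filename.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(f"{label}: blocked file type")
        if len(att.content) > MAX_ATTACHMENT_BYTES:
            findings.append(f"{label}: {len(att.content)} bytes exceeds limit")
        try:
            text = att.content.decode("utf-8")
        except UnicodeDecodeError:
            text = ""                           # binary: no text scan here
        scan_text(label, text, findings)
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample messages.
SAMPLE_INTERNAL = OutboundMail(
    "alice@example.com", ["bob@example.com"], "Q1 numbers",
    "Test card 4111 1111 1111 1111 for the sandbox.")
SAMPLE_EXTERNAL = OutboundMail(
    "alice@example.com", ["me@personal-mail.test"], "FYI",
    "Order 1234 5678 9012 3456 shipped today.",
    [Attachment("customers.db", b"name,card\nJane,4111111111111111\n")])

if __name__ == "__main__":
    for mail in (SAMPLE_INTERNAL, SAMPLE_EXTERNAL):
        print(mail.recipients, inspect_mail(mail))
```

The order number in the second message is the false-positive case: it matches the digit pattern but fails the Luhn check, so only the attachment's file type and the card number inside it are reported.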

Obviously more than DLP software will be necessary to give you the level of confidence you want that virtually no data is being lost or stolen.  In addition to company policies that employees are required to abide by, below are a few types of endpoint security that come to mind:
  1. USB and CD/DVD ROM drive control
  2. Hard drive encryption for laptops and desktops
  3. Screenshot prevention 
Whether or not DLP seems like a fit for your organization, keep in mind that you do have employees who have either already stolen your data or have contemplated it.  Start now taking the steps to protect your company's most valuable digital assets.

Tuesday, February 24, 2015

Security101 : What is Application Visibility?

Security101 is a series of short, direct, no fluff articles about security basics.  To see the entire series, click here.

What is Application Visibility?  From a networking perspective our primary concerns have always been network link speed, usage percentage, and up-time.  We were oblivious to the applications that rode our networks; they were just TCP and UDP traffic, and we only had to make sure there was enough pipe for them to travel through.  Application Visibility (and Control) is a shift in thinking wherein the network teams now focus on the performance of the actual applications riding the network and adapt the network to the application's needs.

To do this we need to be able to see more than just port and protocol; we need to be able to actually identify applications by their observed characteristics.  Most often this is handled at choke points in the network like routers and firewalls.  Routers, for instance, may monitor and report on the traffic they see.  Using these observations we can dynamically make changes to the network using existing tools like PBR, QoS, and WAN optimization.  These changes are applied to switches, routers, and firewalls.  They are typically pre-configured settings that can be applied and removed dynamically as needs dictate.  There is often a fair amount of setup involved, but vendors are working to bring products to market that make this process easier and faster.
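As an added example (not the post's own code, nor any vendor's), here is what "identify applications by their observed characteristics" looks like in practice: a few well-documented protocol openings are recognised from the first client bytes, compared with what the port alone would suggest, and mapped to a traffic class of the kind a QoS or PBR policy keys on. The port table, class names and sample payloads are constructed.

```python
"""Added example (not from the original post): identifying an application by
what the first bytes of a flow look like rather than by the port it uses,
then mapping the result to a traffic class the way a QoS or PBR policy would.

The fingerprints cover a few well-documented protocol openings (SSH banner,
TLS ClientHello record header, HTTP request line, BitTorrent handshake).  The
port expectations, QoS class names and sample payloads are constructed.
"""
from typing import Dict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify(payload: bytes) -> str:
    """Return an application label from the first client-to-server bytes."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then the handshake type, 0x01 for ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == 0x01):
        return "tls"
    if (payload.startswith(HTTP_METHODS)
            and b" HTTP/1." in payload.split(b"\r\n", 1)[0]):
        return "http"
    # BitTorrent handshake: pstrlen 19 followed by "BitTorrent protocol".
    if (len(payload) >= 20 and payload[0] == 19
            and payload[1:20] == b"BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


# What a port-only view would assume (constructed table).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls"}
# Constructed traffic classes a PBR/QoS policy could key on.
QOS_CLASS = {"ssh": "management", "http": "business", "tls": "business",
             "bittorrent": "scavenger"}


def classify_flow(dport: int, payload: bytes) -> Dict[str, object]:
    """Compare the port-based guess with the observed application and pick
    the traffic class from the observed one.  A mismatch is flagged only when
    both sides are known; this disagreement is what port-only monitoring
    cannot see."""
    expected = PORT_EXPECTATION.get(dport, "unknown")
    observed = identify(payload)
    return {
        "dport": dport,
        "expected": expected,
        "observed": observed,
        "mismatch": (expected != "unknown" and observed != "unknown"
                     and observed != expected),
        "qos_class": QOS_CLASS.get(observed, "default"),
    }


# Constructed sample payloads.
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xa5, 0x01, 0x00, 0x00, 0xa1, 0x03, 0x03])),
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),          # SSH tunnelled over 443
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, bytes([19]) + b"BitTorrent protocol" + bytes(8)),
]

if __name__ == "__main__":
    for dport, payload in SAMPLE_FLOWS:
        print(classify_flow(dport, payload))
```

The third sample is the interesting one: on port 443 a port-based view reports "tls", while the bytes say SSH, so the flow lands in the management class and is flagged. Real products use far more fingerprints and also look at flow behaviour, but the shape of the decision is the same.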

Monday, February 16, 2015

Do You NEED The Internet?

I was reading this post this afternoon by @BrianKrebs regarding the innumerable bank hacks that were discovered recently and reported on by the Wall Street Journal.  To summarize, in case you didn't happen to catch it, reportedly over 100 banks in 30 countries were specifically targeted and had somewhere between 300 million and 1 billion dollars stolen (transferred to bogus bank accounts and then withdrawn, hidden, or otherwise made to disappear).  Brian did a great job on his article, but as I read, a thought kept replaying in my mind: why?

Not "why did the hackers steal it", or "why didn't someone catch it", or "how could this happen", but "why would a bank allow internet access at all, anywhere?"  The internet has become so pervasive in every aspect of our lives that it seems it's a given that employees will have access from their desktops.  In fact, the entire security industry exists in large part because of the internet.  If we went back to modems for remote network access, EDI for exchanging data with business partners, and cash for purchases, the vast majority of us security folks would find ourselves without a job.

Don't be mistaken, I'm not advocating we go back to that world.  In fact, I quite like the fast-paced, dynamic age we live in; a world that exists because of the internet.  But I often suspect, and in fact truly believe, that the vast majority of companies allow internet access into and out of their enterprise simply because of fear.  They are afraid that if employees were required to relinquish internet access they quite simply would mutiny.  They are afraid they would lose their good employees or not be able to attract new ones.

That fear has driven them to spend massive sums of money trying to secure their environments so employees aren't unhappy.  Because really, how happy can you be if you aren't able to check Facebook, your bank account, your personal email, sports scores, and news sites, and research hobbies regularly throughout the day?

I believe this grew organically.  When internet access was first becoming available to businesses the cutting edge companies jumped at the chance.  There wasn't much out there to see and the hacker community was in its infancy.  Both employees wasting time and security risks to the company were so small that a little stateful firewall, or even no firewall, combined with the obscurity of your company was enough to make the risk worth the reward.  Over time even the holdouts got internet access, typically driven by the need to exchange email with business partners.  And along the way employees began to believe it was just part of the world they lived in; some even call it a right.  Well, the internet grew up.  Hackers became millionaires.  Employees found they could read about or watch anything and everything on the world wide web.  And last year you spent way more than you ever thought you would to protect that right.

It is time to reevaluate.  I'm not saying you cut the cables and go dark.  We all know the internet has a place in business.   The problem is we've all forgotten its place.  It is a business tool much like a cash register, or a phone system, or a filing cabinet.  Would you ever let employees use accounting's filing cabinets for personal document storage?  No?  Why not?  In the hundreds of companies I've worked with I've never seen one where completely unrestricted internet access was core to an employee's success.  Yes, even marketing, HR, and especially IT need restrictions.

How you achieve this is up to you.  And it isn't easy.  It isn't easy to draw those lines.  It isn't easy to tell employees that internet access will be limited to known business needs only.  It isn't easy to map those needs to a firewall or web filter policy.  It especially isn't easy to tell IT they'll need to use a common-area internet terminal, or a PC on a physically isolated network, to do research.  But neither is losing 300 million dollars or going out of business because your customers no longer trust you.

It is said that the only secure server is one that is behind a locked door, unplugged from power and network, and encased in six feet of concrete, and even then there is still a chance.  The best way to reduce your company's chances of being hacked, or losing data, is to cut off the attacker's access and ensure you aren't the easiest target they could find.  And the internet is the biggest and easiest access route they have.

Security101 : What is a Botnet Filter?

Security101 is a series of short, direct, no fluff articles about security basics.  To see the entire series, click here.

What is a Botnet Filter? To understand what a Botnet Filter is, you first have to understand what a Botnet is.  The word botnet comes from shortening the word robot to bot and shortening the word network to net.  So it is a network of robots.  In particular software robots, programmed to respond at their master's command.  Who is their master?  That would be a Command and Control (C&C) server that lives somewhere on the internet.  Sounds like something the evil villain Gru from the movie Despicable Me would come up with.  Either way it is real and if any of your desktops, laptops, or servers have been on the internet or received email in the last 10 years there is a good chance some of them are infected.

This isn't a typical virus.  It isn't meant to steal your data, crash your network, or hack your secrets.  A botnet node (your PC) is meant to do nothing, possibly for years, until called upon to be part of an orchestrated attack against some yet unknown target.  Once it receives the order it will reach out through your internet connection and do malicious things to whatever it is pointed at.  Don't worry, you're not alone.  In fact there will likely be hundreds of thousands if not millions of machines called on at the same time to launch this attack.  A Denial of Service attack is a good, if simple, example.  Millions of machines reaching out from all over the globe is a very hard attack to stop if you are the target.  That is why they work so well.

The secret to preventing your company from owning a small cluster of botnet nodes comes in the form of updates.  Botnet nodes have to check in with their C&C server periodically to see whether there are any new instructions or whether an attack time and target have been set.  If you can see traffic leaving one of your machines, typically over a common port like 80, going to a known C&C server in China, Russia, or Nigeria, or better yet, if you can identify the traffic as C&C traffic even when it is going to an as yet unidentified C&C server somewhere, you can stop it.

So, a Botnet Filter is a system that has a list of known C&C servers as well as the ability to identify C&C traffic leaving your network.  When implemented at the edge of your network, near your internet firewall, you can stop the vast majority of this traffic and identify the offending workstation or laptop (or heaven forbid, server).  Block the traffic, clean the workstation, move on with your day.
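As an added example (not the post's own code, nor any product's), here are the two checks just described run over a few constructed outbound connection records: a lookup against a list of known C&C addresses, and a behavioural check for the regular periodic check-in that gives away a node talking to a C&C server nobody has listed yet. The log format, the addresses and the known-C&C list are all constructed.

```python
"""Added example (not from the original post): the two checks a botnet filter
makes on outbound connection records, a lookup against a list of known C&C
servers and a behavioural check for the periodic check-in ("beaconing") the
text describes, which catches a node talking to a C&C server nobody has
listed yet.  The log format, addresses and known-C&C list are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed outbound connection log: time, source, destination:port, bytes.
SAMPLE_LOG = """\
2015-02-10T08:00:00 10.0.5.17 -> 198.51.100.23:80 612
2015-02-10T08:05:00 10.0.5.17 -> 198.51.100.23:80 615
2015-02-10T08:10:00 10.0.5.17 -> 198.51.100.23:80 610
2015-02-10T08:15:00 10.0.5.17 -> 198.51.100.23:80 613
2015-02-10T08:20:00 10.0.5.17 -> 198.51.100.23:80 611
2015-02-10T08:01:12 10.0.5.42 -> 203.0.113.9:443 1400
2015-02-10T08:02:45 10.0.5.42 -> 203.0.113.9:443 98233
2015-02-10T08:09:03 10.0.5.42 -> 203.0.113.9:443 2201
2015-02-10T08:14:30 10.0.5.42 -> 203.0.113.9:443 51000
2015-02-10T08:03:00 10.0.5.88 -> 192.0.2.77:80 540
"""

# Constructed stand-in for a vendor-maintained C&C list.
KNOWN_CC: Set[str] = {"192.0.2.77"}


def parse_log(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the constructed log format into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, _size = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def analyze(text: str, known_cc: Set[str], min_connections: int = 4,
            max_cv: float = 0.2) -> List[Dict[str, object]]:
    """Flag (src, dst) pairs that contact a listed C&C server, and pairs whose
    connection intervals are regular enough (coefficient of variation at or
    below max_cv over at least min_connections contacts) to look like a
    beacon rather than a person browsing."""
    alerts: List[Dict[str, object]] = []
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _port in parse_log(text):
        by_pair[(src, dst)].append(ts)

    for (src, dst), times in sorted(by_pair.items()):
        if dst in known_cc:
            alerts.append({"src": src, "dst": dst, "reason": "known-c2"})
            continue
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "reason": "beacon",
                           "interval_s": round(mean), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_CC):
        print(alert)
```

The host talking to 203.0.113.9 is the control case: it connects several times too, but at irregular intervals with widely varying sizes, which is what interactive use looks like, so it is not flagged. Real beacons add jitter, so production tools use looser statistics and longer windows, but the shape of the check is the same.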

Monday, February 9, 2015

Security101 : What is an IDS or IPS?

Security101 is a series of short, direct, no fluff articles about security basics.  To see the entire series, click here.

What is an IDS or IPS?  The acronyms IDS and IPS stand for Intrusion Detection System and Intrusion Prevention System respectively.  The difference between them is only what action is taken once an intrusion attempt is identified (see below).  If you read my post, Security101 : What is a firewall?, you'll recall that traditional firewalls only give the thumbs up or thumbs down when a new traffic flow attempts to come into the network.  An Intrusion System is different in that it inspects the actual traffic as it flows through the inspection point: the entire data stream from the first byte to the last bit.  It looks deep into the flow at multiple levels of the OSI model to determine whether the traffic payload is legitimate or whether there is anything in it that looks fishy.

Once an intrusion attempt is identified the system must decide whether to block the attempt, block and log the attempt, allow the attempt, or allow and log the attempt.  If the system is configured in such a way that it is capable of blocking the attempt, it is called an Intrusion Prevention System (IPS).  If the system is configured in such a way that it is only able to see the attempt but unable to do anything about it, then it is called an Intrusion Detection System (IDS).  How you configure a modern Intrusion System often has little to do with the constraints of the system and much more to do with your IT Security goals.  Typically an IDS and an IPS are the exact same system, just implemented in the network a little differently.

Most intrusion systems have thousands if not tens of thousands of Intrusion Signatures or Rules.  While you are able to write your own signatures, the vast majority are maintained and updated by the company that publishes the Intrusion System software.  These signatures are based on real life intrusion attempts that have been observed in the wild, or known vulnerabilities in common software.  Typically you'll pay an annual fee to get regular updates to your signature base or rule set, or the cost may be included in your maintenance fee.
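As an added example (not the post's own code, and not Snort or any vendor's engine), here is a small signature engine that ties the last three paragraphs together: it runs as an IDS or an IPS purely by configuration, and it inspects the reassembled stream rather than individual packets, so a pattern split across two TCP segments is still caught. The two signatures and the sample requests are constructed for illustration.

```python
"""Added example (not from the original post): a signature engine that can
run as an IDS or as an IPS over a reassembled stream.

Two points from the text are shown: the same engine becomes an IDS or an IPS
purely by configuration (log only versus log and drop), and an intrusion
system inspects the whole data stream, so a pattern split across two TCP
segments is still found, whereas per-segment matching misses it.  The
signatures and sample requests are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    action: str     # "alert" (log only) or "drop" (log, and block in IPS mode)


# Constructed signatures in the spirit of a vendor rule set.
SIGNATURES = [
    Signature("directory traversal", re.compile(rb"\.\./\.\./"), "drop"),
    Signature("scanner user agent",
              re.compile(rb"User-Agent:[^\r\n]*(?:nikto|sqlmap)", re.I), "alert"),
]


class StreamInspector:
    """Inspect one direction of a TCP stream segment by segment, keeping the
    last `carry` bytes so patterns spanning a segment boundary still match.
    carry=0 degrades it to naive per-packet matching."""

    def __init__(self, mode: str, signatures: List[Signature], carry: int = 64):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.signatures = signatures
        self.carry = carry
        self.tail = b""
        self.log: List[Tuple[str, str]] = []

    def feed(self, segment: bytes) -> str:
        """Return "pass" or "drop" for this segment."""
        offset = len(self.tail)              # bytes already inspected
        data = self.tail + segment
        verdict = "pass"
        for sig in self.signatures:
            for m in sig.pattern.finditer(data):
                if m.end() <= offset:        # fully seen last time, skip
                    continue
                self.log.append((sig.name, sig.action))
                if self.mode == "ips" and sig.action == "drop":
                    verdict = "drop"
        self.tail = data[-self.carry:] if self.carry else b""
        return verdict


def run(mode: str, carry: int, segments: List[bytes]):
    """Feed segments through a fresh inspector; return verdicts and its log."""
    inspector = StreamInspector(mode, SIGNATURES, carry)
    verdicts = [inspector.feed(s) for s in segments]
    return verdicts, inspector.log


# Constructed request whose traversal sequence straddles the segment boundary.
TRAVERSAL_SEGMENTS = [
    b"GET /images/../.",
    b"./../config.bak HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]
SCANNER_SEGMENTS = [b"GET / HTTP/1.1\r\nUser-Agent: nikto/2.1\r\n\r\n"]

if __name__ == "__main__":
    print("per-packet IDS:", run("ids", 0, TRAVERSAL_SEGMENTS))
    print("stream IDS:    ", run("ids", 64, TRAVERSAL_SEGMENTS))
    print("stream IPS:    ", run("ips", 64, TRAVERSAL_SEGMENTS))
    print("alert-only sig:", run("ips", 64, SCANNER_SEGMENTS))
```

With carry=0 neither segment alone contains the full pattern, so nothing is logged; with the carry the match is found on the second segment, and whether that segment is passed or dropped depends only on the mode the engine was started in. The "alert" signature fires in both modes but never drops, which is the per-rule choice between the four actions listed above.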

You typically have three options if you want to implement an Intrusion System in your environment.  You can buy the system from a vendor and pay for regular updates and software support.  You can pay a subscription fee to have an outside company install, manage, and maintain your Intrusion System.  Finally, you can set up your own open source Intrusion System such as Snort.  Which you choose typically boils down to how much technical expertise you have on staff and what your budgetary pain tolerance is.

Monday, February 2, 2015

Security101 : What is a Web Filter?

Security101 is a series of short, direct, no fluff articles about security basics.  To see the entire series, click here.

What is a Web Filter?  A web filter is a device that inspects your users' internet-bound traffic and determines whether that traffic is allowed out to the intended website.  Websites and URLs are automatically categorized into groups by the system based on content.  Examples of these categories are gambling, vulgar, banking, education, gaming, social media, etc.  The administrator often has the ability to modify these groups, create their own, or create whitelists and blacklists for specific sites, URLs, and IP addresses.

The administrator creates policies that either allow or block that traffic based on a number of factors such as who the user is, which directory groups the user is a part of, and which website the user is attempting to access.  Logging and reporting are a major part of web filters, giving managers and supervisors a view into what employees are doing and giving security administrators a view of what kinds of security risks users may be exposing the environment to.

Web filters typically integrate with your directory services (Active Directory, Lotus, OpenLDAP, etc.) so you can control not only which categories of websites and which specific sites can be reached (on the internet) but also which users can access those sites.  Users or user groups are combined with website categories to develop policies.

An example of this might be that users in the Active Directory groups HR and Marketing are allowed access to sites in the social media category while all other users are blocked.  Another example I often see, though not a good idea, is that traffic generated by users in the Domain Admins Active Directory group is not logged while all other traffic is.
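As an added example (not the post's own code, nor any product's), here is a policy engine that implements the first example above, HR and Marketing allowed to social media and everyone else blocked, on top of the pieces the post describes: a category lookup, directory group membership, whitelist and blacklist overrides, and a log entry for every decision, admins included. The category table, group directory, site lists and policy names are all constructed.

```python
"""Added example (not from the original post): a web-filter policy engine of
the kind the text describes, keyed on the user's directory groups and the
destination's category, with explicit whitelist/blacklist overrides and a
log entry for every decision (including the admins').  The category table,
directory groups, site lists and policies are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for the vendor's category database and the directory.
CATEGORIES: Dict[str, str] = {
    "social.example": "social-media",
    "bank.example": "banking",
    "bet.example": "gambling",
    "learn.example": "education",
}
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"HR"},
    "bob": {"Marketing"},
    "carol": {"Engineering"},
    "dave": {"Engineering", "Domain Admins"},
}
WHITELIST = {"learn.example"}
BLACKLIST = {"phish.example"}


@dataclass
class Policy:
    name: str
    action: str                            # "allow" or "block"
    groups: Optional[Set[str]] = None      # None = any user
    categories: Optional[Set[str]] = None  # None = any category

    def applies(self, user_groups: Set[str], category: str) -> bool:
        if self.groups is not None and not (self.groups & user_groups):
            return False
        if self.categories is not None and category not in self.categories:
            return False
        return True


# First match wins: the group exception sits above the general block.
POLICIES = [
    Policy("hr-marketing-social", "allow", {"HR", "Marketing"}, {"social-media"}),
    Policy("block-social", "block", None, {"social-media"}),
    Policy("block-gambling", "block", None, {"gambling"}),
    Policy("default-allow", "allow"),
]


class WebFilter:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        # (user, host, action, reason) for every request, no exceptions.
        self.log: List[Tuple[str, str, str, str]] = []

    def decide(self, user: str, host: str) -> Tuple[str, str]:
        """Return (action, reason) for one request and record it."""
        category = CATEGORIES.get(host, "uncategorized")
        groups = DIRECTORY_GROUPS.get(user, set())
        if host in BLACKLIST:
            action, reason = "block", "blacklist"
        elif host in WHITELIST:
            action, reason = "allow", "whitelist"
        else:
            action, reason = "block", "no-policy"
            for policy in self.policies:
                if policy.applies(groups, category):
                    action, reason = policy.action, policy.name
                    break
        self.log.append((user, host, action, reason))
        return action, reason


if __name__ == "__main__":
    wf = WebFilter(POLICIES)
    for user, host in [("alice", "social.example"), ("carol", "social.example"),
                       ("dave", "bet.example"), ("dave", "phish.example"),
                       ("carol", "learn.example"), ("bob", "unknown.example")]:
        print(user, host, wf.decide(user, host))
```

Note that the log line is written outside the policy branch, so membership in Domain Admins changes nothing about what is recorded; that is the deliberate opposite of the second example above.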