
If one were to go back through the archives of the Sans
Institute's Top Threats lists, some of which I
have contributed to, one would find the range of threats and
vulnerabilities shifting and changing through the years along with
the ever-changing security landscape itself, writes Timothy
Mullen, vice-president of consulting services at NGS
Software.
Even the name has changed. You will see references ranging from
the "Top 10 Internet Security Vulnerabilities" to the "Top 10
Risks" to the "Top 10 Threats". Actually, these are three very
different things, so let me say now that I disagree with some of
the items on the
2008 list. However, I will leave that for now and concentrate
on the list itself.
Over time, issues such as the default installation of Internet
Information Services (IIS), weaknesses in the Lan Manager
authentication protocol and Null Session attacks gave way to
vulnerabilities in plug and play services, Windows Messenger
services, and internet browsers. Those in turn were replaced by
exploits in Microsoft Office applications, instant messaging
programs and even in security products, such as anti-virus
software.
But even though the names and faces of the top threats have
changed, the core concepts that support the solutions to and
prevention of these threats have stayed fundamentally the same. The
following suggestions on how to avoid being hit by the new Top Ten
Threats are all rooted in
defence in depth,
least privilege access rights (i.e. need to know), and
user education, known collectively as The Big Three.
One should strive to create a network environment where threats,
both known and unknown, are obviated by the design itself, and not
the specific technical details of every threat or exploit that
comes along. Embracing these Big Three concepts will allow this, as
you will see from the following suggestions.
Threat: Increasingly sophisticated
website attacks that exploit browser
vulnerabilities
Prevention: Programs and code launched from
exploitation of browser vulnerabilities are executed in the context
of the interactively logged on user. Logging on as a "normal" user
(not an administrator) significantly limits what action malicious
code can take, if it runs at all. The first step therefore is never
to run as admin unless you are performing tasks that require
administrative privileges. One should never casually surf the net
when logged on as an administrator. This is an example of "Least
Privilege", i.e. a user has only the fewest possible privileges
essential to perform a specific function.
Also, keep your software current. This includes operating system
updates with proper firewall configurations, browser updates, and
current anti-virus/anti-spyware. This is "defence in depth," which
provides multiple layers of security to protect you when one fails.
Also, keep the security settings for untrusted sites high, and
don't allow visits to sites that you can't trust if it can be
avoided. That is good user education: teach your users what to look
for and how to help spot malicious sites.
Threat: Increasing sophistication and
effectiveness in botnets
Prevention: Regardless of how sophisticated
botnets get, they have to get on your machine in the first place.
Typically, installing a bot so that it survives a reboot and hides
itself (as a service, a driver or a rootkit) requires administrative
privileges. Even if you have an unpatched machine with one of the
aforementioned browser vulnerabilities, or you have no anti-virus but
still open that SeeBritneyNaked.exe Trojan in an e-mail, if you are
not logged in as an administrator, in most cases the bot will fail
to install.
This comment is not carved in stone, and it is not an excuse to
do mindless things, but it is certainly a best practice: don't run
as administrator, don't watch Britney videos (this is just good
social advice) and, obviously, keep updated, maintain
anti-virus/spyware updates, and don't try to install software that
comes from untrusted sources like "Jimmy Jank's House of
Codecs".
Threat: Cyber espionage efforts by
well-resourced organisations looking to extract large amounts of
data
Prevention: This is a bit different from your
standard "internet threat", as it is really just an expansion of the
environment that surrounds organised crime and the methods
criminals use to steal corporate information: spies are just adding
cyber attacks to their bag of tricks.
If your organisation is the target of a focused attack to steal
corporate information, you must first accept that you are in
trouble. Targeted attacks specifically against you are far worse
than random internet activity because well resourced organisations
won't stop until they get what they want.
Double-checking your firewall rules and sending out warning
e-mails to the "everyone" distribution list won't cut it. You will
need professional help at many levels: legal, technical, law
enforcement, etc.
In that regard, I have a hard time listing this as a Top Ten
Risk (the auspice under which the item was originally listed). Is
it a threat? Sure - so is someone breaking into your house - but is
it a risk shared by enough businesses to warrant a Top 10 listing?
Personally, I don't think so.
Even so, the technical process of protecting against a
specifically targeted attack begins the same way as one protects
against anonymous, random attacks:
● Isolate servers and services into DMZs
● Limit what information your users can access
● Have written employment and system usage policies in place
that are communicated and enforced that spell out what information
they can and can't share, and the ways the information can be
shared in the first place.
Professional help in the face of a targeted attack will help
identify the particular methods that someone is using to get your
data, but a foundation of The Big Three will give you some
protection until the cavalry arrives.
Threat: Mobile phone
threats, especially
against iPhones and Android-based phones, plus voice over IP
Prevention: I do not mean to second-guess the minds
that Sans has tapped, but I do not regard this as a Top Ten risk or
threat. It may become one, but it is not one today. That said, the
main concern here is that these types of units are not just "cell
phones" but they are cellular- or Wi-Fi-enabled handheld computers.
That means organisations may underestimate, or even disregard, the
extent to which a vulnerability on these platforms could be
leveraged.
Information leakage from lost or stolen phones (consider that
all your e-mail is easily accessible from these devices) is bad
enough. But consider the implications of an iPhone "rootkit" that
constantly and silently passes all communications, including
telephone calls, to some malicious back-end server.
Regarding Voice over IP, most companies completely underestimate
the capabilities of the system, and therefore the risk. Many VoIP
systems not only provide voice communication capabilities, but they
provide white-board, desktop-sharing, and file transfer
functionality as well.
The first step in securing these devices is to treat them as if
they were desktops or laptops. Assume that attackers can attack
them the same way, infect them the same way, and so gain access to
your network the same way. And do NOT assume that just because they
are cute little devices that look and act like phones, they ARE
just phones. Of course, that will be difficult because the
deployment of iPhones and gPhones (or whatever Google chooses to
call them) is still in its early stages, but at least you know
where and how to start worrying.
Threat: Insider attacks
Prevention: Again, I believe "insider attacks"
are not "internet attacks." If they have made the list now, then
they should have been on the list from its inception, and they
should have a slot carved out from now on. But their classification
in this regard does not make them less insidious.
The Big Three will help here, but to be honest, I am quite
sceptical about how one can stop an inside attack effectively. An
insider attack is probably the best model one can use to illustrate
the difference between threat and risk. You can ensure that your
users are not local administrators, but if they have physical
access to the hardware, it is trivial for them to bypass that
precaution. The same applies if they have physical access to your
servers or controllers.
There may be a threat that an employee can access server
hardware, but unless the risk is great enough (meaning that doing
so would yield a valuable enough asset) you won't spend the money
required to secure the server room physically against a reasonably
predictable attack.
So identification of threat and assignment of risk must take
place on a per-incident basis. Practice security in depth,
implement least privilege, but in the end, insider attack is a
trust problem with humans, and not a technical issue.
As such, I think its inclusion in the list is wrong. You can't
solve it technically. At some level, you must trust a human to
protect your assets. You can set up as many elements and guards as
you want, but you must always ask, who guards the guards?
Threat: Advanced identity theft from
persistent bots
Prevention: It doesn't really matter what the
bot does. An "advanced ID theft bot" is no different than the
aforementioned "sophisticated and effective" bot. Don't get caught
up in what data a bot targeted and try to close the stable doors
after the horses have been rustled. Don't let the bot install in
the first place. So, don't run as administrator, keep current on
your updates, and filter and/or limit outgoing traffic at the
border.
Threat: Increasingly
malicious spyware
Prevention: See above. At some point, spyware
will reach out of your monitor and beat you until you tell it what
sites you have visited and what your playboy.com password is. Don't
worry about how increasingly malicious spyware gets - worry about
keeping it off your system from the start. Think "Big Three."
Threat: Web application security
exploits
Prevention: User education, or better yet,
developer education is key here. If your business depends on your
web application to be successful, then make sure that you give your
developers the resources they need to do the job right.
Budget for it. That includes not only direct education for your
team, but also third party review by expert, professional testers.
I am not saying this to flog NGS services - I'm just saying that no
matter who you choose to
penetration-test your web apps, make sure that you choose
someone competent.
Simply contracting "Bob's House of Port Scanners and Britney
Video Archive, LLC" to run simple script-kiddie attacks against
your website is not nearly enough. If the attack isn't both
broad-based and mounted from right outside the web server, you are
missing a very large threat base.
Various training courses can teach your team how to build secure
web applications, but don't assume that your team will immediately
become experts on WebAppSec. Go into it knowing that you are going
to need help, that it will take time, and that you are going to pay
for it.
Obviously the Big Three apply here as well:
● Create physically separate DMZ segments to protect internal
assets from web-accessible resources
● Ensure database services are running under restricted user
accounts
● Sanitise user input by validating values, enforcing variable
types and inspecting content.
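As an added illustration of that third point (example code written for this edit, not code from the article, from Sans or from NGS Software), here is a "look up a customer by id" query written first the way an injectable application writes it and then with type enforcement, a range check and a parameterised query, plus the same treatment for a free-text name field. The `customers` table, its rows and the function names are constructed for the example; SQLite stands in for whatever database the real application uses.

```python
"""Added example: handling request parameters that end up in SQL.

Not code from the article, Sans or NGS Software. The customers table, its rows
and the function names are constructed; SQLite stands in for the real database
so the example runs offline.
"""
import re
import sqlite3

# Constructed sample data, standing in for a web application's account table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")          # positive integer, at most 10 digits
NAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # allow-list for a username field


def make_db():
    """Build the in-memory table that the lookups below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The injectable version: the query-string value is pasted straight into SQL.
    raw_id = "' OR '1'='1" turns the WHERE clause into  id = '' OR '1'='1  and
    returns every row; a UNION or a stacked statement would do far worse."""
    sql = "SELECT id, name, email FROM customers WHERE id = '%s'" % raw_id
    return conn.execute(sql).fetchall()


def validate_id(raw_id):
    """Type enforcement plus a value check: return the id as an int, or None if
    the input is not a plausible customer id. Anything containing quotes, spaces
    or SQL keywords fails here and never reaches the database."""
    if not isinstance(raw_id, str) or not ID_PATTERN.fullmatch(raw_id):
        return None
    uid = int(raw_id)
    return uid if uid < 2**31 else None


def validate_name(raw_name):
    """Content inspection for a free-text field: an allow-list of characters and
    a length cap, rather than trying to strip out 'dangerous' characters."""
    if not isinstance(raw_name, str) or not NAME_PATTERN.fullmatch(raw_name):
        return None
    return raw_name


def lookup_hardened(conn, raw_id):
    """Validate first, then bind the value as a parameter so the database driver
    treats it as data, never as part of the statement."""
    uid = validate_id(raw_id)
    if uid is None:
        raise ValueError("invalid customer id")
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE id = ?", (uid,)
    ).fetchall()


def find_by_name(conn, raw_name):
    """Same pattern for a text field: allow-listed input, parameterised query."""
    name = validate_name(raw_name)
    if name is None:
        raise ValueError("invalid name")
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, legitimate id:", lookup_vulnerable(db, "2"))
    print("vulnerable, injected:     ", lookup_vulnerable(db, payload))
    print("hardened, legitimate id:  ", lookup_hardened(db, "2"))
    print("hardened, injected id:    ", validate_id(payload))
```

The order matters: the allow-list check rejects malformed input before any database round trip, and the parameter binding means that even a value the validator wrongly lets through is still handled as data by the driver, which is the defence-in-depth layer behind the validation.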
Threat: Increasingly
sophisticated social engineering
Prevention: Social engineering is a people
problem, not a technical problem. You can't solve it with technical
means, so don't bother trying. Unless they mean
phishing, which is different.
In my opinion, regarding "sophisticated social engineering" in
its true sense as a top internet risk is a waste of time for
administrators and system engineers.
An exploit against a vulnerability on a computer works against
multiple systems because they all share the same vulnerability
vector - computers don't have a "disposition." But every human is
different. While there are 10 people in an organisation who will
give out their password when asked for it, there are 10 more that
won't. It all depends on how you ask them.
If the FBI called and threatened to put me in jail if I didn't
give them my PGP key, I would tell them to get my cell ready. But
if they called and said that they had my kid and to give them my
PGP key, they would have it in one second flat.
There is always a clever "trick" one can use to make someone
give up information, whether it is posing as Ned the Network Nerd
to get credentials, or using flat-out threats. Just remember, your
employees are not going to put your data ahead of their own, or
their families', personal safety.
That said, one can best mitigate typical social engineering
attacks by combining written, circulated, and enforced corporate
policy with user education.
● Never circulate install programs or other executables to
customers and users via e-mail, and let them know. That means they
won't go out of their way to run executable e-mail attachments.
● Never solicit personal information, including username and
password, over the phone or via e-mail, and let customers and staff
know that so that they won't give out that information to
unsolicited callers.
● Have and enforce policies and processes on how to set up
technical support calls and follow-up, and make sure that your
employees know the procedures so they won't be fooled by people
calling up pretending to be network support personnel.
Even if an employee did give out their credentials, least
privilege practices should restrict what the attacker can do with
those credentials. If you practice security in depth too,
techniques such as two-factor authentication (e.g. using an RSA fob
for VPN or OWA access, or smartcards for log-on) would keep
attackers from leveraging the credential from outside, even if they
had the password itself.
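The second-factor check referred to above, as an added example that is not code from the article, from Sans or from NGS Software. RSA SecurID's own token algorithm is proprietary, so this uses the open TOTP standard (RFC 6238, built on HOTP, RFC 4226) that many software and hardware tokens implement; the shared secret and timestamps are the RFCs' published test values, and the `USERS` record, its salt and the password are constructed for the illustration.

```python
"""Added example: a password plus a time-based one-time code as a second factor.

Not code from the article, Sans, NGS Software or RSA. Implements TOTP (RFC 6238)
over HOTP (RFC 4226). SECRET is the RFC test secret; USERS, SALT and the
password "s3cret" are constructed for the illustration.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226/6238 test secret; real tokens get a random one
STEP = 30                          # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock
    drift between token and server), comparing in constant time."""
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    for delta in range(-window, window + 1):
        expected = hotp(secret, unix_time // STEP + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


SALT = b"constructed-per-user-salt"   # constructed; a real system stores one per user


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: the server holds a password hash and the token secret.
USERS = {"alice": {"pw_hash": _hash_pw("s3cret", SALT), "totp_secret": SECRET}}


def login(username: str, password: str, code: str, now: int = None) -> bool:
    """A password on its own, which is all a social engineer walks away with,
    does not get the caller in: the current token code is required as well."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["pw_hash"], _hash_pw(password, SALT)):
        return False
    return verify_totp(user["totp_secret"], code, now)


if __name__ == "__main__":
    t = 59                                   # RFC 6238 test time
    print("code at T=59:", totp(SECRET, t))  # 287082, per the RFC test vector
    print("password only:", login("alice", "s3cret", "000000", now=t))
    print("password + code:", login("alice", "s3cret", totp(SECRET, t), now=t))
```

A phished password fails the `login` check without the token code, and a code the attacker overhears expires with the time step, which is the property the paragraph above relies on; the acceptance window should stay small, and a production server would also record each used counter so that a code cannot be replayed within its window.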
While you can limit risk introduced via social engineering
techniques, you can't prevent it. Again, it's The Big Three that
will save you by mitigating the extent of attack.
Threat: Supply chain attacks infecting
consumer devices (USB thumb drives, GPS, digital photo frames,
etc.)
Prevention: I am at a complete loss as to how
this made it onto the list. This is a "Top 10 Internet Threat/Risk
Vulnerability List" after all, and not a "Top 10 Conspiracies"
list.
There were indeed some Maxtor hard drives, manufactured by a
contractor in Taiwan, that shipped with the ghost.pif Trojan; when
it was discovered in 2007, Kaspersky Labs did indeed warn Seagate
that they had found it on "at least one" drive.
Of course, now you will find a million people who say they found
it on their drives, but I think that is like the million people who
will tell you they were at Woodstock. In any case, there is no way
this threat is a "Top Ten" anything.
Oh, and for what it's worth, you would have to be running as
admin to install that ghost.pif Trojan, and most current anti-virus
would pick it up anyway.