Why do network security problems persist?
While wireless network security issues continue to make current
headlines, attention has been drawn away from the fact that wired
networks are often affected by many of the same weaknesses. As a
result, our vulnerability to network eavesdropping continues,
despite growing investment in security measures. Eavesdropping
attacks are insidious, because it's difficult to know they are
occurring. Once connected to a network, users may unwittingly feed
sensitive information - passwords, account numbers, surfing habits,
content of email messages - to an attacker, writes Tom King,
applications and security manager at 3i.
Eavesdropping attacks are easy to set up, and protecting against
the threat calls for a multi-faceted approach. Perhaps the
persistence of the problem is explained by the implementation of
partial solutions, leaving gaps in what should be done about it:
Awareness.
Lack of awareness of any security issue can be dangerous, and IT
managers need to promote awareness and demonstrate good practice.
The next time you connect to a public wireless network, think about
the applications you are using.
Do they use strong encryption? If not, who might be listening?
What could they do with the information they listen in on? If you
are aware of the problem, spread the message!
Encryption.
Encryption is a great defence against eavesdropping. By only
using applications and systems which use strong encryption, you can
make an attacker's life far more difficult. But it isn't a panacea,
for a couple of reasons:
First, we continue to see a dual-pronged attack against
encrypted data. While PCs follow Moore's law and their speed
increases exponentially,
security tools get smarter. Faster PCs reduce the time an attacker
needs to crack a password and modern password-cracking technologies
- such as rainbow tables - can reveal passwords in seconds.
Second, unfortunately many applications do not offer encryption,
or they may be configured not to use encryption by default, perhaps
for performance reasons. The latter is the issue which was found to
affect Gmail last year.
Network segmentation.
In the world of networks, the default position is often that
"anything can access anything", which is weak from a security
perspective. Why, for instance, does the salesman's laptop need
network access to the HR system? Most likely it doesn't, but
corporate networks tend to be configured in a manner that allows
this and allows abuse. Formal network segmentation can provide a
countermeasure against a number of threats, including
eavesdropping.
Network access control (NAC).
One way to make eavesdropping more difficult is to prevent
unauthorised users getting onto your network in the first place,
"keeping the bad guys out". All that is needed to eavesdrop on
many networks is physical access to the building (and even that is
not needed if the network is wireless). NAC attempts to fix this
problem by ensuring that every connecting device is trusted before
full network connectivity is delivered. NAC can give the network
attacker a tough time.
Physical security.
Part of the "keep the bad guys out" philosophy is good physical
security. Are there network points in your lobby? Network points in
meeting rooms which visitors use? Do these network points offer
direct connectivity to the corporate network? These kinds of
weaknesses offer the unscrupulous a simple way of connecting to
your corporate network, and stealing data through eavesdropping, or
worse.