Detecting and Mitigating Security Risks - AT&T

Detecting and MitigatingSecurity RisksExecutive SummaryWith the number of security threats increasing daily, government agenciesare looking for ways to identify and eradicate vulnerabilities. Because manyapplications are now dependent on other networked applications, downtimecan ripple across the organization and impact a greater number of services.What can government agencies do to detect and mitigate these risks?

Detecting and Mitigating Security Risks________________________________________________________________________________________________________ 2IntroductionIT security threats are multiplying quickly. One reason is thatsophisticated hacking tools have grown abundant, greatly simplifyingthe effort required for intruders to compromise a network. Second,while hacking once largely constituted an intellectual exercise forsecurity enthusiasts, hacking for profit has now become a business.Entire underground communities are springing up that focus onmaking money by invading corporate and government networkresources.Finally, there’s the changing nature of the software that is beinginstalled throughout organizations. Applications now often sharecomponents and data with one another, using the agency network astheir primary interface. There is appreciable value in having networkedapplications share data enterprise-wide. When its applicationfoundation operates holistically and correlates events, an agency canbecome responsive to changing operational conditions.With applications now depending to some degree on othernetworked applications, a level of complexity enters the picture thatis accompanied by new security vulnerabilities. Bringing down oneapplication, a costly event in itself, no longer has an isolated effecton just that application. Rather, given that application’s dependencieson other software, service downtime could ripple across the agencyand impact any number of services. This situation has heightenedthe potential for compromised assets, agency reputation and publicservices.Detecting VulnerabilitiesWhat can agencies do to detect and mitigate these vulnerabilities?There are multiple types of threats facing a given organization.Hackers might attempt to access private information resources frominside or outside the organization, for example. Meanwhile, the publicInternet carries viruses, spyware and other types of malware that getintroduced to unsuspecting users during everyday communicationsactivities, such as opening an email attachment or downloading a file.Left untreated, malware usually causes disruption or complete denialof service (DoS) to one or more networked application services.To launch such attacks, intruders can tamper with packets in variousways. Several types of attacks can overburden network and computingresources, causing situations where users are denied access to servers,applications or networks.There is virtually no limit to the resources that can be attacked usingthese common methods. Targeting an agency’s Domain Name System(DNS) servers, which translate domain names to the correspondingunderlying IP addresses that Internet routers understand, couldtopple an entire agency’s operations. Hackers could flood a Website’s access network with traffic or a Web server with messages andtransactions so that legitimate users would not be able to accessthe site. Exploiting a hole in an application that is a component ofan organization’s total operational and access system would have asimilar effect.So how does an agency get its arms around these potential exploits?Generally speaking, any noticeable activity change somewhere in thenetwork reflects an anomaly that should be investigated.Spotting these fluctuations in activity requires scanning traffic at allkey network junctures. These are the places where one network ornetwork segment meets another, such as between agency access anddistribution switches, between data center switches and WAN accessrouters and between data center switches and servers.Scanning should take place between network segments in both theWAN and LAN and might use a combination of third-party securitymonitoring services and self-managed security products, which will beexplored further in the section, “Mitigating Threats.”The network conditions and threats described below are among someof the red flags indicating that a security violation might be pending:• Unusually high levels of activity on a given application port. Theseindicate a potential distributed DoS (DDoS) attack aimed at aparticular application, which could quickly turn into an Internet-wideissue. Viruses and worms use certain application ports to propagatethemselves. An appreciable spike in activity on, say, TCP port 25might indicate an attack on email applications that use the SimpleMail Transfer Protocol (SMTP), which is universally assigned to port25. Such an attack could potentially impact anyone connected tothe Internet if the virus or worm should propagate.• Elevated traffic volumes on ports and protocols aimed at aparticular IP destination address. This condition usually indicatesthat the attack is intended for a specific organization, perhapstargeted by a competitor or disgruntled ex-employee, or for aspecific individual.• Elevated traffic volumes coming from a particular IP sourceaddress. Here, it is likely that an individual person or organizationis attempting to flood a resource with bogus messages ortransactions.• The use of “bot armies,” sometimes called “botnets.” These largegroups of remotely controlled software are sometimes maliciousin nature. Often conforming to industry-standard chat protocolsand controlled by a chat server, they spread spam, launch DDoSattacks against Web sites, aid in conducting fraudulent activitiesand prevent authorized traffic from traversing the network. Becausethe perpetrators tend to continually change the IP address of thedevice(s) generating the bot attacks, it can be challenging to blocktraffic from the source server to curb the attacks.Mitigating ThreatsSeveral layers of threat identification and management functionsare required to deal with the broad spectrum of attack types. Mostorganizations use a combination of outsourced security services andself-managed security products to help discover and mitigate threats.Network security starts with authenticating users using firewall andrelated access-control capabilities that are designed to enforcecustomer’s policies about which users are allowed to access whichservices. Firewalls, however, don’t address “bad” traffic, such as wormsand the other malware, which someone might wish to inject intothe Internet at large or into a specific intranet to bring down serverresources, applications and networks. Infected traffic can also find itsway into an agency network by mistake. A user who picks up bad codewhile surfing the public Internet could innocently introduce it onto theagency network.

Detecting and Mitigating Security Risks________________________________________________________________________________________________________ 3There are managed security services that, operating at an Internetwidemacro level, help detect such anomalies and help determinewhether they are precursors to worms or viruses.These services benefit the Internet community in general as theyare designed to detect potential, pending attacks before they causeserious downtime. Providers of these services usually post alerts anddirect their customers to software patches that clean the malware assoon as the patches become available.Basic DDoS Attack TypesAttack TypeSpoofedMalformedFloodsNullProtocolDescriptionPacket in which the source address has been forgedIPackets sent with abnormal bits or flagsHigh rates of legitimately formed packetsPackets that have no payload. The protocol in thepacket header could be TCP, UPD, etc.Packets sent with illegitimate protocol, a valuethat is not legal in the protocol field of thepacket headerMore importantly, the latest generation of detection services providesorganizations with the ability to give permission to security detectionservice providers to inspect traffic for threats and attacks directedspecifically at their enterprise networks. The provider can then supplyactionable information to organizations based on their internalnetwork’s traffic flow. Organizations using these services often canaccess a portal service where IT staff can view their own network trafficpatterns and event information.These portal-based services might spot anomalies in the Internetbackbone destined for a given organization’s network and deal withthem before they even reach the premises. Once it discovers anaberration, the provider may divert traffic to a specialized device, eitherto quarantine the traffic stream or to “scrub” it. Scrubbing involvesapplying a series of algorithms to remove the packets causing DDoS,whether it is coming from a single IP address or botnet, allowingthe device to then inject the valid traffic back into the routing pathtoward its destination on the enterprise network. The other primarycomponents of the security detection foundation include the following:Firewall FilteringTo monitor and control access outside of the enterprise network,firewall filtering can be deployed by using a network-based service orself-managed products installed at the edge of the enterprise WAN.As a first line of defense, firewalls make a “permit/deny” decisionabout whether to grant a particular user access to the enterprisenetwork based on access-control lists (ACLs) created by the ITdepartment.For large installations, network-based firewall services scale muchbetter for protecting against external attacks, because a “perimeter”firewall is not required behind the WAN access router in each andThe latest generation of detection services providesorganizations with the ability to give permission tosecurity detection service providers to inspect trafficfor threats and attacks directed specifically at theirenterprise networks. The provider can then supplyactionable information to organizations based on theirinternal network’s traffic flow.every enterprise location. In CPE-centric environments, capital andoperational expenses inflate quickly as enterprises add increasingnumbers of distributed sites. Scanning for attacks that originate insidethe organization does require firewall-filtering capabilities directly onthe enterprise premises between access and distribution switchesand between core switches and servers. The internal firewalls can bemanaged either by the security services provider or by the agency ITstaff.Firewalls have been enhanced in recent years with extra preventivefeatures called application inspection, or deep packet inspection (DPI).These capabilities allow firewalls to examine, help identify and verifyapplication types and treat traffic according to detailed policies thatgo beyond just network information at Layer 3. DPI allows networksto block, for example, traffic and users that unlawfully try to gainadmittance using an open TCP application port.Intrusion Detection/Prevention Systems (IDS/IPSs)Together, these functions continually check traffic flows at the higherlayers (4 – 7) in search of known malicious signatures or unusualconditions. The “detection” component compares signatures to aknown database of worms and other malware, and the “prevention”component filters any traffic that matches it off the network.Many of today’s IDS/IPS systems and services can also addressso-called Day Zero attacks by aiming to identify generally anomaloustraffic and protocol behavior and then rate-limiting or blocking thattraffic from the network. Day Zero attacks are suspicious signaturesthat have not yet been identified and stored for comparison.Note that in the wireless LAN environment, there are wireless IDS/IPSs that scan at the lower, radio-frequency (RF) layers to ferret outidentified unauthorized devices operating in an organization’s airspace. Wireless IDS/IPSs do not deeply inspect application-level traffic;they work in conjunction with an enterprise’s wired IDS/IPS systemsand services for that function. Rather, their purpose is to scan all Wi-Fichannels to help detect, alert and possibly act on the presence ofunauthorized devices that are not known by the enterprise, but areconnected to its network.Endpoint Security and Antivirus ControlThis security component involves running special client software onmobile and remote user devices. Network access control/protectionsoftware or appliances in the managed service provider’s securityoperations center (SOC) or in the enterprise’s data center check theclient devices for viruses and help ensure that client software is incompliance with the organization’s current software versions andstandards. The scans compare the operating system, application and

Detecting and Mitigating Security Risks________________________________________________________________________________________________________ 4Securing public Internet accessFederal agencies are expected to comply with the Officeof Management and Budget (OMB) Memorandum 08-05,which not only defines the Trusted Internet Connections(TIC) initiative, but also requires agencies to reduce thenumber of public Internet connections and provide secureIP portals for traffic to and from the public Internet.This new directive allows greater security between eachagency’s IT infrastructure and the public Internet, bysignificantly reducing the number of Internet connectionsthroughout federal agencies. TIC solutions are availablenow through GSA Networx contract holders, includingAT&T.antivirus software versions residing on the devices with the agencypolicy. If there is a match, the connection is allowed. If not, the systemtakes the action as dictated by policy to block the connection, updatethe software or quarantine the connection for later remediation.Security Information and Event Monitoring (SIEM)SIEM tools and services enable enterprise-wide event logging,correlation to other events, incident management and reporting.Based on the resulting comprehensive network security picture, SIEMtools provide snapshots, trends and related incidents that help identifythe number of security events that should be viewed and addressedby IT staffs.This helps IT staffs facing increased workloads to prioritize securityevents, while also helping to decrease the number of events thatneed to be manually addressed. Automated capabilities that reviewand correlate hundreds or thousands of daily events leave staff ableto handle a manageable number of events in a given day. Accordingto the SANS Institute, a worldwide provider of information systemsecurity training and certification, about 1,000 events per day is apractical maximum of events to handle.* But some organizationswithout SIEM systems are seeing 100,000 or more events per day.user authentication systems to correlate events enterprise-wide. SIEMtools generally consolidate logs, gathered from various monitors, intoa centralized server, for example, where AI-based software quicklysifts through the logs to identify attacks and correlate them in anenterprise-wide context. Such a system might pick up on a repeatedevent over a period of time, such as multiple unsuccessful log-inattempts to crack a password (called a “brute force” method). If thesystem identifies a number of unsuccessful log-in tries, followed by asuccessful log-in and a network configuration change, this is the typeof activity IT security staff would likely wish to be alerted about rightaway with an automated page or an email notification.Once a threat is identified, SIEM systems and services also enable theautomation of managing an incident, whether that entails an emailalert, an automated remediation action or the creation of a troubleticket. Security event reporting is also part of this discipline.Today’s environment requires audits, logging and the tracking ofnetwork resource access. Tracking is performed through the use ofInternet cookies, messages from a Web server that a Web browserstores in a text file. The message is sent back to the server eachtime the browser requests a page from the server to identify usersand potentially prepare customized Web pages for them, based oninformation they have input in the past.In the future, protection of data and information at the individual levelwill become of paramount importance. Security policies and monitorswill be able to identify, down to the file level, those individuals whohave read a document. They will also control who has access to aCentralizing network policies and security also helpsovercome software-patching issues, which have thepotential to cause significant vulnerabilities if a foolproofpatching process is not in place. By pushing softwareupdates out to predetermined network devices all atonce from a central location, organizations keep patchesupdated and synchronized throughout the organization.In the future, protection of data and information at theindividual level will become of paramount importance.Security policies and monitors will be able to identify,down to the file level, those individuals who have reada document. They will also control who has access to agiven document using versions of identity managementthat utilize biometrics, smart cards and othertechnologies.SIEM tools can also be used in the context of a centralized securityservice from an ISP. As a service or on-site tool, SIEM plays a largerole in detecting, alerting and remediating vulnerabilities. SIEMgenerally involves using automated security tools and services thatintegrate with other security devices such as firewalls, IDS/IPSs andgiven document using versions of identity management that utilizebiometrics, smart cards and other technologies. What will be requiredfor this model is a universally accepted and trusted source for identitymanagement, similar in concept to the public key infrastructure thatbinds public keys with respective user identities by means of a trustedcertificate authority.The Importance of PoliciesCentralizing network security policies is a recommended industry bestpractice. To follow this model, enterprises create one central place forsetting, maintaining and enforcing a common set of security policiesacross all network sites. The functions, services and systems describedin the section above function as the “policy enforcers.”Policies are at the core of any security foundation. They can cover alot of ground, including what action is to be taken if certain conditionsare discovered. These conditions can range from the discovery of

Detecting and Mitigating Security Risks________________________________________________________________________________________________________ 5malware to the type of connection being used to access the network.Enterprises may wish to bar certain legitimate traffic from the networkbased on circumstances surrounding the connection, such as devicetype, access method or even time of day.One common enterprise policy is to prohibit the use of the olderTelnet protocol to export traffic, because Telnet sends traffic in theclear rather than in an encrypted state. This leaves organizationsvulnerable to so-called man-in-the-middle attacks. In this scenario,if a hacker grabs a piece of information about a client from an opensession, that hacker could pose as a valid user and take control of thesession.Centralized policies can be enforced internally or through the useof a managed carrier service. When created and enforced internally,the policy resides in either an appliance or router in the enterprisedata center, where scanning occurs. In the case of managed services,the policies can be uploaded from the data center to the serviceprovider’s SOC, where incoming requests are scanned on behalf of thebusiness. This is designed to keep harmful traffic farther away frominternal enterprise network components, lowering the risk of a breach.Centralizing network policies and security also helps overcomesoftware-patching issues, which have the potential to cause significantvulnerabilities if a foolproof patching process is not in place. Bypushing software updates out to predetermined network devices all atonce from a central location, organizations keep patches updated andsynchronized throughout the organization. Without such a system,IT staffs usually follow a priority-based procedure, where certainlocations take precedence over others to accommodate their timeand load constraints. Depending on patching load and frequency, thissystem can result in some sites being left unpatched for a period oftime, opening a pinhole to a potential enterprise attack.ConclusionThe abundance of sophisticated hacking tools and network-securityattacks, combined with the interdependent nature of networkedapplications, has created a complex environment that introducesnew vulnerabilities. Mitigating risks now requires continuous scanningof internal and external traffic streams for unauthorized users andmalware. Malware attacks could target a single application, however,by that application’s association with other software, possibly bringingdown a good portion of the networked computing environment.The security foundation must comprise automated and multi-leveldetection and prevention functions that can alert IT staff and takeappropriate policy-based action when such anomalies are discovered.Detection services continually sift through traffic looking fornonstandard protocol use and comparing bit sequences to knownthreats in order to prevent malicious signatures from infecting theenterprise network. Some of these services function at a macro levelto help identify general Internet threats that could affect nearly anyInternet user if not tempered quickly. Others target Internet-basedattacks aimed directly at a given enterprise’s network. Still othersmight involve the managed service provider specifically monitoring agiven organization’s own virtual private backbone service by samplingtraffic from the enterprise’s WAN access routers to find infections thatmight have been generated from inside the agency.In addition to WAN-centric detection services, enterprises mustinstitute firewall access control and detection scanning on theirinternal LANs to help protect against intrusions that might originatein-house, innocently or otherwise. Taking a centralized approach toenforcing policies, correlating events and automating actions helpsthe IT staff monitor and manage the entire security landscape so theycan sleep soundly at night.Reference* “A Practical Application of SIM/SEM/SIEM: Automating ThreatManagement,” pp. 5-6. Published by the SANS Institute.© May 2007; author, David Swift. Reference: http://www.sans.org/reading_room/whitepapers/logging/1781.phpFor more information, locate your AT&T representative at att.com/gov/rep or visit att.com/gov/mtips04/14/09 TS-0264© 2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.