Security Configuration Hardening

May 10th, 2013

Frequently there is a lot that can be done with existing equipment to improve an organisation’s security posture.  This not only improves general security, it can help an organisation resist targeted attacks.  Configuration hardening is the process of reducing the attack surface of an organisation.  There are in general four aims:

  • Implement standards and write them down – if people do not know how to behave or what is the organisation’s standard configuration, how can policies be followed?
  • Manage change – standard configurations are not always possible, so how are exceptions to be handled?  Requirements also change over time, and this must be handled too.
  • Identify what can operationally be hardened.  It could be argued that disabling pinging makes an attacker’s job harder but it can be seriously detrimental to the smooth running of an organisation to do so.  Perhaps looking at the various features of ping and deciding to limit those that can be used, like ping redirect, might be a good compromise.
  • Work out how assessments can be carried out – can they be automated so that tests can be scheduled?

A large percentage of vulnerabilities are the result of incorrect configuration of devices.  Another common action is to check versions: many routers, switches and even firewalls are rarely updated, as updates frequently cannot be automated for operational reasons.

Only enable services that are required.  This requires an understanding of what is required and what is running by default on any server, whether file, email, web or security.  Doing so reduces the number of patches that are critical, which frees time to focus on those that are.

Allow only traffic that is needed – many firewalls still have unregulated outbound rules in place, yet restricting outbound traffic is a simple and effective way of blocking the cruder malware that might be introduced into a network.  Carry this policy across your whole network, ensuring that if a segment does get compromised the other segments are not easily available from it.  For instance, when you have VPNs between sites, identify what traffic is expected across that VPN and disable everything else.

Passwords are a major issue: simple passwords, along with password reuse and password reset, cause innumerable problems; just see the mess HB Gary got into as a result of poor password process (http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/).  Putting a strict password policy in place is truly a cheap way to improve security; users and managers may not like it, but they will be considerably more unhappy if their accounts are hacked.

Data storage planning is good practice.  Every organisation, big or small, has data that is sensitive, whether it is customer data or just the salary of the CEO.  Have specific places within your network where this data is stored.  It makes it easier to restrict access to just those that need to know, and easier to isolate and harden; and if data encryption is used nowhere else (and it should be), it gives one place where it can be.

To follow on from the above paragraph, wherever possible encrypt data, whether temporarily or permanently stored.  It is the last line of defence when your systems have been compromised; it can save customers from exploitation and organisations from severe reputational damage, prosecution and fines.

Organizations would also need to ensure that segregation of duty requirements are satisfied – a lone IT manager is frequently a vulnerability in him or herself.  They can make mistakes as there is no buddy system to help them check what they are doing, they rarely document changes and, of course, if they leave or go sick, there is no one to manage the environment.  Where possible, personnel need to share duties and information – in some situations it may be necessary to outsource duties to ensure the required segregation and duplication of services.

There is considerable assistance available from a number of sources for Configuration Hardening:

It is important to recognise that configuration hardening takes time.  Configurations need to be tested before being adopted.  There may be a large number of systems in production and the required changes will have to be carried out during scheduled downtime.  These standards will then be baked into provisioning processes for new systems.

There are tools that can help any organisation automate security assessments to ensure compliance to standards.  Configuration drift is common: systems inevitably and incrementally move away from the company standard.  It is important to catch this and to verify that such changes are justified and, if not, that they are brought back into compliance.  Carrying out such assessments manually means that they are usually done infrequently, if at all; it can also be time consuming and, without rigid discipline, may not be comprehensive.
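As an added illustration of the automated drift assessment described above (example code written for this article, not a product's own), the script below compares a constructed host snapshot with a constructed baseline covering the points made earlier: only required services, only needed outbound traffic, the password policy, and whether ICMP redirects are accepted. The baseline values, hostnames and addresses are all assumptions.

```python
"""Compliance check of a host snapshot against an organisational baseline
(added example, not from the original article).  Baseline and snapshot are
constructed dictionaries; in practice the snapshot would come from an agent."""
from dataclasses import dataclass

# Constructed standard configuration for a "web server" role.
BASELINE = {
    "allowed_services": {"sshd", "httpd", "ntpd", "rsyslogd"},
    # Outbound rules the standard permits: (destination, port).
    "allowed_outbound": {("10.0.5.20", 514), ("10.0.5.30", 123), ("any", 443)},
    "password_policy": {"min_length": 12, "max_age_days": 90, "history": 10},
    "accept_icmp_redirects": False,
}

# Constructed snapshot of a host that has drifted from the standard.
SNAPSHOT = {
    "hostname": "web-03",
    "running_services": {"sshd", "httpd", "ntpd", "rsyslogd", "telnetd", "vsftpd"},
    "outbound_rules": {("10.0.5.20", 514), ("10.0.5.30", 123), ("any", 443), ("any", "any")},
    "password_policy": {"min_length": 8, "max_age_days": 90, "history": 10},
    "accept_icmp_redirects": True,
}

# How each password-policy setting is compared: True means compliant.
PASSWORD_RULES = {
    "min_length": lambda actual, required: actual >= required,
    "max_age_days": lambda actual, required: actual <= required,
    "history": lambda actual, required: actual >= required,
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    detail: str


def check_services(snapshot, baseline):
    """Anything running that the standard does not list is extra attack surface."""
    extra = snapshot["running_services"] - baseline["allowed_services"]
    return [Finding(snapshot["hostname"], "services", f"unexpected service: {s}")
            for s in sorted(extra)]


def check_outbound(snapshot, baseline):
    """Outbound rules the standard does not contain (e.g. any/any) are reported."""
    extra = snapshot["outbound_rules"] - baseline["allowed_outbound"]
    return [Finding(snapshot["hostname"], "outbound", f"rule not in standard: {dst}:{port}")
            for dst, port in sorted(extra, key=lambda r: (str(r[0]), str(r[1])))]


def check_passwords(snapshot, baseline):
    """Each policy setting is compared with its own rule (weaker = finding)."""
    findings = []
    for key, ok in PASSWORD_RULES.items():
        actual, required = snapshot["password_policy"][key], baseline["password_policy"][key]
        if not ok(actual, required):
            findings.append(Finding(snapshot["hostname"], "password",
                                    f"{key} is {actual}, standard requires {required}"))
    return findings


def check_icmp(snapshot, baseline):
    """The 'limit ping features' compromise from the article: redirects off."""
    if snapshot["accept_icmp_redirects"] and not baseline["accept_icmp_redirects"]:
        return [Finding(snapshot["hostname"], "icmp", "ICMP redirects are accepted")]
    return []


def assess(snapshot, baseline=BASELINE):
    """Run every control; an empty list means the host matches the standard."""
    findings = []
    for check in (check_services, check_outbound, check_passwords, check_icmp):
        findings.extend(check(snapshot, baseline))
    return findings


if __name__ == "__main__":
    for f in assess(SNAPSHOT):
        print(f"{f.host}: [{f.control}] {f.detail}")
```

Scheduling this against every host's snapshot turns the manual, infrequent check into a repeatable one; each finding is either justified (and added to the baseline) or remediated.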

APTs: A Persistent Problem

April 10th, 2013

As persistent as their name suggests, Advanced Persistent Threats (APTs) demand a new level of vigilance.  They can hide dormant for months, transform to avoid detection, move stealthily around networks and then inflict untold damage.  IT managers need to impose multiple layers of security – not just to try to prevent infection but to detect it when it happens.

The US National Institute of Standards and Technology (NIST) gives the following definition of APTs:

“An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future.
The advanced persistent threat:

  • Pursues its objectives repeatedly over an extended period of time;
  • Adapts to defenders’ efforts to resist it; and
  • Is determined to maintain the level of interaction needed to execute its objectives.”

(http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf).

There are three differences between an APT and more “traditional” attacks.  Firstly, APTs are persistent, repeatedly trying different approaches over a long period.  Secondly, they are stealthy, as ideally they do not want to be noticed and they want to stay in residence as long as possible.  Finally, they adapt or are resilient – the hacker recognises that his attacks may be discovered and will either morph to avoid detection or install multiple executables to maintain his presence when one or more of these compromises are discovered.

The purpose of these attacks is normally for the extraction of information such as manufacturing processes, results of private research, sensitive commercial documents like business plans and pricing along with emails and contact lists.  This is why APTs are frequently associated with inter-governmental attacks where one state is keen to learn about or, in some cases, impede the activities of another state.  A typical example of impeding activities is the Stuxnet virus, carefully aimed at impeding Iran’s nuclear programme and assumed to be the work of another government.

However, it is not just governmental organisations that have suffered an attack.  RSA, Google and NASA have all experienced breaches due to APTs.  It is a form of attack that is showing considerable success, and that, regrettably, means that it will be increasingly used.

Traditional attacks tend to focus on a particular vulnerability.  They do not care about the target; they care about the technology.  If a system is not vulnerable to a particular exploit, then the attack moves on looking for one that is.  The purpose of this attack is more flexible, so if the target is not valuable in itself, then just making it part of a botnet gives the hack a value.

In APTs, the focus is the target.  Some considerable research must be done to investigate the target; what information is there about key players in the organisation; and what is its focus?  The actual attacks may not be that original.  Spear phishing is showing remarkable success given the proliferation of social networking sites where it is possible to find what people do, what their interests are and who they do business with.  Armed with this information, it is possible to write extremely plausible phishing attacks that enable the attacker to persuade a victim to open an attachment or click on a link.  This may well lead to relevant data of interest to the victim, but also to a Trojan exploiting a zero day vulnerability.

The Trojan is not noisy in any way; it installs quietly and does not interrupt the day to day operation of the end point, the user or the network.  Through it, more software can be downloaded and depending on the victim, this compromise might be used to launch new attacks to infect individuals higher up the chain.  There are multiple ways this infestation can be carried out, for example, an interesting article left on a community drive results in others reading it as it is perceived as ‘trusted’ but leads to the reader’s system being infected.

Equally, quiet brute force attacks on servers can seek out weak passwords, as the servers under attack were never considered at risk because, previously, they could not be accessed by external agents.  This sometimes results in passwords being reused or being sent by internal email.  Simply uploading the password hashes from the victim’s system allows the attacker to crack the passwords or it might just be possible in some cases to pass the hash and be authenticated on a system.  Either way, the attacker can escalate his ‘privilege’ to allow him greater access to an organisation’s information.

The attacker is not in any rush, the Trojan might well stay dormant for a number of days or weeks before taking action.  The methods of infection may well be low level at this stage as it is important to infect more endpoints and to install different backdoors, to establish a resilient presence in the network.

The next consideration for hackers is how to control this Trojan and associated backdoors.  A number of approaches have been used over the years, but having the malware communicate with websites over HTTP is a common way of reducing visibility.  Other hackers have developed protocols based around MSN, Jabber or even online calendars.  The intention is that security teams will see this as legitimate traffic and not investigate any further.  Other methods are to embed the commands in SSL encrypted streams with the obvious barriers this has for inspecting the content.

While it is undeniably difficult to defend against APTs, the best solution is a layered defence comprising:

  • A gateway solution with two or more anti-virus engines, to try and prevent the initial ploy arriving at its intended victim
  • Good anti-spam, to employ alternative techniques and prevent phishing attacks from getting through
  • Effective end point protection, ideally with access to a list of both good and bad software, which then allows for a third and important category: unknown.

Unknown software needs to be run in a sandbox to try and see what it is going to do; good heuristics will catch out the cruder attacks.  It is important to realise that APTs are associated with vulnerabilities that are usually unknown; they have been designed to by-pass existing signature and heuristic detection, so any solution must deal with this possibility.  Assuming that an unknown program passes all the tests above, when it is run it should be monitored and any changes it makes should be noted.  If it is subsequently identified as malware, the changes can be rolled back, removing the infection.  However, during this period data may have been uploaded, and this is where data leak prevention (DLP) can play a role.  Unfortunately, however, even DLP may not be able to help when the mechanism for uploading information is encrypted and, in the end, good monitoring of log files and traffic from all relevant sources is essential.

As always, vigilance is essential.  Frequently correlating different events can help security teams to identify malicious behaviour and catch it early.  This is a hard job to do manually but organisations need to consider how they best address this problem as it is a growing threat.  Increasingly, the challenge is not whether a company is infected, but rather how quickly it can detect that it is infected.
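One concrete form of the event correlation recommended above, and of the log monitoring the article says is essential when C2 hides in ordinary HTTP traffic, is to look for clients that contact the same host on a steady cadence. The following is an added example, not code from the original article; the proxy log lines, hostnames and addresses are constructed.

```python
"""Spotting periodic HTTP check-ins ('beaconing') in proxy logs, one way to
correlate events as the article recommends (added example, not from the
original article).  Log format assumed: timestamp client method host status bytes."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
                    r"(?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

# Constructed sample: 10.1.1.15 browses normally; 10.1.1.42 contacts the same
# host every ~300 s with tiny, near-identical responses, which looks like
# "legitimate" web traffic to a casual observer.
SAMPLE_LOG = """\
2013-04-10T09:00:00 10.1.1.15 GET www.example-news.test 200 48211
2013-04-10T09:00:04 10.1.1.15 GET cdn.example-news.test 200 120933
2013-04-10T09:00:12 10.1.1.42 GET updates.calendar-sync.test 200 312
2013-04-10T09:03:41 10.1.1.15 GET www.example-mail.test 200 7731
2013-04-10T09:05:13 10.1.1.42 GET updates.calendar-sync.test 200 318
2013-04-10T09:10:11 10.1.1.42 GET updates.calendar-sync.test 200 309
2013-04-10T09:11:02 10.1.1.15 GET www.example-news.test 200 48390
2013-04-10T09:15:14 10.1.1.42 GET updates.calendar-sync.test 200 315
2013-04-10T09:20:10 10.1.1.42 GET updates.calendar-sync.test 200 320
2013-04-10T09:25:12 10.1.1.42 GET updates.calendar-sync.test 200 311
"""


@dataclass
class Beacon:
    src: str
    host: str
    count: int
    mean_interval: float   # seconds between requests
    jitter: float          # stdev / mean of the intervals; low = machine-like
    mean_bytes: float


def parse(log_text):
    """Yield (timestamp, client, host, bytes) for every well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["host"], int(m["bytes"]))


def find_beacons(log_text, min_requests=5, max_jitter=0.1):
    """Group requests by (client, host) and flag series with a steady cadence."""
    series = defaultdict(list)
    for ts, src, host, size in parse(log_text):
        series[(src, host)].append((ts, size))
    found = []
    for (src, host), events in series.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            found.append(Beacon(src, host, len(events), avg, jitter,
                                mean(s for _, s in events)))
    return sorted(found, key=lambda b: b.jitter)


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.src} -> {b.host}: {b.count} requests, every {b.mean_interval:.0f}s "
              f"(jitter {b.jitter:.3f}, avg {b.mean_bytes:.0f} bytes)")
```

Malware that randomises its sleep interval raises the jitter, so in practice the threshold is tuned against the organisation's own traffic and the result is combined with other signals (new destination, small constant response sizes, off-hours activity) rather than used alone.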

Voice over IP – The Attack Surface

February 1st, 2013

Voice over IP (VoIP) systems are increasingly popular.  However, IP-based private branch exchanges (PBXs) are being hacked or targeted by toll fraud and distributed denial of service (DDoS) attacks.  Companies keen to benefit from the undoubted advantages of VoIP need to be aware of the risks.

VoIP is just data to computers and is as easily compromised as other data.  It is no longer on a separate network; usually, voice data touches other networks and, in the case of least cost routing, the networks that are touched can be considerable.  In some cases, voice may be routed not only across the providers’ considerable network, but may interface with the Internet.  It is therefore up to the customer to make sure that VoIP security is properly addressed.

From a hacker’s point of view, VoIP has all the vulnerabilities of both data and telephony networks.   To appreciate this, it is important to take into account all of the various components required for a VoIP deployment.  There are a lot of services that need to be configured correctly and these are all prime targets for any hacker.

They are:
1. User Agents (devices)
2. Media gateways
3. Signalling gateways
4. Gatekeepers
5. Proxy Servers
6. Redirect Servers
7. Registrar Servers
8. Location Servers
9. Network management systems
10. Billing systems servers

So now the telephone system is just a computer and can be attacked in the same way.  For instance, it can be attacked via the WiFi, as the protocols used for wireless – both WEP (Wired Equivalent Privacy) and WPA (WiFi Protected Access) – can now be hacked.  Or it could be that switches, routers or NIC drivers are not up-to-date, have a flaw and can be compromised.  Perhaps the operating system is not fully patched, as sometimes VoIP manufacturers recommend that auto-updates be turned off.  The telephone system is now also exposed to generalised network issues like broadcast storms, which can affect handsets on the same network.  The point is that the telephone system needs the same protection as your other servers.

Next, the hacker will look at the many VoIP protocols that are used:
1. Session Initiation Protocol (SIP)
2. Simple Gateway Control Protocol (SGCP)
3. Internet Protocol Device Control (IPDC)
4. Real Time Transport Protocol (RTP)
5. Secure Real Time Transport Protocol (SRTP)
6. RTP Control Protocol (RTCP)
7. Secure RTP Control Protocol (SRTCP)
8. Media Gateway Control Protocol (MGCP)
9. Session Description Protocol (SDP)
10. Session Announcement Protocol (SAP)
11. Multipurpose Internet Mail (MIME)
12. Inter-Asterisk eXchange (IAX)
13. Gateway Control Protocol (Megaco H.248)
14. Remote Voice Protocol over IP (RVP over IP)
15. Real Time Streaming Protocol (RTSP)
16. Skinny Client Control Protocol (SCCP – Cisco)
17. Unified Network Stimulus (UNISTIM – Nortel)

The intention will be to see if there are any inconsistencies in the way the protocols have been implemented and any configuration issues that can be taken advantage of.  With so many servers and protocols to attack, this allows for a number of different approaches:

1. Identity Spoofing
2. Conversation Eavesdropping/Sniffing
3. Password Cracking
4. Man-in-the-Middle
5. SIP-Cancel/Bye DoS (prematurely ending calls)
6. SIP Bombing (transmitting a large quantity of forged SIP messages)
7. RTP Insertion Attacks
8. Web Based Management Console Hacks
9. Fuzzing
10. Default passwords

However, it is not just these well-known attack vectors that companies need to be aware of.  VoIP introduces some nuances that allow a hacker to be quite inventive.  In one case, the hacker realised that the telecommunications company actually stripped off the ‘head’ number and just passed on the extension.  However, the integrated service router (ISR) on the customer site had been configured to allow call forwarding.  The hacker discovered this and, by prefixing the code for an external line (‘9’), was able to make calls to premium rate numbers.

In another case, the VoIP system had a voice mail system that could be accessed by employees remotely by the dialling and entering of a PIN number.  One of the PIN numbers was broken by the hackers, giving them access to that voicemail.  The voicemail feature provided the ability to configure a call transfer, so the hackers could configure a call transfer to a premium rate number.  They did this on a Friday evening and changed the PIN number ensuring the legitimate user could not log back on.  By Monday, the ITSP was ringing to inform the customer of a 100,000 Euros bill.

Obviously, distributed denial of service (DDoS) attacks are a concern for any organisation and it seems that large companies are just as vulnerable.  TelePacific Communications fell victim to an attack that lasted a number of days.

Organisations should also be aware of the risk of eavesdropping or ‘sniffing’ VoIP data.  This was recently illustrated by a flaw in some Cisco phones, where phones still on-hook (but apparently not being used) could be turned into listening devices.

Virtual LAN (VLAN) hopping is another threat that is not commonly understood.  The “Voice VLAN” is a special access port feature of Ethernet switches that allows IP phones to auto-configure and easily associate to a logically separate VLAN.  This feature provides various benefits, however, when IP Phones are located at physical locations outside of close physical proximity to the corporate network, the threat of attacks based on VLAN hopping greatly increases.

The reason for this is that many companies implement a configuration of voice and data VLANs at these remote locations that mirrors the exact VoIP configuration of the internal network.  So, at this remote location, the hacker ensures that his laptop/PC is directly terminated into the Ethernet cable coming from the network jack on the wall rather than being terminated on the Ethernet port on the IP phone.  The hacker then uses “sniffer” software to collect data from the network.  Dissecting these multicast frames will tell the attacker the VLAN numeric ID of the VoIP VLAN.  After the hacker has set the Ethernet frames emanating from his laptop/PC to have the Voice VLAN ID, the Ethernet switch permits and switches the traffic correctly. The IP phones will then be allowed to send a dynamic host configuration protocol (DHCP) request for an IP address in the Voice VLAN network.  So now we have an unauthorised laptop/PC on the VoIP VLAN which cannot be good.  Once on the Voice VLAN, it can now do a regular VLAN hop onto the data network and hence gain access to other vital company resources like databases and financial information.

The purpose of this article is not to scare but to prepare.  Organisations can gain innumerable benefits from VoIP, but this telephony strategy should not be adopted without putting effective and comprehensive security systems in place.  For more information on how to protect against the threats detailed in this article, visit www.redscan.com/node/582.

How to Hook a Hacker

January 25th, 2013

In 2012, we all became pretty familiar with hackers, getting to know their groups like Anonymous, Lulzsec, and others like them.  The activities of these high-profile hackers have come to the attention of international authorities, who are now increasingly working co-operatively across national boundaries to try to prosecute them.  Hooking a hacker is, however, easier said than done.

The obvious fact is that hackers use the Internet to obscure their identity.  Let’s start with the basics – the IP address that uniquely identifies a system on the Internet is dynamically allocated by the Internet Service Provider (ISP), so the only way of finding out who had that address, at that time, is to hope that the ISP has a record for this.  Not all ISPs do.  In the UK, ISPs do keep records of IP addresses allocated, but they don’t hold this information forever, so time is against the investigators.  The trouble is that any request for this information requires proof of illegal activity to generate a warrant, which can take time.

Even if IP address information can be retrieved, the source of the IP might well be in another country which raises political and legal barriers to any investigator.  Hackers know this and will deliberately attack targets outside their own countries.  Some hackers who have been identified have only finally been caught because they were arrogant enough to attack an institution in their own country.  This happened to Victor Faur from Romania who attacked NASA from the safety of his country.  He seemed immune to prosecution, as Romania did not recognise the crime, but Faur then decided to attack computers in Romania, at which point the Romanian authorities arrested him.

Knowing that they cannot always hide safely behind a dynamic IP address, hackers moved on.  The next step was for them to use a proxy or, more likely, several proxies.  Examples of proxies are:

  • Facilities provided by individuals or companies usually with the intent of making it possible for people in repressive regimes to have their say anonymously;
  • Systems that have been compromised without the victim’s notice.  Many hackers will tell of forgotten servers in some foreign country that they have hacked into and now route their traffic through; others will talk about an army of computers that they have turned into their obedient servants, or robots, making a network of robots or botnet.

Proxies make the investigators’ life a little harder as they may now have multiple ISPs in multiple countries to work with.  The result is more time, greater complexity and less certainty in the results.  And like chasing all prey, it requires patience, determination and a good deal of silence.

In the meantime, some hackers have moved on to use onion routing, a technique for anonymous communication over a computer network.  Tor is now the obfuscator of choice, though there are others.  These routing protocols manage to obscure the source, destination and the actual body of the data, making the life of the investigator extremely difficult.  There are ways of discovering more information, but they require more time and considerable access to parts of the onion routers’ network, like the exit node of a Tor network for instance.

Sometimes, ironically, investigators are helped by the hackers themselves, who need to communicate either with their collaborators or, in the case of hacktivists, to make people understand why they are taking the actions they are taking.  These frequent posts require that the hacker always takes precautions.  One Anonymous member, Sabu, was apparently caught because he failed to use Tor once when logging onto his IRC feed.  This allowed the FBI to see his IP address and hence allowed him to be traced.  Another member, Nerdo, kept his childhood ‘handle’, so whilst as a hacker he was cautious, it was possible for investigators to associate this name with a real-world name by tracing it back to a time when he was less careful, as he had less reason to be.

The job will get harder; hackers will learn how others were caught and will take precautions, and investigators will have to look for flaws in those new precautions.  By the nature of the game, investigators are reactive, waiting for a compromise and then having to chase on limited information.  Victims can help by having good security and improving logs which help traceability by providing more information.  Good monitoring is also key, as the less the time between hack and detection, the less data that is stolen and the hotter the trail.

S-SCAN: State-of-the-Art High Speed Web Content Filtering

December 11th, 2012

Network Box are introducing S-SCAN, their state-of-the-art high speed web content filtering system, designed to help organisations block undesirable content from reaching their users.  S-SCAN is based on signatures which uniquely identify websites and categories.  This allows one signature to cover a large number of websites and webpages, greatly enhancing efficiency.

S-SCAN has been running for over two years with 16 categories of “undesirable” content (Adult, Criminal, Gambling, Offensive, Malware, etc) but did not attempt to address the “productivity” categories. The reasons for this were that:

  • For most organisations, the core categories are what count the most, and
  • The core categories are those that can be most accurately categorised (with less room for gray areas).

For those organisations that required tighter control of the productivity categories, Network Box offered the SurfControl/WebSense content filtering engine with its 52 categories.  Since then, S-SCAN has won both critical and user acclaim, winning both the IT Pro Corporate Choice and Computerworld awards.  Customers love it, and the fact that it won in ‘customer voting’ awards and beat the ‘big name’ content filtering providers is very satisfying.  It has also won a significant number of new customers for Network Box.

Network Box are now ready to announce the next stage of S-SCAN for both the NBRS-3 and NBRS-5 platforms.  For the past two years, Network Box content filtering teams, as well as their partners like Redscan Ltd, have been hard at work expanding the coverage of S-SCAN to 57 categories.  S-SCAN has grown from approximately 3.5 million signatures in 2011, to more than 7 million signatures today.  How many web sites do those 7+ million signatures categorise?  Well, as one signature can cover anything up to several thousand websites, it is hard to say.  But, based on the average browsing activity of the Network Box customer base, they estimate more than 190 million websites are categorised by S-SCAN today.  Please note that those are websites, not web pages; the number of web pages would be an order of magnitude greater than that.

Network Box believe it is only by measuring something, to industry standard metrics, that you get an appreciation for how good (or bad) it is, and how things are changing for the better (or worse) over time. They, therefore, recently spent quite some time measuring the performance of S-SCAN, and here is what they found by comparing the S-SCAN engine, to the SurfControl engine, for the 5 data sets below:

The results of the comparison between the S-Scan engine and the SurfControl engine, were extremely encouraging:

S-SCAN specifically targets highly popular websites, and the S-SCAN coverage figure of 98.7% of the top 100,000 websites (as measured by Alexa) is to be expected.  Note that Alexa is not a perfect test set, as a number of garbage spammed websites make it into the rankings.  If you were to remove those unreachable and uncategorisable websites from the Alexa list, the S-SCAN coverage would be 100%.

Now, the purpose of these tests is not to denigrate SurfControl/ WebSense. Their engine is among the leading content filtering engines available in the market today. Network Box continue to be impressed by the engine’s performance every day, WebSense continue to be a Network Box partner and Network Box continue to offer their engine.

The purpose of S-SCAN is to offer an alternative to the SurfControl/WebSense engine offered by Network Box, one which allows S-SCAN to focus on accurate classification of:

  • Network Box’s customers’ own websites
  • The top websites visited by the global Internet audience
  • The top websites visited by Network Box customers
  • The websites visited by most of Network Box customers most often that were uncategorised (the uncategorised feedback loop)

S-SCAN category list

The list below is the full S-SCAN Extended list.  The basic 14 categories available on S-Scan Core are highlighted in red.

N.B. Please note the difference between ‘unknown’ and ‘uncategorised’. A result of ‘unknown’ indicates that the category of the URL cannot be determined by the engine. A result of ‘uncategorised’ indicates that the category of the URL is explicitly being returned as uncategorisable by the engine.

Tackling Modern Malware

July 26th, 2012

With new unique pieces of malware emerging daily and ever-increasing access requirements from a host of new endpoints, the challenge posed by malware detection has changed.  Zero-day threats pose an increasing risk as, by definition, nobody has a signature for this and in many cases heuristics can be bypassed.

User habits are changing too; the vast majority of applications are now downloaded and installed over the internet.   Users need to connect to the internet to do anything useful; time off-line is usually brief and increasingly rare and unproductive.    This, though, provides a new way of delivering security that can keep users safe and up to date instantly.  Webroot have used this in their Secure Anywhere (WSA) product to provide a new concept that changes the anti-malware game.

WSA doesn’t download vast databases of signatures onto an end user’s device, which is a boon for the increasing army of endpoints that are being used.  This also saves bandwidth and it saves time: installation times drop dramatically, making it very easy to install.  Some anti-malware solutions are downloading vast quantities of data every day in updates.  Instead, Webroot’s system stores a vast database in the cloud (over 400TBytes and growing), which is updated all the time with new solutions (around 200GBytes a day).  Any file that can be executed is first ‘hashed’ and the hash is then sent up to this vast store and categorised as:

  • Known good software – the hash uniquely identifies the code as a known piece of software that has been tested and known to be safe to run.
  • Known bad software – the hash uniquely identifies the files as a known piece of malware that will be blocked from running and either quarantined or removed from the endpoint.
  • Unknown – this is where the clever stuff happens and the fact that Webroot’s database defines known as well as unknown makes this category very useful:

The graphic below illustrates the communication flow between the agent and cloud.

  • If the Webroot Intelligence Network (WIN) responds with an unknown classification, the file is executed in a virtual sandbox environment. This allows the behaviour of the file to be monitored. This behaviour is then packaged and sent up to the Webroot Intelligence Network where it’s compared to thousands of behavioural rules.
  • In the diagram, you can see the behaviour is classified as Good. This means that Webroot haven’t observed any malicious behaviour at this stage.
  • Because the behaviour is good (so far), the file is allowed to execute on the endpoint but it’s placed in monitor mode.  While in monitor mode, the behaviour is watched to see if it changes.  As soon as it starts to behave maliciously, or as soon as Webroot’s Threat Research team identify the threat, the malware is quarantined or removed and, more importantly, it is remediated.
  • While in monitor mode, every single change the file makes to the endpoint is recorded in a local change-journal database. So if a file is found to be malicious, remediation means not just quarantining or deleting the malware, it means that all changes that the file made to the endpoint can be reversed, providing a perfect clean-up routine.

Tackling Modern Malware
In addition to the Monitoring functionality, there is also a powerful Identity & Privacy shield to protect data from information stealing malware which means that even if the initial infection tries to make changes, the endpoint and user’s data will still be protected.

The other major benefit this solution brings to companies is that it can be run from an interface in the cloud, allowing the administrator to manage the system from wherever they are without the time and expense of maintaining a locally sourced server.  Added to which, this administration interface provides a wide range of features that allow administrators to do all the usual administration tasks as well as whitelisting and blacklisting applications, right down to executing commands on end users’ systems if required.

The other thing to consider is what happens when the endpoint is not connected to the internet.  If a brand-new piece of software is introduced when the endpoint is completely offline, and it has no relationship with any existing software on the endpoint, then WSA automatically applies special offline heuristics blocking many threats automatically. If a threat gets past this logic, it is run in monitoring mode which ensures any threats that do execute cannot do lasting damage.

The suspicious program is monitored to see precisely what files, registry keys, and memory locations are changed by the software program, while remembering the “before and after” picture of each change. If the software is subsequently found to be malicious, WSA proceeds to clean up the threat when it is online again. The important thing here is that WSA doesn’t just simply delete the main file—it removes every change that the threat made and returns the endpoint to its previously known good state. If at any point a suspicious program tries to modify the system in such a way that WSA cannot automatically undo it, the user is notified and that change is automatically blocked.
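As an added illustration of the hash lookup into the three categories above and of the monitor-mode change journal described in the last paragraph (this is constructed model code, not Webroot’s): every change a monitored program makes is journaled with its before-state, a later malicious verdict reverses all of them newest-first, and changes to areas the monitor cannot restore are refused. All hashes, store names and sample values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the cloud's known-good / known-bad hash sets (not real hashes)
KNOWN_GOOD = {hashlib.sha256(b"trusted-editor").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"known-dropper").hexdigest()}

def classify(binary: bytes) -> str:
    """Hash the executable and return 'good', 'bad' or 'unknown' (unknown -> monitor mode)."""
    h = hashlib.sha256(binary).hexdigest()
    if h in KNOWN_GOOD:
        return "good"
    if h in KNOWN_BAD:
        return "bad"
    return "unknown"

@dataclass
class Endpoint:
    files: dict = field(default_factory=dict)     # path -> content
    registry: dict = field(default_factory=dict)  # key -> value
    boot: dict = field(default_factory=dict)      # constructed: an area the monitor cannot restore

def fingerprint(ep: Endpoint) -> str:
    """Stable digest of the whole endpoint state, used to prove a rollback really restored it."""
    items = sorted((s, k, str(v)) for s in ("files", "registry", "boot")
                   for k, v in getattr(ep, s).items())
    return hashlib.sha256(repr(items).encode()).hexdigest()

@dataclass
class Entry:
    store: str
    key: str
    before: object          # None: the key did not exist before the change

class Monitor:
    """Applies a monitored program's changes, journaling the before-state of each one."""
    REVERSIBLE = {"files", "registry"}   # constructed: stores whose changes can be undone

    def __init__(self, ep: Endpoint):
        self.ep, self.journal, self.blocked = ep, [], []

    def change(self, store: str, key: str, value) -> bool:
        """Apply one change (value None = delete). A change the monitor could not undo is
        blocked and logged instead, leaving the endpoint untouched; returns False for it."""
        if store not in self.REVERSIBLE:
            self.blocked.append((store, key))
            return False
        target = getattr(self.ep, store)
        self.journal.append(Entry(store, key, target.get(key)))
        if value is None:
            target.pop(key, None)
        else:
            target[key] = value
        return True

    def remediate(self) -> int:
        """Reverse every journaled change, newest first; returns the number undone."""
        undone = 0
        while self.journal:
            e = self.journal.pop()
            target = getattr(self.ep, e.store)
            if e.before is None:
                target.pop(e.key, None)
            else:
                target[e.key] = e.before
            undone += 1
        return undone
```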

With conventional antivirus products, their signature bases are never completely up to date. When a brand-new infection emerges, and the antivirus software hasn’t applied the latest update or there isn’t a signature written for that specific threat, the infection simply roams freely across all endpoints, deleting, modifying, and moving files at will. As a result, it doesn’t really matter if a device is online or offline—the malware infection has succeeded in compromising the endpoint.

When a traditional AV product comes back online, it applies any updates and if configured to do so, runs a time-consuming scan—it might then be able to remove the infection. But it will not be able to completely reverse the changes the infection made, so the user or administrator will have to activate the System Restore function. More likely, the endpoint will need to be re-imaged because it’s so unstable—a major further drain on time and productivity.

Conversely, WSA leverages behavioural monitoring to pick up infections when the Internet is inactive or the endpoint is offline and it isn’t sure whether a file is malicious or not. This process provides uniformly strong protection against the damaging effects of malware.

The effectiveness of the approach was highlighted in 2007 when it recognised Flame and protected customers against it a good number of years before other manufacturers even knew of its existence.  A conversation between computer security companies reveals the effectiveness of Webroot’s approach: http://www.npr.org/2012/05/30/153970997/computer-security-companies-debate-flames-origins.

This is a really clever use of the internet: it provides a large database of signatures and heuristics while keeping the footprint on the endpoint very light, giving the best of both worlds.  The other consideration is that there is a mechanism for catching and remediating zero-day threats, which shows a degree of pragmatism rarely seen in other products.

Fashionable but vulnerable: mobile devices in the workplace

April 13th, 2012

Many organisations are replacing desktop PCs with laptop computers and rolling out tablet computers and smart phones to teams working outside of the office. These mobile devices are contributing to improved efficiency and are undoubtedly popular with employees, but they are also inherently vulnerable. To minimise the risks, organisations must develop specific mobile device management policies – and then enforce them.

The figures make interesting reading. In 2012, Gartner predicts that PC sales will reach about 400 million units worldwide. This sounds like a lot, but Gartner also forecasts that over 600 million smart phones and 100 million tablets will be sold in the same period, indicating that mobile devices are now significantly outpacing traditional PCs in popularity.

An increasing number of these mobile devices are likely to be employed in corporate environments. Organisations, large and small, are now using tablets and other portable computing equipment to realise significant improvements in efficiency. Indeed, in a survey of 6,275 global organisations, conducted by Symantec (2012), 70% of respondents said they expected smart phones and tablets to increase employee productivity.

Whatever their potential value, mobile devices nevertheless pose an enormous security risk. They are, after all, easy to accidentally misplace and highly lucrative prizes for opportunistic thieves. If lost or stolen, smart phones and tablets could be used to gain unauthorised access to corporate systems, steal data and maliciously infect core business applications.

Given the risks, it is absolutely essential for organisations today to have a comprehensive mobile device management policy in place. This policy must cover security policy, application control, configuration control and a host of other precautions.

Ten important points to address in a company policy include:

  1. Password protection across all mobile devices, enforced for all users
  2. Encryption of all data on local memory and removable memory
  3. Methods of installing, disabling, removing and controlling permitted applications
  4. The use or prevented use of public WiFi networks and Bluetooth in some locations
  5. Provision and maintenance of anti-malware software
  6. Regular data back-ups
  7. GPS and tracking mechanisms to detect the location of devices
  8. Secure methods of connecting to the corporate network to exchange data (such as a virtual private network)
  9. Effective management of assets: who has mobile devices, where, when and why
  10. Access to IT support and maintenance for remote workers

Once a company policy has been developed, it is of course essential to enforce it. Employees must be educated on the importance and relevance of the policy and measures should be put in place to monitor their adherence.

Data in Use

February 7th, 2012

With the proliferation of keyloggers, Trojans and other malware, it becomes progressively more difficult to ensure that data being used is safe.  In fact, it may not be possible to state that data in use is ever truly secure given that any company is also dependent on the end user and how trustworthy he or she is.  So perhaps the first precaution that can be taken is to ensure that those that have access to the data actually need to access it.  It is also important to consider if a person does have access to data where can they access it from and how.  If data is highly secure, then really it should never leave the secure location where it is stored, whether that is on-premise or in the cloud, no matter who might be asking or how convenient it might be.

This issue becomes more of a concern when employees are being encouraged to work from home or are tempted to do work from an unsecured machine.

So the first step is identifying the required privacy of data (data discovery and classification is a useful task in itself) and who is allowed access to that data.  Then the appropriate access rights can be set up and procedures created on how that data is to be accessed.

Once the policy is in place, then technical solutions can be used to help enforce those policies.  To that end, it is important that data protection is part of the work flow and that the user is largely unaware of it where possible.  It should be part of what they do.  Full disk encryption (FDE) is a good first step and increasingly ‘invisible’ to the end user.  Whilst this may be considered as data at rest, it should be noted that FDE encrypts swap space which is arguably data in use.  Furthermore, it has to include all media.  For instance, data copied to a USB must be just as encrypted as the hard disk of the desktop or laptop.

Another technical solution that provides protection for company data is the use of a virtual OS on USB sticks.  This allows employees to plug this USB into any machine, have their familiar environment and still be private.  This allows employees to use home machines that may also be used by their family and yet maintain complete separation from that platform.

Increasingly Data Leak Prevention (DLP) is being used to ensure that a foolish action is prevented from publicising sensitive data but this is a whole subject in itself, please see here for more information on DLP.

Good gateway protection implementing defence in depth continues to be good policy for the company infrastructure.  Locking down the user’s OS and keeping it and all applications patched with the latest and greatest releases is also key.  However, this frequently runs into issues where the danger of manufacturers introducing errors and hence vulnerabilities is contrasted with the vulnerabilities that are being patched.  It requires an understanding of what is being patched, a process to test before production and a way to roll back if an error is discovered that cannot be accepted.

Another way of controlling the desktop environment is application whitelisting, where only known applications are permitted to run.  This can impede productivity but, where possible, can go a long way to reduce the chance of malware and of inadvertent disclosure.  As ever, the deployment of defence in depth is best practice, and some control at the gateway of a network is an extra precaution that is easy to deploy, manage and monitor.  There also remains little alternative to good desktop security.

In the end, the security of data in use is about risk mitigation.  However, with the current targeted attacks and the proliferation of zero day threats, the risk level is high.  It is necessary that action is taken to implement the required precautions that reduce the risk to an acceptable level.

Network Box NBRS-5

January 30th, 2012

Network Box has revealed details of its new software platform called NBRS-5.0, which will be available in increments from the second quarter of 2012.  This new technology will be available free of charge to existing users of the Network Box device.  Redscan will be contacting customers that use Network Box later this year to arrange the upgrade.

NBRS-5.0 is both a platform and a product. Made up of a large number of security modules, building upon a base platform, NBRS-5.0 provides comprehensive protection without sacrificing the functionality of the individual security modules.  There are four main design goals that anchor NBRS-5.0:

NBRS-5.0 is transparent
NBRS-5.0 applies transparency as a philosophical goal. The product is designed to have little impact on existing networks and to require as few changes as possible. Like a water filter, it filters the dirt (viruses, spam etc) from the water (network traffic) without affecting other flows.  The connection between the box and Network Operation Centre (NOC) is also simplified.  NBRS-5.0 boxes connect back to their management NOCs (or other Network Boxes in a cluster) using a single SSL-encrypted connection. The NOCs (and management boxes) then communicate with the box using these individual management links.

NBRS-5.0 is holistic
Most UTM systems today reduce the complex problem of network security down to its fundamental parts (such as anti-virus, anti-spam and firewall etc) and deliver these as individual solutions. Although named ‘Unified’, in practice this approach does not lead to unification – other than that they are all running and maintained on the same appliance. To put it simply, the administrative interfaces are still broken apart by module.  NBRS-5.0 is designed, from the ground up, to provide a Holistic Security Management platform, and to extend that platform with security modules that both fit and work together in a holistic manner.  Several key technologies (including an entity model, unified logging and configuration) contribute to a single Holistic User Interface.

NBRS-5.0 is scalable
Capacity planning is a continuing problem for computer systems, as traffic and usage patterns continue to increase. Scalability is the key to meeting this goal. NBRS-5.0 addresses scalability in two ways: in-the-box by supporting multi-core and multi-CPU appliances, and out-of-the-box with fundamental support for clustering of boxes into a single seamless solution.

With both high-availability and load-balanced approaches, the cluster can be centrally managed, and traffic will be balanced both within the box (across CPU cores) and within available cluster devices. Unified logging and configuration systems make configuration seamless – a single change to a parameter is replicated and deployed across the cluster (either within an office, or across a globally dispersed organisation). Cluster configuration and log replication are automatic and can be flexibly deployed in a variety of configurations.

NBRS-5.0 is modular
NBRS-5.0 is designed as a base platform, with security service components that can easily be installed and removed. The base platform consists of a kernel, a user space tool chain, a logging system and a configuration system.  Essentially it is like an extremely sophisticated router; it is the security service components that provide the UTM+ functionality.

The advantages of this base platform approach are a reduction in firmware size (both in memory and on disk), no requirement for installation of services not required, simplification of deployment and, most importantly, a clarity of thinking in what is being provided.  Individually, the components of NBRS-5.0 aim to be best in class and, working together, they will combine to provide an effective, affordable and comprehensive network security system.

Redscan will make NBRS-5.0 available to all of its Network Box customers and will contact customers later this year to discuss the upgrade.  NBRS-5.0 will be supported on all current hardware (the S-, M- and E-class boxes that have been available for five years now) and should not require any hardware upgrades. However, if extra functionality is enabled and used, customers may require extra hardware capacity.

Look back: A review of the threats faced in 2011

January 24th, 2012

Redscan proactively monitors and maintains Network Box security solutions on behalf of its customers in Europe and is part of a network of similar operations centres worldwide. These products generate extensive statistics that provide a unique view into what is happening in the real world. This article examines the statistics collected in 2011 and explains what they reveal.

There is a great deal that can be gleaned from customer systems. When statistics from many different organisations, of different sizes, from different industries, in different countries are amalgamated and analysed, they provide a useful insight into the true nature of security threats. These trends are not only interesting to observe, but are also invaluable in helping companies to determine future security policies. The statistics gathered in 2011 reveal:

  • A new security signature was released every 8.1 seconds
  • Malware attacks escalated by 68.1% in 2011, as compared to 2010
  • Attacks using firewall technology increased by 13.1% on the previous year
  • Small businesses – not just large organisations – were targeted with denial of service (DoS) and distributed denial of service (DDoS) attacks
  • A larger proportion of IT managers are imposing restrictions on web site usage

In 2011, Network Box Security Response PUSHed out 7,125 updates, which was down 39.2% on 2010. However, the number of signatures grew 25.9% to 3,880,267. This strange statistic reflected the continued move to cloud-based signature systems (such as Network Box’s Z-Scan and NBCP content categorisation systems). So the number of updates fell while the number of signatures released increased. This is a trend that is destined to continue, as traditional signatures continue to be the most effective against the depth and breadth of malware, whilst cloud-based signatures are emerging as the most effective solution for zero-day outbreaks. The result is that there was approximately one new signature every 8.1 seconds in 2011.

During the year, the average Network Box blocked 208,081 spams which is down 55.8% from 2010, but malware is up 68.1% on 2010 to 8,008. The reduction in overall spam volume is due to the large-scale takedown operations against botnets and their owners that have occurred, as botnets are the single biggest source of spam. However, the reduction in spam volume is somewhat masked by the increased use of pre-scan filtering such as RBL blocks at the envelope stage and recipient address verification (for an explanation of envelopes, click here). Such envelope-stage blocks are effective against a huge amount of spam (currently estimated at around 35%, globally). Messages, both spam and malware, blocked at the envelope stage do not appear in our reported figures for ‘messages blocked as spam and malware’.

The 2011 statistics reveal that the average Network Box blocked 9,191,536 attacks during the year using firewall technology. Such attacks were up 13.1% on 2010, which could indicate that hackers believe that firewalls can be badly configured and are worth probing for vulnerabilities, either in the firewall itself or just as a way of accessing the network behind. Intrusions were down 18.3%. It should be noted, however, that such network-level attacks are an unavoidable consequence of being connected to the global Internet.

The trend away from attacks composed of mass-mailed spam and malware towards attacks of targeted/mass vulnerability exploit continued during 2011. One worrying new pattern was the increase in relatively low-impact denial of service (DoS) and distributed denial of service (DDoS) attacks. In the past, DoS and DDoS have used hundreds of megabits of bandwidth, but 2011 saw a large number of such attacks in the tens of megabit category targeting small organisations. Whilst larger enterprises have deployed protection against this form of attack, many smaller companies haven’t and are therefore vulnerable.

In 2011, the average Network Box blocked 1,663,284 websites due to company content filtering policy, which is up a massive 45.5% on 2010. When this is compared with the 45,838,221 website URLs visited on average over the year (which is only up 12.8% compared with 2010) this indicates that IT managers are imposing more controls to implement their company’s policy. The growth in bandwidth usage – and web usage, in particular – continues, driven by the increase in web-based applications, social networking, cloud-based solutions and smart mobile devices.