How did that happen?

Remote Monitoring is an essential part of the physical, perimeter and insider security used by airports, casinos and high-security installations such as nuclear power plants.

Unlike 10-15 years ago – remote monitoring is now performed using the standard TCP/IP networking protocol. A central Network Control Center (NCC) is sited on the corporate network, with IP connectivity to multiple remote devices (such as IP cameras), systems and networks, for surveillance, monitoring and control purposes.

By replacing an IP camera with a laptop computer -  an attacker can use  the IP surveillance  device end point as a back-door that enables  entry and exploitation of the entire corporate network.

The potential damage of such a back-door attack on a remote monitoring system is enormous.

• Data theft – from center or nodes in an IP Based Surveillance system
• Online attacks – to center or nodes in process control and SCADA monitoring
• Interlinking – from one node to another in remote infrastructure monitoring

“attacks on management system components are potentially far more devastating. By targeting strategic management system resources, including security and security management components, attackers can subvert and disrupt the entire operations of an enterprise.”
(Springer Science + Business Media, LLC 2007)

Why not use a firewall?

Traditional IT security products are not effective security countermeasures against threats to vulnerable IP-based remote monitoring networks. There are a number of reasons for this:

• The remote monitoring network topology may not be amenable to firewall/IPS solutions. Unlike a corporate network which generally has a small number of egress points to the Internet that can be serviced by a small number of firewalls – a SCADA or IP surveillance network can have thousands of access points and a complex hierarchical topology.
• IT Security products suffer from software bugs and misconfiguration – enabling hackers to exploit these vulnerabilities and attack the company’s data.
• Large installations such as casinos and airports are attractive targets for well-financed, highly motivated attackers.
• Hacking information and know-how is out there
• As a result, more money, resources and effort is, and will be invested by attackers to facilitate an attack on sensitive networks like the IP cameras in an airport

There is however a more realistic and practical approach than applying layers of firewalls and intrusion detection which may increase complexity and vulnerability of the network rather than improving security.

The solution is a technology that enforces unidirectional connectivity at the physical network layer between the NCC (network control center) and the IP devices in the remote monitoring network. Remote monitoring networks are by nature unidirectional:

• Command and Control  – The NCC sends command data to remote devices
• Surveillance – The IP surveillance devices send data and/or video/audio to the NCC

By enforcing unidirectional connectivity at the physical layer of the TCP/IP network, a hacker cannot enter the corporate network via the remote monitoring network backdoor.

One of our security technology partners is an Israeli company called Waterfall Solutions.

Waterfall provides an impenetrable solution to the threats of on-line attacks and data leakage that are inherent to TCP/IP connectivity. The key to Waterfall’s solution is Waterfall One-Way™, a successful combination of sophisticated software agents, impenetrable hardware components and an underlying proprietary transfer protocol.

Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.

Motivation

Network content monitoring is generally used for monitoring of employee or students surfing and filtering out violence, pornography and drug-related content.This sort of Web content filtering became “mainstream” by 2005 with wide-scale deployments in schools and larger businesses by commercial closed source companies such as McAfee and Bluecoat and Open Source products such as Censor Net and Spam Assassin.Similar signature-based technologies are also used to perform intrusion detection and prevention.

However, a new class of content monitoring products has emerged that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “extrusion”. The motivation for using these products is economic not behavioral; transfer of digital assets by trusted insiders or trusted systems can cause much more economic damage than viruses to a business. Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup. Companies often hesitate from publicly reporting extrusion events because it damages their corporate brand, gives competitors an advantage and undermines customer trust.

There are two potential “internal customers” for content monitoring in a company – business management (risk management and/or internal audit) and IT infrastructure management.

Senior business management wants to protect their brand by protecting their information assets from criminals, competitors and trusted insiders.There seem to be three schools of thought on this with CxO’s; one common approach is to ignore the problem and brush it under the carpet of compliance monitoring. Another approach is to monitor asset flows without telling employees or the whole world. The smart CEO seems to like an extrusion prevention system as a deterrent and as a way of enhancing the brand (“your assets are safer with us”).Passive content monitoring of asset flows in the network that operates independently of existing I.T systems can be an effective auditing tool for threats to digital assets in any case.Employees and hackers cannot detect a Layer 2 Sniffer device and a Sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network than school of thought number 2 has plausible deniability.

Firewalls are not enough

Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because:

1. The firewall might not be properly configured to stop all the suspicious traffic.
2. The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.
3. The major of attacks and extrusions are not on the IT infrastructure but on the data itself.
   
4. Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.
5. The firewall itself can be compromised. As we have more and more Day-0 attacks and trusted insider threats, so it is good practice to add additional independent controls.

Detection, Prevention and Security Management

Detection

Sophisticated incoming and outgoing content monitoring technologies basically use three paradigms for detection:

1. AD- Anomaly Detection – describes normal network behavior and flags everything else
2. MD- Misuse Detection – describes attacks and flags them directly
3. BA – Burglar alarm – describes abnormal network behavior (“detection by exception”)

In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if it is too conservative, then it will generate too many false positives (a false alarm) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic change, then too little alerts will be generated and the analyst will again ignore it.

Misuse detection describes attacks and flags them directly, using a database of known attack signatures and constantly tries to match the actual traffic against the database. If there is a match, an alert is generated. The database typically contains rules for:

1. Protocol Stack Verification– RFC’s, ping of death, stealth scanning etc..
2. Application Protocol Verification – WinNuke , invalid packets that cause DNS cache corruption etc.
3. Application Misuse – misuse that causes applications to crash or enables a user to gain super user privileges; typically due to buffer overflows or due to implementation bugs.
4. Intruder detection. Known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on default port is 31337
5. Extrusion detection. Detect unauthorized network transfer of data according to the content itself – for example by file types, compound regular expressions, linguistic and/or statistical content profiling. Extrusion detects functions at a much higher level than an IDS/IPS – since it needs to understand file formats and analyze the actual content such as Microsoft Office attachments in a Web mail session as opposed to doing simple pattern matching of an http request string.

Using a burglar alarm model, the analyst must have deep understanding of her network and what should not happen with it. She builds rules that model how the monitored network should work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the model. The advantage of the burglar alarm model is that a good network administrator can leverage knowledge of servers, segments and clients (for example a Siebel CRM server which is a client to a Oracle database server) in order to focus-in and manage-by-exception.

Prevention

Anomaly detection is an excellent way of identifying network vulnerabilities but a user cannot prevent data breach events based on general network anomalies such as usage of anonymous ftp. When it comes to prevention there is also a fundamentalproblem with misuse detection. If misuse is detected then unless the event can be prevented (either internally with a TCP reset, blocking inline or by notifying the router or firewall) – then the usefulness of the devices is limited to forensics collection. An additional hurdle to overcome in the area of prevention of data breach events is performance. The widespread usage of load balancers and multiple IDS servers will not work since packets that compose a client-server application session may be spread over multiple servers and it will be impossible to prevent data leakage since no single server has a complete picture of the entire session.

Management – event analysis and reporting

A SIM (or security information management) system consolidates reporting, analysis, event management and log analysis.There are a number of dedicated tools in this category, Net Forensics is one, but the direction appears to be that the content monitoring system will include its own analytical database of events due the specialized nature of content monitoring and filtering. Note that the management sub-system itself does not perform detection or prevention functions – it manages and receives reports from other system components. A typical architecture has a central SIM (management console) and multiple / distributed sensors that feed events (not raw traffic) into the SIM.

I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What should you do?

Consider the three basic tenets of IT Security

1. Network Security is Warfare, if its “kill or be killed” in the sales department, then why not in IT Security?
2. Most of your information security strategy is reactionary with “Penetrate and Patch” methods
3. Few implementations address the collection of information about attackers

The key Elements in Information Security Strategy

Stop reacting and go back on the offensive, with a proactive security strategy based on control, collection, capture and change:

Control: Managing the access of information to and from the network and systems.
Collection: Gathering information about user habits and systems behavior.
Capture: The capture of information from anomalous events on the network.
Change: Adapt the security posture to meet new situations.

By basing both defensive and offensive tactics on these four strategic elements, you can poractively control who accesses your network, collect information about abnormal transactions, capture anomalous events, and adapt your security posture to meet changing situations.
Traditional Information Security Tactics are Defensive

* Backups
* IDM – Identity Management
* Network Access Control using firewalls/routers
* Host Access Controls
* Intrusion Prevention Systems/Intrusion detection systems
* Inbound content filtering for abusive/malicious content

Offensive Information Security Tactics

* Attacking and auditing your own systems.
* Proactive response to attacks.
* Extrusion prevention
* Honey Pots and Honey Nets.

I’d like to thank Chris Neitzert (Chris[at]Neitzert[dot]com) for his ideas on improving IT security with both offensive and defensive tactics. Download Chris’ well-written article at: Guerilla Anti-Penetration Tactics