The Changing Network Perimeter
Traditionally, the network perimeter was the first and primary line of defense from outside, untrusted networks and devices. It was the first and last point of contact for security defenses protecting the network and usually consisted of one or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred to as the demilitarized zone (DMZ). When networks were relatively static and unchanging, the perimeter was the gateway to the outside world and, conversely, the outside world’s gateway to an organization’s network.
Everyone is familiar with attacks that originate from outside the network perimeter, but security threats to networks no longer come only from outside. While still necessary, protecting the perimeter is not sufficient to conform to security best practices. Because traditional perimeter security systems must allow for a wide range of network traffic through firewalls, sophisticated hackers have discovered ways around them. While firewalls can block certain types of unauthorized network connections and traffic, they have little effect on attacks that may be embedded within web site traffic, peer-to-peer applications or even more deceptive types of attacks. Many recent worms have been effective at subverting firewall and antivirus solutions because they hide within legitimate network traffic and sometimes trick end users into assisting in their propagation.
Today, networks are much more porous, as a result of wireless, VPN and dial-up access. Peer-to-peer messaging, music- and file-sharing programs connect individual desktop computers to open virtual networks that pass unabated through the perimeter defenses surrounding most networks, such as firewalls, antivirus and other security defenses. As a result, organizations have been forced to rethink their approach to network security, which now includes all endpoint devices connecting to the network—externally and internally.
The Rise of Internally Launched Attacks
Although much of the industry is still focused on external hacks, internal threats are on the rise and need to be taken into account. International Data Corporation (IDC) estimates that more than 60 percent of all serious threats (i.e., a threat that damages revenue generation, decreases profitability, lowers worker productivity, violates intellectual property, breaches regulatory compliance or endangers customer trust) come from internal sources, including employees, contractors, consultants, systems integrators, partners, distributors and even customers who have privileged access to a corporation’s resources.
IT departments should expect that the next worm to attack the network could come from someone within the organization. Because insiders have established a certain degree of trust, they already have legitimate access to corporate resources. That is not to say that such an attack would be intentional or that the employee would even be aware of what was happening. Regardless, the likelihood of being attacked from inside the network has increased dramatically.
Most businesses have suffered financial losses from worms, Trojan horses, viruses and spyware. An Aberdeen Group study shows that revenue losses attributed to Internet-based business disruptions now average US $2 million per incident, with almost one business disruption incident per organization per year. Midsized businesses (revenues of US $500 million) experience a loss rate of more than US $335,000 per incident. Even small businesses (US $10 million in revenue) feel this impact, with losses averaging US $6,700 per incident.
Many of these Internet-based business disruptions result from attacks that originate inside the network. It is becoming common for organizations to fall victim to internal attacks launched from visitor laptops (those of contractors, vendors or business partners), machines connecting through VPN or modems, wireless devices or employee desktop computers. These are referred to as endpoints, and it is the dirty little secret of network security that endpoint devices are not really secure.
Attackers are increasingly taking advantage of these unsecured endpoints. Many of the worms and Trojan horses and much of the spyware attest to this shift in the nature of attacks. Network and security administrators are grappling with exploits such as Download.Ject that take advantage of browser deficiencies. At the same time, they are deluged by the many variants of MyDoom, Beagle, Sasser, Netsky, Sober, Sobig, Phatbot, Witty, Blaster and many others.
Attacks Leveraging User Behavior
This shift toward exploiting the endpoint is somewhat of a natural progression. Historically, attackers have sought to exploit operating system or application software that contains vulnerabilities or is improperly configured. Many of the commonly deployed security defense systems are directed at preventing such attacks by blocking malicious traffic or reporting known vulnerabilities that need to be repaired.
More recently, attacks are increasingly leveraging end-user behavior. Many common—and even desired—end-user activities can be exploited to facilitate an attack. For example, attacks can be launched when the end user clicks a link on a web page or within an e-mail that appears to be legitimate. Successful attacks of this type bypass traditional defenses, such as firewalls and antivirus solutions, and give direct, immediate access to core network devices and other endpoints. By leveraging end users, attackers have an almost unlimited number of unsecured corporate and home computers by which to gain access to business and government networks.
How do the new worms and Trojans leverage the end user as part of the attack? In the case of MyDoom, malicious payload is delivered when end users open a zip file. Sober.D relies on end users clicking a link to download a security patch contained in what seems to be a security e-mail bulletin, thereby delivering the worm directly to end users’ devices.
Mobile and remote users pose as great a threat. Such users who have unknowingly compromised devices can get into the network via a virtual private network (VPN), dial in or connect their laptops to the LAN when returning to work and infect or reinfect the network. Visitors and contractors regularly connect to the network with their own endpoint devices and spread contamination through attacks present on their computers.
In these situations, attacks enter behind perimeter defenses and have a wide-open network on which to spread. Not only does this make it easier for attacks to enter the network, but frequently security administrators must respond to the same attack multiple times. Beefing up the defenses at the network perimeter does not necessarily decrease the likelihood of this type of attack occurring.
Antivirus and Firewalls Are Not Enough
Until recently, it was common for attacks directed at end users to be delivered as a virus within an e-mail. But the new generation of attacks leverages vulnerabilities, web sites and peer-to-peer applications as well. Even devices with up-to-date antivirus solutions are not protected from attacks exploiting these pathways.
Is better antivirus software needed? Are personal firewalls the solution? IT organizations are in a rush to determine what is required beyond these traditional solutions. Vendors argue that product upgrades, enterprise-managed versions of their product, and even OS upgrades that include antivirus and personal firewalls are the answer. But, it is not about locking down the endpoint device. It is about protecting the network. End users often knowingly or unknowingly disable security applications (such as antivirus or personal firewalls), neglect to install up-to-date security patches, improperly configure security settings, install restricted software (peer-to-peer, file sharing or instant messaging) or are subject to spyware contamination. All of these threats have historically been beyond the control of IT administrators.
Bottom line: one cannot assume users can secure their own devices; administrators must protect the network from all endpoints—foreign and domestic. In short, endpoint devices must be considered suspect, and administrators must regain control over them.
Protecting the Network Through Endpoint Compliance
Rethinking endpoint security means that the security of endpoint devices must be viewed from a network perspective. A new class of endpoint solutions works to protect the network from unsecured and unknown devices. This approach views all endpoint devices attempting to connect to and use the network as suspect.
Endpoint solutions protect against these dangers by prohibiting devices from accessing the network until they meet the necessary security requirements. These solutions test devices for compliance with the organization’s security policy in the areas of antivirus, personal firewall, patches, security settings, and required and restricted software. They also ensure that worms, Trojans, viruses or spyware have not already compromised the device. Devices that meet the security requirements are allowed access to the network and are then retested during their connection to ensure continued compliance. Those devices that fail compliance testing are quarantined, and their users are provided with direction and resources for updating the device with the necessary patches and security setting.
Endpoint compliance includes devices under the control of the organization, such as corporate desktops and laptops, as well as foreign endpoints that are not under the organization’s direct control. Foreign endpoints include laptops and desktops that may be brought into the organization by visitors, contractors or employees. Also, devices that the organization may never physically see, such as employees’ and contractors’ home computers and devices attaching to the network via WiFi, are considered foreign. While most IT shops tend to focus their efforts on securing corporate-owned endpoints, foreign endpoints and corporate-owned devices need to be part of any organization’s endpoint security program. In fact, foreign endpoints pose a greater risk than corporate-owned machines, because their security is unknown and likely to be inadequate or nonexistent.
Network endpoint compliance must be addressed from an external and internal perspective. The external perspective entails controlling the access of devices that connect to the network remotely, such as through a VPN, dial-up or WiFi. All external endpoints accessing the network should be tested prior to gaining full access to network resources. Noncompliant devices may receive only limited access through a quarantine policy, or may have no network access until they meet endpoint security requirements. For example, the IT administrators may not want people updating their home computers through the corporate VPN.
The internal perspective pertains to controlling the access of the devices that connect directly to the internal LAN. This includes devices at a central location as well as devices at smaller or remote offices. Similar to external machines, these devices should be cordoned off into a separate quarantine network with only the access necessary to receive virus definitions, update software or receive updates from a patch management solution.
Endpoint compliance means more than checking for the latest patches and antivirus files. Endpoint compliance requirements should include a wide range of security settings on the device. Examples of security requirements that should be considered for each endpoint include:
- OS updates, hotfixes and critical updates
- Windows automatic update settings
- Antivirus software installation and up-to-date virus definitions
- Personal firewall and up-to-date firewall rules
- Installed software, programs or services
- Registry entries
- Prohibited software, including peer-to-peer and spyware applications
- Application security settings, including macros
- Browser application, version and security settings
- Storing local credentials, such as user IDs, passwords and .NET credentials
Rolling Out Endpoint Compliance
There are three primary considerations when assessing endpoint compliance options:
|Is the organization seeking protection for corporate assets only, or does it also need protection from endpoints not under the control of the organization (i.e., foreign endpoints)?|
|Is the organization willing to take on the burden of installing or downloading agents on each endpoint, or does it require an agentless solution?|
|Does the organization want to enforce endpoint requirements only for software patches and antivirus software, or does it want to enforce a more comprehensive security policy? Many organizations need the flexibility to create security requirements beyond those that come out-of-the-box with most solutions.|
Although a number of options are available for securing internal endpoints, only a few focus on the foreign endpoint security problem. Almost all of these require the installation of an agent (similar to a personal firewall or VPN client) or are limited to Secure Socket Layer (SSL) web-page-based applications. It is not realistic, though, to assume the organization will have the resources or the level of control needed to install a client on every foreign device. Also, most organizations would prefer not taking on the administrative burden of supporting an agent regardless of whether the device is corporate owned or foreign.
A more recent development is agentless (also called clientless) endpoint security solutions that are network-based and do not require the download or installation of software on the endpoint device. Agentless solutions offer significant advantages over the agent-centric approach. Since no software runs on the endpoint, agentless options do not suffer the deployment problems or the increased administration that arise when software has to be installed and supported on each device. Software compatibility issues, upgrade deployment and support issues, and increased help desk calls are all avoided.
Clearly, the agentless approach offers a compelling answer to the problem of foreign endpoints as well.
To truly ensure that endpoints are secure, a solution should meet the following three requirements:
|Deliver a full suite of testing capabilities—Most endpoint security solutions check endpoints for the latest software patches and the presence of up-to-date antivirus signatures, but as discussed in the previous section, much more is required to truly ensure endpoints are secure.|
|Verify that harmful software does not reside on the device—Endpoint security solutions should proactively check endpoint devices to determine if any worms, Trojans or spyware have compromised them. Ultimately, this is what endpoint security is about.|
|Provide the ability to create custom tests—More advanced solutions have the capability to add user-created sets of endpoint tests, allowing one to check for requirements that may be unique to the organization.|
Network attacks have become much more widespread and damaging. Basic security measures that once sufficed, such as firewall, VPN and antivirus, are proving incapable of blocking today’s advanced threats. Furthermore, intrusions that once originated from outside the network perimeter are increasingly launched from within.
The dirty little secret in network security is that the endpoints are not secure, and hackers know it. Taking a network perspective to endpoint security is a fundamental requirement for any organization to effectively defend itself. Organizations cannot rely on the end user to keep the network safe, but they can require them to comply with their organization’s security policy before granting network access. While it is an unfortunate state of the security market, all endpoint devices must be treated as suspect to outsmart the hackers.
Mitchell Ashley is chief technology officer (CTO) at StillSecure, where he is responsible for the product strategy and development of the StillSecure suite of network security products. Ashley has more than 20 years of industry experience, holding leading positions in data networking, network security, and software product and services development. Ashley can be reached at firstname.lastname@example.org.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights res erved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2005