Real World Security Threats: The Anatomy of a Hack

By Daniel V. Hoffman, CISSP, CWNA

CONTENTS

Introduction
Understanding the Threats to Your Mobile Workforce
    Threat #1: Sniffing
    Threat #2: Malware
    Threat #3: Direct Attack
Anatomy of a Hack Video Companion Guide
In Summary
Robust Mobile Workforce Solutions from Fiberlink

© 2005 Fiberlink Communications, Corp.



Introduction

The increasing mobility of the enterprise workforce poses significant security challenges for global enterprises. With mobile workers accessing corporate resources from a variety of networks, including Wi-Fi hot spots, hotel broadband, and home broadband, the need for a comprehensive mobile workforce security strategy is no longer an option, it’s a necessity.

Today’s mobile workforce no longer just refers to road warriors like traveling salespeople and business executives. Mobile technologies have given companies the flexibility to deploy workers in ways that allow the company to meet new business challenges and increase productivity, posing a new series of security challenges for IT. It’s inevitable that keeping mobile devices connected often increases your company’s exposure to Internet-based security threats.

The inherent complexity of the mobile workforce, emerging new security threats, and tightening security resources leave many security managers wondering where they should turn to protect their networks. Easier said than done, since ensuring mobile endpoint device compliance with corporate security policy is an extraordinary challenge.

According to a study of more than 8,200 IT security professionals from 62 countries, companies experienced an average of 824 security incidents or events over the past 12 months, with the majority of these events being the result of malicious code or unauthorized entry to information assets.1 (The State of Information Security, 2005, CIO Magazine and PWC)

Live Hacking Demonstration

Fiberlink has developed an on-demand video demonstration to accompany this guide. In it you can watch Fiberlink system engineer and mobile workforce security expert, Daniel V. Hoffman (CISSP, CWNA), show how a hacker can take complete control of a mobile endpoint system without the proper security protection and attack it. Hoffman reviews the more commonly used steps and procedures that hackers use to access mobile endpoint systems, and ultimately the corporate network.

Hopefully, this guide and its accompanying video demonstration will leave you with a better understanding of:

• Common security risks and vulnerabilities that threaten today’s mobile workforce;
• Techniques, skills and tools used by hackers to exploit vulnerabilities on mobile endpoint systems;
• Best practices and essential tools necessary to help protect your endpoints and corporate resources from attacks.

Understanding the Threats to Your Mobile Workforce

Prior to implementing a comprehensive mobile workforce solution, it is important to understand the risks that threaten your mobile workers every day. The threats fall mainly into three categories: network sniffing, malware and direct attacks.

Below, you will find descriptions of each threat, and some examples of best practices for how to protect your enterprise against that specific form of attack.

Threat #1:
Sniffing – a technique for capturing network traffic. Sniffing can be used legitimately or illegitimately to capture data being transmitted on a network.2

Mobile workers using mobile endpoint devices that are not compliant with corporate security policies are highly susceptible to the threat of data sniffing. Sniffing falls into two fundamental categories:

Credentials “Sniffing”: As enterprises continue to adopt a model of using a single, unified client application to enable multiple forms of connectivity, including dial-up, wireless, and broadband, there are also certain advantages from a security perspective. With a single client comes the advantage of having authentication for all transports proxied back to a central location, commonly the corporate network.

However, along with these advantages also comes risk. Frequently, the authentication credentials are the same as the mobile user’s network credentials, or have significant value to the end-user and/or the enterprise. Consequently, it is very important to ensure that credentials are protected during the proxy process. With standard RFC Compliant RADIUS Proxy (a commonly used authentication protocol), the username is always sent “in-the-clear” and the password is hashed with MD5, then un-hashed and re-hashed on each RADIUS server that the credentials pass through.

In order to maintain the integrity of the credentials, a truly secure solution must encrypt both the username and the password using 256-bit AES (Advanced Encryption Standard) on all forms of connectivity. This form of end-to-end credentials encryption provides significantly greater protection from sniffing than RFC Compliant RADIUS Proxy.

Fiberlink Extend360™ uniquely provides end-to-end encryption of all end-user credentials information, such as user IDs, passwords and other personally identifiable data.
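The credentials-sniffing passage above says a standards-compliant RADIUS proxy sends the username in the clear and MD5-protects the password, undoing and redoing that protection on every server the request passes through. The following Python is an added example, not Fiberlink’s code nor any RADIUS implementation’s: it implements the User-Password hiding of RFC 2865 section 5.2 (the padded password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, which is the “hashing” the page refers to) and then walks one request through a NAS-to-proxy-to-home chain to show that every hop must recover the plaintext password before re-hiding it under the next link’s secret, while the User-Name is never protected at all. The usernames, passwords and shared secrets are constructed values.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding per RFC 2865 section 5.2 (what a RADIUS client sends on the wire)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a multiple of 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()    # b_n = MD5(S + c_{n-1}), c_0 = RA
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                                        # chain on the previous ciphertext block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext; every RADIUS server on the path has to do this to verify or forward."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def simulate_proxy_chain(username: bytes, password: bytes, link_secrets: list) -> list:
    """Walk an Access-Request NAS -> proxy ... -> home server.

    link_secrets[i] is the shared secret of link i. Returns, for every receiving server,
    what it holds after processing the request: the User-Name (sent in the clear on every
    link) and the password it recovered.
    """
    seen = []
    authenticator = os.urandom(16)                          # fresh Request Authenticator per request
    hidden = hide_password(password, link_secrets[0], authenticator)
    for i in range(1, len(link_secrets)):
        # The proxy terminates link i-1: it must recover the password before it can re-hide it
        # under link i's secret and a new Request Authenticator of its own.
        plain = reveal_password(hidden, link_secrets[i - 1], authenticator)
        seen.append({"hop": f"proxy{i}", "username": username, "password": plain})
        authenticator = os.urandom(16)
        hidden = hide_password(plain, link_secrets[i], authenticator)
    final = reveal_password(hidden, link_secrets[-1], authenticator)
    seen.append({"hop": "home", "username": username, "password": final})
    return seen


if __name__ == "__main__":
    # Constructed values: one proxy between the NAS and the home server.
    for hop in simulate_proxy_chain(b"alice", b"Pa55word", [b"nas-proxy-secret", b"proxy-home-secret"]):
        print(hop["hop"], "sees user", hop["username"], "and password", hop["password"])
```

The defender’s takeaway matches the page: each proxy is a place where both credential values exist in the clear, so the exposure is set by the protection of every proxy host and shared secret on the path, or avoided by carrying the credentials inside an end-to-end encrypted channel as the text recommends.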


Data “Sniffing”: Data is under constant attack from a growing number of sources. With an increasing number of mobile workers using public Wi-Fi and hotel broadband networks, the threat of hackers sniffing application traffic exists.

In virtually all cases, public Wi-Fi and hotel broadband locations do not offer any form of inherent encryption for data leaving a system on these networks. At the same time, these networks are readily available to a number of simultaneous users. The best way to protect against the sniffing of data is to ensure that a VPN tunnel is active throughout the life of the public Wi-Fi and hotel broadband network connection. In addition, disabling split-tunneling will ensure that all data leaving the mobile system will be encrypted via the VPN client, which commonly uses DES, 3DES or AES encryption.

Threat #2:
Malware (Malicious Software): software designed to destroy, aggravate and otherwise do harm to a computer. Malware includes computer viruses, worms, Trojans, and expanded threats like spyware, adware, and joke programs.2

Deploying Security Software Alone is Not Enough

No single tool will solve all your security problems. In order to effectively manage the security of your mobile endpoint systems and corporate network, enterprises need integrated systems.

Anti-Virus Protection. When it comes to malware, people typically think of viruses. And erroneously, most IT managers believe that deploying a standard anti-virus software solution will protect the enterprise against the universe of malware threats. In reality, it is not enough to just deploy anti-virus software for your mobile workers. For an anti-virus solution to be effective, the software needs to be running and the virus definitions and signatures need to be up-to-date on each mobile endpoint device. With new malware threats being identified daily, this can present a significant challenge.

Two-thirds of IT professionals and security administrators say spyware is the top network security threat of 2005. Viruses (23 percent) and Phishing (10 percent) were the next most popular threats. (Watchguard, 2005).3

Anti-Spyware Protection. In addition to anti-virus protection, the deployment of anti-spyware applications should not be forgotten as part of a comprehensive security strategy. Spyware installs itself without warning, opens dangerous security holes and reinstalls itself after it’s been deleted. The worst of these programs allow online criminals to hijack users’ sensitive personal information at will. Keeping anti-spyware applications running and current on mobile endpoints is as important and as challenging as it is for anti-virus software.

Personal Firewall Protection: Anti-virus and anti-spyware applications are not sufficient on their own. A third tool that is equally important in combating malware is a properly configured, enterprise-grade personal firewall with IDS/IPS capability. Enterprise-grade personal firewalls with IDS/IPS capability are able to perform zero-day protection, where malicious behavior can be intelligently identified and stopped as it is occurring. Alone, anti-virus and anti-spyware are unable to stop behavior as it is occurring because they are reactive in nature. This means that definition files are only updated once a piece of malware has been identified as a threat by the various anti-virus and anti-spyware vendors.

Patch Management Protection: An important element of a comprehensive corporate security strategy, and until recently an often-overlooked means of mitigating risk from malware, is an effective system for patching mobile endpoints. It is essential that all endpoints have the latest operating system and application security patches and that the mobile system is properly configured from a security perspective. Without the latest patches and proper configuration, malware will often take advantage of system and application vulnerabilities that would not be present if the mobile endpoint were properly patched.

“…more than one in four impacted companies were hit by (the) Zotob (virus) because no firewall was in place or firewall policies were incorrectly set.” (TechWeb News, 10/26/2005).4

Just When You Think You’re Covered

There is always risk that certain malware will disable the security applications that enterprises have put into place to protect endpoint systems. Therefore, it is important to run frequent checks and scans to ensure that all security applications are up-to-date and running. If during the scan endpoint vulnerabilities are identified, the suspected machine or machines should be deemed “out of compliance” and denied access to the Internet and/or the corporate network until the deficiency is remediated.

According to Trend Micro, most malware programs (as observed in the majority of 2004 bot programs) will continue to employ anti-antivirus and anti-security routines to ensure infection, requiring the use of system cleaning services to ease the impact on system security.5

The logic for vulnerability scans and remediation should reside on the mobile endpoint, as today’s systems need to be in compliance with security policies at all times. In the past, enterprises have relied upon VPN concentrators or NAC (Network Access Control)-type functionality to check the security posture of the mobile endpoint as it is gaining access to the corporate network. With today’s mobile workers potentially spending more time directly connected to the Internet than connected via an active VPN session to the corporate network, this method of checking the state of the system’s security posture is inadequate.

What percentage of your users are in compliance with your information security policies?1
North America: 74%
South America: 60%
Europe: 63%
Asia: 66%
Middle East: 54%
(The State of Information Security, 2005, CIO Magazine and PWC)

Threat #3:
Direct Attack – an assault against a computer system or network as a result of deliberate, intelligent action.2

The most malicious form of attack is a direct attack on the network. This type of attack is most dangerous because it entails a hacker using their cognitive skills to exploit a mobile system, leaving it vulnerable for attack in the future by widespread vulnerabilities. In this case, the hacker can also consciously dissect and analyze data on the mobile system.

Some Best Practices to help protect against a direct attack include:

Personal Firewalls, Anti-Virus, Anti-Spyware. Not unlike other threats, the importance of security applications being up-to-date, properly configured, and always running on mobile endpoint devices is crucial in helping prevent a direct attack. As stated in the section on malware, the use of personal firewalls not only prohibits a hacker from accessing the mobile endpoint system, but it also provides stealth capabilities that help make the endpoint invisible to scans that may be run by a hacker.

In addition, outdated anti-virus and anti-spyware applications will not provide protection against newly developed malware. Commonly, a hacker will place malware on a victim’s machine to either further exploit the machine, or to provide a means to exploit it in the future. An endpoint that is in compliance with corporate security policy and is able to constantly scan for the existence of malware will be able to detect when a hacker attempts to place malware on a mobile endpoint, and perform the necessary actions to address the threat.

Real-Time Remediation. Mobile endpoint systems that have up-to-date security patches and are configured properly help protect your corporate network from attack. Hackers gain direct access to mobile endpoints by running exploits that take advantage of vulnerabilities on mobile systems that would not exist if the systems were properly patched and configured in the first place.

Most patching systems and solutions available today simply quarantine infected machines versus providing a means to remediate the mobile system by pushing, in real-time, necessary patches or configurations to the system when the endpoint is not connected to the corporate network, or connected to the corporate network with a VPN.

Extend360™ provides an enforcement capability that prohibits an end-user from surfing the Internet or connecting to the corporate network if the mobile endpoint system is not up-to-date and properly configured with security patches. More importantly, it also provides the capability of remediating the vulnerable system by pushing the necessary update or configuration change anytime the system is connected to the Internet, but not the corporate network. The ability to remediate in real-time inevitably increases mobile user productivity.


Anatomy of a Hack Video Companion Guide

Step-by-Step Hack of a Mobile Endpoint Device

1) Footprinting and Scanning – The first step in attacking a mobile endpoint is finding a live system. There are many tools available on the Internet to search for live targets. The one used in this demonstration is Foundstone’s SuperScan.

How to Protect
• Your best means of protecting mobile systems from being seen during a scan is to run fully operational enterprise-grade personal firewall software on each mobile endpoint.

2) Enumeration – Once a target is found, more information needs to be uncovered to determine the best approach for exploiting the target system. Like scanning tools, there are many enumeration tools available for free use on the Internet.

How to Protect
• Ensure that the mobile operating system is properly patched and configured, so that information is not accessible through the “back door” of the corporate network.
• Employ fully operational enterprise-grade personal firewalls on mobile endpoint devices.

3) Launching an Attack – Once a live system is found through scanning and information is gathered through enumeration, a direct attack can be launched against the system.

How to Protect
• Make sure your mobile endpoint systems have the latest operating system and application security patches.
• Employ fully operational enterprise-grade personal firewalls on mobile endpoint devices.
• Ensure anti-virus and anti-spyware software is running, up-to-date, and utilizing real-time scanning. It is a common tactic for hackers to place Trojans and other malware on hacked systems. Real-time scanning programs will help catch malware as it is being transferred to the hacked machine.

4) Leaving the Mobile System Vulnerable to an Attack – Once a hacker has exploited the system, he or she will commonly take steps to leave it vulnerable to future attacks. This can be done by installing a Trojan or remote control software, or installing a key logger that routinely sends all keystrokes from the system, etc.

How to Protect
• Ensure enterprise-grade personal firewalls are running, properly configured and up-to-date in order to stop a mobile intrusion, and sense when malicious activities are taking place.
• Anti-spyware and anti-virus applications that are running and up-to-date are also able to find malware and address information left behind to further exploit the system.

In Summary: Ten Things You Can Do to Protect Your Enterprise from a Hacker

1. Deploy properly configured enterprise-grade personal firewall with IDS/IPS component;
2. Ensure anti-virus and anti-spyware agent software is active and up-to-date;
3. Make certain your mobile system is updated with the latest operating system and application security patches;
4. Only run a mobile system that is properly configured against vulnerabilities and configured to prevent disclosure of sensitive system configuration information;
5. Establish a means to provide authenticated and encrypted access to corporate resources, such as an IPSec or SSL VPN;
6. Lock down a process that requires end-users to utilize stronger and fresher passwords for authenticating to corporate resources (non-dictionary, combination of alpha-numeric, possibly two factor);
7. Set policies that disallow mobile access credentials from being stored in cache locally on the mobile workstation;
8. Configure endpoint machines so that local users do not have the ability to disable security components of the mobile workstation;
9. Ensure you have a means to easily report that all mobile endpoints are in compliance with corporate security policies at any given time;
10. Require an endpoint agent to ensure that all security applications are active, up-to-date, and have the ability to automatically remediate deficiencies, while prohibiting access to corporate resources. Quarantining, security application enforcement and remediation should not be dependent upon physical or VPN access to the corporate network.
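The “Just When You Think You’re Covered” and “Real-Time Remediation” passages and the ten-point summary above describe one control loop: an agent on the endpoint evaluates the machine against policy, declares it “out of compliance” when a security application has been stopped, definitions are stale, a patch is missing or a setting such as split tunneling or local credential caching violates policy, cuts corporate and Internet access while that is so, and remediates over whatever connection is available before re-checking. The following Python is an added example of that loop, not Extend360’s code or data model; the policy thresholds, agent names, patch identifier, hostname and dates are constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed policy values and dates; a real agent would fetch policy from the enterprise
# and read the live state of the operating system instead of these records.
TODAY = date(2005, 11, 1)
MAX_DEFINITION_AGE = timedelta(days=3)
REQUIRED_AGENTS = ("personal_firewall", "anti_virus", "anti_spyware")


@dataclass
class Agent:
    running: bool
    definitions_date: date            # signature / rule set date reported by the product
    user_can_disable: bool = False    # a local user could stop it (summary item 8)


@dataclass
class Endpoint:
    hostname: str
    agents: dict                      # agent name -> Agent
    missing_critical_patches: list    # identifiers reported by the patch scan
    split_tunneling_enabled: bool
    credentials_cached_locally: bool


@dataclass
class Finding:
    check: str
    detail: str
    action: str                       # "kind:argument", a remediation the agent performs itself


def evaluate(ep, today=TODAY):
    """Compare the endpoint's state against policy; an empty list means in compliance."""
    findings = []
    for name in REQUIRED_AGENTS:
        agent = ep.agents.get(name)
        if agent is None or not agent.running:
            findings.append(Finding(name, "not running", f"restart:{name}"))
            continue  # its definitions are re-checked once it is running again
        if today - agent.definitions_date > MAX_DEFINITION_AGE:
            findings.append(Finding(name, "definitions out of date", f"update_definitions:{name}"))
        if agent.user_can_disable:
            findings.append(Finding(name, "local user may disable it", f"lock_config:{name}"))
    for patch in ep.missing_critical_patches:
        findings.append(Finding("patching", f"missing {patch}", f"push_patch:{patch}"))
    if ep.split_tunneling_enabled:
        findings.append(Finding("vpn", "split tunneling enabled", "push_config:disable_split_tunnel"))
    if ep.credentials_cached_locally:
        findings.append(Finding("credentials", "credentials cached locally", "push_config:clear_credential_cache"))
    return findings


def access_decision(findings):
    """Out of compliance: tear down the VPN and block general Internet use, keeping only the
    channel through which patches, definitions and configuration changes are pushed."""
    compliant = not findings
    return {"corporate_network": compliant, "internet": compliant, "remediation_channel": True}


def remediate(ep, findings, today=TODAY):
    """Apply each finding's action to a copy of the state (simulated; a real agent acts on the OS)."""
    agents = {k: replace(v) for k, v in ep.agents.items()}
    patches = list(ep.missing_critical_patches)
    split, cached = ep.split_tunneling_enabled, ep.credentials_cached_locally
    for f in findings:
        kind, _, arg = f.action.partition(":")
        if kind == "restart":
            agents[arg] = replace(agents.get(arg) or Agent(False, today), running=True)
        elif kind == "update_definitions":
            agents[arg] = replace(agents[arg], definitions_date=today)
        elif kind == "lock_config":
            agents[arg] = replace(agents[arg], user_can_disable=False)
        elif kind == "push_patch":
            patches.remove(arg)
        elif arg == "disable_split_tunnel":
            split = False
        elif arg == "clear_credential_cache":
            cached = False
    return replace(ep, agents=agents, missing_critical_patches=patches,
                   split_tunneling_enabled=split, credentials_cached_locally=cached)


def enforce(ep, today=TODAY, max_rounds=3):
    """Evaluate, remediate and re-evaluate until compliant or the round limit is reached.
    Returns (final state, remediation rounds used, access decision)."""
    rounds, findings = 0, evaluate(ep, today)
    while findings and rounds < max_rounds:
        ep = remediate(ep, findings, today)
        rounds += 1
        findings = evaluate(ep, today)
    return ep, rounds, access_decision(findings)


def sample_endpoint():
    """Constructed laptop: malware stopped the firewall, anti-virus definitions are stale, one
    critical patch (placeholder identifier) is missing and split tunneling was left enabled."""
    stale = TODAY - timedelta(days=10)
    return Endpoint("laptop-example",
                    {"personal_firewall": Agent(False, stale), "anti_virus": Agent(True, stale),
                     "anti_spyware": Agent(True, TODAY)},
                    ["PATCH-PLACEHOLDER-001"], split_tunneling_enabled=True,
                    credentials_cached_locally=False)
```

Running `enforce(sample_endpoint())` takes two rounds: the first restarts the firewall, refreshes the anti-virus definitions, applies the patch and disables split tunneling; the second catches the firewall’s own stale rule set, which could not be checked while it was stopped. Only then does `access_decision` reopen the corporate network, and the decision never depends on the endpoint being on the corporate LAN or inside a VPN session, which is the page’s point about remediating over any Internet connection.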


PROTECT YOUR ENTERPRISE FROM AN ATTACK WITH ROBUST MOBILE WORKFORCE SECURITY SOLUTIONS FROM FIBERLINK

Fiberlink mobile workforce solutions eliminate the need to rely on a piecemeal strategy for mobile working because they bring together everything you need to protect, connect, and control the mobile enterprise. Fiberlink solutions combine a world-class collection of transport options with the industry’s most robust security measures to keep mobile workers fully productive while protecting mission-critical assets. Fiberlink solutions also provide the industry’s most comprehensive set of administrative tools enabling IT managers to efficiently push policy and security software updates to mobile workers throughout the enterprise.

Extend360™ (e360) is Fiberlink’s proprietary, software-based service designed to keep mobile workers protected and connected while working outside of the traditional office setting – utilizing a single client interface.

At the core of Extend360 is an enterprise vulnerability management (EVM) security service designed to secure the mobile endpoint from unwanted intruders and hackers and ensure the highest levels of “always-on” protection for your mobile workforce. This service consists of an EVM agent that provides continuous assessment of the mobile endpoint from system start-up to shutdown – proactively identifying and remediating vulnerabilities as they occur. Services offered under the EVM suite include patch management, anti-virus, anti-spyware, managed personal firewalls and managed IPSec and SSL VPNs.

Fiberlink rounds out its mobile workforce solution suite with a single interface for one-click connectivity to a variety of transport options that include Wi-Fi, hotel broadband, wide area wireless (CDMA/EV-DO), dial-up, ISDN, PHS, etc.

With mobile workforce solutions from Fiberlink, it’s never been easier for organizations of any size to deliver a full 360° of productivity, protection, and control.

Mobile Endpoint Compliance and Remediation

Extend360™ can ensure that enterprise mobile systems are up-to-date with security patches, configured properly and that all required security programs such as personal firewalls, anti-virus and anti-spyware, etc. are operating. If a system does not meet the customized security policy criteria established by the enterprise, Internet access can be disabled, VPN sessions can be torn down and Extend360 can remediate the security deficiency by pushing down applicable patches and configuration changes, or by restarting the security application that has become disabled. Remediation can be accomplished anytime the mobile system is turned on. Pushing patches and configuration changes can be done anytime the system has access to the Internet, NOT only when there is an active VPN session to the corporate network.

Managed Enterprise-Grade Personal Firewall

Fiberlink’s integrated personal firewall & intrusion detection solution actively inspects all traffic going into – and out of – the computing device, searching for any suspicious or hostile activity. It prevents outside agents from compromising the mobile worker’s system, keeping your corporate network safe and your mobile workforce productive.

Fiberlink offers ISS’ RealSecure Desktop Protector as a turn-key managed service. In addition to inbound blocking of application ports, protocols, and IP addresses, the service supports a firewall feature known as “outbound blocking.” If a worm infects a workstation, outbound blocking will prevent it from propagating further or delivering proprietary information back to the attacker. Outbound blocking can also prevent mobile workers from running applications like peer-to-peer or instant messaging programs that are notorious for their security shortcomings.

Outbound blocking can also be used to prevent malicious activity from hackers that use Trojans. By piggybacking on an open inbound port, even where there’s already a restrictive inbound policy enforced, hackers can use Trojan modules to steal information or remotely control the mobile device. With outbound blocking, the desktop agent can isolate the infected device more effectively and prevent the hacker from receiving confidential information being transmitted from the Trojan module.
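The outbound-blocking passage above describes a host firewall that also judges connections the endpoint initiates, so that a worm cannot spread and a Trojan module cannot deliver data back out even when the inbound policy was already strict. The following Python is an added example of such a policy engine, not RealSecure Desktop Protector’s rules or syntax: a default-deny allowlist keyed on process and destination port, an application block list for the peer-to-peer and instant-messaging programs the page mentions, and a fan-out counter on file-sharing ports that marks worm-like scanning. The process names, addresses and the connection log it runs over are constructed.

```python
from collections import defaultdict

# Constructed policy. Default deny outbound; only these (process, destination port) pairs may
# open connections. Process and port names are placeholders, not any vendor's rule syntax.
ALLOW_OUTBOUND = {
    ("vpnclient.exe", 500), ("vpnclient.exe", 4500),   # IPsec IKE and NAT-T
    ("browser.exe", 80), ("browser.exe", 443),
    ("av_updater.exe", 443),
    ("explorer.exe", 445),                             # SMB to corporate file servers
}
BLOCKED_APPS = {"p2pclient.exe", "imclient.exe"}       # blocked outright by enterprise policy
SCAN_PORTS = {135, 139, 445}                           # ports worms typically probe
FANOUT_LIMIT = 5                                       # distinct hosts per (process, port) before alarm


def decide(event, fanout):
    """Return (verdict, reason) for one outbound attempt; `fanout` tracks distinct destinations."""
    proc, port, dst = event["process"], event["dst_port"], event["dst"]
    if proc in BLOCKED_APPS:
        return "deny", "application blocked by policy"
    if port in SCAN_PORTS:
        fanout[(proc, port)].add(dst)
        if len(fanout[(proc, port)]) > FANOUT_LIMIT:
            return "deny", "worm-like fan-out"      # even an allowlisted pair is cut off here
    if (proc, port) in ALLOW_OUTBOUND:
        return "allow", "allowlisted"
    return "deny", "default deny"                   # e.g. a Trojan module calling home


def apply_policy(events):
    """Run the policy over a sequence of attempts; returns (event, verdict, reason) per attempt."""
    fanout = defaultdict(set)
    return [(e, *decide(e, fanout)) for e in events]


def fanout_offenders(results):
    """Processes that tripped the fan-out rule; the agent should isolate the device, not just drop."""
    return {e["process"] for e, _verdict, reason in results if reason == "worm-like fan-out"}


def sample_events():
    """Constructed connection log: normal traffic, a blocked IM client, an unknown process
    beaconing out, then one process sweeping port 445 across seven internal hosts."""
    events = [
        {"process": "browser.exe", "dst": "203.0.113.10", "dst_port": 443},
        {"process": "vpnclient.exe", "dst": "198.51.100.1", "dst_port": 4500},
        {"process": "imclient.exe", "dst": "203.0.113.20", "dst_port": 5222},
        {"process": "unknown_svc.exe", "dst": "203.0.113.30", "dst_port": 6667},
    ]
    events += [{"process": "explorer.exe", "dst": f"10.0.0.{i}", "dst_port": 445} for i in range(1, 8)]
    return events


if __name__ == "__main__":
    results = apply_policy(sample_events())
    for e, verdict, reason in results:
        print(f"{e['process']:16} -> {e['dst']}:{e['dst_port']:<5} {verdict:5} ({reason})")
    print("isolate device because of:", fanout_offenders(results))
```

Two of the page’s claims show up directly in the output: the beacon from `unknown_svc.exe` is dropped by the default-deny rule without any knowledge of the Trojan itself, and the file-share sweep is allowed for the first five hosts (normal use) but cut off and escalated to isolation once the fan-out exceeds the limit, which is how outbound blocking stops propagation rather than merely logging it.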


Managed Anti-Spyware and Anti-Virus

Fiberlink also integrates a turn-key anti-spyware solution that utilizes Computer Associates’ PestPatrol technology. With 1 in 15 corporate laptops being infected with spyware system monitors, such as key loggers, an enterprise-wide anti-spyware solution has become a requirement for global enterprises.6

The anti-spyware managed service, leveraging the EVM agent and infrastructure, will detect and remove spyware from the endpoint in addition to providing the necessary definition updates for the anti-spyware application.

Fiberlink also provides up-to-the-minute version control of integrated anti-virus technologies, ensuring that your mobile workforce is fully covered by the latest versions of our partners’ virus protection. When updates become available, we install them automatically.

Fiberlink can monitor your anti-virus and anti-spyware software in much the same manner it monitors the personal firewall. Fiberlink’s integration of leading personal anti-virus and anti-spyware products ensures that virus protection and anti-spyware software is active and properly configured. Based on the security policies set by IT, we can admit or restrict mobile user access to the Internet or corporate network based on whether or not that user’s endpoint is compliant. If an updated version of software is required, Fiberlink will push the upgrade out to the endpoint before allowing access to the corporate network. This process is seamless and unobtrusive to the end-user.

Customer Control

Business intelligence and reporting are critical to every business and Fiberlink delivers this via its Customer Resource Center (CRC). The CRC provides secure access to support and services, documentation, reporting such as CostView, ConnectView, usage reports, managed services reports, security services reporting, account administration and downloads.

360° of Productivity, Protection and Control

Fiberlink mobile workforce solutions combine a full range of professionally managed enterprise security services and a full suite of connectivity options, resulting in a comprehensive solution that simultaneously empowers mobile workers, and the IT managers who seek to enforce compliance with corporate policies within and beyond the traditional enterprise perimeter.

To view the live demonstration, The Anatomy of a Hack, use the link below:
http://www.demosondemand.com/clients/fiberlink/002/page/index_new.asp

Fiberlink has been recognized by Gartner as a leader in their 2005 Magic Quadrant for U.S. Managed Remote Access and Mobility Services.

Sources:
1. The State of Information Security, 2005, A Worldwide Study Conducted by CIO Magazine and PricewaterhouseCoopers
2. Definitions from SearchNetworking.com
3. Watchguard Technologies, February 2005 (http://www.csoonline.com/metrics/viewmetric.cfm?id=775)
4. TechWeb News, October 26, 2005 (http://www.techweb.com/wire/172900645)
5. Trend Micro 2004 Roundup (http://www.trendmicro.com.au/global/products/collaterals/white_papers/2004annual_roundup_final.pdf)
6. “State of Spyware,” Webroot, November 2005 (http://www.webroot.com)

Real World Security Threats: The Anatomy of a Hack video demonstration and companion guide is published by Fiberlink Communications Corporation, 1787 Sentry Parkway West, Building 18, Suite 200, Blue Bell, PA 19422. Please direct inquiries to Kristen Muckleroy at 215-664-1690 or [email protected].
