Data Integrity – The Unknown Threat
By Dwayne Melancon, VP of Services and Support Tripwire
Friday, 30 July 2004 07:07 EST
Much of the attention commanded by computer security issues focuses on threats from external sources. Firewalls and perimeter defense tools are deployed to deny unauthorised entry to the network. Experts look for vulnerabilities and ways to ensure that the perimeter cannot be breached.
Administrators monitor network traffic for unusual activities and anomalies, and it is common for users to be warned against suspicious email attachments. The assumption is that malicious intrusions and threats come from external sources. In other words, the focus is on protecting the enterprise from an outside attack.
While all of these measures are valuable and should be deployed to help protect digital assets, none of these technologies protects companies from data loss or damage that occurs from inside the network-whether it be accidental or malicious in nature. None lets you know when your best perimeter defenses and network security policies have been compromised. None are able to establish a “good,” desired state of data and enable quick restoration if an undesired change occurs.
A complete security strategy should be layered, which can be likened to fully securing a house. For example, you can lock your doors and windows and turn on alarms, but if you've accidentally knocked a hole in the wall or are hosting a guest who secretly causes problems once inside, locks and alarms alone won’t adequately protect you.
A layered approach to security will include protecting from outside attackers, internal breaches of security and mishaps caused by both innocent and malicious people on the inside. There are several elements to a layered security strategy that assist in addressing the three elements of trusted security configuration (integrity, availability, and confidentiality). Layered security strategies typically contain all or most of the following items:
- Security Policy
- Incident Response Plan
- Host System Security
- Auditing
- Intrusion Detection Systems
- Router Security
- Firewalls
- Vulnerability Assessment
No matter what type of business you are in, computers and digital assets are an integral part of your operations. Protecting your computer systems, computer operations, and information assets against loss may be your business’s most critical form of digital asset protection.
What is overlooked in many security strategies is the integrity of the “foundation” upon which the critical IT infrastructure is built. Due to the complexities of IT software, it is becoming much more difficult to know for sure what constitutes a clean start or baseline state for client, server, network devices, database management systems, and applications. For example, one IT manager for a service provider interviewed by IDC stated that a vendor’s UNIX server software contained 30,000 files per install. Even after removing files that were not required for the specific task, 16,000 files still remained. What if any of these files is altered, either by a disgruntled employee or innocently by an unaware employee?
Risks inside the Perimeter – Where is the Perimeter Anyway?
It’s no longer easy to determine where the perimeter is in today’s environment of distributed technology. VPNs, extranets, tunneling and simply the many technical possibilities of e-commerce and the Web make it virtually impossible to support a truly contained network with a clear “outside” and “inside.” That’s why the original idea of a “secure” perimeter is no longer enough. The original security architects were government agencies and defense contractors who were experts in handling confidential assets. Their training led them to lean toward perimeter defenses as the cornerstone of defense.
Even though baseline data integrity was recognised as one of the four pillars of conventional security, it was presumed that as long as the perimeter was secure, assets were automatically secure. The architects reasoned that IT assets didn’t need to be monitored or managed for integrity, because the command and control environment gave people assurance that core data was safe.
Today, the situation is different. Any network with an Internet connection is by default an open network. One large financial institution articulated it this way, “Perimeter defense based on firewalls is still important, but more sophisticated security systems are needed because we don’t even know where the perimeter is anymore.”
“Integrity drift” refers to another kind of risk to data integrity that cannot be stopped at the perimeter. It describes movement away from a desired state. Integrity drift is the result of several factors, including the diversity of platforms, applications and processes operating in any typical IT organisation; the complexity introduced by mergers and acquisitions; and the ongoing pressure on IT by business users to “just get it up and running quickly.”
One company’s information security executive related that when he came on board, his organisation had 200+ machines on the Internet, each one configured differently from the rest. The machines that were created with variations also were not properly maintained. The company had a lot of operations staff focused on deployment, but there were no system administrator resources to maintain the machines.
The CIO described the feeling of his lack of control of the assets by stating that, “when I joined, it was clear that, well, the machines weren’t really ours anymore.” Shifting perimeters, internal threats, and integrity drift: These are all facets of security not addressed by the defenses most typically associated with computer security. The omission becomes more apparent when one revisits the goals which drive recommendations behind modern security measures:
Availability (of systems and data for intended use only)
Availability is a requirement intended to assure that systems work promptly and service is not denied to authorised users. This objective protects against:
Intentional or accidental attempts to either:
perform unauthorised deletion of data or
otherwise cause a denial of service or data.
Attempts to use system or data for unauthorised purposes
Deploying a layered security solution will help protect organisations from the many security challenges that exist today. Security challenges fall into several broad categories:
System misconfiguration
Internal users
External threats
Lax security policies and processes
Experimentation and inadvertent errors
Security & Integrity Threats
Businesses must address each of these broad challenges to prevail. Connecting to the Internet,essentially connects the business to the public networks of the entire world, thus exposing business infrastructures to the possibility of exploitation by thousands of people in the outside, online, global community. The key points for consideration when reviewing your security standing are:
System Misconfiguration: A recent analyst report indicates that more than 65 percent of security vulnerabilities in an organisation are as a result of system misconfiguration. These include (but are not limited to) updating systems with the latest vendor-released security fixes and periodic review of risks and policies resulting from changes in services and/or service levels offered. Strong security requires operational diligence, driven by the requirements of policy and processes and a clear understanding of the underlying business risks that the organisation takes when not adhering to the policies/processes.
Internal Users: Threats from internal users can be classified as either malicious or inadvertent/experimentation. The former is a conscious and intentional attack on the system infrastructure to compromise services or information. Of 239 companies polled by the FBI in March 2000, 71 percent reported unauthorised access to systems by insiders.
The latter is a result of well-meaning employees who can cause severe service outage or information compromise as a result of inadvertent or ill-advised actions. Indeed ‘experimentation’ is one of the most common reasons for system outages and has a direct bearing on system misconfiguration. It is also a result of failure to employ policy and the appropriate technology related to change control.
External Threats: A lesser, but perhaps more potentially embarrassing threat to your business comes from outside; viruses, worms, denial of service, web-defacement, and hacker penetration from the Internet can lead to downtime and loss of reputation and business, especially if publicised in the popular media.
Security Policy: An effective security policy will EXPLICITLY make clear the risks that a business has foreseen and how they must address them, while also setting IMPLICIT standards of practice that must be adhered to. We raise the issue of security policy here because policy ITSELF must be created first of all, and it must address the following matters of misconduct, hacking, etc.
Theft: A matter often not considered is simply one of physical security. All computers (and their components) are valuable physical assets, ripe for theft. Theft leads to downtime, embarrassment, loss of business, and leakage of proprietary information.
Fraud: At least two fraud-related risks impact e-commerce businesses and must be addressed: bogus payment, and liability due to theft of customer payment data, such as credit-card details.
Proprietary Information: Your data is your lifeblood. Threats come from physical theft, accidental deletion or destruction (fire, flood)-or more insidiously perhaps from non-destructive copying, leaving no trace of the theft.
Human Error: This is perhaps the broadest yet mildest form of threat; lack of security awareness amongst employees can lead to leakage of proprietary data through personal emails, being locked-out of network resources through loss/forgetting of passwords, and vulnerability to con-artists and “social engineering.”
With data at the heart of today’s business, a company’s ability to compete and survive depends upon the integrity of its IT infrastructure. And that infrastructure is increasingly vulnerable to unintentional misuse and malicious attacks.
Typical and Necessary First Steps
When managers and security professionals consider implementing a security strategy, typically they implement an Intrusion Detection System (IDS) as the key first step: that’s because executives and shareholders alike want to keep all the ‘bad-guys’ out. But who and where are the bad guys?
A complete intrusion detection system (IDS) must consist of three key components: firewalls, network intrusion detection, and data integrity assurance tools. However, while firewalls impose a barrier at the point of connection between the Internet and the protected network, and real-time network intrusion technologies are an effective second line of defense, neither address internal system misuse.
A complete enterprise security solution requires tools that can be quickly deployed and enable a security administrator to rapidly identify malicious or unwanted attacks. When combining layers of defense, these elements work together to form a resilient barrier to unauthorised intrusions and malicious attacks while complementing other security solutions such as authentication and encryption systems.
Whenever network security is compromised, whether due to a new worm attack or an intrusion from an inside source, the integrity of company data is in question. Many e-mail viruses modify or remove files from PC users’ disk drives; successful attacks against Web sites deface their content; and root kits modify system executables with ones that completely cover an intruder’s tracks. These business assets are too valuable to be left open to compromise, which is where Data Integrity Solutions come into play.
One of the primary applications of Data Integrity software is to monitor the integrity of other security products such as firewalls, intrusion detection systems and anti-virus scanners. One of the first things attackers try to do is disable the security tools on the servers that they are attacking. In some cases, a small change to a firewall might have a dramatic impact. For example, a change to the firewall configuration settings might be changed to either open up or shut down ports.
If an attacker can change a firewall rule to allow them to open a port, then that would allow the attacker to gain access through the firewall to other more critical servers or targets. Some security products have configuration files that are stored in plain text that control how the product operates and functions. It is important to monitor these files in order to detect any unauthorised changes that may allow an attacker to subvert the tool. Most Data Integrity tools can easily be configured to monitor these specific configuration files.
Other files to monitor are the binary files of security products in order to verify that no new possible malicious binary versions of the product are replaced.
How Data Integrity Assurance Fits into a Layered Security Strategy
Trust in the network begins with the certainty that you’re starting from a known good state. Data integrity assurance software establishes the baseline by taking a ‘snapshot’ of data in its desired state. It detects and reports changes to the baseline, whether accidental or malicious, from outside or within.
By immediately detecting changes from the baseline, Data Integrity software can trigger fast remediation, and avoid the necessity of having to rebuild servers or routers from scratch. In this way Data Integrity software provides the foundation for data security and ensures a safe, productive, stable IT environment. These software solutions detects change, whether accidental or malicious, from outside or within, and is the only way you can know for certain that your data is safe and your systems remain uncompromised.
As such, this software is used for: intrusion detection, file integrity assessment, damage discovery, change/configuration management, system auditing, and policy compliance, and unlike firewalls the approach is not focused on the prevention of unauthorised access. Instead, it monitors data at rest and identifies data changes, and then alerts the system manager to unauthorised changes or internal or external intrusions. This is an extremely important security function as many intentional and unintentional unauthorised changes on data at rest take place from within an organisation, or inside a firewall.
There are many types of security tools that do many different jobs, but it is important that these applications are also being monitored to allow for immediate notification and remediation of events that could potentially allow for an attacker to penetrate your network infrastructure. Data Integrity software is used in many cases to complete a well-rounded security policy complementing other security tools that may lack integrity verification functionality. In fact, determining the integrity of a system is one of the key components of having a solid security foundation.
There are many data security technologies that a company can deploy that accomplish different goals. Many of these technologies complete specific security objectives and functions and play a key role in building a layered security strategy.
How Data Integrity Solutions Complement Other Security Technologies
Network-Based Intrusion Detection Systems: Examine network packets for suspicious patterns, based on a database of attack signatures.
Host-Based Intrusion Detection Systems: Monitor system or application logs for evidence of attack, based on a database of attack signatures.
Security Policy Implementation: Enables security mangers to automate each step of the security policy from a central console. These tools enforce awareness and assess employee understanding of security policies
Network Vulnerability Assessment: Network-based scanners provide comprehensive views of all operating systems and services running and available on the network, detailed listings of all system-user accounts that can be discovered from standard network resources, and discover unknown or unauthorised devices on a network.
Security Information Management: Enables users to consolidate security reports and information from many different security products to correlate and provide actionable data.
Anti-Virus Scanners: Provide the ability to block viruses from getting to servers or workstations. These products should be deployed to prevent virus attacks from deleting and changing files. Many AV products use a signature database to scan against to detect viruses. Often new viruses will not be in the database until it can be updated, which leaves a system vulnerable.
Host Vulnerability Assessment: Host-based scanners provide comprehensive views of hosts’ operating systems, identifying risky applications and user activities, configuration of specific services, and detection of signs that an intruder has infiltrated a host or is still active on a system.
Data Integrity Assurance Solutions: Located on any system or network device to monitor the integrity of critical files. These products do not rely on a database of known attack signatures-additions, deletions or changes to a file system are always detected.
Two Factor Authentication: Provides the ability to verify that someone who is trying to access a system is actually authorised to access the system. The most common form of authentication is the use of logon passwords, the weakness of which is that passwords can often be forgotten, stolen or accidentally revealed. Often times passwords will be combined with tokens to provide two-factor authentication.
Summary
There are many security practices that companies should implement in order to develop and deploy a layered security solution that prevents, detects and responds to security incidents. Developing a robust layered security strategy requires companies to consider complementary solutions that can address attacks and breaches from the outside and the inside. In today’s environment, organisations connected to the Internet must be more vigilant than ever. Networks are scanned for vulnerabilities many times a day. Viruses and worms abound. And the threat of cyber terrorism looms. It takes a comprehensive well thought-out strategy to protect against all of these problems.
By utilising Data Integrity software companies will not only mitigate security threats, but also create a more stable IT environment. By detecting unauthorised changes, companies can proactively increase the effectiveness of their change control and configuration management. Computer security is in many ways similar to physical security in that no single technology serves all needs-rather, a layered defense is proven to deliver the best results.
Data Integrity software provides the fundamental security layer that provides a high degree of confidence in the integrity of data assets and system infrastructure. This foundation provides the means to detect and understand changes to systems and data over time, and better enforce the security and availability of those assets. As a result, companies and their customers are able to maintain trust in their network and IT infrastructure.
|
|
|
Latest News
eEye released integer overflow auditing tool
16.02.07 Vulnerability research company eEye Security has released a free security vulnerability auditing tool that helps spotting possible integer overflow vulnerabilities.
AES Password Manager 2.3 released
16.02.07 AES software has announced the availability of AES Password Manager 2,3, the latest version of their password management application that allows users automatically access password-protected web sites and email accounts.
IBM safeguards against Microsoft vulnerabilities
16.02.07 IBM’s security division, Internet Security Systems, offers protection from several critical vulnerabilities announced by Microsoft.
Firefox cookie-stealing vulnerability
15.02.07 A new zero-day vulnerability in Mozilla Firefox allows malicious web sites to forge authentication cookies for certain web sites.
Valentine’s Day: a powerful lure for spreading malware
09.02.07 As Valentine´s Day approaches, users should keep a wary eye on any romantic messages received by email, as many of them could contain malicious code.
Skype reads out your BIOS data
09.02.07 The Windows version of the Voice-over-IP software Skype reads and stores the BIOS and motherboard serial number of a user’s computer.
Utimaco SafeGuard Enterprise supports BitLocker
09.02.07 Utimaco has announced that its SafeGuard Enterprise now supports Windows Vista BitLocker drive encryption.
|
|
