
Seven overlooked network security threats for 2011

Mark Underwood considers the network security threats that administrators might tend to overlook in the new year. Some are low tech, some are worst-case scenarios, but all will require preparation and vigilance.

No one working in network security can complain that the issue has been ignored by the press. Between Stuxnet, the WikiLeaks server attacks and counterattacks, and the steady march of security updates from Microsoft and Adobe, the topic is being discussed everywhere. IT workers who have found that consolidation, off-shoring, and cloud computing have reduced job opportunities may be tempted to take heart in comments such as Tom Silver's (Sr. VP for Dice.com) claim that "there is not a single job position within security that is not in demand today." This and similar pronouncements by others paint a rosy picture of bottomless security staff funding, pleasant games of network attack chess, and a bevy of state-of-the-art security gadgets to address threats. Maybe.

In these challenging times, separating hype from visionary insight may be a tall order. Yet it's important to strike a sensible balance, because there are problems both in underestimating the threat and in overhyping the value of solutions. This became readily apparent when compiling a list of overlooked threats for the upcoming year. Sorting through the hype must not become a cause that only managers are inspired to take up.

Table A summarizes a modest list of security threats that are likely to be overlooked in the coming year. The list thus adds to the mélange of worry-mongering, but at least the scenarios are plainly labeled as worst cases.

1. Insider threat

Millions of dollars can be spent on perimeter defenses, but a single employee or contractor with sufficient motivation can easily defeat them, because the insider already holds the credentials and access that the perimeter exists to protect. With sufficient guile, such an employee could cover their tracks for months or years. Vendors such as Symantec (Vontu) have taken a further step and framed the insider problem as "Data Loss Prevention" (DLP): watching where sensitive data goes rather than only who gets in. Also in this category are attacks on intellectual property, which tend to be overlooked in favor of more publicized losses.
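The DLP framing above turns the insider problem into a detection problem: the perimeter cannot stop a trusted user, but a log of what leaves via removable media can. As an added example (not code from the article or from any vendor's product), the script below runs one such rule over a constructed audit log: it raises an alert when a user copies more than a threshold of files, or bytes, to removable media inside a sliding ten-minute window. The log format, user names, file names and thresholds are all invented for illustration; a real deployment would feed it the host agent's own events and tune the thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed host-audit events for illustration; not output of any real product.
# One event per line: ISO-8601 timestamp followed by space-separated key=value
# fields (file names in the sample contain no spaces).
SAMPLE_LOG = """\
2010-12-01T09:14:02 user=jsmith action=copy dst=removable:E: file=q3_forecast.xlsx bytes=524288
2010-12-01T09:14:09 user=jsmith action=copy dst=removable:E: file=board_minutes.docx bytes=131072
2010-12-01T09:14:15 user=jsmith action=copy dst=removable:E: file=customer_list.csv bytes=4194304
2010-12-01T09:14:21 user=jsmith action=copy dst=removable:E: file=chip_roadmap.pdf bytes=8388608
2010-12-01T09:14:30 user=jsmith action=copy dst=removable:E: file=salaries.xlsx bytes=262144
2010-12-01T09:20:00 user=adoe action=copy dst=removable:F: file=holiday_photo.jpg bytes=3145728
2010-12-01T11:02:17 user=adoe action=copy dst=network:fs01 file=report.docx bytes=65536
2010-12-02T08:00:00 user=jsmith action=copy dst=removable:E: file=notes.txt bytes=2048
"""

# Thresholds are assumptions to be tuned per site: set them too tight and this
# becomes one more generator of the false positives that feed tool-bloat backlash.
FILE_THRESHOLD = 4                  # files to removable media within WINDOW ...
BYTE_THRESHOLD = 10 * 1024 * 1024   # ... or bytes within WINDOW ...
WINDOW = timedelta(minutes=10)      # ... raises one alert per burst


def parse_event(line):
    """Parse one audit line into a dict; 'ts' becomes a datetime, 'bytes' an int."""
    ts_str, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    ev["ts"] = datetime.fromisoformat(ts_str)
    ev["bytes"] = int(ev.get("bytes", "0"))
    return ev


def detect_bulk_removable_copies(log_text, file_threshold=FILE_THRESHOLD,
                                 byte_threshold=BYTE_THRESHOLD, window=WINDOW):
    """Return alerts for users who copy many files, or many bytes, to removable
    media inside a sliding time window. Events are assumed to be time-ordered."""
    recent = defaultdict(deque)   # user -> deque of copy events still inside the window
    seen_bursts = set()           # (user, burst start) already alerted on
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only copies whose destination is removable media count toward the rule.
        if ev.get("action") != "copy" or not ev.get("dst", "").startswith("removable:"):
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()              # drop events that fell out of the window
        n_files = len(q)
        n_bytes = sum(e["bytes"] for e in q)
        if n_files >= file_threshold or n_bytes >= byte_threshold:
            burst = (ev["user"], q[0]["ts"])
            if burst not in seen_bursts:   # one alert per burst, not per file
                seen_bursts.add(burst)
                alerts.append({
                    "user": ev["user"],
                    "window_start": q[0]["ts"],
                    "window_end": ev["ts"],
                    "files": n_files,
                    "bytes": n_bytes,
                    "names": [e["file"] for e in q],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_removable_copies(SAMPLE_LOG):
        print(f"{a['user']}: {a['files']} files / {a['bytes']} bytes to removable media "
              f"between {a['window_start']} and {a['window_end']}: {a['names']}")
```

On the sample log only jsmith's morning burst trips the rule; adoe's single photo and jsmith's lone file the next day do not. Volume is the crudest DLP signal, but it is also the one that needs no content inspection and catches exactly the "copy everything to a thumb drive" pattern that perimeter controls never see.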

2. Tool bloat backlash

Recent TSA changes to airport security demonstrate that the public's appetite for security measures has limits. The same is true for network security. As demands for more and more tools take an increasingly large share of the IT budget, backlash is inevitable. Many tools contribute to a flood of false positives and may never stop an actual attack. There is a network security equivalent of being overinsured.

Threat area: Worst case scenario

1. Insider threat: Enterprise data, including backups, is destroyed; valuable secrets are lost; and users are locked out of systems for days or even weeks.
2. Tool bloat backlash: Decision-makers become fed up with endless requests for security products and put a freeze on any further security tools.
3. Mobile device security: A key user's phone containing a password management application is lost. The application itself is not password-protected.
4. Low-tech threats: A sandbox containing a company's plan for its next generation of cell phone chips is inadvertently exposed to the public Internet.
5. Risk management: A firm dedicates considerable resources to successfully defending its brochure-like, ecommerce-less web site from attack, but allows malware to creep into the software of its medical device product.
6. SLA litigation: Although the network administrator expressed reservations, a major customer was promised an unattainable service level for streaming content. The customer has defected to the competition and filed a lawsuit.
7. Treacheries of scale: A firm moves from a decentralized server model to a private cloud. When the cloud's server farm goes offline, all users are affected instead of only the users in a single region.

Table A. Worst case scenarios for overlooked network security threats

3. Mobile device security

There's lots of talk about mobile device security, but despite prominent breaches employing wireless vectors, many enterprises haven't taken the necessary precautions. The worst case in Table A requires nothing exotic: a lost phone whose password manager has no passcode of its own hands every stored credential to whoever finds it.

4. Low-tech threats

Addressing exotic threats is glamorous and challenging. Meeting ordinary, well-understood threats, no matter how widespread, is less interesting and is thus more likely to be overlooked. Sandboxes, "test subnets," and "test databases" all receive second-class attention where security is concerned, even when they hold copies of production data. Files synchronized to mobile devices, files copied to USB sticks, theft of stored credentials, and simple bonehead user behaviors ("Don't click on that!") all fit comfortably into this category. Network administrators are unlikely to address low-tech threats because more challenging tasks compete for their attention.

5. Risk management

Put backup and disaster recovery in this category, but for many organizations, servers with only one NIC, aging and unmonitored switches, and exposed cable routing are equally good examples of unmanaged risk. Sadly, most organizations are not prepared to align security risks with other business initiatives. To see where your organization stands in this area, consider techniques such as Forrester's Lean Business Technology maturity for Business Process Management governance matrix.

6. SLA Litigation

Expectations for service levels are on the rise, from customers and from the public at large, and competitive pressures will lead some firms to promise service levels that may not be attainable. As the scenario in Table A shows, the network administrator's reservations do not keep the firm out of court once the promised level is missed.

7. Treacheries of scale

There will be a network management version of the Qantas QF32 near-disaster. Consequences of failure, especially unanticipated failure, increase as network automation becomes more centralized. Failure points and cascading dependencies are easily overlooked. For instance, do network management tools identify single points of failure (SPOF)? A corollary is that economies of scale (read: network scalability) lead directly to high-efficiency threats, that is, risks of infrequent but much larger-scale outages: the same consolidation that lets one team run one private cloud lets one fault take out every user at once.
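The question above, whether the tooling identifies single points of failure, can be answered from a link inventory alone. As an added example (not code from the article or from any network management product), the script below takes a constructed link list for a hypothetical network, removes each device in turn, and reports which other devices lose their path to the upstream connection and how many of them there are. Device names and the topology are invented for illustration; "wan" stands in for whatever upstream the users must reach. A second call adds one redundant uplink to show how the list of single points of failure shrinks.

```python
from collections import defaultdict, deque

# Constructed topology (not a real network): undirected links between devices.
# A device counts as "served" while it can still reach "wan".
SAMPLE_LINKS = [
    ("wan", "fw1"), ("wan", "fw2"),
    ("fw1", "core"), ("fw2", "core"),      # redundant firewalls, but one core switch
    ("core", "dist1"), ("core", "dist2"),
    ("dist1", "acc1"), ("dist2", "acc1"),  # acc1 is dual-homed
    ("dist1", "acc2"),                     # acc2 hangs off dist1 only
    ("acc1", "srv_web"),                   # single-NIC servers
    ("acc2", "srv_db"),
]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g


def reachable_from(g, root, removed=None):
    """BFS from root, treating `removed` as if it were powered off."""
    seen = {root}
    q = deque([root])
    while q:
        n = q.popleft()
        for m in g[n]:
            if m != removed and m not in seen:
                seen.add(m)
                q.append(m)
    return seen


def single_points_of_failure(links, root="wan"):
    """Map each device whose loss strands other devices to the sorted list of
    devices it strands. Devices that only take themselves down are not SPOFs."""
    g = build_graph(links)
    baseline = reachable_from(g, root)
    spof = {}
    for node in sorted(g):
        if node == root:
            continue
        survivors = reachable_from(g, root, removed=node)
        stranded = sorted(baseline - survivors - {node})
        if stranded:
            spof[node] = stranded
    return spof


def blast_radius_ranking(links, root="wan"):
    """SPOFs ordered by how many devices they strand (largest first), then by name."""
    spof = single_points_of_failure(links, root)
    return sorted(spof.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("As built:")
    for device, stranded in blast_radius_ranking(SAMPLE_LINKS):
        print(f"  {device}: strands {len(stranded)} -> {stranded}")
    # Adding one uplink from dist2 to acc2 removes dist1 from the list entirely;
    # acc2 and the single-NIC servers' access switches remain.
    print("With dist2-acc2 uplink added:")
    for device, stranded in blast_radius_ranking(SAMPLE_LINKS + [("dist2", "acc2")]):
        print(f"  {device}: strands {len(stranded)} -> {stranded}")
```

Running it on the sample shows the scale effect in miniature: the core switch strands six devices, dist1 strands two, and each access switch strands one server, while the redundant firewalls and dist2 appear nowhere. Brute-force removal is quadratic in the size of the network, which is fine for an inventory of a few thousand devices; a production tool would use Tarjan's articulation-point algorithm, but the result to act on is the same ranked list.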

What's a network administrator to do? Address the issues over which some control can be exerted, and be vigilant about the rest. Too much alarm-sounding is likely to weaken credibility.

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

17 comments
Wild Wombat

Quantas QF32 near-disaster. This is a great article until I hit the reference above and I nearly spilled my coffee all over the keyboard. Qantas Airways Limited (pronounced /ˈkwɒntəs/) (ASX: QAN) is the national airline of Australia. The name was originally "QANTAS", an acronym/initialism for "Queensland and Northern Territory Aerial Services". Nicknamed "The Flying Kangaroo", the airline is based in Sydney, with its main hub at Sydney Airport. It is Australia's largest airline and the world's second oldest continuously operating airline. Qantas headquarters are located in the Qantas Centre in the Mascot suburb of the City of Botany Bay, Sydney, New South Wales. Currently the airline is considered a four-star airline by research consultancy firm Skytrax. In 2010, Qantas was voted the seventh best airline in the world by the firm, a drop from 2009 (sixth), 2008 (third), 2007 (fifth), 2006 (second), and 2005 (second). http://en.wikipedia.org/wiki/Qantas

reisen55

A firm can have the BEST inside security templates and protocols, from retina scans to fingerprints, door badges, and security background checks. All of these failed when Private First Class Bradley Manning sat down at a secure computer with a thumb drive (tip: he should never have been allowed to take a thumb drive INTO that room) and just copied cables to it for the whole Wikileaks mess. All it takes is a disgruntled employee and stupid network administration to kill something off. A thumb drive should NEVER be in that room, and the administrator should also have used epoxy glue to seal up the USB ports on that system, or encased it in a steel shell.

puneet96

honesty is the best policy. 29

IkariX

It's weird. Usually the last thing someone would expect to be a security risk. Might well be a huge security risk

Neon Samurai

A whistleblower may also be disgruntled, but I'd see the two as separate. The first is making information public rather than supporting a cover-up or otherwise, for the benefit of the public and/or the named company. They have a moral drive to reveal the truth. The second may have only hostile intentions stemming from a perception of being underpaid, poorly treated, respected less than wished for, or whatever. They have a self-justified drive to get revenge for real or perceived slights. Mr Manning, if the allegations are true, was a whistleblower releasing information about a cover-up which otherwise would not have come to light. If he was simply disgruntled, there were far worse things he could have done. Since you mention the Manning case again specifically (pretty sure you posted the near exact same wording elsewhere), there was much the US military could have done to improve security; this was not simply an insider threat abusing access to systems. Why was removable media permitted around, let alone for use with secure network terminals? Why was Mr Manning able to access information unrelated to his work? Maybe if the officers were more focused on security rather than on being able to have Lady Gaga on a burnt CD, things would have been different (though to the detriment of the US citizens). From the security side, Mr Manning is a proof of concept that security was very lacking.

AnsuGisalas

From here: "I would come in with music on a CD-RW labelled with something like 'Lady Gaga' - erase the music - then write a compressed split file. No one suspected a thing ... I listened and lip-synched to Lady Gaga's Telephone while exfiltrating possibly the largest data spillage in American history." But why there was a burning drive on that console, that I don't know. I guess they got a good deal from DELL or something.

HAL 9000

I've been in more places where they have holes in cases where any form of Optical Drive was removed before the computer was sent out to the Secure Areas. Whoever allowed this to happen needs to be Drawn & Quartered for their Complete Stupidity. I can remember working in so-called Secure Buildings and I was allowed to take anything inside, but anything recordable was not allowed to leave the place. That included burnt discs that had tools on them and things like Thumb Drives. But the really silly thing was that I didn't need any of those anyway; I could just have transferred anything I wanted out of the building over the Internal Base Network. At least I was a Tech there in charge of the Network; allowing someone like this guy that level of Access and the ability to have Recordable Media defies belief. Not only did the systems that I set up not have any way to record things, but the software which allowed this to be done was either disabled or removed, so that if somehow something was brought in they couldn't actually use it to begin with. If those Responsible for Security chose to be So Lax they get exactly what they deserve, and I hope it hurts them so that the Powers That Be Learn a Lesson. However, because Bureaucrats are involved here, that's not likely to happen. They will just Jump Hard on the person involved and do nothing about the Open Systems that allowed it to happen to begin with. Col

AnsuGisalas

From here: "A drying room for hides was arranged with a blower at one end to make a current of air along the room and thence outdoors through a vent at the other end. Fire started at a hot bearing on the blower, which blew the flames directly into the hides and fanned them along the room, destroying the entire stock. This hazardous setup followed naturally from the term "blower" with its linguistic equivalence to "that which blows," implying that its function necessarily is to "blow." Also its function is verbalized as "blowing air for drying," overlooking that it can blow other things, e.g., flames and sparks. In reality, a blower simply makes a current of air and can exhaust as well as blow. It should have been installed at the vent end to draw the air over the hides, then through the hazard (its own casing and bearings), and thence outdoors." Message to Powers that Be: accidents can and should be prevented... dumbass tools

HAL 9000

Seem to think that a Security Breach without Malice isn't really a Security Breach. It's just one of those things that Happens. Like a few years ago a Consultant took a Thumb Drive with Patient Details out of a Hospital and lost it on the way to a new Hospital that was being set up. The idea was to transfer all the Patient Records to the new establishment and be ready to go when they opened their doors, but they dropped the Thumb Drive. Because that wasn't intended it was considered as an Accident. Still cost them Millions, but as it wasn't intentional it fell under the category of Shite Happens. ;) I still saw it as a security breach which shouldn't have been allowed to be done in the first place, let alone allowed to happen. :0 Col

AnsuGisalas

1) The willful traitor/whistleblower 2) The dumbass who forces IT to sell F-Disked HDDs (and similar stupidities) 3) The tools who fall for social engineering. Putting password post-its in the trash goes under 2 AND 3.

AnsuGisalas

as some people, for some strange reason, find the correct term insulting - "Brain-crutch-for-dumbasses" that is :)

OH Smeg

I would remove the drives, get Blanking Plates from the Maker free, and then sell the Optical Drives. I know that's what I used to do with all new purchases for Secure Locations. We even used to make money selling the Optical Drives. But as we bought at Government Prices, if you are unable to make money selling things then you are completely incompetent. We still made a profit when we sold the units after 2 years of use without a HDD in them. But back when I used to do this we would fit a new blank HDD and add another $200.00 to the sale price of the unit.

I remember one Government Department who thought that I was wasting their Money and insisted that running FDISK on a Drive destroyed all Data on it, as one of the Internal Staff had insisted that this was correct. They went ahead with the sale and then took a Kid who recovered Data off 2 HDD to Court for Theft of their Data. I appeared as a Defense Witness in that case and was derided by the Prosecution, and a Week Later was the Same Prosecutor's Star Witness in a different case. The good thing about that was that the Government stopped the Individual Departments' Offices selling their decommissioned computers, and they all had to be returned to a central point where they were suitably decommissioned and then disposed of. You just have to love the Petty Bureaucrats who are all out to save as much as possible and end up costing so much more money. In the case above they lost their complaint, partly based on my evidence, and they had to pay the Costs of the Defendant. The Defendant then Sued the Department and won that case as well; then there were the members of the General Public who dealt with the Particular Office who sued the Department for allowing their Medical Records out to the Masses, and won. They saved about $200.00 to end up paying over several million $ in legals. You just have to love them.

Naturally the Person responsible for that mess was promoted to a higher Position and Pay Rate where they could do even more damage next time that they screw up. :^0

Or another case that I heard of where a Non Secure system was sold with the OS and Data Intact. But as there was nothing Important on the system it was not necessary to wipe it or remove the HDD. 3 Days after the sale was complete the State Premier (Governor for our US Peers) started receiving E-Mail with requests for Donations to Charity. Apparently the Address Book had this guy's E-Mail Address, but as it was not a Secure System this wasn't important. There most certainly was no Sensitive Information on it. :D Col

AnsuGisalas

I can hear it now, at the congressional hearings; "But, they'd have been more expensive without those drives..." "And couldn't these drives have been removed?" "But we'd already paid for them!" "But you only took them to save money" "Yes, but that's government money, we didn't want to waste it" *sound of a bunch of congressmen rolling on the floor laughing their furry asses off* "heh, heh *wheeze* - you know kid, you didn't even twitch when you said that, how'd you like to run for president?"