Last month, we celebrated Thanksgiving and mine was spent out of town. I remember when I used to go out of town for a week, it was truly a vacation. I would sleep in late, see the sights all day and then drink too much at night. Ah yes, the good old days. But after adding two kids and a wife to the mix, the routine has been drastically changed.
Now, I am up at the crack of dawn feeding the kids, spending the day playing Sherpa to my wife who sees shopping as an extreme sport, and by the time I have strapped the kids into bed at the end of the day, I am trapped in the hotel with only enough energy left to watch Gilligan’s Island reruns on TV. It’s funny that I didn’t see these changes coming; and really it was not even clear to me just how much my life has changed until I hooked up with some friends who are still single. As they talked about partying at bars and their latest conquests in the bedroom, I realized that I had lost touch with everything hip. I am now simply Mr. Stickley. Women who I once thought were attracted to me now refer to me only as sir. As in “Excuse me sir. I am trying to get past you in the aisle.” Yes, somewhere I lost it and never saw it go.
Of course I am not alone. This happens everyday to people all over the world. But what is more important is that it not only happens to people, but it happens to networks. I have witnessed this at numerous locations throughout the United States and in every case, it has always come down to the same few issues as my own life.
They start out very solid. They bring in the latest equipment, software and training. They integrate everything properly and smile at their accomplishments. Time passes and they continue to pat themselves on the back for their solid network, while they continue to use the training materials they received when they first implemented the network. Five years later, they get hacked, their database is stolen, and their image tarnished.
If you were to put that into human translation, they just ate bacon and burgers for the last 20 years, got fat, lost their hair and now they have just grabbed their chest -- a la Fred Sanford -- as they prepare for the “big one.”
People Are Creatures of Habit
You find something that works and you stick with it. A network that was installed five years ago and has had little updating is probably a network that is in serious trouble. Hackers change and adapt to the latest security technologies. There was a time when it was thought that anti-virus was simply a phase that would only be needed for a short time because improved security in software would make it unnecessary. Of course, that turned out to be optimistic thinking. Why? As software gets better, hackers find new and inventive ways to exploit it.
Online banking applications, for example, seem to have become more secure than when they were first released. Hackers realized that rather than hack the software, they could trick people into giving them their passwords. Suddenly, phishing attacks sprang up everywhere. If you had asked someone five years ago what phishing attacks were, I imagine they would have pointed you to movies like “Jaws.” As technology changes, administrators must change as well. If you’re an administrator and you hate change, you are probably at the highest level of risk.
I am not advocating that an administrator rebuild their network from scratch every six months and, realistically, the idea of changing out any technology that frequently is not feasible from a budgetary standpoint. However, an administrator who is not budgeting for updates on a yearly basis should definitely be re-evaluating their network infrastructure. Though every network is different, there are certain areas of security that should be considered when preparing your budget, and though this is by no means the only list one should consider, I do feel that these are the basics that continue to change with time.
Firewalls
Firewalls have changed significantly over the years. In the beginning, you had free versions such as the Firewall Tool Kit. This was not very user friendly, but it did offer organizations the ability to secure themselves from the internet. You also had commercial versions, such as Gauntlet, Raptor, Firewall 1, Sidewinder and many others. Today, I am still finding companies that have Gauntlet installed on their networks, though that product was discontinued years ago.
Yes, Gauntlet was a very good firewall back in the late 90s; however, it is a dinosaur by today’s standards. Firewall 1, on the other hand, had numerous problems when it was first released with vulnerability after vulnerability. The idea of deploying that firewall on a secured network was simply frightening. Today, that firewall has made tremendous improvements in security and is now a dominant player in the firewall market. You also have appliance firewalls that are inexpensive, yet offer more functionality than the most expensive firewalls from five years ago. I find small organizations wasting their budget on expensive firewalls that are overkill for their environment because they have not researched changes in technology.
Intrusion Detection/Prevention
Years ago, it was known as IDS for intrusion detection, but today most products fall under IPS or intrusion prevention. The difference is that in the old days, you would just get log files, emails, and text messages that informed you that your network was under attack. Now the applications will not only notify you about the attack, but they will also attempt to block the attack before it succeeds. This additional level of security is obviously a major improvement to any network.
In addition, most products are now tied with some sort of managed service. While I think that a managed firewall is pointless and a waste of budget, I am a huge advocate of managed IDS/IPS. The problem is that most administrators do not have the time and bandwidth needed to properly monitor an IDS device. Constant false alarms cause the admin to become complacent with notifications, and notifications that take place in the middle of the night are often ignored until the next day. The only way the system can be truly utilized is through 24/7 management (note, the company I work for, TraceSecurity, does not offer managed IDS/IPS). It is clear that most organizations do not have the manpower needed to manage IDS adequately.
In addition to simply having IDS, I strongly encourage having sensors on both the internal and external network segments, with the internal sensor set up in “promiscuous” mode. Promiscuous mode is where every packet on the network segment is monitored, generally through a managed switch. Some devices will be installed in “pass through” or “proxy” mode. This means that only traffic that is passed directly through the device is monitored. For an external network segment this works nicely, but for an internal network segment this does not work at all and should never be implemented. If you are uncertain how your internal IDS/IPS has been set up, you should verify it. If it is not in “promiscuous” mode, make sure to have it changed immediately. Without it, only a very limited amount of traffic is actually being monitored on your internal network and your organization is left at risk.
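One way to do the verification described above on a Linux-based sensor, as an added example that is not part of the original column: parse the interface flags reported by `ip -o link show` (or the hex value in `/sys/class/net/<iface>/flags`) and report whether the sensor's monitoring interface is actually in promiscuous mode. The sample output is constructed, and the interface name `eth1` is an assumption; note that this checks only the NIC flag on the sensor, not whether the switch is mirroring the segment's traffic to it.

```python
import re

# Constructed sample of `ip -o link show` output (not captured from any real host).
# Only eth1 carries the PROMISC flag; eth0 is an ordinary, non-promiscuous interface.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit in /sys/class/net/<iface>/flags

# "3: eth1: <FLAGS,...>" or "3: eth1@if5: <FLAGS,...>" (VLAN/veth style names)
LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_ip_link(text):
    """Map each interface name to the set of flags shown in `ip -o link show` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("name")] = {f for f in m.group("flags").split(",") if f}
    return result


def promisc_from_sysfs_flags(flags_hex):
    """Interpret the hex string read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def check_sensor_interface(text, monitor_iface):
    """Return (ok, message) for the interface the internal sensor listens on."""
    ifaces = parse_ip_link(text)
    if monitor_iface not in ifaces:
        return False, f"{monitor_iface}: interface not present on this sensor"
    if "PROMISC" in ifaces[monitor_iface]:
        return True, f"{monitor_iface}: promiscuous mode enabled; all mirrored traffic is visible"
    return False, f"{monitor_iface}: NOT promiscuous; sensor only sees traffic addressed to itself"


if __name__ == "__main__":
    # On a real sensor, replace SAMPLE_IP_LINK with subprocess output of `ip -o link show`.
    for name in ("eth0", "eth1"):
        print(check_sensor_interface(SAMPLE_IP_LINK, name)[1])
```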
Patch Management
One area that is especially important is patch management. Microsoft allows you to set up your servers and workstations for automatic patching. In many cases, this works for organizations. However, in some cases where there is concern about any downtime, this solution is not acceptable. Since some patches have been known to cause other bugs that bring down servers and workstations, some organizations opt to manually apply patches as needed. This is acceptable as long as the patches are applied in a timely manner.
Several worms have been released to the internet within less than a week of a vulnerability and patch being made public. This means that if patches are not applied within that amount of time, servers and workstations are at risk. Once a worm is released, it can spread through the world in less than 24 hours. A number of companies offer patch management solutions. These solutions allow you to roll out patches to specified systems at specified times. After applying the patch, if a problem occurs, you can remove the patch and put the system back to its previous state.
The attraction to these tools is the ability to manage everything from a central console. These tools also provide patches for products other than Microsoft.
Ultimately, deciding how best to manage the update of patches is left to the administrators. What is critical is that these patches are applied as fast as possible. Anything more than a few days after the release and you are putting your organization at risk.
Be Proactive
Please do not send me nasty emails telling me that you can’t apply a patch because a third party vendor has installed code on your server and will not allow you to apply a patch until they have given you permission. Instead you should be sending emails to those vendors, if they are not approving those patches within 24 hours of release. If your network is compromised, it is unlikely that they will take the blame for it, nor will they be the ones looking bad to your customers.
I have spoken of just three technologies that should be reviewed and/or updated to newer technology at least once a year. Obviously, I have not even touched on other important technologies, such as wireless and VPNs. Nor did I touch on budgeting for security audits and training.
The point is that no security technology can be depended upon as a long-term solution. What is cutting edge today will most likely be outdated tomorrow. It is up to the administrators to avoid being creatures of habit and instead seek out and embrace new technology as it becomes available. My path in life has been carved in stone and it’s clear that there is no going back. Don’t wake up one morning and find out that you have doomed your network to the same fate.
About the Author
Jim Stickley is the CTO of TraceSecurity, Inc. (www.traceSecurity.com), a provider of enterprise-class vulnerability management solutions and security assessments. He can be reached at jstickley@tracesecurity.com.