
June 2007 Issue

Inside Current Issue: Cover Story

The Human Barriers to Securing Your Network
By Andre Muscat

Computer system vulnerabilities are the perfect channel for worms, viruses, trojans and a multitude of other malicious entities to attack and subvert your network. Year after year, thousands of technical vulnerabilities and security incidents are reported, with most of the attacks exploiting well-known software vulnerabilities. In 2006, Microsoft alone disclosed nearly two critical patches a week. Multiplied by the number of computers, servers and numerous third party software products on your network, the number of attack vectors hackers can exploit is enormous – increasing the probability that someone, some day, will successfully attack your network.

Even the most diligent administrators have to admit that, in spite of all their efforts, they continue to be plagued by security breaches. When securing networks, they often start by implementing anti-malware software and perimeter security (firewalls, IDS, etc.); however, network security extends beyond simply installing firewalls, anti-virus and anti-spam filters. These are just tools to improve security. More often than not, the weakest link in a network’s security is not the technology itself but the people who use it. Administrators also have to learn to deal with another type of vulnerability: human interaction.

The human factor in network security
Computer users can be considered the least predictable and least controllable security vulnerability. In the majority of cases, security breaches caused by employees are the result of negligence or a lack of knowledge rather than malicious intent. Businesses lose millions of dollars because employees put their passwords on sticky notes on their monitors, forget laptops or handheld devices in airports, gyms and restaurants, keep computers unlocked or switched on during lunch breaks, overnight or over the weekend, leave USB sticks with sensitive company information unattended, or surf the internet from home while connected to their companies’ networks.

A growing concern for security administrators is the social engineering threat. The ‘attackers’ need not be security experts; they are creative people who charm their way into people’s lives and then use the knowledge they obtain (such as passwords or access codes) to steal important information. An administrator can control employee activity on the network, but there is little he can do to prevent employees from unwittingly giving out security information to outsiders. Another growing concern is the uncontrolled use of portable storage devices such as USB sticks, iPods, PDAs and smartphones. This is a problem that is often ignored or underestimated by network and security administrators. According to Gartner Research, more than 100 million USB sticks were sold last year, while on 9 April 2007 Apple announced it had sold its 100 millionth iPod – and each one of these gadgets is a security threat to companies.

A survey conducted in March 2007 among 370 United Kingdom-based companies on behalf of GFI Software found that 65 percent of businesses underestimated the threat of portable devices. Seventy-one percent said these devices were important or very important for their company’s operations, yet only 21 percent actually knew what data was being transferred from the network and vice versa.

These high-density portable storage devices make it extremely easy for individuals to store personal information, software products and games on a memory stick that can be very easily concealed. The ease with which data can be copied to and from a network has increased the risk of data disclosure incidents. It has also facilitated the upload of malicious code (e.g. a virus) that can expose networks to trojans or rootkits which, in turn, may hijack services and open ports that a hacker can then use to compromise the network.

Portable storage devices also expose networks to other vulnerabilities: employees can download unlicensed or objectionable third-party material such as peer-to-peer software, games or pornography, for which the corporation can become legally liable through vicarious liability. This not only raises legal issues but also compromises networks because it can disrupt business continuity. It has to be considered a serious threat and properly monitored.

The technology factor in network security
The human element is only one side of the coin, because technology plays an equally critical role in network security. Software products are never 100 percent secure or free of bugs and security loopholes. Hackers and virus writers target such software vulnerabilities and attempt to launch attacks before the developers can come up with a fix or patch. The longer it takes for a patch to be issued, the greater the window of opportunity for hackers and malicious software developers.

This problem is amplified when administrators have to manage heterogeneous networks using a combination of operating systems (e.g., Microsoft and Linux) and servers/clients that use third-party software. Undocumented devices on the network and new, untested and unpatched machines are also network vulnerabilities. Each of these elements creates a very inviting environment for hackers unless an administrator is able to keep tabs on every activity happening on the network at any time.

In a large network, it is physically impossible to manually manage each and every machine, let alone monitor network activity. To this end, various software solutions are available that address one or all of the three pillars of network vulnerability management: network security scanning, patch management and auditing of network activity. Network scanners check networks for thousands of known vulnerabilities, but scanning by itself is only half a solution if you have no means to fix the weaknesses found. This is why administrators also need to implement a solution that enables them to identify and install missing patches remotely, over and above what a Microsoft WSUS server does.

While Microsoft WSUS is an adequate solution for deploying Microsoft patches to all the Microsoft-based computers on the network, it should be noted that it is not a perfect solution. It supports all Windows XP and 2000/2003 operating system patches, including those for applications that are part of the operating system such as IIS and Internet Explorer. Additionally, it supports patches for Microsoft Office XP/2003 applications, Microsoft Exchange 2003 and Microsoft SQL Server 2000. However, Microsoft WSUS does not allow deployment of patches to ISA Server machines or to machines running Windows NT, nor deployment of third-party software patches and software.

More importantly, Microsoft WSUS is a “pull” solution: patches are made available to computers, which are expected to automatically download and install them according to a patching schedule. Through Microsoft WSUS, systems administrators do not have the means to “push” patches to each and every individual computer and have them installed immediately. This means that administrators cannot feel too confident that they have patched their network if they are only running Microsoft WSUS.

A network auditing solution is also required to tell you all you need to know about your network – what USB devices are connected, what software is installed, any open shares, open ports and weak passwords in use – in real time. The faster you know what your network’s health status is, the faster you can deal with any threats.
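As an added example, not code from the article or from any GFI product: a PowerShell script that collects three of the facts listed above (USB storage devices that have been attached, installed software, and non-default open shares) from a single Windows host and writes them to a per-host JSON report. It assumes Windows 8/Server 2012 or later with local administrator rights.

```powershell
# Added example: local audit of USB storage history, installed software and
# non-default shares. Assumes Windows 8/Server 2012+ and local admin rights.

function Get-UsbStorageHistory {
    # Every USB mass-storage device Windows has enumerated leaves a key here,
    # one subkey per model and one per device serial number beneath it.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return @() }
    foreach ($model in Get-ChildItem $base) {
        foreach ($dev in Get-ChildItem $model.PSPath) {
            [pscustomobject]@{
                Model        = $model.PSChildName
                SerialNumber = $dev.PSChildName
                FriendlyName = (Get-ItemProperty $dev.PSPath).FriendlyName
            }
        }
    }
}

function Get-InstalledSoftware {
    # Native and 32-bit-on-64-bit uninstall hives; entries without a
    # DisplayName are components rather than products and are skipped.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Get-NonDefaultShares {
    # Administrative shares end in '$' (C$, ADMIN$, IPC$); anything else was
    # created by a user or application and should be justified or removed.
    Get-CimInstance Win32_Share |
        Where-Object { $_.Name -notmatch '\$$' } |
        Select-Object Name, Path, Description
}

# One report object per host, written as JSON so a central collector can
# diff today's inventory against yesterday's and flag what changed.
$report = [pscustomobject]@{
    Host        = $env:COMPUTERNAME
    CollectedAt = (Get-Date).ToString('o')
    UsbDevices  = @(Get-UsbStorageHistory)
    Software    = @(Get-InstalledSoftware)
    OpenShares  = @(Get-NonDefaultShares)
}
$report | ConvertTo-Json -Depth 3 | Set-Content "$env:COMPUTERNAME-audit.json"
```

Run it under a scheduled task on each host and collect the JSON files centrally; a device serial or share name that appears in today's report but not yesterday's is exactly the kind of change the article says administrators need to see quickly.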

The key to successful network vulnerability management is to address these three aspects in a context where both outsider and insider risks are managed and all network attack vectors are treated as risks. Achieving network security is all about managing risk, and this is a continuous process that includes:

1. Making thorough and continuous assessments of where risks lie
2. Putting up barriers to mitigate the risks
3. Taking a proactive approach to security in general

What can you do?
How can you make your network more secure? There is quite a lot that administrators can do to protect their network. The following guidelines are divided into two parts: the first deals with the human threat while the second deals with the more technical aspects of network security management.

10 steps to protect networks against human vulnerabilities:
1. Start at the top with senior management. When management understands and acts tough on security, then the battle is half won.
2. Implement a clearly defined, and not complicated, security policy. Back it up with clear communication.
3. Educate employees to be careful not to leave mobile devices lying around. Make them understand what is at stake.
4. Instruct all staff on the basics of computer security such as good practices for password use, etc. Education is key in securing your network.
5. Introduce non-standard security measures such as biometric scans for top security areas. It is usually cheaper than a data theft incident.
6. Restrict remote network access strictly to those who need it. This also applies to internet access through the company’s gateway.
7. Track employees’ use of their computer resources. Establish control over your corporate network.
8. Limit user changes to a computer’s settings and installed applications. Limit browsing, instant messaging, use of peer-to-peer applications and file-sharing.
9. Restrict the use of portable storage devices. Use solutions that enable you to grant read/write access to those who need these devices and block access for those who do not.
10. Implement a strong password policy. Regularly change passwords/access codes to limit damage caused by leaks through social engineering.

10 steps to protect your network from technology vulnerabilities:
1. Install vulnerability management software. This enables you to centralize control of your network’s security.
2. Take control of compliance efforts. Do not depend on end-user compliance for your security needs.
3. Implement your company’s security policy. Define the responsibilities of each user, administrator or manager.
4. Upgrade security. Test and implement the latest stable versions of the OS and applications on computers, switches, routers, firewalls and intrusion detection systems.
5. Patch systems. Keep the operating systems and the applications up-to-date by installing the latest security updates (e.g., patches, service packs, hot fixes).
6. Know your network. Create and maintain a list of all hardware devices and installed software.
7. Customize your security. Use custom settings and passwords rather than relying on the defaults that come with out-of-the-box software applications.
8. Scan the network regularly. Shut down unnecessary servers and services and turn off functional areas which are seldom used but potentially have vulnerabilities.
9. Follow the principle of least privilege. Keep the number of administrative accounts to a minimum and use administrator credentials as little as possible.
10. Partition your network according to its security level and enforce strong permissions/rights on folders and data. This eases administration and allows stronger security policies.

Conclusion
No network can ever claim to be 100% secure. So long as humans and technology work together there will always be room for errors, new vulnerabilities and security threats. Vulnerability management is today no longer an option, and organizations must find ways to mitigate the risk of vulnerabilities and institute measures to protect their computing environments. Administrators must realize that managing risk is always more cost effective than having to react to breaches or incidents. In an ever-growing networked environment where risk is becoming a major concern, administrators have to stay ahead of threats rather than passively react to incidents. To do this, administrators have to accept the fact that no vulnerability is more or less serious than another. A weak password, an open port and a missing patch are equally dangerous in the hands of a hacker.

Ultimately, network security is as much about human nature as it is about technology. The challenge is to understand and manage both.

About the Author:
Andre Muscat is the director of product development at GFI Software, an international developer of network security, content security and messaging software. For more information visit www.gfi.com.

© IMPIRE Communications, LLC All Rights Reserved.  