Foursys - specialists in network threat protection
Company Blog

Foursys Security Blog

Cybercrime for the masses


A recent report by The John Grieve Centre for Policing and Security at London Metropolitan University attributes 80% of all cybercrime to your run-of-the-mill crook. Going against the Hollywood grain, cybercrime is more likely to be perpetrated by the older generation than by the basement-dwelling loners portrayed on the silver screen. Nearly half of cyber-crooks (43%) are over 35 years old, and less than a third (29%) are under 25.

So has the line blurred between Blackhats, Hacktivists and Script Kiddies? The motives of those involved in cybercrime will always differ, but we can arguably say the line between them has got thinner. With the hacking tools available on the web, Backtrack being one of many, the need for coding or scripting skill has been substantially reduced. This means that those with a mere penchant for mischief can now do considerably more damage for arguably less effort. Virus-writing software is freely available and lets people build malware, spyware and Trojans which can exploit application vulnerabilities, or recruit an army of bots around the globe with which to launch these attacks.

An increase in the technology available means a decrease in the skills needed to commit cybercrime, so the people hacking into your SQL database could easily be the local street gang rather than some organised Russian syndicate. Cybercrime is no longer limited to online scams, dodgy pharmaceuticals or ID theft; the range of damage caused by these attacks, together with the methods involved, has shown in the recent media that much more is at stake, and that burying your head in the sand with an “It won’t happen to me” attitude is a seriously dangerous one to take.

So how can we combat the evolving nature of cybercrime? As the technology available in hacking circles advances, the methods used to protect against it have to keep pace. Those who perpetrate these nefarious activities have an extensive network, either by association or through other mediums, and keeping up to speed with these ever-changing attacks is becoming increasingly difficult. The moment security vendors put something in place to stop a possible attack, the crooks will find a way to circumvent it. Vulnerabilities are found daily in a variety of applications, and with the explosion of social networking and other communication methods these are often known to attackers well in advance of any patch being released. It is essential that IT administrators do not rest on their laurels but keep up to date with the latest technology, methods and advancements if they are to ensure the protection of their network infrastructure.

 

Security? Not my problem!


I’ve spent quite a lot of time recently working on some material for a new Foursys training course, which is aimed at raising security awareness amongst regular users. Preparing the course meant spending time researching the kind of issues that, however obvious they may be to a techie, end-users simply don’t care about or understand. The challenge, as I saw it, was finding a way of presenting these problems to our employees whilst remaining largely non-technical, and making the information relevant and genuinely useful.

My approach to this was actually fairly simple – trying to blur the line between workplace and personal security. Lecturing staff about the importance of passwords in the workplace is neither interesting nor useful, whilst explaining to them how a criminal might hijack their credit card information is. The basic message is the same: use good passwords, be careful with open wireless, don't ignore certificate errors; you get the idea.

Another important aspect when it comes to end-user education is the attitude of your IT department, something not so easily dealt with in a half-day training session! A recent article on DarkReading.com (http://bit.ly/xGTGC0) contained a statistic that, on the face of it, surprised me. It claimed that in the US only just over 1% of all IT staff are in information security. I’m convinced that the number can’t be that reliable – and what is classed as an InfoSec role? – but it did get me thinking.

Some positions are obviously security-orientated (security officers et al.), but all technical positions are security-related. This seems quite obvious really: from 1st-line support technicians through to developers, DBAs, IT managers and server operators, every single position should have security at the very centre of everything they do. For most IT pros, security is not something they do; rather it is the way in which they do something.

All too often IT staff are not encouraged to work in a secure way – and you don’t usually have to look far to find examples. I frequently encounter organisations where IT staff routinely do things such as asking users for passwords, removing antivirus software to “fix” issues, using seriously awful passwords for administrator accounts, and so on. All of these violations are ones we’d chastise an end-user for, and in fact we’ll often specifically tell them they mustn’t do such things – so why should it be any different for us?

Usually these misdemeanours are full of good intentions and help us appease the end user who’s having a problem – but whilst asking for their password so you can log on and resolve an issue over lunch might be easy, it sends all the wrong messages to the user.

Educating our users is clearly a crucial part of any organisation’s information security strategy, but IT departments need to keep their side of the deal as well. We too must ensure that everyone from helpdesk technicians up to the IT director follows the same rules, and that we no longer undermine the rules and policies we impose on the rest of our employees. So next time there’s a security incident, stop for a moment before you blame a user and ask yourself: could I have done anything more to prevent it?

Follow Stuart on twitter @Stuart83w

 

What’s your poison?


Most IT departments have a fairly good understanding of the threats they face. It’s unthinkable that anyone would not be running a solid antivirus solution, external firewalls, and other traditional defences. Most will now be using an effective web and email content scanning solution, and organisations are slowly beginning to realise that client firewalls are a good idea too.

All of the technologies I mentioned above are fairly commonplace, easy to get hold of and implement, and not particularly expensive. They mitigate risks that most people understand, but there are many other vulnerabilities that very often aren’t even considered. In this post I’ll discuss a couple of attacks that many organisations are still vulnerable to, and attempt to explain why these risks are more difficult to protect against. We’d be interested to hear comments about what you believe to be the biggest threats to your organisation, and whether you feel vulnerable to the exploits explained below.

Apologies in advance, but it’s not possible to explain these attacks without getting slightly technical.

ARP poisoning
ARP stands for Address Resolution Protocol. All networked devices have physical hardware addresses; they look like this: 54-E3-FC-91-BA-5F, and aren’t particularly easy to remember. ARP is the protocol which helps us translate between these addresses and IP addresses, which we’re more easily able to remember and manage. When one device communicates with another it needs the hardware (MAC) address of that device, so when you connect to 192.168.1.1 your computer uses ARP to translate that to a MAC address and then establishes a connection to it.

ARP poisoning (or ARP spoofing) exploits a weakness in the ARP protocol, whereby an attacker can send a fake ARP message to a victim which causes it to wrongly associate a MAC address and an IP address. For example, I might ARP poison my victim so that the IP address of the default gateway is associated with my MAC address (I’d also poison the default gateway, making it associate my MAC address with the victim’s IP address). This would cause all of the victim’s traffic to be routed to my machine, allowing me to perform subsequent attacks on the victim’s computer. This is known as a man-in-the-middle (MITM) attack.

This attack is difficult to defend against, particularly on large networks. One option is to use static ARP entries, which need to be present on every device on the network; this is not particularly practical because of the massive management overhead. The most obvious defence is not technical at all – prevent unauthorised physical access to your site – although an attacker could remotely use a compromised machine already on your network.

As ARP poisoning requires the attacker to be on the same subnet as the victim, using VLANs can help to limit exposure to this attack by reducing the number of devices an attacker could poison. Extra security can then be implemented on VLANs considered more sensitive. Other potential solutions include client software and OS changes that lower the risk of attack. Hardware devices are available that monitor ARP traffic, and some switches offer port-level security which binds MAC addresses to specific ports. Implementing network encryption or IPsec authentication can also help to reduce the risk of a successful attack.
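To show what the ARP-monitoring defence mentioned above actually looks for, here is an added example (written for this post; it is not a Foursys product and not code from the original article). It replays a constructed list of ARP replies, as a passive monitor on the segment would record them, and raises an alert whenever an IP address changes its MAC binding, or one MAC starts claiming several IP addresses. That second pattern is exactly the footprint the gateway-poisoning scenario leaves: the attacker’s MAC ends up answering for both the gateway and the victim. The sample addresses, the optional `trusted` seed map and the alert fields are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of ARP replies, (time, sender IP, sender MAC), as a monitor on the
# segment might see them. 192.168.1.1 is the gateway. The last two entries are the
# anomaly: a new MAC claims both the gateway's IP and a workstation's IP.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "54-E3-FC-91-BA-5F"),
    ("10:00:02", "192.168.1.20", "00-1A-2B-3C-4D-5E"),
    ("10:00:03", "192.168.1.21", "00-1A-2B-3C-4D-5F"),
    ("10:00:09", "192.168.1.1",  "54-e3-fc-91-ba-5f"),   # same binding, different letter case
    ("10:01:15", "192.168.1.1",  "DE-AD-BE-EF-00-01"),
    ("10:01:15", "192.168.1.20", "DE-AD-BE-EF-00-01"),
]


@dataclass(frozen=True)
class ArpAlert:
    time: str
    ip: str
    old_mac: Optional[str]
    new_mac: str
    reason: str


def normalise_mac(mac: str) -> str:
    """Canonical form so 'aa:bb' and 'AA-BB' compare equal."""
    return mac.replace(":", "-").upper()


def detect_arp_anomalies(replies, trusted=None):
    """Scan ARP replies in order and return alerts for two conditions:
      1. an IP's MAC binding differs from what was seen (or configured as trusted) before;
      2. one MAC ends up claiming more than one IP on the segment.
    `trusted` is an optional {ip: mac} map (assumed to come from your own records, e.g.
    the gateway) whose bindings are never overwritten, so a forged reply is flagged even
    if it arrives before the genuine one. Condition 2 is a heuristic: a router that
    legitimately holds several IPs on one interface will trigger it, so list such
    bindings in `trusted` and review alerts accordingly."""
    trusted = {ip: normalise_mac(m) for ip, m in (trusted or {}).items()}
    current = dict(trusted)                 # ip -> MAC as currently claimed
    mac_to_ips = defaultdict(set)
    for ip, mac in current.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, raw_mac in replies:
        mac = normalise_mac(raw_mac)
        previous = current.get(ip)
        if previous is not None and previous != mac:
            alerts.append(ArpAlert(ts, ip, previous, mac, "ip-to-mac binding changed"))
        if ip not in trusted:               # a trusted binding is never replaced
            current[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(ArpAlert(ts, ip, previous, mac, "one MAC claims several IPs"))
    return alerts


def spoofed_ips(alerts):
    """IPs involved in any alert, e.g. to feed a ticket or a switch port lookup."""
    return sorted({a.ip for a in alerts})


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(f"{alert.time} {alert.ip}: {alert.reason} ({alert.old_mac} -> {alert.new_mac})")
```

Run against the sample, the first four replies are silent and the two at 10:01:15 produce three alerts: the gateway’s binding changes, the workstation’s binding changes, and the new MAC is now claiming both IPs. Feeding the gateway’s real binding in as `trusted` is what lets the same check catch a forged reply that arrives before the genuine one.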

Fake access points
The fake access point attack is quite simple. An attacker creates an access point and encourages users, or their devices, to connect to it. The attacker is then able to monitor traffic on the fake network, and perform attacks on any vulnerable devices that may connect to it. Users can easily be tricked into connecting to fake APs by using network names that are appealing, either because they offer free wireless or because they appear to be legitimate.

Some devices automatically probe for previously used wireless networks when they aren’t already connected, and an attacker can easily see these network names. If a fake AP was then created using the same name, the target device could automatically connect to it without the victim even realising.

Although most organisations secure their wireless networks, this is still a viable attack if your devices are able to connect to any network. For instance, most devices will choose the wireless network with the strongest signal, and smartphones not configured for corporate wireless networks may automatically join any available network – possibly without the victim realising. This can then expose credentials used for services such as Outlook Web Access.

Restricting the wireless networks your devices are permitted to connect to is one way of preventing this attack (but requires client software). You may also use a wireless intrusion prevention/detection system to protect your own premises.
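The check a wireless intrusion detection system performs on your own premises is, at its core, a comparison of what is in the air against a list of the radios you own. The added example below (example code for this post, not the article’s own and not any vendor’s product) classifies a constructed wireless scan against an assumed asset register of authorised BSSIDs: a corporate SSID coming from a radio we don’t own is flagged as an evil twin, and it notes when that impostor is louder than any genuine AP, since that is the network a strongest-signal client will pick. The SSIDs, BSSIDs and signal values are all made up for the example.

```python
from dataclasses import dataclass

# Constructed sample: what a wireless scan taken inside the office might report as
# (ssid, bssid, channel, signal in dBm, security). The third row is the impostor:
# it broadcasts the corporate name from a radio we don't own, open, and loudest of all.
SAMPLE_SCAN = [
    ("CorpWiFi",          "AA-BB-CC-00-00-01",  6, -48, "WPA2-Enterprise"),
    ("CorpWiFi",          "AA-BB-CC-00-00-02", 11, -55, "WPA2-Enterprise"),
    ("CorpWiFi",          "11-22-33-44-55-66",  6, -35, "OPEN"),
    ("Free Airport WiFi", "11-22-33-44-55-67",  1, -60, "OPEN"),
    ("CorpWiFi-Guest",    "AA-BB-CC-00-00-03",  1, -52, "WPA2-Personal"),
]

# Assumed asset register: every BSSID (radio MAC) we own and the SSID it should carry.
AUTHORISED_BSSIDS = {
    "AA-BB-CC-00-00-01": "CorpWiFi",
    "AA-BB-CC-00-00-02": "CorpWiFi",
    "AA-BB-CC-00-00-03": "CorpWiFi-Guest",
}


@dataclass(frozen=True)
class ApFinding:
    ssid: str
    bssid: str
    verdict: str      # "authorised", "evil-twin" or "foreign"
    detail: str


def classify_scan(scan, authorised=AUTHORISED_BSSIDS):
    """Compare every network seen against the asset register.
    evil-twin : a corporate SSID broadcast by a BSSID we do not own (the fake AP case)
    foreign   : someone else's network; harmless unless clients are allowed to join it
    """
    corporate_ssids = set(authorised.values())
    # Strongest signal of a genuine AP per SSID: if the impostor beats it,
    # clients that pick the loudest network will prefer the impostor.
    best_genuine = {}
    for ssid, bssid, _ch, rssi, _sec in scan:
        if authorised.get(bssid) == ssid:
            best_genuine[ssid] = max(best_genuine.get(ssid, -200), rssi)

    findings = []
    for ssid, bssid, ch, rssi, sec in scan:
        if authorised.get(bssid) == ssid:
            findings.append(ApFinding(ssid, bssid, "authorised", f"channel {ch}, {rssi} dBm"))
        elif ssid in corporate_ssids:
            detail = f"unknown BSSID broadcasting corporate SSID ({sec}, {rssi} dBm)"
            if rssi > best_genuine.get(ssid, -200):
                detail += "; stronger than any genuine AP"
            findings.append(ApFinding(ssid, bssid, "evil-twin", detail))
        else:
            findings.append(ApFinding(ssid, bssid, "foreign", f"{sec}, {rssi} dBm"))
    return findings


def evil_twins(findings):
    """The subset worth paging someone about."""
    return [f for f in findings if f.verdict == "evil-twin"]


if __name__ == "__main__":
    for f in classify_scan(SAMPLE_SCAN):
        print(f"{f.verdict:10} {f.ssid:18} {f.bssid}  {f.detail}")
```

The “foreign” verdict is deliberately not an alarm: neighbouring networks are a fact of life, and the control for them is the client-side restriction described above, not the detector. What the detector earns its keep on is the corporate name appearing on a radio that is not in your register.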

Follow Stuart on twitter @Stuart83w

 

How to defend a network against common hacking techniques (Part 1)


As the technical director at Foursys I have seen our consultants respond on many occasions to security incidents within organisations’ computer networks.

Clearly at Foursys we have a bigger insight into network security than our respective customers, which is why I wanted to use this article to highlight how intruders or hackers can gain access to a computer network using some rather easy techniques. The ultimate objective is to give you the knowledge to defend against such attacks.

Below I have highlighted one of the easiest methods that could be used to trigger an attack from outside your local network.  In subsequent articles I will discuss other ways in which attacks can occur from both outside and inside the network.

Email a web link in.

I know what you’re thinking; surely this won’t work if you have email and/or web gateway system(s) in place, right?

Let me be clear here.  It is absolutely WRONG to presume this is the case.  Please read on.

Let’s say an attacker sends an email into the organisation being targeted. The hacker finds the website of the organisation they want to attack and makes a note of the domain name, which will be used to formulate the email addresses to send the mails to.

The email needs to be set up to appear humorous, e.g. it could say something like “Look at this elephant from India”. Humorous emails are far more likely to be read than those relating to financial or other matters, since users have become a little wiser to these now.

An attacker would be best placed to use some kind of anonymous email account, maybe through a web-based email solution such as Hotmail or Gmail.

The link within the email would go to a crafted PDF file hosted on a new website. The PDF file itself is designed to exploit versions of Adobe PDF Reader that are not fully up to date. As a techie, I know that it’s a difficult task to patch Adobe PDF Reader across an entire computer estate.

The PDF file itself delivers a payload that allows an intruder to gain remote control over the machine using web-based protocols. As it is user-initiated (by the end user opening the file), most local firewalls won’t prevent the attack.

To distribute the payload to as many recipients as possible, the attacker emails the link to the website hosting the crafted PDF to group recipients, something like:

  • [group recipient addresses: obscured on the original page by its spam protection]

Most organisations have email addresses like this, which are groups of recipients.

So what about email filtering?

The email filtering solution won’t find anything to check.  The contents will be plain, except for one URL link that goes to a new website.

So what about URL Filtering?

If someone sets up a brand new website, 90% of web filtering solutions won’t have categorised the content, and hence URL filtering (and email products that look at URLs) won’t normally provide accurate blocking of uncategorised sites.

So what about web based anti-virus checking?

In the majority of cases this is avoided by ensuring that the PDF file is password-protected, with the password simply written into the email that’s being sent with the link.

So what about desktop anti-virus checking?

It’s very easy to bypass the outer perimeters of defence using the above techniques. However, it might surprise you that it’s more difficult to get around desktop anti-virus than you may think.

Speed of attack. Many traditional AV products were slow to respond to some of the crafted PDF files being used for these types of attacks (some took many months). So any such attack would look to use a newly published/discovered vulnerability to ensure the chances of successful network penetration are high.

The other alternative is to use a vulnerability that is exploited in memory (a buffer overflow), since many anti-virus products don’t scan RAM; they only scan files read from or written to a drive. Whilst many more up-to-date examples are available, the most widely known example was MS08-067, which was successfully used by the Conficker virus to infect machines regardless of the anti-virus products running on computers within the network (in the majority of cases). The payloads that can be delivered are all very similar, so it’s the exploit that’s the key to success in many cases.

We recently demonstrated both the Microsoft and PDF style of attack at our Threat Landscape events held over the Autumn and it gained a lot of interest.

So how do you stop this style of attack occurring in the first place?

  • Patch Management
  • Carefully constructed web policies around encrypted (un-scannable) documents.
  • Two way network client firewall
  • Security Awareness Training
  • End User Education
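The “encrypted (un-scannable) documents” policy in the list above is the control that answers the password-protected PDF trick described earlier: if the gateway cannot see inside the file, it should not wave it through as clean. The added example below (written for this post, not code from the article or from any Foursys or vendor product) shows the minimum a gateway needs to apply such a policy. It recognises a PDF from its header, decides whether the file declares an `/Encrypt` dictionary in its trailer (or, for newer files, in its cross-reference stream dictionary), and returns the action to take. The three sample files are constructed, deliberately minimal byte strings with just enough structure for the checks, not real documents, and the parsing is simplified (it does not handle dictionaries nested inside the XRef dictionary).

```python
import re

PDF_MAGIC = b"%PDF-"
ENCRYPT_KEY = re.compile(rb"/Encrypt\b")
# A classic PDF ends with a trailer dictionary; incremental updates append more of them.
TRAILER_DICT = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
# PDF 1.5+ may replace the trailer with a cross-reference stream object (/Type /XRef).
# Simplified: does not cope with a dictionary nested inside the XRef dictionary.
STREAM_DICT = re.compile(rb"<<(.*?)>>\s*stream", re.S)

# Constructed minimal files: enough structure for the checks below, not real documents.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"trailer\n<</Size 3/Root 1 0 R>>\nstartxref\n9\n%%EOF\n"
)
ENCRYPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"5 0 obj<</Filter/Standard/V 2/R 3/Length 128/P -3904>>endobj\n"
    b"trailer\n<</Size 6/Root 1 0 R/Encrypt 5 0 R>>\nstartxref\n9\n%%EOF\n"
)
XREF_STREAM_PDF = (
    b"%PDF-1.5\n"
    b"6 0 obj<</Type/XRef/Size 7/W[1 2 1]/Root 1 0 R/Encrypt 5 0 R/Length 0>>stream\n"
    b"\nendstream\nendobj\nstartxref\n9\n%%EOF\n"
)


def is_pdf(data: bytes) -> bool:
    """Readers tolerate a little junk before the header, so look in the first 1 KiB."""
    return PDF_MAGIC in data[:1024]


def pdf_is_encrypted(data: bytes) -> bool:
    """True if the trailer (or the XRef stream dictionary) declares /Encrypt, meaning the
    content streams are ciphered and a gateway scanner cannot inspect them without the
    password. Only the last trailer counts: an incremental update may add encryption."""
    if not is_pdf(data):
        return False
    trailers = TRAILER_DICT.findall(data)
    if trailers:
        return bool(ENCRYPT_KEY.search(trailers[-1]))
    for m in STREAM_DICT.finditer(data):
        d = m.group(1)
        if b"/XRef" in d and ENCRYPT_KEY.search(d):
            return True
    return False


def gateway_policy(filename: str, data: bytes) -> str:
    """Action for a document arriving via the web or e-mail gateway:
    'scan'       : hand to the AV engine as normal
    'quarantine' : encrypted, the engine cannot see inside; hold for manual release
    'block'      : named .pdf but not a PDF at all (content/extension mismatch)"""
    if filename.lower().endswith(".pdf"):
        if not is_pdf(data):
            return "block"
        if pdf_is_encrypted(data):
            return "quarantine"
    return "scan"


if __name__ == "__main__":
    for name, body in [("report.pdf", PLAIN_PDF), ("elephant.pdf", ENCRYPTED_PDF),
                       ("elephant.pdf", XREF_STREAM_PDF), ("elephant.pdf", b"not a pdf")]:
        print(name, "->", gateway_policy(name, body))
```

Quarantine rather than outright block is the usual compromise: genuinely confidential PDFs do get sent encrypted, so the policy holds them for someone to release, which is the “carefully constructed” part of the bullet point.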

Foursys offer Security Awareness Training courses that allow you to recreate this type of attack within the confines of a test network, allowing you to get a significantly better understanding of how such attacks occur by replicating them in a secure environment.

Follow us on Twitter @FoursysLtd

 

Do I need to run a separate (providers) anti-virus solution at the edge of my network to that on the internal computer LAN?


This is a question that IT professionals have long asked, and in the following paragraphs I have tried to summarise the pros and cons of each option.

Reasons and benefits for a two-layered AV defence (i.e. web/email gateways from a different vendor to that on the endpoint)

Content delivered by gateways (such as email/web) is first checked by a totally separate AV provider, delivering true two-layered defence against malware and ensuring that content reaching end-user machines via these gateways has been analysed for malware twice. In short, malware that is missed by one vendor should be picked up by the other.

Disadvantages of separate solutions

Complexity. Typically it is easier to manage solutions from the same security provider (vendor) than to manage two or more separate security products delivered by different companies. Complexity and security don’t go well together: the more complex a computer network becomes, the more difficult it is to secure in the first place and the greater the chance of a security misconfiguration, which may nullify any advantage of having two AV providers.

Advantages of a single security supplier

Most security vendors provide significant discounts for purchasing more than one product from them, so taking multiple security products from the same vendor normally results in a lower overall cost, and in some cases a significantly lower one.

It may be possible to introduce appropriate content rules that block the majority of content that might contain malware anyway (i.e. exe, pif, etc.), significantly mitigating the risk of using a single AV vendor.
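A content rule of the kind just described is only as good as its ability to recognise an executable that has been renamed, so a rule worth relying on checks the file’s leading bytes as well as its extension. The added example below (example code for this post, not the article’s own and not any vendor’s product) does both: it blocks on a deny list of extensions (the post names exe and pif; the rest of the list is an assumption) and otherwise looks for a Windows PE/DOS header or an ELF header regardless of the file name. The sample file contents, including the constructed PE header, are made up for the example.

```python
import os
import struct
from typing import Optional

# Assumed deny list: the post names exe and pif, the rest are other common executable
# and script types that a gateway content rule typically refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi", ".dll"}


def looks_executable(data: bytes) -> Optional[str]:
    """Identify executable content from its leading bytes, regardless of the file name."""
    if data[:2] == b"MZ":
        # DOS header; e_lfanew at offset 0x3C points at the PE signature if this is Windows PE.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    return None


def content_rule(filename: str, data: bytes):
    """Gateway content rule: block by extension first, then by signature, so that an
    executable renamed to look like a document is still stopped before the AV engine
    ever has to recognise it."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"extension {ext} is on the deny list")
    label = looks_executable(data)
    if label is not None:
        return ("block", f"{label} content under misleading name {filename!r}")
    return ("allow", "no executable signature; hand to the AV engine")


def constructed_pe_header() -> bytes:
    """Constructed bytes with a DOS header pointing at a PE signature; not a runnable binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("holiday_photo.jpg", constructed_pe_header()),
        ("notes.txt", b"meeting at 10"),
    ]
    for name, body in samples:
        print(name, content_rule(name, body))
```

The second sample is the one that matters: a PE file called `holiday_photo.jpg` passes an extension-only rule but is caught by the signature check. What the rule allows still goes to the AV engine; the rule’s job is to remove the easy cases before the single vendor’s engine is the only thing standing in the way.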

Most edge/gateway solutions don’t rely on anti-virus alone; many use blacklists, URL data, reputation scoring and other technologies designed to stop undesirable content reaching the desktop regardless of the AV used.

In most cases one vendor means gateway and endpoint solutions with a similar user interface that are usually easier to operate, mitigating the risk of security misconfiguration due to complexity.

Summary

Security is always a balancing act between absolute protection and cost, complexity and management. It is Foursys’ opinion that if your organisation has the resource and budget to cope with multiple AV vendors’ products at the gateway and endpoint, then two AV providers absolutely do provide better security than one.

However, in today’s world of limited budgets and staffing resource, implementing solutions from the same vendor could actually be more secure in some cases. This is particularly relevant if it reduces overall complexity, thus minimising the chance of configuration mistakes. Not to mention that the budget saved by using the same vendor could result in additional money being available to spend in other areas of IT security (such as encryption or intrusion prevention technologies).
