Desperately looking for English material on VC++ 6.0 or the TCP/IP network protocols (with a Chinese translation would be even better). Endlessly grateful...
Author: qingshuangjian  01-01 08:00
 

Re: Desperately looking for English material on VC++ 6.0 or the TCP/IP network protocols (with a Chinese translation would be even better). Endlessly grateful...
Author: sgne  01-01 08:00
Protecting TCP/IP

Tim Keanini, Chief Technology Officer

nCircle

Available online 16 December 2005.

Organisations are already so deluged with attacks that the current strategy of responding to intrusions no longer works because the alarms are turning into a new source of organisational ‘white noise’. An approach combining reactive technology such as Intrusion Detection systems, and Proactive Network Security offers realistic protection by treating threats and vulnerabilities not as isolated events but as permanent “features” of the new networked environment.





Article Outline



What makes TCP/IP vulnerable?

The network

Security is not one of the underlying reasons for this structure

Complex applications

Changing threat: unstructured vs. structured

The customer problem

Proactive and reactive

Getting pre-emptive

Influences on policy

What should be vs. what is

Summary

Vitae










Security has of course become one of the highest priorities of every company. Despite all the hype, the extent of the problem isn't always understood. For example, a typical Global 2000 enterprise security system generates over 2,000,000 alerts every day. In 2004, digital attacks did over $150 billion dollars worth of damage. And, the number of attacks is doubling every year. Security is no longer a matter of guarding against occasional attacks. Organisations are under perpetual and continual attack.



Digital attacks are now more frequent than spam. And, just as it is no longer possible to deal with spam by opening each message for visual inspection, digital attacks need to be dealt with proactively. The constant flood of attacks is a new fact of life for organisations and it requires a new approach to security.



What makes TCP/IP vulnerable?



There are only two reasons why TCP/IP networks are vulnerable to attack: the network itself and the software applications that run on it.



The network



TCP/IP's vulnerability is a consequence of a fundamental design decision: it is a “stupid” network, in the words of David Isenberg in a paper he wrote while working at AT&T. A stupid network doesn't have many services built into it. In contrast, a smart network, like the telephone system, puts in lots of features and services: call waiting, caller ID, and the like. This works well for the phone companies because it is a private network that they completely own and can control. For example, they have the power to decide which services are put in; they can charge several dollars a month for caller ID even though it does nothing but transmit a handful of information at the beginning of a call.



But the designers of the Internet had different aims. They wanted a public system that would easily integrate existing networks, would be easy to join, and would encourage innovation. So, they built a “stupid”, or end-to-end, network that does little more than move bits from any A to any B. That way, the network can accommodate any project that needs to move bits around without deciding ahead of time which sorts of projects it will favour.



The Internet has worked out better than its designers could have ever imagined, in large part because of its end-to-end architecture. But this success comes at a price - especially when it comes to security.



Security is not one of the underlying reasons for this structure



With the “end-to-end network” there are solid network architectural and economic reasons for building services at the “ends” of the network rather than into the middle. However, security is not one of the underlying reasons for this structure. As the Internet is by its very nature decentralised and open, there is no control over who gets onto the network. The result is that it is so easy to hook devices into the network that most companies literally do not even know what they have on their network. And because the end-to-end Internet leaves security to the ends of the network, applying uniform and effective security controls on every single TCP/IP device is pretty much impossible.



Complex applications



The other reason TCP/IP networks are vulnerable to attack: complex applications. Software applications are not getting any simpler. They have more features, they interact with more applications, and they work over increasingly complex networks. Inevitably, this complexity breeds error.



Currently, there are three categories of errors that create network vulnerabilities and exposures:



• Design error: There is little that a customer can do about design errors in the software his or her company uses.



• Implementation error: Errors the vendor has made in implementing its software leave the customer with no recourse except to apply the patches as soon as they become available.



• Configuration error: The customer can continuously work on fixing configuration errors, but in a complex software environment – i.e., every organisation's software environment – perfection is not an option.



Continuous improvement is the best that can be expected. To sit and do nothing offers your attacker a target-rich environment.



Changing threat: unstructured vs. structured



The current realities faced by organisations when dealing with network security are largely the result of the original design goals of TCP/IP that fall short in providing an effective platform for security controls. Also contributing to the challenges of network security is the growing complexity of applications that make them inherently insecure. This means that for most organisations the need to find and fix errors before your opponent can exploit them has become like a game that you have to play every single day. And as with any good game, you must get inside the mind of your opponent to understand your own position.



Post 9/11, the awareness and categorisation of threats have changed. Most of what the connected world has experienced are unstructured threats, i.e., attacks directed not at a specific organisation but at a technical or social flaw present in many organisations, often at the infrastructure level.



Your Aunt Alice and Uncle Bob have the same chance of getting hit by an unstructured attack as a large financial institution or government agency. The perpetrator of an unstructured threat presumably “succeeds” if some indefinite percentages of machines are vulnerable.



Over the past few years, the number of structured threats has been steadily rising. These sorts of threats are far more dangerous to organisations, for they are targeted specifically and will be repeated until they succeed. The opponent is patient, well funded, and will enter your network in ways creative enough to entertain a Hollywood audience.



If an organisation does not have an effective security program that can handle unstructured threats, it probably doesn't have a fighting chance to fend off a structured attack.



The customer problem



Companies face an unprecedented problem securing themselves against intruders and attacks. Every single day, their infrastructure is changing, the threat environment is evolving and more and more business functions make their way onto the TCP/IP network.



To get a sense of the magnitude of the problem, it is not sufficient to just look at the growing number of known vulnerabilities or the reported incidents. The other important parameter to the dimensions of this problem is the number of IP devices connecting to the network. What is important to your opponent is how much of a ‘target surface’ they will have to attack. Using publicly available statistics, we can estimate how target-rich the Internet is today. There are statistically more untapped targets for your opponent to exploit.



In determining the number of vulnerabilities, a conservative approach is to assume an average of 10 vulnerabilities per connected host. There are a number of questions to be considered in estimating such numbers. Is the attack surface available to attackers really that large? Do the attackers have even more untapped targets to compromise? You could sit and argue the numbers, but not knowing the target surface of the networks within your organisation is not acceptable. Not only should you know what the target surface looks like today, but last week and last month as well. Are your resources operationally fit and battle ready? In the spirit of Sun Tzu, have you made your position unassailable?



One thing is for certain: there are more targets for the bad guys, more bad guys, and more creative attack methods. Enterprises have to assume that their IP networks will continue to be assailed.



With so many risks, organisations cannot wait for attacks to damage them and then respond. Organisations need to guard proactively against the attacks that are a new part of the network infrastructure, not merely react to them.



Proactive and reactive



The Proactive Network Security approach offers a new strategy by combining five key elements:



• detailed assessment of all the devices on the network



• continuous monitoring of those devices



• maintenance of a database of known vulnerabilities



• evaluation and prioritisation of threats based on the business value of each of the networked devices or information on those devices



• management of corrective actions through ownership and workflow.



Reactive systems, such as intrusion detection or intrusion prevention systems, depend on an attack, incident, or loss of some degree to occur before they start the information gathering and analysis that ultimately drives some form of automation or reporting. They complement proactive security measures the same way fire-fighting complements fire prevention.



A proactive system constantly tests the organisation's network for vulnerabilities and exposures. It then assesses and prioritises those vulnerabilities and exposures and manages the process by which those vulnerabilities and exposures are addressed. All IP devices attached to the network are periodically or continuously scanned and profiled for changes, violations to policy, and vulnerabilities and exposures. Analytics are applied so that the administrators and business owners are presented with actionable intelligence relative to the risk to their business. The defect is then corrected, before security can be breached.



In contrast to reactive systems, proactive systems have the advantage of providing valuable intelligence about an organisation's network and networked devices even when they are not under attack. Of course, proactive systems work best when complemented with appropriate reactive systems. This provides organisations with a layered approach to network security where vulnerabilities are detected and dealt with on multiple levels.



So, why are reactive measures more common than proactive ones? First, there is an illusion of immediacy to reactive measures: A company only reacts if it recognises that it's been attacked. This makes reactive measures seem more urgent, and often more easily justified. On the other hand, a company may never know exactly what attacks its proactive measures prevented, so the immediacy of the value of those measures isn't as obvious.



Reactive measures and technologies are better understood as they have been around longer and are widely deployed. The initial costs involved with a reactive security program are much lower than those associated with creating a proactive system. However, while making the move to a proactive system requires a substantial investment in building and maintaining a database of vulnerabilities and remedies, this preventative stance will save your organisation money in the long run. The benefits easily outweigh the additional work and investment – damage is prevented before it happens and more of the network is understood and protected. An ounce of prevention is worth a pound of cure.



Getting pre-emptive



There is no realistic possibility of eliminating all threats. The very nature of the basic architecture of TCP/IP and the inevitable complexity of applications makes this impossible. True success consists in proactively reducing risks to the network.



Each organisation has its own level of risk tolerance, embodied in its policies and practices. In looking at reactive network security, the focus is on detective measures and recovery measures. These detective measures try to identify an incident or loss, resulting in some level of recovery. No system is 100% accurate, so detective and recovery measures complement the proactive measures much like how fire safety has both fire-fighting and fire-prevention.





Avoiding the rear-view mirror approach



Why not just track the number of attacks or security incidents per year? Historically, this was the case but it is dangerous because for one, not all incidents are reported and two, any smart biological agent knows that it is far more important to compromise its host but keep it alive. It is much more valuable for your opponent to take control of a computer and use it for secondary activities (stealing credentials, exploiting the trust this machine might have with other machines, etc.) than to affect the machine in a way that is easily detected or kill the resource they just compromised. For that matter, basing your strategy on the attack and security incident statistical data is like driving your car while looking only at your rear-view mirror when someone is trying to run you off the road.





To take a proactive stance to network security, organisations must make the shift from using only detective and recovery measures and include the following:



• Directive measures state the goals of “how things should be or how things should be done”. Directive measures are usually known as security policy.



• Preventative measures go out and evaluate “what is” and compare it to “what should be”.



• Corrective measures, which are the result of preventative measures, are focused on bringing these defects or outliers back into the norms of operations.



Figure 1. Proactive security in summary





Implementing such proactively focused measures is not about deploying a point-solution or point-product. It is a lifecycle product involving technology, processes and people and the types of proactive measures discussed above. Let's look at the major steps in this lifecycle represented by this workflow diagram.



Influences on policy



A sound security policy begins with an assessment of the standards and processes by which it is going to measure compliance. This is influenced by three sources, two external to the organisation and one internal, which are as follows:



• The External Vulnerability Catalog lists the known external threats. Catalogs such as the Common Vulnerabilities and Exposures (CVE), Bugtraq (Symantec), Vigilinx (TruSecure), and iDefense list all known vulnerabilities of every piece of software.



• External Regulatory Criteria within regulated industries establish a framework for auditors so that security can be measured in a uniform manner. Examples include HIPAA, GLBA, and FIPS-199.



• Enterprises usually have various working groups and committees that create policies designed to make the network and software environment secure. These are closely aligned with the business's tolerance for risk and change as the business changes.



It is important to keep in mind that enterprise security policies are not carved into stone and will evolve and change over time. Sometimes a vulnerability will be deemed acceptable, or a new vulnerability will emerge that requires “patching” the policies (e.g., “Henceforth, handheld computers cannot be left unattended in the restrooms”). The critical element here is that business owners have ownership over their computing environment and accept the responsibility and accountability of the vulnerabilities and exposures their infrastructure brings to the business.



Figure 2. Workflow diagram for proactive lifecycle





What should be vs. what is



Once policies state what is acceptable and what is not acceptable, an organisation assesses its existing network infrastructure, comparing “what should be” to “what is.” This assessment must encompass not only the search for known vulnerabilities but also the violations to system and network baselines sometimes referred to as ‘gold standards’. This can be done intermittently, with the risk of being vulnerable to attack in between assessments, or it can be done continuously. When vulnerabilities are found, they are presented to the enterprise, preferably in prioritised, easily understood reports so that the information is fully actionable.



If an organisation finds something on its network that is either a violation to policy or a vulnerability, there are only three actions that can take place: Remediate, mitigate or accept the flaw. It is important at this point that someone take ownership over the flaw itself. If the business owner chooses to accept the flaw, the internal security policy must be modified to represent this exception and the workflow continues.



Summary



When comparing Information Technology security practices to mature systems like fire safety, which dates back to 300 BC, we see how immature the industry really is. It is a safe bet that the industry will continue to evolve as change is happening at the threat level, at the technical level, and at the business level.



The most significant shift in your organisation's strategy will be moving from the reactive side of the incident line to the proactive side. This is true with any other system that has an active opponent. Many organisations have already made the shift and experience positive results on a daily basis.
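The five elements listed under “Proactive and reactive” (assessment, monitoring, a vulnerability database, prioritisation by business value, and a remediate/mitigate/accept workflow) and the “what should be vs. what is” comparison are shown together below as an added example in Python. It is not code from the original article, the forum post, or nCircle's products. Every host, baseline, catalog entry and business value is constructed for the example; the vulnerability ids are placeholders rather than real CVE numbers; and the severity weights and the severity × business value ranking are assumptions chosen for illustration, not a method the article prescribes.

```python
from dataclasses import dataclass

# Constructed "gold standard" baselines: what SHOULD be, per host role.
# Ports and settings are illustrative values chosen for this example.
BASELINES = {
    "web": {"allowed_ports": {22, 443}, "required": {"tls_min": "1.2"}},
    "db": {"allowed_ports": {22, 5432}, "required": {"remote_root": "off"}},
}

# Constructed vulnerability catalog: (product, version) -> [(id, severity 1-10)].
# The ids are placeholders, not real CVE numbers.
VULN_CATALOG = {
    ("httpd", "2.4.0"): [("VULN-PLACEHOLDER-1", 7)],
    ("openssh", "5.3"): [("VULN-PLACEHOLDER-2", 5)],
}

# Constructed scan results: what IS on the network, with a business value (1-5)
# assigned by the owner of each host.
HOSTS = [
    {"name": "web01", "role": "web", "value": 4, "ports": {22, 80, 443},
     "settings": {"tls_min": "1.0"}, "software": [("httpd", "2.4.0")]},
    {"name": "db01", "role": "db", "value": 5, "ports": {22, 5432},
     "settings": {"remote_root": "off"}, "software": [("openssh", "5.3")]},
]

VALID_ACTIONS = {"remediate", "mitigate", "accept"}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "policy" (baseline violation) or "vulnerability" (catalog hit)
    detail: str
    severity: int    # technical severity, 1-10 (assumed scale)
    value: int       # business value of the affected host, 1-5 (assumed scale)

    @property
    def priority(self) -> int:
        # Rank by risk to the business, not by technical severity alone.
        return self.severity * self.value


def assess(hosts, baselines, catalog, exceptions=frozenset()):
    """Compare each host against its baseline and the vulnerability catalog.

    `exceptions` holds (host, detail) pairs a business owner has accepted;
    they are part of the policy now and are not reported again.
    Returns findings sorted from highest to lowest business priority.
    """
    findings = []

    def record(host, kind, detail, severity):
        if (host["name"], detail) not in exceptions:
            findings.append(Finding(host["name"], kind, detail, severity, host["value"]))

    for host in hosts:
        baseline = baselines[host["role"]]
        # Policy check 1: listening services the baseline does not allow.
        for port in sorted(host["ports"] - baseline["allowed_ports"]):
            record(host, "policy", f"unexpected listening port {port}", 4)
        # Policy check 2: required settings that deviate from the baseline.
        for key, want in baseline["required"].items():
            got = host["settings"].get(key)
            if got != want:
                record(host, "policy", f"{key}={got!r}, baseline requires {want!r}", 6)
        # Vulnerability check: installed software present in the catalog.
        for product, version in host["software"]:
            for vuln_id, severity in catalog.get((product, version), []):
                record(host, "vulnerability", f"{product} {version}: {vuln_id}", severity)

    return sorted(findings, key=lambda f: f.priority, reverse=True)


def decide(finding, action, exceptions):
    """Apply the owner's decision: remediate, mitigate or accept.

    Accepting a flaw writes an exception into the policy, so the next
    assessment treats it as the new "should be". Remediate and mitigate
    leave the policy unchanged; the finding disappears once a later scan
    no longer observes it.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(VALID_ACTIONS)}")
    if action == "accept":
        return exceptions | {(finding.host, finding.detail)}
    return exceptions


if __name__ == "__main__":
    policy_exceptions = frozenset()
    for f in assess(HOSTS, BASELINES, VULN_CATALOG, policy_exceptions):
        print(f"[{f.priority:>2}] {f.host:<6} {f.kind:<13} {f.detail}")
    # The web01 owner accepts port 80 (say, an HTTP-to-HTTPS redirect); re-assess.
    port80 = [f for f in assess(HOSTS, BASELINES, VULN_CATALOG) if "port 80" in f.detail][0]
    policy_exceptions = decide(port80, "accept", policy_exceptions)
    print(len(assess(HOSTS, BASELINES, VULN_CATALOG, policy_exceptions)), "findings remain")
```

Running the block lists four findings with the httpd vulnerability on web01 first: its severity is lower than a direct hit on db01 would be, but the business weighting moves it ahead of the database's medium-severity OpenSSH entry. After the owner accepts port 80, the re-assessment reports three findings and the accepted one is carried as a policy exception rather than silently dropped, which is the ownership step the article insists on.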

Copyright © 2005-2007, all rights reserved, WWW.JOBMET.COM
ICP licence: 京ICP备06019556号