By Kim Khor.
When assessing a protective stance, it is possible that our subconscious urge to protect territory interferes with a true view of things.
This is true for information security, and the enemy knows it. In years past, information security was focused on protecting the network, the perimeter, and the data and operations within. The game has changed since then and understanding data in transit is critical.
Much of information security has evolved from signals operations: the twentieth century romanticised secure communications and the code-breakers that gave us such great leverage. Principles, concepts, and lessons from that era are just as relevant in the information age.
What Is In Transit?
Regular communications such as email and remote access are simple examples of data in transit. But there is much more travelling to and fro than might appear on the surface.
Most organisations have a disaster recovery plan in place which mandates off-site backups and ‘hot spare’ duplicate systems. To become ‘off-site’ the backups must travel, often through a wire.
When you view a map on your GPS-enabled phone, the location of your phone is often sent somewhere in order to download the correct map.
When you log on to a work database from the airport lounge, guess what? Your sensitive data is uploading and downloading through the wireless hotspot system and other systems in between. There may be dozens of companies involved with provisioning these systems.
Why Is This News?
The cyber-enemy is probing us for vulnerabilities. Even if we don’t have any specific enemies, organised crime and unscrupulous governments are constantly patrolling cyberspace looking for opportunities, or vulnerabilities to exploit.
We have all put much effort into closing out vulnerabilities in the recent past. The enemy is now seeking softer targets. For example, now that we are doing our operating system updates, the baddies are not as interested in Windows vulnerabilities as they are in other software on our system. Some current examples include PDF, Flash, Java, and Office software. Delivering payloads of malware through PDFs (email attachments) and Flash objects (video on a news site, or games on social networking sites) is quite popular. These attacks are successful because we are not updating (or ‘patching’) these application software components as much as we are the operating system beneath.
Similarly, data in transit is often a softer target than the fortified castle at the data-centre.
What Are The Typical Targets?
Unfortunately, email continues to be a major area of interest. Most email traffic is shunting around in plain sight, relatively easy to snoop. However the content of the email is not the end game. The content of the email most often forms part of the attacker’s reconnaissance. They look for nuggets that will get them another step towards a more significant treasure.
From a pinched email the attacker can discover lots of technical information about your computer network. They can learn email addresses that are intended to be kept private. They can learn about relationships between people or amongst organisations. One innocuous email can provide many points of leverage to advance the attacker.
Wi-fi is another common problem area. The previous standard for securing a wi-fi connection (called ‘WEP’) is still commonly used. However there are recipes and software for breaking this security easily available on the internet and we have seen this vulnerability successfully used over and over. Once compromised in this way, your network does not benefit from all the fortification of the ‘front door’. The attacker is likely not detected at this stage and can explore your network. They can listen for more useful information whizzing around on the inside network, such as passwords. Quite often they can simply open and take documents, databases and so on.
If you have a server controlling mobile devices the attacker can potentially access text messages and voicemail from your mobile phones.
These two examples show that the content of your data in transit is not necessarily the final goal for an attacker. They are looking for ‘information about your information’ that will allow them to make further steps towards a different goal.
Other Angles?
What you think is your data in transit may not be what it appears. Receiving an email from a trusted partner is common, and habit-forming. If an attacker knows this, they could send an email that appears to be a trusted communication but is in fact a payload vehicle.
If you have a malware infection on the inside of your network, that malware might send notice back to home base informing the attacker (via their command and control system) of its location (your network) and local information gathered for use in the second assault. This communication back to home base will probably use the same communication path as you do to surf the web. Your system would need to know the difference between your browsing and the malware communication if it was to alert you or stop the improper data in transit.
If the malware infection came from a compromised website, the arrival of the malware and the departure of your confidential information might occur only seconds apart. With such tolerances, only automated systems can withstand such attacks. Human intervention will arrive too late.
If the malware functions as a keylogger, recording everything a person types, there could be a constant stream of new confidential information leaving your network. This could go on indefinitely.
Breaches of a huge entertainment company’s gaming network recently spilled an unprecedented amount of personal confidential information. This raises the question of who to trust to receive and hold your transmitted information. It has also identified that the insurance industry is lagging behind the information revolution.
Another topical example is that of phone hacking. The UK parliament has recently held special events to hear from a media mogul and the prime minister regarding their knowledge of systemised hacking on an ‘industrial scale’. Consider what would be gleaned from your phone and from messages stored on your phone company’s network (voicemail). Also consider what you send to others’ phones including voice messages you leave.
What Are Some Options?
Here are some security techniques, technologies and approaches that are current, and can provide leverage in dealing with data in transit in the new threat environment. This is not a recipe, but a list of current options that may suit your strategy. This list can also be used to review your current information security stance or simply to spark useful discussions about integration and budget.
- Patch/update application software (such as PDF reader) as well as operating systems.
- Use ‘white-listing’ – everything is denied other than items on the list. This concept can be applied to web addresses, executable software, email and web content filtering, and more.
- Employ ‘sender policy framework’ (SPF) to protect the integrity of email communications. This prevents someone ‘spoofing’, or impersonating you, sending email that appears to have come from you. It is also used conversely, to identify incoming email that could be pretending to have come from a legitimate sender.
- Educate users – almost always the weak link. Training should address password behaviour, exposing ‘information about information’, discerning between work use and personal use (as well as work gadgets and personal gadgets), why the policy says what it says, assisting and observing peers to raise the bar overall, recognising symptoms of an adverse event, and incident reporting.
- Review your insurance and other risk instruments (such as commercial contract clauses) for coverage of adverse cyber events. Ask ‘what if’ scenario questions.
- Use firewalls on devices such as personal computers to control what can come in and out of the device – especially mobile computers.
- Compartmentalise (segment and segregate) the internal network including remote access and wireless connections as well as bridges to such things as mobile phone networks. This makes it much more difficult for a hacker to move from their entry point to where the treasure lives. It may even prevent them gathering the information they need to make that initial entry in the first place.
- Use multi-factor authentication, particularly for traffic crossing significant boundaries, such as remote access. This is where you need another code (for example a FOB token or text message code) to log on, along with your normal password.
- Enforce a sound password policy for all authentications. Short or simple passwords can be broken with ‘brute force’ quite quickly these days. Think of short passwords as using a plastic padlock on a gate. It may deter by appearing to be a lock but will fail if tested with intent.
- Use antivirus software from different vendors – perhaps one on the workstations and a different one on servers, then different again on perimeter gateways. They all cover ninety-something percent of viruses and each has different shortcomings.
- Centralise collection of log files and keep them for months or years. Security process should review these logs periodically and incident response plans should address these logs specifically. The review methodology should correlate logs of various different kinds to form a consolidated chronology. This can provide critical early warning capabilities. In forensic operations, central and aggregated logs can make all the difference.
- Disable things you are not using and disable unnecessary privileges. In times past, some application software required administrator privileges on the personal computer. This is quite unacceptable now. Often legacy features are enabled by default so things work (such as ‘LanMan authentication’) but really they are significant vulnerabilities.
- Require transport layer security (TLS) encryption for all email relay (server to server) communications. This will make email traffic unreadable to the casual observer performing an opportunistic wire tap.
- Enforce use of automatically locking screens on mobile devices. Consider auto-wiping of the device after some number of failed attempts to log on. Also consider a tracking function that will locate the device if used by a thief. This is not so much to recover the hardware but to assist law enforcement or others assisting.
Kim Khor is a computer forensics expert. Kim consults on network security, incident response, risk and compliance, investigations,and electronic evidence management in the Asia Pacific region. Kim can be contacted at: kim.khor@khorwills.com.
