Archive for April, 2009

UK versus US cyber-security

Thursday, April 30th, 2009

Much has been made of the Obama administration’s 60-day cyber-security review. Should we do the same in the UK? There are a growing number of people here (myself included) who would welcome a review of how we tackle international cyber crime, but what is the state of the UK’s security compared with that of our US neighbours?

UK cyber security is a bit like Mac security. It’s reputedly pretty good, but there are some holes, and it benefits massively from not being the primary focus for attacks. So in the same way that attackers generally target Microsoft because its user base is the largest, it could be argued that the US is targeted over the UK because it too is a bigger, more attractive target.

As an outsider I cannot definitively say that UK security is better than that of the US. It should, after all, be an easier job, as the task is smaller. However, given the huge number of data leaks that are happening in the UK, I do not have a great deal of confidence that the UK government is doing such a good job on infrastructure security. Perhaps it is time for that review, after all.

Spam: winning the war?

Wednesday, April 29th, 2009

We have introduced a significant development in the war against spam this month, with a new heuristics package that significantly improves the way we can detect and block spam. We also released our own high-performance rules engine, which increases scanning speeds by 100 per cent. We think this means we now have the most effective product on the market, and when we introduce our new Relationship-based product next month, we’ll have spam detection and block rates of at, or near, 100 per cent.  More on that to come in the next few weeks.

The heuristics package we’ve released now includes two mail scanning modules. The first searches an email for the characteristics of a threat, including variants that haven’t yet been ‘officially’ recognised (or had a signature released). The second recognises the attributes that mark a spam email as having been produced by a botnet, for example the formation of the email header and the mechanics of the SMTP transaction, including variants of botnet-produced emails. In the first few hours it picked up more than 25,000 malicious spams from 16,000 sources.

The rules engine replaces the current system, and we’re migrating customers to it as I write. It targets rules at particular message sections, choosing which signatures should be run against which sections of the message, based on analysis of that message.
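As an added illustration (not Network Box’s heuristics package or rules engine, whose internals the post does not describe), the following Python scores a message using the two ideas above: botnet-fingerprint heuristics on the SMTP envelope and message header, and rules that are dispatched only to the message section they inspect. The two sample messages, the rule weights and the block threshold are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Each rule declares the one message section it inspects, so the engine only
# hands it that section (envelope dict, parsed headers, or body text).
RULES = []

def rule(name, section, score):
    def register(fn):
        RULES.append((name, section, score, fn))
        return fn
    return register

@rule("helo-unqualified", "envelope", 2)
def helo_unqualified(env):
    # Bots often HELO with a bare hostname, 'localhost' or an unbracketed IP;
    # RFC 5321 expects a fully qualified name or a bracketed address literal.
    helo = env["helo"]
    return "." not in helo or re.fullmatch(r"\d+(\.\d+){3}", helo) is not None

@rule("no-reverse-dns", "envelope", 2)
def no_reverse_dns(env):
    return not env.get("client_rdns")

@rule("missing-message-id", "headers", 2)
def missing_message_id(headers):
    # A real MUA/MTA adds Message-ID; many bot templates omit it.
    return headers.get("Message-ID") is None

@rule("unparseable-date", "headers", 1)
def unparseable_date(headers):
    try:
        parsedate_to_datetime(headers.get("Date", ""))
        return False
    except (TypeError, ValueError):   # TypeError on Python < 3.10
        return True

@rule("ip-literal-url", "body", 3)
def ip_literal_url(body):
    return re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", body) is not None

BLOCK_THRESHOLD = 5

def score_message(env, raw):
    """Parse once, then run every rule against only its declared section.
    Returns (total_score, names_of_rules_that_fired)."""
    msg = message_from_string(raw)
    sections = {"envelope": env, "headers": msg, "body": msg.get_payload()}
    fired = [(name, pts) for name, sec, pts, fn in RULES if fn(sections[sec])]
    return sum(pts for _, pts in fired), [name for name, _ in fired]

def verdict(env, raw):
    total, fired = score_message(env, raw)
    return ("block" if total >= BLOCK_THRESHOLD else "accept"), total, fired

# Constructed samples (not captured traffic); addresses use RFC 5737 ranges.
BOT_ENV = {"helo": "localhost", "client_ip": "203.0.113.7", "client_rdns": None}
BOT_RAW = (
    "From: \"Bank\" <alerts@bank.example>\r\n"
    "To: victim@example.net\r\n"
    "Subject: Urgent: verify your account\r\n"
    "Date: yesterday\r\n"
    "\r\n"
    "Click http://198.51.100.9/verify to confirm your details.\r\n"
)
LEGIT_ENV = {"helo": "mail.example.org", "client_ip": "192.0.2.25",
             "client_rdns": "mail.example.org"}
LEGIT_RAW = (
    "From: Alice <alice@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: Meeting notes\r\n"
    "Date: Wed, 29 Apr 2009 10:00:00 +0000\r\n"
    "Message-ID: <20090429100000.1234@mail.example.org>\r\n"
    "\r\n"
    "Notes are at https://www.example.org/notes as discussed.\r\n"
)

if __name__ == "__main__":
    for label, env, raw in (("bot", BOT_ENV, BOT_RAW), ("legit", LEGIT_ENV, LEGIT_RAW)):
        print(label, verdict(env, raw))
```

The section dispatch is static here (each rule names its section up front); the post describes choosing sections per message after analysing it, which would replace the fixed `sections` lookup with a per-message decision. The weights are illustrative: in production they are tuned against a corpus so that no single benign quirk (a missing Message-ID from a badly configured but legitimate server, say) reaches the block threshold on its own.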

The battle against spam is never completely won, and we’re certainly not complacent. But I like to think we’re making the spammers’ job just that bit harder.

User Interface upgrade

Wednesday, April 29th, 2009

Customers logging on to the user interface of their Network Box will see a host of improvements. A new look and feel with easy-to-use tabs allows us to provide greater functionality, from control of the SSL VPN to certificate management. The aim is to make it easier to manage security settings and to simplify reporting.

More details can be seen here.

As ever, we welcome your feedback.

Intrusion Detection – What do we want?

Monday, April 20th, 2009

We have been providing Intrusion Detection and Prevention systems as part of our service for over eight years.  It is one very important part of any organisation’s defences, but is frequently ignored.  So we have been trying to decide what is needed in a UTM device to continue enhancing this feature. There has to be flexibility in what is deployed, as organisations vary and one size does not fit all.  Over the years we have realised that four modes of operation are needed, provided by two engines:

1.  A lightweight, zero-latency, very fast and high-performance intrusion detection and prevention system.
2.  A full stream-reassembly, packet inspection system.  This must be able to operate in promiscuous mode (fed from a switch mirror/SPAN port, a network tap, or a hub), IP-less if required, and in three modes:

  • Passive IDS – alerting and logging of traffic, side-by-side with the data stream. Useful for policy enforcement and more aggressive rules.
  • Active IDS – alerting and logging of traffic, side-by-side with the data stream, but also able to actively tear down connections (for example by injecting TCP resets).
  • Inline IPS – alerting and logging of traffic, inline with the data stream, and able to drop traffic.

It must be possible to combine these modes to fit the requirements of the site being protected.  Deploying a highly customised approach allows the highest protection level achievable within the cost and performance constraints that the customer’s requirements place upon the provider.

Signatures need to be maintained and updated frequently and rapidly, and must be deployable on a global, per-Operations-Centre and/or per-customer basis.  An on-the-box system should take the signatures, configurations and heuristics and produce a live configuration for each box. Each rule should be documented with a help page that can be retrieved for reporting and analysis purposes.   Also, to benefit from other providers in the industry, it would be sensible to use a standardised signature format such as the Snort/VRT rule language, so that the engine can use rule licences or subscriptions that customers already hold.

This new engine should offer a much more powerful rules language than exists now, and more stream and protocol decoders.  Obviously the full-blown system would come with a performance impact.  The solution is to offer the four modes of operation, so that protection level (and latency) can be balanced against performance.  It is also important to be able to configure different interfaces to operate in different modes (for example, active IDS on the LAN interface for policy enforcement and inline IPS on the Internet-facing interface), or, as many do now, to run one mode for all traffic.
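To make the signature-management and per-interface-mode points above concrete, here is an added example (my own illustration, not Network Box’s engine or configuration): a parser for Snort-style rules, a per-customer policy that disables individual sids, and a builder that emits a live ruleset per interface with each rule’s action rewritten for the mode configured on that interface. The rules, sids, policy and the mode-to-action mapping are all constructed for this example; the rules are not VRT content.

```python
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':' value (double-quoted or bare), ending in ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def _unquote(v):
    return v[1:-1] if v is not None and len(v) >= 2 and v[0] == v[-1] == '"' else v

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # ordered (keyword, raw value)

    def opt(self, key):
        return next((_unquote(v) for k, v in self.options if k == key), None)

    def opts(self, key):
        return [_unquote(v) for k, v in self.options if k == key]

    @property
    def sid(self):
        return int(self.opt("sid"))

    def render(self, action=None):
        """Re-emit the rule, optionally with a different action keyword."""
        body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in self.options)
        return (f"{action or self.action} {self.proto} {self.src} {self.sport} "
                f"{self.direction} {self.dst} {self.dport} ({body})")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        options = [(o.group(1), o.group(2)) for o in OPTION_RE.finditer(m.group("opts"))]
        rules.append(Rule(*m.group("action", "proto", "src", "sport", "dir", "dst", "dport"), options))
    return rules

# The post's three modes mapped to rule actions (this mapping is the example's
# own). Snort's 'reject' drops and sends a TCP reset / ICMP unreachable, the
# closest fit for an "active IDS" tear-down; 'drop' is the inline IPS action.
MODE_ACTION = {"passive": "alert", "active": "reject", "inline": "drop"}

def build_live_config(rules, policy):
    """Per-box ruleset: omit sids disabled for this customer and rewrite each
    rule's action to match the mode set on each interface."""
    live = {}
    for iface, mode in policy["interfaces"].items():
        action = MODE_ACTION[mode]
        live[iface] = [r.render(action) for r in rules
                       if r.sid not in policy["disabled_sids"]]
    return live

def documentation_index(rules):
    """sid -> help-page material (message, revision, references) for reporting."""
    return {r.sid: {"msg": r.opt("msg"), "rev": r.opt("rev"),
                    "references": r.opts("reference")} for r in rules}

# Constructed rules written for this example; sids in the local range >= 1000000.
GLOBAL_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB traffic to port 445 from outside"; flow:to_server,established; sid:1000001; rev:1; reference:url,docs.example/sid/1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC client traffic leaving the LAN"; flow:to_server; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"DNS query"; sid:1000003; rev:1;)
"""
# Constructed per-customer policy: this site monitors DNS elsewhere.
CUSTOMER_POLICY = {
    "disabled_sids": {1000003},
    "interfaces": {"LAN": "active", "NET": "inline"},
}

if __name__ == "__main__":
    rules = parse_rules(GLOBAL_RULES)
    for iface, lines in build_live_config(rules, CUSTOMER_POLICY).items():
        print(iface)
        print("\n".join(lines))
```

The rendered output re-parses with the same parser, which is the property a per-box build step needs so that the live configuration can be audited against the global set. A real deployment would also carry the per-Operations-Centre layer between global and per-customer, and would refuse to load a customer override for a sid that no longer exists upstream.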

Logging should be integrated into the Operations Centre stats, reporting and monitoring systems, as well as into customer reporting and the user interface’s administrative functions.

Managed Security – The Reasons Why.

Friday, April 10th, 2009

The CTO of our American operation, Pierluigi Stella, has recently written a well-argued article that outlines many of the advantages of using a managed security service like Network Box.  The reasons given in this article always seem so obvious to me that I find it surprising that more companies don’t go down this route, but I guess I would!

There seem to be three categories of reasons why organisations decide not to use a managed service:

1.  The technical person on site is interested in technology, is keen to gain experience with security and new hardware, and claims they can do it more cheaply.  This, of course, is not a good reason, but it is understandable and managers need to be aware of it.  Security is a minefield, and allowing people to experiment with the organisation’s security is not a good idea. Check that they have the right experience, and then consider the following point.

2.  Another reason is not doing the costing correctly.  It is assumed that an extra piece of equipment will resolve the security issue and that its purchase is the sole cost.  Of course, what this new responsibility actually requires is that the IT resource gets up to speed on the new kit, configures it, tests it and installs it, and then, the real issue that is rarely addressed sufficiently, maintains and monitors it.  Done correctly, this takes a significant amount of time, and the IT resource isn’t cheap.

3.  Then there is the situation where management have a technical resource and simply assume that since they can configure an Exchange server, security is also something they should be able to do.  This is quite common. The technical resource, of course, doesn’t want to disappoint, but is frequently not trained and doesn’t know what to do, so they do their best and leave the company vulnerable.

The other issue that is rarely addressed is what to do when this resource goes on holiday, is sick or leaves the company.  Some staff are really dedicated: they will never leave, and they are happy to come back from holiday or rise from their sick bed to address a crisis, but this can be too late, and if they are sick it can lead to errors.  Other staff, after years of doing this, are not so happy, and who addresses the problem then?  Either way, this needs to be planned for, and many companies have not set up a procedure to deal with it.

So if you do security in-house, be sure you have the right staff in terms of both numbers and training, trained for the job rather than for improving their CV, and that they have the right equipment.  Or you might just want to use a managed service, which is more resilient and more easily replaced if it doesn’t do its job right.

Twitter and security policies

Thursday, April 9th, 2009

Yesterday, we released the latest guide in our ‘securing social media’ series; this time focusing on Twitter. You can download the full Guide to Secure Use of Twitter here.

While I don’t want to overstate the case, there are security risks associated with Twitter. The most significant of these is the willingness of people to click on links shared with them by people they don’t really know. Often these links are masked by URL-shortening services such as tinyurl or bit.ly, so the real destination cannot be seen before clicking; it could be a site hosting malware, or a landing page for a spam campaign or phishing attack.
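The practical check behind that warning is to resolve a shortened link before anyone clicks it, one redirect at a time, so every intermediate host is seen and a loop or an over-long chain is caught rather than followed blindly. The Python below is an added example (not from the Twitter guide): the shortener list holds only the two services named above, the redirect chains are constructed for the example and were never fetched, and the `assess` policy flags are my own choice.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Shortener hosts named in the post; extend for your own environment.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def is_shortened(url):
    return (urlsplit(url).hostname or "").lower() in SHORTENER_HOSTS

def expand(url, head, max_hops=5):
    """Resolve a (possibly shortened) URL one redirect at a time.

    `head(url)` returns (status_code, location_header_or_None) for a single
    request WITHOUT following redirects. Returns (final_url, chain, reason)
    where reason is 'final', 'loop' or 'too-many-hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain[-1], chain, "final"
        nxt = urljoin(chain[-1], location)          # Location may be relative
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too-many-hops"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None        # refuse to follow; urllib raises HTTPError instead

def urllib_head(url, timeout=5):
    """Live HEAD request that does not follow redirects (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def assess(url, head):
    """Policy view: is it shortened, where does it really land, and does the
    landing page deserve a warning before the user is allowed through."""
    final, chain, reason = expand(url, head)
    host = urlsplit(final).hostname or ""
    flags = []
    if is_shortened(url):
        flags.append("shortened")
    if reason != "final":
        flags.append(reason)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("ip-literal-destination")
    return {"final": final, "hops": len(chain) - 1, "flags": flags}

# Constructed redirect chains standing in for live HEAD responses; the
# short-link paths are invented and were never fetched (RFC 5737 address).
CONSTRUCTED = {
    "http://bit.ly/abc123": (301, "http://tinyurl.com/xyz789"),
    "http://tinyurl.com/xyz789": (302, "http://198.51.100.9/login"),
    "http://198.51.100.9/login": (200, None),
    "http://bit.ly/loop1": (301, "http://bit.ly/loop2"),
    "http://bit.ly/loop2": (301, "http://bit.ly/loop1"),
    "https://www.example.org/": (200, None),
}

def fake_head(url):
    return CONSTRUCTED.get(url, (404, None))

if __name__ == "__main__":
    for u in ("http://bit.ly/abc123", "http://bit.ly/loop1", "https://www.example.org/"):
        print(u, assess(u, fake_head))
```

Swap `fake_head` for `urllib_head` to run it against live links. Doing the expansion from a gateway or a sandboxed resolver, rather than from the user’s browser, also means the user’s IP and cookies never reach the intermediate hosts.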

The main thrust of our advice to businesses is: review your security policy to make sure it includes Twitter. I hope that this guide will be useful in helping IT managers develop user policies and security processes that take new technologies such as Twitter into account.

Managing Information Security

Friday, April 3rd, 2009

There’s been a bit of a hullaballoo about Conficker.  While the world was not brought to its knees, it is important to say that this was not a hoax.  If we listen to the serious researchers, it is clear that the event, such as it was, was mainly the change in how the worm dialled home: on 1 April the latest variant switched to generating a far larger daily list of rendezvous domains.  The likelihood is that the writers are somewhat alarmed, first by the publicity, which is not good for someone wanting to build a big botnet, and second by the US$250,000 bounty, which might loosen some tongues.

The thing I would like to look at is the flurry of activity this warning caused, or should have caused.

By now, IT managers should have verified that they have activated the correct applications on the gateway device that protects their networks.  They should also have checked the settings, as frequently these will not be set to the best values by default.  So the questions to answer are:

1.    Are the anti-virus services set up on all interfaces of the gateway device?  The default may be to just scan the Internet side.

2.    Is the Anti-spyware activated?  This can frequently be an extra that needs to be bought, installed, configured and tested.

3.    Do the firewall default settings cover the current threat?  For instance, the defaults may not block the NetBIOS and SMB ports (UDP 137 and 138, TCP 139 and 445) over which Conficker spreads between machines.

4.    Is the intrusion protection monitoring and blocking malicious traffic on all interfaces?  The default may be to do just one or indeed none!
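Questions 1, 3 and 4 share one trap: a setting that is correct on the Internet-facing interface and silently absent on the internal ones. The Python below is an added example of auditing that (not Network Box’s configuration or tooling); it uses the `iptables-save` text format as a stand-in for whatever the gateway exports, and the excerpt, interface names and chain policy are constructed. It evaluates the FORWARD chain first-match for every NetBIOS/SMB port on every interface and reports what would still be passed.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# NetBIOS/SMB: UDP 137-138, TCP 139 and 445.
NETBIOS_SMB = [("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)]

def parse_filter_table(text):
    """Return (chain_policies, rules) from the *filter section of iptables-save.
    Only -i, -p, --dport, -m and -j are modelled; any other qualifier, or a
    jump to a user chain, raises so the audit never silently misjudges a rule."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "*filter":
            in_filter = True
            continue
        if not in_filter or not line or line.startswith("#"):
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            continue
        tok = shlex.split(line)
        rule = {"chain": None, "iface": None, "proto": None, "dport": None, "target": None}
        i = 0
        while i < len(tok):
            flag, arg = tok[i], tok[i + 1]
            if flag == "-A":
                rule["chain"] = arg
            elif flag == "-i":
                rule["iface"] = arg
            elif flag == "-p":
                rule["proto"] = arg
            elif flag == "--dport":
                lo, _, hi = arg.partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif flag == "-j":
                if arg not in TERMINAL | {"LOG"}:
                    raise ValueError(f"user chain or unmodelled target {arg} in: {line}")
                rule["target"] = arg
            elif flag != "-m":                       # -m names a match extension only
                raise ValueError(f"unsupported qualifier {flag} in: {line}")
            i += 2
        rules.append(rule)
    return policies, rules

def decide(policies, rules, chain, iface, proto, port):
    """First-match evaluation for one packet shape, falling through to the
    chain policy. LOG is non-terminal and is skipped."""
    for r in rules:
        if r["chain"] != chain or r["target"] not in TERMINAL:
            continue
        if r["iface"] not in (None, iface) or r["proto"] not in (None, proto):
            continue
        if r["dport"] is not None and not (r["dport"][0] <= port <= r["dport"][1]):
            continue
        return r["target"]
    return policies[chain]

def audit(text, interfaces, ports, chain="FORWARD"):
    """Per interface, the (proto, port) pairs the gateway would still forward."""
    policies, rules = parse_filter_table(text)
    return {iface: [(p, port) for p, port in ports
                    if decide(policies, rules, chain, iface, p, port) == "ACCEPT"]
            for iface in interfaces}

# Constructed excerpt: eth0 faces the Internet, eth1 and eth2 are internal
# segments. Only the Internet side blocks NetBIOS/SMB; the policy is ACCEPT.
IPTABLES_SAVE = """
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -i eth0 -p udp -m udp --dport 137:138 -j DROP
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 -j LOG
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
COMMIT
"""
INTERFACES = ["eth0", "eth1", "eth2"]

if __name__ == "__main__":
    for iface, still_open in audit(IPTABLES_SAVE, INTERFACES, NETBIOS_SMB).items():
        print(iface, "open:" if still_open else "blocked", still_open)
```

On this excerpt eth0 is clean while eth1 and eth2 still forward all four ports, most of them only because the chain policy is ACCEPT: exactly the internal-segment gap a USB-borne Conficker infection would use to reach the rest of the LAN.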

Furthermore, are those features actually included in the software release installed on the device?  If not, it is time to visit the supplier or the vendor’s website, locate what is needed, pay for it, download it, install it, test it and then implement it.

This is time-consuming, open to error and misconfiguration, and is really just the first step in defending the network.  In the case of the Conficker brouhaha, it was also necessary to inspect each machine on the company LAN to see if it had been infected, for example by someone bringing in an infected USB stick.  This entailed downloading another update or special tool from a vendor and then allocating someone to carry out the scan.  The trouble is that this has to be done while still doing all the day-to-day work that is expected of IT staff and is crucial to keeping the organisation operating profitably.  For most IT staff this is quite an ‘ask’, requiring overtime or the delay of other tasks.

At Network Box, we take it as our responsibility to do all this for our customers.  We ensure that the boxes are fully equipped to do the job the customer requests, so Network Box configures the perimeter defence for each customer, ensuring that settings are correct before the crisis hits.  We also push out updates that have been fully tested, so that our customers don’t have to.  In the case of Conficker, for instance, we uploaded a tool to scan our customers’ networks and ran it on their behalf, identifying which machines, if any, were infected.

This is where a managed service really shows its return on investment.  An organisation gets access to a team of security professionals with CISSP and SSCP qualifications, and these professionals have a great deal of experience across a number of different companies and industry verticals.  All of which means that they can really add value and save money by letting the internal IT team get on with their primary tasks rather than being dragged off to crisis-manage an event they may not be ideally suited to tackle.