Threats to Enterprise Security
By: Dan Sullivan, 04/18/2005
[Editor’s Note: The following excerpt is from Chapter 2 of the free eBook
The Definitive Guide
to Security Management (Realtimepublishers.com) written by Dan Sullivan and available from a
link at
http://www3.ca.com/ebook/default.aspx?sacid=60453.]
Threats that have emerged over the years have followed a similar pattern: Attackers find a way to
breach a system to gain access to valuable informational assets; in response, systems
administrators and security professionals develop detection and prevention methods; attackers
then find new ways to breach systems and avoid detection; and systems administrators and
security professionals again develop new detection and prevention methods; and on and on.
With attacks becoming more aggressive, faster, and multi-pronged, there is growing emphasis on
consistent assessments, preventative measures, and security information management. An attack
no longer consists of a single virus; well-planned, multi-stage assaults are now common.
Simultaneously, organizations are exposing more systems across organizational lines, effectively
dissolving the boundary between what have been considered internal and external threats. In
addition, IT groups under pressure to do more with less are finding ways to reuse legacy
mainframe infrastructure. This recycling has, in turn, exposed more IT resources, including
mainframes that until recently were considered very secure, to the same challenges faced by
distributed systems.
To truly understand the current security environment, we must explore the past experiences that
have led us here. We'll build on this foundation as we explore continuing threats to resources
and assets, which will lay the groundwork for a discussion about emerging threats.
Evolving Threats to Information Security
Consider examples of early security threats. When attackers break into computer systems, they
inevitably leave traces of their activities. Systems administrators could use operating system
(OS) utilities to detect the breach, so attackers responded with Trojan Horse versions of those
utilities that hid the attackers' files, processes, and network connections. In response, systems
administrators used more sophisticated techniques, such as comparing installed binaries against
a known-good baseline and searching them for tell-tale strings that betray a trojaned utility.
Figure 2.1 shows the evolution of early breaches on UNIX systems.
Figure 2.1: Threats and safeguards evolve in response to each other.
Systems administrators, in theory, can monitor the state of their systems with utilities that log
and display information about processes, network configuration, and resource utilization. These
programs were some of the first targets of attackers who wanted to avoid detection. As methods
were developed to break into systems and erase footprints, attackers collected these programs
into packages called root kits and shared them freely with other attackers. The unfortunate result
of this collaboration is that an attacker with limited knowledge and expertise poses a serious
threat to system and network security.
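The two checks administrators fell back on once the stock utilities could no longer be trusted, a hash comparison against a baseline taken on a clean system and a search of the binary for strings that do not belong there, as an added example that is not code from the book or from any rootkit-detection tool. The "binaries" here are in-memory byte strings standing in for files such as /bin/ps, the hidden directory /usr/lib/.x and the sniffer name are invented, and the tell-tale patterns are constructed heuristics rather than a published list.

```python
"""Baseline integrity check for system utilities (added example, constructed data).
The 'binaries' are byte strings standing in for files on disk; the baseline hashes
are computed from those strings rather than from a real installation."""
import hashlib
import re


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Install-time contents of the genuine utilities (constructed stand-ins).
GENUINE = {
    "/bin/ps": b"ELF\x7f ps genuine build 1",
    "/bin/netstat": b"ELF\x7f netstat genuine build 1",
    "/bin/ls": b"ELF\x7f ls genuine build 1",
}

# The baseline is taken while the system is known clean and kept off the host.
BASELINE = {path: sha256(blob) for path, blob in GENUINE.items()}

# What is on disk now (constructed): ps was replaced by a version that skips any
# process under a hidden directory, netstat is gone, and a new hidden file appeared.
ON_DISK = {
    "/bin/ps": GENUINE["/bin/ps"]
    + b'\x00if (!strcmp(path, "/usr/lib/.x/sniffer")) continue;\x00',
    "/bin/ls": GENUINE["/bin/ls"],
    "/usr/lib/.x/sniffer": b"ELF\x7f sniffer build 1",
}

# Strings a stock utility has no reason to contain (constructed heuristics).
TELLTALE_PATTERNS = [
    re.compile(rb"/(?:usr/lib|dev|tmp)/\.[\w-]+"),  # hidden directory under a system path
    re.compile(rb"sniffer|backdoor", re.IGNORECASE),
]


def verify_baseline(on_disk: dict, baseline: dict) -> dict:
    """Compare each path's hash against the baseline.
    Status is 'ok', 'MODIFIED', 'MISSING' (in baseline, gone from disk) or
    'UNEXPECTED' (on disk, absent from baseline)."""
    report = {}
    for path, expected in baseline.items():
        if path not in on_disk:
            report[path] = "MISSING"
        elif sha256(on_disk[path]) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    for path in on_disk:
        if path not in baseline:
            report[path] = "UNEXPECTED"
    return report


def find_telltales(blob: bytes) -> list:
    """The older heuristic: grep the binary for strings that betray a trojan."""
    hits = []
    for pattern in TELLTALE_PATTERNS:
        hits.extend(m.decode("latin-1") for m in pattern.findall(blob))
    return hits


def audit(on_disk: dict, baseline: dict) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for path, status in verify_baseline(on_disk, baseline).items():
        if status != "ok":
            findings.append(f"{path}: {status}")
        for s in find_telltales(on_disk.get(path, b"")):
            findings.append(f"{path}: suspicious string {s!r}")
    return findings


if __name__ == "__main__":
    for line in audit(ON_DISK, BASELINE):
        print(line)
```

The hash comparison is the check that still holds up; the string search is only a heuristic, since an attacker can obfuscate the literals. Both checks share the weakness the text describes: an attacker who has replaced ps can equally replace the checker, its hashing library, or the baseline, so the baseline belongs off the host and the comparison is run from trusted, read-only media.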
For more information about the early history of UNIX break-ins and the evolution of root kits, see
Dave Dittrich’s "Root Kits and Hiding Files/Directories/Processes After a Break-in” at
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq.
Consider email viruses as an example. Originally, email viruses were detected by finding a
specific pattern, or signature, within an email message. Virus writers responded by encrypting
the virus body with a key that changes on each infection and shipping a decryption routine
along with the encrypted payload. A constant decryption routine is itself detectable by
signature, so virus writers developed polymorphic, and later metamorphic, engines that rewrite
the decryption routine (and, in metamorphic viruses, the whole body) into a syntactically
different but functionally equivalent form on each infection. This development significantly
changed the virus-detection landscape. Rather than matching a specific code pattern, antivirus
software had to emulate the code, detect viruses by their execution behavior, or use some other
method that does not depend on pattern matching (see Figure 2.2).
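The three rounds of that arms race, worked through on an inert toy, as an added example that is not code from the book or from any real virus or antivirus product. The "virus body" is a marker string, the "decryptor" is a three-token byte language invented here, and the three scanners show why a payload signature stops working once the body is encrypted, why a signature on the constant decryptor stops working once the stub is rewritten per infection, and why following the stub's semantics (emulation) still recovers the body.

```python
"""Toy model of signature scanning versus encrypted and polymorphic viruses
(added example, constructed data; nothing here is executable malware)."""
import random
import re

# Stands in for the byte pattern an AV signature would match (constructed).
SIGNATURE = b"<<inert toy payload marker>>"

# Toy decryptor language, one token byte each:
#   K <key>   load the XOR key
#   J <byte>  junk instruction; a correct emulator ignores it
#   B         end of stub; everything after it is the encrypted body
TOK_KEY, TOK_JUNK, TOK_BODY = ord("K"), ord("J"), ord("B")


def plain_sample() -> bytes:
    """Generation 1: the body is stored in clear, so a signature scan finds it."""
    return b"mail attachment header " + SIGNATURE


def encrypted_sample(key: int) -> bytes:
    """Generation 2: body XORed with a per-infection key, constant decryptor stub."""
    body = bytes(b ^ key for b in plain_sample())
    return bytes([TOK_KEY, key, TOK_BODY]) + body


def polymorphic_sample(key: int, seed: int) -> bytes:
    """Generation 3: same decryption semantics, but junk tokens are sprinkled into
    the stub so its bytes differ on every infection. Junk operands stay below the
    token range (0x00-0x3F) so the toy stub is never ambiguous."""
    rng = random.Random(seed)
    stub = bytearray()
    for _ in range(rng.randint(1, 4)):
        stub += bytes([TOK_JUNK, rng.randrange(0x40)])
    stub += bytes([TOK_KEY, key])
    for _ in range(rng.randint(1, 4)):
        stub += bytes([TOK_JUNK, rng.randrange(0x40)])
    stub += bytes([TOK_BODY])
    body = bytes(b ^ key for b in plain_sample())
    return bytes(stub) + body


def signature_scan(sample: bytes) -> bool:
    """First-generation AV: match the payload signature directly."""
    return SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Second-generation AV: match the constant decryptor (K <key> B) instead."""
    return re.search(rb"K.B", sample, re.DOTALL) is not None


def emulate_and_scan(sample: bytes) -> bool:
    """Third-generation AV: execute the stub's semantics, skipping junk, decrypt
    the body and only then look for the signature. Changes to the stub's syntax
    no longer matter; only the key-load and end-of-stub tokens do."""
    key = None
    i = 0
    while i < len(sample):
        tok = sample[i]
        if tok == TOK_JUNK and i + 1 < len(sample):
            i += 2
        elif tok == TOK_KEY and i + 1 < len(sample):
            key, i = sample[i + 1], i + 2
        elif tok == TOK_BODY:
            i += 1
            break
        else:
            return False  # not a recognised stub; leave it to the static scan
    if key is None:
        return False
    decrypted = bytes(b ^ key for b in sample[i:])
    return SIGNATURE in decrypted


def detect(sample: bytes) -> bool:
    """What a practical engine does: cheap static scan first, emulation second."""
    return signature_scan(sample) or emulate_and_scan(sample)


if __name__ == "__main__":
    for name, s in [("plain", plain_sample()),
                    ("encrypted", encrypted_sample(0x5A)),
                    ("polymorphic", polymorphic_sample(0x5A, seed=7))]:
        print(f"{name:12s} signature={signature_scan(s)!s:5s} "
              f"stub={stub_scan(s)!s:5s} emulate={emulate_and_scan(s)}")
```

The emulator is where real engines pay the price the text alludes to: it has to bound how many instructions it will run, and virus writers answered with anti-emulation tricks, which is one reason detection moved on to behavior-based methods.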
Figure 2.2: The dynamic attack/response pattern seen in earlier types of attacks continues today.
Email viruses have thus evolved into more sophisticated methods of attack. Some viruses, known
as blended threats, use multiple methods to breach a system and, once inside, launch multiple
types of attacks. The recent Mydoom email virus, for example, employs several malware
components:
- A backdoor, implemented as a DLL loaded by Windows Explorer, that listens on an
available port, presumably for instructions from the virus author
- A distributed denial of service (DDoS) attack against http://www.sco.com (Mydoom.B
includes a DDoS attack on http://www.microsoft.com)
- A routine to harvest email addresses from the infected computer
- A replacement hosts file that prevents the infected computer from reaching antivirus
company and other vendor Web sites
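The last item is the easiest of the four to check for on a host, and the check generalises beyond Mydoom: any entry in the hosts file that overrides the name of a security or update server is suspicious, whatever it points at. The scanner below is an added example, not code from the book or from any antivirus vendor; the hosts-file contents and the watchlist of hostnames are constructed, and a real watchlist would carry the actual update and download hosts of the products in use.

```python
"""Scan a hosts file for entries that hijack security-vendor hostnames
(added example, constructed data)."""
import ipaddress

# Hostnames the machine must still resolve honestly (constructed names).
WATCHLIST = {
    "update.av-vendor.example",
    "www.av-vendor.example",
    "download.os-vendor.example",
}

# Constructed hosts file: one default entry, three hijacked names (two on one
# line), one harmless internal override, one unrelated redirect, one bad line.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
0.0.0.0         update.av-vendor.example
127.0.0.1       www.av-vendor.example  download.os-vendor.example  # two names
192.0.2.10      intranet.example
127.0.0.1\tnews.example
not-an-address  broken.example
"""


def parse_hosts(text: str):
    """Yield (line_no, address, [hostnames]) for each non-comment, non-blank line.
    A trailing '# ...' comment is stripped; separators may be spaces or tabs."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def classify_sink(address: str) -> str:
    """Where a hijacked name is sent: a black hole, the local machine, or elsewhere."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_unspecified:
        return "blackhole"   # 0.0.0.0 / :: -> connections fail at once
    if ip.is_loopback:
        return "loopback"    # 127.x / ::1 -> connections hit the local host
    return "redirect"        # anything else may be an attacker-controlled server


def find_hijacks(text: str, watchlist: set) -> list:
    """One finding per watchlisted hostname the hosts file overrides. Any override
    of these names is suspicious; the sink classification only says how bad."""
    findings = []
    for line_no, address, hosts in parse_hosts(text):
        for host in hosts:
            if host in watchlist:
                findings.append({"line": line_no, "host": host,
                                 "address": address, "sink": classify_sink(address)})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['sink']})")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on UNIX-like systems at /etc/hosts; read it with a tool taken from trusted media, since a blended threat that rewrote the file may also have tampered with what is on the disk.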
Principles Learned from Past Experience
Just from these basic examples of early OS breaches and email viruses, one can note several
generalizations about the nature of threats and their relation to security management. First, the
goal of security management is to protect resources and assets. These include the obvious, such
as applications, servers, and confidential data, as well as intangibles, such as company brands,
customer goodwill, and contractual obligations.
Second, security management is not a static process. Information systems are constantly
changing as new applications are deployed, configurations are changed, and new technologies,
such as wireless networking, are introduced. Malware (such as viruses, worms, and malicious
mobile code), along with the spam that increasingly carries it, threatens to disrupt and damage IT
systems. These threats exploit multiple vulnerabilities, taking advantage of weaknesses in email,
scripting languages, browser features, server configurations, and other characteristics of
distributed systems. The days of depending on perimeter defenses to prevent the introduction of
malware are gone. The boundaries between "internal" and "external" have become blurred as
enterprises integrate processes across organizational lines.
Third, the damage from a breach can quickly grow beyond the initial intrusion. OS files might be
changed, configuration files modified, and backdoor programs planted. These, in turn, can
become the launch pad for a second round of attacks, such as executing DDoS attacks against
other systems.
Finally, security management requires systems administrators to keep their systems from
becoming components, or zombies, in distributed attacks on other systems. These include both
DDoS attacks and email virus proliferation. Poor security in one system can lead to attacks on
many others.
The security environment we experience today is a product of past experience and current
technologies. The next section will address threats that have been with us for some time and will
set the stage for discussing emerging threats.