[ISN] Cracks in the Firewall

From: InfoSec News (isnat_private)
Date: Wed Apr 10 2002 - 01:46:51 PDT


    APRIL 9, 2002 
    By Alex Salkever 
    Thanks to sophisticated new attack methods, computer security has to
    go beyond the old standby of merely keeping intruders out

    Is your firewall toast? A new report by Web security giant Internet
    Security Systems (ISSX) suggests it certainly could use a few upgrades
    and some additional help.

    The company combed through data collected from the logs of thousands
    of security devices it monitors for businesses ranging from
    mom-and-pops to multibillion-dollar global conglomerates. The
    conclusion: Perimeter defenses such as firewalls are not enough to
    ward off increasingly sophisticated worms and viruses.

    Sure, ISS is more than happy to sell you a host of new security
    products. But the issues raised by its survey -- a comprehensive look
    at the state of Web security -- are quite revealing. The study,
    released on Apr. 3, found that 70% of all intrusion attempts now
    target port 80. Each computer has thousands of ports used for
    different services. Firewalls control, depending on your preferences,
    which ports are open or closed. Port 80 is now used on virtually every
    computer for Web surfing, so it's wide open. Shielding port 80 would
    gum up Web traffic as requests for info and responses from Web servers
    got backed up in a domino effect.
    "DIFFERENT SCENARIO."  This explains why intruders increasingly play
    off this connectivity to target systems that require a certain degree
    of openness to function as a business tool. "The [pre-Internet]
    computing technologies were designed to keep people out. The Internet
    is all about letting people in. That's a different security scenario,"
    explains Joe Duffy, national security practice manager for

    Other insights can be gleaned from ISS's inaugural quarterly report.
    Until recently, the most common type of Internet attack was "denial of
    service," whereby malicious hackers break into computers connected to
    the Net and command them to fire incessant data requests at a Web
    site. That shuts off access to the site and can damage it.

    Now a new, more sophisticated type of attack predominates, says the
    ISS study -- "hybrid" attacks. They involve pieces of automated
    software that might try multiple avenues to break into a system, such
    as e-mail, Web servers, and known vulnerabilities in operating
    systems. Sometimes, the goals are hidden. A good example: Code Red,
    which sought to insert itself into as many open Microsoft Internet
    Information Services (IIS) servers as possible and then tried to
    launch an attack on the White House Web site.
    MULTIFACETED THREATS.  The first widespread hybrid attacks came last
    year with so-called worm-viruses such as Code Red and Nimda. Others
    are appearing with frightening regularity. "We started getting these
    multidimensional threats wrapped in a single box. It's like the
    Unabomber putting a box on your doorstep. There's a bomb containing a
    nuclear device, a biological weapon, and a chemical weapon all in one
    package," says Tom Noonan, CEO of ISS.

    These types of intelligent, multifaceted cyberthreats are changing the
    way companies plan security for their networks. "Nimda was very
    interesting from a security perspective because we talk about virus
    detection and intrusion detection. But just detecting isn't sufficient
    any more," says Wyatt Starnes, CEO of Tripwire Security Systems. "In
    the case of Nimda, by the time it was detected, it had already
    executed. And by then it had pretty much trashed the system file

    Tripwire and other companies have taken the cue and adjusted their
    products to reflect the new reality. According to Starnes, his
    software has morphed from an "intrusion-detection system" aimed at
    detecting hackers as they attack to an "integrity assessment software"
    that can detect untoward changes in files and quickly restore them to
    normal. Other companies, such as Foundstone, are focusing on "security
    assessment products" that do spot checks on company networks to make
    sure they're not at risk.
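As an added illustration of the integrity-assessment approach described above (example code written for this page, not Tripwire's product or anything from the article): record a baseline of file hashes, flag files that were added, removed or modified, and restore the changed ones from a trusted copy. All paths and file contents below are constructed.

```python
import hashlib
import os
import shutil
import tempfile

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Classify drift between the trusted baseline and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def restore(report, trusted_root, live_root):
    """Copy modified or deleted files back from the trusted copy; added files are only reported."""
    fixed = []
    for rel in report["modified"] + report["removed"]:
        shutil.copyfile(os.path.join(trusted_root, rel), os.path.join(live_root, rel))
        fixed.append(rel)
    return fixed

def demo():
    # Constructed scenario: baseline a tiny "system" directory, tamper with it, detect, restore.
    work = tempfile.mkdtemp()
    live, trusted = os.path.join(work, "live"), os.path.join(work, "trusted")
    os.makedirs(live)
    with open(os.path.join(live, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    shutil.copytree(live, trusted)        # trusted copy; in practice kept off the monitored host
    baseline = hash_tree(live)
    with open(os.path.join(live, "hosts"), "a") as fh:        # simulated tampering
        fh.write("# injected entry\n")
    with open(os.path.join(live, "dropped.sh"), "w") as fh:   # simulated dropped file
        fh.write("echo hi\n")
    report = compare(baseline, hash_tree(live))
    fixed = restore(report, trusted, live)
    after = compare(baseline, hash_tree(live))
    shutil.rmtree(work)
    return report, fixed, after
```

Run `demo()` to see the detection report, the list of restored files, and the residual report (the dropped file remains flagged as "added" because the example deliberately restores known files rather than deleting unknown ones).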
    600,000 LOG-INS?  Another approach is keeping closer tabs on who
    should be on the networks. PricewaterhouseCoopers' Duffy tells the
    story of a major national clothing retailer that came to him for help
    when it wanted to move all of its human resources functions online.
    The trouble was only 20,000 of the company's 300,000 employees had
    log-in privileges. To link everyone online, the retailer would have
    needed to increase the number of people using its network
    fifteen-fold. Then Duffy discovered that the company, like many
    mass-market retailers, had annual turnover of 100%. That meant it
    would have had to provide upward of 600,000 log-in credentials a year
    -- a thirty-fold increase.

    "You have a cost for security that's going to go through the roof. Any
    benefit you get in HR would be offset by the army of administrators,"
    says Duffy. The solution: PwC put in software from a company called
    Oblix that allowed the retailer to automate the assignment of log-in

    STURDIER WALLS.  Now, when part-time store clerks get hired, they
    receive network access only to the programs needed to administer their
    benefits. The software also removes employees' network privileges when
    they leave the company.
    Of course, all of these new approaches remain in the earliest stages.
    And no one is advising companies to abandon firewalls, which remain
    the foundation for defending any company's network. Companies such as
    Check Point Software Technologies (CHKP) and NetScreen (NSCN) have
    enhanced firewalls to make them far more effective against the newer,
    multifaceted Web attacks.

    Here's the rub: In the Internet Era, firewalls seem increasingly
    permeable. And businesses would do well to look at ways to watch and
    control more rigorously what's happening inside the perimeter rather
    than put their stock in blocking out barbarians with a firewall.

    This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 04:41:37 PDT