New age security threats and how to protect your enterprise
Security threats have moved beyond virus and worm attacks to infrastructure misuse, information theft, and the like. We give you an insight into the possibilities and what to do about them
It's a pity that despite having firewalls, UTMs, antiviruses, spam filters, and the works, organizations still fall prey to hackers. This is because there is no single standard that covers every deployment, so some flaw always goes unnoticed. After that it is entirely up to the hacker's skill how quickly he can exploit it. The moral of the story, therefore, is that no network can be 100% secure, so you need to go beyond hardening the security of your network. What you also need is a proper incident response management strategy: the set of measures you'll take to do damage control. The damage could be financial in nature, or it could be loss of reputation. Worse still, if the hacker is from a terrorist organization, you'll also have to deal with law enforcement agencies. How ready is your security team to do all this? Do you have measures in place that would let you gather sufficient data to track the hackers?
This might have sounded unrealistic a few years ago, but today you seriously need to think about it. And when terrorism is involved, computer forensics becomes extremely important, because even a single piece of evidence can save a lot of lives.
So, this time we are not going to tell you how to deploy the right security devices, but discuss how exactly you can isolate a compromised machine on your network and get as much evidence from it as possible.
Before going into detail, one has to understand the difference between ordinary information and evidence. Essentially, evidence in computer forensics is a piece of information retrieved from a compromised device in such a way that one can prove the data has not been changed or modified after retrieval. So, in simple terms, forensics tools are nothing but data recovery tools, but while recovering the data they save checksums at every level, so that at any point of time and at any level the consistency of the data can be checked.
Data leakage and loss prevention
What are some common cyber terrorism threats an enterprise is facing today? Cyber terrorism is the misuse of cyber space for different kinds of activities. The current threats posed by cyber terrorism have attained monumental proportions, and for many reasons. First, Wi-Fi misuse has generated a lot of debate, as it's a key tool through which people can get into corporate or individual networks. Over the past few years, hacking attacks have been on the rise, mainly due to improper configuration of Wi-Fi systems in organizations. They have default admin names and passwords, and fall easy prey to hackers. Second, know your employees and external customers. Proper monitoring of employees is necessary. You need to pay attention to their activities.
How can an enterprise effectively monitor its users and prevent misuse of resources? Many enterprises today are aware of external threats like hackers, worms and viruses and deploy solutions to secure against them, but internal threats to security are equally important. To combat those, three key security management solutions could be deployed:
- Identity and access management
- Security information management
- Threat management
Integrating these components into a comprehensive solution helps you achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risks and ensure continuous business operations.
What policies could make us secure? Policies that are based on international standards such as BS7799-1 and ISO 17799 set out the requirements of good practices for Information Security management. ISO 27001 defines the specifications for an Information Security Management System (ISMS). It was developed from BS 7799 Part 2:2002. The scope of any ISMS includes people, processes, IT systems and policies.
Your comments on data leakage detection? Data leakage is the unauthorized transmission of data (or information) from within an organization to an external destination or recipient. This may be electronic or via a physical method. Data Leakage is synonymous with Information Leakage. The term 'Unauthorized Use' does not automatically mean intentional or malicious; unintentional or inadvertent data leakage also comes under its purview. There are several examples of information/data leakage. Most involve important and confidential information leaving an organization due to accidental emails or other means. A high profile example is the confidential memo leak in the Hillary Clinton campaign.
How can organizations prevent data leakage? Data loss prevention or DLP solutions are available that can offer information leak prevention, content monitoring and filtering, IP protection, outbound content compliance, information discovery and policy enforcement.
Rajendra Dhavale, Director, Technical Sales CA India
Evidence collection
Once you receive an alert from your IDS or some other source that a machine has been compromised, the first thing to do is to isolate the machine from the network so that it can't be accessed remotely by anyone. Remember that you mustn't restart the affected machine. This would destroy any volatile data in main or virtual memory, thereby reducing the chances of finding evidence.
Backing up the pagefile
The first thing you would like to do is to take a backup image of your pagefile (Windows) or swap (Linux) so that whatever data is there can be analyzed later on. Usually, a hacker not only runs a script on your computer but also removes that script from your hard disk. But you can find such scripts in the swap area, unless the system has been rebooted. Before running any command on a Linux machine, run the script command so that a log is maintained of everything you did on the system. This will help you track the steps you've followed. The command is as follows:
- script /script.log
Now, for a Linux machine, to take the backup, first mount a removable disk or a network share on your machine and run a command like this:
- dd bs=1024 if=/dev/hdxy of=/mnt/output/swap.out
Here /dev/hdxy stands for the partition used as your swap partition. You can find it by running the fdisk -l command. /mnt/output is the non-local media mounted for taking the backup, and swap.out is the file that will contain the image of the swap partition.
If it is a Windows machine, just check the path of pagefile.sys and copy it. Once done, you can use tools such as grave-robber (Linux) or mac-robber (Windows) to get information from the images. From here on, the steps for all OSs are similar. Now you can safely reboot the machine, as the volatile data has already been saved.
Next you have to take a backup image of the compromised disk. The image is required because if something goes wrong during the investigation, you will still have the data intact. For this, the best approach is to connect the compromised disk to a fresh Linux machine, run the script command again and create an image of the disk by running the dd command. Once the image is taken you can start recovering data from it. There are many tools for doing so, but the one that works on both Linux and Windows is called Sleuthkit. It is essentially a collection of different tools for forensics examination. You can even get a browser-based front end for Sleuthkit, called Autopsy, which can also record multiple forensics cases. Among the things Autopsy can do are recovering deleted files from both pagefile images and disk images, and creating an activity timeline so that one can see everything that happened on the machine between two distinct points in time. And obviously it creates and saves checksums of the image at every stage. The usage is pretty simple. All you have to do is download Sleuthkit and Autopsy from Sleuthkit's website, http://www.sleuthkit.org/, install them on a fresh Linux machine and start accessing Autopsy through any web browser on the network.
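The imaging and checksum steps above, as an added shell example that is not from the article: it copies a partition with dd exactly as described, records SHA-256 hashes of the source and of the image in a log so the copy can later be proved unaltered, and re-verifies the image against that log. /dev/hdxy and swap.out are the article's placeholders; the demo at the end substitutes a constructed sample file for a real partition.

```shell
#!/bin/sh
# Added example (not from the article): dd imaging with recorded checksums.
# On a real case SOURCE would be a partition such as /dev/hdxy, read only.

hash_file() {
    # sha256sum on Linux; shasum -a 256 where only that exists (BSD/macOS)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_with_hash SOURCE IMAGE LOG: hash the source, copy it bit for bit,
# hash the image, append both hashes to LOG, and fail unless they match.
image_with_hash() {
    src=$1; img=$2; log=$3
    before=$(hash_file "$src") || return 1
    # plain dd as in the article; bs=1024 affects speed, not the content
    dd if="$src" of="$img" bs=1024 2>/dev/null || return 1
    after=$(hash_file "$img") || return 1
    printf '%s  source  %s\n%s  image   %s\n' "$before" "$src" "$after" "$img" >> "$log"
    [ "$before" = "$after" ]
}

# verify_image IMAGE LOG: later in the investigation, recompute the image
# hash and compare it with the one recorded when the image was taken.
verify_image() {
    img=$1; log=$2
    logged=$(grep '  image   ' "$log" | tail -n 1 | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$(hash_file "$img")" = "$logged" ]
}

# demo on a constructed sample "partition" standing in for /dev/hdxy
demo() {
    d=$(mktemp -d)
    printf 'constructed sample swap contents\n' > "$d/hdxy"
    image_with_hash "$d/hdxy" "$d/swap.out" "$d/evidence.log" && cat "$d/evidence.log"
}
demo
```

Keep the log file off the imaged media and together with the script(1) transcript, so the hashes and the commands that produced them form one record.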
Controlling mobile devices
The other thing that is very important for an enterprise is to keep a very strict watch on mobile devices like mobile phones and laptops that it allots to its users. These pose risk in two different ways. First, if the laptop is stolen it can be misused, and second, the original user himself might be disgruntled or involved in suspicious activities.
Preventing infrastructure misuse
After the terror email racket was busted last week, the biggest challenge for any enterprise today is to know how they can make sure their infrastructure will not be exploited by terrorists. How to go about it?
Enterprise networks are becoming quite complex with mobility aspects like Wi-Fi, laptops, BlackBerry and work from infrastructure. A comprehensive approach is needed for enterprise security and should cover the following:
- Have a clear security policy; among other things, the guidelines should cover identity and access management, confidentiality and privacy aspects.
- Employee awareness: the processes and guidelines need to be backed by awareness of employees and constant reinforcement of policies.
- Technology: networks and resources need to be supported by suitable technologies in terms of identity implementations, encryption and enforcement of policies, etc.
- Regular security audits: these need to be conducted to measure and maintain the security posture.
In quite a few countries today, keeping a backup of each and every email for at least three years is compulsory for enterprises. But, doing this alone is of no use if there is no alerting mechanism attached to it. How can one deploy alert mechanisms to control email misuse?
Keeping a backup will not be the solution for alerts. Backups are kept for regulatory compliance. Intrusion detection systems need to be installed along with firewalls to keep track of access to critical resources like email servers, web servers, etc. Again, depending on the criticality, 24x7 monitoring will also need to be implemented for alerts and logs.
Organizations take all possible measures to secure their endpoints and prevent their misuse. But what do you do when there are solutions like Live OS distros that completely bypass OS security? How can organizations prevent their usage?
That is why it is important to control the enterprise computing environment. Depending on the criticality, Internet access needs to be restricted, access rights for installing software need to be controlled, and media (pen drives, mobile phones, etc.) needs to be banned in the workplace.
What are the implications for an organization, if their IT infrastructure is found to have been misused? Enterprises should be concerned about this for multiple reasons:
- Some regulatory aspects might actually implicate the enterprise if misuse has happened by one of its own employees.
- Loss of credibility with customers.
- Brand value destruction and loss of face.
- Misuse might also indicate the vulnerabilities in the network and criminals might target the Enterprise.