Information Security News mailing list archives

Intrusion Detection: Be Afraid, Be Very Afraid


From: InfoSec News <isn () C4I ORG>
Date: Thu, 4 Jan 2001 01:23:21 -0600

http://www.techweb.com/wire/story/TWB20010103S0013

By Lisa Morgan, InternetWeek
Jan 3, 2001 (3:34 PM)

If you're not afraid about the state of your company's security, you
should be. Hackers are scanning ports en masse, coordinated attacks
are gaining popularity, and network users who appear to be valid are
often impostors. And that's just outside attacks. The real problem,
experts say, is that 60 percent to 70 percent of attacks come from
inside the company. The message is simple: Be aware -- or be hacked.
Large companies that spend big on their own security staffs and
outsourced expertise aren't always safe either.

One of the largest, Microsoft (stock: MSFT), fell victim last October
to hackers who used the well-known QAZ worm to break into the
company's computer systems to steal product design information about
the Windows operating system and the Microsoft Office suite.

Western Union was attacked in September when hackers gained access to
15,700 customer accounts, including credit-card information.

High-profile denial-of-service attacks like the ones that took down
eBay (stock: EBAY) and CNN.com last February may not occur on a
regular basis, but most security experts agree that Denial of Service
(DoS) attacks do occur daily.

While FBI investigations of the more high-profile attacks make
headline news, most DoS and other hacking incidents are not reported.
That means the problem is far worse than it appears. Most companies
don't report break-ins -- particularly internal hacks -- because they
don't want customers and shareholders to lose confidence.

The reality is that attacks are on the rise. A Computer Security
Institute/FBI survey released last year said the number of
respondents reporting their Internet connections as a frequent point
of attack increased every year for five years, from 47 percent in 1996
to 59 percent in 2000.

And Pilot Network Services, a secure service provider, reported in its
latest Cyber Barometer online newsletter that the overall frequency of
threats was steady during the past few months, but the number of
different types of attack attempts increased by 15 percent in November
2000.

"We're seeing more NetBIOS attacks, scans, and viruses," said Phil
Simmonds, director of technical marketing at Pilot (stock: PILT).
"We're monitoring attacks and reporting the trends in Cyber Barometer,
but the problem is you don't know what the trends will be. Past trends
are not necessarily indicative of future trends."

Pilot, Alameda, Calif., provides highly secure VPN and hosting
services to a broad range of enterprise customers. Simmonds says one
advantage Pilot has over most intrusion detection system (IDS) vendors
is anonymity. Pilot's intrusion detection tools are proprietary and
therefore can't be purchased and reviewed by a malicious source. Other
service providers argue in favor of managed services over the purchase
and use of tools in-house because they are selling security expertise
that's otherwise difficult and expensive to obtain directly.

Despite the growing popularity of outsourced services, vendors say
they're selling more equipment than ever. Most agree that effective
intrusion detection and enterprise security requires more than a
firewall or IDS -- companies need both, as well as virus detection and
encryption.

More important, businesses need to define security policies and
implement them effectively. Since most IT professionals are not
security experts, the quality of a company's security program may be
limited by a lack of internal expertise.

Vendors say that purchasing an IDS is only a first step. Some
customers are buying security systems but are not necessarily
maintaining them. They fail to download patches and known signatures,
leaving themselves open to the latest attacks.

"We are seeing a massive increase in the automated scans for specific
vulnerabilities," said Tim Belcher, chief technology officer and
co-founder of Riptech, a managed service provider. "A couple of months
ago, this was compromising common Unix services. Distributed DoS
attacks are still a real problem. Customers have to continually
protect themselves."

Most vendors agree that security must become more of a priority for
customers. However, they don't necessarily agree on how security
should be implemented.

Some advocate host IDSes that monitor traffic and logs, while others
promote network systems that reside at the edge of the network. Pete
Lindstrom, a security analyst at the Hurwitz Group, Framingham, Mass.,
says the two security options are converging, and some vendors are
beginning to offer more integrated products and services. Regardless
of the architecture, effective security requires a multilayer defense.

Which security systems are ultimately implemented depends on corporate
security policies, network architectures, business models, and the
company's ability to effectively manage security.

Nir Zuk, chief technology officer at OneSecure, another managed
service provider, says IT managers often have trouble administering
IDSes because they generate a massive amount of log data that they
don't have time to analyze. Zuk and other IDS vendors agree that the
tools for managing alerts and raw data need to be streamlined.

Then there's the problem of staying current. During one fiscal year,
an IT manager or COO may request $300,000 for security expenditures
and the following year request the same amount or more to keep up with
the company's security needs. Sometimes management doesn't understand
why security systems need to be repurchased and may deny or at least
argue with the request.

Staying current while navigating the security maze is an issue. IT
managers who haven't experienced an attack may find it difficult to
explain to management why the company needs to continue spending large
amounts on security. IT managers would like to get answers from
vendors, but may not know the right questions to ask.

"Intrusion detection is reactive," says Ryon Packer, executive
director of marketing at Intrusion.com, an IDS vendor. "People buy
tools after the attack, similar to the way they buy firewalls. Worse,
there is a skills gap. The rate at which a person can become and stay
knowledgeable about security systems and malicious methods pales in
comparison to the rate at which the industry is growing. People have
to stay current, and that's tough."

Vendors are also challenged to keep up. Avi Fogel, president and CEO
of IDS vendor Network One, says hackers will always be more agile than
vendors because hackers don't go through a quality assurance process.

"The objective is to minimize vulnerability," Fogel says. "Ideally,
you could find a more generic tool that prevents classes of intrusion
like a Trojan Horse. A tool like that could have prevented the recent
Microsoft break-in."

Network One offers a host-resident firewall and IDS that monitors
layer 3, 4, and 7 traffic (the network, transport, and application
layers). Higher-level monitoring is important, given that many of the
attacks happen at the application layer (layer 7), where malicious
code is embedded in a popular desktop application. Network One is an
advocate of intrusion detection at the edge of a network so that the
host can see the attacks directed at it.

Piers McMahon, senior business manager for the eTrust suite of
security products at Computer Associates, Islandia, NY, agrees that
different traffic types must be monitored. eTrust detects known attack
patterns at the network, server, and application layers. The product
also provides streaming updates so that IT managers and security
professionals don't have to manually update servers.

"Hackers are trying to get under the social defenses," McMahon said.
"Using Trojan horses, they're getting users to trustingly connect to a
site that may be malicious or may deposit malicious code. Most
companies have a false sense of security."

Not everyone does. Kurt Ziegler, chairman and CEO of traffic analysis
vendor eBSure, was so concerned about his company's security, he
included a security plan and budget in his initial business plan.
Ziegler, who once headed security for Computer Associates (stock: CA),
is familiar with the security risks software companies face. As a
result, intrusion detection -- and security in general -- were top
priorities from the start.

Ziegler said when he started at eBSure he wanted a level of security
the company couldn't afford. Some of the firewall vendors claimed to
be doing intrusion detection, but Ziegler went with Riptech because it
offers an intrusion detection and firewall system that supports VPNs.
The VPN support was critical because eBSure's developers -- many of
whom work from home and are dispersed geographically -- are constantly
exchanging information about the software, as well as pieces of the
software code over the network.

"As a software entrepreneur, I have to protect my assets, which are a
base of programmers, the software they produce and our website,"
Ziegler says. "All three of those elements are affected by being
connected to the network. We're inherently vulnerable."

Ziegler interviewed numerous security vendors, including companies
offering firewalls, intrusion detection, virus protection, and
encryption. Given his desire for a high level of security, he found
that the price points of equipment, software, and a professional staff
were more than he could afford.

"I had two choices," he says. "Make some trade-offs, or look for a
managed service provider that could implement my [security] policies
and provide me with a pay-as-you-go model."

Ziegler spent 30 days analyzing the various solutions and finally
decided to hire Riptech, a service provider that offers risk
assessment, security policy, architecture review, and monitoring
services. Riptech supports 12 different intrusion detection products
and cross-correlates the attacks made on the various systems. Ziegler
says his company went live with Riptech in just a week and now feels
much more comfortable about the network's security.

"Hackers are getting a lot more sophisticated," Ziegler says. "They
are able to tap on thousands of virtual doors simultaneously, looking
for vulnerabilities. I'm in the intellectual asset business -- software.
That's why I worry about protecting it. For us, it's not an option,
it's a necessity."

Craig Guinasso, formerly assistant security director at BankServ, also
considers security critical to the success of his company's business.
Guinasso left his BankServ job last year to become a senior security
manager at Slam Dunk Networks. Prior to his corporate jobs, Guinasso
worked for the Department of Energy's Emergency Response Team. One of
his responsibilities at the Energy Department was to test the
vulnerability of its in-house VPN.

"[If you're using a VPN], a hacker will use a tunnel to get into your
corporate network," Guinasso says. "Most people don't care about
security until there's a break-in. We knew from the start we had to
secure [our VPN] connections because they were vulnerable."

Security experts say security is only as robust as its weakest link.
Guinasso says telecommuters are the weakest link because hackers know
companies are guarding the core corporate network. BankServ uses the
Network ICE tools suite to protect its home users. Although Guinasso
is happy with the product, he admits that any security solution is
only secure until a new hole is discovered.

Given the creativity among hackers, vendors and service providers warn
that intrusion detection must become a front-burner issue. Cyber
attacks have separated businesses into two types: Companies that have
been attacked and those that will be attacked. So be afraid...be very
afraid.

Lisa Morgan is a contributing editor at InternetWeek. She can be
reached at lisamorgan () mindspring com.

ISN is hosted by SecurityFocus.com