Information Security News mailing list archives
Intrusion Detection: Be Afraid, Be Very Afraid
From: InfoSec News <isn () C4I ORG>
Date: Thu, 4 Jan 2001 01:23:21 -0600
http://www.techweb.com/wire/story/TWB20010103S0013

By Lisa Morgan, InternetWeek
Jan 3, 2001 (3:34 PM)

If you're not afraid of the state of your company's security, you should be. Hackers are scanning ports en masse, coordinated attacks are gaining popularity, and network users who appear to be valid are often impostors. And that's just outside attacks. The real problem, experts say, is that 60 percent to 70 percent of attacks come from inside the company. The message is simple: Be aware -- or be hacked.

Large companies that spend big on their own security staffs and outsourced expertise aren't always safe either. One of the largest, Microsoft (stock: MSFT), fell victim last October to hackers who used the well-known QAZ worm to break into the company's computer systems to steal product design information about the Windows operating system and the Microsoft Office suite. Western Union was attacked in September when hackers gained access to 15,700 customer accounts, including credit-card information.

High-profile denial-of-service attacks like the ones that took down eBay (stock: EBAY) and CNN.com last February may not occur on a regular basis, but most security experts agree that Denial of Service (DoS) attacks do occur daily. While FBI investigations of the more high-profile attacks make headline news, most DoS and other hacking incidents are not reported. That means the problem is far worse than it appears. Most companies don't report break-ins -- particularly internal hacks -- because they don't want customers and shareholders to lose confidence.

The reality is that attacks are on the rise. A Computer Security Institute/FBI survey released last year said the number of respondents reporting their Internet connections as a frequent point of attack increased every year for five years, from 47 percent in 1996 to 59 percent in 2000.

And Pilot Network Services, a secure service provider, reported in its latest Cyber Barometer online newsletter that the overall frequency of threats was steady during the past few months, but the number of different types of attack attempts increased by 15 percent in November 2000. "We're seeing more NetBIOS attacks, scans, and viruses," said Phil Simmonds, director of technical marketing at Pilot (stock: PILT). "We're monitoring attacks and reporting the trends in Cyber Barometer, but the problem is you don't know what the trends will be. Past trends are not necessarily indicative of future trends."

Pilot, Alameda, Calif., provides highly secure VPN and hosting services to a broad range of enterprise customers. Simmonds says one advantage Pilot has over most intrusion detection system (IDS) vendors is anonymity. Pilot's intrusion detection tools are proprietary and therefore can't be purchased and reviewed by a malicious source.

Other service providers argue in favor of managed services over the purchase and use of tools in-house because they are selling security expertise that's otherwise difficult and expensive to obtain directly.

Despite the growing popularity of outsourced services, vendors say they're selling more equipment than ever. Most agree that effective intrusion detection and enterprise security requires more than a firewall or IDS -- companies need both, as well as virus detection and encryption. More important, businesses need to define security policies and implement them effectively.

Since most IT professionals are not security experts, the quality of a company's security program may be limited by a lack of internal expertise. Vendors say that purchasing an IDS is only a first step. Some customers are buying security systems but are not necessarily maintaining them. They fail to download patches and known signatures, leaving themselves open to the latest attacks.

"We are seeing a massive increase in the automated scans for specific vulnerabilities," said Tim Belcher, chief technology officer and co-founder of Riptech, a managed service provider. "A couple of months ago, this was compromising common Unix services. Distributed DoS attacks are still a real problem. Customers have to continually protect themselves."

Most vendors agree that security must become more of a priority for customers. However, they don't necessarily agree on how security should be implemented. Some advocate host IDSes that monitor traffic and logs, while others promote network systems that reside at the edge of the network. Pete Lindstrom, a security analyst at the Hurwitz Group, Framingham, Mass., says the two security options are converging, and some vendors are beginning to offer more integrated products and services.

Regardless of the architecture, effective security requires a multilayer defense. Which security systems are ultimately implemented depends on corporate security policies, network architectures, business models, and the company's ability to effectively manage security.

Nir Zuk, chief technology officer at OneSecure, another managed service provider, says IT managers often have trouble administering IDSes because they generate a massive amount of log data that they don't have time to analyze. Zuk and other IDS vendors agree that the tools for managing alerts and raw data need to be streamlined.

Then there's the problem of staying current. During one fiscal year, an IT manager or COO may request $300,000 for security expenditures and the following year request the same amount or more to keep up with the company's security needs. Sometimes management doesn't understand why security systems need to be repurchased and may deny or at least argue with the request. Staying current while navigating the security maze is an issue.

IT managers who haven't experienced an attack may find it difficult to explain to management why the company needs to continue spending large amounts on security. IT managers would like to get answers from vendors, but may not know the right questions to ask.

"Intrusion detection is reactive," says Ryon Packer, executive director of marketing at Intrusion.com, an IDS vendor. "People buy tools after the attack, similar to the way they buy firewalls. Worse, there is a skills gap. The rate at which a person can become and stay knowledgeable about security systems and malicious methods pales in comparison to the rate at which the industry is growing. People have to stay current, and that's tough."

Vendors are also challenged to keep up. Avi Fogel, president and CEO of IDS vendor Network One, says hackers will always be more agile than vendors because hackers don't go through a quality assurance process. "The objective is to minimize vulnerability," Fogel says. "Ideally, you could find a more generic tool that prevents classes of intrusion like a Trojan Horse. A tool like that could have prevented the recent Microsoft break-in."

Network One offers a host-resident firewall and IDS that monitors layer 3, 4, and 7 traffic. Higher-level monitoring is important, given that many of the attacks happen at the application layer (layer 7), where malicious code is embedded in a popular desktop application. Network One is an advocate of intrusion detection at the edge of a network so that the host can see the attacks directed at it.

Piers McMahon, senior business manager for the eTrust suite of security products at Computer Associates, Islandia, NY, agrees that different traffic types must be monitored. eTrust detects known attack patterns at the network, server, and application layers. The product also provides streaming updates so that IT managers and security professionals don't have to manually update servers. "Hackers are trying to get under the social defenses," McMahon said. "Using Trojan horses, they're getting users to trustingly connect to a site that may be malicious or may deposit malicious code. Most companies have a false sense of security."

Not everyone does. Kurt Ziegler, chairman and CEO of traffic analysis vendor eBSure, was so concerned about his company's security, he included a security plan and budget in his initial business plan. Ziegler, who once headed security for Computer Associates (stock: CA), is familiar with the security risks software companies face. As a result, intrusion detection -- and security in general -- were top priorities from the start.

Ziegler said when he started at eBSure he wanted a level of security the company couldn't afford. Some of the firewall vendors claimed to be doing intrusion detection, but Ziegler went with Riptech because it offers an intrusion detection and firewall system that supports VPNs. The VPN support was critical because eBSure's developers -- many of whom work from home and are dispersed geographically -- are constantly exchanging information about the software, as well as pieces of the software code over the network.

"As a software entrepreneur, I have to protect my assets, which are a base of programmers, the software they produce and our website," Ziegler says. "All three of those elements are affected by being connected to the network. We're inherently vulnerable."

Ziegler interviewed numerous security vendors, including companies offering firewalls, intrusion detection, virus protection, and encryption. Given his desire for a high level of security, he found that the price points of equipment, software, and a professional staff were more than he could afford. "I had two choices," he says. "Make some trade-offs, or look for a managed service provider that could implement my [security] policies and provide me with a pay-as-you-go model."

Ziegler spent 30 days analyzing the various solutions and finally decided to hire Riptech, a service provider that offers risk assessment, security policy, architecture review, and monitoring services. Riptech supports 12 different intrusion detection products and cross-correlates the attacks made on the various systems. Ziegler says his company went live with Riptech in just a week and now feels much more comfortable about the network's security.

"Hackers are getting a lot more sophisticated," Ziegler says. "They are able to tap on thousands of virtual doors simultaneously, looking for vulnerabilities. I'm in the intellectual asset business -- software. That's why I worry about protecting it. For us, it's not an option, it's a necessity."

Craig Guinasso, formerly assistant security director at BankServ, also considers security critical to the success of his company's business. Guinasso left his BankServ job last year to become a senior security manager at Slam Dunk Networks. Prior to his corporate jobs, Guinasso worked for the Department of Energy's Emergency Response Team. One of his responsibilities at the Energy Department was to test the vulnerability of its in-house VPN.

"[If you're using a VPN], a hacker will use a tunnel to get into your corporate network," Guinasso says. "Most people don't care about security until there's a break-in. We knew from the start we had to secure [our VPN] connections because they were vulnerable."

Security experts say security is only as robust as its weakest link. Guinasso says telecommuters are the weakest link because hackers know companies are guarding the core corporate network. BankServ uses the Network ICE tools suite to protect its home users. Although Guinasso is happy with the product, he admits that any security solution is only secure until a new hole is discovered. Given the creativity among hackers, vendors and service providers warn that intrusion detection must become a front-burner issue.
Cyber attacks have separated businesses into two types: companies that have been attacked and those that will be attacked. So be afraid...be very afraid.

Lisa Morgan is a contributing editor at InternetWeek. She can be reached at lisamorgan () mindspring com.