Information Security News mailing list archives

Cracks in the Firewall


From: InfoSec News <isn () c4i org>
Date: Wed, 10 Apr 2002 03:46:51 -0500 (CDT)

http://www.businessweek.com/bwdaily/dnflash/apr2002/nf2002049_1803.htm

APRIL 9, 2002 
SECURITY NET 
By Alex Salkever 

Thanks to sophisticated new attack methods, computer security has to
go beyond the old standby of merely keeping intruders out

Is your firewall toast? A new report by Web security giant Internet
Security Systems (ISSX) suggests it certainly could use a few upgrades
and some additional help.

The company combed through data collected from the logs of thousands
of security devices it monitors for businesses ranging from
mom-and-pops to multibillion-dollar global conglomerates. The
conclusion: Perimeter defenses such as firewalls are not enough to
ward off increasingly sophisticated worms and viruses.

Sure, ISS is more than happy to sell you a host of new security
products. But the issues raised by its survey -- a comprehensive look
at the state of Web security -- are quite revealing. The study,
released on Apr. 3, found that 70% of all intrusion attempts now
target port 80. Each computer has thousands of ports used for
different services. Firewalls control, depending on your preferences,
which ports are open or closed. Port 80 is now used on virtually every
computer for Web surfing, so it's wide open. Shielding port 80 would
gum up Web traffic as requests for info and responses from Web servers
got backed up in a domino effect.

"DIFFERENT SCENARIO."  This explains why intruders increasingly play
off this connectivity to target systems that require a certain degree
of openness to function as a business tool. "The [pre-Internet]
computing technologies were designed to keep people out. The Internet
is all about letting people in. That's a different security scenario,"  
explains Joe Duffy, national security practice manager for
PricewaterhouseCoopers.

Other insights can be gleaned from ISS's inaugural quarterly report.  
Until recently, the most common type of Internet attack was "denial of
service," whereby malicious hackers break into computers connected to
the Net and command them to fire incessant data requests at a Web
site. That shuts off access to the site and can damage it.

Now a new, more sophisticated type of attack predominates, says the
ISS study -- "hybrid" attacks. They involve pieces of automated
software that might try multiple avenues to break into a system, such
as e-mail, Web servers, and known vulnerabilities in operating
systems. Sometimes, the goals are hidden. A good example: Code Red,
which sought to insert itself into as many open Microsoft Internet
Information Services (IIS) servers as possible and then tried to
launch an attack on the White House Web site.

MULTIFACETED THREATS.  The first widespread hybrid attacks came last
year with so-called worm-viruses such as Code Red and Nimda. Others
are appearing with frightening regularity. "We started getting these
multidimensional threats wrapped in a single box. It's like the
Unabomber putting a box on your doorstep. There's a bomb containing a
nuclear device, a biological weapon, and a chemical weapon all in one
package," says Tom Noonan, CEO of ISS.

These types of intelligent, multifaceted cyberthreats are changing the
way companies plan security for their networks. "Nimda was very
interesting from a security perspective because we talk about virus
detection and intrusion detection. But just detecting isn't sufficient
any more," says Wyatt Starnes, CEO of Tripwire Security Systems. "In
the case of Nimda, by the time it was detected, it had already
executed. And by then it had pretty much trashed the system file
structure."

Tripwire and other companies have taken the cue and adjusted their
products to reflect the new reality. According to Starnes, his
software has morphed from an "intrusion-detection system" aimed at
detecting hackers as they attack to an "integrity assessment software"  
that can detect untoward changes in files and quickly restore them to
normal. Other companies, such as Foundstone, are focusing on "security
assessment products" that do spot checks on company networks to make
sure they're not at risk.
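The integrity-assessment approach Starnes describes (baseline the files you trust, detect untoward changes, put them back) as an added worked example; this is not Tripwire's code or the article's, and the directory layout, file contents and "snapshot" copy are constructed for the demonstration:

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Classify drift between a trusted baseline and the current state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def restore(root, snapshot, report):
    """Undo drift from an offline snapshot copy; return the actions taken."""
    root, snapshot, actions = Path(root), Path(snapshot), []
    for rel in report["modified"] + report["removed"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, root / rel)
        actions.append(("restored", rel))
    for rel in report["added"]:           # files the baseline never knew about
        (root / rel).unlink()
        actions.append(("deleted", rel))
    return actions

def demo():
    """Constructed scenario: snapshot a tree, alter it, detect and repair."""
    with tempfile.TemporaryDirectory() as tmp:
        root, snap = Path(tmp, "webroot"), Path(tmp, "snapshot")
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "httpd").write_bytes(b"original binary")
        (root / "index.html").write_bytes(b"<h1>welcome</h1>")
        shutil.copytree(root, snap)                # trusted offline copy
        baseline = build_baseline(root)
        (root / "bin" / "httpd").write_bytes(b"altered binary")   # drift 1: modified
        (root / "dropped.exe").write_bytes(b"unexpected")         # drift 2: added
        (root / "index.html").unlink()                            # drift 3: removed
        report = compare(baseline, build_baseline(root))
        actions = restore(root, snap, report)
        return report, actions, compare(baseline, build_baseline(root))
```

The point the article makes is visible in `demo()`: detection alone leaves the altered binary in place, so the comparison is only useful because a trusted copy exists to restore from.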

600,000 LOG-INS?  Another approach is keeping closer tabs on who
should be on the networks. PricewaterhouseCoopers' Duffy tells the
story of a major national clothing retailer that came to him for help
when it wanted to move all of its human resources functions online.

The trouble was that only 20,000 of the company's 300,000 employees had
log-in privileges. To link everyone online, the retailer would have
needed to increase the number of people using its network
fifteen-fold. Then Duffy discovered that the company, like many
mass-market retailers, had annual turnover of 100%. That meant it
would have had to provide upward of 600,000 log-in credentials a year
-- a thirty-fold increase.

"You have a cost for security that's going to go through the roof. Any
benefit you get in HR would be offset by the army of administrators,"  
says Duffy. The solution: PwC put in software from a company called
Oblix that allowed the retailer to automate the assignment of log-in
privileges.

STURDIER WALLS.  Now, when part-time store clerks get hired, they
receive network access only to the programs needed to administer their
benefits. The software also removes employees' network privileges when
they leave the company.
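The provisioning logic described for the retailer, as an added example (not Oblix's or PwC's code): the HR roster is the source of truth, each role maps to the few entitlements it needs, leavers lose everything, and accounts with no HR record are flagged. Roles, entitlements and users are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Role -> the only entitlements that role needs (constructed least-privilege policy).
ROLE_ENTITLEMENTS = {
    "store_clerk": {"benefits_portal"},
    "store_manager": {"benefits_portal", "scheduling"},
    "hr_admin": {"benefits_portal", "hr_console"},
}

@dataclass
class Account:
    user: str
    entitlements: set = field(default_factory=set)

def reconcile(roster, accounts):
    """roster: {user: (role, status)} from HR; accounts: {user: Account} in the directory.
    Returns the actions an identity-management job would apply."""
    actions = []
    for user, (role, status) in roster.items():
        have = accounts.get(user, Account(user)).entitlements
        if status != "active":
            if have:                      # leaver still holds access: revoke all of it
                actions.append(("disable", user, sorted(have)))
            continue
        want = ROLE_ENTITLEMENTS[role]
        if user not in accounts:          # joiner: create with role-scoped access only
            actions.append(("create", user, sorted(want)))
            continue
        for ent in sorted(want - have):
            actions.append(("grant", user, ent))
        for ent in sorted(have - want):   # more access than the role needs
            actions.append(("revoke", user, ent))
    for user in sorted(set(accounts) - set(roster)):   # account with no HR record
        actions.append(("orphan", user, sorted(accounts[user].entitlements)))
    return actions

def demo():
    """Constructed sample: one day of roster changes at a retailer."""
    roster = {
        "clerk1": ("store_clerk", "active"),        # new hire, no account yet
        "clerk2": ("store_clerk", "terminated"),    # left, account still live
        "mgr1": ("store_manager", "active"),        # over-entitled
        "hr1": ("hr_admin", "active"),              # already correct
    }
    accounts = {
        "clerk2": Account("clerk2", {"benefits_portal"}),
        "mgr1": Account("mgr1", {"benefits_portal", "scheduling", "hr_console"}),
        "hr1": Account("hr1", {"benefits_portal", "hr_console"}),
        "ghost": Account("ghost", {"scheduling"}),  # no HR record at all
    }
    return reconcile(roster, accounts)
```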

Of course, all of these new approaches remain in the earliest stages.  
And no one is advising companies to abandon firewalls, which remain
the foundation for defending any company's network. Companies such as
Check Point Software Technologies (CHKP ) and NetScreen (NSCN ) have
enhanced firewalls to make them far more effective against the newer,
multifaceted Web attacks.

Here's the rub: In the Internet Era, firewalls seem increasingly
permeable. And businesses would do well to look at ways to watch and
control more rigorously what's happening inside the perimeter rather
than put their stock in blocking out barbarians with a firewall.



-
ISN is currently hosted by Attrition.org
