<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>excITingIP.com &#187; Network Security</title>
	<atom:link href="http://www.excitingip.com/category/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.excitingip.com</link>
	<description>How innovative IT Network infrastructure makes IP excITing!</description>
	<lastBuildDate>Fri, 03 Feb 2012 22:33:40 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Botnets &#8211; What are botnets, what can they do &amp; how to protect against them</title>
		<link>http://www.excitingip.com/2755/botnets-what-are-botnets-what-can-they-do-how-to-protect-against-them/</link>
		<comments>http://www.excitingip.com/2755/botnets-what-are-botnets-what-can-they-do-how-to-protect-against-them/#comments</comments>
		<pubDate>Sun, 22 Jan 2012 01:51:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2755</guid>
		<description><![CDATA[A botnet is a group of computers that have been infected with malicious software (bots) and can be directed, as a group, to launch coordinated attacks against target systems. A spam bot is one type of bot, but other (more damaging) botnets are deployed for a range of purposes. In this article, let us look at - What are botnets, how botnets spread, what botnets can do and how to protect against botnets.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A botnet is a group of computers that have been infected with malicious software (bots) and can be directed, as a group, to launch coordinated attacks against target systems. A spam bot is one type of bot, but other (more damaging) botnets are deployed for a range of purposes. In this article, let us look at &#8211; What are botnets, how botnets spread, what botnets can do and how to protect against botnets.</p>
<h2 style="text-align: justify;">What are botnets?</h2>
<p style="text-align: justify;">Botnets refer to a group of computer systems that are infected with a malicious software in order to take control of the host systems systems (when required) to send out spam messages, conduct <a href="http://www.excitingip.com/1500/an-introduction-to-ddos-distributed-denial-of-service-attack/" target="_blank">DDoS (Distributed Denial of Service attacks)</a>, etc. Usually, there is some sort of centralized command and control server/ system from which all the botnets receive instructions and updates. The victim, on whose system the botnet resides, is usually not aware of botnet activity happening from their computers.</p>
<p style="text-align: justify;">Botnets are technically similar to <a href="http://www.excitingip.com/2602/what-are-network-internet-worms-a-short-story-of-stuxnet/" target="_blank">worms</a>. They can be a combination of computer systems running various operating systems including Windows (largely), Linux, Mac, Unix etc. A single (large) botnet group might comprise of even a million systems or more (but not all of them are active always). The main reason for their deployment is to make money through nefarious means. For example, they can conduct DDoS attacks on a web-server and demand a ransom to stop it. There are people who control a huge group of botnets and lend them out for a small period to clients, and charge money for it.</p>
<h2 style="text-align: justify;">How do botnets spread?</h2>
<p style="text-align: justify;">Botnets spread mainly due to &#8216;Drive by download&#8217; initiatives and email attachments/ links. Malicious software can be attached with illegal software/ media downloads. Once a user clicks on the links in the sites that host them, botnet software downloads and gets installed in the host system. Botnets are sent as attachments (mostly executable files) in email messages. Botnet programs can become a gateway for installing other malicious software programs.</p>
<p style="text-align: justify;">Botnets  may be disguised as fake anti-virus programs (Conficker, for example). When users click on the fake anti-virus download link, the botnets can get installed in their systems. Some bots are intelligent enough to scan for vulnerabilities in computer applications and spread by taking advantage of them. They can access a desktop email client (for example) and send spam messages to all the email addresses saved in them.</p>
<p style="text-align: justify;">Some botnets can even carry out dictionary attacks to guess passwords in a computer system (to execute malicious programs). Botnets are generally controlled from a centralized C&amp;C (command and control) server but more recent ones spread using P2P programs/ protocols. While IRC protocol was used in centralized C&amp;C based botnets, P2P programs use more commonly used http protocol.</p>
<p style="text-align: justify;">The P2P (Peer to Peer) botnets are difficult to identify and control because each bot have some level of C&amp;C functions embedded in them (and hence doesn&#8217;t require a centralized control server), can use SSL (encryption) to mask inter-botnet communications and can pass through corporate firewalls (because http traffic is allowed, especially in encrypted formats). Botnets can even replicate themselves, if they are programed to.</p>
<h2 style="text-align: justify;">What can botnets do?</h2>
<ul>
<li style="text-align: justify;">Botnets can send millions of spam messages within a short period of time. These messages might contain some executable attachment which installs the botnet software on victim systems when users open them. Or they can just send (spam) marketing emails.</li>
<li style="text-align: justify;">Botnets can initiate a DDoS (Distributed Denial of Service) attack where a whole group of botnet systems keep bombarding certain target systems with numerous messages/ requests in the intention of crippling their services and making them unavailable for normal activities. A web server can be subject to DDoS attack to take a website down, for example.</li>
<li style="text-align: justify;">Botnets can install malicious software in the host systems that can monitor for critical information (for example, they can install key-loggers/ spyware which can find out user-names, passwords, credit card information, financial information and anything else that is typed on the keyboard of the unsuspecting hosts).</li>
<li style="text-align: justify;">Botnets can initiate web-based attacks like <a href="http://www.excitingip.com/261/what-is-a-phishing-threat-and-how-users-can-be-safeguarded/" target="_blank">phishing/ pharming</a> which extract financial information like online banking ID and password, etc by misdirecting users to a fraudulent site, mostly using malicious links sent out through an email spam campaign.</li>
<li style="text-align: justify;">Botnets can even start web-servers on infected machines to aid in phishing attacks.</li>
<li style="text-align: justify;">Online games and polls can be manipulated to obtain favorable results using botnets.</li>
<li style="text-align: justify;">Bots can steal and transfer a software license from the host, to another computer.</li>
<li style="text-align: justify;">The Command and Control centers of certain botnets may use <a href="http://www.excitingip.com/2123/a-simple-introduction-to-dns-ddns-and-why-your-organization-might-need-them/" target="_blank">Dynamic DNS</a> to hide themselves as it allows changing IP addresses of host-names at will.</li>
<li style="text-align: justify;">Botnets can even carryout a DDoS attack to hide themselves from machines scanning for them.</li>
<li style="text-align: justify;">Some botnets may be updated at a regular frequency to avoid being detected by anti-virus vendors.</li>
<li style="text-align: justify;">Botnets can even destroy a large amount of data in their host system and can self-destruct themselves if they are identified.</li>
<li style="text-align: justify;">Botnets can temporarily go offline. They can stop / reduce their activity for a temporary period and come back when the time is ripe/ targets are unsuspecting.</li>
</ul>
<h2>How to protect against botnets?</h2>
<p style="text-align: justify;"><strong>At the host level (individual computers) -</strong></p>
<ul>
<li style="text-align: justify;">Install Anti-virus/ anti-malware/ anti-spam software on the computer and keep them updated regularly</li>
<li style="text-align: justify;">Install personal firewalls</li>
<li style="text-align: justify;">Update the OS/ Software applications to the latest version and install patches regularly</li>
<li style="text-align: justify;">Do not download illegal stuff (like pirated music files, games, videos, etc) from the Internet</li>
<li style="text-align: justify;">Do not click on links/ open attachments from unsolicited email messages</li>
<li style="text-align: justify;">Try to reformat your system and re-load the OS/ applications at least once in a year</li>
</ul>
<p><strong>At the network level -<br />
</strong></p>
<ul>
<li style="text-align: justify;">Have appropriate network protection technologies in place &#8211; Gateway level anti-virus/ anti-spam/ UTM/ Firewalls, IDS/ IPS Systems, Content filtering, etc</li>
<li style="text-align: justify;">Monitor firewall/ UTM logs (for both allowed and denied connections) to identify botnet Command &amp; Control centers</li>
<li style="text-align: justify;">Unusual increase in traffic / traffic patterns could be an indicator for DDoS attacks. Have DDoS protection for your network in place</li>
<li style="text-align: justify;">It is important to remove malware/ botnet software from individual hosts quickly. Otherwise, other systems in the network might get affected as well</li>
<li style="text-align: justify;">If you can identify the executable file/ code used by botnets, submit it to anti-virus vendors</li>
<li style="text-align: justify;">Honeypots can be set-up to incite botnets to infect a system in order to study its activities / goals. This can make it easier to prevent them from affecting real systems in actual networks</li>
<li style="text-align: justify;">Its important to identify and disable botnet Command &amp; Control infrastructure. Often, this is not possible by individual organizations and hence you might want to take help from Federal/ Government IT security authorities/ experts, on the same</li>
</ul>
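<p style="text-align: justify;">The log-monitoring point above is easier to act on with a concrete check. The script below is an added example (not code from the original article): it reads firewall connection records in an assumed one-line format, groups outbound connections by internal host, external address and port, and reports the flows whose inter-connection intervals are nearly constant, which is what a bot polling its C&amp;C server looks like from the network edge. Denied connections are kept on purpose. The log format, addresses and timings are constructed for the example.</p>

```python
"""Spotting botnet C&C 'beacons' in firewall logs.

Added example, not from the original article.  Assumed record format:

    <ISO timestamp> <ALLOW|DENY> <src ip> <dst ip>:<dst port> <proto>

Internal hosts that keep contacting one external address:port at
near-constant intervals are reported as beacon candidates.  Denied
connections count too: a bot whose C&C is blocked keeps trying, and
that is worth knowing about.  Everything below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Your own address ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.0.12 polls 203.0.113.9:443 about once a minute,
# 10.0.0.31 tries an IRC port every 30 s and is blocked, 10.0.0.7 just browses.
SAMPLE_LOG = """\
2012-02-03T10:00:00 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:00:13 ALLOW 10.0.0.7 198.51.100.20:80 tcp
2012-02-03T10:00:30 DENY 10.0.0.31 192.0.2.77:6667 tcp
2012-02-03T10:01:00 DENY 10.0.0.31 192.0.2.77:6667 tcp
2012-02-03T10:01:01 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:01:30 DENY 10.0.0.31 192.0.2.77:6667 tcp
2012-02-03T10:01:40 ALLOW 10.0.0.7 198.51.100.44:443 tcp
2012-02-03T10:02:00 DENY 10.0.0.31 192.0.2.77:6667 tcp
2012-02-03T10:02:00 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:02:05 DENY 10.0.0.7 198.51.100.20:25 tcp
2012-02-03T10:03:01 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:03:55 ALLOW 10.0.0.7 198.51.100.44:443 tcp
2012-02-03T10:04:00 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:04:10 ALLOW 10.0.0.7 198.51.100.44:443 tcp
2012-02-03T10:05:00 ALLOW 10.0.0.12 203.0.113.9:443 tcp
2012-02-03T10:06:00 firewall restarted
2012-02-03T10:09:30 ALLOW 10.0.0.7 198.51.100.20:80 tcp
2012-02-03T10:12:00 ALLOW 10.0.0.7 198.51.100.44:443 tcp
"""


def is_internal(addr_text):
    addr = ip_address(addr_text)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_beacons(events, min_events=4, max_jitter=0.2):
    """Return beacon candidates (most regular first) as a list of dicts.

    A flow is (src, dst, dport) for internal -> external connections.  For
    flows with at least min_events connections the gaps between successive
    connections are measured; a coefficient of variation (stdev / mean) at
    or below max_jitter means the timing is regular.  Bots that add random
    sleep need a looser threshold, so tune it for your environment.
    """
    flows = defaultdict(list)
    for ev in events:
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            flows[(ev["src"], ev["dst"], ev["dport"])].append(ev)

    hits = []
    for (src, dst, dport), evs in flows.items():
        if len(evs) < min_events:
            continue
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "count": len(evs),
                "period_s": round(period, 1), "jitter": round(jitter, 3),
                "denied": sum(e["action"] == "DENY" for e in evs),
            })
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{h['src']} -> {h['dst']}:{h['dport']} every {h['period_s']}s "
              f"(jitter {h['jitter']}, {h['count']} connections, {h['denied']} denied)")
```

<p style="text-align: justify;">On the sample the browsing host is ignored (its connection gaps vary widely), while both the HTTPS poller and the blocked IRC client are reported. In a real network the candidate list still needs a second look (software update checks and monitoring agents also beacon), but it turns a pile of log lines into a short list of hosts and external addresses to investigate.</p>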
<h2>excITingIP.com</h2>
<p style="text-align: justify;">You could keep yourself updated on the latest Computer Networking/ Enterprise IT technologies by subscribing to this blog with your email address in the sidebar box that says, &#8216;Get email updates when new articles are published&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2755/botnets-what-are-botnets-what-can-they-do-how-to-protect-against-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What are Network/ Internet Worms &amp; A short story of Stuxnet</title>
		<link>http://www.excitingip.com/2602/what-are-network-internet-worms-a-short-story-of-stuxnet/</link>
		<comments>http://www.excitingip.com/2602/what-are-network-internet-worms-a-short-story-of-stuxnet/#comments</comments>
		<pubDate>Sat, 22 Oct 2011 18:03:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2602</guid>
		<description><![CDATA[In this article, let us look at what computer worms are, some techniques used by them to infect systems, what they can do and how they spread. But before that, let us read a short story of the most famous worm - Stuxnet. ]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In this article, let us look at what computer worms are, some techniques used by them to infect systems, what they can do and how they spread. But before that, let us read a short story of the most famous worm &#8211; Stuxnet.</p>
<p style="text-align: justify;"><strong>Short Story of Stuxnet:</strong></p>
<p style="text-align: justify;">How does one attack/ disable a nuclear facility that is several stories underground and does not have any connections to the Internet/ external world? That&#8217;s exactly the challenge that Stuxnet was designed to overcome.</p>
<p style="text-align: justify;">It seems Stuxnet was planted in the area surrounding the nuclear facility so that it can spread to as many computers as possible in a short period of time. It then had to mask itself and remain undetected from the existing computer security mechanisms.</p>
<p style="text-align: justify;">Since this was the area where scientists and other workers in the nuclear facility went to their homes, there was a chance that some of them would bring their work home in a pen drive / removable disk. It seems some of them did, and the worm copied itself and was able to infect systems inside the nuclear facility.</p>
<p style="text-align: justify;">Once inside, it had to learn the complex network security mechanisms in place and evolve in order to remain undetected. It then had the job of infecting the proprietary operating system of a vendor&#8217;s nuclear plant control system.</p>
<p style="text-align: justify;">It then targeted the frequency converters which regulated the speed of the centrifuges used to create nuclear fuel. It made them run too fast/ too slow in order to ensure that the nuclear fuel was never enriched properly and hence un-usable for plant operations.</p>
<p style="text-align: justify;">More importantly, it masked this operation by adjusting the readings in monitoring systems so that the scientists would not come to know the actual reason for centrifuge malfunction.</p>
<p style="text-align: justify;">Though it was later discovered by a third party vendor having operations inside the plant, it was effective enough to jeopardize the nuclear program for many months.</p>
<p style="text-align: justify;">This is what worms are capable of doing, and this particular example is thought of being a part of &#8216;Cyber warfare&#8217;.</p>
<p style="text-align: justify;">You can <a href="http://www.foxnews.com/scitech/2010/11/26/secret-agent-crippled-irans-nuclear-ambitions/" target="_blank">read the entire story about Stuxnet from this link</a>. It takes 20 minutes to read, but reads like a thriller.</p>
<p style="text-align: justify;"><strong>What is a Network/ Internet Worm?</strong></p>
<p style="text-align: justify;">Worms are self-sufficient malicious code that can be remotely controlled (most of the time) to cause some form of damage to the computers they infect. They can move from one system to another over the network and try to mask themselves from being detected by existing network security mechanisms.</p>
<p style="text-align: justify;">Unlike a computer virus, worms are self-sufficient and network enabled. They need not have to get attached themselves to some host document and use it to spread around the network &#8211; they can do it by themselves. Worms can replicate themselves and communicate with their controller/ other worms using the infected system resources.</p>
<p style="text-align: justify;"><strong>How do worms infect systems?</strong></p>
<p style="text-align: justify;">Worms infect systems either by exploiting a known flaw in the software (like buffer overflow) or using any configuration errors or due to some action initiated by the user (like opening an email attachment containing worms / downloading worms disguised as pirated software or system updates).</p>
<p style="text-align: justify;"><strong>What else can worms do?</strong></p>
<ul style="text-align: justify;">
<li style="text-align: justify;">Worms can disguise themselves (using encryption, etc.) and hence they can be hard to deduct / analyze.</li>
<li style="text-align: justify;">Worms may disable security update systems in the host or prevent the host from accessing such systems.</li>
<li style="text-align: justify;">Worms can leave a system completely but still leave a back-door to enable future attacks.</li>
<li style="text-align: justify;">Worms can copy themselves to USB drives/ external hard disks and other portable storage media.</li>
<li style="text-align: justify;">A new version of the worm can update the old version through peer-to-peer interaction.</li>
<li style="text-align: justify;">Worms can attack a large number of systems over the Internet by choosing random IP addresses.</li>
</ul>
<p style="text-align: justify;"><strong>What kind of damage can be inflicted by worms?</strong></p>
<ul style="text-align: justify;">
<li style="text-align: justify;">Worms can cause network flooding and induce excessive network traffic, thereby chocking the bandwidth.</li>
<li style="text-align: justify;">Worms can be designed to extract sensitive information from target systems like user-name/ password, financial information, etc.</li>
<li style="text-align: justify;">Worms can delete important files and make a system / hard-disk unusable.</li>
<li style="text-align: justify;">A worm can use dictionary attacks on systems to guess passwords and get administrative access, after which the systems can be remotely controlled.</li>
<li style="text-align: justify;">Worms can execute scripts or commands on a remote system, without the user&#8217;s knowledge.</li>
<li style="text-align: justify;">Worms can take control of a group (zombie) of systems to launch coordinated <a title="An Introduction to DDoS – Distributed Denial of Service attack" href="http://www.excitingip.com/1500/an-introduction-to-ddos-distributed-denial-of-service-attack/" target="_blank">DDoS attacks</a> from multiple locations.</li>
<li style="text-align: justify;">Worms can do many more things that they are programmed to do. Some of them don&#8217;t cause much damage, but many of them do.</li>
</ul>
<p style="text-align: justify;"><strong>excITingIP.com</strong></p>
<p style="text-align: justify;">You could stay up to date on the various computer networking/ enterprise IT technologies by subscribing to this blog with your email address in the sidebar box that says, &#8216;Get email updates when new articles are published&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2602/what-are-network-internet-worms-a-short-story-of-stuxnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is a Trojan Horse in Computer Networks and how to protect yourself from it?</title>
		<link>http://www.excitingip.com/2514/what-is-a-trojan-horse-in-computer-networks-and-how-to-protect-yourself-from-it/</link>
		<comments>http://www.excitingip.com/2514/what-is-a-trojan-horse-in-computer-networks-and-how-to-protect-yourself-from-it/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 06:10:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2514</guid>
		<description><![CDATA[A Trojan Horse is a computer program that is attached to a genuine program, or disguised as one, and installs a back-door on the user's computer (enabling the attacker to take control of it) when the user runs it. Trojans turn up in updates, free software and even the pirated MP3s/ videos that people download from the Internet. In this article, let us look a little deeper at what a Trojan Horse is, how it works and what steps one can take to prevent it.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A Trojan Horse is a computer program that is attached to a genuine program, or disguised as one, and installs a back-door on the user's computer (enabling the attacker to take control of it) when the user runs it. Trojans turn up in updates, free software and even the pirated MP3s/ videos that people download from the Internet. In this article, let us look a little deeper at what a Trojan Horse is, how it works and what steps one can take to prevent it.</p>
<p><strong>What is a Trojan Horse?</strong></p>
<p style="text-align: justify;">The name comes from an ancient Greek war story. The Greeks were facing a particular enemy who were proving increasingly difficult to defeat in an open war. So, they made peace with them and offered a large wooden horse as a token of their peace initiative. But inside this large wooden horse, the Greek army men were hiding and they come out of the horse at the appropirate moment to break open the enemy fortification from inside. This enabled the Greeks to get inside their enemy territory and capture them, when they were least expecting it.</p>
<p style="text-align: justify;">Someone liked this story very much and named this computer security threat as Trojan Horse because it does pretty much the same thing. The program disguises itself as a genuine program or attaches itself to a genuine program, tricks the users to download and install it in their computers/ servers and then takes control of the system through the back-door opened by the Trojan Horse.</p>
<p style="text-align: justify;">So, a Trojan Horse is a program that looks useful on the surface but hides some malicious functionality. Further, it tries to blend in with the normal processes of a system and disguises itself as a genuine program, to prevent the user from un-installing it.</p>
<p style="text-align: justify;">If a Trojan Horse is installed in a system, an attacker can go up to the level of executing arbitrary commands on the system / remote controlling the system.</p>
<p style="text-align: justify;"><strong>How do Trojan Horse programs get into user systems?</strong></p>
<p style="text-align: justify;">Trojan Horse programs are mostly pushed into unsuspecting user systems by infecting web distribution programs like software updates, software installation services, OS updates, games and free applications that are frequently downloaded by a large number of users. The attacker infects the web servers where they are hosted so that all the users downloading them would be infected in-turn. This is one reason why you should be wary of downloading and installing free software programs like games and applications.</p>
<p style="text-align: justify;">Trojans can even be combined with genuine programs or placed into genuine programs (sometimes it takes just a few lines of code). Another way of pushing them to users is to develop a free software (with a Trojan horse) and promise that it provides a lot of applications / offers a lot of excitement and luring the users to download it from the Internet.</p>
<p style="text-align: justify;">If a website offers a free download of pirated movies / pirated music or pirated applications (or license keys), there is a good chance that they make the users to click on a link that first downloads a Trojan Horse into the users systems before offering any downloads.</p>
<p style="text-align: justify;"><strong>How to prevent Trojan Horse programs from infecting systems?</strong></p>
<ul>
<li style="text-align: justify;">Trojan horse programs/applications can be detected and eliminated by using good Anti-Virus softwares.</li>
<li style="text-align: justify;">By having proper update policy (through the right channels) in companies and not allowing users to download / update software programs by themselves.</li>
<li style="text-align: justify;">Administrators could download multiple copies of the same software/application from various mirrors and check each of them using a common hashing algorithm to make sure that all of them are similar and none of them have any extra code embedded into them.</li>
<li style="text-align: justify;">By checking the digital certificates available with certain software distribution sites, for the authenticity of their code.</li>
<li style="text-align: justify;">By preventing the users from accessing unwanted sites like pornography, pirated movies/ music, games, hacking sites, etc using a good content filtering system.</li>
<li style="text-align: justify;">By frequently patching the web-browsers/ OS with latest security updates.</li>
</ul>
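<p style="text-align: justify;">The checksum advice above is simple to automate, and doing it properly (constant-time comparison, a strict manifest parser, a clear verdict per file) is worth seeing once. The script below is an added example, not code from the original article: it writes a manifest in the format produced by sha256sum on the "publisher" side, then verifies a set of "downloaded" files against it on the client side. The file contents, names and the trojaned copy are constructed in-line so that it runs offline.</p>

```python
"""Checking a download against the publisher's checksum manifest.

Added example, not from the original article.  The manifest is in the
format written by `sha256sum` (hex digest, two spaces, file name; a
leading '*' on the name means binary mode).  The "publisher" files, the
downloaded copies and the tampered installer below are all constructed
in-line so the example runs offline.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex (the form manifests use)."""
    return hashlib.sha256(data).hexdigest()


def write_manifest(files: dict) -> str:
    """Publisher side: produce sha256sum-style lines for {name: bytes}."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_manifest(text: str) -> dict:
    """Return {file name: expected hex digest}; rejects malformed lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"bad SHA-256 digest for {name!r}")
        expected[name] = digest
    return expected


def verify_downloads(files: dict, manifest: str) -> dict:
    """Client side: compare each downloaded file with the manifest.

    Returns {name: 'OK' | 'FAILED' | 'MISSING'}.  compare_digest is used so
    the comparison time does not depend on where the digests differ.
    """
    expected = parse_manifest(manifest)
    results = {}
    for name, digest in expected.items():
        if name not in files:
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def mirrors_agree(copies: list) -> bool:
    """True when every mirror served byte-identical content.  Agreement alone
    proves nothing if all mirrors were fed the same trojaned file, which is
    why the manifest (or a signature) from the publisher is still needed."""
    return len({sha256_hex(c) for c in copies}) == 1


# Constructed data: what the publisher released ...
PUBLISHED = {
    "tool-1.0.tar.gz": b"\x1f\x8b genuine archive bytes",
    "tool-1.0-setup.exe": b"MZ genuine installer bytes",
}
MANIFEST = write_manifest(PUBLISHED)

# ... and what a user actually downloaded: the archive is intact, the
# installer was trojaned on the mirror (one extra byte is enough to show it).
DOWNLOADED = {
    "tool-1.0.tar.gz": PUBLISHED["tool-1.0.tar.gz"],
    "tool-1.0-setup.exe": PUBLISHED["tool-1.0-setup.exe"] + b"\x90",
}

if __name__ == "__main__":
    for name, status in verify_downloads(DOWNLOADED, MANIFEST).items():
        print(f"{name}: {status}")
```

<p style="text-align: justify;">The manifest must itself come from somewhere the attacker cannot reach, for example the publisher's own HTTPS site, or be covered by the publisher's signature; a checksum file sitting next to the download on a compromised mirror will simply have been updated to match the trojaned file.</p>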
<p style="text-align: justify;"><strong>excITingIP.com</strong></p>
<p style="text-align: justify;">You could stay up to date on the various computer networking / enterprise IT technologies by subscribing to this blog with your email address in the sidebar box that says, &#8216;Get email updates when new articles are published&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2514/what-is-a-trojan-horse-in-computer-networks-and-how-to-protect-yourself-from-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is &#8211; MAC Address, MAC Filtering, MAC Spoofing</title>
		<link>http://www.excitingip.com/2265/what-is-mac-address-mac-filtering-mac-spoofing/</link>
		<comments>http://www.excitingip.com/2265/what-is-mac-address-mac-filtering-mac-spoofing/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 14:19:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2265</guid>
		<description><![CDATA[A MAC Address (Media Access Control Address) is the factory-assigned physical address embedded in NICs (Network Interface Cards) and wireless adapters. In this article, we present a short introduction to MAC addresses, MAC filtering &#038; MAC spoofing.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A MAC Address (Media Access Control Address, also called the physical address/ hardware address) is the factory-assigned address embedded in NICs (Network Interface Cards) and wireless adapters. In this article, you can read a short introduction to what a MAC address is, MAC filtering &amp; MAC spoofing.</p>
<h3 style="text-align: justify;">What is a MAC Address?</h3>
<p style="text-align: justify;">A MAC address is a permanent address which is assigned to the network interface of every network connected device (NIC Cards, Wireless Adapters, etc) by the hardware manufacturers. Even though every network connected device has an IP address to identify them at the network layer (L3), the IP address is frequently changed (by a DHCP Server, for example). In contrast, MAC addresses are fixed and they function at the Data Link Layer(L2). A MAC address is also known as the physical address or the hardware address of a device.</p>
<p style="text-align: justify;">A network device (like a computer, server, etc) can have multiple Network Interface Cards and each of them is assigned a unique MAC address. The ARP Table (Address Resolution Protocol Table) maintained by network devices contains the mapping between IP address and its corresponding MAC address, in order to identify and enable the network devices to communicate with each other. So, even though you identify and send a packet to a network device using its IP address, the IP address is mapped to its corresponding permanent MAC address.</p>
<p style="text-align: justify;">A MAC Address has a standard naming convention overseen by the IEEE which enables all the hardware manufacturers to assign unique MAC Addresses to their device. This popular convention is referred to as MAC-48 (for network hardware) and each MAC address consists of a 12-digit hexadecimal number. These twelve digits are further broken into six sets of two hexadecimal numbers each separated by a &#8216;:&#8217; or &#8216;-&#8217; . So, the MAC address looks like hh:hh:hh:hh:hh:hh where h refers to a hexadecimal digit. So, a MAC address can look like this: 05-b6-12-28-7c-da.</p>
<h3 style="text-align: justify;">What is MAC Filtering?</h3>
<p style="text-align: justify;">In Wireless Network devices like Wireless Access Points / Wireless Routers, etc there is an option for MAC Filtering. The Wireless Routers / Access points connect to only those devices whose MAC addresses have already been approved to connect to them (Using a list of White Listed MAC addresses that is already stored inside them). This provides some basic level security and can prevent casual network browsers from connecting to the wireless network. But MAC filtering does not give adequate security for wireless networks due to MAC Spoofing which is discussed below.</p>
<p style="text-align: justify;">In fact, MAC filtering is also employed to provide selective access to other types of network devices like wired switches, etc. Even multiple <a title="Salient points you need to know about Virtual LAN (VLAN)" href="http://www.excitingip.com/214/salient-points-you-need-to-know-about-virtual-lan-vlan/" target="_blank">VLAN &#8216;s (Virtual LAN)</a> can be formed, each containing a group of devices with certain MAC addresses. When using a corporate directory authentication like LDAP /RADIUS /Active Directory, it is possible to verify both user id / password (and) device MAC address before giving network access to a user.</p>
<h3 style="text-align: justify;">What is MAC Spoofing?</h3>
<p style="text-align: justify;">MAC Spoofing refers to the ability of changing your computer&#8217;s MAC address to any MAC address you want and then connecting to the networks that have MAC filtering in place. This method is used by hackers to sniff a valid MAC address used in a wireless network and connect to the Wireless LAN after having changed their own MAC address to that valid MAC address.</p>
<p style="text-align: justify;">A wireless network can be monitored from a near-by place where the wireless network signals are available and a valid MAC address used in that network can be identified using freely available programs on the Internet like Nmap. After that, it is simple to change the MAC address to any MAC address desired by you, using commands like ifconfig in Linux, MAC, BSD (or) changing the Windows Registry entry for MAC address in Windows (or) using freely available software programs.</p>
<h2 style="text-align: justify;">excITingIP.com</h2>
<p style="text-align: justify;">You could stay up to date on the various computer networking / related IT technologies by subscribing to this blog with your email address in the sidebar box that says, &#8216;Get email updates when new articles are published&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2265/what-is-mac-address-mac-filtering-mac-spoofing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why is an SSL Certificate required?</title>
		<link>http://www.excitingip.com/2186/why-is-an-ssl-certificate-required/</link>
		<comments>http://www.excitingip.com/2186/why-is-an-ssl-certificate-required/#comments</comments>
		<pubDate>Sat, 16 Jul 2011 08:36:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Digital Certificate]]></category>
		<category><![CDATA[SSL applications]]></category>
		<category><![CDATA[SSL Certificate]]></category>
		<category><![CDATA[what is SSL]]></category>
		<category><![CDATA[why SSL]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2186</guid>
		<description><![CDATA[An SSL Certificate is required mainly for two reasons - 1. To validate the identity of a website / portal using a digital certificate; 2. To encrypt communications between server and browser (or) between two systems. SSL stands for Secure Sockets Layer (its successor is TLS, Transport Layer Security, but the certificates are still commonly called SSL certificates). Read on to find out the applications of SSL Certificates, the encryption methods used in SSL, how to identify whether a website has implemented an SSL certificate &#038; how to purchase an SSL Certificate.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">An SSL Certificate is required mainly for two reasons &#8211; 1. To validate the identity of a website / portal using a digital certificate; 2. To encrypt communications between server and browser (or) between two systems. SSL stands for Secure Sockets Layer (its successor is TLS, Transport Layer Security, but the certificates are still commonly called SSL certificates). Read on to find out the applications of SSL Certificates, the encryption methods used in SSL, how to identify whether a website has implemented an SSL certificate &amp; how to purchase an SSL Certificate.</p>
<h3 style="text-align: justify;">Applications/ Advantages of SSL Certificates:</h3>
<ul>
<li style="text-align: justify;">Securing website communications (between the server and browser).</li>
<li style="text-align: justify;">Securing e-commerce transactions &#8211; payment gateway, order processing, etc.</li>
<li style="text-align: justify;">Securing partner log-in.</li>
<li style="text-align: justify;">Increasing visitor confidence, which might result in more e-commerce transactions.</li>
<li style="text-align: justify;">Preventing <a title="What is a Phishing threat and how users can be safeguarded" href="http://www.excitingip.com/261/what-is-a-phishing-threat-and-how-users-can-be-safeguarded/" target="_blank">phishing/pharming</a> and other Internet scams.</li>
<li style="text-align: justify;">Securing communications within the Intranet for employee portals.</li>
<li style="text-align: justify;">Securing partner log-in in Extranet portals.</li>
<li style="text-align: justify;">Securing email communications.</li>
<li style="text-align: justify;">Securing important documents/files from being modified when they are shared.</li>
<li style="text-align: justify;">Securing communications between multiple IT systems (Servers, for example).</li>
<li style="text-align: justify;">Protecting downloadable code from being modified when users download it from a website.</li>
</ul>
<h3>Encryption Methodology used in SSL Certificates:</h3>
<p style="text-align: justify;">Before we move on to the encryption methodology, let us first try to understand the problem with unencrypted communications. Sometimes it is possible for hackers to intercept the messages that go from inside an organization to a web server through a technique called MITM &#8211; <a title="Honeypot &amp; Man In the Middle (MITM) Attacks on Wireless Networks" href="http://www.excitingip.com/1125/honeypot-man-in-the-middle-attack-wireless-intrusion-prevention/" target="_blank">Man In The Middle</a> attacks. This is done to learn more about the network and to launch further attacks, such as replay attacks, which tamper with or alter the messages sent between different users/ systems.</p>
<p style="text-align: justify;">In order to secure the communications between web-server and browser, encryption technology is employed through SSL Certificates which use PKI &#8211; Public Key Infrastructure to do the same.</p>
<p style="text-align: justify;">In SSL, there are two types of encryption &#8211; Symmetric &amp; Asymmetric. Symmetric encryption uses the same key for both encrypting and decrypting messages, and SSL uses symmetric encryption to encrypt bulk data transfers. Though symmetric encryption is faster and uses fewer resources, it is not very secure on its own because of the difficulty of transmitting the key securely.</p>
<p style="text-align: justify;">So, SSL uses a technique called asymmetric encryption for authentication (initially, before actually sending the bulk data). In asymmetric encryption two different keys, called the &#8216;public key&#8217; and the &#8216;private key&#8217;, are used to encrypt and decrypt (respectively). Anyone can encrypt messages using the public key, but only the person (or entity) with the paired private key can decrypt the message and view it. Actually, <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank">the process is more complex</a> than that.</p>
<p style="text-align: justify;">Though Asymmetric encryption is more secure, it is computationally very intensive. Hence only the authentication happens using Asymmetric encryption and the actual messages are encrypted / decrypted using Symmetric encryption.</p>
<h3 style="text-align: justify;">How can the presence of SSL certificates in a website be identified?</h3>
<p style="text-align: justify;">It is possible to identify the presence of an SSL certificate on a website using certain visual cues: a closed padlock in the web browser; a URL that starts with https instead of http; a URL bar that turns green and displays the name of the certificate authority/ company; or an image of a certificate authority&#8217;s seal, which can be clicked to find out information such as the validity of the SSL certificate and which organization the SSL certificate is registered to. These features may vary slightly from browser to browser.</p>
<h3 style="text-align: justify;">How can an SSL certificate be purchased / implemented?</h3>
<p style="text-align: justify;">There are Certificate Authorities (CA) which sell SSL certificates to websites. But it is also possible to create <a href="http://library.linode.com/security/ssl-certificates/self-signed" target="_blank">self-signed SSL certificates by companies themselves</a> and maintain them in-house.</p>
<p style="text-align: justify;">A Certificate Authority would issue an SSL Certificate to companies/ websites after verifying their credentials. They also maintain the PKI (Public Key Infrastructure) that is required for encryption/decryption of website content.</p>
<p style="text-align: justify;">Generally, one SSL certificate is issued for a particular server / website domain and it is valid for a certain period of time (generally one year). Companies need to renew them every year, for a certain fixed cost.</p>
<p style="text-align: justify;">But, depending on the Certificate Authority, it is also possible to purchase special types of SSL certificates that can be applied to multiple sub-domains of the same company (or) even to multiple domains (website addresses).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2186/why-is-an-ssl-certificate-required/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What do you think of accessing blocked sites &amp; hiding IP address using personal VPN services?</title>
		<link>http://www.excitingip.com/2139/what-do-you-think-of-accessing-blocked-sites-hiding-ip-address-using-personal-vpn-services/</link>
		<comments>http://www.excitingip.com/2139/what-do-you-think-of-accessing-blocked-sites-hiding-ip-address-using-personal-vpn-services/#comments</comments>
		<pubDate>Fri, 08 Jul 2011 19:07:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=2139</guid>
		<description><![CDATA[If you are a network admin, you might be aware of the various techniques used by students/ employees to gain access to blocked sites. Right from typing IP address instead of URL, using URL shortener's, using various proxy servers available on the Internet - various methods might be used. A paid personal VPN service is also being employed these days to access blocked sites and hide IP address. Let us read more about personal VPN Service, in this article. ]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">If you are a network admin, you might be aware of the various techniques used by students/ employees to gain access to blocked sites. Various methods might be used, from typing the IP address instead of the URL, to using URL shorteners, to using the various proxy servers available on the Internet. A paid personal VPN service is also being employed these days to access blocked sites and hide the IP address. Let us read more about personal VPN services in this article.</p>
<h3 style="text-align: justify;">What is a Personal VPN Service?</h3>
<p style="text-align: justify;">A personal VPN service is similar to the organization-wide VPN (Virtual Private Network) employed by network administrators. But in this case, the user directly forms a tunnel between his laptop/desktop and the server hosted by the personal VPN service provider, and all the content that travels between his computer and the server is encrypted.</p>
<p style="text-align: justify;">So, if a user wants to access a website that can be accessed only from a particular country (tracked based on the geo-location of IP addresses), he uses a personal VPN service, reaches their server, picks up a new IP address based on the server&#8217;s location, and from there is redirected to the website he wants to browse by the VPN service provider. So, instead of visiting the website directly, the user visits the website through the server hosted by the personal VPN service provider.</p>
<p style="text-align: justify;">For example, certain websites like Pandora, Hulu, etc can be accessed only from the United States. So, people outside the United States can sign up for a personal VPN service provider who has a server within the United States, connect to the server and from there browse those websites with a newly acquired US IP address! One more reason for using the personal VPN service is to browse anonymously without revealing your original IP address.</p>
<p style="text-align: justify;">The price for such a service mostly ranges from 5 USD to 20 USD per month, and most of them provide multiple VPN access methods like PPTP, SSL, SSTP, etc. Some service providers have a monthly maximum bandwidth cap, while most of them offer unlimited browsing. Many personal VPN service providers have multiple servers in multiple countries and let the user choose which country&#8217;s IP address they want to use for their Internet session.</p>
<h3 style="text-align: justify;">Benefits of Personal VPN Service</h3>
<p style="text-align: justify;">In certain countries where genuine websites/services are blocked, users might use them to access these services. Data encryption makes it more secure to browse websites from public Wi-Fi hot-spots/ premises where the Internet connection is shared. Personal VPN services can also be used to browse anonymously (to a certain extent) without revealing your IP address, and hence it is possible to hide your personal details/ browsing habits from search engines/ other e-commerce based websites.</p>
<h3 style="text-align: justify;">Disadvantages of Personal VPN Service</h3>
<p style="text-align: justify;">Even though people use a VPN and change their IP address while browsing websites, their identity could still be traced back &#8211; it&#8217;s just slightly more difficult. The VPN service provider might get their IP address blocked for offering such a service. Some ISPs block all VPN connections going through them (in certain countries), but a few providers might support browsing through Stealth SSL / SSTP VPN, which are difficult to block. The bandwidth consumed is still the same, if not slightly more (for the users), and their computers need to encrypt and decrypt all the sessions, which might put additional strain on the processors.</p>
<p style="text-align: justify;"><strong>Besides, a Personal VPN service could be mis-used by users in the following ways:</strong></p>
<p style="text-align: justify;">1. Users accessing websites that genuinely need to be blocked in schools/ colleges/ offices etc., like social networking sites, video streaming sites, etc.</p>
<p style="text-align: justify;">2. Users can use this service to download MP3s, videos, etc. anonymously.</p>
<p style="text-align: justify;">3. Users might use this service for illegal/ disallowed activities.</p>
<p style="text-align: justify;">4. Users might make cheap VOIP calls (as they can pick up another country&#8217;s IP address and pretend to be in that country while making those calls).</p>
<p style="text-align: justify;">Well, like it or not, these services are currently available, and as a network administrator you need to be aware of them. So, next time there are too many VPN tunnels opened by employees (which are not controlled by the organization), you might want to check what they are doing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/2139/what-do-you-think-of-accessing-blocked-sites-hiding-ip-address-using-personal-vpn-services/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What are Database Firewalls, why are they required &amp; how do they protect databases?</title>
		<link>http://www.excitingip.com/1933/what-are-database-firewalls-why-are-they-required-how-do-they-protect-databases/</link>
		<comments>http://www.excitingip.com/1933/what-are-database-firewalls-why-are-they-required-how-do-they-protect-databases/#comments</comments>
		<pubDate>Thu, 26 May 2011 12:17:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[database firewall]]></category>
		<category><![CDATA[database security]]></category>
		<category><![CDATA[secure databases]]></category>
		<category><![CDATA[what is database firewall]]></category>
		<category><![CDATA[why database firewall]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=1933</guid>
		<description><![CDATA[Most of the front end applications rely on a back-end database (like MySQL, PostGRE SQL, etc) to fetch the required data while performing their tasks. Databases are no longer restricted to internal applications in a Local Area Network, as many web based applications rely on them. In this article, let us see what Database firewalls [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Most front-end applications rely on a back-end database (like <a href="http://www.mysql.com/" target="_blank">MySQL</a>, <a href="http://www.postgresql.org/" target="_blank">PostgreSQL</a>, etc.) to fetch the required data while performing their tasks. Databases are no longer restricted to internal applications in a Local Area Network, as many web based applications rely on them. In this article, let us see what Database Firewalls do, where they are deployed, how they protect against database specific attacks, and some best practices for securing database servers.</p>
<h3 style="text-align: justify;">What are Database Firewalls?</h3>
<p style="text-align: justify;">Database Firewalls are a type of <a href="http://www.excitingip.com/1770/what-is-a-web-application-firewall/" target="_blank">Web Application Firewall</a> that monitor databases to identify and protect against database specific attacks, which mostly seek to access sensitive information stored in the databases. Database Firewalls also make it possible to monitor and audit all access to databases through the logs they maintain. A Database Firewall can generate specific compliance reports for regulations such as PCI, SOX, etc.</p>
<p style="text-align: justify;">Generally, Database Firewalls are security hardened appliances/ software that are deployed either in-line with the database server (just before the database server) (OR) near the network gateway (when protecting multiple databases on multiple servers). Some database servers support host based agents that can be installed on the database server itself to monitor local database events. But hardware based firewalls support host/network monitoring without any additional load on the database servers. Both the hardware appliance and software agents can be deployed to work simultaneously, as well.</p>
<h3 style="text-align: justify;">How do Database Firewalls protect databases?</h3>
<p style="text-align: justify;">Database Firewalls include a set of pre-defined, customizable security audit policies, and they can identify database attacks based on past incidents / threat patterns called &#8216;signatures&#8217;. So, the input SQL statements/ queries are compared to these signatures, which are updated frequently by the vendors, to identify known attacks on the database (many tasks inside a database are implemented as a series of executable SQL statements).</p>
<p style="text-align: justify;">But not all attacks on databases may be familiar. So, Database Firewalls build (or come with) a white list of approved SQL commands/ statements that are safe. All input commands are compared with this white list, and only those already present in the white list are sent to the database. Database Firewalls can also maintain a black list of specific, potentially harmful commands/ SQL statements and do not allow these types of input.</p>
<p style="text-align: justify;">Some Database Firewalls can also identify database, operating system and protocol vulnerabilities in the databases and notify the administrator, who can take steps to patch them. Some Database Firewalls can also monitor database responses (from the DB server) to block potential data leakage. Database Firewalls can also notify administrators of suspicious activities instead of blocking them right away.</p>
<p style="text-align: justify;"><a href="http://www.excitingip.com/1770/what-is-a-web-application-firewall/" target="_blank">SQL Injection and Buffer Overflow</a> are two common types of Database attacks and Database Firewalls can block such attacks. Sometimes, stolen credentials might result in database hacking attempts, but since Database Firewalls monitor for irregular database activities constantly, such attempts can be identified.</p>
<p style="text-align: justify;">Certain Database Firewalls can evaluate factors like the IP address, time, location, type of application (source), etc. from which abnormal database access requests are emanating, and then decide whether or not to block them based on these factors, as per the policies set by the administrator. But the possibility of false positives and false negatives in Database Firewalls is an issue.</p>
<h3 style="text-align: justify;">Some Best-Practices for Database security:</h3>
<ul>
<li style="text-align: justify;">Unused accounts could be deleted and shared accounts can be prevented (for database access), as far as possible.</li>
<li style="text-align: justify;">It&#8217;s a good practice to encrypt database contents &#8211; especially sensitive contents.</li>
<li style="text-align: justify;">Employees and users could be given different privileges for database access (Read Only vs Insert/Delete Records, for example).</li>
<li style="text-align: justify;">The privileged user access could be controlled/ restricted to certain parts of the database.</li>
<li style="text-align: justify;">In some situations, it might be better to allow users to update a database through authorized applications instead of letting users update the database directly.</li>
<li style="text-align: justify;">Users could be authenticated and authorized using <a href="http://www.excitingip.com/245/what-is-ldap-and-why-is-it-required-for-an-organization/" target="_blank">LDAP</a> / <a href="http://www.excitingip.com/475/what-is-a-radius-server/" target="_blank">RADIUS Servers</a> / Active Directory etc, and their individual access policies could be restricted based on their role defined in these directories.</li>
</ul>
<p style="text-align: justify;"><strong>Open Source Database Firewall:</strong> <a href="http://www.greensql.net/about" target="_blank">GreenSQL</a> is an open source, free to download database firewall that can be used to protect MySQL and PostgreSQL databases. Basically, this software acts as a reverse proxy for the SQL connections and monitors all connections to the database server. It can be deployed on the same server as the database, or on a separate server in-line with the database connectivity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/1933/what-are-database-firewalls-why-are-they-required-how-do-they-protect-databases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is a Web Application Firewall?</title>
		<link>http://www.excitingip.com/1770/what-is-a-web-application-firewall/</link>
		<comments>http://www.excitingip.com/1770/what-is-a-web-application-firewall/#comments</comments>
		<pubDate>Fri, 29 Apr 2011 17:10:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[open source web application firewall]]></category>
		<category><![CDATA[protecting web applications]]></category>
		<category><![CDATA[WAF]]></category>
		<category><![CDATA[web application firewall]]></category>
		<category><![CDATA[web application security]]></category>
		<category><![CDATA[web application threats]]></category>
		<category><![CDATA[what is web application firewall]]></category>
		<category><![CDATA[why is web application firewall required]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=1770</guid>
		<description><![CDATA[Web Application Firewalls are quite different from normal packet inspection firewalls because they primarily operate in the application layer identifying and protecting web based applications/ servers from specific application based vulnerabilities, over the Internet. Let us find out more about these web application firewalls, in this article.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Web Application Firewalls are quite different from normal packet inspection firewalls because they primarily operate in the application layer identifying and protecting web based applications/ servers from specific application based vulnerabilities, over the Internet. Let us find out more about these web application firewalls, in this article.</p>
<h3 style="text-align: justify;">Why is there a requirement for an additional application specific firewall?</h3>
<p style="text-align: justify;">Don&#8217;t we have enough Firewalls/ Unified Threat Management devices in the network already? So, why do we need another one now? The answer is simple &#8211; We have (recently) changed the way in which we access applications! Almost every application developed these days is web enabled and they can be accessed from anywhere using a standard web browser.</p>
<p style="text-align: justify;">Previously, these applications (and hence the databases related to them) were securely restricted to the Intranet, which was difficult for hackers to access. Now that everything is available on-line, they are accessible from anywhere, and hence hackers have identified specific vulnerabilities in specific applications to get control over critical and confidential information.</p>
<p style="text-align: justify;">E-Commerce applications, for example, deal with credit card numbers and other customer details day in and day out. CRM applications might deal with all your customer/ order information &#8211; all these have become mainstream Internet based applications. A hacker might be able to get access to such critical information stored in applications (and databases). So, Web Application Firewalls were devised to prevent such hacking attempts and secure web based applications.</p>
<h3 style="text-align: justify;">What is a Web Application Firewall?</h3>
<p style="text-align: justify;">Web Application Firewalls have the ability to prevent attacks that are specific to a wide range of web servers, databases and programming platforms by enabling application/ http session awareness. A Network Firewall might be able to control port based access to applications. But they have limited visibility in the application layer and cannot prevent certain application specific attacks that take advantage of coding/ development based anomalies.</p>
<p style="text-align: justify;">Let&#8217;s face it &#8211; applications can never be 100% secure. There are always some vulnerabilities due to overlooked development/ coding aspects. So, a Web Application Firewall fully de-constructs the HTML/XML data payload and tracks the state of each application session in order to get full application layer visibility.</p>
<p style="text-align: justify;">Web Application Firewalls use the Positive Security model which gives them a unique advantage of being able to prevent Zero Day attacks along with previously known signature based attacks on web applications. Mostly, Web Application Firewalls identify and map all good user activities to detect (few) activities that are abnormal, and block them if they look to be highly suspicious. That is an effective way to prevent malicious activities that keep evolving specific to applications.</p>
<p style="text-align: justify;">As you can guess, this requires detailed understanding of legitimate user transactions within each application &#8211; Including (but not restricted to) URL structures, http methods, XML/SOAP Schema, Cookie behavior, Session ID formats, etc. Some web application firewalls are specific to certain applications, but others are more general.</p>
<p style="text-align: justify;">But, as you can guess, this method is more prone to false positives. So, whether suspicious activities are blocked outright is up to the user/ application criticality, as application structures change frequently and web application firewalls are expected to learn them at the same pace.</p>
<h3 style="text-align: justify;">How are Web Application Firewalls deployed?</h3>
<p style="text-align: justify;">Web Application Firewalls are deployed as stand-alone hardware/software appliances, (or) as self-contained software on the application servers themselves, (or) as an overlay on network firewalls/ application load balancers, etc. They may be placed right in front of the application servers they need to protect, or they may be placed at the edge of the network.</p>
<h3 style="text-align: justify;">Are there any examples of Web Application specific attacks?</h3>
<p style="text-align: justify;">A few examples of such application specific attacks are given below:</p>
<ul>
<li style="text-align: justify;"><strong>SQL Injection:</strong> This technique consists of direct insertion of malicious code into user-input variables that are linked with SQL commands, and executing the code. Using this method, an attacker can try to gain access to the back-end SQL database used by the application.</li>
<li style="text-align: justify;"><strong>Cross site scripting:</strong> If JavaScript can be run on a web-page (either by inserting it in a modified URL or through form submissions), it can (under certain configurations) access cookies / active sessions to gather sensitive data like user-name/password, etc.</li>
<li style="text-align: justify;"><strong>Buffer Overflow:</strong> Web applications try to store excess data in a temporary storage space called a buffer (which has limited memory capacity). Often, the additional data overflows into other buffers. If that additional data contains malicious code, it might get executed.</li>
<li style="text-align: justify;"><strong>Cookie Poisoning:</strong> By changing the information contained in a cookie before sending it back to the web server, an attacker can tamper with important variables either to impersonate other users (and hence gain transaction details) or tamper with vital data.</li>
</ul>
<h3>How does a Web Application firewall prevent such threats?</h3>
<p style="text-align: justify;">As mentioned earlier, web application firewalls map (learn) all the legitimate user activities and identify (and block) those activities that are clearly abnormal. They also perform signature based threat matching for identifying/mitigating known threats. They track every session for data that goes out of the web server to ascertain if any critical information (like credit card numbers, etc.) is being leaked. Web Application Firewalls generally encrypt cookie names/values and also check whether the returned cookie elements/ form field elements/ URLs have been tampered with.</p>
<p style="text-align: justify;">Web Application firewalls try to hide most of the information about the application environment by a technique called cloaking where:</p>
<ul>
<li style="text-align: justify;">A proxy architecture, where TCP traffic is terminated and re-initiated on both sides, hides network-related information from the outside world.</li>
<li style="text-align: justify;">Response headers from web servers are removed to prevent disclosure of information like the type of server (Apache/IIS, etc.), host-names, etc.</li>
<li style="text-align: justify;">URL components are re-written to hide the application directory structure, etc.</li>
</ul>
<p style="text-align: justify;">There are many more methods used by different vendors, and some are specific to certain applications. <a href="http://www.modsecurity.org/" target="_blank">ModSecurity</a> is an open source, free to download Web Application Firewall.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/1770/what-is-a-web-application-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DLP &#8211; Data Loss Prevention : What &amp; How Data Loss is Prevented?</title>
		<link>http://www.excitingip.com/1633/dlp-data-loss-prevention-what-how-data-loss-is-prevented/</link>
		<comments>http://www.excitingip.com/1633/dlp-data-loss-prevention-what-how-data-loss-is-prevented/#comments</comments>
		<pubDate>Thu, 07 Apr 2011 04:27:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[dlp]]></category>
		<category><![CDATA[how dlp systems work]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=1633</guid>
		<description><![CDATA[With so many ways/ devices to transfer data, it is becoming difficult for companies to track and prevent confidential documents/ files from being copied and sent to unwanted sources. But there are Comprehensive DLP solutions in the market which analyze endpoint, network and storage systems continuously to monitor for confidential data from being leaked out. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">With so many ways/ devices to transfer data, it is becoming difficult for companies to track and prevent confidential documents/ files from being copied and sent to unwanted destinations. But there are comprehensive DLP solutions in the market which continuously analyze endpoint, network and storage systems to monitor for confidential data being leaked out. What&#8217;s more, they can even prevent the transfer of confidential information.</p>
<p style="text-align: justify;"><em>Is it even possible to monitor all the various enterprise systems (including Internet communications, USB drives, NAS boxes, etc.) and identify that certain confidential information is being sent/ stored in them?</em></p>
<p style="text-align: justify;">The answer, surprisingly, is &#8216;yes&#8217;. There are comprehensive DLP (Data Loss Prevention) systems available which can, from a central location, monitor most of the enterprise&#8217;s networks/ devices/ communications to identify and even prevent data loss. Of course, they are far from being fully accurate/ efficient, but they could be sufficient for most cases of accidental or malicious data breaches.</p>
<p style="text-align: justify;"><em>So, what are the sources from which data loss is continuously monitored/prevented by the DLP systems?</em></p>
<p style="text-align: justify;">Well, think of the common sources through which employees (or guests) can send confidential data from the company &#8211; Email, Web-mail, Instant Messengers/ Skype, FTP, USB Pen-drives, DVD disks? Well, the good news is, all these common methods of communications can be monitored. Of course, certain uncommon programs (with uncommon protocols) on the web/ network cannot be monitored, but nevertheless enough progress has been made to cover the common modes of communications.</p>
<p style="text-align: justify;"><em>Employees transferring data is one thing, but what if an employee or a system is not supposed to read/ hold a certain confidential file? Can this be detected? </em></p>
<p style="text-align: justify;">The answer, again surprisingly is &#8216;yes&#8217;. DLP systems can monitor employee computers/ laptops/ Storage devices/ Servers etc, and can either notify the administrator of the presence of a confidential document there / just delete them automatically, if found.</p>
<p style="text-align: justify;"><em>What all can be monitored by using DLP systems?</em></p>
<p style="text-align: justify;">Most of the common types of files/ email &#8211; web communications etc can be monitored. Even a spreadsheet embedded in to a word document / email can be monitored. Even an encrypted email/ web-page communications can be monitored! For doing this, DLP systems re-construct the whole file/ message at the gateway, and then apply the rules/ policies to them. As you can guess, there is some processing overhead, but most of the DLP systems have enough processing power to monitor enterprise level communications without inducing noticeable latencies/ delays.</p>
<p style="text-align: justify;"><em>But one wonders &#8211; how is this even possible?</em> Well, there are so many methods used by DLP vendors, but I will just highlight some of them here, for a better understanding of how DLP systems detect/ prevent confidential data from leaking out.</p>
<ul>
<li style="text-align: justify;"><strong>Rules.</strong> Certain common types of data (like credit card numbers, social security numbers, etc.) have a common structure (number of digits, checksum, etc.). So, rules can be created to scan all outgoing messages/ communications for such patterns. This is simple, but may not be accurate, as even an employee doing some online shopping or booking flight tickets online might be flagged.</li>
<li style="text-align: justify;"><strong>Databases.</strong> If a customer credit card database is available, the above-mentioned rules can be tweaked to monitor not for any credit card number, but only for the credit card numbers of the customers present in that database, to reduce the number of false positives.</li>
<li style="text-align: justify;"><strong>Pre-configured rules/ categories.</strong> Credit card numbers are just one type of data that needs to be monitored; there is a lot of other common information that can be leaked out of a company, and most DLP vendors have collected and organized rules for it as categories in their DLP systems. Administrators can choose which rules (or) categories they want to use in their environment. Of course, they can make their own rules as well.</li>
<li style="text-align: justify;"><strong>Contextual Analysis.</strong> Sometimes, we want to prevent certain communications (like harassment, obscene words, etc.). In these cases, the context of the communication is analyzed to identify such incidents. Similarly, statistical analysis can be used to detect large files (like AutoCAD files) being leaked out of the company.</li>
<li style="text-align: justify;"><strong>Partial or Complete File Matching.</strong> The contents of files can be hashed and compared with outgoing messages, either fully or partially.</li>
<li style="text-align: justify;"><strong>Agent/ Agent-less monitoring.</strong> For monitoring computers, servers, storage systems etc. where confidential data is not supposed to be stored &#8211; but still is &#8211; agents that search for confidential documents can either be installed on those devices, (or) DLP systems can send temporary agents to search those systems at regular intervals.</li>
</ul>
<p style="text-align: justify;">Data Loss Prevention (DLP) systems use a gateway-level hardware appliance or server. Some vendors use separate devices for endpoint DLP/ network DLP/ monitoring-reporting etc. If multiple branches are present, at least one appliance would be required at each location.</p>
<p style="text-align: justify;">There are comprehensive DLP systems which provide centralized policy creation and a monitoring/ reporting interface through a GUI-based analysis tool for the DLP system as a whole, including multiple branches/ locations. Individual versions (that scan email only, network devices only, etc.) are also available.</p>
<p style="text-align: justify;">False positives are the biggest problem with DLP systems. For example, a number in an email message that closely resembles a credit card number might be identified as a data breach. Another issue is the sheer size and diversity of web-based systems (which use different protocols), which makes it almost impossible to scan each and every web-based system used by employees to communicate. Also, unless a data breach actually happens, it is difficult to quantify the losses, and hence the value offered by DLP systems to an organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/1633/dlp-data-loss-prevention-what-how-data-loss-is-prevented/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Two Factor Authentication with USB Tokens</title>
		<link>http://www.excitingip.com/1513/two-factor-authentication-with-usb-tokens/</link>
		<comments>http://www.excitingip.com/1513/two-factor-authentication-with-usb-tokens/#comments</comments>
		<pubDate>Wed, 16 Mar 2011 08:01:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[2FA]]></category>
		<category><![CDATA[secure remote access]]></category>
		<category><![CDATA[two factor authentication]]></category>
		<category><![CDATA[USB tokens]]></category>

		<guid isPermaLink="false">http://www.excitingip.com/?p=1513</guid>
		<description><![CDATA[In this article, we'll see what two factor authentication is and how USB tokens enable two factor authentication. We'll look at the advantages, as well as innovations that some vendors have created with USB tokens to achieve two factor authentication and more.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In this article, we&#8217;ll see what two factor authentication is and how USB tokens enable two factor authentication. We&#8217;ll also look at the advantages, and at innovations that some vendors have built on USB tokens to achieve two factor authentication and more.</p>
<h3 style="text-align: justify;">What is Two Factor Authentication?</h3>
<p style="text-align: justify;">When you use only a user-name and password to access your system or network resources, it may not be very secure, because user-names and passwords can be stolen or guessed. That is the reason for implementing two factor authentication, where you need to authenticate with any two of the methods below. Similarly, multi-factor authentication uses more than two methods to authenticate users.</p>
<ul>
<li style="text-align: justify;">Something you know (password, PIN, etc.)</li>
<li style="text-align: justify;">Something you have (USB tokens, smart cards, OTP devices, etc.)</li>
<li style="text-align: justify;">Something you are (biometric identification &#8211; fingerprint, iris, voice recognition, etc.)</li>
</ul>
<p style="text-align: justify;">One example scenario of two factor authentication is when you use a user-name/ password or PIN (and) a USB token to connect to your office VPN from a remote location. Without either of those, you would be refused remote network connectivity.</p>
<h3 style="text-align: justify;">USB Tokens for Two Factor Authentication</h3>
<p style="text-align: justify;">USB tokens are small pen-drive-like devices which plug into a computer through a USB port. They are quite portable and can even be attached to a key-chain. They are also quite secure: where two factor authentication is enabled, people who have a user-name/ password still cannot impersonate an employee and access their resources if they don&#8217;t have this physical device. Since they can be plugged into any computer with a USB port, special readers are not required (unlike the case with smart cards). Even the technical know-how for installing and using them is quite simple, and it can be done by users themselves. Some USB tokens even have fingerprint readers to provide additional security via biometric authentication.</p>
<p style="text-align: justify;">USB tokens mostly use digital certificates for authentication, in addition to user-names and passwords/ PINs. USB tokens are popular for secure network login &amp; remote access login (through <a href="http://www.excitingip.com/780/an-introduction-for-enterprise-vpn-virtual-private-network/" target="_blank">VPN networks</a>). With some vendors, they can also be used to encrypt the contents of laptop hard-disks. Some USB tokens have LCD screens for generating <a href="http://www.excitingip.com/1456/otp-one-time-password-for-stronger-authentication/" target="_blank">One Time Passwords (OTP)</a>, which are temporary passwords that can be used for getting remote application access. These USB tokens either work with pre-installed software on the computer (or) even without any pre-installed software, in cases like authentication to web applications.</p>
<p style="text-align: justify;">Some vendors have taken USB tokens beyond just two factor authentication by allowing users to store their data/ applications in the memory available inside, which lets the USB tokens double up as USB pen-drives as well. To ensure security, the contents (data) are encrypted. So, employees can take such USB tokens anywhere they go and plug them into a private/ public computer to access their data/ applications, after proper authentication. A virtual workspace is assigned to them in such cases (which keeps their session separate from the public computer), and all their contents are erased from the public computer when they remove the USB token. They can also connect to the office network through the Internet &amp; VPN from public computers/ hot-spots securely using these USB tokens, as all the communications are encrypted over the VPN network. That&#8217;s one way of accessing work-related information and applications securely wherever you go, without having to carry a whole laptop!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.excitingip.com/1513/two-factor-authentication-with-usb-tokens/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

