Addressing the New Urgency of Endpoint Security
Unless enterprise security architecture addresses endpoint security comprehensively (i.e., taking into consideration things like virtualization, mobility, and social networking), cyber-security will remain elusive
By Sreedhar Kajeepeta
Lately, thanks to improved technologies and compliance in perimeter security, many of us corporate denizens of the Net, those who work behind enterprise firewalls, have not been severely hurt or otherwise inconvenienced by the exploits of cybercriminals. Arguably, the last three to four years have been much quieter when it comes to email cyber-attacks.
Unfortunately, that’s no indication that the digital world has suddenly become a safer place. Instead, the sad reality that confronts us is one in which the threats are increasingly more targeted and the criminals are becoming seasoned activists and professionals. As the criminals up the ante, their prime targets — the establishment and the enterprise — find new vulnerabilities exposed.
The challenge of safeguarding against this latest breed of advanced attacks is further compounded as IT (in public and commercial sectors alike) tries to embrace emerging trends that are inherently weaker against attacks. Such trends, which in fact are business imperatives, range from the infrastructural (as in wanting to be more virtual and more mobile) to the social (as in wanting to be more available on social networks).
Cybercriminals are fully exploiting this situation and are unleashing a new wave of attacks by targeting a different layer of enterprise security: the endpoints, which, as it turns out, were where cyber-attacks first started back in the 1980s, mostly through break-ins and sneaking in “Trojan horses” as part of software releases on mini-computers and mainframes.
Before we examine the nature of these new attacks and the way technology and related cyber-security solutions are rising to the occasion, let us first gain an understanding of the vulnerabilities we just talked about.
The Common Vulnerabilities and Exposures (CVE) system tracks publicly known information security vulnerabilities and exposures. This reference database is maintained by MITRE Corp. with the endorsement and support of the National Cyber Security Division of the United States Department of Homeland Security. Other federal agencies that recommend and/or require the use of cyber-security products that use CVE identifiers are the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA).
In 2010, a total of 4,651 vulnerabilities were identified in the CVE system. (See Fig. 1.) Endpoint operating systems (OSs)/applications such as Windows, Internet Explorer (IE), Java, and Adobe were all hit by these vulnerabilities.
Where Endpoint Security Fits In
The CVE represents just one quantitative analysis that we can use to understand and appreciate the persistent nature of this stealth activity. To get back to our broader discussion, let us first restate what endpoints are and the position that endpoint security occupies in the broader map of enterprise security architecture.
In the strictest sense, endpoints are defined as network devices with an IP address and a port — in effect, any device that is formally attached to the corporate network. For the purposes of this discussion, however, endpoints are defined as servers, desktops, laptops, smart phones, embedded systems, and the like.
Technically, endpoint security is just one of a handful of security layers, and seemingly an independent one at that (in the sense of “separation of concerns”). However, it is also a layer in which trust can be quickly eroded, and one that is difficult to keep tabs on.
Take IBM’s security framework, for example. The layers in that framework include (from top to bottom): People and Identity; Data and Information; Application and Process; Network, Server, and Endpoint; and Physical Infrastructure.
The People and Identity layer can have effective checks and balances built into it with identity and access control (and an accompanying audit log of who did what, when). Things can get very murky, however, when that layer comes in contact with the Network, Server, and Endpoint layer underneath. (See Fig. 2.)
When people use and manage endpoints, there can be a lot of room for contamination, whether willful or unintended — contamination that can never be tracked or accounted for. Surreptitious access to other enterprise assets, including systems and data through the many devices (laptops, desktops, smart phones, gaming consoles), servers (especially public-facing Web servers), and related (high-speed and high-capacity) multimedia ports available on the new and emerging endpoints, leave enough room for criminals to conduct their activities expeditiously, and without ever leaving fingerprints.
The April 2011 attack on Sony’s gaming networks, which reportedly involved the theft of millions of records of consumer data, is a great example of how clear and present (and yes, very enormous) the danger still is at this layer.
These attacks were followed by attacks on Sony Online Entertainment and on Sony’s Greek website. Indeed, all of the biggest security breaches of 2010 were attacks on endpoints. The details of these attacks are:
* Aurora/Hydraq, in January 2010, was targeted at high-tech companies (such as Google, Yahoo!, and Rackspace) and defense contractors (such as Northrop Grumman). It exploited an IE loophole to deliver malware capable of modifying applications.
* Stuxnet, in July 2010, was targeted at industrial software and programmable logic controllers (PLCs) of Siemens control systems. It was Windows-based, and its many variants attacked uranium enrichment infrastructure in Iran. In a related development, Iran reported that it had uncovered a new espionage virus, called Stars, that is aimed at damaging its government institutions.
* WikiLeaks, in October and November 2010, was targeted at U.S. defense and state departments. Exploiting unprotected (downloading without encryption) peripherals (as described above), WikiLeaks managed to steal 400,000 classified documents and more than 2,000 sensitive cables. The leaks continued into April 2011 with the publication of 779 documents related to the Guantanamo Bay prison camp.
* LizaMoon, in October 2010, was targeted at consumers and websites. Using SQL injection, it spread “scareware” and encouraged users to install rogue antivirus software. The attacks, according to McAfee, continued into April 2011, and affected more than a million sites.
A 2008 study conducted by the European Network and Information Security Agency (ENISA) found that the most common infection methods used in the preceding years were browser exploits (65 percent), email attachments (13 percent), OS exploits (11 percent), and downloads (9 percent).
That confirms that the attackers are indeed becoming adept at bypassing the perimeter to aim at the endpoints. Their efforts are getting a boost from malware or crimeware toolkits such as FakeAV and Zeus (which help in building botnets, which can control computers remotely), and from zero-day attacks, which exploit vulnerabilities that are known to hackers but so new that they are unknown to most developers and are still being fixed by the software vendor.
A Rogue’s Gallery of Endpoint Threats
Let us now examine the full range of endpoint vulnerabilities, and some of the attack types that can target them.
Attacks Related to Virtualization
Inefficient and sub-optimal as they were, physical servers nevertheless offered a level of built-in security that was inherent in their segregation and dedicated functionality. They had their own unique access, security controls, and administration. Unless similar segmentations are implemented using virtual local-area networks (VLANs) with appropriate role-based policies to restrict unauthorized access to a VLAN, virtual data centers and cloud infrastructures will be vulnerable to attacks.
Full-disk encryption on such mobile assets as laptops has been standard practice for certain types of users, and it covered OSs, program files, temp data, and user data. But virtual machines (VMs) can be much more mobile than such physical assets; they can be moved around at the click of a mouse to enable dynamic provisioning. Full-disk encryption must be applied to sensitive virtual images as well. In addition, moving to a policy-driven, data-centric encryption will ensure protection against copying through multimedia ports.
VMs are only as safe and risk-free as the host. Limiting the host’s attack surface area (with fewer OSs and an optimal number of general-purpose endpoint applications) will make them that much safer.
Virtualization software itself could become a vulnerable area as attacks on endpoints get deeper and more persistent. Regular patch management of the software is a basic defense measure against that threat.
Attacks Related to Mobility
The ever-increasing computing power, convenience of form factor (made only more attractive by the new wave of tablets led by the iPad), and perpetual connectivity that most mobile devices offer these days have contributed to a significant growth of mobile endpoints that the enterprise must now worry about.
So it won’t be long before even-newer OSs, such as iOS and Android, are the focus of targeted attacks. They do come with built-in local/remote wipeout features, as well as 256-bit Advanced Encryption Standard (AES) encryption, but they can be very vulnerable to targeted attacks unless they are required to operate within the perimeter. This can be done through virtual private networks (VPNs) and enterprise mobility server connections, or through corporate virtual desktop infrastructures (VDIs) in the case of tablet computers. The C-level clamor for tablets often sidesteps measures to have a formal mobile device management (MDM) system in place before allowing access to mobile enterprise assets.
Local data sitting on mobile devices is another significant area of vulnerability. With the abundance of native mobile apps, more and more mobile devices are storing data locally, thereby subjecting them to the same security threats as standard desktops and laptops.
Although some mobile OSs offer application “sandbox” capabilities that isolate an application and its data from other apps within the mobile device, not all apps are designed to take advantage of OS features. This situation is further exacerbated by the fragmentation of mobile OSs in the market today. All of it leads to inconsistent security.
An emerging and rapidly growing area in mobile apps is mobile commerce and payments. Banks and payment processors are already implementing solutions to make mobile devices into “virtual wallets,” leveraging OS support and mobile hardware innovations such as near-field communication technology in modern smart phones, such as Google’s Nexus S. These new features will also make it necessary for mobile devices to become compliant with, for example, the Payment Card Industry Data Security Standard (PCI DSS), to protect credit cardholder’s personal data.
Wi-Fi sniffing has become a new concern. Software such as “Firesheep” has exposed the vulnerability of our Wi-Fi networks. In a typical coffee shop, which normally has a common, shared Wired Equivalent Privacy (WEP) password, an attacker running Firesheep can easily sniff out and decrypt the cookies of folks accessing Facebook and other social networks.
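The weakness Firesheep-style cookie sniffing depends on is a session cookie that the browser is willing to send over plaintext HTTP. The following added example (not code from the article) audits a site's own HTTP response headers for that condition, flagging session cookies without the Secure and HttpOnly attributes and responses without an HSTS header; the two sample responses are constructed, and the cookie-name list is an assumed heuristic.

```python
# Session-cookie exposure audit: added example, not from the original article.
# Constructed sample responses below; SESSION_NAMES is an assumed heuristic.

SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "sid", "auth")


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw):
    """Return a list of findings for one HTTP response head (empty list = no issues)."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not any(s in cookie.lower() for s in SESSION_NAMES):
            continue  # not a session cookie by our heuristic
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure attribute; browser will send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly attribute; readable by page scripts")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header; first request may go over HTTP")
    return findings


WEAK = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(raw) or ["no findings"])
```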
Threats Related to Social Networking
In social networking, the threats we need to worry about are server endpoints that now host customer data of some kind (as opposed to just marketing collateral and catalogs) and are public-facing — and, in many cases, on public clouds, which are owned/managed by the dominant social sites, such as Facebook and Twitter. So the concerns here would be about security of data and regulatory compliance issues related to the vertical industries involved.
E-commerce sites have had many years of experience in safeguarding themselves against theft of credit card information by complying with the rather exhaustive PCI DSS. This standard covers a broad range of topics related to security of data, network, and computers (endpoints) in a given industry. Similar regulatory standards include, but are not limited to:
* The Health Insurance Portability and Accountability Act (HIPAA), for healthcare
* The Federal Information Security Management Act (FISMA), for the public sector
* The Gramm-Leach-Bliley Act (GLBA), for financial services
Corporate websites that connect to the social-networking sites (with the famous “Follow us on” invitations and/or “Like” buttons) should reconfirm their authenticity by complying with Extended Validation SSL (EV SSL). This will demonstrate a commitment to the security of customers, and it will combat phishing as well.
Technology/Vendor Options and Solutions
In an effort to offer comprehensive protection against emerging and traditional endpoint threats, endpoint security products have evolved into suites offering the following set of features:
* Anti-malware, which broadly includes protection against malware, viruses, and spyware
* Endpoint firewalls, as a second level of defense behind the perimeter
* Host Intrusion Prevention Systems (HIPS), to prevent malicious attacks on servers and PCs
* Centralized management for patches, configuration, and reporting
Gartner’s term for these suites is “Endpoint Protection Platforms (EPP),” and in its December 2010 Magic Quadrant for EPP, the firm laments the fact that in 2010, malware effectiveness was on the rise in general, gaining an upper hand over recent enhancements in EPP products. The firm shares a concern that most of today’s EPP vendors are working more on reactive signature-based detection techniques and less on attacking related root causes proactively. The Magic Quadrant of EPP vendors shows that Symantec, McAfee, Trend Micro, and Sophos lead the pack.
The report that accompanied this Magic Quadrant presents a thorough evaluation of EPP products from across the industry using an exhaustive set of business, technical, and financial criteria, and it highlights the strong and cautionary aspects of the products included in the analysis.
To build comprehensive endpoint security solutions, corporate IT groups and system integrators (SIs) first have to conduct a broader business and IT security analysis (including business drivers and threats). This will help them plan, build, and sustain a strategy for endpoint security. The approach should be an integral part of a broader enterprise cyber-security initiative and unified threat management (UTM) solution.
IBM strongly recommends, in its Redpaper on the IBM Security Framework,1 that companies adopt relevant aspects of internationally accepted frameworks and best practices for IT governance. Two such recommended frameworks are Control Objectives for Information and related Technology (COBIT) and International Organization for Standardization 27002:2005 (ISO 27002:2005).
In addition, the vertical-industry security compliance standards that we listed earlier should be studied and strategically adopted.
The resulting planning, building, and sustaining/strengthening activities for endpoint security would involve:
* Business goals and related threat modeling and analysis
* Endpoint-security blueprint and related total cost of ownership and return-on-investment calculations
* Endpoint security use case analysis
* Endpoint security architecture (with an eye to how it fits with the company’s overall enterprise security architecture) and implementation
* Ongoing vulnerability detection and patch management
* Audit and compliance enforcement
Gartner’s concerns around EPP playing catch-up to the exploits of the cyber underworld underscore the need of the hour and are a call to action for greater shared responsibility and accountability across the ecosystem. This catch-up is supposed to have taken the EPP products market to $3.96 billion in 2010, resulting in a 30-plus percent growth year over year. This growth speaks well of the efforts made, but the effectiveness of endpoint security must go up as well in 2012.
EPP vendors should certainly be analyzing root causes and developing remedies, but they should not be doing so in isolation. Collaboration is needed to plan and execute an industry-wide, unified counter-attack on cybercrime. Yes, scanning, patching, and personal firewalling through EPP is fine, but the overall security of the stack on the endpoint cannot be an afterthought.
Infrastructure vendors have to adopt “secure by design” principles (an evolving discipline that is actively being promoted by IBM and Citrix, among others) when they develop/enhance platforms that constitute the surface area of attacks on endpoints. And corporate IT and the SI community must do the same with the applications layer, showing some leadership in defining and implementing comprehensive UTM systems and policies.
Sreedhar Kajeepeta is global VP and CTO of technology consulting for GBS at CSC. CSC’s consulting groups specialize in cloud computing, SOA, enterprise transformation, data warehousing and business intelligence/analytics, and application consulting (open source, JEE, and .NET). Kajeepeta is based in Farmington Hills, Mich., and can be reached at firstname.lastname@example.org.
Jan 2012, Software Magazine