TORONTO – Your network is being attacked right now. So says Brian Bourne, a member of the Toronto-based security user group called TASK. The nature of attackers is changing, he said, and attacks are primarily opportunistic – and automated.
The Toronto Area Security Klatch discussed real-life security lessons at the Canadian IT Pro Community Summit held Tuesday, a gathering of local user groups and Microsoft technicians.
A system administrator of an investment relations firm, for example, called up Bourne’s company, CMS Consulting, with a problem. The firm had a few servers and relied on e-mail to deal with clients. However, many people weren’t receiving the company’s correspondence. The system administrator couldn’t find anything out of the ordinary, so he called up the consulting firm to investigate.
It turned out the company’s IP address was on a DNS blacklist for spam. The company was running an appliance-based firewall that hadn’t been patched in a long time – something an opportunistic hacker had discovered and was using to send out thousands of e-mails a day.
Security isn’t a product, said Robert Beggs, a senior consultant with DigitalDefence.ca and member of TASK. Companies can put point products in place, he said, but they’re all going to fail. “The attackers are going to find a way around it,” he said. “Security is not just a process, because when you think process, you think of something organized.” But in real life, things go to pot all the time, he said. Instead, security has to directly support business.
Companies need to look at their network’s baseline level of activity. “Lots of companies collect information,” he said, “but they’re doing it on an arbitrary basis.” And change control tends to be haphazard. Many people, for example, don’t bother marking down that they’ve applied a vendor patch. “Inventory and document your network,” he said. That way, if something goes wrong, you’re able to backtrack.
System attacks include firewall by-pass, rootkits, known exploits, malware and botnets. Hacking is becoming a part of business practices, he said, and money is driving hacker competence. Recently, Air Canada claimed that budget airline WestJet stole its data. Whether or not this is true, Beggs said we’re seeing hacking and attacking for the sake of business, pitting one company against another. This could involve denial of service attacks or stealing corporate information.
“Hackers aren’t kiddies,” he said. “Hackers are professionals. They get paid.” And they have an economic incentive to build their competency.
But if a company doesn’t have a security budget, how does it put security solutions in place? Bourne said there are three ways to sell security effectively, whether you’re in the business of selling security or whether you’re an internal IT manager, trying to convince upper management to spend money on security.
One is providing security to meet compliance and regulatory requirements, particularly for large companies such as banks, as well as the public sector. The second is tying security into the overall infrastructure. And the third is incident response – putting a security solution in place after a breach has already occurred.
However, waiting until an incident has occurred isn’t the best time to start a response plan. Decide how you want to respond, he said, and realize that a response can be costly. “Be prepared to police your own network,” he said, since law enforcement agencies are overloaded.
And it’s no time to be an amateur. One company, for example, had a security breach and, in a panic, the system administrator started deleting anything that looked unfamiliar – thereby eliminating any forensic evidence. If no one has training in forensics, he said, either get training or build a relationship with someone who does.
Beggs said companies need to ask themselves if they have an information security policy in place, where it is and what type of things are in it, and where their change control documents are.
But security needs to be more than a process. On the day of Sept. 11, 2001, he asked one company if its employees practiced regular fire drills. The response? They were developing a process to have fire drills and hoped to have one in six months. “You don’t have to make it a process,” he said. “Make it something you just do.”