ACHIEVING CYBER SECURITY READINESS WITHIN AN EVOLVING THREAT LANDSCAPE

Transcription

1 ACHIEVING CYBER SECURITY READINESS WITHIN AN EVOLVING THREAT LANDSCAPE February 2013 Rev. A 02/13

2

3 SPIRENT 1325 Borregas Avenue Sunnyvale, CA USA Web: AMERICAS SPIRENT EUROPE AND THE MIDDLE EAST +44 (0) ASIA AND THE PACIFIC Spirent. All Rights Reserved. All of the company names and/or brand names and/or product names referred to in this document, in particular, the name Spirent and its logo device, are either registered trademarks or trademarks of Spirent plc and its subsidiaries, pending registration in accordance with relevant national laws. All other registered trademarks or trademarks are the property of their respective owners. The information contained in this document is subject to change without notice and does not represent a commitment on the part of Spirent. The information in this document is believed to be accurate and reliable; however, Spirent assumes no responsibility or liability for any errors or inaccuracies that may appear in the document.

4 Achieving Cyber Security Readiness Within an Evolving Threat Landscape CONTENTS Executive Summary... 1 Cyber Security Readiness... 1 The Evolving Threat Landscape... 3 Government Involvement... 3 Cloud Computing... 4 Bring Your Own device... 5 Responding to New Threats... 6 Achieving Cyber Security Readiness Through Testing... 8 Conclusion SPIRENT WHITE PAPER i

5 EXECUTIVE SUMMARY CYBER SECURITY READINESS Cyber security is evolving rapidly owing to three key trends: Government interest and involvement in cyber security is expanding due to considerations of national security, including the need to protect government and corporate networks from threats of cyber espionage and cyber warfare. Cloud computing imposes a layer of abstraction over a physical network, presenting an amorphous environment where the requirements for cyber security are anything but straightforward. The growing tendency of employees to access corporate networks with personal devices significantly increases the sheer number of devices that need to be secured and greatly expands the potential for introducing compromised equipment. This white paper examines the implications of these trends for security processes and presents a number of recommendations for the development and use of security test tools. In summary, test tools must emulate sustained real-world attacks on large numbers of devices, including attacks native to virtualization and BYOD environments. They must also keep track of known network vulnerabilities and allow for easy updates to address new threats as they are discovered. Corporate and government networks are literally bombarded with security threats. Denial of service attacks flood networks and hosts with unwanted traffic, rendering them slow or inoperative. Corporate data including customer information is routinely stolen and compromised. Bank accounts are accessed and drained. Attacks targeting classified government information and critical economic infrastructure are becoming routine. The true cost of these attacks is hard to quantify, as organizations are understandably shy about providing this information, but estimates run into the hundreds of billions of dollars annually for the US alone. 1 SPIRENT WHITE PAPER

6 Following are a few examples of the types of threats networks are experiencing: A series of attacks dubbed Night Dragon originated in China. Beginning in November 2009, hackers were able to take over servers in the US and the Netherlands to launch attacks on oil, gas and petrochemical companies and obtain sensitive confidential information. A Trojan horse named Zeus has been used since 2007 to steal information from the US Department of Transportation, Bank of America, NASA and other large organizations. More recently several US Banks experienced denial of service attacks, allegedly initiated from Iran, despite their sophisticated defenses. The attacks slowed servers and impacted customer service. These examples are just the tip of the iceberg. To get a rough idea of the scale of the problem, Symantec claims to have blocked over 5.5 billion malware attacks in 2011, an increase of 81% over The cost of such attacks to both federal organizations and corporations can be considerable in terms of denied service to customers, inability to access internal resources, compromised information and impaired reputation. It is no exaggeration that the survival of a business might depend on effective cyber countermeasures. The implications for national security are even more frightening. In the words of President Obama: It doesn t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill. Critical to the success of cyber countermeasures is the ability to test the capacity of networks, hosts and applications to withstand the various known cyber attacks. Passive means like corporate firewalls, while still necessary, are not sufficient in such a threat-rich environment. SPIRENT WHITE PAPER 2

7 Indeed, this fall the European Network and Information Security Agency launched Cyber Europe 2012, a massive denial of service attack aimed at more than 300 European public and private institutions to assess their robustness to cyber threats. However individual network test teams continue to employ the test processes and procedures they know. Unfortunately with millions of applications, devices and users active on the Internet, and thousands of attacks being discovered every day test teams are struggling to quickly and effectively test the security aspects of their cloud applications and infrastructure. In addition to the sheer numbers of new attack vectors, the nature of cyber security continues to change. In order to maintain cyber security readiness, test teams must understand the evolving threat landscape and appropriately update their approaches to security testing THE EVOLVING THREAT LANDSCAPE The cyber threat picture, like the IT industry itself, is in a constant state of flux, making it difficult to keep track of newer threats and new variations on existing threats, let alone develop effective countermeasures. However three key trends can be identified that we expect to have a significant effect on the evolving threat landscape: government involvement, cloud computing, and user of personal mobile devices at work. Government Involvement Governments have a critical need to protect industrial infrastructure and national security from cyber attacks. Governments need to withstand and, where appropriate, initiate sophisticated information-based attacks. Fortunately, they have the deep pockets necessary to achieve this. Indeed, the very nature of war is beginning to evolve from a focus on conventional warfare to a rapidly increasing emphasis on cyber warfare, i.e., attacking the enemy s information capabilities and, of course, protecting your own. For these reasons, governments are expected to play an increasingly influential role in the future development of cyber security. 3 SPIRENT WHITE PAPER

8 The Stuxnet worm was part of the US-Israeli Operation Olympic Games, a series of cyber attacks on Iran s developing nuclear capability. Stuxnet was aimed at Siemens supervisory and control (SCADA) equipment and represents the first large-scale attack on another country s industrial infrastructure. It is hard to overestimate Stuxnet s significance and probably not an exaggeration to say that it ushered in the age of cyber warfare. While Stuxnet did indeed damage Iran s nuclear infrastructure despite denials this type of attack is a two edged sword. Stuxnet managed to find its way into the internet and affect equipment in several other countries besides Iran. Moreover other countries notably Russia and China are believed to have the ability to launch such an attack at US infrastructure, and several others are believed to be working on such a capability. Governments need to be concerned with all types of malware that infect corporate networks e.g., viruses, worms and Trojan horses and, especially where classified information is at issue, guard against data loss and compromise. The size and scale of government networks including military networks and the sensitive nature of classified information, requires governments to be concerned with very sophisticated attacks, involving multiple vulnerabilities Uniquely, governments need to address cyber espionage and cyber warfare and, as such, need to develop both offensive and defensive capabilities wearing black hats and white hats at the same time. Cloud Computing Cloud computing refers to the delivery of computing resources as a service over a network and typically employs virtualization technology, where the physical infrastructure of the network is overlaid with virtual resources, such as virtual machines, virtual hosts and virtual networks. Users and applications access virtual resources in the same way as they would access physical resources, unaware of the physical hardware that is actually in play. Cloud computing exploits multi-tenancy, where a large number of geographically distributed users share the same hardware resources, permitting efficient use of hardware, and centralization of resources in lower cost locations. SPIRENT WHITE PAPER 4

9 However it adds additional challenges with respect to security: The virtual environment often changes rapidly in the face of varying loads on the physical resources, so end users and even administrators are not always aware of the exact physical hardware and software configuration that runs the virtual infrastructure. Much data is moved between on-premise equipment and cloud data centers, making it vulnerable to outside hacking. The virtualization software the hypervisor is itself a potential target for a cyber attack. User access to security log files within multi-tenant public clouds may be inconvenient or impossible. Owing to its clear economic advantages, use of cloud computing by enterprises is growing rapidly, even to the point where corporate users are circumventing their IT organizations and employing cloud services without approval, presenting an additional security problem. Nonetheless, ensuring corporate security is every bit as critical for off-premise cloud environments as it is for on-premise networks. It is just more difficult. Bring Your Own Device Bring Your Own Device (BYOD) refers to the growing use of personal mobile devices at work typically smart phones, tablets and laptops and their need to access the corporate network. This trend has its advantages in saving businesses money on personal devices and offering employees a choice in selecting them, but it presents a number of security challenges: Devices may be independently compromised and then used to access the network, e.g., phones that may have accessed unsecured Wi-Fi hotspots. Lost personal devices may contain proprietary data which is then compromised. The proliferation of new types of devices makes it hard to keep track of them and develop appropriate security procedures. New hand-held technologies, such as Android and Apple ios, present new vulnerabilities and opportunities for security breaches. The sheer numbers of mobile devices that might access a network at any given time present a scaling problem, making it difficult for a security tool to keep track of all of them. We feel that these three trends government involvement, cloud computing and BYOD present some of the greatest challenges to cyber security in a rapidly evolving environment and that an understanding of their implications is necessary to the design of effective countermeasures. 5 SPIRENT WHITE PAPER

10 RESPONDING TO NEW THREATS Cyber threats continue to evolve with the rapid development of information technology. As the bad guys discover and exploit new vulnerabilities, the good guys need to develop products and procedures to meet the ever-expanding threats. Most damaging are zero day attacks, which exploit hitherto unknown vulnerabilities. Here the hacker gets ahead of the developer, allowing zero time to fix the vulnerability. Government and enterprise IT teams need to find and implement process-based solutions, not just product (anti-virus/ips) and consulting-driven solutions (penetration testing/compliance). What is really needed is an understanding that network security is an ongoing process rather than simply a product or service that can be purchased. Security testing is a critical component of the process. Ongoing security processes should include the following set of related considerations: Ease of Use: Security processes should be designed for the skill levels of the personnel tasked with carrying them out. They need to be userfriendly, easily deployed and well-documented. Given the rapidly changing nature of the field, they need to be reviewed frequently and updated as necessary. Tools need to be designed for easy updating in order to address new threats as they are detected and recognized. DDoS Protection: Distributed denial of service is a powerful attack technique that attempts to deny the service provided by a particular network resource by attacking it from multiple sources, compromising both the target and the commandeered sources. DDoS countermeasures need to focus on minimizing downtime associated with DDoS attacks by employing techniques to: Prevent DDoS attacks in the first place Detect DDoS attacks that survive preventive measures Recover from DDoS attacks where prevention has failed, and Update preventive methods based on assessments, tests and experience SPIRENT WHITE PAPER 6

11 Fuzz Testing: Fuzz testing refers to the automated launching of large numbers of random attacks involving invalid or unanticipated variations on legitimate traffic. Fuzz testing identifies new vulnerabilities hopefully before the hackers do and provides a general indication of the health of the system or network under study. It is effective at detecting dramatic failures such as system crashes, but often fails to discover more subtle problems. Fuzz testing should be incorporated into test tools and executed on hosts, networks and applications periodically or on as-needed basis. Published Vulnerability Testing: Vulnerability assessments, both automated and manual, identify and prioritize network vulnerabilities. They should be conducted periodically and after security updates and used to generate comprehensive reports and databases identifying known vulnerabilities that can be exploited by a hacker. The reports should be made available to staff and, where appropriate, equipment vendors. Vulnerability testing should be accompanied by manual penetration tests designed to exploit detected vulnerabilities. In effect, the tester emulates a hacker in order to verify a vulnerability and assess the associated risk. Vulnerability testing is a good complement to fuzz testing. Mobile Emulation: The revolution in the use of mobile devices and the need for BYOD policies presents a new battleground, where mobile devices of varying types and in large numbers are demanding access to the network. To address this trend, network security policies need to address appropriate firewall capabilities, encryption of the various access technologies and device certification. Security testing methodology needs to complement these policies by employing emulators that present the sort of attacks likely in an environment with a very large number of access devices. Particular attention should be paid to protection against mobile malware as incidences of these attacks are skyrocketing. Actionable Results: Of course none of the security testing processes described above is of any value without actionable results. Test teams need reports that clearly identify any detected vulnerabilities and include as much information as possible on how to respond. Procedures for incorporating fixes with as little downtime as possible must be defined, documented, and updated as necessary. 7 SPIRENT WHITE PAPER

12 ACHIEVING CYBER SECURITY READINESS THROUGH TESTING Testing needs to expand to address the newer challenges posed by increasing government involvement, the rise of cloud computing and the demands placed on the network by BYOD trends. In addition to technology to prevent or neutralize attacks, there remains a real need for test tools that emulate attacks to verify the integrity of the techniques in place. Testing techniques need to emulate attacks that address all aspects of cyber security. Tests need to be designed that attempt to breach network perimeters, compromise internal assets, and circumvent data extrusion detection mechanisms in as thorough and comprehensive a fashion as possible, attacking applications as well as network infrastructure. Test tools must have sufficient capacity to emulate a large number of simultaneous, heterogeneous and sustained attacks to determine network behavior under an avalanche of attempted breaches. Performance testing is, perhaps surprisingly, another important aspect of security testing. Performance tests must be done with real world application traffic mixed in with attacks. The reality is that attacks do not happen in isolation but along with valid application driven traffic. Increased security control can mean reduced performance in many cases. Therefore security and performance are two sides of the same coin and need to be done together. Testing methodology also needs to get more sophisticated and agile. Test tools need to provide canned tests for known attacks and configurable templates to permit a user to craft specific penetration tests against any active protocol, application or service to address newly discovered attacks. Accurate emulation of real attacks, including spam, worms, viruses, trojan horses and denial of service, is critical to testing whether the preventive mechanisms in place, are, in fact, doing their jobs. Test signatures need to represent as accurately as possible the real threats experienced by the network. SPIRENT WHITE PAPER 8

13 Malware testing is an additional test activity that should be included to ensure security. This includes replicating malware binaries being sent through firewalls and IPS/IDS devices as payload over HTTP and FTP transports. It also includes replication of the behavior of infected end devices. This latter step is essential to detecting and eliminating advanced persistent threats that may have embedded themselves inside a protected network. Speed of response is yet another key aspect of security testing. Administrators should respond quickly and decisively to new threats. Since threats are constantly changing, the test tools need to be correspondingly agile, constantly addressing new threats by permitting threat configuration by users and by use of fuzzing techniques to vary the attack signatures. Finally, test tools must be comprehensive in their coverage. Cyber threats are numerous and widely variable. Tools need to be as exhaustive as possible in identifying and addressing them. To this end they require a comprehensive repository of test signatures and, of course, the ability to create new ones and variations on old ones as newer threats are identified. Scale is important here too. The tools need to have the capacity to generate a large number of threats of different types over a sustained time period. 9 SPIRENT WHITE PAPER

14 CONCLUSIONS It should now be clear that achieving cyber security readiness is becoming increasingly difficult, owing to the evolving threat landscape. To address the challenges of increased government involvement, adoption of cloud computing and trends toward BYOD policies, test tools will need to: Present attacks that a network is likely to encounter in the real world Support the capacity to test simultaneously a large number of devices and offer attacks that are massive, heterogeneous and sustained in time Thoroughly assess vulnerabilities and generate appropriate reports and databases Provide a comprehensive repository of test signatures, offering breadth across the universe of known threats and depth in the available variations of each individual threat Permit the creation of new signatures as new threats are identified and possess the agility to quickly emulate new attacks and modify existing attacks Accommodate the rapidly changing nature of virtual networks, offering comprehensive testing in such an environment, including testing directed at the virtualization software itself, and, where necessary, the ability to run the tests from platforms in the virtual environment Present attacks native to a BYOD environment, with particular emphasis on mobile malware SPIRENT WHITE PAPER 10

15 11 SPIRENT WHITE PAPER

16