Being a good security citizen
Bruce Potter, founder, The Shmoo Group
It's been said that the internet is a global community
made of all the users on the network. Like any community, there
are businesses conducting commerce, individuals going about their
daily lives, and even a few bad actors. But unlike our physical
communities, there are no police cars roaming the neighbourhoods
looking for these bad actors. There aren’t even boundaries
that help law enforcement activities. At the end of the day, this
global community without boundaries means that every enterprise
has to be on the lookout for not just the security of their own
systems, but also the security of the community as a whole.
This is obviously a difficult situation. It's hard enough to secure
your own systems; being on the lookout for the entire internet is
an impossible task. Further, it is outside the commonly accepted
mission of most IT security departments to be accountable for security
beyond the network boundaries. So, how do you balance the need to
be a good security citizen with the need to minimise operational
costs and maximise the assurance of your systems?
Passive mechanisms
Being a good security citizen starts with your local configurations
and operational procedures. If your networks and systems are vulnerable,
they can become Petri dishes for attackers. Much like a pool without
a fence, an insecure network is an attractive nuisance that will
draw in attackers. These attackers will then use your systems to
attack other networks. Botnets and zombies are a huge problem on
the net, and the propagation of these types of malicious code is
often due to known vulnerabilities and system weaknesses.
Applying patches, using strong passwords, and employing other industry
best practices is the best thing you can do to be a good internet
security citizen. Thankfully, these actions are the same actions
we take every day to protect our assets and our employees. So the
first step in being a good citizen is one most of us have taken
already.
Even with industry best practices in place, the potential for security
incidents still exists within your network. Also, if you are a product
vendor, security researchers may find vulnerabilities in your products
that they wish to disclose to you. To facilitate security communication
with the outside world, you should create predictable and reliable
contact mechanisms.
The Organization for Internet Safety (OIS) recommends some simple
solutions for communications. Foremost among them is the creation
of a security page on your corporation's primary webserver (for
instance, http://www.yourcompany.com/security/) that provides appropriate
information for those looking to contact you.
Also, an alias of security@yourcompany.com should be set up and
monitored for email communication in absence of web access. There
is more information available on the OIS website at www.oisafety.org.
Controlling rogue code within your enterprise is a critical aspect
of being a good security citizen. Many worms and bots use spoofed
IP addresses to obscure the location of the infection and decrease
the likelihood of detection. Spoofed addresses can only be successfully
stopped at the point where the traffic originates.
An enterprise knows the source addresses that should exist in outbound
traffic. For instance, if your network is 192.168.0.0/24, your border
router should only see outbound traffic with source addresses from
that netblock. If a different source address is detected, then some
entity is spoofing source addresses. Blocking spoofed source addresses
at the outbound border is called egress filtering. Egress filtering,
if done on a large scale across the internet, can have a profound
effect on the detection and deletion of bots and worms.
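The egress check just described, as an added example that is not part of the article: given outbound flow records, it flags any whose source address lies outside the enterprise's own netblocks and renders the equivalent iptables rules. The second prefix, the sample flow records and the interface name wan0 are constructed assumptions; 192.168.0.0/24 is the page's example netblock.

```python
import ipaddress
from typing import List, Tuple

# Prefixes this enterprise legitimately sources traffic from. 192.168.0.0/24
# is the page's example netblock; 203.0.113.0/24 is a constructed second
# allocation (RFC 5737 documentation range) to show multiple prefixes work.
ENTERPRISE_PREFIXES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed outbound flow records ("src dst proto dst_port"), the kind of
# summary a border router's flow export or firewall log would provide.
SAMPLE_OUTBOUND_FLOWS = """\
192.168.0.15 198.51.100.7 tcp 443
192.168.0.200 198.51.100.9 udp 53
10.0.0.5 198.51.100.7 tcp 445
203.0.113.77 198.51.100.23 tcp 80
172.16.4.4 198.51.100.7 tcp 25
192.168.0.77 198.51.100.7 icmp 0
not-an-ip 198.51.100.7 tcp 80
"""

def is_legitimate_source(src: str, prefixes=ENTERPRISE_PREFIXES) -> bool:
    """True when src lies inside one of our own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source never passes the egress check
    return any(addr in net for net in prefixes)

def find_spoofed_flows(text: str, prefixes=ENTERPRISE_PREFIXES) -> List[Tuple[str, ...]]:
    """Outbound records whose source is not ours: what an egress filter would
    drop, and a lead to an internal host that may be running a bot or worm."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of guessing
        if not is_legitimate_source(fields[0], prefixes):
            hits.append(tuple(fields))
    return hits

def egress_acl(prefixes=ENTERPRISE_PREFIXES, iface: str = "wan0") -> List[str]:
    """The same policy as iptables rules on an assumed WAN interface name:
    permit our prefixes outbound, drop every other source address."""
    rules = [f"iptables -A FORWARD -o {iface} -s {net} -j ACCEPT" for net in prefixes]
    rules.append(f"iptables -A FORWARD -o {iface} -j DROP")
    return rules
```

Running find_spoofed_flows(SAMPLE_OUTBOUND_FLOWS) reports the 10.0.0.5, 172.16.4.4 and malformed records; the remaining flows carry legitimate source addresses and pass.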
Active mechanisms
The passive mechanisms described above represent the generally
accepted minimum required to be considered a good security citizen.
There are many other actions you can take if your budget and/or
morals allow.
If your network detects an active or attempted intrusion, you may
choose to do more than just prevent the attack from being successful.
Many times, attacks originate from other systems that have been
compromised. By investigating the attack, you may find that another
enterprise is a victim too.
You may choose to notify system administrators of the other network
in an effort to assist them in stopping an active infection. Note,
however, that the act of notifying and conveying the needed information
takes time and depending on the level of sophistication of the victim
enterprise, you may be simply wasting your efforts.
You may also choose to track down the original attacker in an effort
to stop the attack once and for all, and potentially to notify law
enforcement. This action is likely even more time intensive than
reaching out to other enterprises. Tracking down attackers and getting
them to stop is a technically and politically difficult problem.
Attackers have the upper hand in protecting their identity and hiding
their true location. Even if you are successful in finding the attacker,
if they are in a foreign country you may have no real recourse to
law enforcement.
Participating in a honeynet initiative is potentially a great way
to give back to the community without the cost of tracking down
attackers directly. Honeynets are systems where fake hosts are set
up to lure in attackers and deceive them into believing they have
compromised legitimate systems. These systems then report back to
a central authority on the actions and tools used by the attackers.
In turn, the central authority can analyse input from many sensors
in order to determine new attack techniques, changes in attack patterns,
and overall threats to the internet. Honeynets can be a sophisticated
mechanism for learning about attackers and providing intelligence
to the broader security community. However, honeynets are also a
distraction from the day-to-day operations of your enterprise and
may represent a security risk as attackers are essentially invited
into your network to perform malicious activities.
Parting shots
The internet is still young, and from a security perspective it
is still a bit like the wild west. Individual actors can cause great
harm to networks and systems half a world away. The security of
the internet is not the responsibility of a single organisation.
Rather, security is the responsibility of every operator plugged
into the network.
There is no single set of actions that make a good security citizen.
Rather, it is the intent of your actions and your ability to balance
your needs versus the needs of the broader network community that
ensure that you are positively contributing to the security of those
around you.
About the author
Bruce Potter is the founder of The Shmoo Group of security, crypto,
and privacy professionals. He helps organise ShmooCon, a yearly
information security conference in Washington DC that draws over
1000 attendees. Bruce has a background in embedded system security,
software assurance, and enterprise IT operations. He is a senior
associate at Booz Allen Hamilton.
Network Security
Volume 2007, Issue 5, May 2007