Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/16/2012
02:46 PM
Dark Reading
Dark Reading
Security Insights
50%
50%

Porous Network Perimeters Sometimes Caused By People

What a trespassing jet skier and the Citadel Trojan have in common

Maybe it's a stretch, but I see definite parallels in the recent news stories about Daniel Castillo, the jet skier who successfully evaded John F. Kennedy International Airport's $100 million security system, and this week's discovery of a man-in-the-browser attack using the Citadel Trojan that had compromised the virtual private network (VPN) of a major international airport hub.

The common factors that bind both events? Insufficient security measures and inattentive employees.

In Castillo's case, and according to this report on Time.com, his watercraft apparently ran out of fuel while jet skiing in a coastal inlet on Long Island. Unable to summon help on his own, the 31-year-old opted to ditch his craft and swim to the nearest lights on the horizon -- in this case the runway lights of JFK International Airport.

Once he made it to land, he then scaled an eight-foot barbed wire perimeter fence and walked undetected through the airport's perimeter intrusion detection system and across two runways before finally being stopped and detained by an employee in Delta's terminal three.

What followed was predictable: Castillo was charged with trespassing, and the Port Authority -- which manages the airport -- issued an obligatory statement promising an "expedited review of the incident and a complete investigation to determine how (its) perimeter intrusion detection system could be improved. "

In the case of the Citadel Trojan, which was announced by security vendor Trusteer, the attack was serious enough, according to CSO, to prompt the airport to shut down the VPN, essentially leaving 5,000 employees without outside access to the network and attracting the attention of federal agencies.

While Trusteer officials would not name the airport or its location, they acknowledged it's a major international hub.

As is the case in similar such attacks, the bad guys don't target, in this case, a VPN perimeter directly. Instead, they infect endpoint devices (smartphones, tablets, or laptops) of employees and then steal the employee's credentials for accessing internal applications.

As Trusteer affirms, it's that first step -- infecting an employee device -- that enables the breach. Hackers use tactics like social engineering, where employees are forwarded to a website and infected with a drive-by download. Or they're guided to a malicious website, a legitimate site that's been infected, or, more frequently, an email that asks you to download a patch to combat a virus found on your system.

However it's done, once the device is infected, the enterprise firewall comes down and the bad guys can access information and resources associated with that account at will.

So what are the takeaways from these incidents? Let's take up the JFK incident first.

• The human element. Even closed-circuit cameras -- the kind used by the PIDS system -- need employees to monitor them. As the investigation proceeds, it's pure conjecture, of course, to say employees assigned to watch the monitors were inattentive or absent from their posts. But I have little doubt it will prove to be a contributing factor.

• The technology component. This breach strongly suggests that no matter how much you spend on your perimeter security -- whether it's a few thousand dollars or even a million -- it's still no guarantee that it won't be breached and employees won't ultimately be proved to be at least partially or wholly accountable for its shortcomings.

• Pen testing. Penetration testing -- at least in this case -- shouldn't be limited to network testing alone. Castillo's "trespass" is prima facie evidence that in spite of hoping for the best and believing you've done all you can from a technology outlay to protect your perimeter, it can still fall short of your security requirements.

As for the Citadel Trojan, let's extract chapter and verse from the IT security handbook, abridged:

• Mobile security. Make sure you have technology in place that can enforce password complexity, encryption, patch status, and locate/erase devices in the event of loss.

• Enforce an acceptable user policy. Ensure your organization gives clear guidance to users in your acceptable use policy on what devices are allowed and what they are required to do to use them for work.

• The weakest link. The weakest link in your endpoint security is your employees. Make them aware of social engineering threats and encourage them not to click on links for downloadable software just because an email directs them to, or to go to some site they've never been to previously just because one of their peers or friends has suggested it. It always ends badly for the employee as well as the enterprise. Or, in the case of bring your own device (BYOD), make sure they think before they click to protect your data -- as well as theirs.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?