Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/16/2012
02:46 PM
Security Insights
Security Insights
Security Insights
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Porous Network Perimeters Sometimes Caused By People

What a trespassing jet skier and the Citadel Trojan have in common

Maybe it's a stretch, but I see definite parallels in the recent news stories about Daniel Castillo, the jet skier who successfully evaded John F. Kennedy International Airport's $100 million security system, and this week's discovery of a man-in-the-browser attack using the Citadel Trojan that had compromised the virtual private network (VPN) of a major international airport hub.

The common factors that bind both events? Insufficient security measures and inattentive employees.

In Castillo's case, and according to this report on Time.com, his watercraft apparently ran out of fuel while jet skiing in a coastal inlet on Long Island. Unable to summon help on his own, the 31-year-old opted to ditch his craft and swim to the nearest lights on the horizon -- in this case the runway lights of JFK International Airport.

Once he made it to land, he then scaled an eight-foot barbed wire perimeter fence and walked undetected through the airport's perimeter intrusion detection system and across two runways before finally being stopped and detained by an employee in Delta's terminal three.

What followed was predictable: Castillo was charged with trespassing, and the Port Authority -- which manages the airport -- issued an obligatory statement promising an "expedited review of the incident and a complete investigation to determine how (its) perimeter intrusion detection system could be improved. "

In the case of the Citadel Trojan, which was announced by security vendor Trusteer, the attack was serious enough, according to CSO, to prompt the airport to shut down the VPN, essentially leaving 5,000 employees without outside access to the network and attracting the attention of federal agencies.

While Trusteer officials would not name the airport or its location, they acknowledged it's a major international hub.

As is the case in similar such attacks, the bad guys don't target, in this case, a VPN perimeter directly. Instead, they infect endpoint devices (smartphones, tablets, or laptops) of employees and then steal the employee's credentials for accessing internal applications.

As Trusteer affirms, it's that first step -- infecting an employee device -- that enables the breach. Hackers use tactics like social engineering, where employees are forwarded to a website and infected with a drive-by download. Or they're guided to a malicious website, a legitimate site that's been infected, or, more frequently, an email that asks you to download a patch to combat a virus found on your system.

However it's done, once the device is infected, the enterprise firewall comes down and the bad guys can access information and resources associated with that account at will.

So what are the takeaways from these incidents? Let's take up the JFK incident first.

• The human element. Even closed-circuit cameras -- the kind used by the PIDS system -- need employees to monitor them. As the investigation proceeds, it's pure conjecture, of course, to say employees assigned to watch the monitors were inattentive or absent from their posts. But I have little doubt it will prove to be a contributing factor.

• The technology component. This breach strongly suggests that no matter how much you spend on your perimeter security -- whether it's a few thousand dollars or even a million -- it's still no guarantee that it won't be breached and employees won't ultimately be proved to be at least partially or wholly accountable for its shortcomings.

• Pen testing. Penetration testing -- at least in this case -- shouldn't be limited to network testing alone. Castillo's "trespass" is prima facie evidence that in spite of hoping for the best and believing you've done all you can from a technology outlay to protect your perimeter, it can still fall short of your security requirements.

As for the Citadel Trojan, let's extract chapter and verse from the IT security handbook, abridged:

• Mobile security. Make sure you have technology in place that can enforce password complexity, encryption, patch status, and locate/erase devices in the event of loss.

• Enforce an acceptable user policy. Ensure your organization gives clear guidance to users in your acceptable use policy on what devices are allowed and what they are required to do to use them for work.

• The weakest link. The weakest link in your endpoint security is your employees. Make them aware of social engineering threats and encourage them not to click on links for downloadable software just because an email directs them to, or to go to some site they've never been to previously just because one of their peers or friends has suggested it. It always ends badly for the employee as well as the enterprise. Or, in the case of bring your own device (BYOD), make sure they think before they click to protect your data -- as well as theirs.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web