Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/16/2012
02:46 PM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Porous Network Perimeters Sometimes Caused By People

What a trespassing jet skier and the Citadel Trojan have in common

Maybe it's a stretch, but I see definite parallels in the recent news stories about Daniel Castillo, the jet skier who successfully evaded John F. Kennedy International Airport's $100 million security system, and this week's discovery of a man-in-the-browser attack using the Citadel Trojan that had compromised the virtual private network (VPN) of a major international airport hub.

The common factors that bind both events? Insufficient security measures and inattentive employees.

In Castillo's case, and according to this report on Time.com, his watercraft apparently ran out of fuel while jet skiing in a coastal inlet on Long Island. Unable to summon help on his own, the 31-year-old opted to ditch his craft and swim to the nearest lights on the horizon -- in this case the runway lights of JFK International Airport.

Once he made it to land, he then scaled an eight-foot barbed wire perimeter fence and walked undetected through the airport's perimeter intrusion detection system and across two runways before finally being stopped and detained by an employee in Delta's terminal three.

What followed was predictable: Castillo was charged with trespassing, and the Port Authority -- which manages the airport -- issued an obligatory statement promising an "expedited review of the incident and a complete investigation to determine how (its) perimeter intrusion detection system could be improved. "

In the case of the Citadel Trojan, which was announced by security vendor Trusteer, the attack was serious enough, according to CSO, to prompt the airport to shut down the VPN, essentially leaving 5,000 employees without outside access to the network and attracting the attention of federal agencies.

While Trusteer officials would not name the airport or its location, they acknowledged it's a major international hub.

As is the case in similar such attacks, the bad guys don't target, in this case, a VPN perimeter directly. Instead, they infect endpoint devices (smartphones, tablets, or laptops) of employees and then steal the employee's credentials for accessing internal applications.

As Trusteer affirms, it's that first step -- infecting an employee device -- that enables the breach. Hackers use tactics like social engineering, where employees are forwarded to a website and infected with a drive-by download. Or they're guided to a malicious website, a legitimate site that's been infected, or, more frequently, an email that asks you to download a patch to combat a virus found on your system.

However it's done, once the device is infected, the enterprise firewall comes down and the bad guys can access information and resources associated with that account at will.

So what are the takeaways from these incidents? Let's take up the JFK incident first.

• The human element. Even closed-circuit cameras -- the kind used by the PIDS system -- need employees to monitor them. As the investigation proceeds, it's pure conjecture, of course, to say employees assigned to watch the monitors were inattentive or absent from their posts. But I have little doubt it will prove to be a contributing factor.

• The technology component. This breach strongly suggests that no matter how much you spend on your perimeter security -- whether it's a few thousand dollars or even a million -- it's still no guarantee that it won't be breached and employees won't ultimately be proved to be at least partially or wholly accountable for its shortcomings.

• Pen testing. Penetration testing -- at least in this case -- shouldn't be limited to network testing alone. Castillo's "trespass" is prima facie evidence that in spite of hoping for the best and believing you've done all you can from a technology outlay to protect your perimeter, it can still fall short of your security requirements.

As for the Citadel Trojan, let's extract chapter and verse from the IT security handbook, abridged:

• Mobile security. Make sure you have technology in place that can enforce password complexity, encryption, patch status, and locate/erase devices in the event of loss.

• Enforce an acceptable user policy. Ensure your organization gives clear guidance to users in your acceptable use policy on what devices are allowed and what they are required to do to use them for work.

• The weakest link. The weakest link in your endpoint security is your employees. Make them aware of social engineering threats and encourage them not to click on links for downloadable software just because an email directs them to, or to go to some site they've never been to previously just because one of their peers or friends has suggested it. It always ends badly for the employee as well as the enterprise. Or, in the case of bring your own device (BYOD), make sure they think before they click to protect your data -- as well as theirs.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.