Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/16/2012
02:46 PM
Dark Reading
Dark Reading
Security Insights
50%
50%

Porous Network Perimeters Sometimes Caused By People

What a trespassing jet skier and the Citadel Trojan have in common

Maybe it's a stretch, but I see definite parallels in the recent news stories about Daniel Castillo, the jet skier who successfully evaded John F. Kennedy International Airport's $100 million security system, and this week's discovery of a man-in-the-browser attack using the Citadel Trojan that had compromised the virtual private network (VPN) of a major international airport hub.

The common factors that bind both events? Insufficient security measures and inattentive employees.

In Castillo's case, and according to this report on Time.com, his watercraft apparently ran out of fuel while jet skiing in a coastal inlet on Long Island. Unable to summon help on his own, the 31-year-old opted to ditch his craft and swim to the nearest lights on the horizon -- in this case the runway lights of JFK International Airport.

Once he made it to land, he then scaled an eight-foot barbed wire perimeter fence and walked undetected through the airport's perimeter intrusion detection system and across two runways before finally being stopped and detained by an employee in Delta's terminal three.

What followed was predictable: Castillo was charged with trespassing, and the Port Authority -- which manages the airport -- issued an obligatory statement promising an "expedited review of the incident and a complete investigation to determine how (its) perimeter intrusion detection system could be improved. "

In the case of the Citadel Trojan, which was announced by security vendor Trusteer, the attack was serious enough, according to CSO, to prompt the airport to shut down the VPN, essentially leaving 5,000 employees without outside access to the network and attracting the attention of federal agencies.

While Trusteer officials would not name the airport or its location, they acknowledged it's a major international hub.

As is the case in similar such attacks, the bad guys don't target, in this case, a VPN perimeter directly. Instead, they infect endpoint devices (smartphones, tablets, or laptops) of employees and then steal the employee's credentials for accessing internal applications.

As Trusteer affirms, it's that first step -- infecting an employee device -- that enables the breach. Hackers use tactics like social engineering, where employees are forwarded to a website and infected with a drive-by download. Or they're guided to a malicious website, a legitimate site that's been infected, or, more frequently, an email that asks you to download a patch to combat a virus found on your system.

However it's done, once the device is infected, the enterprise firewall comes down and the bad guys can access information and resources associated with that account at will.

So what are the takeaways from these incidents? Let's take up the JFK incident first.

• The human element. Even closed-circuit cameras -- the kind used by the PIDS system -- need employees to monitor them. As the investigation proceeds, it's pure conjecture, of course, to say employees assigned to watch the monitors were inattentive or absent from their posts. But I have little doubt it will prove to be a contributing factor.

• The technology component. This breach strongly suggests that no matter how much you spend on your perimeter security -- whether it's a few thousand dollars or even a million -- it's still no guarantee that it won't be breached and employees won't ultimately be proved to be at least partially or wholly accountable for its shortcomings.

• Pen testing. Penetration testing -- at least in this case -- shouldn't be limited to network testing alone. Castillo's "trespass" is prima facie evidence that in spite of hoping for the best and believing you've done all you can from a technology outlay to protect your perimeter, it can still fall short of your security requirements.

As for the Citadel Trojan, let's extract chapter and verse from the IT security handbook, abridged:

• Mobile security. Make sure you have technology in place that can enforce password complexity, encryption, patch status, and locate/erase devices in the event of loss.

• Enforce an acceptable user policy. Ensure your organization gives clear guidance to users in your acceptable use policy on what devices are allowed and what they are required to do to use them for work.

• The weakest link. The weakest link in your endpoint security is your employees. Make them aware of social engineering threats and encourage them not to click on links for downloadable software just because an email directs them to, or to go to some site they've never been to previously just because one of their peers or friends has suggested it. It always ends badly for the employee as well as the enterprise. Or, in the case of bring your own device (BYOD), make sure they think before they click to protect your data -- as well as theirs.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?