The Brave New World of Distributed IT Security
by Peter Rive
All over the world, people are severing formal, structured, pre-existing and on-site digital bonds with companies and doing their jobs remotely on desktops, laptops and other next-generation devices, far away from headquarters.
The economic benefits of the Distributed Work Revolution are strong and compelling for enterprises. But the security challenges for corporate IT administrators as they attempt to support this atomized model are formidable.
Ensuring continued protection against security threats and timely mitigation when trouble actually strikes is a major problem - especially for IT departments seeking to provide distributed workers with service that is comparable to that received by employees within a company's "four walls."
Standardizing antivirus software and similar security solutions across the scattered enterprise is also a vexing issue, as is protecting data confidentiality and data loss on laptops and mobile devices.
Another big conundrum in trying to secure a distributed workforce's technology is the IT staff's loss of control, which permits remote employees to freely load and download whatever applications and software they choose without the same strictures or supervision they might be under were they headquarters-based. To make matters worse, sprawling geographic boundaries often deny enterprise IT personnel the visibility necessary to monitor the status and compliance of technology being used by distributed employees.
The unfortunate irony is that the financial upside that comes with the deployment of a distributed workforce can be partially dissipated if IT security throughout the enterprise - from headquarters to the most remote location - isn't vigilant and vigorous. Everyone feels the productivity loss, which runs into the tens of thousands of dollars, when computers go down because of security problems. And the threat is serious and pronounced: the SANS institute estimates that an unprotected computer running Windows XP experiences an average "survival" time of 26 minutes on the Internet before hackers identify it as vulnerable.
From a technical perspective, maintaining security policies in a distributed or mobile IT environment is particularly difficult because the usual network defense techniques - such as perimeter-based firewalls and intrusion-prevention systems - are not typically available. And in a Windows network, mobile users can often go weeks without logging onto a Domain, making security policies enforced by Active Directory Group Policy useless as they do not necessarily logon to the corporate network
The types of attacks that can be mounted in a distributed or mobile IT system are also more elaborate. Typically, an attacker doesn't have control over a device inside the network - or at least one would hope that's the case. But when an IT staff has little or no control over parts of a network, criminals can use a myriad of techniques to launch attacks on exposed computers.
For example, attacks that depend on intercepting subnet broadcasts or exploiting susceptible ports on a PC shouldn't be possible in a controlled, secure network; yet, in an unprotected network, the risk of such attacks - and the vulnerability - escalate significantly.
One highly relevant - and highly possible - attack of this nature takes place when Address Resolution Protocol (ARP) poisoning re-directs DNS requests. This type of attack depends on a man-in-the-middle device being on the same broadcasting subnet as the vulnerable computer.
One attack vector for ARP poisoning could be to take advantage of the Windows Metafile (WMF) vulnerability, which is a hypothetical but essential starting point because an exploit to this vulnerability was published shortly after the vulnerability was discovered. What makes this vulnerability especially interesting is that in most scenarios a user must be tricked into opening a WMF image file - either by visiting a malicious website or by getting the user to somehow open a malicious WMF image.
Assailing any of the numerous network-based vulnerabilities in Windows is easier than re-directing DNS requests and commercially available exploit frameworks like metasploit make this simple - even for unsophisticated attackers.
Anti-virus protection products are useful tools in defending against generic "commercial" malware, but they are useless in defending against targeted attacks with custom exploits.
A targeted attack against a management team's laptops must be protected against in order to fend off corporate espionage activities. In some cases, this attack may even be random - digital "mercenaries" out in cyberspace may control a vast number of machines and then comb through the data for information they can monetize.
It's easy to paint a grim picture when the true vulnerability of distributed and mobile IT systems is taken into account. But what are the options for ensuring that these systems are secure enough to ward off the kind of attacks described above? One key reality that must be accepted is that perimeter defenses can't be depended upon because they are not controlled in foreign networks that mobile users typically connect to, so everything has to be focused on the computer itself.
To solve this problem, it's clear that a combination of software and people will be needed. On the software front, the table below shows that at least the following is required to be installed on the laptop:
Software Purpose/Requirements Patch Management Assessment, distribution, and installation of patches to application and operating system vulnerabilities.
- Assessment: centralized reporting of all vulnerabilities
- Distribution: a patch delivery mechanism that typically must have some bandwidth management features
- Installation: a patch installation mechanism with user interfaces for sign posting and reboot management
Anti-virus and Spyware Protection Signature-based anti-virus products (e.g. Symantec) are a good way of defeating generic malware infections. Anti-virus definitions must be kept up-to-date and centralized reporting and verification of the proper operation is required. Data Backup and Restore Internet-based secure data backup. Critical data files must be encrypted and uploaded to a remote data store. In the case of a mobile workforce the only remote data store that can be depended on is an Internet-located data backup facility. Theft Remediation Computers or devices of mobile users are particularly susceptible to theft. Some sort of theft remediation application that will lock or disable the data on the computer so that unauthorized access is not possible is required. Additionally, publishing some aspects of the computer that may suggest physical location (e.g. network traces) should be available for analysis. Software Distribution Having the ability to remotely automate tasks and distribute arbitrary software is an important tool in an IT Administrator's toolbox. As an example, in the absence of something like Active Directory Group Policy, a script that sets the default screen server saver to lock-out can be distributed using a software distribution mechanism. Centralized monitoring, bandwidth management, packaging, and other standard software distribution features are required. Remote Control Having remote control access to the computer is always a good fallback for security or hardening tasks. For a remote workforce an Internet-based remote control tool that does not require a direct IP connection to the host is a requirement Personal Firewall Restricting inbound connections to the computer will assist in zero-day vulnerabilities and a layer of protection against network-based attacks. Centralized reporting on the status of the firewall and rule administration is required. Host-based Intrusion Prevention An emerging malware defense technique that shows great promise for zero-day vulnerability defense. This software uses process behaviors to prevent malware infections and in general does not depend on definition files. Rootkit Detection Until Anti-virus vendors support good rootkit detection an independent rootkit detection mechanism should be deployed for high risk systems.
Most of the systems above have server counterparts with whom the laptop-resident agent must communicate. Putting aside the hassle of hardware procurement and ongoing maintenance, one of the many problems in deploying the servers is where to place them on the network. See Figure 1. If we place them inside the LAN, then mobile users can't access them unless they VPN in. And this doesn't happen regularly enough. Ideally, they would be placed on the Internet because this is typically the lowest common denominator in network access. Mobile users - as well as LAN systems - can connect to the Internet. There are some difficulties in setting up an Internet management segment, but in order to truly secure mobile and distributed users, this is clearly the way to go. Setting up an Internet Management segment requires the installation and maintenance of communications layer devices like firewalls, intrusion detection systems, additional routers, etc.
Figure 1. The Management Segment must be accessible from the Internet to effectively manage mobile and remote users.
Another problem with all of the systems described above is integrated reporting. It's important to be able to look at a single screen and know if there are any security-related problems across the entire enterprise environment. The ideal report would display missing critical patches, virus-definition updates, personal firewall setup, and other security-related signals next to one another.
But it's so time consuming to hunt down each of these issues by visiting individual consoles that this probably won't get done without a considerable investment of time and energy. So, the options are either integrate all of these databases using a data warehouse technique or use one of the commercially available integration platforms now on the market. The solution is to increase visibility and to do that integrated and centralized reporting must be deployed for managers and executives.
Armed with the software, the next step is developing a business-centric risk model on top of network-security data because it's important to translate IT vulnerabilities into potential bottom-line perils.
A business-risk model should be an index based on factors such as sensitivity of data, extent of vulnerability and ease of exploitation. A missing critical patch on the CEO's laptop, for example, poses a higher risk than the same missing patch on the receptionist's workstation.
This point is illustrated in the graph below Figure 2, which represents a sample patch compliance report:
Figure 2. A typical patch management report may appear satisfactory on the surface but it does not provide risk analysis intelligence.
The graph lists critical vulnerabilities and the percentage of laptops that have been patched for that vulnerability. On the surface, things look pretty good - most of the systems have been patched; but what if it's the CEO's laptop that remains unpatched? This is exactly the kind of "risk knowledge" that must be derived from network security data.
The solutions listed above are a crucial need within fragmented enterprise IT systems for enhanced security visibility. The better the visibility, the greater the security; and improved security in a distributed or mobile IT environment leads to a much desired and truly virtuous circle consisting of more computer uptime, lower costs, improved internal customer satisfaction and fewer IT headaches.
In the end, securing your mobile users requires that you deploy end-point-based security products, use the Internet as the management network, and have the analysis data to know how protected your important systems are.
About the Author
Pete Rive, Chief Technology Officer of Everdream Corporation, has been designing software to manage the security of computers for the past six years. He conceived and designed Everdream's on-demand management platform, which is currently responsible for managing in excess of 100,000 desktops worldwide.
Article © Copyright 2006 Everdream Corporation. Used by permission.