Chapter 23. Future Trends

This chapter is dedicated to discussing what we see as potential future trends in the security industry. While none of us claim to have accurate crystal balls, we would like to share with you our thoughts as to what direction this industry may follow. These trends will influence future penetration-testing tools and techniques.

Authentication

In today's world, one of the most common network or host vulnerabilities continues to be weak passwords. Passwords are the core of the authentication mechanisms generally in use today. The real issue here is that passwords as a means of performing user authentication are generally insecure. This is not likely to change soon because the modern-day character string password method simply is not a good, long-term option even with strong enforcement mechanisms. First, convenience-seeking users generally undermine strong password policies, such as appropriate password lifetimes and histories, to facilitate the ease of committing them to memory. Second, there is continued advancement in the various tools that can crack common password encryption schemes. For these reasons, a password-based authentication method is bound to not provide the highest level of security that is possible. Authentication mechanisms are being developed that are both user-friendly and secure. Three potential approaches are the use of two- and three-factor authentication, biometrics, and token-based authentication, generally all of which are tied to a directory service.

Two- and Three-Factor Authentication

The two-factor concept involves using two components in the password used in the standard user name/password challenge through which authentication is typically granted. The two components are generally something you know and something you have, such as a secret PIN and a randomly generated string like the one produced by a SecurID card. This method has become popular for securing dial-in connectivity or remote access. The random string can be configured to be longer than the usual six- or eight-character password while requiring the user to memorize fewer digits of the string, since the random portion is supplied to the user at the time of login. Since the string is random, the password becomes a one-time password that, even if sniffed, could not be reused by a hacker.

The natural progression of this scenario is to include another component in the password string, thus three-factor authentication. The three factors could be something you have, something you know, and something you are, such as a fingerprint.

Such a scheme may not be seen as convenient initially, however, it can first be implemented at locations that require a heightened level of security, such as network data centers. Additionally, a three-factor scheme may be implemented for remote dial-in access to critical systems where the users are generally more understanding of the security risks and the need to take all possible safeguards. And as users become more comfortable with this method of authentication, it can be rolled out to other situations.
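As an added illustration (not code from the book), the following Python sketch models the two-factor check described above: the server combines a PIN (something you know) with a counter-based one-time code in the style of RFC 4226 HOTP standing in for the SecurID string (something you have), and consumes each code once accepted so that a sniffed code cannot be replayed. The token seed, PIN and salt are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (RFC 4226's published test-vector secret); a real token
# would be provisioned with a random per-device seed.
TOKEN_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226 HOTP): the 'something you have' factor."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a slow, salted hash of the PIN, the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class TwoFactorVerifier:
    """Server-side check of PIN + one-time code, with replay protection."""

    def __init__(self, pin_hash: bytes, salt: bytes, seed: bytes, look_ahead: int = 3):
        self._pin_hash = pin_hash
        self._salt = salt
        self._seed = seed
        self._look_ahead = look_ahead   # tolerate a few token presses that never reached us
        self._next_counter = 0          # lowest counter value still acceptable

    def verify(self, pin: str, code: str) -> bool:
        pin_ok = hmac.compare_digest(hash_pin(pin, self._salt), self._pin_hash)
        for counter in range(self._next_counter, self._next_counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._seed, counter), code):
                if pin_ok:
                    # Consume this and every earlier counter: a sniffed code is now worthless.
                    self._next_counter = counter + 1
                    return True
                break               # right code, wrong PIN: reject without saying which failed
        return False


def demo() -> dict:
    """Constructed login sequence showing acceptance, replay rejection and a bad PIN."""
    salt = b"constructed-salt"
    server = TwoFactorVerifier(hash_pin("4821", salt), salt, TOKEN_SEED)
    first = hotp(TOKEN_SEED, 0)
    return {
        "login": server.verify("4821", first),                    # True
        "replay": server.verify("4821", first),                   # False: code already spent
        "wrong_pin": server.verify("0000", hotp(TOKEN_SEED, 1)),  # False: first factor failed
        "next_code": server.verify("4821", hotp(TOKEN_SEED, 1)),  # True: counter still open
    }
```

A production verifier would also rate-limit failed attempts, since a short PIN cannot withstand unlimited guesses on its own.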

Biometrics

Biometric methods of authentication are no longer something seen only in movies. Though perhaps not common, they have been implemented in various places, and use of biometrics should grow over time. There are various ways to use biometric identification including fingerprints, palm prints, facial photographs, voice prints, and retinal scans.

Fingerprints are the most popular method today, perhaps because we are more accustomed as a society to using fingerprints for identification. The technology, however, exists to use any of the above methods or a combination for performing user authentication.

There are two major drawbacks with biometric authentication systems at this time. First, the user community is not entirely ready to adopt the system. Second, as of this writing, the technology is difficult and expensive to implement on a large scale.

However, these two drawbacks offset each other. While people become more comfortable with biometric authentication systems over time, biometric system developers have time to improve the systems and reduce costs.

Biometric devices use thresholds to pinpoint the closeness of the match between the authentication pattern offered (whether a voice print or a retinal scan) and the authentication pattern stored. If the thresholds are set too low, the device may authenticate one user as another. We have seen this in our lab. We set up an account for a middle-aged white male with a small build using both a fingerprint and a facial photo scan (mug shot) for authentication. Using that individual's correct fingerprint and the facial scan of a 10-years-younger white male with a large build, we were able to gain access.

The threshold on the facial scan was set to a value of 5 (on a scale from 1 to 10). When we raised this value to 8, access was denied when the facial photo scan of the 10-years-younger individual was used.

There are two lessons here. First, using biometrics with multiple factors, while certainly more expensive and slightly more time consuming for the user, is more secure in that a failure in one measure may be caught by another. Second, the thresholds must be carefully set so that multiple people aren't inaccurately authenticated by the system.
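To make the threshold lesson concrete, here is an added Python example (not from the book) that sweeps the facial-scan threshold over constructed match scores on the same 1-to-10 scale and reports the false-accept rate (FAR) and false-reject rate (FRR), comparing a face-only device with the fingerprint-and-face combination. The score samples are invented for illustration, not measurements from any device.

```python
from fractions import Fraction

# Constructed match scores on a 1..10 scale, one (fingerprint, face) pair per presentation.
# GENUINE: the enrolled user presenting his own finger and face.
GENUINE = [(9, 8), (10, 9), (8, 7), (9, 9), (10, 8), (9, 6), (8, 8), (10, 10)]
# IMPOSTOR: other people. The first three mimic the lab case above: the enrolled user's
# real fingerprint paired with a younger look-alike's face that scores only 5 or 6.
IMPOSTOR = [(9, 6), (10, 5), (9, 5), (2, 7), (3, 5), (1, 4), (2, 6), (3, 3)]

FINGER_THRESHOLD = 7   # assumed fixed fingerprint threshold for the two-factor device


def accept(scores, thresholds, require_all=True):
    """Accept a presentation; require_all=True means every factor must pass (AND)."""
    checks = [s >= t for s, t in zip(scores, thresholds)]
    return all(checks) if require_all else any(checks)


def error_rates(genuine, impostor, thresholds, require_all=True):
    """Return (false-accept rate, false-reject rate) as exact fractions."""
    far = Fraction(sum(accept(s, thresholds, require_all) for s in impostor), len(impostor))
    frr = Fraction(sum(not accept(s, thresholds, require_all) for s in genuine), len(genuine))
    return far, frr


def face_only_rates(face_threshold):
    """Single-factor device: only the facial scan is consulted."""
    genuine = [(f,) for _, f in GENUINE]
    impostor = [(f,) for _, f in IMPOSTOR]
    return error_rates(genuine, impostor, (face_threshold,))


def two_factor_rates(face_threshold):
    """Fingerprint AND face must both clear their thresholds."""
    return error_rates(GENUINE, IMPOSTOR, (FINGER_THRESHOLD, face_threshold))


def sweep(thresholds=range(1, 11)):
    """Threshold -> (FAR, FRR) for both configurations, to choose an operating point."""
    return {t: {"face_only": face_only_rates(t), "two_factor": two_factor_rates(t)}
            for t in thresholds}


if __name__ == "__main__":
    for t, row in sweep().items():
        print(f"threshold {t:2d}: face-only FAR={row['face_only'][0]} FRR={row['face_only'][1]}"
              f" | two-factor FAR={row['two_factor'][0]} FRR={row['two_factor'][1]}")
```

On these samples the face threshold of 5 lets the look-alike through (FAR 3/8 even with the fingerprint check), while raising it to 8 drives FAR to zero at the cost of rejecting a quarter of the genuine presentations, which is the trade-off an operator has to tune.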

The deployment of biometric authentication mechanisms can be spread across a building. For example, we have seen biometrics used for identification at the entrance to server rooms and also to office buildings. In addition, biometrics are used to authenticate to individual systems. Again, instead of authenticating the usage of the correct key card or access code, the concept is to authenticate the human users themselves, through one or more biometric measures.

The process of standing in place outside a door while giving a palm print and allowing the performance of a retinal scan does take a bit of time, certainly more than entering an access code or simply swiping a key card. But it is a stronger, visible deterrent to persons wishing to gain unauthorized access, and the method of gaining access cannot easily be lifted from your person as a key card can be or viewed as an access code can be by those looking over your shoulder.

Token-Based Authentication

A token contains information to identify a particular user and may also present his or her access rights. Tokens can be a file with one or a few lines of code, much like a cookie, or a single entry in a directory. For example, they can store a user's private key when used as part of a public key infrastructure (PKI). Tokens are generally implemented as part of a PKI system or in a directory service authentication approach. In either method, when tokens are used, the credentials provided by the user (for example, a password, a SecurID passphrase, or a biometric reading) are compared to the value stored in the token to make the access decision. This information is normally stored in a directory.

Directory Services

A directory service is a technology that provides a way to store all the data used to authenticate a user and determine his or her rights and privileges in a single, database-like repository. This database is generally called the directory server, or simply the directory. The directory can be queried each time a user attempts to log in to the network, access servers on the network, and even print a file. When digital certificates are used to provide authentication, they are often stored in such a directory. The certificate is encoded with all the relevant information required to identify a user and his or her access rights. This information may include the user name, real name, organization name, password, and various permissions.

Directory servers can store other information in addition to or in place of digital certificates. For instance, if biometrics are used to provide authentication, the key associated with the biometric image would be stored in the directory. In PKI deployments, the directory would store the public key of the individual. Therefore, security of the directory is paramount.

There are certainly challenges in implementing a directory services solution to serve all portions of a network. With industry leaders such as Netscape and Microsoft supporting this technology and the potential benefits it provides, we expect this technology to spread. Also, many services like PKI, Single Sign-On, biometrics, and so on need directories to store and retrieve the information.

Encryption

Today, a majority of Internet and network traffic travels in clear text. However, there is a trend toward incorporating encryption into both secure and mainstream communication. Signs of this are present everywhere. Secure Shell (SSH) is an encrypted alternative to rlogin and telnet that is available today. A similar alternative is available for FTP, namely Secure FTP (SFTP). Secure Copy (SCP), a component of SSH, also allows for copying files in an encrypted mode. In addition, TCP wrappers are available that can tunnel as well as encrypt traffic over these common services.

A majority of Internet sites that collect credit card or other financial information employ Secure Sockets Layer (SSL) technology. Sites that collect nonfinancial but personal information are also beginning to encrypt traffic with SSL. In fact, the American Institute of Certified Public Accountants (AICPA) has mandated the use of SSL as one of its requirements for obtaining its highly regarded Web Trust Seal of Assurance. (The presence of this seal on a Web site indicates that independent accountants have examined the site's information-handling practices and found them to meet recognized standards for maintaining the privacy of client/user information.)

As the computational requirements for performing encryption and decryption diminish (or the computational power available in traditional networking devices increases), encryption is likely to become more and more popular for all traffic, including confidential and less-sensitive traffic. This will help avoid the situation that the mere fact that certain traffic is encrypted reveals that it must involve a sensitive matter between the sender and the recipient.

Again, the tools and solutions for encrypting communications exist today. Pretty Good Privacy (PGP), for instance, is a very user-friendly and effective means of encrypting e-mails as well as individual files and entire directories, as is the Norton Secret Stuff (Norton.ss) tool. Several free Internet e-mail providers, such as Yahoo.com and MailandNews.com, provide secure access to e-mail accounts. Encrypted communication is one of the key benefits of a PKI. As the need for more data privacy and security becomes clear to individuals and organizations, the use of encrypted traffic will continue to grow.

Public Key Infrastructure

PKI is a technology whose day has been coming for some time. The basic concept of PKI is to provide secure authentication, nonrepudiation, and encryption for communication between users and network devices. PKI supports technologies such as digital certificates, encryption, and the IP Security Protocol (IPSEC).

Its downsides are its complexity and its reliance on other mechanisms, such as a certificate authority (CA), for its operation. There has been significant improvement in this area over the last few years, but the process of designing and implementing a working PKI infrastructure is still complex. Numerous issues, such as implementing a single root CA and accepting certificates signed by other CAs, as well as the overall cost, have slowed the deployment of PKI.

Distributed Systems

The general saying, “The network is the computer” has grown in popularity over the past few years. It is clear that as the use and sizes of databases grow, and the number and sizes of applications grow, we won't be able to store everything we need on one machine and pack it with the memory and computational power required to keep the machine both fast and small.

Therefore, it is more and more likely that the traditional desktop machine will provide the front end or GUI to the applications available to the user community. Individuals will make use of these applications, stored on network servers, through their front ends as if the applications were local to their desktops.

This places a considerable burden on providing secure communication and reliable authentication. If either of these two is suspect, the integrity of all the information and data being processed from either end of a connection (that is, the end user and the back-end database or application server) may be compromised—a fact that hackers are sure to note.

Forensics

Computer forensics is a growing science. Computer forensics involves methodical examination of any and all relevant data that can be found on a host machine in an attempt to discover evidence or recreate events. The data is potentially everything that is stored on that machine, including letters, e-mail, documents, image files, logs written by firewalls, routers, intrusion detection systems, and so on. The data we examine really depends on the purpose behind the review.

Forensics techniques are often employed in computer crime cases. In such cases, typically after the network has been hacked, a forensics team tries to ascertain how the hacker broke in and which machine(s) may have been compromised. The team will try to determine the hacker's activity, specifically to identify and remove any root kits, Trojan horses, or back doors left behind. Any findings are as carefully and accurately recorded and documented as the work product from any technical engagement. In criminal cases, the burden for documentation is magnified by the fact that the material can be considered evidence that may be used by the victim firm or by law enforcement to pursue the prosecution of the alleged hacker. One of the aims of this endeavor is to gather evidence that can help prosecute the offender and preserve the chain of custody. Whether or not to prosecute is a separate issue.

As an example of what forensics teams can do, during the Independent Counsel's investigation of President Clinton, some of Monica Lewinsky's e-mails intended for the President were recovered from her computer even after they had been deleted. (After deletion, they were not actually removed from the hard drive; the space on the disk where they were stored was simply marked “available” while the data itself, the letters, was still there.)
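The mechanism behind that recovery, shown as an added Python toy model (not from the book, and not a model of any real filesystem): an ordinary delete drops the directory entry and marks the file's blocks available while the bytes stay on the disk, so a carver that reads unallocated space still finds them; overwriting before freeing is what closes that gap. File names and contents are constructed.

```python
BLOCK_SIZE = 16


class ToyDisk:
    """Toy block device: data blocks, an allocation bitmap and a flat directory."""

    def __init__(self, blocks: int):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self.allocated = [False] * blocks
        self.files = {}   # name -> list of block numbers (the "directory entries")

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < len(chunks):
            raise OSError("disk full")
        used = free[:len(chunks)]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
            self.allocated[blk] = True
        self.files[name] = used

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the entry and mark the blocks available.
        The bytes themselves are left in place, which is what forensics relies on."""
        for blk in self.files.pop(name):
            self.allocated[blk] = False

    def secure_delete(self, name: str) -> None:
        """Overwrite the blocks before freeing them so nothing is left to carve."""
        for blk in self.files[name]:
            self.blocks[blk][:] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve_unallocated(disk: ToyDisk, needle: bytes) -> list:
    """Search only the free space for a known string; returns (block, offset) hits."""
    free = [i for i, used in enumerate(disk.allocated) if not used]
    image = b"".join(bytes(disk.blocks[i]) for i in free)
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append((free[pos // BLOCK_SIZE], pos % BLOCK_SIZE))
        start = pos + 1
    return hits


def demo() -> dict:
    """Constructed scenario: a deleted draft is still carvable; a wiped memo is not."""
    disk = ToyDisk(blocks=8)
    disk.write_file("draft.txt", b"Dear Mr President, please keep this private.")
    disk.delete("draft.txt")
    ordinary = carve_unallocated(disk, b"keep this private")
    disk.write_file("memo.txt", b"second secret memo")
    disk.secure_delete("memo.txt")
    secure = carve_unallocated(disk, b"secret memo")
    return {"entry_gone": "draft.txt" not in disk.files,
            "ordinary_delete_hits": ordinary,
            "secure_delete_hits": secure}
```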

Computer forensics can be applied in other cases as well. It is becoming a growing part of employment cases, where employers cite excessive use of the Internet, or misuse of the Internet, such as visiting pornographic sites during working hours, to defend a disciplinary action toward or even termination of an employee. Such methods are also seen in divorce cases, where a person can have his or her spouse's computer examined for evidence of extramarital affairs or hidden assets.

We anticipate growth in computer forensics, not only as a form of incident response but also in other areas as computers and networking technology become a larger and larger part of our lives. As this field grows, it will make covering tracks all the more important for hackers, since investigators will be coming to find out what the intruder did, where the intruder came from, and ultimately who the intruder is. We also expect hackers and security professionals will become more familiar with computer forensic techniques in evading firewalls, intrusion detection systems, and auditing tools. An understanding of what is used as evidence of intrusion activity will be necessary when attempting to perform intrusions undetected.

Government Regulation

It is clear that the Internet may indeed face greater regulation and government intervention in the future. This includes several initiatives supporting privacy on the Internet, the most popular being the Children's Online Privacy Protection Act of 1998, and the banning of Internet casinos (though some argue whether such a ban is a positive act of government).

For companies that do business on the Internet or those that are transforming and moving their business practices online, new regulations may be on the horizon or may already apply. Such regulations generally start out as guidelines but soon gain the force of law. For example, the Health Insurance Portability and Accountability Act (HIPAA) is already binding on the health care industry. The Gramm-Leach-Bliley Act (GLB) is impacting the financial industry. Regulations on other industries will likely follow.

Unfortunately, there are additional activities that are less well received by consumers. Chief among these items is the move to tax the Internet, as well as the Federal Bureau of Investigation's attempt to listen to all Internet traffic with the aid of its Carnivore tool.

Hacking Techniques

One thing that we have already begun to see, and we hope our book reflects this, is that denial-of-service attacks are becoming more prevalent. In addition to script kiddies running DoS attacks against targets out of vengeance or random experimentation, the attacks are being used as a response to the primary security countermeasures, firewalls and intrusion detection systems. As mentioned earlier, as a way to avoid setting off an alert from an intrusion detection system, hackers at times attempt to knock out the host on which the sensor is running as well as the e-mail server through which it sends e-mails to system administrators. There are efforts to counteract this attack, including placing sensors in stealth mode where they are not as easy to identify and using out-of-band communications to manage these assets.

We also see Web-based attacks becoming the primary means of hacking a target company, and not only in terms of Web defacements. Often, companies do not pay a great deal of attention to traffic operating over HTTP, thinking it is used only to access the Web site. This premise may not always be true. HTTP can be used to launch attacks against Web servers. At times, Web servers are hosted on machines that are connected to the core business networks that do carry sensitive information or have user/administrator accounts that also exist on other hosts on the network.

As companies begin to close unnecessary ports, HTTP is one of the few that will remain open. The security of the Web server, any eCommerce code that runs on the Web server, and the overall demilitarized zone is an important issue that companies need to address in order to avoid the embarrassment of a Web defacement and the more serious possible consequences.

Countermeasures

We are seeing that countermeasures used to defend networks from attack are being bundled or integrated to provide a single suite of services. For example, firewalls, intrusion detection systems, auditing tools, network monitors, and virtual private network functionality are being made commercially available by one security vendor (or a partnership) in a package. This provides the benefit of one-stop shopping to potential clients in that they may be able to get all the security products they want from one source.

Certainly a well-integrated suite of security products has the best chance of making a network secure. However, firms must decide whether the convenience offered by an integrated package is superior to the security provided by making products created by different vendors work together.

Cyber-Crime Insurance

Whatever this may be called, it is insurance against being hacked. As managers begin to understand the risk to the overall organization from being victimized in some way by hackers, they will respond by purchasing insurance that at least partially mitigates the organization's financial risk.

While it is not, in our opinion, a superior option to securing the network and periodically assessing and modifying the security settings, insurance will help mitigate the potential financial loss due to a hacker intrusion. The potential negative effect of a firm's public image, however, will not be addressed by an insurance policy.

We are already seeing that some products are considered to introduce greater risk. For instance, organizations that use Microsoft products are often asked to pay higher insurance premiums than those who use UNIX and UNIX-based applications.

There is a definite trend within both the commercial and federal sectors to take information security and data protection issues more seriously. While security concerns are not ubiquitous throughout all organizations (not all firms have an information security officer), the ranks are growing. In addition, security products continue to grow and mature. Unfortunately, the ranks of those in the hacking community are growing as well. The battle between the security community and the hackers will continue to evolve in these future environments. We hope this book helped get you started on your path toward developing a secure network and enterprise.
