Monday, October 24, 2011

Honey Pots and Honey Nets - A new defense mantra!!

We keep saying that we need to invent measures to track down any malicious activity aimed at our website, application or network. But what do we actually invent? We come down to the traditional measures: a bunch of firewalls or IPS devices, heavily configured with signatures to guard our premises. One more step is deploying enterprise monitoring and management systems to help us keep an eye on the activity happening outside the network.

But then how do we catch a hacker who comes along and easily hacks the site even with these technologies in place? The problem is that we are not thinking like a hacker; rather, we are thinking like an administrator, who has no innovative ways of solving this problem because his boundaries are already set. One needs to be very innovative these days to catch these smart fellows.

The first thing to remember is that no hacker will reveal his own identity. If you do succeed in getting hold of identity details, be sure that they are nothing but FAKE. Once you realize this, you are still on the same step you started from some days back. So, what to do?

There is an interesting technology that attracts the hacker to attack a resource and thereby catches the person behind the intent; it is called a "HONEY POT" or "HONEY NET".

The concept is very simple: it is like tethering a goat to catch a tiger. Here we do the same thing: we create a trap to attract the hackers and then we catch them. These applications create the trap by opening some fake ports or services, making the hacker believe that the target is very vulnerable. He is excited to see so many backdoors enabling easy access. Throughout this whole process, the application captures all the necessary credentials, alerts the user to the activity, and that is how the person gets caught.

I have personally used it and tested it in many situations. I also tried to integrate the application with my incident management framework, and it worked. Now I don't have to over-configure my security devices or introduce any new technology to ensure the security of my organization. Honey Pots cater to a single network setup, and if an organization has multiple networks then it can go for Honey Nets.

These types of traps are used in particular by organizations dealing with national security or with highly classified data: defense organisations, space research, ordnance factories, etc. The threat to these types of organization is always alarming, and they need to be stringent in terms of security. But in the end, we also understand that irrespective of the type of organization, the data is always critical in itself, and to ensure its security it is advisable to implement this as an additional defense layer.
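As an added example (not code from the original post), here is a minimal low-interaction TCP honeypot in Python in the spirit of the fake ports and services described above: it presents a decoy banner on an otherwise unused port (2222 is an assumed choice), records whatever the visitor sends without acting on it, and emits a JSON alert that an incident management framework could ingest. Because no legitimate client has a reason to touch this port, every connection is treated as high severity.

```python
import datetime
import json
import socketserver

FAKE_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"  # constructed decoy banner, not a real service
MAX_CAPTURE = 512                          # bytes of visitor input kept per session
DECOY_PORT = 2222                          # hypothetical unused port on the decoy host


def make_alert(peer_ip, peer_port, service_port, data):
    """Turn one captured interaction into a structured alert record.

    Payload is kept as hex so hostile bytes cannot corrupt downstream parsers;
    severity is always high because the decoy has no legitimate users.
    """
    preview = data[:64].decode("ascii", "replace")
    return {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "type": "honeypot_touch",
        "severity": "high",
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": service_port,
        "bytes_received": len(data),
        "payload_hex": data[:MAX_CAPTURE].hex(),
        "preview": "".join(c if c.isprintable() else "." for c in preview),
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    """One connection = one alert. Input is recorded, never executed or echoed."""

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)
        captured = b""
        try:
            while len(captured) < MAX_CAPTURE:
                chunk = self.request.recv(256)
                if not chunk:
                    break
                captured += chunk
        except OSError:
            pass  # timeout or reset: the touch is still worth alerting on
        ip, port = self.client_address[:2]
        alert = make_alert(ip, port, self.server.server_address[1], captured)
        print(json.dumps(alert))  # hand this to the incident management framework


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", DECOY_PORT), DecoyHandler) as srv:
        srv.serve_forever()
```

Run it on a decoy host and forward the printed JSON lines to your SIEM or ticketing system; a Honey Net is just several such decoys reporting to the same place.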

Tuesday, October 4, 2011

Controls, Policies and Procedures - A corporate jargon!!

Organizations consider that if they have implemented strict controls, policies or procedures, they are secure. But they fail to ask one simple question: “what to secure, and from whom?”
It is very common to have this type of mindset, but when security has to be applied to prevent information from leaking out of an organization, I don't think any amount of stringency will help. The reason is very simple: “Are we filling every possible gap within the organization?”

The answer to this question will be “No” every time, because it is not possible to close all the gaps when we are not aware of all of them. We put our thinking into what is visible, but there will be many things that are not visible. So is an organization safe?

Due to the increasing pressure on organizations to comply with various standards, we have shifted our thinking to the real problem of limiting data theft. The biggest threat prevailing in this area is the human mind, which plays a vital role in data leakage. The behavior of a dissatisfied employee is always uncertain, and there is no policy to govern the mind.

It is not, and never was, possible to control a human mind, and there will always be non-compliance in this respect; so again, “what are we preventing, and from whom?” This is the reason why we always emphasize awareness. It is very important to minimize the internal threat as compared with the external one. To this day, the people working in an organization are considered a bigger threat than external entities.

For me, having policies, procedures and controls is just a nice-to-have for an organization, so that it can say “I have security implemented”; but when you look at the granular level, you will realize that the purpose of having all of these is never achieved. Talking about limiting data theft is pointless if security is not implemented at the level where the humans dealing with the data take responsibility for it. I don't believe any technology can rise above the intelligence of the human brain. It is the only weapon that can both cause damage and prevent it from getting worse.

Friday, July 1, 2011

BlackBerry Enterprise Solution Security - A Snapshot

This solution helps a BlackBerry user transfer data securely from one point to another over wireless networks. The application uses a symmetric key to encrypt the data sent between the two endpoints, thereby preventing third-party wireless providers from accessing an organization's critical data.
The BlackBerry Enterprise Solution uses a symmetric algorithm to provide and maintain the confidentiality, integrity and authenticity of the data. Before sending any data, the BlackBerry client authenticates itself to the BlackBerry server, and only then is the data transmitted. No other peer knows there is a transmission happening.

Some of the striking security features in this suite are:

Data Protection
Data is protected in transit from one device to another using a unique symmetric algorithm. Data is also encrypted and stored in a configuration database, and access to it can be restricted using a password, a smart card, or both.
Encryption key protection
The device is programmed to encrypt the keys stored on it. It automatically decrypts the keys when the device is locked.
Control of device connections
The suite is designed to control Bluetooth and Wi-Fi connections.
Seamless administration
The device can be administered by sending administrative commands to lock the device, delete a user or data, etc.

General Architecture

The above figure depicts the connectivity model from a centralized BlackBerry Enterprise Server to the clients. The actual connectivity may differ according to the organization's requirements.

Tuesday, June 21, 2011

Wireless with a Hole!!!


Do you always pay for your internet usage? And do you think that you pay more than what you use? If the answer is yes, then we need to find a way to use the internet without paying for it. We know that most public places these days are equipped with complimentary wireless and Wi-Fi functionality. They give you access to the internet for some time, and then you have to buy a voucher. What if we could have something that gives unlimited access to the internet without paying a penny?
Whenever I visit the UAE, I make sure that I don't have to pay for my internet connectivity, and by God's grace I haven't paid for my access till date. The concept is very simple: I often keep my laptop in an open position or place, where I can pick up as many access points as possible while I scan the surroundings. When I get a good number of access points on my laptop, I filter them to search for those that are unsecured in nature or WPA enabled. I end up getting some of them.
Then I try to connect randomly to all those access points. This seems easy, but the real challenge is when there is a possibility of a honeypot running at the other end, and the person can easily detect your location using your IP address/MAC address. So it is always recommended to hide the IP and MAC addresses from getting broadcast.
You need to be very careful while doing this; sometimes applications stop working after changing the IP or MAC address, so to prevent this it is always recommended to apply an alias on your physical and logical addresses and then plan for something like this.
If you are lucky enough, you can get a successful connection to the target access point and browse the internet endlessly. The fun part is, all wireless controllers save the IP addresses in their buffer, and the next time, any session initiated by those IP addresses is not authenticated. So since you have already established a connection, the next time you can directly connect to the access point and start a session.
One cannot guarantee the speed you will get from this. The speed will depend on the number of connections on the device and also the burst rate of the device. But believe me, I always got a more than decent speed, although it was on wireless.
You might be thinking, why am I not talking about cracking a wireless network?
The answer is very simple: most of the cracking tools need a wireless card supporting a specific driver called “WinPcap”. This driver enables us to probe into the access point and get the passwords or keys. The main problem is, our standard laptop models do not have a card compatible with this driver.... I have checked this on my laptop and almost crashed the card..:)
Have a clear and good intention while trying this....:)

Saturday, November 7, 2009

Defense-in-depth Technologies in networks

Defense-in-depth has a long historical background: kings used this concept to build their forts. The basic principle is to neutralize the enemy's attack as much as possible, and for that they would build secure positions at every point of invasion.

This kind of defense pattern starts with:
1. Location
2. Perimeter level defense
3. Sub-perimeter level defense
4. Core level defense

Given below is a pictorial depiction of the defense-in-depth concept.

Later on, this concept was adopted for securing corporate networks. The size or complexity of the network makes no difference; what matters here is the thinking involved in creating the defense layers in the network.

One should think about:
1. What needs to be protected?
2. What is the critical value to protect?
3. What is the business damage if it is not protected?

Only then, one can devise a defense-in-depth plan for the network.

Shown below is Cisco's concept of defense-in-depth design:

Thursday, November 5, 2009

The Security Life Cycle....

Security is not a start-to-end process but a continuous flow of activities, which makes it a cycle. Please keep in mind that when there is no DATA, there is no security needed.

Wednesday, November 4, 2009

Will firewall help in securing your network?

Well... people think that implementing firewalls makes any network secure. But the case is different: every security device implemented in the network introduces a choke point, thereby causing bottlenecks or latency in the network.
We have to think of a security option that not only secures the network but also does not add latency to the normal flow of traffic.

Post your comments on this: what do you think?