The Art of Cyber War — Keeping Hackers on a Tight Leash

29 09 2011

Many of us have envisioned a future in which human warfare is conducted predominantly in cyberspace. Cyber warfare (CBW) may still be an abstract concept to the general population, but as information security professionals we know that the battle has already begun. CBW includes not only international espionage but also domestic intrusion into organizations’ information networks, such as corporate and banking networks and government databases. Countries are spying on each other, and individual hackers are exploiting the vulnerabilities of information systems. The most frightening part of CBW is that it takes only one hacker to create extensive, irreversible damage. Given the risk we face, continuously revamping security systems and creating new techniques is not enough to confront invaders who are themselves upgrading, transforming and becoming more advanced. A more proactive effort that approaches the challenge from other angles is needed.

The ancient Chinese military treatise “The Art of War” suggests a basic principle that applies to any kind of warfare: if you know your enemy as you know yourself, you will prevail in every battle. The underlying rationale is that one can only gain absolute control over subjects or objects that one profoundly understands. In order to keep hackers on a tight leash, cyber security professionals need to study who and what they are up against. This principle may sound exaggerated, yet its significance has been borne out by the wars won in Chinese history.

For this principle to work, a precondition has to be met. We need to be experts on every aspect of ourselves: our goals for securing systems, our information management technology, our competence to secure the information networks, our ability to respond immediately to incidents, and our potential to improve and develop methodologies in the field. This is what many information security professionals are focusing on.

However, by meeting this precondition we have only 1/3 of the probability of winning the war, as Sun Tzu, the author of “The Art of War,” would say. To gain the next 1/3, we need to study every aspect of the intruder’s aspirations. For example, who in the population is capable of being an intruder? What is the geographical distribution of this sub-population? Do its members have the kind of personality and motive to commit an intrusion? Are there observable abnormal behaviors in their daily work? Where in the system would they be likely to start acting out? What kind of technique would they be likely to use?

Through scientific studies, both experimental and non-experimental, we can gain an objective understanding of intruders. For instance, between 2002 and 2007 the Insider Threat Study team at CERT collaborated with the U.S. Secret Service. Together they collected data on 250 incidents that caused varying levels of damage to the information systems of the affected organizations.[1] The data clearly showed general trends in the characteristics of the attackers. Seventy-seven percent of the attackers were former or current full-time employees.[2] Eighty-six percent of the intruders held technical positions, including 36% system administrators, 21% programmers, 14% engineers and 14% IT specialists.[3] Although 96% of the 250 attackers were male, there was not enough evidence to support the hypothesis that hacking behavior is associated with gender; the sampling method and the gender ratio of the IT workforce are two possible confounding variables. The subjects were demographically varied in age, race, gender, and marital status.

Researchers also found that the main motive for the attacks was revenge.[4] In 92% of the cases, the attackers were triggered by an unpleasant work-related event.[5] After experiencing cognitive dissonance from the negative event, subjects were likely to develop a motivational drive to reduce their discomfort by whatever means were accessible to them. Using their technical specialty and their credentials to intrude into the network is thus a way to retaliate against their employers. In addition, the perceived justification for revenge is shaped not only by religious beliefs but also by concerns about legal enforcement, such as the death penalty. For details of this finding, please refer to the original article.

After the above simple analysis, we now have a better idea of who is more likely to violate 18 USC §1030 and why they decide to do it. This sub-population needs to be studied explicitly to obtain the second 1/3 of the winning probability.

For questions, you may contact me at yinghan@andrew.cmu.edu or leave a comment at www.theartofcyberwar.blogspot.com.


[1] Insider Threat Study, CERT at Carnegie Mellon University, May 2008. https://www.cert.org/insider_threat/study.html

[2] Keeney, M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

[3] Keeney, M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

[4] Keeney, M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

[5] Keeney, M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.



SQL Injection is still alive (and more than ever)

28 09 2011

Nowadays everyone has a website, or at least it feels that way. I have a couple myself. Every single day, several thousand new websites are created (or at least registered) all over the world [3]. Considering the importance of the Internet today, we can assume that most (if not all) of the “big” companies worldwide already have a presence on the Internet, which leaves the newborn sites to small businesses, personal pages, and so on.

But when you create a website, how do you do it? Do you build it from scratch? Use a template? Or even outsource it? Whatever the case is, it is important to consider that if your website has a database you should take measures against SQL Injection.

SQL Injection is not a new term; it dates back to 1998, and it is sometimes taken for granted when creating a website [7], an oversight that has allowed it to survive to the present while many other vulnerabilities have been addressed. Today these attacks have even increased through the use of automated tools [1], which require less time from the attacker.

Although the potential to attack websites through malicious SQL code is known and in some cases addressed, it is one of those subjects we know is there but do not pay much attention to. Nevertheless, it is a significant factor in modern information security. In the last few months there have been attacks of known impact on the websites of large companies such as MySQL.com and Nasdaq, among several others known and unknown [4].

For those who do not know much about SQL Injection, it refers to a type of security exploit that allows attackers to pass SQL statements (something the application does not expect) through the input values or parameters of a website [2]. These statements are then used to gain access to resources, and from there on the system is a playground for the attacker. Just consider the value of accessing the database of Nasdaq or a financial institution, the value of the information it contains and the potential effects on the organization; in some cases it might even expose information about other linked resources.

The Web Hacking Incident Database [8] shows that in 2010 the main attack method against websites was SQL Injection, at 20% of all attacks, and the main related weakness was improper handling of inputs and outputs. However, protecting a website from these attacks is not an easy one-step process but rather a set of processes and policies built into the software. Most attacks progressively gather information from the errors returned by malformed queries and use each result to reach the next level of information; proper handling of exceptions could therefore limit what these queries reveal.

SQL Injection is not a problem of the database management software or the web server; it is a flaw in the code of the website. So when you built your website, did you take this into consideration? If you used a template or outsourced the work, did the source take it into consideration? Do you know what measures you should take to protect your website?
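As an added example written for this page (not code from the original post), here is the same login lookup built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table, together with the generic exception handling the paragraphs above recommend so that database errors are not echoed back to the user.

```python
"""Added example: a login lookup written the vulnerable way (string
concatenation) beside the parameterized form, run against a constructed
in-memory SQLite database. All data and inputs here are constructed."""
import sqlite3

# Constructed sample table. Passwords are kept in plain text only so the
# example stays about injection; a real system stores password hashes.
SAMPLE_ROWS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # Defect on purpose: user input is pasted into the SQL text, so quotes
    # and keywords inside the input become part of the statement itself.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(r[0] for r in conn.execute(sql))


def login_parameterized(conn, username: str, password: str) -> list:
    # The SQL text is fixed; the driver binds the values separately, so the
    # same input is compared as a literal string and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(r[0] for r in conn.execute(sql, (username, password)))


def login_hardened(conn, username: str, password: str) -> tuple:
    """Parameterized query plus exception handling that does not hand the
    database error text back to the caller (the post's point about
    error-driven information gathering). Returns (matches, user_message)."""
    try:
        rows = login_parameterized(conn, username, password)
    except sqlite3.Error:
        # Record the real error server-side; the user learns only that
        # the login failed, not what the database complained about.
        return [], "login failed"
    return rows, ("ok" if rows else "login failed")


TAUTOLOGY = "' OR '1'='1"  # textbook input used here only to show the defect


def demo() -> dict:
    """Run both forms on the same inputs and collect what each returns."""
    conn = make_db()
    return {
        # Concatenation: the WHERE clause becomes (... AND password='') OR
        # '1'='1', which is true for every row, so both users come back.
        "vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY),
        # Binding: the tautology is just a password string that matches nobody.
        "parameterized": login_parameterized(conn, "alice", TAUTOLOGY),
        "hardened_bad_pw": login_hardened(conn, "alice", "wrong"),
        "hardened_good": login_hardened(conn, "alice", "s3cret-alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```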

_____________________

[1]. Acohido, Byron. The rapid spread of SQL attacks. The Last Watchdog. 2009. http://lastwatchdog.com/faq-sql-injection-attacks/

[2]. Chapela, Victor. Advanced SQL Injection. OWASP. 2005.

[3]. Domain Tools. Domain Counts and Internet Statistics. 2011. http://www.domaintools.com/internet-statistics/

[4]. Grossman, Jeremiah. Recent SQL Injection Hacks – Things you should know. White Hat Security. March 2011. https://blog.whitehatsec.com/recent-sql-injection-hacks-things-you-should-know/

[5]. Kerner, Sean Michael. SQL Injection Most Dangerous Software Error. eSecurity Planet. June 2011. http://www.esecurityplanet.com/trends/article.php/3936581/SQL-Injection-Most-Dangerous-Software-Error.htm

[6]. Messmer, Ellen. 2008 was the year of the SQL injection attack: IBM. Network World. 2009. http://www.networkworld.com/news/2009/020209-sql-injection-attack.html

[7]. Litchfield, David. SQL Injection and Data Mining through Inference. 2005. www.blackhat.com/presentations/bh-europe-05/bh-eu-05-litchfield.pdf

[8]. Web hacking incident database. http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#RealTimeStatistics





Web Browser Security Attacks – Cross Site Scripting (XSS)

26 09 2011

Web browsers are software programs that allow us to access web pages on the Internet. Nowadays we do many tasks online: we access our bank accounts, send emails containing private data, shop, and so on. In doing so we send out a lot of information, such as our bank account details and personal information. There are attackers who can gain access to this information and use it for malicious activities. Attacks are the techniques attackers use to take advantage of and exploit vulnerabilities in an application. One such attack is called Cross Site Scripting (XSS).

XSS is a technique in which an attacker delivers a malicious piece of code to a user. It takes advantage of a web application’s vulnerabilities to inject malicious scripts into web pages. When a user visits these pages, the browser believes the script has come from a trusted source and executes it. Once the script runs, the attacker has access to user information in the form of cookies and session data. Using this, the attacker can impersonate the legitimate user and gain access to the pages accessible to that user. The attacker may also perform malicious activities on the user’s computer and access or destroy files.

We might think that an attacker has to break into a web server to inject malicious code into a web page. This is not the case. Today most of the content on web pages is dynamic. An attacker could go to a page that has a section for leaving user comments and inject a script into the comment section. Now, when any user requests this page, the malicious script in the comment section will run in the browser and gain access to user information.

Attackers could use another approach as well. They find a web page that they want access to and that has some XSS vulnerabilities. They then generate a customized link to this page and send it by email to a list of potential users. The link in the email has HTML elements embedded in it. When a user clicks the link, it takes the user to that page and sends a copy of the user’s session to the attacker. Through this the attacker can gain access to the page.

One way of preventing XSS attacks is input validation that strips all special characters from the input, allowing only a few such as hyphens and periods. Another way is better validation and checks for cookies: when a cookie is generated, the user’s IP address should be noted, so if an attacker tries to use the same session, the different IP address can be detected and access denied. The best way is probably to develop better web applications. Developers should build web applications that do not need any client-side code to run for the page to display properly, which allows users to disable scripting in their browsers.
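As an added example written for this page (not code from the original post), here is a stored comment rendered with and without HTML output encoding, beside the allowlist validation and character stripping described above; the comment text is constructed. Output encoding complements input validation: it keeps the comment text intact while stopping the browser from treating it as markup.

```python
"""Added example: rendering a stored comment into a page with and without
HTML output encoding, next to allowlist validation and character stripping.
All inputs are constructed."""
import html
import re

PAGE_TEMPLATE = '<div class="comment">{body}</div>'

# Constructed comment containing markup: the stored-XSS case from the post.
HOSTILE_COMMENT = "Nice post <script>alert('xss')</script>"
BENIGN_COMMENT = "Nice post - see section 2.1"

# Allowlist in the spirit of the post: letters, digits, space, hyphen, period.
ALLOWED = re.compile(r"[A-Za-z0-9 .\-]*")


def render_unsafe(comment: str) -> str:
    # Defect on purpose: the stored text is pasted straight into the HTML,
    # so any tags in it become part of the page the browser executes.
    return PAGE_TEMPLATE.format(body=comment)


def render_escaped(comment: str) -> str:
    # Output encoding: <, >, &, " and ' become entities, so the browser
    # displays the text as text instead of parsing it as markup.
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def validate_input(comment: str) -> bool:
    """Reject (rather than silently alter) any comment with characters
    outside the allowlist, so the user sees why the text was refused."""
    return ALLOWED.fullmatch(comment) is not None


def strip_special_characters(comment: str) -> str:
    """The stripping approach the post describes. It removes the danger but
    also mangles legitimate text, which is why escaping is preferred."""
    return re.sub(r"[^A-Za-z0-9 .\-]", "", comment)


def escaping_is_lossless(comment: str) -> bool:
    # Escaping is reversible: the browser shows exactly what was typed.
    return html.unescape(html.escape(comment, quote=True)) == comment


def contains_script_tag(rendered: str) -> bool:
    # Check what actually reaches the browser.
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(HOSTILE_COMMENT))
    print("escaped :", render_escaped(HOSTILE_COMMENT))
    print("stripped:", strip_special_characters(HOSTILE_COMMENT))
```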






BEAST SSL attack

23 09 2011

Security researchers Juliano Rizzo and Thai Duong have created a new attack on the ever so prevalent SSL 3.0 / TLS 1.0 communication protocols, which are used to secure the majority of private transactions over the internet. It has not been a great period for confidence in secure internet communications: earlier this month attackers were able to obtain valid certificates for multiple domains, including Google.com, from the certificate authority DigiNotar. While other attacks on HTTPS, such as the DigiNotar attack, have concentrated on the certificate system in an attempt to masquerade as a website, this attack is the first to break the confidentiality model of SSL/TLS. Rizzo and Duong claim that they are simply able to defeat SSL encryption and read in plaintext the contents of traffic flowing to an HTTPS address.

The attack has been packaged into a tool named BEAST (Browser Exploit Against SSL/TLS) that allows a would-be attacker to steal and decrypt HTTPS cookies in an active encrypted client/server session, including cookies marked as HTTPS only. BEAST actually performs a plaintext recovery attack on a vulnerability in TLS that has been known almost since the inception of the protocol. However, the vulnerability has long been considered only a theoretical problem, as many security experts regarded it as impossible to exploit. The vulnerability lies in how TLS encrypts data: the protocol arranges the data in a series of blocks and then encrypts each block using the previous encrypted block. The weakness is that an attacker can make an educated guess about the contents of an encrypted block. If the guess is correct, the attacker will see that the guessed block produces the same ciphertext as the legitimate block, and will subsequently be able to decrypt the following blocks of data.

In order to execute the SSL attack, an attacker first needs to acquire a man-in-the-middle (MITM) position on a network that allows them to eavesdrop on a victim’s traffic to an HTTPS site. After that position is acquired, they need to inject the BEAST agent into the victim’s browser as the victim visits a high-value target such as a bank website or PayPal. BEAST then sniffs the network traffic looking for active TLS sessions and decrypts the secured cookie, which allows the attacker to hijack the secured session. Rizzo and Duong claim that their attack can decrypt and hijack an SSL session within minutes, so the process can go unnoticed by the victim.

While it is yet to be seen whether this is an “OMG the sky is falling” sort of breakthrough, as the technical details of the attack are still unknown, Rizzo and Duong plan to present the attack in full detail at the Ekoparty conference in Argentina on Friday (9/23/2011). Until then much of the security community has yet to comment on the severity of the attack, and we (the internet) will need to wait to see how browser developers move on from here.

It is important to note that this vulnerability is not present in TLS 1.1 or 1.2, which have been available for years but have been adopted by only a small percentage of content providers. I believe this highlights how the reactive model that has been present in information security for many years has essentially painted much of the technological world into a corner. SSL 3.0 and TLS 1.0 are the most common security protocols available for internet transactions on the planet, and to have TLS 1.1/1.2 suddenly adopted worldwide would be a major overhaul, potentially costing companies large amounts of money and/or customers. For example, the current releases of Firefox and Chrome do not support communication over TLS 1.1/1.2, and IE9, while capable of using TLS 1.1/1.2, does not allow it by default, so if you are a bank that allows only TLS 1.1 traffic, Chrome, Firefox, and IE users will not be able to use your online banking option. This would put your bank’s website at a significant disadvantage. Duong has stated: “Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications. What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.” (4)

If this attack is anything close to as serious as the initial reports seem to allude to we could be in between the proverbial rock and a hard place.

_______________________

  1. Threat Post, http://threatpost.com “New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies”, September 19 2011, Dennis Fisher.
  2. The Register, http://www.theregister.co.uk “Hackers break SSL encryption used by millions of sites”, September 19 2011, Dan Goodin.
  3. Information Week, http://informationweek.com “HTTPS Vulnerable To Crypto Attack”, September 20 2011, Mathew J. Schwartz.
  4. Softpedia, http://news.softpedia.com, “SSL Encryption Turns Out to Be Highly Vulnerable”, September 20 2011, Eduard Kovacs.




Security of Google Wallet

22 09 2011

Just this past Monday, Google released its newest app, Google Wallet. Google Wallet (GW) is a virtual wallet application for certain Android-based phones. GW can store your Citi MasterCard information and wirelessly transmit it when you wish to make a payment. The technology it uses is called near field communication and is identical to the tap-and-go cards you may see around. The app currently works only with the Nexus S 4G on the Sprint network; however, Google is planning to bring it to other phones.[2]

In theory this product sounds like a great idea. Let’s say you go into the grocery store, pick up a few things and head to the register; to pay, all you do is launch the app on your phone (which is probably already in your hand) and tap the phone to the tap-and-pay terminal. There is no reason to search through your pockets or purse for cash or cards, and who leaves home without a cell phone?

This all sounds great, but is it secure? Your phone will be holding and sending all of your credit card information, so the two biggest places for vulnerability in this system are the storage of the data and the transmission of the data. To protect the data in storage, Google has come up with a special chip to hold the information, which they call the Secure Element. This chip uses asymmetric key encryption to read and write the data stored within it. Neither the OS nor any application can access this chip; it is completely separate and secure from the rest of the software.

The only time information can be read from this chip is when it comes within range of a near field communication reader. Not only does the phone have to be in close proximity to the reader, the screen must be active and a four-digit PIN must be entered.[2] This authentication helps prevent hackers from simply bumping into your phone to collect the data.

Google has implemented some additional features. The PIN required to send the information has to be reasonably strong: the top ten codes such as 1234, 1111 and 0000 are not allowed. Not only does this help prevent guessing, but you also have only 5 attempts to enter the PIN before you are locked out.[3]

Google has definitely worked hard to make this system as secure as possible. They have done some of the correct things, like separating the chip from the OS and not allowing the Android device to have a key. However, once the credit card information is set, it seems very difficult to change. Also, the authentication to make a payment sounds fairly secure, but in the wild there are other holes that might not have been thought of. With any new technology there are bound to be positives and negatives, as well as loopholes the designers have not thought of. The only way to find out more is to put it in the wild and see how it fares.

___________________

  1. Bradley, Tony. “Google Wallet Security Has a Weakness | PCWorld.” Reviews and News on Tech Products, Software and Downloads | PCWorld. Web. 21 Sept. 2011. <http://www.pcworld.com/article/228959/google_wallet_security_has_a_weakness.html>.
  2. “Google Wallet – How It Works – Security.” Google. Web. 21 Sept. 2011. <http://www.google.com/wallet/how-it-works-security.html>.
  3. Yin, Sara. “Google Wallet: Security Experts Raise Concerns Over PIN Numbers | News & Opinion | PCMag.com.” Technology Product Reviews, News, Prices & Downloads | PCMag.com | PC Magazine. Web. 21 Sept. 2011. <http://www.pcmag.com/article2/0,2817,2393246,00.asp>.




Cyber Warfare and the Increased Need for Protection

21 09 2011

The stereotype that only small groups or individuals with limited resources can be threats to information security is no longer valid. Such threats have gone mainstream, and even governments have become more actively involved as defenders and attackers. We may not realize it, but we are currently observing the dawn of what can arguably be called the next generation of combat: cyber warfare. This form of assault has become a serious threat that only recently caused our own government to invest seriously in the technology to defend itself.[1] Recent reports indicate that instances of system security exploitation have been on the rise, without any sign that they will decrease in the near future.[2]

Threats to information security are originating more frequently from larger entities with more resources at their disposal. One example is Google’s allegation back in June that hackers from China infiltrated the email accounts of senior U.S. officials and hundreds of other individuals inside and outside the United States. A similar attack occurred in 2010, and Google believes that in both instances the Chinese government was responsible.[3] The Chinese have denied all accusations despite evidence to the contrary. Though this particular instance was not malicious in nature, it demonstrates that governments are participating in cyber attacks in order to advance their own agendas.

A great example of an effective cyber war attack in action occurred in July 2010, when a computer worm called Stuxnet was discovered by the public. It was the first exposed malware that infiltrates and destabilizes industrial systems, among other advanced capabilities. The worm is most famous for having targeted and impaired Iranian uranium enrichment facilities, setting Iran’s nuclear research back by about ten years. No one has claimed responsibility, but many have speculated that because the software was extremely sophisticated it could only have been designed “with nation-state support.”[4] Evidence has indicated that the attack was a joint effort by Israel and the United States. This is one instance of cyber warfare; many more attacks of this magnitude probably occur but are kept secret for one reason or another.

The use of Stuxnet also demonstrates how cyber attacks can be applied with the intention of maintaining peace rather than imposing damage (Iran was planning to use enriched uranium to create nuclear weapons, among other things). However, there have been rumors that parts of the worm’s code are now in the hands of those who could use it to strike at the US and Europe. Despite the apparent ability to carry out stealth assaults on its enemies, it has been speculated that the US, Europe, and other countries lack the infrastructure protection necessary to stop a Stuxnet-type assault. While there are safety measures in place, they are often outdated. Ralph Langner, one of the first analysts of the Stuxnet program, was interviewed this week by the Washington Post and stated that, despite almost a decade of cyber security and warfare knowledge, the US and others have not adopted any significant protocols for protecting against cyber terrorism.[5] Mr. Langner and many like him believe that only a serious attack on infrastructure will cause the public to finally repair weaknesses in the system.

On numerous occasions it has been reported to the public that the United States has been lacking in its efforts to improve its cyber security capabilities. Only a year ago, former NSA director Mike McConnell told the Washington Post that “The United States is fighting a cyber-war today, and we are losing.”[6] The last few years have seen only minor improvements, focused more on military security than on civilian protection. As the country waits for the proper legislation to be passed that will allow increased initiative to improve information security, reports are beginning to show that future attacks have the potential to be more destructive. The current head of the NSA, General Keith Alexander, warned at a conference this week that cyber war is diverging from the current tactics of theft and system sabotage toward harmful attacks “that (could) cause widespread power outages and even physical destruction of machinery.”[7] There are instances of this type of occurrence in other countries, such as in Russia in 2009, when, while an offline dam turbine generator was being repaired, a computer 500 miles away restarted it, sending the turbine into the air before it exploded.

The motive behind using software as an assault weapon is that it is inexpensive to implement and most targets are unable to retaliate against the attackers. As of now, the cyber war will continue indefinitely until progress is made in the field of information security that effectively prevents and defends against such attacks. As we can see from the examples above, it is difficult to defend against cyber warfare, especially since “there is no coherent picture of who is targeting what and which systems and services are potentially vulnerable to cyber attack.”[8] While there are instances that show governments, like Israel and the US, actively participating in the cyber war to accomplish constructive outcomes, there is plenty more that could be done. In the meantime, entities with the right resources continue to wage the cyber war in order to further their agendas, more often for nefarious purposes than for good.

___________________________

[1] Gerry Smith, “Former Government Officials Stand To Profit From Cybersecurity Boom,” (9/15/2011) http://www.huffingtonpost.com/2011/09/15/former-government-officials-cybersecurity-boom_n_958790.html.

[2] Kuala Lumpur, “Cybersecurity Incidents Continue to Increase,” (9/20/2011) http://www.thesundaily.my/news/150756.

[3] Amir Efrati, “Google Discloses China-Based ‘Hijacking’ of Gmail Accounts,” (6/2/2010) http://tinyurl.com/ChinaGoogleWSJ.

[4] Chloe Albanesius, “Report: Stuxnet Worm Attacks Iran, Who Is Behind It?,” (9/27/2010) http://www.pcmag.com/article/print/254978.

[5] Jason Ukman, “After Stuxnet, Waiting on Pandora’s Box,” (9/20/2011) http://www.washingtonpost.com/blogs/checkpoint-washington/post/after-stuxnet-waiting-on-pandoras-box/2011/09/20/gIQAOkw0hK_blog.html.

[6] Smith, “Former Government Officials Stand To Profit From Cybersecurity Boom.”

[7] Warwick Ashford, “Cyber Attacks Are Becoming Lethal,” (9/20/2011) http://www.computerweekly.com/Articles/2011/09/15/247897/Cyber-attacks-are-becoming-lethal-warns-US-cyber-commander.htm.

[8] Ashford, “Cyber Attacks Are Becoming Lethal.”





User Desktops: Leaping the Great Wall

20 09 2011

Security measures in an enterprise environment are often focused on securing the borders of a network. This is sound logic given that border security of valuable entities has worked so effectively dating to ancient civilizations; remember the Great Wall of China? While ensuring that the borders of a network are securely protected is sound network security practice, it is ineffective on its own. Attackers are not looking for the hardest target, when a soft target will get the job done. Would a bank robber spend the time to drill through the vault, if the door is already open? In networked environments, attackers will look for the path that provides them the easiest access into their target network. The softest target, as is evident in the recent RSA security breach, often is a user desktop system inside the perimeter. As computer usage increases in all aspects of a corporate network and networks continue to expand, a greater focus should be placed on end-user security.

As many of you know, the security company RSA was compromised earlier this year. Through the compromise, attackers were able to gain access to seed data associated with RSA SecurID® tokens. This was a well-publicized network compromise given that RSA is a large company focused on information security, and many of RSA’s biggest customers, such as Lockheed-Martin and Northrop Grumman, handle highly sensitive information. Security company F-Secure recently identified the initial point of compromise for the RSA breach as a phishing email containing a malicious Microsoft Excel document.[1] While the ultimate exploit identified was a zero-day vulnerability in Adobe Flash, the initial attack vector, a phishing email based on social engineering, is quite unsophisticated. By exploiting a weakness in end-user security, the attackers were able to infiltrate the network.[2]

The RSA breach is important for two reasons. One, it shows the importance of security in depth to protect network infrastructure. And two, it shows that even at a company dedicated to information security, there are still weak links. The user, who eventually opened the email attachment that led to the attackers’ access to the system, may not have been the CEO or network administrator. The user could have been in human resources, the shipping department or other business segments we would typically not consider prime attack targets.[3] These business segments may not be handling the sensitive SecurID® data, but they reside on the same network as those that do. While the point of this post is not to discuss network segregation, it is for reasons like this that end-user security should get greater focus than it does in many network environments.

A recent Secunia security report found a substantial increase in vulnerabilities on end-user systems in their customers’ networks.[4] End-users are not typically information security professionals, even at RSA. The end-user may be an administrative assistant or accountant whose understanding of secure computing and information security is quite limited. It is these individuals who may provide an attack vector for intruders into the company network. In fact, they will often raise fewer red flags to network administrators, as their internal traffic is often less scrutinized. There will always be a balance between usability and security in networked systems; however, it is likely that many of the vulnerabilities in the end-user environment can be remedied through user education and enforced secure desktop-configuration management.

Shooting cannonballs at the walls of a fort seems like a lot of work when you can just ask someone inside to open the gate for you. Attackers look for the soft target when attacking systems, and sometimes the most effective attack vector is from the inside out. Network administrators often spend a great deal of time, effort and money protecting the network exterior with firewalls, intrusion detection and intrusion prevention systems (IDS and IPS), while end-user security remains an afterthought.[5] Less focus is placed on monitoring what legitimate users are doing inside the network and on educating users in how to use the network properly. Firewalls, IDS and IPS cannot prevent every attack on a company’s network, because with enough time and effort an attacker will find a way in. It is for this reason that network administrators, corporations and governments should put greater focus on educating end-users to recognize the indicators of “badness”, as all layers of an enterprise are responsible for its security. Education about sound information and network security practices can help to patch one of the most vulnerable network segments: the users of the network themselves.


[1] “How We Found the File That Was Used to Hack RSA.” News from the Lab. F-Secure.com. 26 Aug 2011. Web. 18 Sept 2011. <http://www.f-secure.com/weblog/archives/00002226.html>

[2] Higgins, Kelly J. “RSA SecureID® Attack Began with Excel File Rigged With Flash Zero-Day.” Tech Center: Advanced Threats. Security Dark Reading. 1 Apr 2011. Web. 18 Sept 2011. <http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229400772/rsa-secureid-attack-began-with-excel-file-rigged-with-flash-zero-day.html>

[3] Rivner, Uri. “Anatomy of an Attack.” Speaking of Security: The Official RSA Blog and Podcast. RSA. 1 Apr 2011. Web. 18 Sept 2011. <http://blogs.rsa.com/rivner/anatomy-of-an-attack>

[4] Secunia. Secunia Half Year Report 2010. Copenhagen: Secunia, 2010.

[5] “At RSA: Napera Will Demonstrate New Approach to Solve Today’s Network Security Crisis for Small and Medium Enterprises.” Napera. 31 Mar 2008. Web. 19 Sept 2011. <http://www.napera.com/archived-press-releases/at-rsa-napera-will-demonstrate-new-approach-to-solve-today%E2%80%99s-network-security-crisis-for-small-and-medium-enterprises>