As retailers look ahead to the most wonderful time of the year, they'd be well advised to make sure they haven't left critical infrastructure unprotected.
I raise this issue after a company approached me a few years ago because it was experiencing serious network outages. This retailer sold its products directly to the consumer and conducted the majority of its business during the weeks leading up to year-end festivities. A rather frustrated e-commerce manager called to see if I could shed some light on a persistent problem that had already stumped an army of consultants and internal IT staff.
The symptoms were consistent: the very large and redundant Internet connection would slow to the point of becoming unusable for about 30 minutes once or twice a day. IT staff had worked with the telcos and then with some WAN/LAN consultants on the matter, but despite two weeks of their best efforts, including impressive, multicolored, three-dimensional graphs, the problem remained unsolved.
It's important to note here the severity and mounting expense of the problem. While the company wasn't hosting its own Website internally, all of its customer support and telephone sales ran through a voice over IP (VoIP) system routed through the affected Internet connections. The system did include a failover mechanism, but it had nowhere near the capacity to handle the holiday call volume.
To make matters even worse, the company made use of real-time chat from its Website for sales support. This too was rendered useless during the outages. So it was becoming a costly mess and likely to affect year-end sales, profits, and brand image.
When I arrived on site and had oriented myself to their infrastructure, I decided that what we needed most was a good sample of traffic captured during one of the outages. We repurposed several retired notebook computers with bootable Linux CDs and configured them to collect traffic.
It didn't take long. The outages were being caused by outbound traffic from a distributed denial-of-service (DDoS) attack: the company was attacking someone else, and it turned out that a single bot was generating all of the traffic that saturated the link. That's pretty bad! Here's where the story really got weird, though. We traced the traffic to a particular switch port and followed the cable out of the server room, through the drop ceiling, to a machine assigned to the person in charge of network security!
It was a long-forgotten, unpatched Sun Solaris machine that had been compromised and fitted with the Stacheldraht DDoS agent, and it was being used to attack other companies. We later found out it was part of a larger extortion scheme.
What can we learn from this? First, companies need to think through their reliance on information technology in worst-case or what-if scenarios and plan accordingly. Second, this company had well-written policies and procedures that were completely ignored by the person who wrote them (to great effect). Third, when the problem occurred, they had no plan for troubleshooting, which delayed the solution by another two weeks; a parallel approach, looking at the internal network at the same time as the telcos and consultants looked at the link, would have solved it in a few days.
Finally, although they had intrusion detection and prevention systems (IDS/IPS), they were not doing any real network security monitoring (NSM), that is, collecting and actually reviewing the traffic and session data on their own network. That would have pinpointed the source within minutes of the first outage... but they do now.
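What the capture-and-trace work above amounts to, written out as a small network security monitoring check. This is an added example, not code from the original post: it runs over a constructed flow log (one window of NetFlow-style records) and a constructed ARP cache and switch MAC table, and every address, MAC, VLAN and port name in it is an assumption for illustration. It flags an internal host whose outbound packet volume dwarfs its peers and is aimed almost entirely at one destination, the shape of a DDoS agent's flood, and then walks that host's IP back to a switch port, which is the step that led to the cable in the drop ceiling.

```python
"""Added example (not from the original post): a minimal NSM top-talker check
over a constructed flow log, plus an IP -> MAC -> switch-port lookup.
All addresses, MACs, VLANs and port names are assumptions for illustration."""
import ipaddress
import re
import statistics
from collections import Counter, defaultdict

# Constructed flow records for one window: start src dst proto pkts bytes.
FLOW_LOG = """\
# start    src            dst            proto pkts    bytes
10:02:00   10.1.2.15      203.0.113.8    udp   812000  1136800000
10:02:00   10.1.2.15      203.0.113.8    icmp  97000   5820000
10:02:00   10.1.2.15      198.51.100.5   tcp   300     24000
10:02:00   10.1.2.40      198.51.100.20  tcp   1200    960000
10:02:00   10.1.2.41      198.51.100.25  tcp   830     700000
10:02:00   10.1.2.77      198.51.100.9   udp   2400    312000
10:02:00   10.1.2.90      198.51.100.30  tcp   640     512000
10:02:00   198.51.100.20  10.1.2.40      tcp   1100    88000
"""

# Constructed ARP cache (IP -> MAC) and a constructed switch MAC table in the
# common "Vlan  Mac Address  Type  Ports" layout.
ARP_CACHE = {"10.1.2.15": "0003.ba12.77c1", "10.1.2.40": "0050.56a1.0b2c"}
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0003.ba12.77c1    DYNAMIC     Gi1/0/24
  10    0050.56a1.0b2c    DYNAMIC     Gi1/0/7
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, proto, pkts, nbytes = line.split()
        flows.append({"start": start, "src": src, "dst": dst, "proto": proto,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def find_flooders(flows, internal_net=INTERNAL_NET, ratio=20, dst_share=0.8):
    """Return [(src, pkts, top_dst, share)] for internal sources whose outbound
    packet count exceeds `ratio` x the median of the other internal sources and
    whose traffic is at least `dst_share` concentrated on a single destination."""
    pkts_by_src = Counter()
    dsts_by_src = defaultdict(Counter)
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src in internal_net and dst not in internal_net:  # outbound only
            pkts_by_src[f["src"]] += f["pkts"]
            dsts_by_src[f["src"]][f["dst"]] += f["pkts"]
    hits = []
    for src, total in pkts_by_src.items():
        others = [v for s, v in pkts_by_src.items() if s != src]
        if not others:
            continue
        baseline = statistics.median(others)
        top_dst, top_pkts = dsts_by_src[src].most_common(1)[0]
        share = top_pkts / total
        if total > ratio * baseline and share >= dst_share:
            hits.append((src, total, top_dst, round(share, 3)))
    return sorted(hits, key=lambda h: -h[1])


def locate_port(ip, arp_cache=ARP_CACHE, mac_table=MAC_TABLE):
    """Map an IP to (vlan, mac, port) via the ARP cache and the switch MAC table;
    returns None when the host is not in either table."""
    mac = arp_cache.get(ip)
    if mac is None:
        return None
    row = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)",
                     re.IGNORECASE)
    for line in mac_table.splitlines():
        m = row.match(line)
        if m and m.group(2).lower() == mac.lower():
            return (int(m.group(1)), mac, m.group(3))
    return None


if __name__ == "__main__":
    for src, pkts, dst, share in find_flooders(parse_flows(FLOW_LOG)):
        print(f"{src}: {pkts} pkts outbound, {share:.0%} to {dst}, "
              f"located at {locate_port(src)}")
```

The median-of-peers baseline is deliberately crude; in production you would compare against that host's own history and look at packets per second rather than a single window total, but even this simple view separates one flooding agent from normal browsing and VoIP traffic on the first capture.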
The fact that all OSes have vulnerabilities is a key realization. One of the biggest challenges is convincing senior management that these vulnerabilities exist and that there is a need to spend the time and money performing vulnerability tests. I know that some companies also experience the challenge of communicating internally between departments. In the example above, if the network folks had known about the old box being on the network, they may have been able to monitor the patching of the OS. You can have the most well-written policies, but if their implementation and execution are poorly managed, you just have a bunch of paper to show the auditors at the end of the day.
I think that Gideon brings up some very excellent points in his commentary about a particular bot, which I am sure was more interesting than figuring out how to prevent this from occurring. I see this as a crisis in IT and how things have evolved, and our lack of growth. Recall the good ole days when the Network Administrator actually knew what was traversing his network; why has this all of a sudden become a software issue, with the blame put on the IDS? I blame it on the Network Admin, the IT Systems Administrator, Risk Mgt, et al.
Some interesting items I have commented on before and supported in all my endeavors as a consultant: what is traversing your network? Sure, everyone needs to allow "ALL OUT"? Why? The answer I am always given: sometimes programs need to go out on certain ports and we cannot accommodate them all. The true answer: wrong. If you are having problems understanding which application needs what, and the difference between ephemeral ports and dedicated/well-known ports, then get a new job. With the ability of many of today's switches to segregate networks either by subnet or by using VLANs, it should help the network administrator to understand the type of traffic and its flow from one segment to another. This may be time-consuming, but as everyone seems to scramble when they are infected or breached, the due diligence taken will support the cost and effort during the crisis.
Second, why are we still not seeing networks deploy the concept of Security Domains? Security Domains should be implemented (i.e., the Accounting Department cannot communicate with the Warehouse, but can communicate with the Financial apps, etc.); this would ensure that a breach or infection in one area does not affect another segment. Very simple DMZ concepts internally.
Another issue is legacy systems, or the inability to properly track assets. I understand that in environments that are complex and large this becomes a large operation, but with some time put in, the majority of assets can be tracked and issues corrected. As we continue to see older vulnerabilities and older systems becoming the centers of attack, I blame this again on all the above departments, not just the IT guy. The cost-to-benefit ratio should have removed or updated this system, and the network admin should have noticed the outgoing wire that was different from the other ones.
The basic lack of historical facts, and the concern for one's own position, has degraded to the point where I don't think we can truly assign anyone the title of network/system admin without the responsibility of understanding their environment. I truly shake my head and wonder why no one remembers to do the simple things?
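The two points in the comment above, deny-by-default egress instead of "ALL OUT" and security domains between departments, can be expressed as a testable policy. What follows is an added example, not the commenter's or the original post's code: the zones, rules and intended access matrix are constructed assumptions, and the rule format is a simplified first-match list rather than any vendor's syntax. It evaluates both an "ALL OUT" rule set and a segmented one against the intended matrix and reports where each disagrees with it.

```python
"""Added example (not from the comment or the original post): a small policy
checker for zone-to-zone ("security domain") rules with deny-by-default egress.
Zones, rules and the intended access matrix are constructed assumptions."""
import ipaddress

# Constructed zones; "internet" is the catch-all and internal zones are more specific.
ZONES = {
    "accounting":   ipaddress.ip_network("10.10.0.0/24"),
    "warehouse":    ipaddress.ip_network("10.20.0.0/24"),
    "finance_apps": ipaddress.ip_network("10.30.0.0/24"),
    "internet":     ipaddress.ip_network("0.0.0.0/0"),
}
INTERNAL_ZONES = ("accounting", "warehouse", "finance_apps")

# First-match rules: (src_zone, dst_zone, proto, dst_port, action); "any" wildcards.
# The final deny is the default that an "ALL OUT" environment lacks.
SEGMENTED_RULES = [
    ("accounting", "finance_apps", "tcp", 443, "allow"),
    ("accounting", "internet",     "tcp", 443, "allow"),
    ("accounting", "internet",     "tcp", 80,  "allow"),
    ("warehouse",  "finance_apps", "tcp", 443, "allow"),
    ("any",        "any",          "any", "any", "deny"),
]
ALL_OUT_RULES = [("any", "any", "any", "any", "allow")]  # the "ALL OUT" policy

# Intended access matrix: (src_ip, dst_ip, proto, dst_port, expected_action).
CASES = [
    ("10.10.0.5", "10.30.0.10",   "tcp",  443,   "allow"),  # accounting -> financial apps
    ("10.10.0.5", "10.20.0.10",   "tcp",  445,   "deny"),   # accounting -> warehouse
    ("10.20.0.7", "10.10.0.5",    "tcp",  22,    "deny"),   # warehouse -> accounting
    ("10.10.0.5", "198.51.100.9", "tcp",  443,   "allow"),  # accounting web browsing
    ("10.20.0.7", "198.51.100.9", "udp",  53,    "deny"),   # warehouse has no direct egress
    ("10.10.0.5", "198.51.100.9", "icmp", "any", "deny"),   # no ICMP egress (no port)
]


def zone_of(ip):
    """Longest-prefix zone lookup, so 10.x hosts are not classified as internet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; an empty or non-matching rule set denies."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src in ("any", sz) and r_dst in ("any", dz)
                and r_proto in ("any", proto) and r_port in ("any", port)):
            return action
    return "deny"


def find_all_out(rules, internal=INTERNAL_ZONES):
    """Flag allow rules that let an internal zone (or any zone) reach any
    destination on any port, i.e. an "ALL OUT" rule."""
    return [r for r in rules
            if r[4] == "allow" and r[1] == "any" and r[3] == "any"
            and r[0] in internal + ("any",)]


def check_policy(rules, cases=CASES):
    """Return [(case, actual_action)] for every case the rule set gets wrong."""
    mismatches = []
    for case in cases:
        actual = evaluate(rules, *case[:4])
        if actual != case[4]:
            mismatches.append((case, actual))
    return mismatches


if __name__ == "__main__":
    for name, rules in (("ALL OUT", ALL_OUT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: {len(check_policy(rules))} policy mismatches, "
              f"ALL OUT rules: {find_all_out(rules)}")
```

The value of keeping the intended matrix as data is that it survives firewall changes: re-run the cases after every rule edit, and a rule that quietly reopens accounting-to-warehouse or gives the warehouse direct Internet egress fails the check before it reaches production.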
Stacheldraht has been around a very long time, which shows the amount of "paying attention" that escd was referring to.
All operating systems have vulnerabilities. It is just that Microsoft has been the most heavily targeted. With a greater presence of Linux, there is more reason to target it. The vulnerabilities are there in all systems; they just haven't all been discovered.
A vulnerability may be common to the Linux OS across multiple distributions or may be limited to a select set of distributions (Debian-based for example). It just depends on where the flaw is.
I find it hard to believe that the network guy wouldn't think to inspect his own network's traffic, but people do get world-class brainfarts from time to time.
As far as I know, most or almost all break-ins and so forth occur because people did not act on KNOWN security issues with KNOWN resolutions. That just falls under the topic of "paying attention", unless your security guy is hideously overworked.
It takes a long time to diffuse "best common practices" through all the layers of society. One day most people will routinely encrypt their email before sending it, but we see that is decades away still. The urge to make that the "default behavior" has to be promulgated by ISPs large and small - there's the time-consuming diffusion.
==
As usual, the best way to fix almost all crap on the Internet is to quit using Microsoft software on anything connected to the Internet. You will see SPAM, DDOS attacks and so forth drop to 0.25% of the current rate if you did "just that one thing." Believe it.
Thanks again... I overlooked that, it's totally obvious now...
Those numbers for Linux are surprisingly (to me) large - are they common to all forms of Linux, or particular distributions? Are some of them as serious as the one described in the article?
Just looking at Core Security's IMPACT pen-testing tool, it currently lists 151 exploits with 435 target entry points for Linux, 30/86 for Solaris, Mac OS X gets 9/40, Windows 2003 106/694 and XP lists 201/1160. So yes, Linux, like any system not properly maintained and patched, can be at risk. I like the comment about Social vs. Engineering... nothing is sailor-proof.