Laying the IT Security Foundation

Key Steps to Preventing Cyber Attacks

Government systems are getting hit on a daily basis by new and ingenious external attacks. Federal, state and municipal agencies, plus government contractors, must find a way to adjust to this evolving threat landscape to prevent these threats from wreaking havoc.

It is imperative that government organizations get back to the basics of security and lay a strong security foundation to weather these attacks by proactively addressing their root causes.

February 2010

WP-EN-02-04-10 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks

Disengaging from the Arms Race

The numbers are in, and it’s clear to most that they don’t bode well for those within government IT security. The latest statistics show that on the , a new Web site is compromised by host every five seconds. Cybercriminals and cyberterrorists are amassing large fortunes through the sale and trade of information from each of these exploits, only to reinvest more and more resources into developing even more sophisticated attacks as time goes by. Their attacks are highly polymorphic, and they are obfuscated. They don’t just attack vulnerabilities in applications, but also fundamental flaws in the way agencies protect their machines. These attacks are coming at a dizzying speed, especially as foreign states employ a loose-knit network of , however informally, to extend their long arm of intelligence into as many American government systems as possible.

It’s no wonder, then, that the National Association of State Chief Information Officers (NASCIO) voted IT security as a top 10 strategic priority for 2010 and security enhancement tools in the top five hottest product categories for 2010. Meanwhile, half of agency CISOs at the federal level worried that, even though their organizations may be making progress in security practices, they are still “not getting ahead of attackers,” according to a survey conducted by ISC2 in April 2009. Tops on their list of most pressing problems today are external attacks (48 percent) and software vulnerabilities (26 percent). Another survey of federal IT professionals conducted by CDW Government in November 2009 showed that more than half of agencies are experiencing cyber security incidents on a daily or weekly basis.

This relentless barrage of attacks infiltrates systems in a cloaked manner to fool detection mechanisms. Plus, attackers are constantly changing them to evade signature-based protections, such as antivirus. Not only are they sophisticated, but these pieces of malware are flooding the playing field. The idea is to keep security professionals guessing, to keep them engaging with old attack approaches while the new ones sneak in the back door. And for the most part, security teams are unable to keep up with the barrage of new threats with a set of old tools and a limited budget.

The problem is that government security professionals are stuck in a rut. We’re involved in an arms race with the bad guys that can only benefit them. Rather than addressing the fundamentals that allow an attack to occur in the first place, we’re addressing each individual attack as it crops up through a detect-and-block schema. Every time we get that rock to the top of the hill, it just rolls back down. It’s time to take a new approach. It’s time to get some bulldozers and flatten the hill.

Addressing Security’s Biggest Problem

The attacks are largely successful because vulnerabilities and mis-configurations exist within applications and throughout the government IT framework. If those vulnerabilities didn’t exist, the vast majority of attacks wouldn’t succeed no matter how plentiful they were. In fact, more than 90 percent of attacks exploit a vulnerability for which a patch already exists.

Think about it. If you had a door with a broken lock that was being taken advantage of by burglars, you wouldn’t start by spending your money on expensive closed-circuit cameras, on booby traps within the home or on chaining your big-screen TV to the wall. No, you’d address the root cause of the break-ins and fix the lock first.

Many within government are starting to buy into such an approach. According to the ISC2 survey, of all the cyber security programs they’re tasked to participate in, the Federal Desktop Core Configuration (FDCC) is one that federal CISOs feel is making the most progress — likely because the FDCC offers such a good security ROI.

The idea behind FDCC is simple: With the help of Microsoft and the National Institute for Science and Technology (NIST), the Office of Management and Budget (OMB) developed a standard configuration setup for managed endpoints using Windows XP and Windows Vista so that the tenets of security — such as the rule of least privilege — are followed on machines across the federal government. Since 2009, federal agencies have been required to adhere to FDCC on their workstations and laptops as part of greater Federal Information Security Management Act (FISMA) compliance. According to Karen Evans, the then-administrator for OMB’s Office of E-Government and Information Technology, who wrote the first memo outlining FDCC in 2007, the idea for establishing this baseline was “to improve system performance, decrease operating costs and ensure public confidence in the confidentiality, integrity and availability of government information.”

One of the pilot adopters of this FDCC approach was the U.S. Air Force, which managed to not only improve security by reducing its patch cycles from seven weeks to three days, but it has also achieved cost savings as the number of help-desk calls “have dropped drastically because there are fewer one-off configurations and mysterious problems to address,” reported FedTech Magazine.

The example provided by FDCC has a lot of benefit as a case study in endpoint configuration, not just at the federal government, but also at state and municipal levels because, at the end of the day, secure configuration is the very bedrock of any security program. It always has been and will continue to be so in the future — one only need look at the current threat environment to understand why.

Adjusting to the Evolving Threat Landscape

As much heat as Microsoft receives from the security research community, the company has actually made a lot of progress over the last several years in building defenses within Windows. In that time we’ve seen the advent of the built-in firewall, user access control and improvements in the data execution system. The protections were not perfect, but enough roadblocks were thrown up to make hackers look for easier prey. When they shifted their crosshairs to the application layer, what they found was a target-rich environment that was not only more vulnerable to attacks, but also more profitable to attack.

And just as improvements in the operating system (OS) were gaining steam, there was a convergence in user behavior that made Web-based applications extremely appealing to attackers. Known as the Web 2.0 movement in common parlance, this confluence of action saw organizations double, triple and even quadruple their number of custom applications.

This Web 2.0 revolution has seen the rise in Web-based collaborative tools, mash-ups, social media, enriched instant messaging and user-contributed content online. Not only have many of these applications been built hastily with minimal regard for security to take advantage of quickly changing market conditions, but they’ve been tunneled through the network firewall to provide Web-based access directly into back-end systems that may or may not have ever been intended for outside connectivity. Many of these back-end systems contain valuable citizen, operational and financial data, as well as national security secrets. The combination of these factors has been like the lining up of cherries in a Vegas slot machine for the state and non-state hackers. And there’s no end in sight.

Many of these Web-based programs utilize SQL Server as the back-end technology that holds all of the content seen by users as they browse a site. The drastic spike in 2009 of SQL injection attacks — the insertion of specially crafted queries to break the technology to reveal sensitive information and allow attackers to install malware or redirect them to malware-laden Web sites — comes by way of insecure coding practices by developers rushing to meet this need for Web application expansion.

And these Web-based attacks aren’t all we have to worry about, either. State and non-state actors have also turned their attention to Microsoft Office and browser-related weaknesses that hadn’t been previously exploited because the OS used to be so easy to attack. They’re also more closely scrutinizing opportunities in countless other applications from vendors such as Cisco, Apple and Adobe. They’re even attacking firmware on hardware such as printers. The attack surface has clearly expanded dramatically.

Not only are Web-based applications riddled with vulnerabilities, but many users exacerbate the problem by surfing the Web and running documents on old, insecure versions of browsers and productivity applications. Attackers not only find new vulnerabilities each day, but they are also able to exploit the many more tried-and-true vulnerabilities on un- or mis-configured systems. The 2009 Conficker outbreak is a stark example of how a known and patchable vulnerability can still be taken advantage of en masse and to great effect by the cybercriminal element, which not only includes the financially motivated bad guys that most civilians think of when they imagine hackers, but also the state-sponsored hackers with ties to governments who may carry out attacks with political or military objectives in mind.

Regarded as the worst mass infection vehicle since SQL Slammer, Conficker works by taking advantage of a vulnerability in the Server Service within Windows platforms. In March 2009, researchers estimated that Conficker infected more than 10 million machines. What is so galling about the rapid spread of Conficker is the ease by which it could have been prevented. If more organizations had already instituted three simple security practices, Conficker would have died on the vine.

First and foremost, it was allowed to spread out of control due to the failure to install the patch Microsoft released in October 2008. When the worm evolved later on, many organizations could have easily avoided a spread in infection had they improved their password policies to protect fileshares. And thirdly, organizations could have stopped the evolved worm in its tracks had they managed and enforced device usage policies to stop propagation via USB devices.

Herein lies the crux of the problem. As cybercriminals increase the ingenuity of how they attack government systems and consistently change the rules of the game, many IT organizations have tried to simply take the same old detect-and-block approach they’ve grown comfortable with over the years. But the truth is that the only way to really block these threats is not to just chase tens of thousands of variations of the latest killer worm. It’s to root out the common vulnerabilities that these pieces of malware attack in the first place and prevent users from downloading malicious content.

It happens again and again — Conficker isn’t the only external threat taking advantage of known vulnerabilities. In 2009 we saw a huge surge in both and infections, which both take advantage of known Adobe Reader vulnerabilities. And Koobface made significant in-roads attacking social networking users visiting sites such as Facebook and Twitter by convincing them to download a bogus Flash update.
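The three controls listed above (patch installed, fileshare password policy, device usage policy), turned into a fleet posture check that reports which Conficker propagation path each endpoint still leaves open. This is an added example, not code from the whitepaper or from Lumension; the endpoint records, policy thresholds, assessment date and the patch identifier are constructed placeholders.

```python
"""Posture check for the three Conficker controls the text lists (added example,
not from the whitepaper or from Lumension). Endpoint records, policy thresholds
and the patch identifier are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Placeholder for the October 2008 Server Service patch named in the text; the text
# gives only the month, so the release day here is constructed.
REQUIRED_PATCH = "PLACEHOLDER-SERVER-SERVICE-PATCH"
PATCH_RELEASED = date(2008, 10, 1)
AS_OF = date(2009, 3, 1)  # constructed assessment date
MIN_PASSWORD_LENGTH = 12  # constructed thresholds for the fileshare password policy
MAX_LOCKOUT_THRESHOLD = 10  # failed logons before lockout; 0 means never locks out

@dataclass
class Endpoint:
    name: str
    installed_patches: List[str]
    min_password_length: int
    lockout_threshold: int
    autorun_disabled: bool
    usb_storage_blocked: bool

@dataclass
class Finding:
    endpoint: str
    control: str
    vector: str  # propagation path left open when this control is missing
    detail: str

def check_endpoint(ep: Endpoint, as_of: date = AS_OF) -> List[Finding]:
    """One finding per missing control, in the order the text lists them."""
    findings: List[Finding] = []
    # Control 1: the patch for the Server Service vulnerability is installed.
    if REQUIRED_PATCH not in ep.installed_patches:
        days = (as_of - PATCH_RELEASED).days
        findings.append(Finding(ep.name, "patch", "network-exploit",
                                f"{REQUIRED_PATCH} missing {days} days after release"))
    # Control 2: a password policy strong enough to protect fileshares.
    weak_lockout = ep.lockout_threshold == 0 or ep.lockout_threshold > MAX_LOCKOUT_THRESHOLD
    if ep.min_password_length < MIN_PASSWORD_LENGTH or weak_lockout:
        findings.append(Finding(ep.name, "password-policy", "fileshare",
                                f"min length {ep.min_password_length}, lockout at {ep.lockout_threshold}"))
    # Control 3: device usage policy enforced so USB media cannot carry the worm in.
    if not (ep.autorun_disabled and ep.usb_storage_blocked):
        findings.append(Finding(ep.name, "device-policy", "usb",
                                f"autorun disabled={ep.autorun_disabled}, usb blocked={ep.usb_storage_blocked}"))
    return findings

def open_vectors(ep: Endpoint, as_of: date = AS_OF) -> Set[str]:
    """Propagation vectors still open; an empty set means all three controls hold."""
    return {f.vector for f in check_endpoint(ep, as_of)}

def assess_fleet(fleet: List[Endpoint], as_of: date = AS_OF) -> Dict[str, List[Finding]]:
    """Findings keyed by endpoint name; fully compliant endpoints are omitted."""
    return {ep.name: fs for ep in fleet if (fs := check_endpoint(ep, as_of))}

# Constructed inventory: a hardened host, an unmanaged host and a partly hardened host.
SAMPLE_FLEET = [
    Endpoint("ws-01", [REQUIRED_PATCH], 14, 5, True, True),
    Endpoint("ws-02", [], 6, 0, False, False),
    Endpoint("ws-03", [REQUIRED_PATCH], 8, 5, True, False),
]
```

Running `assess_fleet(SAMPLE_FLEET)` reports only ws-02 and ws-03; the patched but partly hardened ws-03 still shows the fileshare and USB vectors open, which is the point the text makes about the evolved worm.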

As James Quinn, senior research analyst for Info-Tech Research Group, told IT World Canada: “These are problems for which a protection mechanism already exists before the problem came along. There are patches for the vulnerabilities in advance. Application patches are the single thing — the most important thing — that organizations can do. Patch, patch, patch. It can’t be said enough.”

Taking Action

If government agencies take a comprehensive vulnerability management approach, they will be able to more effectively address those external threats that worry so many agency CISOs. In the process, they’ll be able to lay a strong security foundation that completely bypasses the costly and ineffective arms race with the cybercriminal element. Organizations need to start by:

»» automating and streamlining vulnerability assessment and patch management, a long-overlooked lynchpin to securing systems
»» automating important configuration policies, such as the rule of least privilege, to minimize how much damage a zero-day attack on an unpatched vulnerability can do before vulnerability management processes kick in
»» leveraging application whitelisting mechanisms in addition to antivirus and behavioral analysis to control the application environment
»» protecting information from being improperly transferred out of government networks via removable devices and preventing the introduction of malware via these devices
»» delivering agency-wide visibility of compliance and IT risk management postures, assessment of technical, physical and procedural controls and continuous IT risk and compliance monitoring and reporting

Application whitelisting provides an additional layer of defense that allows only the known good applications on the approved list to run within the environment. All other applications are prevented from running at all until they are approved. This keeps new and stealthy malware from running in the first place, completely eliminating the need to dedicate resources to finding the day’s newest malware. And removable device control and data encryption provides yet another layer of defense. This prevents malware from entering government networks via new paths and also protects data being transferred off of networks.

By controlling access to data, reducing vulnerabilities and preventing malware from executing, organizations can lay the groundwork for a fundamental change in security “rules” that can finally give IT departments an edge in the cat-and-mouse game with attackers.

Clearly, the puzzle pieces of antivirus, application control, vulnerability management and device control fit snugly to form a security mosaic that looks best when all the pieces are working together. Lumension offers one of the most comprehensive and complementary sets of these tools available today.

Lumension® Vulnerability Management solution, which consists of Lumension® Patch and Remediation, Lumension® Scan, Lumension® Security Configuration Management and Lumension® Content Wizard, centralizes vulnerability assessment and remediation into a single vulnerability management system.

Providing a more complete and unified view into an organization’s security posture, Lumension Vulnerability Management allows organizations to quickly and easily discover and inventory network IT assets and to automate the propagation of security agents to distributed and diverse endpoint devices — including Windows mobile devices. By doing so, an agency or other public sector organization gets the benefit of threat assessment from a hybrid of network-based and agent-based scanning technology. Once risks have been found, automated remediation addresses vulnerabilities in real time.

Complementary to the Vulnerability Management solution, the Lumension® Endpoint Protection solution combines the robust functionality of Lumension® Application Control with Lumension® AntiVirus to protect endpoints from malware and unknown threats while enforcing the use of authorized software — creating a trusted network in today’s fast-paced working environment. By employing an application whitelisting approach, organizations can ensure that only authorized applications are allowed to run on laptops, PCs, mission-critical servers and POS terminals, preventing the execution of unknown or malicious code.

The Lumension® Data Protection solution enforces usage policies for removable devices (such as USB flash drives) and other removable media (such as CDs/DVDs) to control the flow of inbound and outbound data from your endpoints. It also enforces encryption of removable media so that it can be safely used and transported without the fear of exposing sensitive data to unauthorized users. The products that comprise Lumension Data Protection include:

»» Lumension® Device Control, which enforces organization-wide usage policies for removable devices, removable media and data (such as read/write, encryption).
»» Lumension® Device Control for Microsoft® System Center, which seamlessly integrates the capabilities of Lumension Device Control into the already-established SCCM environment to reduce implementation costs and quickly enhance security policy enforcement.

Lumension® Compliance and IT Risk Management solution automates and streamlines IT audit workflows to reduce the cost of supporting numerous compliance requirements, and ensures that IT risks are prioritized by their potential impact on the organization. Key capabilities include risk profiling of IT assets and business interests, use of the Unified Compliance Framework (UCF), which harmonizes IT controls across hundreds of compliance mandates; automated assessment of technical, physical and procedural controls; and continuous monitoring and reporting to satisfy a diverse IT risk and compliance audience.

In today’s hazardous environments, it is necessary to build a strong foundation based on security fundamentals rooted in proactive methods. Rather than reacting to new threats over and over again, agencies should be able to strengthen their configurations and minimize risk so that attacks of all stripes lose their effectiveness. By using an integrated solution base from Lumension that includes all of the necessary elements of protection, including vulnerability management, configuration management, patch remediation, as well as device and application control, government agencies will better be able to attend to the increasingly sophisticated attacks that are barraging their infrastructures. Not only that, but Lumension solutions also aid government organizations in proving these controls to auditors. No more scrambling for evidence or losing sleep when audits come due. Instead, audit capabilities are built directly into the foundational security controls, meshing compliance and security requirements in an efficient and effective manner.

TOP THREATS OF 2009

Unsurprisingly, 2009 was another landmark year in malware creation. Here’s our list of the top external threats government agencies had to contend with over the past year.

»» Koobface: Attacked social networkers by convincing them to download fake Flash updates.
»» Zeus: An information-stealing Trojan from way back, it made a resurgence in 2009 by taking advantage of an Adobe Reader vulnerability.
»» Conficker: Conficker blew up in 2009 due to a large number of Microsoft users failing to patch their systems.
»» Gumblar: One of several mass injection attacks that made inroads in 2009, Gumblar attacked known Adobe Reader vulnerabilities.
»» Nine-Ball: A drive-by download malware that attacks unsuspecting visitors to infected Web sites, this one takes advantage of known vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy.
»» Beladen: Another big mass injection attack, Beladen exploited browser and content management software vulnerabilities.
»» AutoRun: This worm spread pervasively via USB devices by exploiting a well-known vulnerability in Windows AutoRun.
»» : This polymorphic piece of malware shut down the court system in Houston by attacking executable files and then using IRC server connections to create back doors to perpetrate further attacks.

7 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks

About Lumension

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and IT Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Utah, Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA phone: +1.888.725.7828 fax: +1.480.970.6323

www.lumension.com | Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management