SAN FRANCISCO -- Examining firewall logs is not enough, and common network penetration tests often miss network misconfiguration issues, leaving sensitive information exposed.
Hunting for security errors in network configuration logs is like trying to find a needle in a haystack, said Mike Lloyd, chief scientist at San Mateo, Calif.-based RedSeal Systems Inc., a firm that models networks to find loopholes attackers can use. Lloyd was one of a dozen speakers who addressed security and compliance issues Monday at the Security B-Sides conference held alongside RSA Conference 2011.
"What we've been trying to do here is come up with better metal detectors," Lloyd said. "You've got to test the entire network and focus on the outcomes. When you look at the entire network, the errors just pop right out."
A number of software makers, RedSeal Systems among them, sell tools that analyze firewall rules and assess security posture from network configurations in order to find misconfigurations. Others include Lumension Security Inc., Tufin Software Technologies, Qualys Inc. and Rapid7. Tools from these vendors and others map how traffic can flow through a network and can identify the access paths that have been opened into it, Lloyd said. Done by hand, the same process yields only limited results, he said.
"If you look at the methodologies people use today, most of them are stone masons examining brick by brick and that's entirely laborious," Lloyd said. "A person can take their entire career examining every brick they have surrounding their systems, except that the castle only has three walls instead of four."
Network configuration errors are common and can lead to costly data security breaches. In 2008, a network misconfiguration at Hannaford Bros. may have enabled an attacker to place malware on servers that sniffed credit card data at nearly all of Hannaford's 300 grocery stores. The malicious software ran in stealth mode and stole up to 4.2 million credit and debit card numbers from the grocer's systems before the intrusion was detected.
"When you live in a world with a security team and a network operations team, the phone only ever rings for an availability problem; they call when the network's down," Lloyd said. "There are no phone calls when there are too many permissions into the network, so you need a way to monitor and find when that's occurring."
Network security pros can use network modeling, first, to find errors, including serious exposures such as outdated connections to sensitive systems that were granted to partners or contractors who no longer need access, Lloyd said. Second, modeling can give auditors proof that sensitive systems are surrounded by a secure network. Third, it can help network professionals review access requests to ensure that any new connection to a system is necessary.
"It's an important process in having that visibility and being able to prove to outside auditors that you're keeping all four wheels on the ground as you have ongoing changes to your network," Lloyd said.
Lloyd described an incident in which a prominent networking company still had an outdated connection to a former outsourcer based in Malaysia. The company ran a primary server that issued certificates, and in its backup environment it had punched three holes in the firewall: one for a telecommuter and two for a manufacturer that would not sign a contract with the firm unless it could first conduct extensive security tests.
"They punched some holes, did lots of testing and then the testing phase was over and, when the contract got signed, the hole was never removed," Lloyd said. "That's a typical story. We find time and time again when we go into organizations most of the lines in the firewall were added for a very good reason, but nobody ever cleans them out."
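The pattern in Lloyd's story (holes punched for a test and never closed) and the whole-network, outcome-focused check he advocates can be approximated in a few lines of code. The following is an added example written for this article, not RedSeal's software or anything shown in the talk. It asks the outcome question directly: which untrusted networks can reach a sensitive asset, through which rule, and has the business reason for that rule expired? The rule set, address ranges, zone names, and the `expires` field attached to each rule are constructed for illustration; real firewalls carry no such field, so the expiry would come from a change ticket or rule comment.

```python
"""Outcome-focused firewall rule review (added example, not RedSeal's code).

Instead of reading rules brick by brick, ask the question the talk poses:
can any untrusted network reach a sensitive asset, and is the rule that
permits it still justified? All addresses, zones and rules below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

ANY_PORT = 0  # wildcard port in a rule


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: int                        # TCP port, ANY_PORT for any
    purpose: str = ""
    expires: Optional[date] = None   # hypothetical: date the business reason ends


def _covers(outer: IPv4Network, inner: IPv4Network) -> bool:
    return inner.subnet_of(outer)


def _port_covers(rule_port: int, port: int) -> bool:
    return rule_port in (ANY_PORT, port)


def shadowed(rules: List[Rule], idx: int) -> bool:
    """True if an earlier rule fully covers rule idx (first match wins).

    Only full coverage counts, so a partially overlapping earlier deny does
    not hide a rule: the check over-reports rather than misses an exposure.
    """
    r = rules[idx]
    return any(_covers(e.src, r.src) and _covers(e.dst, r.dst)
               and _port_covers(e.port, r.port) for e in rules[:idx])


def exposures(rules: List[Rule], untrusted: Dict[str, IPv4Network],
              sensitive: Dict[str, IPv4Network], today: date
              ) -> List[Tuple[str, str, str, bool]]:
    """Return (rule name, untrusted zone, sensitive asset, stale) for every
    effective allow rule that lets an untrusted zone reach a sensitive asset."""
    found = []
    for i, r in enumerate(rules):
        if r.action != "allow" or shadowed(rules, i):
            continue
        for zone_name, zone in untrusted.items():
            if not r.src.overlaps(zone):
                continue
            for asset_name, asset in sensitive.items():
                if r.dst.overlaps(asset):
                    stale = r.expires is not None and r.expires < today
                    found.append((r.name, zone_name, asset_name, stale))
    return found


# Constructed rule base, loosely modelled on the story above: a primary and a
# backup certificate server, holes for a telecommuter and a vendor's test.
RULES = [
    Rule("pki-internal", "allow", ip_network("10.10.0.0/16"),
         ip_network("10.10.5.20/32"), 443, "internal cert issuance"),
    Rule("vendor-test-ssh", "allow", ip_network("203.0.113.0/24"),
         ip_network("10.20.5.20/32"), 22, "manufacturer security testing",
         date(2010, 6, 30)),
    Rule("vendor-test-https", "allow", ip_network("203.0.113.0/24"),
         ip_network("10.20.5.20/32"), 443, "manufacturer security testing",
         date(2010, 6, 30)),
    Rule("telecommuter-rdp", "allow", ip_network("198.51.100.7/32"),
         ip_network("10.20.5.20/32"), 3389, "telecommuter access"),
    Rule("default-deny", "deny", ip_network("0.0.0.0/0"),
         ip_network("0.0.0.0/0"), ANY_PORT),
]
UNTRUSTED = {"former-vendor-range": ip_network("203.0.113.0/24"),
             "home-dsl": ip_network("198.51.100.0/24")}
SENSITIVE = {"cert-primary": ip_network("10.10.5.20/32"),
             "cert-backup": ip_network("10.20.5.20/32")}


if __name__ == "__main__":
    for rule, zone, asset, stale in exposures(RULES, UNTRUSTED, SENSITIVE,
                                              date(2011, 2, 14)):
        flag = "STALE, remove" if stale else "justified, keep reviewing"
        print(f"{zone} -> {asset} via {rule}: {flag}")
```

The same function covers the third use Lloyd lists, reviewing access requests before they are implemented: run `exposures(RULES + [proposed_rule], ...)` and approve only if the proposed rule adds no new untrusted-to-sensitive path, or adds one with a documented expiry. The shadow check is deliberately conservative; a real modeling tool tracks partial overlaps and the routing and NAT between firewalls, which this example does not.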