Fortinet securitypro oct2013

SecurityPro 2013

NEXT-GENERATION SECURITY

The anatomy of APTs

Secure WLANs in the 21st Century: Oxymoron or reality?

Exclusive interview with Alain Penel

Vertical focus: Banking and education


www.fortinet.com


contents

04 Interview: Alain Penel
Alain Penel, Regional VP, Middle East, Fortinet, talks about Fortinet’s presence at GITEX 2013.

07 The anatomy of Advanced Persistent Threats
Where do they come from, what do they mean, and exactly what are they capable of?

09 Protecting against APTs
Highly targeted attacks are now commonplace and have resulted in a fundamental change in the way the war against cybercrime is being waged.

12 Fortifying data security defenses
Organizations must now turn to the combination of security products and services to better secure their corporate network and data.

16 Enabling next-generation secure education
Educational institutions must now be at the forefront of computing, the Internet and international collaboration.

18 Banking on a strategic rethink towards IT security
The Financial Services Industry places more demands on their information systems than almost any other.

21 Secure wireless LANs in the 21st Century: Oxymoron or reality?
Keen to take advantage of the benefits, many organizations have adopted wireless without thinking through the security implications.



Interview | Alain Penel

Fortinet at GITEX 2013

Alain Penel, Regional VP, Middle East, Fortinet, talks about Fortinet’s presence at GITEX Technology Week 2013.



How important is the GITEX Technology Week for Fortinet?

This is our eighth participation in GITEX this year and we would not miss this appointment. GITEX is the most important technology event of the Middle East region. According to the organizers, about 140,000 IT professionals and 25,000-plus C-level executives from over 140 countries join for this yearly gathering. At GITEX, entrepreneurs and business people can certainly expect to meet almost any technology company they’re interested in, either on the showfloor or through the networking portal GITEX offers. As a long-time exhibitor, we definitely find this event to be a great networking platform. For us, GITEX remains a unique event during which our local sales/technical teams and regional executives can meet with end-users to share on our latest solutions. This year, visitors will be able to learn more about our end-to-end IT security portfolio through presentations and demos we will be running on our stand on the following themes: High Performance Testing, Next Generation Firewall, Applications Security Management and Wireless LAN Security.

What will be the prominent products and solutions on display at the event?

Infonetics recently conducted a survey on high-speed data center firewalls among large organizations (over 1,000 employees) that have already deployed firewalls that currently support greater than 40 Gbps aggregate throughput. The move to faster network technologies is forcing enterprises to look at upgrading every component of their IT infrastructure, and the need to add new high speed interfaces to firewalls (10 GbE, 40 GbE and eventually 100 GbE) tops the list of drivers for investing in new high-end firewalls. Fortinet addresses that need for speed in the data centers of enterprises, large service providers, cloud providers and carriers with the launch of a new firewall appliance: the FortiGate-3700D, which will be exclusively presented at GITEX. Our new platform includes four 40 GbE (QSFP+) and 28 10 GbE (SFP+) ports, and is able to achieve up to 160 Gigabits per second (Gbps) firewall throughput. Using Fortinet’s new custom NP6 ASIC, the FortiGate-3700D is able to deliver best-in-class performance, low latency and IPv4 to IPv6 performance parity. Fortinet is the first network security company to deliver 100 Gbps+ firewall throughput and 40 GbE ports in a compact appliance, which redefines the standard for price per gigabit protected, price per port density, power dissipation per gigabit and space per gigabit.

On our stand we will also highlight our secure wireless LAN solution that incorporates wireless and wired access, security, authentication, switching and management. Our customers have the flexibility to choose between thick and thin access points (APs), managed by the integrated wireless controller in the FortiGate network security platform, delivering comprehensive, proven threat management and policy enforcement. Fortinet’s unique approach allows users to integrate security for wired and wireless networks quickly and easily. Our customers can manage all policies from a ‘single pane of glass’ management console, improving protection while simplifying their networks. With it, administrators gain a broad, unified solution that provides unmatched protection, superior TCO and granular control through user authentication and device visibility across the entire network. Solutions such as our Secure WLAN solution address the major pain points that distributed enterprises face today – securely accommodating the exponential growth of BYOD for both employee and guest access; identifying and mitigating security issues; and reducing costs and complexities associated with provisioning and managing overlay wireless networks.


How committed is Fortinet to the Middle East market region?

Very! The Middle East region is strategic to sustain our growth on the market. As you know, Fortinet is a world leader in high performance network security. In 2012, we enjoyed a strong growth, with 533.6 million dollars of global revenues, a 23 percent increase compared to 2011. According to the latest IDC tracker published in September 2013, Fortinet is now the number three worldwide on the network security appliances market, in front of Juniper. IDC also indicates that in the Middle East region, Fortinet represented over 30 percent of the UTM market over the first six months of 2013 and that our growth in the region was higher than 25 percent. Those results stem from our continued investment in the Middle East region to provide strong sales and support to our customers. In the past 18 months, we hired additional pre-sales and sales resources in Pakistan, UAE and Saudi Arabia including a new country manager for Saudi. We have increased the number of Fortinet Resident Engineers in the region based in Saudi Arabia, UAE and Oman to deliver higher levels of after sales support to end-users across the region. Also I joined as regional vice president for the Middle East this year for driving an aggressive growth plan in the region. Our growth in the region is also based on our strong channel. We added Oxygen as our second value added distributor in the region to cover Saudi Arabia, Iraq and Pakistan, and grew the delivery of professional services to select channel partners, including placement of Fortinet Resident Engineers on various projects. With our distributors, Secureway, Mantrac, Oxygen ME and On-Line Distribution PK, we have invested in local RMA depots in UAE, Egypt and Pakistan respectively, allowing faster turn-around time for hardware replacement in the region. All those investments just show how committed we are to the region.

In terms of business perspective, what are your main achievements in the Middle East region during the last 18 months?

Our solutions are widely adopted in the region and deployed across all verticals. Our customers include Saudi Telecom, Mobily, du, Emirates Post, Dubai Municipality, Abu Dhabi Islamic Bank, Qatar Gas, Amman Stock Exchange, Balqa’ Applied University, and Oman Data Park. Along our key achievements in the Middle East region in the last 18 months, I would cite:

• The success of our FortiMail messaging security solution, which is now deployed within five top telco operators in the region to help them eliminate both incoming and outgoing spam traffic on both their fixed and mobile networks. FortiMail is also being utilized to offer “Secured Email Hosting Services” to Enterprise Customers, in a ‘Security as a Service’ model.
• We accelerated the penetration of the FSI sector. Our next-generation network security solutions have been successfully deployed at eight major banks and financial institutions to address specific requirements in terms of high firewall throughput, Web application firewall, database security, DDoS protection, or security infrastructure consolidation through virtualization – all at the lowest latency available on the market.
• Several major government implementations have been done delivering high performance firewalling, IPS/application control, gateway antivirus and security virtualization, offering a reduction in CAPEX and OPEX expenditure reflecting on an overall improvement in TCO.
• The education sector is also a sweet spot for us. Seven major universities in the region have implemented our solutions, securing their wired/wireless networks and ensuring consistent policy enforcement across the campuses.

We are proud to help organizations in the Middle East securely build and grow their IT infrastructure to move their business forward. We will continue to innovate, develop and expand our portfolio of products and services to make sure our solutions address the new IT security challenges of our customers.


APTs | in depth

The anatomy of advanced persistent threats

Organizations should jump into the world of APTs before the opposite occurs. Where do they come from, what do they mean, and exactly what are they capable of?

One of businesses’ biggest threats today is the stealthy online infiltration by attackers to steal valuable proprietary information. Ghostnet (a botnet deployed in various offices and embassies to monitor the Dalai Lama’s agenda), Shady RAT (much like Ghostnet but with government and global corporate targets), Operation Aurora (monitoring of Chinese dissidents’ Gmail accounts) and Stuxnet (an attempt to disrupt Iran’s uranium enrichment program) are just a few high-profile examples the world discovered. In recent months, these so-called “Advanced Persistent Threats” (APTs) have become so rampant and unrelenting that they are forcing enterprises to question the current security paradigm. Firms are beginning to wonder if it makes more sense to stop focusing on keeping attacks out, and start accepting that sometimes attackers are going to get in, and aim to detect them as early as possible and minimize the damage.

An APT is highly targeted at a specific organization and takes a muted and often slow and prolonged approach to penetrating it, with the aim of gathering intelligence rather than making immediate financial gain. The successful embedding and execution of malicious code on a network can cause havoc to an organization, with the biggest risk now lying in the theft of intellectual property. Competitive advantage, insider information, and valuable, saleable IP are all highly valuable to both the professional cybercriminal and the emerging (and as yet unproven) state-sponsored attackers.

Precise definitions of APT vary, but one can get a good idea of its characteristics through its component terms:

Advanced – Cybercriminals behind the threat have a full spectrum of intelligence gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but may also extend to conventional intelligence gathering and profiling methods. Malware can also hunt and phish for specific information from targeted individuals – this information is then used in a second stage attack. Social engineering techniques are often employed at this stage. Other techniques include: zero-days allowing an attacker to execute unintended code or gain control of a target computer; forged and fake certificates to get a victim to visit a page that pretends to be from a safe site; or recruiting an insider to assist in launching an attack. This is often the only way an attacker can reach a target computer that is not connected to the Internet. While individual components of the attack may not be particularly “advanced”, their operators can typically develop more advanced tools. Attackers often combine multiple targeting methods to reach and compromise their target and maintain access to it.

Persistent – Cybercriminals give priority to a specific task, rather than opportunistically seeking information for financial or other gain. A key requirement for APTs, as opposed to an “everyday” botnet, is to remain invisible for as long as possible. As such, APT perpetrators tend to focus on “low and slow” attacks that let them move quietly from one compromised host to the next, without generating regular or predictable network traffic, to hunt for their specific data or system objectives. Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems.

Threat – APTs are a veritable threat because they have both capability and intent. There is a high level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. Cybercriminals target high value assets and are skilled, motivated, organized and well funded.

Whilst each APT is customized for its intended target, the lifecycle of every APT attack typically consists of the following stages: choosing a target, then doing some investigation about the organization - its employees, policies, the applications and systems it uses - and building its profile with a detailed list of potential human targets inside the organization. After that, the attacker finds the appropriate techniques, such as social engineering or the distribution of an exploit through malicious emails, in order to plant remote access malware on one of the target’s computers. Once the attacker has gained a foothold inside a target’s network, an attempt is made to exploit vulnerabilities on other internal computers to gain further access to the network. With access to the network, data can be easily exfiltrated. Passwords, files, databases, email accounts and other potentially valuable data can be sent back to the attacker. Finally, even after data theft is completed, an attacker may decide to remain present on the target’s network and maintain observation of its data assets.

Certainly, APTs are a lot more subtle, intelligent and dangerous than their random and generally less sophisticated predecessors. And their proliferation is aided by new working trends such as BYOD, where endpoints are also used for non-business purposes such as social media. For the cybercriminals developing APTs, something as simple as a link on Facebook to an infected webpage can prove the entry point into an organization’s network. Nowadays, every company or governmental organization should be concerned by the risk of Advanced Persistent Threats. The high media profile of ‘cyberwar’ raging between nation states may lead you to believe that APTs are not a threat that applies to your organization. But don’t be mistaken: no matter how large or small your organization is, it is a potential target.


Advanced persistent threats | How-to

Protecting against APTs

Highly targeted attacks are now commonplace and have resulted in a fundamental change in the way the war against cybercrime is being waged. Here are some tips on how to combat them.

Advanced persistent threats (APTs) that rely on subtle and very intelligent methods of attack are forcing organizations not only to defend themselves, but to identify when their networks have been compromised. Such is the subtlety and effectiveness of APTs that many organizations will already have been compromised without their knowledge.

Consequently, in order to defend against advanced threats, organizations must update their existing network security and adopt a comprehensive approach that includes:
• A multi-layer defense system
• Multi-pass anti-malware protection
• Integrated systems and security tools

Multi-Layer Defense System

Next generation threats use multiple vectors of attack to exploit weak defenses, avoid detection and increase the odds of penetration. To detect these threats, organizations can no longer simply rely on a single solution; multiple layers of defense are needed to fill possible network security gaps. Multi-layer defense seeks to detect polymorphic malware, prevent receipt of phishing emails, block connection to compromised websites, and deny malware access to its command channel.

Multi-Pass Anti-Malware Protection

Detecting and blocking stealthy malware is becoming more challenging. Much malicious code is now designed to evade traditional signature-based filters. Although antivirus signatures remain a critical part of the solution, new proactive real-time technologies that don’t rely on signatures are necessary for effective protection. An intelligent virus inspection engine is key to proactively detecting these threats. Cloud-based services with real-time databases and robust processing resources are also an important component.

Integrated Systems & Security Tools

Cybercriminals now collaborate for coordinated expertise and share resources, producing disparate components that challenge many typical network security implementations. They make it difficult to collate information to identify and deter advanced threats. It is therefore key to integrate security components in the network, including threat and network activity correlation. It should be possible to correlate threat landscape information, enabling administrators to use a cumulative security ranking of network terminals to spot suspicious activities that might evade detection in a typical isolated setup.

Spotlight on Two Key Strategies for Detecting Signs of APTs: Client Reputation and Sandboxing

Client Reputation

Client Reputation and Scoring is a dynamic technique of aggregating and correlating security information gathered from a network and comparing it with an existing baseline. At the network level, the major types of behavior and activity that impact on reputation and scoring are as follows:

Connection Attempts
Bad connection attempts can be a signal that malware is trying to connect to a host which does not exist because the malware’s home has changed to avoid detection. Of course there can be legitimate reasons why a host is not available, but repeated failed attempts to connect to non-existent hosts will generate a negative score.


Application Profiles
A host that installs a P2P file sharing application can be considered to be more risky than a host that installs a game. While both actions can be considered problematic, the organization can add weight to each action and score each accordingly.

Geographic Location
Visits to hosts in certain countries can be considered risky, especially if there is a significant amount of traffic involved. For example, staff in the UK may have little need to send or receive large files from Iran or North Korea. When calculating scores, reference to a white list can be used to exclude well-known foreign sites.

IP Session Information
A typical host initiates sessions but is less likely to be the endpoint that accepts them. So if a host starts to listen on a port to receive connections from outside, it could be viewed as a suspicious or risky activity.

Destination Category
Visiting certain types of websites, such as adult sites, should be considered as a risky activity and scored accordingly.

By applying a scoring system based on the activity of both a network and the people using the network, actions that are abnormal or which carry high risk can be identified, investigated or avoided. Client Reputation and Scoring can also be used as a basis for setting thresholds and alerts for administrators to better defend and control their networks.

Sandboxing

Sandboxing is not new, but it is proving increasingly useful in countering APTs, which try to disguise themselves and are ‘aware’ of their surroundings. The sandbox – which can be local or cloud based – provides a tightly controlled virtual environment in which only the basic resources are provided to allow suspicious or unknown software to run, and where network access and other critical functions are restricted. The malware is thereby tricked into believing it has reached its destination so that it can be closely observed for revealing behavior. There are five initial exploit and exfiltration behaviors that, either in isolation or in tandem, can help identify which piece of software is suspicious and needs to be executed in the sandbox:

Random generation of IP addresses
Some APT payloads include code that randomly generates strings of IP addresses. They do this to aid propagation.

Command and control connection attempts
Once infiltrated, APTs may elect to connect with a command and control server in order to exfiltrate data or to signal further attack resources, i.e. via a botnet. Detection is based on control signatures and rendezvous detection.

Host mimicry
An APT may begin to mimic the behaviour of its host device or application in an attempt to evade detection.

JavaScript obfuscation
Documented APT cases have involved numerous techniques for obscuring (obfuscating) the real meaning and intent behind malicious JavaScript code.

Encrypted traffic
The trend toward encrypted malware within APT payloads renders all encrypted traffic at elevated risk.

For more effective protection and greater control, sandboxing should ideally operate as part of a layered strategy. The first line of defense will be the antivirus engine supported by an inline real-time onboard sandbox. If the threat proves sufficient, the suspicious files can be submitted to a cloud-based sandbox for further analysis. This layered and unified approach delivers more control and speed for countering a potential attack.

APT Defense in Action – FortiOS 5

Advanced Persistent Threats are taking advantage of an evolving IT environment in which practices such as BYOD, cloud computing and social media are blurring the traditional boundaries between corporate and personal use. In order to combat these advanced targeted attacks, network security now requires an intelligent layered approach that gives visibility on what’s happening at the level of the user, device and application. Fortinet’s FortiOS 5 operating system delivers superior levels of security, control and intelligence to help organizations in their fight against APTs. Fortinet’s operating system offers a full suite of advanced security technologies and networking functions that includes next generation firewall, SSL and IPsec VPN, application control, IPS, Web content filtering, gateway antimalware, on-device sandboxing, cloud-based IP reputation management, antivirus (AV), antispam, WAN optimization, vulnerability management, identity management and DLP. At the heart of FortiOS 5 is integrated and advanced identification and control of users and devices accessing the network, including reputation-based policies, and also the identification of sophisticated threats through botnet detection and protection and inspection of encrypted traffic. The OS gives enterprises of all sizes the ability to better protect their networks by bringing more intelligence into their security.

FortiOS 5 in Practice

IT administrators must regain control and visibility on what is happening on the network and thus have the ability to define and enforce smart security policies by incorporating both ‘User’ and ‘Source’ identities. With FortiOS 5, a user can be identified through various authentication methods, including single sign on. It also enables the automatic adjustment of role-based policies for users and guests based on location, data, and application profile. Armed with this information, the policy engine can make more granular security decisions based on user and device behavior. Beyond allowing the definition of smart policies, FortiOS 5 gives more precise control through its client reputation feature. This unique feature enables advanced analytics on vast amounts of information from a variety of sources, including searching for patterns in packets, applications, and websites that the end user visits. Based on these analytics, it provides a ranking of each client device and sets thresholds on the network, allowing the administrator to be alerted if a user starts performing actions that are not ‘normal’. Another important feature of FortiOS 5 is the advanced antimalware detection, which combines an on-device behaviour-based heuristic detection system with onboard and cloud-based sandboxing capabilities for executing unknown malware. This complements a unique ‘Compact Pattern Recognition Language’ processor that enables single signatures to cover well over 50,000 different viruses, plus millions of zero-day variants. This feature delivers superior multi-layered protection against today’s sophisticated malware. FortiOS 5 allows IT administrators to better understand the behavior of individual users and apply the relevant security measures depending on behavior and risk, device type, location, usage and profile. This delivers superior protection against advanced threats such as APTs. IT security is becoming more complex as threats and usage evolve, demanding increasingly intelligent solutions. Fortinet’s FortiOS 5 operating system addresses the enterprise requirements for next-generation network security.
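The client reputation scoring described earlier in this section, as an added Python example that is not Fortinet’s code: it parses constructed activity records for three hosts, applies assumed weights to the five behaviour types the article lists (failed connections, application profile, geographic traffic, listening ports, destination category), excludes a whitelisted foreign site, and alerts only where a host’s score has risen well above an assumed baseline. All hosts, weights, thresholds and baseline values are constructed for the illustration.

```python
"""Client reputation scoring over constructed host-activity records.

Added illustration (not Fortinet's implementation) of the approach the
article describes: aggregate per-host events, weight each by assumed
risk, exclude whitelisted destinations, compare against a baseline and
alert when a host's score moves too far from it. Higher score = riskier.
"""
from collections import Counter, defaultdict

# Constructed sample events, one per line: "<host> <event_type> <fields...>"
SAMPLE_LOG = """\
10.0.0.5 failed_connect c2-a.invalid
10.0.0.5 failed_connect c2-b.invalid
10.0.0.5 failed_connect c2-c.invalid
10.0.0.5 failed_connect c2-d.invalid
10.0.0.5 listen 4444
10.0.0.5 geo_traffic KP 52428800 unknown-host.invalid
10.0.0.7 failed_connect printer.corp.invalid
10.0.0.7 app_install game
10.0.0.7 geo_traffic US 1048576 updates.example.net
10.0.0.7 dest_category news
10.0.0.9 app_install p2p
10.0.0.9 dest_category adult
10.0.0.9 geo_traffic IR 2097152 mirror.example.net
10.0.0.9 geo_traffic IR 4194304 fileshare.invalid
"""

# Assumed weights and thresholds; an organisation would tune these.
FAILED_CONNECT_TOLERANCE = 2            # a couple of failures are often legitimate
FAILED_CONNECT_POINTS = 5               # per failure beyond the tolerance
LISTEN_POINTS = 20                      # host starts accepting inbound connections
APP_INSTALL_POINTS = {"p2p": 15, "game": 5}
RISKY_COUNTRIES = {"IR", "KP"}          # assumed for a UK-based organisation
GEO_BYTES_THRESHOLD = 1_000_000         # "significant amount of traffic"
GEO_POINTS = 10
GEO_WHITELIST = {"mirror.example.net"}  # well-known foreign sites are excluded
DEST_CATEGORY_POINTS = {"adult": 10}

# Assumed baseline scores from an earlier observation window.
BASELINE = {"10.0.0.5": 5, "10.0.0.7": 5, "10.0.0.9": 20}
ALERT_DELTA = 20                        # alert when a score rises this much


def parse_events(text):
    """Parse log lines into (host, event_type, fields) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            events.append((parts[0], parts[1], parts[2:]))
    return events


def score_hosts(events):
    """Return {host: (score, [reasons])} for every host seen in events."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    failures = Counter()
    for host, etype, fields in events:
        scores.setdefault(host, 0)  # hosts with no risky activity score 0
        if etype == "failed_connect":
            failures[host] += 1
            if failures[host] > FAILED_CONNECT_TOLERANCE:
                scores[host] += FAILED_CONNECT_POINTS
                reasons[host].append(f"repeated failed connect to {fields[0]}")
        elif etype == "listen":
            scores[host] += LISTEN_POINTS
            reasons[host].append(f"listening on port {fields[0]}")
        elif etype == "app_install":
            pts = APP_INSTALL_POINTS.get(fields[0], 0)
            if pts:
                scores[host] += pts
                reasons[host].append(f"installed {fields[0]} application")
        elif etype == "geo_traffic":
            country, nbytes, dest = fields[0], int(fields[1]), fields[2]
            if (country in RISKY_COUNTRIES and nbytes >= GEO_BYTES_THRESHOLD
                    and dest not in GEO_WHITELIST):
                scores[host] += GEO_POINTS
                reasons[host].append(f"{nbytes} bytes with {dest} ({country})")
        elif etype == "dest_category":
            pts = DEST_CATEGORY_POINTS.get(fields[0], 0)
            if pts:
                scores[host] += pts
                reasons[host].append(f"visited {fields[0]} site")
    return {host: (scores[host], reasons[host]) for host in scores}


def find_alerts(host_scores, baseline, alert_delta=ALERT_DELTA):
    """Hosts whose score rose by at least alert_delta over their baseline."""
    alerts = []
    for host, (score, _reasons) in sorted(host_scores.items()):
        delta = score - baseline.get(host, 0)
        if delta >= alert_delta:
            alerts.append((host, score, delta))
    return alerts


if __name__ == "__main__":
    results = score_hosts(parse_events(SAMPLE_LOG))
    for host, (score, why) in sorted(results.items()):
        print(f"{host}: score {score}  {'; '.join(why) or 'no risky activity'}")
    for host, score, delta in find_alerts(results, BASELINE):
        print(f"ALERT {host}: score {score} is {delta} above baseline")
```

With these inputs only 10.0.0.5 alerts: its repeated failed connections, new listening port and large transfer to a risky country lift it far above its baseline, while 10.0.0.9 stays under the alert delta because its largest foreign transfer went to a whitelisted mirror.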



solutions | Data security

Fortifying data security defenses

As the threat landscape continues to evolve, traditional security solutions are no longer adequate to protect organizations. Organizations must now turn to the combination of security products and services to better secure their corporate network and data.


Every day, you read stories of organizations being attacked, networks penetrated and data stolen, most often resulting in significant financial damage. This increase in cybercrime shows no sign of stopping, given the thousands of new malware variants found every day and the proliferation of new advanced targeted attacks, including Advanced Persistent Threats. Unfortunately, traditional security solutions such as firewalls, intrusion detection systems, and host-based antivirus are no longer adequate to protect against the escalation and growing sophistication of cyber attacks. These tools are effective against only 30–50% of current security risks and cannot recognize threats for which no signature has yet been developed. Despite increased expenditures on security detection and prevention systems, enterprises are arguably in worse shape now because of inadequate protection against the growing and evolving arsenal of sophisticated and highly targeted security threats. Organizations of all sizes need sophisticated, agile security platforms with next-generation security capabilities. Such capabilities should be delivered as part of a multi-layer modern security approach that includes advanced threat research and response services for dynamically combating known and unknown threats.

On the Front Line with FortiGuard

At Fortinet, advanced threat research and response services are delivered by its own FortiGuard Labs, a global team of more than 200 dedicated research analysts, engineers and forensic specialists that provides “follow-the-sun” worldwide coverage. Fortinet is the only security vendor to have such a team in-house for constantly analyzing the threat landscape and delivering original research – including discovery and responsible disclosure of zero day vulnerabilities – as well as rapid signature updates to provide practically instant protection from new and emerging threats.

Leveraging Research for Anticipating Threats

To identify new threats, Fortinet’s FortiGuard Labs leverage many data sources from the world’s leading threat monitoring organizations and Fortinet’s FortiGate network security appliances and intelligence systems in production worldwide. Once the team has detected and analyzed a threat, it rapidly generates a package to protect against it by pushing out signature updates to every Fortinet customer in the world within minutes. This is a unique Fortinet advantage since competing security companies do not have in-house security analysts and rely on third-party security companies to provide them with the latest malware protection. The FortiGuard team creates protection packages not only for viruses, but also for botnets, intrusion detection and protection, web filtering, Distributed Denial of Service (DDoS) attacks, phishing attacks, vulnerabilities, exploits, IP reputation and anti-spam. It is critical to protect organizations against today’s advanced targeted attacks since those often use multiple components: a malware sample may have a virus component, a spamming component, an intrusion component and a botnet component (with its related command and control information). One of the other features of FortiGuard Labs is that it uses a unique and powerful proprietary programming language that allows its analysts to describe entire families of malware with a single program instead of the traditional signature-based “one signature, one variant” model used by other vendors. The FortiGuard team proactively uses that program not only to protect against today’s threats, but to predict tomorrow’s zero-day malware. Once a threat has been investigated and the program has been created, it is thoroughly tested by the FortiGuard team. These tests ensure the new program detects what it is expected to detect and also eliminate the risk of false positives by checking a database of known clean content. Detecting clean files as malware is never a good thing.

Sharing Knowledge to Defend Against Malware Families

For more than a decade, Fortinet has been maintaining a global database/threat library generated from its continuous multi-threat security research that leverages intelligence from multiple security disciplines, as well as feedback from its installed base and major infrastructure vendor partners. That database has hundreds of millions of malicious code samples and FortiGuard’s engineers, analysts and intelligent systems add an average of 160,000

13


solutions | Data security

new samples to the database every single day of the year. This knowledge store facilitates Fortinet’s ability to identify and protect its customers against known and potential threats, attacks, and exploitations. In addition, thanks to individuals dedicated to proactively researching the latest rootkits, botnets, packers and malware for both computers and mobile devices, FortiGuard Labs has synergistic security intelligence and true zero-day protection from new and emerging threats. Here, the team also collaborates with the world’s leading threat monitoring organizations (such as FIRST, StopBadWare and Team Cymru) and contributes to the overall security industry by identifying and responsibly reporting vulnerabilities directly to vendors of hardware, operating systems, and applications. The team covers the entire spectrum

14

SecurityPro 2013

of research: covert surveillance of malware and botnets; reverse engineering of malware; signature generation; and world-class zero-day research. It also studies how complex or polymorphic forms of malware modify themselves as they replicate. To conclude, the evolving threat landscape continues to drive spending on security products as organizations battle to keep their infrastructures secure and their data and other information protected. However, few organizations have the IT and security staff or the financial resources needed to have their own threat researchers to accurately identify and protect against new vulnerabilities and attacks. Consequently, organizations are turning to services, such as the ones provided by FortiGuard Labs, to enable advanced and more cost-

in a typical week FortiGuard Labs adds or updates approximately: • 1,300 antivirus definitions • 70 IPS signatures • 60,000 URL-ratings for Web filtering with 69 languages supported • 34,000,000 antispam signatures In addition, FortiGuard Labs deliver comprehensive protection with more than: • 2,400 application control signatures • 600 database security policies • 9,000 vulnerability management signatures • 1,000 Web application firewall attack signatures

effective security solutions. These types of advanced services improve on-premise solutions by providing real-time threat information and are the key to enhanced protection against known and unknown threats.
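The two ideas in the passage above, describing a whole family with one rule instead of one signature per variant and checking a new rule against known clean content before it ships, can be shown with a small piece of constructed example code. This is an added illustration and is not FortiGuard's proprietary language, Fortinet's data or any real malware: the family members, the detection rules and the clean corpus are all invented byte strings, and the sample file names are placeholders.

```python
"""Per-variant hash signatures versus one family rule, plus a clean-corpus
false-positive check before a rule is released.  Constructed illustration:
no real malware, no FortiGuard data; the samples and rules are invented."""
import hashlib
import re
from typing import Dict, List, Set


def _variant(padding: bytes, key: int) -> bytes:
    """Build a fictitious family member: fixed header, 'PAD' marker, variable
    padding, then a stub whose single-byte key differs per variant."""
    return b"\x7fELF" + b"PAD" + padding + b"STUB:xor,0x%02x" % key + b"\x00" * 4


# Two variants the lab has already seen and hashed (constructed).
KNOWN_VARIANTS: Dict[str, bytes] = {
    "variant_a": _variant(b"\xaa" * 5, 0x41),
    "variant_b": _variant(b"\xbb" * 9, 0x42),
}
# A third member of the same family that was never hashed (constructed).
UNSEEN_VARIANT = _variant(b"\xcc" * 12, 0x7F)

# Known-clean content used to test a rule before release (constructed).
# notes.txt deliberately contains the word STUB so a sloppy rule trips on it.
CLEAN_CORPUS: Dict[str, bytes] = {
    "notes.txt": b"meeting notes: STUB the pipeline until Monday",
    "config.ini": b"[core]\nmode=xor\nkey=0x41\n",
    "hello.bin": b"\x7fELF" + b"\x00" * 16,
}


# "One signature, one variant": a set of SHA-256 hashes of files already seen.
def hash_signatures(samples: Dict[str, bytes]) -> Set[str]:
    return {hashlib.sha256(data).hexdigest() for data in samples.values()}


def matches_hash(sample: bytes, signatures: Set[str]) -> bool:
    return hashlib.sha256(sample).hexdigest() in signatures


# One family rule: header, PAD marker, 1-32 arbitrary bytes, then the stub with
# any key byte.  It describes the family's structure, not one file's bytes.
FAMILY_RULE = re.compile(rb"\x7fELFPAD.{1,32}?STUB:xor,0x[0-9a-f]{2}", re.DOTALL)
# A sloppy rule that keys on a single keyword, for comparison.
LOOSE_RULE = re.compile(rb"STUB")


def matches_rule(sample: bytes, rule: "re.Pattern") -> bool:
    return rule.search(sample) is not None


def false_positives(rule: "re.Pattern", clean: Dict[str, bytes]) -> List[str]:
    """Names of known-clean files the rule would flag; must be empty to ship."""
    return sorted(name for name, data in clean.items() if matches_rule(data, rule))


def evaluate() -> Dict[str, object]:
    """Compare hash signatures and the family rule on seen, unseen and clean input."""
    signatures = hash_signatures(KNOWN_VARIANTS)
    return {
        "hash_detects_known": all(matches_hash(s, signatures) for s in KNOWN_VARIANTS.values()),
        "hash_detects_unseen": matches_hash(UNSEEN_VARIANT, signatures),       # False
        "family_detects_known": all(matches_rule(s, FAMILY_RULE) for s in KNOWN_VARIANTS.values()),
        "family_detects_unseen": matches_rule(UNSEEN_VARIANT, FAMILY_RULE),   # True
        "family_false_positives": false_positives(FAMILY_RULE, CLEAN_CORPUS),  # []
        "loose_false_positives": false_positives(LOOSE_RULE, CLEAN_CORPUS),    # ['notes.txt']
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The hash set catches only the two files it was built from, while the structural rule also catches the never-seen third variant; the clean-corpus pass is what separates the structural rule from the keyword rule, which would have flagged an ordinary text file. Real lab pipelines do the same check against far larger clean sets before a rule is published.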



Vertical focus | Education

Enabling next-generation secure education Over the past 20 years, the higher education sector has gone through major transformation. Educational institutions must now be at the forefront of computing, the Internet and international collaboration.



The methods of educational institutions have evolved rapidly hand-in-hand with the availability of content-rich, education-focused computing applications. The easy access to the world’s knowledge on the Internet has also increased the risk of exposure to the worst ills of our global society. A number of current and future drivers within the higher education sector have a direct impact on how the organizations’ IT infrastructure, systems and security must be architected and implemented.

Heterogeneous Systems, Networks and Applications
The constant evolution of educational networks coupled with the required connectivity to regional or national networks, such as the global SINET network, drives demand for appropriate firewalling and segmentation. Incorporating local, regional, national and international wired and wireless resources into a homogeneous network without undue complexity and cost represents a significant but necessary challenge to address.

Competition Between Non-Public Educational Establishments
In the face of competition, many business schools or universities rely on a secure computing and network platform for a greater collaborative capability and to deliver higher-quality education through content and data-rich applications. In parallel, many educational establishments look to develop their brand internationally through partnerships with other universities or the creation of extension faculties, a trend that is rapidly growing in the Middle East region. Key to the success of such strategies is rapid yet secure wide area networking linking such sites together to share resources.

Demonstrable Duty-of-Care and Acceptable Use Policies
Despite the fact that the majority of users of establishment networking and Internet access are over the age of consent, a demonstrable duty-of-care remains necessary for educational institutions. Use policies that define e-safety must be distributed widely to staff, students and visitors alike.

User Identification for Profiling and Segmentation
Different user categories (i.e. students, staff, visitors) must benefit from different levels of access to internal and Internet-based resources. User identification and security policies that are based on identity and the type of device used are key to establishments for defining and implementing solid boundaries.

Campus Topologies and High Density Access
Many colleges and universities comprise multiple faculties and departments located in disparate buildings, some of which may be temporary. For many institutions, deploying wired networks is seen as cost prohibitive or simply impractical. An attractive alternative might be wireless connectivity to offer rapid and cost-effective extension of existing networks across an entire campus.

Dynamic Security Provisioning
Educational institutions need rapid provisioning and re-configuration of the security profiles attributed to part of the network for their college projects, research projects or external conferences.

Secure Messaging
Having an establishment mail domain is now commonplace for all levels of education. The key challenge, however, for educational institutions is to provide cost-effective email messaging whilst also ensuring that usage policies are being followed with respect to email content, privacy and backup.

Budget Challenges
In the public and private education sectors alike, budgets are under severe pressure. Delivery and support of technical systems are usually relegated to be secondary in priority in favor of front-line services such as staff, capital assets and buildings.

Higher education establishments are looking to expand their IT infrastructures to meet the demand from students, staff and the business community. National education guidelines lean ever more heavily on secure IT, interconnectivity and the Internet to fulfil education and research objectives. Forward-thinking establishments are pushing their boundaries internationally to develop new markets and attract overseas students and investment. In such a context, Fortinet helps higher education institutions rethink their IT security implementation through a more comprehensive approach that simplifies deployment and cost while ensuring greater visibility and control over their network, users and data.



Vertical focus | Banking

Banking on a strategic rethink towards IT security Information is the lifeblood of global finance, and the Financial Services Industry places more demands on their information systems than almost any other industry. Data security, privacy and integrity are critical, both commercially and legally.



In a competitive environment where opportunities appear and disappear in microseconds, speed, agility and responsiveness are equally essential. Many financial services organizations struggle with the competing demands of security and performance. Virtualization, application consolidation, offshoring and outsourcing, combined with the ever-growing sophistication of the online marketplace, are all creating new and exciting opportunities for the financial industry. Nevertheless, new opportunities also carry new risks. Fraud, identity theft, spam, phishing and a host of other malicious threats are evolving as fast as the technologies used to conduct business. More than ever before, the Financial Services Industry needs to ensure that their networks and data are protected.

Security Challenges of the Financial Services Network
Like any vertical industry, the Financial Services Industry includes a broad range of organizations, which have widely diverse requirements for network security. These organizations share, however, several common objectives: reducing operating costs, improving customer service, and maintaining their competitive edge through better access to information and increased network performance.

Branch of the Future
Although the Branch of the Future concept seems new, the retail banking industry has been changing the public face of the branch with technology for the past 30 years. What is different now is that rather than try and replace the branch with technology, the focus is currently on incorporating technology to bring customers back to the branch. The typical Branch of the Future will take advantage of both wired and wireless technologies, providing customers with direct access to their accounts and other services using either an in-bank terminal or their own mobile device.


Online Banking Services
It is difficult to think of modern banking without online banking. It has opened up the door on a wide range of features and services but, at the same time, is a convenient point of unauthorized entry. The Financial Services Industry has been fighting a battle since the beginning of the online banking era to make it secure and keep clients’ accounts safe. In spite of its efforts, the number of successful attacks targeting these institutions has continued to grow. Today, financial institutions must keep on providing online banking services and must also maintain the investments in network-based security solutions, both for the confidence of their customers and for their financial health.

The Underlying Infrastructure
The Financial Services Industry is more than just retail banking. It also includes trading organizations, brokerages and the exchanges themselves. Here, the focus is on data volume, speed and accuracy. Trades also need to be tracked with sub-microsecond precision to meet customer requirements, placing the network under an enormous strain.

The Need for a Comprehensive Security Solution
Like the companies themselves, the network is composed of different elements, each with their own set of requirements. Moreover, the network is not static, so these requirements may change. Looking for a comprehensive security solution, the companies must take into account different elements of the network, such as branch offices, trading floors, data centres and so on. However, several requirements should not be neglected:


Securing the Entire Network
In order to effectively protect the organization, the security solution must address the needs and diversity of the entire network, not just the core or the remote sites.

Minimizing Impact on Performance
Whilst the Financial Services Industry requires the highest levels of network security, it cannot be at the price of performance. High performance and low latency are both critical in the execution of trades or transactions.

Integrating Security into the Network Fabric
Tight integration of the security solution into the network is necessary to help eliminate redundant elements, reducing the Total Cost of Ownership (TCO) of the solution, and avoid performance bottlenecks.

Single Pane-of-Glass Management
A full-featured security solution is inherently complex and normally requires multiple administrators, particularly in larger environments. In such a context, centralized configuration is an absolute requirement.

Controlling the Users
Maintaining or regaining control over access is vital. Beyond authentication, control means being able to recognize the type of users, their “normal” behaviour, as well as their device and level of access to different network resources – this is key to identifying suspicious behaviour on the network.

Enabling Mobility
The increasing use of personal wireless devices makes the integration of the wireless component of the network into the security solution a key requirement.

Mitigating Advanced Internet Attacks
Threats targeting the network are constantly evolving and advanced targeted attacks such as APTs are now a reality. Real-time protection, including rapid signature and software updates to critical security functions, is a must.

The evolution of the financial services business environment forces firms to move towards a new strategic IT security model based on convergence and greater alignment to business needs. The legacy of point security solutions added over time has resulted in complex security implementations and the accumulation of rules and policies, which have all made financial institutions less effective in addressing the changing threat landscape. Industry-leading performance, an extremely rich feature set and an end-to-end solution that adapts to a dynamic environment and can be centrally managed are all part of Fortinet’s proposition. The Fortinet choice is being made by more and more FSI organizations – from trading firms to retail banks. Shouldn’t it be your next choice?



Wireless LAN | Insight

Secure wireless LANs in the 21st Century: Oxymoron or reality? Wireless has swept through the enterprise and changed the way people work in the process. But, keen to take advantage of the benefits, many have adopted without thinking through the security implications.

There have been a number of moments in the IT and network industry that can be considered as a “Paradigm Shift”. The personal computer, Ethernet over twisted pair, Digital Subscriber Line (DSL) and Voice over IP (VoIP) are just some of these. The introduction of wireless LAN (WLAN) is certainly another one of these moments. The ability to cut loose from the tether of the Ethernet cable has revolutionized the work place and completely changed the role and use of computers and other devices in the home. But the time has come to look more closely at WLAN technology in the 21st Century, which is full of user trends and cyber-threats that are exploiting the rapid growth and deployment of WLANs and their inherent weaknesses.

A Historical Perspective
So why, when compared with the traditional Local Area Network (LAN), does a WLAN come up short from a security perspective? It has nothing to do with technology but rather with history. Since the beginning of time, networking time that is, computers have been connected together by cables to form a LAN. In fact, the evolution of computers has been in lockstep with the evolution of LANs. As computers became cheaper, faster and smaller, the network evolved as well, adding new features and capabilities, including many facets of security that were integrated into the fabric of the network.

Convenience, Convenience, Convenience
Into this environment came the WLAN, offering convenience and freedom. No matter where you went you could still be connected to the network; what could be better than that? That level of convenience led WLAN technology to be rapidly adopted for providing Internet access from public places. Because the technology did not have any inherent security capabilities, most public WLANs adopted an approach of logging into a secure server to gain access to the Internet. For the average user, the requirement of needing some sort of login credentials was sufficient to control access to the network. It did not, however, keep a user off the actual WLAN, and a sufficiently skilled user could bypass the access control server. The risk, however, was a loss of revenue, not a loss of data, and was considered acceptable. Eventually a solution was developed to integrate a basic access control mechanism via a pre-shared key. Without the key it was not possible to connect to the WLAN. While flaws have been discovered, new versions of the mechanism have been developed and the majority of WLANs rely on this basic security strategy.


Keeping the Honest People Out
The problem, however, of using a pre-shared key to secure the WLAN is analogous to relying on a locked door to protect your home. All it does is keep the honest people out of your home. In a typical environment, the access key to the network is widely distributed and is rarely changed, automatically weakening its capability. Regardless of which algorithm is used – WEP, WPA or WPA2 Personal (Pre-Shared Key mode) – the problem remains the same. Once the access code is compromised, the network is no longer “secure”.

Focus on Today’s Threat
When evaluating the different WLAN offerings on the market today, the tendency is to focus on the RF side of the solution – what 802.11 standard does it support, what’s the maximum throughput, how many antennas does it have and how many users can be supported? Security, if even looked at, is relegated to a quick check of the algorithms supported and how cumbersome the network key will be to remember. However, security needs to be at the forefront of the decision making process rather than as an afterthought. Regardless of the size of the network, the first criterion must be security – how to protect it from the different threats that will be present from Day 1, threats that will grow and change during the network’s lifetime. The probability of these threats entering the network is greater than ever with the growth of “Bring Your Own Device” or BYOD – the use of unprotected personal devices on the network – whether authorized or not. Considering the threat environment that the network will be subjected to, is there a strategy that ensures maximum security throughout the whole of the network?
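The “one key for everyone” problem described above can be made concrete. The example below is added here and is not from the original article or from Fortinet; it uses the standard WPA2-Personal key derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations) to show that every client of a PSK network holds the same Pairwise Master Key, and then models the provisioning cost of revoking a single user under a shared key versus individual credentials. The SSID, passphrase and client names are constructed, and the per-user class models the accounting only, not the EAP exchange itself.

```python
"""What a shared pre-shared key means in practice: every client derives the same
key, and locking one user out means re-keying everyone.  Added illustration;
the SSID, passphrase and client names are constructed, and the per-user class
models the provisioning cost of individual credentials, not the EAP exchange."""
import hashlib
from typing import Dict, Set


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal Pairwise Master Key: PBKDF2-HMAC-SHA1 over the
    passphrase with the SSID as salt, 4096 iterations, 256 bits (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


class PskNetwork:
    """WEP/WPA/WPA2-Personal style: one passphrase handed to every client."""

    def __init__(self, ssid: str, passphrase: str) -> None:
        self.ssid = ssid
        self.passphrase = passphrase
        self.clients: Set[str] = set()
        self.rotations = 0

    def join(self, client: str) -> None:
        self.clients.add(client)

    def pmk_for(self, client: str) -> bytes:
        # The client's identity plays no part: everyone derives the same PMK.
        return wpa2_pmk(self.passphrase, self.ssid)

    def revoke(self, client: str) -> int:
        """Remove one client.  The only way to lock it out is a new passphrase,
        so every remaining client must be re-provisioned.  Returns that count."""
        self.clients.discard(client)
        self.rotations += 1
        self.passphrase = f"{self.passphrase}-rot{self.rotations}"  # constructed new key
        return len(self.clients)


class PerUserNetwork:
    """802.1X/EAP-style accounting: each client has its own credential, so
    revoking one leaves the others untouched."""

    def __init__(self) -> None:
        self.credentials: Dict[str, bytes] = {}

    def join(self, client: str, secret: str) -> None:
        self.credentials[client] = hashlib.sha256(secret.encode("utf-8")).digest()

    def revoke(self, client: str) -> int:
        self.credentials.pop(client, None)
        return 0  # nobody else needs reconfiguring


def compare(n_clients: int) -> Dict[str, object]:
    """Enrol n constructed clients on both designs, revoke one, report the cost."""
    names = [f"laptop-{i}" for i in range(n_clients)]
    psk = PskNetwork("corp-wifi", "constructed-passphrase")  # constructed values
    per_user = PerUserNetwork()
    for name in names:
        psk.join(name)
        per_user.join(name, f"secret-for-{name}")
    pmks = {psk.pmk_for(name) for name in names}
    return {
        "distinct_psk_keys": len(pmks),                                        # 1
        "distinct_per_user_credentials": len(set(per_user.credentials.values())),
        "psk_reprovision_after_revoke": psk.revoke(names[0]),                  # n_clients - 1
        "per_user_reprovision_after_revoke": per_user.revoke(names[0]),        # 0
    }


if __name__ == "__main__":
    print(compare(5))
```

Because the PMK depends only on the passphrase and SSID, the set of keys across all clients collapses to one, which is exactly why a leaked or departed-employee passphrase compromises the whole WLAN and why rotating it is so rarely done in practice: every remaining device has to be touched. With individual credentials the revocation is a single-row change.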

In most, if not all, instances the WLAN is part of a larger, wired network, and that network can be thought of as having two distinct components: the underlying infrastructure and an access layer. The network should have a single access layer for all of the wired and wireless connections, tying all of the users and applications to the infrastructure. At the same time, the security fabric of the network, which normally stops at the infrastructure, is extended so that the infrastructure and access layers are tied together by a single, strong security environment. This architecture ensures that all users – regardless of access method – are protected through a common set of rules and policies.

Integration and Security
Rather than the traditional approach of looking at the WLAN as an overlay network with some degree of integration into the underlying wired network, the Secure Wireless LAN architecture described here provides a fully integrated extension of the wired network, offering the full range of wireless features and conveniences, complemented by a single and comprehensive security capability.



