
CLYDE CONSULTING
October 2010

Beyond the Wall: Security in a Post-Perimeter World

Walls have served multiple purposes throughout history. The Great Wall of China defended against invaders, while
the Berlin Wall kept citizens from freely traveling beyond the control of their rulers.

Network security relies on similar premises. For years network security professionals touted “perimeter security” as
the primary solution to keep the bad guys out and the good guys in. However, just as guns and air attacks overcame
protective walls, changes in malware attacks have rendered network firewalls and perimeter-centric security an
ineffective defense. Simultaneously, the increasingly mobile workforce makes an on-premise approach even more futile.
Walls can no longer keep the bad guys out, nor can they keep the good guys in.

Welcome to the post-perimeter world.


The Bad Guys Are Getting In

“Protect the perimeter” is no longer an effective strategy against the attacks of malicious code writers. Malware programs
like worms and Trojans are aptly named. They are able to get inside the wall. As the volume of these malicious programs
explodes, the perimeter cannot hold.

According to NSS Labs, an independent product analysis lab, most attacks are exploit-based attacks that are delivered
via e-mail or compromised Web sites. They target vulnerabilities in Web browsers, plug-ins and client-side applications.
Once these exploits are inside the wall, the pillaging of valuable data begins. The Open Security Foundation’s annual
Data Loss report lists 586 publicly recorded data breaches in 2009 that affected more than 200 million records of
“personally identifying information.”

FIGURE 1 Breakdown of 2009 Recorded Data Breaches by Sector and Data Type (two pie charts)
By sector: BIZ 52%, GOV 18%, EDU 15%, MED 15%
By data type: NAA 33%, SSN 25%, DOB 9%, CCN 7%, MED 7%, MISC 7%, ACC 6%, FIN 5%, EMA 1%
Legend: CCN Credit Card Number; DOB Date of Birth; SSN Social Security Number; NAA Names and/or Addresses;
EMA Email Addresses; ACC Account Information; FIN Financial Information; MED Medical Information;
MISC Other personally identifying information, such as other logins and passwords to various sites and applications
Source: Open Security Foundation

Mercenaries for Hire

The proliferation of malicious code is driven by a sophisticated underground economy. Password-stealing Trojans and
programs that export user data are rampant. A decade ago, many virus and malware writers sought publicity. Now,
virtually all seek financial gain. In fact, in some countries, writing code for organized crime syndicates is a prestigious
career. It presents an opportunity for both personal wealth and economic growth for developing economies. There are
vast sums of money made in the black market of IDs and credit card numbers and login credentials. Symantec found
the estimated value of advertised stolen credit cards exceeds five billion dollars, and the value of advertised stolen
bank account IDs/passwords is more than seven million dollars. This underground economy funds the development
of malicious code to facilitate the collection of marketable data.

As a result, the volume of dangerous code being launched at network security perimeters continues to mushroom. The
number of new signatures has doubled year-over-year and will likely approach four million in 2010. This never-ending
explosion of malicious code limits the effectiveness of traditional signature-based antivirus programs. A recent
NSS Labs test found that many products are ineffective at stopping exploits and estimated that 70 to 75 percent of
companies are under-protected.

FIGURE 2 Numbers of New Signatures (bar chart)
2002:    20,254
2003:    19,159
2004:    74,981
2005:   113,081
2006:   167,069
2007:   708,742
2008: 1,691,323
2009: 2,895,802
Source: Internet Security Threat Report, Symantec April 2010

© 2010 Clyde Consulting, LLC
One might think that increasing protection through perimeter reinforcement can keep thieves out. These cyber
mercenaries-for-hire have mastered the ways to appear legitimate. While it is widely understood that credit card
numbers, bank account numbers and social security numbers are valuable information, one might not realize
that Web site and application login credentials are also highly sought data.

When a keylogger finds its way onto an employee’s laptop while it is outside the wall of the corporate network, it can
gather login information to Customer Resource Management (CRM) and Human Resource (HR) applications. Then
the bad guys don’t need to hack in to steal valuable customer billing data or employee personal data because they have
the keys to open the door. As a result, the market to buy and sell logins and passwords continues to grow.

FIGURE 3

ITEM                               | RANGE OF PRICES
Credit card information            | $0.85 – $30
Bank account credentials           | $15 – $850
Email accounts                     | $1 – $20
Email addresses                    | $1.70/MB – $15/MB
Shell scripts                      | $2 – $5
Full identities                    | $0.70 – $20
Credit card dumps                  | $4 – $150
Mailers                            | $4 – $10
Cash-out services                  | $0 – $600 plus 50% – 60%
Website administration credentials | $2 – $30
Source: Internet Security Threat Report, Symantec April 2010

Bad Guys Posing as Good Guys


The “Beefmaster” case in 2009 demonstrates the value of login credentials and the harm that can be inflicted after that
information is compromised. Andrew Brandt, Lead Threat Research Analyst for Webroot, documented the details of
the case in the January 2010 edition of the Network Security Newsletter.

In this case and others like it, the bad guys start by stealing Web site administration credentials from a Web site
administrator who works on a legitimate Web page. This is done using a keylogger. In this case, a keylogger found its
way onto a friend’s laptop and when the Web site administrator used that laptop to log in to do his job, his FTP login
credentials were captured and later sold on the black market.

After being purchased, the compromised credentials were inserted into another malicious program that systematically
logs into sites, identifies html files with “index” or “default” in the name and replaces them with another piece of evil
code that loads a keylogger onto the computer of anyone who visits the Web page.

FIGURE 4 Beefmaster cycle (diagram): keylogger on the Webmaster; Beefmaster adding malware; malware infects users
who visit the site; Webmaster removing malware.
Source: Webroot

As soon as the real Web site administrator realized there was bad code on his site, he removed it. However, his login
credentials were compromised, and the program continued to log in and continuously re-inserted the malware code
into the Web pages. More than 1,600 files were modified. The errant FTP connections came from 60 different, unique
IP addresses, making it virtually impossible to track down a location for the person who led this effort.
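The case leaves two traces in the server's own FTP records: one account uploading from many distinct client IPs, and the same account repeatedly rewriting pages with “index” or “default” in the name. As an added defensive illustration (not part of the original paper or of Webroot's analysis), the Python below pulls both signals out of a transfer log and flags accounts that show both at once. The log lines and the simplified record layout are constructed for this example and are not the real xferlog format.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified FTP transfer-log layout (not real data,
# not the real xferlog format): date, time, client IP, account, command, path.
SAMPLE_LOG = """\
2009-11-02 01:12:44 203.0.113.10 webadmin STOR /public_html/index.html
2009-11-02 01:13:01 198.51.100.7 webadmin STOR /public_html/blog/index.htm
2009-11-02 01:13:30 192.0.2.55 webadmin STOR /public_html/shop/default.html
2009-11-02 02:02:10 203.0.113.10 webadmin STOR /public_html/about/index.html
2009-11-02 09:15:00 192.0.2.200 webadmin RETR /public_html/logo.png
2009-11-02 09:16:12 192.0.2.200 designer STOR /public_html/css/style.css
2009-11-02 09:20:45 192.0.2.200 designer STOR /public_html/index.html
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (STOR|RETR|DELE) (\S+)$")
# The pages the Beefmaster program rewrote: HTML files with "index" or "default" in the name.
TARGET_RE = re.compile(r"(index|default)[^/]*\.html?$", re.IGNORECASE)


def parse_line(line):
    """Split one record into (timestamp, ip, user, command, path); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def is_target_page(path):
    """True when the file name is an index/default HTML page."""
    return TARGET_RE.search(path.rsplit("/", 1)[-1]) is not None


def summarize_uploads(log_text):
    """Per account: distinct client IPs that uploaded, and how many uploads hit entry pages."""
    stats = defaultdict(lambda: {"ips": set(), "target_writes": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, ip, user, cmd, path = rec
        if cmd != "STOR":
            continue  # downloads cannot replace site content
        acct = stats[user]
        acct["ips"].add(ip)
        if is_target_page(path):
            acct["target_writes"] += 1
            acct["paths"].add(path)
    return stats


def flag_accounts(log_text, min_ips=3, min_target_writes=3):
    """Accounts whose uploads came from several distinct IPs AND repeatedly rewrote entry pages.

    Either signal alone is noisy (a webmaster travels; a redesign touches index.html);
    the two together match the pattern described in the case.
    """
    flagged = {}
    for user, acct in summarize_uploads(log_text).items():
        if len(acct["ips"]) >= min_ips and acct["target_writes"] >= min_target_writes:
            flagged[user] = {"ip_count": len(acct["ips"]),
                             "target_writes": acct["target_writes"],
                             "paths": sorted(acct["paths"])}
    return flagged


if __name__ == "__main__":
    for user, info in flag_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['ip_count']} client IPs, {info['target_writes']} entry-page uploads")
        for p in info["paths"]:
            print("   ", p)
```

A hit is the cue to rotate that account's credentials and restore the listed pages from a known-good copy; the thresholds are starting points to tune against a site's normal publishing pattern.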

While some people may not be aware of specific stories like this one, most do have a general sense that these threats
are real and growing. InformationWeek Analytics’ Strategic Security Survey found that a majority of companies
surveyed expect a security breach in the next year. Among companies with fewer than 1,000 employees, 84 percent
of respondents state that malware is the most likely security breach they will face. Almost half also think a Web or
application exploit will breach security. Respondents to the same survey identified the serious risks associated with
these breaches, such as network or application downtime, and theft of valuable information.

The big question is what should companies do about it?

FIGURE 5 Which Types of Security Breaches or Espionage Are Most Likely to Occur in Your Company Within the Next Year?
(percent of respondents; 2010 / 2009)
Malware (viruses, worms, botnets):          84% / N/A
Phishing:                                   56% / 41%
Operating system vulnerabilities attacked:  52% / 48%
Web or software applications exploited:     44% / N/A
Denial of service:                          25% / 29%
Source: Strategic Security Survey, InformationWeek Analytics, May 2010

FIGURE 6 What Will be the Impacts of These Breaches? (percent of respondents)
Network or business applications unavailable:  57%
IP theft or confidentiality compromised:       54%
Minor financial losses:                        39%
Customer records compromised:                  39%
Other internal records lost:                   39%
Identity theft:                                34%
Legal liability:                               34%
Violated regs re: data security:               30%
Fraud:                                         29%
Source: Strategic Security Survey, InformationWeek Analytics, May 2010

The Good Guys Are Getting Out

The ever-growing number of assaults via malware and exploits is only part of the challenge facing companies today.
An even bigger dilemma is protecting corporate data against these assaults in a world of mobile employees.

The era of the walled cities didn’t end simply because their ability to protect diminished. Many rulers found that over
time their people refused to live behind a wall. The human desire to not be captive is powerful. Likewise, employees
want to be free. Free to work from anywhere, and free to use whatever devices they want to access work files and data.
The days of only company issued assets connecting to secure parts of the IT infrastructure are gone.

According to International Data Corp (IDC), more than one billion non-PC mobile devices will access the Internet
in 2010. In keeping with that trend, IDC reports that “mobility” is cited as the number one factor driving increased
security spending. IT security professionals are realizing how challenging it is to protect employees who are outside
the perimeter.

Regardless of the security challenges associated with mobile workers, employees are committed to working from
outside the perimeter. Recent research sponsored by Unisys and conducted by IDC found that 75 percent of
“information workers” are willing to pay at least part of the cost of IT tools in order to be able to use what they
want. This “consumerization” of IT raises some new and unique concerns for maintaining security and managing
corporate IT infrastructure.

FIGURE 7 Percent of Respondents Using for... (stacked bars: business / both / personal; only one value per item
survived extraction)
Laptop 61%; Mobile phone 52%; Smart phone 55%; GPS 38%; Text or IM 47%; Professional social networks 36%;
Accessing blogs 35%; Google Apps 51%
Companies with 500+ employees, N=2,820
Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010

IDC predicts the percent of workers using smart phones and social networking is expected to double from
approximately 40 percent to almost 80 percent by 2013. In addition to the increased number of consumer devices
accessing company networks, many interactive Web applications are being used via a corporate network connection.

The explosion of Web applications and software-as-a-service (SaaS) means that employees using any Internet
connected device anywhere in the world can access vital business applications with just a login. This trend towards
anywhere-and-everywhere computing is fueling a shift away from software sold as a packaged product. IDC expects
that by 2012, less than 15 percent of new software firms will ever ship a packaged product (CD). Tied to this, IDC
predicts continued growth in the SaaS market. IDC estimates that the SaaS market reached $13.1 billion in revenue
in 2009, and will grow to $40.5 billion by 2014—a compound annual growth rate (CAGR) of just over 25 percent.

FIGURE 8 Percent Respondents Using for Both Business and Personal (bar chart; categories: Email, Web browsing,
Shared docs, Web or audio IM, Text messaging, Internet video, Google Apps, Internet phone, Professional networking,
Blogs/wikis, Video streaming, YouTube, Twitter; values did not survive extraction)
Companies with 500+ employees, N=2,820
Source: A Consumer Revolution in the Enterprise by IDC, sponsored by Unisys, June 2010

This is the post-perimeter world. No longer can an artificial wall separate business and personal use of devices,
Web sites, social networks, and other tools. Businesses need to embrace this new paradigm by:
• providing solid security at the point that users connect to business applications
• ensuring valuable data is protected
• constantly updating device-level protection.

Citizens Still Must be Protected

The explosion of malicious code and onslaught of mobile employees mean an increased number of data-security
breaches. Companies are not alone in wanting to protect valuable data. Governments around the world also are
attempting to address these concerns.

In many countries, government is expected to play an important role in fighting crime, identifying fraud and
protecting the valuable personal data of its citizens. The laws and regulations that have emerged require companies
to implement specific measures aimed at protecting data.

FIGURE 9

        | WHAT IT IS                          | WHAT IT DOES                                                   | WHO IT IMPACTS MOST
GLBA    | Gramm-Leach-Bliley Act              | Requires that sensitive information sent across the Internet   | Finance industry
        |                                     | is encrypted                                                   |
DPA     | Data Protection Act of 1998         | Protects people’s personal information by imposing legal       | European companies that handle
        |                                     | obligations on anyone processing personal data                 | personal data
SOX     | Sarbanes-Oxley Act                  | Protects shareholders and the general public from accounting   | Finance industry, public companies
        |                                     | errors and scandals by requiring all public companies to       | that register their shares for sale
        |                                     | retain email and business records for at least 7 years         | on a US Stock Exchange
FRCP    | Federal Rules of Civil Procedure    | Enforces data retention standards by requiring companies to    | Any business that may become
        |                                     | produce records within a set amount of time                    | involved in a court case
FOIA    | Freedom of Information Acts         | Gives citizens the right to have copies of any information     | UK and US government organizations
        |                                     | that government or commercial bodies are holding on them       |
HIPAA   | Health Insurance Portability and    | Ensures the privacy and confidentiality of patients’           | Healthcare industry
        | Accountability Act                  | healthcare information                                         |
PCI-DSS | Payment Card Information Data       | Enforces global standards to protect credit card data against  | Anyone that handles payment card
        | Security Standard                   | theft and fraud                                                | transactions
CIPA    | Children’s Internet Protection Act  | Prevents access to offensive Internet content on school and    | Education industry
        |                                     | library computers                                              |

Source: Webroot

These well-intentioned efforts can place additional burdens on companies to ensure regulatory compliance in their
approach to information security. Staying ahead of malware attacks and securing a mobile workforce to protect
valuable data and ensure regulatory compliance is a tall order for even the largest IT security department. For many
small- and medium-sized businesses, the challenge often is insurmountable.

Beyond the Perimeter Is the Cloud

Now that users are outside the perimeter and working in and through what has come to be known as “the cloud,” it
makes sense that security also must be provided and managed in the cloud. This is good news. Companies no longer
need to attempt to staff and maintain a large data security infrastructure.

The changes in attack vectors, user behaviors and Web-centric computing from anywhere and everywhere make
perimeter security inadequate. The time has come for a new post-perimeter approach to information security.

The benefits of moving to the cloud are not merely speculative. In a global study, commissioned by Webroot, Web
Security professionals in Australia, the United Kingdom, and the United States identified simplicity, effectiveness, and
blocking access to inappropriate sites as the top three reasons for adopting security SaaS.

The Forrester paper “Real-World Insights into SaaS Implementation Success” summarizes the experiences of clients
who have completed SaaS implementations. The proven SaaS benefits discussed in the report are:
• Speed to deploy
• Responsive service from vendor
• Lower costs
• Faster deployment of latest innovations
• Easy-to-use interfaces
• Security

It’s noteworthy that security is included on the list of benefits, given that it often is identified as a top concern for those
considering a SaaS purchase. However, customers who have implemented SaaS affirm that it offers a superior security
option. The Forrester study confirms this:

“The majority of the customers we interviewed revealed that their SaaS vendors were doing more to secure their data than their
own IT departments could do. One reference said, ‘Our greatest fear became our biggest confidence.’”

FIGURE 10 Perimeter vs. Post-Perimeter Security (two-panel diagram, “Perimeter” and “Post-Perimeter”). Elements
shown: Web surfing, Facebook, Web 2.0, CRM, ERP, consumer IM, Skype, webmail, hosted email, Twitter, home office,
mobile devices, external storage devices, consumer IT, company computers and infrastructure.
Source: Webroot

This statement is particularly auspicious for small- and medium-size enterprises that are less likely to have the budget
and staff resources to effectively manage IT security in-house.

Farewell to the Company Data Center


It’s not just the perimeter that is going away. Much of the infrastructure that historically was contained within a company’s
walls is also going away. As employees increasingly rely on personal devices to perform work functions and business
applications are provided as services instead of software installs, the need for company data centers is eliminated.

Gartner predicts that by 2012, 20 percent of businesses will own no IT assets. According to Gartner, “Several
interrelated trends are driving the movement toward decreased IT hardware assets, such as virtualization, cloud-enabled
services, and employees running personal desktops and notebook systems on corporate networks.” This trend will
also make Virtual Private Networks (VPNs) obsolete.

This means a field-leveling opportunity for smaller companies that want to compete with larger companies. No longer
will they need to invest in a hardware-intensive infrastructure. Start-up companies should be selecting SaaS solutions
instead of shopping for servers. Established small- and medium-sized businesses should retire application software
along with the server it is housed upon and migrate to a SaaS security solution.

For larger companies, server consolidation efforts can be accelerated to lower overhead. SaaS means they too can gain
efficiencies and eliminate hardware and maintenance costs.

What’s Next?
In the coming years, expect to see virtually every aspect of IT security transition to the cloud. IDC’s “Worldwide
Security SaaS Forecast by Market” details the growth they predict in the various security segments during the next
several years.

FIGURE 11 Worldwide Security SaaS Forecast by Market (stacked chart, 2008–2013, $0–$5,000M). Segments, bottom to
top: Messaging security; Web security; Endpoint security; Network security; Identity and access management;
Security and vulnerability management; Other.
Source: IDC March 2010

The faster companies adapt to this new post-perimeter world and seek security solutions that do not rely on antivirus
signatures as their primary means of protection, the faster they can secure valuable information.

In order to take advantage of this trend companies should seek a security SaaS vendor that provides the following:
1. Cloud-centric solution that offers superior protection for mobile workers. This means it runs primarily in the cloud
while still providing the necessary endpoint protection.

2. Scalable cloud service to grow with the business. This will reduce implementation costs and simplify
ongoing management.
3. Complete SaaS solution that includes both e-mail and Web protection. This ensures that valuable company
data is secured.
4. Innovative technical approach based on pro-active protection that is not merely signature-based. This
protects against nearly all attacks, not only the ones for which there are already signatures.

The Great Wall of China and the site of the Berlin Wall are certainly worth a visit, but their utility to protect and
contain has ceased. The day is fast approaching when out-dated network firewalls and extraneous servers can be sent
off to the “Perimeter-Security Museum.”

About the Author


A recognized industry leader, Robert Clyde serves as the Managing Partner of Clyde Consulting LLC and provides executive
advisory services to innovative security companies. Rob has more than 25 years of experience as a security software expert and
he has had leadership roles in startup and small businesses as well as mid-size and large companies, including Symantec and
Axent Technologies. As CTO at Symantec, Rob was a key member of the management team that drove the company to grow
from slightly under $1B in revenue to more than $5B, during which time the stock split three times.

An Internet security pioneer and innovator, he is credited with the creation of the first commercial intrusion detection system.
He is a Certified Information Security Manager and founding board member of both SAFEcode and the IT-ISAC. In 2010,
Rob received the coveted Joseph J. Wasserman award from the New York Metro Chapter of Information Security Audit and
Control Association.

Sources

Forrester Research, “Real-World Insights Into SaaS Implementation Success,” May 2010
Gartner, “Top Predictions for IT Organizations and Users, 2010 and Beyond,” December 2009
IDC, “Worldwide Software as a Service 2010 – 2014 Forecast: Software Will Never Be the Same,” June 2010
IDC, sponsored by Unisys, “A Consumer Revolution In The Enterprise,” June 2010
InformationWeek Analytics, “Strategic Security Survey,” April 2010
Network Security Newsletter, “When Admins Attack,” January 2010
NSS Labs, “Q2 2010 Endpoint Protection Product Group Test Report: Host Intrusion Prevention,” July 2010
Open Security Foundation’s Data Loss Database, 2009 yearly report, datalossdb.org
Symantec, “Internet Security Threat Report,” April 2010
Unisys, “Poll: Information Workers Ready and Willing to Purchase Their Own Technology for Work,” August 10, 2010
Webroot, “Web Security in SMBs,” March 2010
