Next-Generation IT and Network Security

“Bring your own device” (BYOD) is frequently cited as an example of why network security and access control matter. While a firewall should never be treated as the be-all and end-all, next-generation firewalls (NGFWs), which analyze traffic at the application level rather than by port alone, offer a whole new level of protection.

E-mail security specialist Mimecast recently discovered a serious weakness in Microsoft Excel. According to Heise, security researchers at the UK-based company prepared an Excel document so that, once the file was downloaded and opened, malicious code was fetched from a remote server and executed by abusing Excel's Power Query feature. Power Query is a data import and transformation tool (used, for example, to pull in current exchange rates) and can be made to trigger the Dynamic Data Exchange (DDE) protocol, for which Microsoft had already published workarounds following an exploit at the end of 2017. Mimecast strongly recommends applying these workarounds and, on older versions of Excel where Power Query is an add-in, ideally uninstalling the add-in entirely.

Humans – The Weakest Link

A considerable number of malware and hacker attacks still reach company computers and IT systems via e-mail attachments. Humans are generally the biggest security weakness in a company. Risks frequently arrive as phishing e-mails purporting to be, for example, warning letters from official authorities.

More and more users are still opening themselves up to attacks and malware by clicking fraudulent links in e-mails or on websites, or by installing deceptive apps on mobile devices. A good firewall is one way of battening down the hatches against suspected attack attempts and connections to destinations of unknown origin; it does not, however, replace user awareness.


Next-Gen Firewalls Provide More Effective Protection

Protecting the perimeter with conventional firewalls is no longer adequate to shield users and companies against dangers such as advanced persistent threats (APTs). According to Security Insider, these use attack tools tailored to the specific target environment. Beyond that, a conventional, port-based firewall sees only TCP port 443 and cannot tell whether a user is browsing via HTTPS, communicating via Skype, or transferring data to a cloud service such as Dropbox: all three look like “HTTPS” to a port rule.

By contrast, next-generation firewalls (NGFWs) inspect not only the protocol and port but also the data stream itself, identifying the application behind a connection, flagging unusual activity and filtering out infected files. For encrypted traffic this means either evaluating the cleartext metadata of the TLS handshake (for example the server name the client requests) or terminating and re-encrypting the TLS session on the firewall so that the content can be inspected.
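The following is an added example (not code from the original article or from any firewall vendor) of the difference just described: a port-based rule sees “443, allow”, while an application-aware check parses the Server Name Indication (SNI) from the TLS ClientHello and can block a flow to a named cloud service. The ClientHello bytes are constructed inline for the test; the blocked-domain list and the verdict strings are assumptions for the illustration.

```python
"""Port-based vs. application-aware classification of a TLS flow on port 443.
Added example: parses the SNI extension of a constructed ClientHello."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Test input only: the 32 'random' bytes are fixed, not a real client's."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    exts = struct.pack(">HH", 0x002B, 3) + b"\x02\x03\x04"          # supported_versions (skipped by parser)
    exts += struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the SNI host name from the first TLS record, or None when the
    payload is not a well-formed ClientHello with an SNI extension."""
    if len(payload) < 5 or payload[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack(">H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 39 or hs[0] != CLIENT_HELLO:
        return None
    p = 4 + 2 + 32                                    # handshake header, version, random
    p += 1 + hs[p]                                    # session id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]      # cipher suites
    if p + 1 > len(hs):
        return None
    p += 1 + hs[p]                                    # compression methods
    if p + 2 > len(hs):
        return None                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= min(ext_end, len(hs)):
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:
            q, q_end = p + 2, min(p + elen, len(hs))  # skip server_name_list length
            while q + 3 <= q_end:
                ntype = hs[q]
                nlen = struct.unpack(">H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and q + nlen <= len(hs):
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


def port_only_verdict(dst_port: int) -> str:
    """What a conventional port-based rule set sees: 443 is 'HTTPS', full stop."""
    return "allow" if dst_port == 443 else "deny"


def app_aware_verdict(dst_port: int, payload: bytes, blocked_suffixes) -> str:
    """Application-aware rule: decide by the server name in the handshake."""
    if dst_port != 443:
        return "deny"
    sni = extract_sni(payload)
    if sni is None:
        return "allow-uninspected"                    # no SNI: opaque to this check
    host = sni.lower().rstrip(".")
    for suffix in blocked_suffixes:
        if host == suffix or host.endswith("." + suffix):
            return "block"
    return "allow"


if __name__ == "__main__":
    for host in ("www.example.com", "www.dropbox.com"):
        hello = build_client_hello(host)
        print(host, port_only_verdict(443), app_aware_verdict(443, hello, {"dropbox.com"}))
```

Two caveats a practitioner should keep in mind: the SNI is client-supplied and is only a hint until the server certificate (or a decrypted session) confirms the destination, and Encrypted Client Hello (ECH) removes the cleartext SNI altogether, which is why real NGFWs combine this with certificate inspection and, where policy allows, TLS interception.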

AES Encryption and Hash Algorithms

Gartner’s Magic Quadrant for Enterprise Network Firewalls lists Check Point, Fortinet and Palo Alto Networks among the leaders in the field, Cisco and Huawei as challengers and Forcepoint and Sophos as visionaries. Almost all of these vendors integrate VPNs (virtual private networks) into their systems to give field staff and remote employees access to the corporate network. They support IPsec and TLS (Transport Layer Security; its predecessor SSL is deprecated and should no longer be enabled) with current encryption methods.

The German Federal Office for Information Security (BSI) recommends AES with 128-bit or 256-bit keys for encryption and the SHA-2 and SHA-3 families for hash functions. A hash function takes an input byte string of any length and produces a digest of fixed length: SHA-256 yields a 256-bit digest, usually written as 64 hexadecimal characters, while SHA-512 yields a 512-bit digest, or 128 hexadecimal characters, regardless of how long the input was (see hash generators).

Even the slightest change to the input alters the entire digest (the avalanche effect). How hard it is to recover an input from its digest depends on the digest length and the design of the function, not on how long or complex the input happens to be. With computers becoming ever more powerful, the older functions have fallen: practical collisions exist for MD5 and SHA-1, whereas no practical attack on SHA-2 is known. The well-publicized hacks of blockchain-based cryptocurrencies such as Bitcoin and Ethereum, which rely on such hash functions, exploited exchanges, wallets and smart-contract bugs rather than weaknesses in the hash functions themselves, so the doubts sometimes voiced about their security should be read with that distinction in mind (see Dusted Codes and Computerwoche).

Background: SHA-2 and Hash Generators
In cryptology, a hash function maps a character string of any length onto one of fixed length, known as the hash value or digest. How digests of different lengths are produced by the various algorithms is demonstrated by hash generators such as those from Thomas Falkner and Henrik Thesing. With the older MD5 and SHA-1 methods, the digests consist of just 32 and 40 hexadecimal characters (128 and 160 bits) respectively and neither is considered collision-resistant any more, while SHA-512 and Whirlpool each produce 128 characters (512 bits). Irrespective of the length of the message, a digest of the same length is generated in each case, but changing even one letter in the input alters the entire string.

An example: “Hello” written with upper-case and lower-case “H” in SHA-256:

Hello – 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

hello – 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Of course, things are not quite as simple as the example above suggests. The Secure Hash Algorithm (currently SHA-2, which is still considered secure; SHA-3 is already standardized and will gradually take over) first pads the message according to the Merkle–Damgård construction: a single 1 bit, enough 0 bits and the original message length are appended so that the result can be split into blocks of sixteen words, 32-bit words for SHA-256 (512-bit blocks) and 64-bit words for SHA-512 (1,024-bit blocks). The blocks are then processed one after the other by a compression function that runs a fixed number of rounds: 64 for SHA-256 and 80 for SHA-512. In each round a word derived from the message block and a fixed round constant are mixed into eight working variables using bitwise operations and addition modulo 2^32 (SHA-256) or modulo 2^64 (SHA-512). Note that this is not encryption: there is no key and nothing is meant to be reversed, which is precisely what makes the function one-way. Is your head swimming yet? Modulo (mod), incidentally, is the remainder left after one number is divided by another and is used, for example, in calculating check digits such as those in IBANs for bank accounts or ISBNs for books. A check digit is a very simple algorithm, but to show how quickly even simple ones become fiddly, here is how the check digit of the newer ISBN-13 is calculated: take the first twelve digits, multiply them alternately by 1 (odd positions) and 3 (even positions), add up the products and take the result mod 10; the check digit is the difference to the next multiple of 10, and 0 if the sum is already a multiple of 10. The old ISBN-10 used a different formula again: the first nine digits are weighted 10 down to 2, and the check digit is chosen so that the weighted sum is divisible by 11, with the value 10 written as an “X”. As you can see, it is not that simple.

Post-Perimeter Security

Even with the best encryption algorithms, perimeter security alone is not enough to protect systems effectively. After all, as already mentioned, careless handling of e-mails and links often makes it easy for attackers to get a foothold on computers and corporate networks. That is why mobile security specialist Lookout already speaks of “post-perimeter security”: applying a zero-trust approach, in which no device or network location is trusted by default, to the data on end devices as well. Of course, BYOD users expect to bring their devices to the company and still use their personal apps. According to Gartner, there are signs that unified endpoint management (UEM) will increasingly replace conventional mobile device management (MDM) and enterprise mobility management (EMM).

Endpoint Detection and Response from Trend Micro

Security provider Trend Micro, a major supplier in Proservia’s security portfolio, protects endpoints with endpoint detection and response (EDR), a means of identifying threats that have already reached a device quickly and responding to them immediately.

This is where Trend Micro’s Endpoint Sensor comes in. It continuously records system events and behavior on endpoints and matches them against indicators of attack and compromise to detect threats, so that they can be contained and investigated rather than merely blocked at the perimeter.


It’s All About Access Control

When it comes to restricting access to networks, all the major vendors and standards bodies have their own terminology. Microsoft, for example, called it Network Access Protection, while Cisco refers to it as Network Admission Control. The term that has come to prevail, however, is “network access control” (NAC), as outlined in the BSI’s overview paper on network access control (Überblickspapier Netzzugangskontrolle), which explains the technology in simple terms and provides application examples and recommendations. Among other things, the BSI paper describes using virtual LANs (VLANs) to grant guests or employees access to certain segments of a network without exposing the corporate network as a whole.

Plenty More Potential Risks

Even following every single one of the BSI’s recommendations would still leave residual risk. After all, any mistake made in the complex task of drawing up the access policy for network traffic, such as a rule that is too broad or ordered so that a later, stricter rule never matches, can result in access being authorized incorrectly, opening up the local network and important information to unwanted visitors. Policies therefore need to be reviewed and tested, not just written.

In addition, the strength of the separation between physical networks and VLANs depends not only on the NAC system but also on the switches and routers that actually enforce it. Among vendors such as Cisco, the general trend is toward a combination of hardware and software solutions and toward software-defined networking (SDN), which promises simpler and less error-prone configuration.

Image source: iStock / AndreyPopov