Mobile Access Safety Mobile Access Safety Beyond BYOD Dominique Assing Stéphane Calé Firstpublished2013inGreatBritainandtheUnitedStatesbyISTELtdandJohnWiley&Sons,Inc. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permittedundertheCopyright,DesignsandPatentsAct1988,thispublicationmayonlybereproduced, storedortransmitted,inanyformorbyanymeans,withthepriorpermissioninwritingofthepublishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentionedaddress: ISTELtd JohnWiley&Sons,Inc. 27-37StGeorge’sRoad 111RiverStreet LondonSW194EU Hoboken,NJ07030 UK USA www.iste.co.uk www.wiley.com ©ISTELtd2013 TherightsofDominiqueAssingandStéphaneCalétobeidentifiedastheauthorofthisworkhavebeen assertedbytheminaccordancewiththeCopyright,DesignsandPatentsAct1988. LibraryofCongressControlNumber: 2012951550 BritishLibraryCataloguing-in-PublicationData ACIPrecordforthisbookisavailablefromtheBritishLibrary ISBN:978-1-84821-435-4 PrintedandboundinGreatBritainbyCPIGroup(UK)Ltd.,Croydon,SurreyCR04YY Table of Contents Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix Chapter1.AnOrdinaryDayintheLifeofMr.Rowley, ortheDangersofVirtualizationandMobility . . . . . . . . . . . . . . 1 1.1.Abusyday . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2.Theupsanddownsoftheday . . . . . . . . . . . . . . . . . . . . . 3 1.3.Whatactuallyhappened? . . . . . . . . . . . . . . . . . . . . . . . . 3 Chapter2.ThreatsandAttacks . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.Reconnaissancephase . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.1.Passivemodeinformationgatheringtechniques . . . . . . . 10 2.1.2.Activemodeinformationgatheringtechniques . . . . . . . . 14 2.2.Identity/authenticationattack. . . . . . . . . . . . . . . . . . . . . . 22 2.2.1.ARPspoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2.2.IPspoofing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2.3.Connectionhijacking . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.4.Maninthemiddle . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.5.DNSspoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.2.6.Replayattack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.2.7.Reboundintrusion . . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.2.8.Passwordhacking. . . . . . . . . . . . . . . . . . . . . . . . . . . 32 2.2.9.TheinsecurityofSSL/TLS. . . . . . . . . . . . . . . . . . . . . 34 2.3.Confidentialityattack. . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.3.1.Espionagesoftware. . . . . . . . . . . . . . . . . . . . . . . . . . 39 2.3.2.Trojans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.3.3.Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 2.3.4.Crackingencrypteddata . . . . . . . . . . . . . . . . . . . . . . 44 vi MobileAccessSafety 2.4.Availabilityattack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.4.1.ICMPFlood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.4.2.SYNFlood. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.4.3.Smurfing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 2.4.4.LogFlood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 2.4.5.Worms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 2.5.Attackonsoftwareintegrity . . . . . . . . . . . . . . . . . . . . . . 55 2.6.BYOD:mixed-genrethreatsandattacks. . . . . . . . . . . . . . . 57 2.7.InterceptionofGSM/GPRS/EDGEcommunications. . . . . . . 61 Chapter3.TechnologicalCountermeasures. . . . . . . . . . . . . . . . 65 3.1.Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3.1.1.Protectionofmobileequipment. . . . . . . . . . . . . . . . . . 67 3.1.2.Dataprotection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 3.2.Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 3.2.1.Systemsofintrusiondetection. . . . . . . . . . . . . . . . . . . 81 3.2.2.Honeypot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 3.2.3.Managementandsupervisiontools. . . . . . . . . . . . . . . . 91 3.3.Reaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 3.3.1.Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 3.3.2.Reverseproxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 3.3.3.Antivirussoftware . . . . . . . . . . . . . . . . . . . . . . . . . . 104 3.3.4.Antivirussoftware:anessentialbuildingblock butinneedofcompletion. . . . . . . . . . . . . . . . . . . . . . . . . . 107 3.4.Organizingtheinformationsystem’ssecurity . . . . . . . . . . . 108 3.4.1.Whatissecurityorganization?. . . . . . . . . . . . . . . . . . . 109 3.4.2.Qualityofsecurity,ortheattractionofISMS . . . . . . . . . 110 Chapter4.TechnologicalCountermeasuresforRemoteAccess . . 113 4.1.Remoteconnectionsolutions. . . . . . . . . . . . . . . . . . . . . . 114 4.1.1.Historicsolutions. . . . . . . . . . . . . . . . . . . . . . . . . . . 115 4.1.2.Desktopsharingsolutions . . . . . . . . . . . . . . . . . . . . . 115 4.1.3.PublicationontheInternet . . . . . . . . . . . . . . . . . . . . . 116 4.1.4.VirtualPrivateNetwork(VPN)solutions. . . . . . . . . . . . 118 4.2.Controlofremoteaccess. . . . . . . . . . . . . . . . . . . . . . . . . 137 4.2.1.Identificationandauthentication . . . . . . . . . . . . . . . . . 139 4.2.2.Uniqueauthentication. . . . . . . . . . . . . . . . . . . . . . . . 155 4.3.Architectureofremoteaccesssolutions . . . . . . . . . . . . . . . 157 4.3.1.Securingtheinfrastructure . . . . . . . . . . . . . . . . . . . . . 157 4.3.2.Loadbalancing/redundancy . . . . . . . . . . . . . . . . . . . . 161 4.4.ControlofconformityoftheVPNinfrastructure . . . . . . . . . 162 4.5.Controlofnetworkadmission . . . . . . . . . . . . . . . . . . . . . 166 TableofContents vii 4.5.1.Controlofnetworkaccess . . . . . . . . . . . . . . . . . . . . . 166 4.5.2.ESCV(EndpointSecurityCompliancyVerification) . . . . 167 4.5.3.MobileNAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Chapter5.WhatShouldHaveBeenDonetoMakeSure MrRowley’sDayReallyWasOrdinary. . . . . . . . . . . . . . . . . . 173 5.1.TheattackatMrRowley’shouse . . . . . . . . . . . . . . . . . . . 173 5.1.1.SecuringMrRowley’sPC . . . . . . . . . . . . . . . . . . . . . 173 5.1.2.Securingtheorganizationallevel. . . . . . . . . . . . . . . . . 174 5.1.3.Detectionattheorganizationallevel. . . . . . . . . . . . . . . 175 5.1.4.Alittlebitofprevention. . . . . . . . . . . . . . . . . . . . . . . 175 5.2.TheattackattheairportVIPloungewhileonthemove . . . . . 176 5.3.Theattackatthecafé. . . . . . . . . . . . . . . . . . . . . . . . . . . 176 5.4.TheattackintheairportVIPloungeduring MrRowley’sreturnjourney . . . . . . . . . . . . . . . . . . . . . . . . . 178 5.5.Thelossofasmartphoneandaccesstoconfidentialdata . . . . 180 5.6.Summaryofthedifferentsecuritysolutionsthatshould havebeenimplemented . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 APPENDICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Appendix1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Appendix2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Bibliography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Introduction “With the Internet, to be competitive in themarketistocommunicateinformation to the outside world. It no longer consists of forbidding access to an organization’s data; it consists of mastering information exchange”. Jean-PhilippeJouas(presidentofLUSIF) Extractfrom01Informatique,4 September1998 Remote access has helped realize one of mankind’s most ancient dreams: “ubiquity”, because with these new technologies, employees can now access all their company’s resources, anywhere, at any time and from any device (PC,PDA,etc.) This development of “nomadism” is linked to a number of technological improvements, such as the “democratization” of the cost of laptops and the proliferation of Internet access, which is now available even in the remotest of places. However, it also has its roots in economic factors such as the globalization forcing companies to be more efficient and responsive in order to survive in a highly competitive environment. The gains arising from the implementationofmobilitysolutionsareindeedmanyandvaried: – increases in the productivity of employees, who can continue to work while on the move (on trains, in airport lounges, in hotel rooms, etc.),with customers (online demonstration of in-house software use, etc.), and from home; x MobileAccessSafety –increasesintheflexibilityoforganizationsandwaysofworkingdueto, for example, the development of teleworking, whether permanent (distributed call centers allowing telephone operatorsto work fromhome) or casual; – decreases in the emission of CO into the atmosphere thanks to a 2 reduction in the number of journeys (BT have estimated that the development of flexible working at their organization saves 12 million liters ofgasolineperyear); – continuation of business operations in the case of major crises such as the destruction of the company’s premises (by fire, water damage, etc.), epidemics(H1N1,etc.),strikes(railemployees,roads,airports),oranyother event that prevents employees from reaching their place of work or to carry outtheirduties(powercut); –decreasesinthecostofbusinessoperationsduetothereductionofcosts related to the provision of office space (reduction in office space and therefore of rental costs, maintenance, security, insurance, etc.). BT has estimated savings in operating costs of £6,000 per year, per telecommuting employee; – reduction in transport costs for employees, who can limit work-related travel because they have access to all necessary resources from any given location; –reductioninemployeeturnover,byallowingthemtoadaptthewaythey perform their professional duties to their own requirements/personal wishes (e.g., childcare during school holidays, sports competitions, charity events, etc.). This improvement in working conditions can increase employee productivityandreducethenumberofworkstoppages; – avoidance of fatigue and stress for employees by limiting the travel to theworkplace(telecommuting). Unfortunately, the exponential growth of remote access has completely calledintoquestioncompanies’securitymethodsthathavesurvivedthusfar. As in the Middle Ages, this mainly consists of building high perimeter walls to protect against attacks from assailants, and to strictly limit and control incomings and exchanges with the outside. But today, organizations’ physical boundaries are becoming more diffuse as the development of telework extends its geographical perimeter as well as the number of entry points. A veritable “Pandora’s box” has been opened by the growing use of Introduction xi remote access. Thus, one employee can potentially inadvertently contaminate the entire information system of their company by connecting, for example, from home with their personal computer that has been contaminated by their children while surfing illegal download sites. The evolutionoforganizations’securitypoliciesisthereforevital. Each security issue is unique, because such issues depend on the organization’s intended use for its remote access, as well as on its own specificlimitationsandconstraints(financial,technical,etc.)Forthisreason, it is not possible for us to provide, as part of this work, a universal “recipe”. We will try, however, over the course of the following chapters, to give you some ideas, approaches, principles and techniques that will allow you to understand, on the one hand, the risks involved, and on the other, provide youwiththemeanstobuildasecuritysolutionforyourparticularcase. Our aim is not to produce an exhaustive description of the various security issues and solutions concerning the mobile elements of companies, because as you will have gathered, such a task would require a much longer book. We have therefore chosen to adopt a didactic approach to make the reader aware of the various threats and protection solutions, by giving a concrete example based on an average user, and the various attacks suffered duringa“typicalday.” Then, we place these attacks in the broader context of the different families of risk. This allows us to then present the tools capable of counteringtheseattacksorlimitingtheireffects. Finally, we finish with our average user by explaining the protection solutions that should have been put in place to protect him. As the field of security is not solely related to technical issues, we conclude by making the link between the various recommendations with one of the main methodologicalapproachesinthisarea(ISO/IEC27002). Chapter1 An Ordinary Day in the Life of Mr. Rowley, or the Dangers of Virtualization and Mobility “Appearancescanbedeceiving” Proverb 1.1.Abusyday The day promised to be busy for Mr. Rowley. Upon awakening that morning, he knew it would be punctuated by unexpected events – as usual – butwhattheywouldbehedidn’tknow. It all started after breakfast, when, after his son had already been surfing the Web, he decided to get on with preparing his annual report by logging onto his company’s fileserver from his personal computer. Thanks to the VPN1 Internet access solution which had been installed by his company, he could work from home as if he were in the office. What a gain in productivity! And it was so simple: all that he had needed to do was simply install a small softwareclientonhisPCandconfigureitappropriately. 1VirtualPrivateNetwork:virtualprivatenetworkstypicallyexistoverapublicinfrastructure such as the Internet, thanks to an encryption solution that ensures confidentiality of data exchange.