Can Open Source Help in IT Security?

Open source has become very common in business and government organizations, as it is cost effective and easy to modify as needed. The question is whether it can help in thwarting attacks. Here are my views on how open source can help IT organizations, especially SMBs.

Define the Security Problem

The first and foremost point is to define the problem. Different organizations work differently and have their own priorities about what is important.
If one cannot define the problem, one ends up creating more complications than one solves.

Organizations first need to define the risks of a security breach and what could be lost:-

  • State sponsored attacks
  • What data to protect?
  • Dreaded APT (Advanced Persistent Threat) attacks
  • Protect Intellectual Property
  • Protect Company Reputation
  • Data leak to competitors
  • ...

Experts in cyber security talk about a people, process and technology approach.

One cannot thwart an APT just by buying a big, fat, expensive appliance. It needs skilled and qualified personnel with a formal process.

Here are some common attitudes towards security:-

  • "We have not been hacked and unlikely someone will hack". Most of the SMBs are sitting ducks, in terms of security. They either know they are hacked or they have no clue that they have already been hacked or waiting to be hacked. Unethical hackers can use organization's resources for targeting other organizations, to hide their source.

  • One challenge is to find a balance between business functionality and security. One may have the best measures in place, but one mail from the boss takes priority and puts a loophole in the system, not to mention the annoyance for the security team after all the hard work of setting it up. A paranoid level of education can help open people's eyes to the risks, so they can be more careful.

  • Not to mention the cases where organizations still don't believe they need security. Many do not know that anti virus is not the best defence. Security is seen as a reactive rather than a proactive measure.

Open source can provide adequate solutions, but it needs highly skilled personnel to be able to use it efficiently. And of course, a well defined process behind it.

Ransomware is on the rise, and there is ransomware for Linux servers as well. In recent news, ransomware dubbed Linux.Encoder.1 targets Linux web servers.

APT attacks are the most commonly talked about, as the word "Advanced" is very catchy.

What is an APT?

An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.

Websense talks about the seven stages of the kill chain. Basically, here is the summary:-

  • Unethical hackers gather information about the target from various sources like social media, websites and news, collecting email addresses, social media contacts etc.
  • A phishing mail/post tries to convince the recipient to click a malicious URL or open an attachment.
  • The malicious URL/attachment leads to an exploit kit, which fingerprints the machine and launches an exploit for a specific vulnerability based on the information gained.
  • Attackers maintain access to the machine through a command and control server, and launch further attacks within the organization.
  • One can imagine what the consequences can be over a period of time.

How can Open Source help?

Before even diving into details, I would like to put forth some basic practices that organizations can consider:-

  • Using non-admin user accounts can help thwart several attacks, and is the first line of defence
  • Avoid using USB drives to transfer data
  • Segregating networks by department, using VLANs, is a good idea
  • Keep software and anti virus updated
  • Use strong passwords, with at least 10 characters
  • Avoid using the same password across multiple sites. LastPass and KeePass are useful tools
  • Avoid open file shares
  • Never underestimate that idle computer running throughout the day
  • Avoid running internal servers 24x7 unless really required. It saves power too
  • Stay alert for phishing emails and avoid installing software off the internet
  • Avoid using the central AD/LDAP password across all applications and sites. Some applications store clear text passwords, which can be a big giveaway
  • Is BYOD really necessary? What is exposed, and how critical is the exposure?
  • A paranoid firewall policy (if possible): block everything and allow only a few IP addresses and ports

Here are some open source/free tools that can help:-

  • Use security browser extensions like AdBlock Plus, NoScript and Web of Trust
  • Does everyone in the organization need a public mail address? Why not internal mail addresses, accessible only internally? Solutions like iRedMail and Deeproot are worth a look.
  • Avoid open file sharing and consider using ownCloud, which helps with backup too
  • Encrypt confidential documents using VeraCrypt
  • Wireless networks are a weak link. Rogue access points can lure clients into connecting to them, no matter how strong and long the preshared key is. Tools like Kismet and NetStumbler can help find them. Arpwatch can help detect ARP poisoning on wired and wireless networks.
  • Having an in-house automated malware analysis system like Cuckoo can help. Malware execution can be observed in an isolated sandbox environment, without affecting one's own machine. Besides, there are online options too.
  • IDS (Intrusion Detection System) tools - Bro (now Zeek), Suricata and Snort
  • SIEM solutions - consider OSSIM, MozDef, FIDO
  • Mail encryption using GnuPG with tools like Enigmail and Mailvelope
  • Vulnerability scanner - OpenVAS
  • DLP (Data Leak Prevention) - consider MyDLP
  • Network Access Control - consider PacketFence
  • Collect DNS records using PassiveDNS. Malware mostly uses domain names rather than hard-coded IPs to talk to command-and-control servers, so the DNS log is a good place to look for it.
  • Block known malicious IPs, or whole countries
  • Web content filter - consider parental control software, OpenDNS [not sure if it is still free], SquidGuard
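The PassiveDNS point above (malware reaching its command-and-control servers through domain names) lends itself to a worked check. The script below is an added example for this post, not code from the original article or from the PassiveDNS project: it parses PassiveDNS-style log lines, groups the queries by registered domain and flags domains that show several indicators typical of DGA or DNS-tunnelling traffic (random-looking high-entropy labels, many unique subdomains, unusually long labels, very low TTLs). The `||`-separated field order, the sample log lines, the thresholds and the naive "last two labels" registered-domain heuristic are all assumptions made for the example.

```python
"""Flag DGA/tunnelling-style C2 indicators in PassiveDNS-format logs (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample lines. Assumed PassiveDNS default output format:
#   ts||client||server||class||query||type||answer||ttl||count
SAMPLE_LOG = """\
1448000001.100||10.0.0.21||8.8.8.8||IN||www.example.com.||A||93.184.216.34||3600||12
1448000002.200||10.0.0.21||8.8.8.8||IN||mail.example.com.||A||93.184.216.35||3600||3
1448000003.300||10.0.0.33||8.8.8.8||IN||xk3q9zp1vw7b2.badc2domain.net.||A||198.51.100.7||60||1
1448000004.400||10.0.0.33||8.8.8.8||IN||q8m2zr0tly4nh.badc2domain.net.||A||198.51.100.7||60||1
1448000005.500||10.0.0.33||8.8.8.8||IN||d1a7p4ve9ksnx.badc2domain.net.||A||198.51.100.7||60||1
1448000006.600||10.0.0.45||8.8.8.8||IN||4e5a7d6c2b1f0e9d8c7b6a5f4e3d2c1b.t.badc2domain.net.||TXT||YWNrOjEyMzQ=||30||1
"""

FIELDS = ("ts", "client", "server", "class", "query", "type", "answer", "ttl", "count")


def parse_passivedns(text):
    """Parse '||'-separated PassiveDNS lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("||")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["query"] = rec["query"].rstrip(".").lower()
        rec["ttl"] = int(rec["ttl"])
        records.append(rec)
    return records


def shannon_entropy(s):
    """Bits per character. Dictionary words score low; random DGA labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(fqdn):
    """Naive registrable domain: the last two labels. Assumption: no public-suffix
    list is consulted, so 'shop.example.co.uk' would collapse to 'co.uk'."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_indicators(records, entropy_min=3.5, label_min=10,
                      long_label=24, low_ttl=60, min_unique=3):
    """Group queries by registered domain and collect C2-style indicators per domain.
    Thresholds are assumptions chosen for the example, not tuned values."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[registered_domain(rec["query"])].append(rec)

    report = {}
    for domain, recs in by_domain.items():
        hosts = {r["query"] for r in recs}
        left_labels = [r["query"].split(".")[0] for r in recs]
        indicators = set()
        # At least half the queries carry a long, random-looking leftmost label.
        random_labels = sum(1 for l in left_labels
                            if len(l) >= label_min and shannon_entropy(l) >= entropy_min)
        if random_labels >= len(recs) / 2:
            indicators.add("high_entropy_labels")
        # Many distinct hostnames under one domain: DGA or per-beacon subdomains.
        if len(hosts) >= min_unique:
            indicators.add("many_unique_subdomains")
        # Very long labels are the classic sign of data smuggled in the query name.
        if any(len(l) >= long_label for l in left_labels):
            indicators.add("long_label")
        # Short TTLs let the operator move the C2 address quickly.
        if min(r["ttl"] for r in recs) <= low_ttl:
            indicators.add("low_ttl")
        report[domain] = indicators
    return report


def find_suspicious(text, min_indicators=2):
    """Return {domain: sorted indicators} for domains with enough indicators, worst first."""
    report = domain_indicators(parse_passivedns(text))
    hits = {d: sorted(i) for d, i in report.items() if len(i) >= min_indicators}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for domain, indicators in find_suspicious(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(indicators)}")
```

Run against a real PassiveDNS log by replacing `SAMPLE_LOG` with the file contents. The indicators are deliberately simple and will produce false positives on CDNs and cloud services that also use random-looking hostnames, so the output is a triage list for an analyst, not a block list.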

Proprietary tools do make life easy, but relying on them completely can also be a risk. Using open source takes that little extra effort from a user's standpoint. For example, to check a phishing URL or attachment, one would have to copy and paste the URL or upload the file to check it. Proprietary tools do it on the fly.

Detecting attacks at the gateway level (IDS) is only as good as the signatures the IDS runs, and the paid rule sets are generally more current than the free ones. Well, there is a reason why certain things are not free.

Whether open source alone can thwart an APT will remain an open question, but it can definitely help mitigate security breaches, along with good governance and practices.

Well, if one accepts that one is a "sitting duck" waiting to be breached, and has a limited budget, open source is the best bet.

Dinesh Gunasekar | Tags: APT, IDS, Malware