Nov 262016
 

(actually we don’t usually sit in the data centre; it’s too noisy and usually the wrong temperature for people)

There is a perception amongst people that security “gurus” who work in network security are spying on all your network traffic. Not the hackers (which is a whole other matter), but the people who run enterprise firewalls. We do, but we’re not interested in what you are doing but instead what is being done to you (and the enterprise as a whole).

Frankly nothing strikes me as more boring than spying on someone’s porn browsing – if I really need to, I’ll hunt down my own porn thank you very much! And we’re busy; you could probably double the size of every network security team in every organisation on the planet and still nobody would be sitting around twiddling their thumbs.

On the subject of porn (as an extreme example), it is not a security issue. There is an argument that browsing porn sites is putting yourself at greater risk of picking up some kind of nasty infection, but avoiding porn sites to avoid getting infected with malware is a tactic that results in your computer being infected. So the intended content isn’t a problem as far as security is concerned, but we’re interested in unintended content.

Now there are places that enforce browsing censorship – blocking anything that isn’t work-related. That role is usually dumped on the network security people because they have the tools to do the job.

Does porn browsing on the office matter? Of course it does – some people are upset by the sight of such things, and almost as important, when someone is browsing porn they are not working. But such matters are best dealt with in the office by the line manager – if someone isn’t doing their work it doesn’t matter if they are browsing porn, hitting Facebook, or snoozing under the desk. All should be dealt with appropriately by the line manager.

And centralised censorship is a rather clumsy tool – blocking Facebook is all very well if it is to prevent personal usage of the Internet, but what about the Marketing department using Facebook for publicity? Or the Customer Service department keeping an eye on Facebook for product problems that they need to look into? These can be allowed through on a case-by-case basis, but it highlights that censorship is a clumsy tool.

The word from a nameless vendor who is in this space, is that in many cases this censorship has less to do with preventing people from doing “naughty” things, and more to do with controlling bandwidth usage. And as bandwidth becomes cheaper, there is less interest in censoring Internet activities – certainly from a personal perspective I notice a decrease in the number of people who complain they cannot visit certain sites because of work’s “firewall”.

There is also the subject of TLS inspection where firewalls intercept and inspect TLS or SSL encrypted traffic between you and “out there”. Again there is a suspicion that we are for whatever reason spying on your activities. The answer to this is the same as previously – why should we bother? It is too much like hard work, and frankly most of the information that passes through a firewall is unbelievably boring.

No, TLS interception is used to do the boring task of inspecting traffic for malware, spyware, and other security threats. And with the increasing use of TLS to encrypt traffic it is becoming more and more important to do TLS interception for security reasons.

Yes there are those who would use that sort of technology to spy on your activities, but those organisations are typically nation states … and repressive ones at that. But it is extreme foolishness to blame a useful tool for the abuses that an abusive government perpetrates.  Your average enterprise just isn’t that interested in what you’re up to.

And if you still don’t believe this, there is a simple answer: Do anything private on your own private network.

b84v37631-cubist-eye

Sep 092011
 

I was alerted to this by an article on The Register which points to the Godai Group‘s investigation into what happens when you register domains “close” to a reputable company and grab all the emails that happen to pop by. It is hardly a surprise to anyone who has run an email system, but you will get tons of email delivered caused by email address typos. Specifically Godai Group looked at a specific type of typo – accidentally leaving out a “.”. For example, one of the domains that the Godai Group picked up on was some-person@ca.ibm.com where “someone” has registered caibm.com (no dot) … whether or not that person is sniffing those emails cannot be known, but they could.

Again, to those who have run email systems it is no surprise to learn that some of the emails contain “interesting” information not limited to :-

  • Trade secrets
  • Business invoices
  • Personal information about employees
  • Usernames and passwords!
  • Network diagrams.

What is not mentioned is that those Fortune 500 companies almost certainly have policies in place prohibiting acts such as sending passwords and other sensitive information by email. But of course there is a description for someone who reads all of the corporate policies – someone who isn’t doing their job!

There is an interesting list of mitigations in the Godai Group report, but it could be a lot more extensive :-

  • When sending out an email to an address where the left hand side would be a valid internal address, flag the destination in your logs. Use that information to build up a list of domains for which you should check for valid internal addresses and freeze (hold in the queue) any messages that match. As an example, if mike.meredith@ca.ibm.com were a valid address you might want to freeze any emails addressed to mike.meredith@caibm.com.
  • Use your email logs to build up a database of domains that you send email to. This will allow you to identify similar domains that may be practicing so-called “doppleganger domains” that you may want to take some action against. You may think you can guess what the domains would be, but there is a lot to be said for hard evidence.
  • Perform content filtering on outgoing email, and build up a set of rules to catch emails containing patterns that match certain kinds of emails you do not want leaving your organisation – to begin with a pattern matching “password [is] XXXXXX”. This could take considerable effort to build, and there will always be the chance of a false positive so you will want a sensible warning message when emails matching the relevant content filter get caught – “Please check that this email does not contain confidential information; please check the recipient address, and if necessary re-phrase the email”.
  • Encourage the use of end-to-end encryption such as PGP. Plain encryption is not sufficient – “walled garden” email systems such as GroupWise support encryption for internal emails, but this is about external (even if it isn’t intentionally so) email which is not encrypted with such corporate email systems. In fact systems such as GroupWise may be considered dangerous in this context – it comes with the word encryption on the tin, and even allows you to “take back” emails that you have sent that you regret. These facilities encourage dangerous practices.
  • Education, education, education. But this will not accomplish much – not only are the people who really need to be educated not listening, but these problems are mistakes – both in terms of accidentally sending emails to the wrong address, and in terms of emailing information that should probably not be sent via email.
  • Lastly, and perhaps for amusement value, you could try persuading senior managers that the danger of them sending inappropriate information accidentally out to third parties via email is so great that it justifies setting up a process by which all their email sent to external address is manually reviewed to ensure that it is not an accidental release of internal information. Good luck on that one!