
Why being Proactive in Security is Essential

on December 9, 2010

We have always been taught that once a system is compromised you either restore a clean backup or re-install it in order to be safe. Whoever compromised the machine may have installed rootkits or backdoors, or tampered with system tools, to keep access to the machine or to spy on your network. A custom rootkit might not be caught by an antivirus product, so the only safe recourse is to return the whole system to a clean state.

Unfortunately it seems we are quickly getting to the point where restoring the system to a clean state might not be enough. I recently came across a blog post by a security researcher at Sogeti ESEC Labs who tried, successfully, to install malware in a network card's firmware. The malware was quite basic: it hid ICMP echo requests carrying a TTL of 42 from the operating system and answered those requests itself, with the same TTL, even when the OS had disabled the interface. As far as we know there is nothing to worry about yet, but it does illustrate the dangers we might face in the future.
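One way to test for exactly the behaviour described above is to probe the suspect card from a second, trusted machine rather than from the suspect host, since the implant hides the packets from the operating system on that side. The script below is an added example, not code from the original post or from the Sogeti research: it sends ICMP echo requests with the TTL the lab implant reacted to (42) to a host whose administrator has just taken the interface down, and reports any replies that come back. It needs raw-socket privileges (root) and a live network. The payload string, the use of TTL 42 as the trigger and the hypothetical target address are assumptions taken from the post; a real implant could use any other marker, so no reply proves only the absence of this one trigger.

```python
import os
import socket
import struct
import time

PROBE_TTL = 42  # assumption: the marker the lab implant reacted to, per the post
PAYLOAD = b"fwprobe"  # arbitrary probe payload, constructed for this example


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = PAYLOAD) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_reply(packet: bytes):
    """Parse a raw IPv4+ICMP datagram as delivered by a Linux raw ICMP socket.

    Returns (ip_ttl, icmp_type, ident, seq), or None if the packet is too short or
    the ICMP checksum does not verify. The TTL is the value seen on arrival, i.e.
    the sender's TTL minus one per hop in between."""
    if len(packet) < 28:
        return None
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return ttl, icmp_type, ident, seq


def probe(host: str, ttl: int = PROBE_TTL, count: int = 3, timeout: float = 1.0):
    """Send `count` echo requests with the marker TTL; return [(observed_ttl, seq)] of replies.

    Run this from a separate trusted host against a target whose OS reports the
    interface down. Any reply cannot have come from the target's IP stack."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    sock.settimeout(timeout)
    ident = os.getpid() & 0xFFFF
    replies = []
    try:
        for seq in range(1, count + 1):
            sock.sendto(build_echo_request(ident, seq), (host, 0))
            deadline = time.monotonic() + timeout
            while time.monotonic() < deadline:
                try:
                    data, _addr = sock.recvfrom(65535)
                except socket.timeout:
                    break
                parsed = parse_reply(data)
                # The raw socket sees every ICMP packet; keep only our own echo replies.
                if parsed and parsed[1] == 0 and parsed[2] == ident and parsed[3] == seq:
                    replies.append((parsed[0], seq))
                    break
            time.sleep(0.2)
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    target = "192.0.2.10"  # hypothetical suspect host whose interface is administratively down
    got = probe(target)
    if got:
        print("replies with interface down (observed TTL, seq):", got)
    else:
        print("no reply to TTL-%d probes; this trigger at least is absent" % PROBE_TTL)
```

The observed TTL in a reply is the card's reply TTL reduced by one per hop, so on the same LAN a reply answering with TTL 42 arrives with TTL 42.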

Such malware is limited by the size of the firmware and by the interaction the device has with the rest of the system, since that is the surface it can exploit. As technology moves forward both will grow, allowing increasingly sophisticated modifications. Even now I would imagine that modifying the current malware to forward all the traffic the card sees to a remote IP address, while hiding that activity from the system, is quite doable. A remote attacker who compromised the system would then have the option of installing a stealthy sniffer that formatting the compromised system and re-installing will not remove.

If such a scenario were to occur, the cost of a compromise would increase drastically, because re-installing the system would no longer be enough. One would either need to toss the system and rebuild it from scratch or, at the very least, replace the EEPROMs (electrically erasable programmable read-only memory chips) holding the firmware with ones carrying a known-clean image.

Vendors could develop tools to verify that firmware has not been tampered with, but those tools would run on the very host in question. Just as you cannot rely on an antivirus product running on a compromised system to give you a genuine result, you could not trust a firmware checker running there either. If such malware appears in the future, being proactive and ensuring that your system cannot be compromised in the first place will definitely be a must.
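The paragraph above is about where a firmware checker runs rather than what it does. As an added example (not from the original post and not any vendor's tool), the script below compares an EEPROM dump of a network card against a baseline dump taken from a known-clean card of the same model: it parses the dump, hashes it, and lists the 16-byte rows that differ. The row layout ("0xOFFSET:" followed by hex bytes) is assumed to follow what `ethtool -e <iface>` prints on Linux; both dumps are constructed for the example and are not real card contents. The point the paragraph makes still applies: the candidate dump must be taken from an environment the implant does not control, such as a boot from read-only media or an external chip reader, and a match only shows that the bytes the reader returned equal the baseline, not that the card holds nothing else.

```python
import hashlib
import re

# Assumed row format, modelled on `ethtool -e` output: "0xOFFSET:<tab>b0 b1 ... b15".
ROW_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

# Constructed sample dumps (not real card contents): a 64-byte baseline from a
# known-clean card, and a candidate in which one byte of the row at 0x0020 differs.
BASELINE_DUMP = """Offset\t\tValues
------\t\t------
0x0000:\t\t00 1b 21 3c 9d 2e 03 00 c4 42 57 16 ff ff ff ff
0x0010:\t\t86 80 02 00 12 34 56 78 00 00 00 00 00 00 00 00
0x0020:\t\t20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0030:\t\t00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa 55
"""

TAMPERED_DUMP = BASELINE_DUMP.replace(
    "0x0020:\t\t20 01 00 00", "0x0020:\t\t20 01 00 2a")


def parse_eeprom_dump(text: str) -> bytes:
    """Turn an offset/hex-bytes dump into the raw image.

    Header lines are skipped. Rows must be contiguous: a gap or reordering raises
    ValueError so a truncated or hand-edited dump is never silently accepted."""
    image = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Offset  Values" / "------" header lines
        offset = int(m.group(1), 16)
        if offset != len(image):
            raise ValueError(
                f"non-contiguous dump: row at {offset:#06x}, expected {len(image):#06x}")
        image += bytes.fromhex("".join(m.group(2).split()))
    return bytes(image)


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def diff_images(baseline: bytes, candidate: bytes, width: int = 16):
    """Return [(offset, baseline_row_hex, candidate_row_hex)] for rows that differ.
    A length mismatch shows up as rows that are empty on one side."""
    diffs = []
    for off in range(0, max(len(baseline), len(candidate)), width):
        a, b = baseline[off:off + width], candidate[off:off + width]
        if a != b:
            diffs.append((off, a.hex(), b.hex()))
    return diffs


def verify(baseline_dump: str, candidate_dump: str):
    """Return (matches, candidate_sha256, differing_rows)."""
    base = parse_eeprom_dump(baseline_dump)
    cand = parse_eeprom_dump(candidate_dump)
    digest = sha256_hex(cand)
    return digest == sha256_hex(base), digest, diff_images(base, cand)


if __name__ == "__main__":
    for label, dump in (("clean card", BASELINE_DUMP), ("suspect card", TAMPERED_DUMP)):
        ok, digest, diffs = verify(BASELINE_DUMP, dump)
        print(f"{label}: sha256={digest} match={ok}")
        for off, a, b in diffs:
            print(f"  row {off:#06x}\n    baseline : {a}\n    candidate: {b}")
```

Keeping the baseline as a SHA-256 digest recorded at purchase, plus the raw baseline dump for diffing, lets the check run from a boot medium without any vendor software on the suspect host.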

 
Comments
Stevie, December 11, 2010, 6:22 pm

The idea of successfully infecting your network card firmware (or any system critical devices for that matter) with malware is quite simply a nightmare come true. Restoring your system with a clean format has always been an end-all be-all when it comes to taking out malicious software, but it seems like these tech-vandals have really gone for the jugular on this one. And to think that the scenario was replicated in a controlled lab environment. What more in the real world?

Nelson Rogers, December 12, 2010, 5:35 pm

I definitely agree that proactivity is essential when it comes to system security. With malware and cyber-vandalism tactics becoming even more aggressive than they originally were years ago, system admins and general computer users can't simply rely on dated security practices and hope to come out unscathed. As insightful as this article is, maybe you guys in GFI can suggest how proactivity can be implemented for both average and advanced computer users.

Emmanuel Carabott, December 15, 2010, 10:28 am

@ Stevie – It’s a nightmare indeed; however, security is a war so to speak – sometimes one side has the edge and other times the other side has the edge. Right now this is a new attack vector which means it’s relatively unprotected. If it actually starts being used, measures will hopefully be put in place to address this better. Right now it’s simply too early to say. There are some protections that a device manufacturer could take to ensure this doesn’t happen, such as generating a certificate for any updating software to authenticate with the card before it allows updates for example.

@ Nelson – The steps one needs to take in order to protect against this are no different than in any other scenario really. What your target is, in this case, is to prevent unauthorized and unnecessary access to the protected machine. That generally means good access control, keeping the system up to date, good end point security including antivirus and perhaps a good intrusion detection system.

Calvin, December 27, 2010, 7:41 am

@Nelson

I have to agree with Emmanuel on this. Proactive security simply means taking a more aggressive disposition towards system security. A lot of people (and even professional IT specialists) mistake security as a passive / reactive solution to external threats. A combination of good access control, updated software, reliable end point security, as well as excellent antivirus and intrusion detection systems (as Emmanuel mentioned) are great ways of achieving this.

Ellen Hall, December 28, 2010, 6:24 am

Infecting the network card firmware with malware? Definitely, frightening stuff. But since it was done in a controlled lab environment, I wonder how something like this would play out in a real world scenario. I bet it’s much harder than it sounds. Infecting the critical systems of hardware itself is no cake walk. Does this mean that hardware firmware will start requiring their own security protocols? That’s pretty ridiculous by any stretch of the imagination.

don turpin, January 4, 2011, 10:51 pm

@Calvin

But given the ever changing landscape of security (especially from a technological standpoint), how aggressive is one expected to be? I think in another article posted by GFI blog, IT companies are encouraged to strike a balance between convenience and security, but with a conscious mandate on aggressive and pro-active security, does that mean that we should be doing without the convenience and comfort of our clients for the sake of security?

Ralph, January 4, 2011, 11:07 pm

There’s a lot of discussion going around on how pro-activity can be implemented in a field that is mostly reactive. However, with the right tools, training, and foresight I believe that security can reach a point where it is able to anticipate (maybe not all, but most) possible threats both in the present and in the near future. This will allow companies to better adjust their systems to address more likely threats. As cliché as it may sound, a great offense does prove to be the best defense. And when it comes to security, I think this saying holds a lot of truth.