Interviews by Stephen Ibaraki, I.S.P., DF/NPA, CNP, MVP
Laura Chappell: Internationally Renowned Sr. Protocol/Security Analyst and Founder of the Protocol Analysis Institute LLC, and Co-founder of the Internet Safety for Kids Project
This week, Stephen Ibaraki, has an exclusive interview with Laura Chappell, recipient of the “2005 International Professional Excellence and Innovation Award – Independent Network Contractor” founded by the NPA in 2002 and given out at the largest networking industry conference, Networld+Interop (now called Interop) Las Vegas.
Laura is the Founder and Senior Protocol/Security Analyst for the Protocol Analysis Institute, LLC, www.packet-level.com. Moreover, Laura is a widely regarded speaker and best-selling author of numerous industry titles on network communications and analysis. Her top-ranking speaking engagements include Microsoft’s Technet and TechEd Conferences, Novell’s BrainShare Conferences, and the HP Enterprise Technical Symposium. Ms. Chappell is also the founder of and Technical Advisor for podbooks.com, an Internet-based publishing company focused on packet-level communications and security. In addition, Ms. Chappell writes and provides content for a number of industry publications. In 2005, Ms. Chappell released her Master Library encompassing all books, self-study courses, video-courses and trace file interpretations. For more information on podbooks.com, visit www.podbooks.com. For more information on the Laura Chappell Master Library, visit www.packet-level.com/library.
Internationally renowned, Laura has trained thousands of LAN/WAN administrators, law enforcement officers, engineers, technicians and developers worldwide. Chappell is a member of the High Technology Crime Investigation Association (HTCIA) and an Associate Member of the Institute for Electrical and Electronic Engineers (IEEE) since 1989.
Through the Protocol Analysis Institute, LLC, Chappell founded the Internet Safety for Kids program in 2005. This program provides education and presentation services on online predators, safe Internet communications and parental and law enforcement resources. For more information on the Internet Safety for Kids program, visit www.packet-level.com/kids or contact Ms. Chappell at firstname.lastname@example.org
The latest blog on the interview can be found on March 10, 2006 in the Canadian IT Managers (CIM) forum where you can provide your comments in an interactive dialogue.
Q: Laura: thank you for taking time out of your very busy schedule to do this interview.
A: Thanks so much for asking me – I’m certain you will have some interesting questions for me, Stephen.
Q1: Critical information leaks of intellectual property are a growing area of concern. What are your views on managing this area?
A: Regardless of privacy issues, IT managers must monitor employee communications to protect corporate assets and network efficiency. The users will certainly scream about their “privacy” being invaded, but the bottom line of the business depends on optimizing and securing the network. It’s time for the IT manager and CEO/CIO/CTO to get on the same page with regard to monitoring employee activity on the network and the actions they will take when misuse is discovered. (There are concerns to monitoring employee activities – see http://www.cio.com/archive/051505/monitor.html.)
Q2: Can you expand on the privacy issue and how corporations can meet this challenge?
A: Ahh… this topic always gets people heated up, but I am a big proponent of monitoring employees’ network/computer use.
The 2005 Electronic Monitoring and Surveillance Survey conducted by the American Management Association (AMA) indicated that nine out of ten companies monitor their employees in some way or another (video surveillance, Internet use, phone use, etc.). [See www.amanet.org.] With network abuse sucking the productivity out of a corporation and corporate intellectual property and confidential information leaking out, it is no wonder that monitoring was put into place. The 2005 CSI/FBI Security Survey indicated that insider abuse of Internet access ranked number one in types of abuse or attacks. Unauthorized access to information ranked fourth and theft of proprietary information ranked seventh. [See www.gocsi.com.]
It’s not just resource abuse that is a catalyst for employee monitoring – protection of corporate assets and even the protection of the employees’ own confidential records may spur a corporation on to watch what’s flowing in and out of their network.
To address the need for monitoring with the employees’ concerns for privacy, corporations need to educate employees on why monitoring is necessary to protect the corporation and the employees themselves. If management simply announces a ‘big brother policy’ one day to employees, they could risk leaving such a bad taste in the employees’ mouths that the monitoring could cause an immediate reduction in productivity. No one wants to work in an environment where they feel they are being controlled and manipulated with no voice or inside knowledge of why decisions are made! That reminds me of my years at Catholic boarding school – whatever Sister Gerald said was law. In that case, I can certainly understand why I was being watched like a hawk (I was just up to no good), but I felt persecuted.
Corporations also need to be aware that they may be held liable for the failure to investigate an employee’s use of a computer to perform some criminal activities, such as viewing child pornography. On December 27, 2005, the New Jersey’s Appellate Division held that an employer has an affirmative duty “to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to third parties.” [Doe v. XYC Corporation [2005 WL 3527015]. In this case, XYC Corporation monitored an employee’s surfing habits and noted that the employee was surfing porn sites – the names of the websites implied that at least one of the sites was a child pornography site. Sure enough, they found nude pictures of his minor stepdaughter on his drive. Some companies seem to think that they only need to act if they are a mandated reporter. Wrong (in so many ways).
Employers and IT staff need to determine now what they will do if they find such criminal activity taking place on the network. I recommend they review their monitoring policies, educate users on the need for such monitoring and then diligently enforce those policies – don’t just fire the employee and let them continue their activities in another company. In addition, those companies need to make their law enforcement contacts now – don’t wait until an incident arises and you find yourself cold-calling some local cybercrime task force. Membership in an organization such as the High Technology Crime Investigation Association (HTCIA) can help formulate those law enforcement/private sector relationships and be invaluable when questions regarding possible criminal activity, evidence collection and prosecution guidelines surround the company.
Q3: Wireless networks are growing rapidly. Being specific, what are the security concerns and the best solutions to these concerns? Can you detail the “War Driving Project” in Australia?
A: Some of my most interesting trace files involve wireless communications! One area I’ve been particularly interested in is ‘open wireless networks.’ Think trade shows. Think VIP clubs at the airport. Think McDonalds and Starbucks. These wireless networks are intentionally open to provide convenient Internet access to attendees and customers. You can warn people against sending unsecured information over these networks, but they just don’t seem to think anyone is listening. Guess what? We are. I remember sitting in an American Airlines Admirals Club with my kids. A ‘3-piece suiter’ sat next to me – apparently wondering why I would be allowed to bring my kids into the VIP lounge. If only I could have told him that I was actually sniffing all his traffic as he sent cleartext communications to his office talking about release dates for unannounced products! Even at a conference attended primarily by law enforcement officers I was able to get a bucket of passwords and a steamy Instant Messenger (IM) session.
In the War Driving Project conducted in Australia, we had a group war drive the top cities including Sydney, Melbourne, Adelaide, Canberra and Brisbane. We found numerous networks with WEP disabled, but more disturbing – we found numerous networks with WEP enabled, but no other level of security put in place. Really now – it’s like putting taping a sign that reads “authorized entry only” across the front door of your house but leaving the door unlocked. WEP is not sufficient to secure wireless networks. In many cases we found the access points still set for the default configurations!
Enabling MAC address filtering is a joke. With a wireless analyzer, anyone can determine the MAC address of ‘privileged computers’ and spoof those MAC addresses to gain entry.
Corporations need to change the default admin password on their access points, identify rogue access points on the network, look into WPA2 with decent keys, authenticate wireless users with protocols like EAP and use encryption (such as SSH) for all applications that cruise across the wireless network. In addition, the wireless network traffic should be encrypted using a VPN and regularly test their wireless network security.
Q4: Which best-of-breed technology do you recommend for monitoring network communications? How do you see this technology evolving by: 2007, 2010, 2012?
A: I have been fortunate enough to work with a variety of network analyzers, flow analyzers and anomaly-detection tools. One such tool actually grouped network devices based on their typical communication patterns. Others can perform content monitoring based on binary signatures, thereby thwarting the old ‘rename the file’ and ‘alter the file extension’ trick. Although many of these tools require passive access to the data flowing through the network, host-based monitoring tools allow you to look directly at the desktops to see what’s installed there before it’s encrypted and sent over the wire. Of course email monitoring is a must as well.
I think monitoring will increase in ease-of-use and automation with a combination host/network monitoring solution linked to regulatory compliance. In addition, I’d like to see these tools offer some proactive auditing functions to identify software and hardware throughout the company and provide anomaly-detection when new software is loaded on a system or new hardware is found.
Again, all this must be implemented without coming across as ‘big brother.’ Companies have got to get across to the employees that they are not just looking for the one bad apple, but also contractors, vendors, temporary employees and management (who have a tendency to bring in very dirty laptops after a weekend of net gaming.)
Q5: Can you elaborate on your recommended policies for processing employees engaging in illicit activities?
A: First and foremost, you need to lay the groundwork. You need to get your law enforcement contacts in place. By joining an organization such as HTCIA or Infraguard, you can begin to develop those contacts and hear how other organizations are dealing with employee illicit activities. Chances are good that someone is going to have a war story to share with you if you show interest in learning more. In many cases, my customers have found something they are concerned about and they have asked me to ‘run it by your law enforcement buddies’ to find out what their next steps should be and locate forensic investigators to handle their case.
Companies need to perform a risk assessment by defining their corporate assets (not just digital information assets such as the customer or employee database and proprietary corporate information, but also the non-tangible assets such as company reputation and ethical standards). Once the company knows what they are protecting, they should have a clearer sense of how to protect those assets.
Employee buy-in is critical – a simple training video covering some of the cases listed on the Department of Justice Cybercrime and Intellectual Property Section (CCIPS) Computer Intrusion Case page (see www.cybercrime.gov/cccases.html).
Now you’ve given me another idea, Stephen – record a simple presentation on the need for employee monitoring based on the CCIPS cases! Thanks!
Q6: What pointers can you provide to IT Managers about security and packet-level analysis?
A: Packet-level analysis is a fancy way of saying network wiretapping (or wirelesstapping in the case of 802.11 networks). Although it is a tremendous tool for troubleshooting, it can also be used as an educational tool (to see how the protocols and applications work). In the arena of security, IT packet-level analysis enables us to see if an application is transmitting data in plain text, whether we are being redirected when going to a target system and identify the signatures of various attack tools and spyware/malware/viral infections.
Whether the IT Manager purchases a commercial product such as Network General’s Sniffer or WildPacket’s EtherPeek/AiroPeek, or they allow their IT team to use a GNU-licensed software such as Ethereal, they should ensure their team knows how the protocols work on the wire and what faulty communications look like. Strong security knowledge must sit on top of a solid grasp of the TCP/IP protocol stack, (including ARP, IP, TCP, UDP and ICMP at least), and the common applications – such as FTP, HTTP, POP3, telnet and SMTP.
When a network breach occurs, a packet-level analyst (aka protocol analyst or network analyst) can differentiate between normal and abnormal traffic and often identify exactly what tool is being used against the target and what security holes are exploited.
Q7: Can you share three case studies illustrating a major challenge, solutions considered, the final option implemented and any metrics to support the final decision? Also include the reasons why the other solutions were not utilized.
A: Case Study 1:
In the area of optimizing network communications, I worked with a company that reported terrible response times accessing the Internet. They were considering placing a caching server inside the firewall to improve performance. When we tapped in to watch all traffic through the firewall we found that approximately 80% of the traffic was non-work related traffic with a high number of video porn downloads. This was at the time the Pamela/Tommy Lee video was a hot item on the Internet. The caching server would have certainly improved performance, (bringing these porno videos in-house for local distribution), but the underlying problem was the employees’ use of the company network. We could use the employee salary information and the actual data flows to show the loss in productivity caused by the network abuse. In addition, those employees who loaded down the Internet link were affecting everyone else’s communications.
Case Study 2:
In another case, a company was using content filtering at the Internet border to watch for and block specific key words from crossing the firewall. They’d implemented this solution to stop their users from accessing specific non-work related sites. They complained of lackluster Internet access times. When we examined the traffic going through the firewall we noticed over a 1 second delay crossing the firewall. When we removed the content filtering the network cranked up to proper speeds. A review of the content filtering configuration showed the firewall had not been configured properly – it was searching for thousands of words when a simple set of bogus DNS entries would have blocked undesired access. Again, I used an ROI calculator to estimate the amount of time they wasted each day as their packets crawled through the improperly-configured firewall.
Case Study 3:
In one instance, a company had systems crashing left and right – it appeared they would work fine for about 3 minutes and then CPU utilization would reach 100% and then the systems would lock up. The local team kept cleaning malware off the systems, but that didn’t seem to stop the problem. Boot up traces of the problem systems showed us exactly how the malware was updating itself and we could block it at the firewall to prevent further infections. Considering how many systems were affected from this problem, the monetary loss was evident to the company. Proof again that seeing the problematic traffic can lead you to a security solution that is specific to that particular problem.
Q8: What sort of network traffic patterns would you consider unusual?
A: That is a pretty broad question. Every network is different – roundtrip times are different, network paths are different, boot up and login sequences are different. The local IT team needs to baseline these things to differentiate between what’s normal to them today and what traffic looks like when things go wrong on the network.
There are some general issues I always look for. For example, “noise.” By just placing an analyzer off a switch port I can see the ‘background’ broadcast and multicast traffic as well as traffic that is forwarded down the port because the switch doesn’t know what to do with it.
Any traffic going to unassigned IP addresses is a bad sign as well. Every network has something called “dark IP addresses” – those are the IP addresses that fall within your network IP address range, but are not assigned to any device. No one should be talking to these dark IP addresses! Traffic to those addresses is probably part of a network scan or reconnaissance process.
Excessive amounts of ICMP port unreachable messages would also indicate a problem – either a configuration problem or a UDP-based scan underway. ICMP redirects are another type of traffic that I wouldn’t want to see… or excessive TCP SYN/RST combinations (a sure sign of a TCP scan)… or ICMP type 13, 15 or 17 packets (used in active OS fingerprinting)… how much time do we have?
Connection attempts to a client system would seem a bit odd to me since clients typically don’t host server daemons and processes. That would raise my curiosity.
Q9: What specific hardware and software would you recommend for a security toolkit?
A: First of all, the security toolkit should be a separate computer from your regular production machine. The tools that we run on the toolkit systems can be a bit temperamental or experimental. In the Network Analysis and Security Toolkit course, each student receives a preconfigured dual-boot laptop with forensic software (Forensic Toolkit), password crackers (including Brutus), honeypot software (Specter/Windows and honeyd/Linux) and the entire Security Auditor suite. The system should have as much memory and hard drive space as you can afford, wireless and Bluetooth built-in (if you want to do Bluetooth scanning).
Having a dual-boot system is a must now (or a VMWare platform to run both Windows and Linux tools from). Lots of the tool binaries are easily available for one or the other platform and not all binaries for each platform are equal. Ethereal, for example, is a tool that I would use for wired analysis on the Windows side, but it doesn’t fully support wireless analysis on the Windows side – for that we using Ethereal over Linux.
We’re just getting ready to put together the second version of the Network Analysis and Security Toolkit course – system specifications (including hardware and software specs) will be online at www.hotlabs.org/toolkit.
Q10: What is the value in knowing ICMP inside and out for troubleshooting, optimization and security?
A: ICMP (Internet Control Message Protocol) is a gem of a protocol. I can watch the ICMP traffic on a network to identify misconfigurations, blatant attacks, fingerprinting, scanning and more. One good place to start learning about it is in RFCs 792 and 1256 (available at www.rfc-editor.org). [For more information on the significance of Jon Postel as the author/editor of this RFC – see www.postel.org]
Q11: What are the best ways to perform a security vulnerability audit on your network?
A: Well, Stephen, there are so many ways to go about this so I’ll just start spewing out options and let your readers find their pertinent nuggets in the flow:
Identify assets (risk assessment)
Prioritize the audit focus (separate the task into smaller chunks)
Differentiate between intrusive and non-intrusive audit procedures
Map the network from outside and inside the firewall
Audit server and client software and hardware
Examine software/hardware audit results against an ‘acceptable’ list
Examine log files and log file usage
Audit routers, firewalls and critical infrastructure devices
Verify system and user configurations
Audit application traffic for cleartext data transfer or unusual dependencies
Audit all network access points (dial-in, wireless, tunnels, partner/consultant links)
Audit security training information for users, management, consultants
Check against industry-known vulnerabilities
Audit antivirus and anti-spyware capabilities and status
Audit patch and fix levels for hosts and servers (multiple OS types too)
Q12: Can your share your viewpoints and recommendations on the following...?
Voice over IP:
VoIP is a hot technology – and a scary one. Consider the nightmare of early implementations of WLAN technology – people were throwing up access points left and right and marveling at the freedom of the wireless world. Then came a slap across the face – it wasn’t secure.
We can, and should look at VoIP technology as simply an application – how secure is the application? Are there VoIP viruses, worms, malware and denial of service attacks on the horizon? Of course there are! And what is the downside when VoIP service is not available because of one of these problems? No phone service to or from the corporation? Nobody home at the call center? No access to 911? What is the cost of such downtime?
Remember that VoIP doesn’t handle latency well either… if we merge the data and voice network and there is significant overload on the data side, what will that do to the VoIP side? We all know how it feels to make an international call and have such high latency that each side is talking over each other – what an irritating pain!
What about interception? Imagine if someone could listen in on your phone calls? Encryption may inject unwanted latency into the calls.
Serious thought needs to go into the notion of a full-blown VoIP dependency for phone service.
Security tools and tricks:
Every network/security analyst should have the most up-to-date bag of hacker tools and tricks on a dedicated system. Only by knowing those tools inside and out can we identify their signatures and stop them in their tracks. In addition, companies need to maintain a security lab for vulnerability and tool testing – running a full Nessus audit on a production server can be a precursor to that new job you’ve never wanted.
Network analysis, forensics, and host forensics:
I believe all IT security specialists should have a solid grasp of network forensics. What’s normal traffic and what’s not normal traffic? In addition, these specialists should know how to perform at least a cursory host forensic evaluation (check out Incident Response and Computer Forensics, Second Edition by Chris Prosise, Kevin Mandia and Matt Pepe).
Q13: What are the top ten resources for IT Managers?
Q14: Laura, look into your crystal ball and provide your top industry predictions.
Q15: A passion for you is the Internet Safety for Kids Program. How is the program expanding and what goals do you have for the program in 2006 and 2007?
A: The Internet Safety for Kids (ISK) project is near and dear to my heart, Stephen – thanks for bringing it up. In 2006, Brenda Czech (co-founder) and I plan to continue to update the “Internet Safety for Kids” book, (which is free online at www.packet-level.com/kids), with the latest cases, predator profile information and protection methods. Ideally we’d like to publish the book in a more traditional book form to support development efforts and reach a non-technical audience. We’ll keep the master slide set up to date and freely available online for anyone who wants to present the topic in their local communities.
In addition, this year we will begin the internationalization of the materials with the translation into numerous languages with local case and legal information. We will continue to create strong collaborative ties with independent, charitable, local, state, federal and international organizations focused on protecting children on and off-line. We will also continue to create fictitious child victims online and document our findings on predator tactics.
By 2007 we hope to have the ISK video courses online and orderable on DVD for wider distribution. We’ll look to the corporate sector for support in getting the information developed and delivered to a wider audience. Although I wish I could focus on this project full-time, we’ve funded the program ourselves to date and find we need more partners to reach a larger audience.
Q16: You are a strong advocate for a higher penetration of women in the industry. What steps would you recommend to increase participation? What actions can corporations take?
A: In an ideal world we would have a fair balance of all races, creeds and sexes in the industry; that’s just never going to happen. I don’t point toward the corporations and demand that they ‘hire a certain percentage of women’ – that sounds like reverse discrimination to me. These corporations need to hire the best person for the job. I think the responsibility of improving the situation rests on the shoulders of the women themselves – the Women in Technology (WIT) organization offers job listings, technology training, conferences and other resources (see www.witi.org for more information). As an example, when I sat on a women’s technology panel at a conference in 2005 an attendee asked why a representative of a technical organization looking for officers was not there at the luncheon to consider some of the women in the room. My response was – “why aren’t you at their booth asking about the requirements for the position – you can bring this information back to share – they shouldn’t have to go out of their way to be here just because you are a woman.”
In addition, we really need to nurture young girls into technology – excite them about science and technology, not fashion. I detest going to my daughter’s school to find the girls wearing and carrying pink items and bringing Barbie dolls into the classroom – guess what Mom and Dad? You just cut your daughter’s earning power in half! If, as a parent you are not tech savvy, go to the kids’ science section in the bookstore and read with your kids. Why not read a book on quasars, black holes, how radar works, the space program, what pi is? Scientific American is still one of the best magazines to give a kid – boy or girl!
Now you’ve given me an idea – to write a book of techno-savvy bedtime stories for kids and non-tech savvy parents… hmmm….
Q17: Choose three topics of your choosing and providing commentary.
A: 1) Topic 1:
2) Topic 2:
3) Topic 3:
Q: Laura, we appreciate you taking the time to do this interview and wish you continued success in your many ventures.
A: Thanks so much, Stephen. I appreciate the opportunity to share my thoughts and experiences with your audience.