Thwarting the Age Old Man in the Middle: Page 2
- The effective use of port security on Ethernet switches;
- Enabling port authentication such as 802.1x on Ethernet switches;
- ARP cache monitoring software at the NMS, Ethernet switch, and individual host level;
- Host-based intrusion detection and prevention agents that are configured with Layer-2 signatures and alarming;
- The use of hardcoded static ARP entries for mission critical gateway and server assets;
- Application-level encryption methods such as SSL with PKI-mandated certificate signing policies;
- Transport-level encryption methods such as IPSEC and SSL with PKI-mandated certificate signing policies;
- The use of multi-factor authentication methods for both network and application-level access; and
- The use of one time password (OTP) hardware tokens for network and application access.
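As an added illustration of the ARP cache monitoring and static ARP entry items above (example code written for this page, not a product's or the article's own), the monitor below replays constructed ARP replies, refuses to overwrite a pinned gateway entry, and flags a MAC that suddenly answers for several IPs:

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed ARP replies as (time, sender_ip, sender_mac), the shape a sniffer or
# switch ARP-inspection log would report. Sample data, not a real capture.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ("10:00:02", "192.168.1.20", "00:11:22:33:44:20"),
    ("10:00:03", "192.168.1.30", "00:11:22:33:44:30"),
    ("10:00:09", "192.168.1.1", "00:11:22:33:44:30"),   # gateway IP claimed by .30's MAC
    ("10:00:10", "192.168.1.20", "00:11:22:33:44:30"),  # .20 also claimed by that MAC
]

# Hardcoded static entries for mission-critical assets; these must never be overwritten.
STATIC_ENTRIES = {"192.168.1.1": "00:11:22:33:44:01"}


@dataclass
class ArpMonitor:
    static: Dict[str, str]
    cache: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> None:
        mac = mac.lower()
        pinned = self.static.get(ip)
        if pinned and mac != pinned.lower():
            # A reply contradicting a pinned entry is dropped, not learned.
            self.alerts.append(f"{ts} STATIC_VIOLATION {ip} claimed by {mac}, pinned {pinned}")
            return
        prev = self.cache.get(ip)
        if prev and prev != mac:
            # Legitimate NIC swaps also trigger this; it is a review item, not proof of attack.
            self.alerts.append(f"{ts} MAC_CHANGE {ip} {prev} -> {mac}")
        # One MAC answering for several IPs is the classic poisoning pattern.
        others = sorted(i for i, m in self.cache.items() if m == mac and i != ip)
        if others:
            self.alerts.append(f"{ts} DUPLICATE_MAC {mac} also claims {','.join(others)}")
        self.cache[ip] = mac


def run(replies=ARP_REPLIES, static=STATIC_ENTRIES) -> ArpMonitor:
    """Replay a list of ARP replies through a fresh monitor and return it."""
    mon = ArpMonitor(static=dict(static))
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    for line in run().alerts:
        print(line)
```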
Yet more concerns: Mobile and VoIP
VoIP is also subject to MITM attacks and requires additional countermeasures to protect voice, text and video communications.
"Encrypted VoIP using secure RTP (SRTP) still requires a secure key agreement approach," warned Alan Johnston, adjunct instructor at Washington University in St. Louis, and a Distinguished Engineer at Avaya. Johnston is also co-author of a VoIP privacy protocol specifically designed to protect against MITM attacks called ZRTP. It is published as RFC 6189 by the Internet Engineering Task Force (IETF).
"Unfortunately, most SRTP systems involve sharing the encryption key over the signaling channel, which can result in key disclosure," he said.
As for man-in-mobile (MIM) and MITB attacks, the best defense to date is a virtual firewall installed on the user's device. This firewall should activate whenever the enterprise network or an enterprise application is accessed.
"It should differentiate between enterprise-related sessions and those taking place on individual machines," said Klein. Using this method, malware can be blocked from exploiting protected Web sessions. "For example, when a machine infected with malware attempts to access the enterprise, it is immediately identified and the malware stripped from the device."
In addition, the virtual firewall should provide strong keystroke encryption to prevent keyloggers from intercepting confidential data such as login credentials and account numbers.
"It should secure communication between the browser and the network or application to prevent unauthorized modifications and provide API blockage to prevent unauthorized access," said Klein.
ZeuS, Spyeye and BlackHole-like threats are prevalent banking threats. Financial institutions try hard to hide the problem and have made little progress in defense mechanisms.
"Highly sensitive organizations like financial services have grown increasingly concerned not just with authenticating users, but the protection of transactions themselves," said Gonen. "Unfortunately, traditional user authentication methods that can protect against phishing, pharming and password hacking aren't enough to protect against transaction attacks like MITB, since users could be legitimately authenticated during an attack."
New products on the market, however, are designed to ensure that not only is the user who he claims to be, but that he is authorized to do what he's doing.
"An 'out-of-band' authentication method can validate the integrity of a specific transaction itself and such are quickly becoming an imperative because they can better circumvent MITB attacks by confirming the transaction through means other than the customer's PC and browser," said Gonen.
"This ensures that only the person in possession of the transaction security device can receive details of the transaction and approve it. These types of security solutions will become increasingly important over the next few years as advances in mobile technology are making online transactions a mainstay of global commerce."
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).