[BreachExchange] 3 Ways You Can Mitigate Man-in-the-Middle Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 6 19:14:10 EST 2018


In today’s enterprise where mobile devices such as smartphones and tablets
are so prevalent, security depends heavily on wireless networks. This means
organizations should consider network security and secure device
connectivity a priority, since data in transit can be at significant risk
of attack.

IT and security leaders who want to mitigate the risks of wireless networks
need to take special care to avoid wireless eavesdroppers, particularly
from man-in-the-middle (MITM) attacks. These attacks occur when someone is
able to monitor wireless communications and may also attempt to modify them
in real-time.

Two Types of Man-in-the-Middle Attacks

Generally, MITM attacks fall into two categories. Purely eavesdropping is
called a “passive MITM.” The more advanced configuration is the “active
MITM,” where someone can capture everything that transmits between two
devices, and even modify the data in transit.

While some IT managers might think that MITM attacks only target Wi-Fi
networks, they should be aware that these breaches are also possible on
cellular networks through the use of IMSI catchers. Therefore,
administrators should have security measures for both Wi-Fi and cellular
data connections on corporate mobile devices.

Turning Industry Knowledge Upside-Down

MITM attacks are particular problems for IT managers. Obviously, any
unencrypted communications can be intercepted and even modified. But that’s
just the start. With a MITM attack, many basic assumptions about
cryptography are turned upside down.

Industry-standard tools such as TLS/SSL cryptography can be defeated or
weakened. For example, a MITM attacker can carry out a downgrade attack.
During the TLS/SSL handshake, the attacker alters the list of encryption
algorithms offered by the client so that weak algorithms are preferred, or
even the “NULL” algorithm, which results in no encryption at all. This
reduces the amount of security needed to access files or programs.

If the server is willing to use the weaker algorithm, then the result may
be traffic that is easily decrypted by the attacker. Since TLS/SSL
underpins most internet cryptography (including SSL VPNs), this presents a
major risk for enterprises.

Mitigating the Risks

Even with the concerns posed by MITM attacks, here are three strategies that
can help mitigate mobile security threats:

1. Employ Encryption. At a minimum, this means that any and every
enterprise application, including web, email and voice traffic, should be
encrypted, not just sensitive communications. Why everything? Because if an
active MITM attacker can intercept unencrypted, “unimportant”
communications, they can insert data as well — changing DNS responses to
send the user to an impersonating server, or sending down malware towards
the mobile device or injecting JavaScript that steals cookies. A recent
innovation called HTTP Strict Transport Security (HSTS) can help ensure
that clients don’t even try to use unencrypted communications for
enterprise websites.

In extreme cases, IT managers with a very low tolerance for risk can use
their mobile device management (MDM) tool to configure mobile devices to
bring up a VPN tunnel and send all traffic, even non-corporate traffic,
back to an enterprise data center or VPN provider. There is additional
overhead, but this also brings additional security and resistance to MITM.
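
The HSTS policy check below is an added example, not part of the original post; it parses a Strict-Transport-Security header value and reports whether it meets an assumed enterprise policy (one-year minimum max-age, subdomains covered), including the max-age=0 case that switches HSTS off.

```python
# Assumed policy values (not from the original post).
MIN_MAX_AGE = 31536000          # one year, in seconds

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; values may be quoted."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def check_hsts(header):
    """Return a list of findings; an empty list means the header passes."""
    if header is None:
        return ["no Strict-Transport-Security header: clients may still try plain HTTP"]
    d = parse_hsts(header)
    if not d.get("max-age", "").isdigit():
        return ["max-age directive missing or not a number"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells clients to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the one-year minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    return findings

# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "off": "max-age=0; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, check_hsts(value) or "OK")
```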

2. Verify TLS/SSL Setups. The internet adage of “be liberal in what you
accept” means many out-of-the-box web servers accept older protocols and
weaker encryption or authentication algorithms. MITM attackers can take
advantage of this. In general, a first step is to disable old or weak
algorithms for encryption and authentication — such as NULL, RC4, 3DES, MD5
and SHA1 — along with older protocol versions, such as SSL and TLS versions
prior to v1.2.

IT managers who are using application delivery controllers (load balancers)
have a centralized point to manage TLS/SSL settings and keep cryptographic
libraries updated on the server side. If each application server has its
own TLS/SSL settings, this complicates things and makes it more difficult
to keep things synchronized and patched.

The Open Web Application Security Project (OWASP) provides guidelines and
tips on proper configuration of TLS for web servers; the advice is equally
applicable to other TLS-protected services, including SSL VPNs and email
(IMAP/SMTP) servers.
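
To make the downgrade risk above and this "verify your TLS setup" step concrete, here is an added example (not code from the original post) using Python's ssl module: a permissive server context that accepts every suite OpenSSL will offer and old protocol versions, a hardened context restricted to TLS 1.2+ and AEAD suites, and an audit function that flags the weak primitives the post names. Exact cipher names and protocol availability depend on the OpenSSL build.

```python
import ssl

# Substrings of OpenSSL cipher names that indicate primitives the post says to disable.
WEAK_PATTERNS = {
    "NULL": "no encryption or no authentication",
    "RC4": "RC4 stream cipher",
    "DES": "3DES/DES (OpenSSL names 3DES suites DES-CBC3-*)",
    "MD5": "MD5 MAC",
}

def audit_tls_context(ctx):
    """Return a list of findings for an ssl.SSLContext; empty means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        for needle, label in WEAK_PATTERNS.items():
            if needle in name:
                findings.append(f"{name}: {label}")
        if name.endswith("-SHA"):            # "-SHA" suffix means an HMAC-SHA1 suite
            findings.append(f"{name}: SHA1 MAC")
    return findings

def permissive_context():
    """'Liberal in what you accept': everything OpenSSL offers, old protocols allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:COMPLEMENTOFDEFAULT")
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # builds without TLS 1.0 reject this
    except (ValueError, ssl.SSLError):
        pass
    return ctx

def hardened_context():
    """TLS 1.2+ only, forward-secret AEAD suites, weak primitives explicitly excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx

if __name__ == "__main__":
    print("permissive:", *audit_tls_context(permissive_context()), sep="\n  ")
    print("hardened:", audit_tls_context(hardened_context()) or "no findings")
```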

3. Manage Enterprise-Wide Certificates. IT managers should ensure that only
valid certificates and certification authorities are used with enterprise
applications. If a local certification authority is used within a company,
then the Certification Authority (CA) certificate should be pre-loaded onto
all devices using the organization’s MDM tool.

IT managers should review settings for certificate revocation, ensuring
that online revocation protocols are still enabled. They should also
investigate adding certificate pinning, which reduces the possibility that
a fake digital certificate can be used by a MITM attacker to access their
applications and web services.
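
Certificate pinning is usually done on the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, so the pin survives renewals that keep the key. The following is an added example, not code from the original post: a minimal DER walker that pulls the SPKI out of an X.509 certificate, computes the base64(SHA-256(SPKI)) pin used by HPKP and Android's network security configuration, and checks it against a pin set. The certificate used is constructed inline (structurally valid, unsigned, dummy EC point) so the example runs offline.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV, using long-form lengths when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    tag, pos, tbs_end = read_tlv(cert_der, start)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < tbs_end:                              # collect top-level TBS fields
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))                # span covers the whole TLV
        pos = end
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields.pop(0)
    _, s, e = fields[5]    # serial, signature, issuer, validity, subject, SPKI
    return cert_der[s:e]

def spki_pin(spki_der):
    """Pin format used by HPKP and Android network-security-config: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def verify_pin(cert_der, pin_set):
    return spki_pin(extract_spki(cert_der)) in pin_set

# Constructed sample: EC P-256 SPKI with a dummy point inside an unsigned certificate.
EC_OID, P256_OID = b"\x2a\x86\x48\xce\x3d\x02\x01", b"\x2a\x86\x48\xce\x3d\x03\x01\x07"
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, EC_OID) + der(0x06, P256_OID))
                  + der(0x03, b"\x00\x04" + b"\x11" * 64))
SIG_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG
          + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, TBS + SIG_ALG + der(0x03, b"\x00" + b"\x00" * 8))
```

A real pin set would hold the leaf or intermediate SPKI hashes plus a backup key's hash, distributed to devices through the MDM tool.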

A final action item here is user training: Ensuring that users know that
they should never accept an unrecognized certificate on their mobile — or
any other device.

By following good network security principles, IT managers can both
mitigate many of the risks of MITM attacks and, at the same time, increase
overall security in all internet-connected environments.