The Case for a New Approach to Network Security
An Advanced Systems Group White Paper
The IT world certainly has changed. The cloud, social media, smartphones, widespread WiFi, tablets, and other innovative technologies bring exciting and valuable business capabilities to the market. Unfortunately, they have also introduced new vulnerabilities and bred a new generation of attackers who are eager to capitalize on those weaknesses. In the face of these challenges and the latest generation of threats, organizations need to revise the security strategies they relied on in the past. Today, organizations need more than perimeter protection, anti-virus capabilities, and denial-of-service (DoS) defenses, although some organizations continue to struggle even with these basics. Few dispute that data has become an organization’s most valuable asset. Organizations must ensure the integrity and control of that data through encryption, data loss prevention strategies, and other data management techniques.
To meet the latest generation of threats, organizations require a new approach to security that addresses the changes in the threat landscape and places an emphasis on the need for governance, visibility, and control.
Five Critical Shifts that Threaten Network Security: 1. Emergence of systematic, syndicated, multi-layered global hacking. 2. Shift from application security to data security. 3. Emergence of social networking as major vulnerability. 4. Shift to proactive defense from reactive defense. 5. Shift focus to multidimensional password theft.
Network Security—Then
In the past, network security was IT-centric. It typically involved defenses like
• Protecting edge switches
• Setting up layers of firewalls
• Implementing virus protection by deploying anti-virus software, intercepting viruses at the email and Internet servers, educating users to leave unknown attachments unopened, and blocking users from accessing known risky websites
• Thwarting DoS attacks by monitoring incoming traffic, recognizing attacks early, and setting switches and routers to perform rate limiting and traffic shaping. Organizations expecting more sustained, sophisticated, and distributed DoS attacks deployed additional hardware to capture and divert or redirect the attacks.
• Scanning online activity to identify and isolate individual hackers, often considered “lone rangers” or rogue players.
Although these defenses took nearly a decade to develop and deploy effectively—and in recent years organizations have had some success in curtailing malicious activity—they were never intended to defend against many of the threats organizations face today. As a result, organizations continue to experience disturbing losses due to security breaches.
As demonstrated by the concerted, sustained, and ultimately unsuccessful DoS attacks against major companies targeted by WikiLeaks supporters, organizations have grown quite adept at defending against DoS attacks.
Network Security—Now
Today, the “lone ranger” hacker no longer operates alone. These individuals most likely belong to an informal group of hackers or even an organized hacker syndicate. Together, they orchestrate and coordinate their attacks and share techniques and methods, creating a more serious threat that is harder to identify and defeat. The industry has also noticed an increase in progressive, stepped attacks, in which attackers repeatedly try to penetrate the systems through different attack vectors. The organization may deflect some of the attempts, but the attackers are counting on one of them succeeding. And one is all it takes. The rise of social networking also poses challenges. Although it can be a significant benefit to the organization when appropriately managed, it also presents dangers in terms of security. Companies should make their social media users aware of the risks of information sharing on social media and educate them specifically about the types of information they can and cannot share. Organizations should consider revising policies to address social media and monitoring what employees say and share there.
The Enterprise Strategy Group (ESG) reports that nearly one-third of organizations experienced a data breach within the last 12 months. More alarming still, another 10% of the security professionals surveyed said they don’t know if they’ve experienced a data breach in that period.
Social media also offers hackers and other criminals the opportunity to engage in social engineering—using deception or fraud to persuade employees to reveal passwords and other confidential information. Attackers can then use this information to penetrate the systems and compromise data. To counter this method of attack, companies should build a defense around education, policy, and activity monitoring. Finally, organizations face one of their largest security threats from their own people, often in the form of careless or disgruntled employees. For example, many employees lack a clear understanding of what constitutes sensitive data. Or employees circumvent business processes or controls for the sake of speed and efficiency, which creates the risk of accidental data leakage. PricewaterhouseCoopers’s recent report, “Trends in Proprietary Information Loss,” found that Fortune 1,000 companies have experienced proprietary information and intellectual property (IP) losses of $50–60 billion annually—and roughly 25 percent of the companies surveyed said the majority of their losses were due to insiders. This outranked the losses caused by viruses, worms, spyware, and system penetration by outsiders.
Five Critical Shifts That Threaten Network Security
Together, the threats described above represent five critical shifts in the threat profile. In response to these shifts, organizations must rethink how they plan and execute security to safeguard their systems, applications, and—most importantly—their data.
1
Emergence of systematic, syndicated, multi-layered global hacking
This essentially amounts to the industrialization of hacking, producing a supply chain that closely resembles that of drug cartels: specialists write the malware, others rent out botnets to distribute it, and others monetize the stolen data. Automated tools such as malware distributed via botnets are the weapons of choice.
2
Shift from application security to data security
Companies are shifting to data security as cyber-criminals devise and uncover new ways for bypassing existing security measures to obtain information and critical data.
3
Emergence of social networking as major vulnerability
People who are less educated in security policy are more susceptible to social engineering, which makes companies more vulnerable.
4
Shift to proactive defense from reactive defense
Rather than waiting to be breached, smart organizations actively seek out their own holes and plug them first. It is another instance in which offense is the best defense.
5
Shift in focus to multi-dimensional password theft
Attackers expect that credentials for one application, such as an email account, will also work for other applications, such as online banking. As a result, attackers are ramping up their efforts against these big-payoff targets: a password list stolen from one low-value site is replayed against every high-value site its owners might also use. Insisting on a different password for every account, adding a second authentication factor where the service offers one, and changing a password immediately whenever compromise is suspected are all sound defenses. Frequent scheduled rotation on its own does little against a password that is reused elsewhere.
IBM’s Security Systems X-Force records and analyzes an average of 20 new network vulnerabilities every day from around the world. There are well over 10,000 known network vulnerabilities and the number rises daily as global threats continue to increase.
To combat the threats from these shifts in network security, managers need the visibility and control that lies at the heart of information governance. Organizations know all about corporate and financial governance. Now they must apply it diligently to information that—when you come down to it—is one of their most valuable assets.
Increase Visibility through a Comprehensive Security Assessment
One of the largest data breaches on record, the TJX breach, began when attackers focused on weaknesses in the company’s store wireless networks. Even more troublesome, the attack came after the organization had certified its compliance with the Payment Card Industry (PCI) security standard. New threats emerge every day that require innovative approaches and force organizations to be more proactive. And as the number of hackers around the globe continues to grow, it is more important than ever to conduct a comprehensive security assessment of your network—one that focuses on actual threats rather than on an audit checklist such as PCI compliance. A comprehensive security assessment consists of eight steps:
1
Recognize your organization’s current digital footprint
Document your electronic footprint on the Internet, both the visible web and the IRC/ICQ message channels, forums, and other groups. Identify and pinpoint potential areas that may be vulnerable to information disclosure or compromise by gathering all the intelligence you can about your organization, employees, partners, other stakeholders, and infrastructure—the same way malicious hackers do.
2
Assess vulnerabilities of employees, partners, and other stakeholders
Using the intelligence gathered in the previous step, determine which employees, partners, and other stakeholders are exposed—for example, whose roles, contact details, and affiliations are public enough to support a convincing pretext—then analyze and evaluate what you have learned to identify potential problems.
3
Assess the vulnerabilities of networks, applications, other IT resources
Document and analyze your entire IT infrastructure to find the weaknesses and potential problems.
4
Conduct comprehensive scanning of ports, vectors, protocols
Conduct a comprehensive scan of all ports on your network to identify the IT counterpart of open windows and unlocked doors. The most common malicious network scans search a standard range of roughly 300 ports where the most common vulnerabilities are found. Your own assessment should not stop there: a service listening on a non-standard port is invisible to such a scan, and every host has 65,535 TCP ports (and as many UDP ports, which require a different probing technique) that can be suspect.
5
Understand how your network interacts with outside parties
Try to access your network as an outside party might. See what your network requests in terms of information and how easily it can be satisfied.
6
Probe your internal network weaknesses
Assess how systems and users interact on the internal network. Unfortunately, internal people do malicious things too, and an outside attacker who gains a single foothold moves through the same internal paths.
7
Review wireless nets, including WiFi, Bluetooth, RFID, rogue devices
Wireless nets, rogue devices, and removable media all present vulnerabilities. If a hacker leaves a USB flash drive containing malicious code in your lobby, someone will likely pick it up and innocently pop it into a system on the network to see what’s on it. That’s all it takes to compromise your network.
8
Assess and educate employees about social engineering attacks
This includes policies around behavior, like picking up flash drives left lying around.
This may sound like a lot of work, and it is. But hackers make it their job to breach your security, and you want to make it as difficult as possible for them.
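The scanning step above (step 4) is the one that is easiest to show in code. The following is an added example, not code from the white paper or from Advanced Systems Group: a TCP connect scan over a port range using a thread pool, so that the full 65,535-port range is practical rather than only a short "common ports" list. It assumes TCP only (UDP needs a different probe), a short connect() timeout, and that you are authorised to scan the target; the `listener` helper only exists so the demo can be run offline against the local host.

```python
"""TCP connect scan of a port range with a thread pool.

Added example for the "comprehensive scanning of ports" step; it is not
code from the white paper or from Advanced Systems Group.  Assumptions:
TCP only (UDP needs a different probe), a connect() timeout short enough
to step through a large range quickly, and permission to scan the host.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

FULL_RANGE = range(1, 65536)  # every TCP port, not just a "top 300" list


def probe(host, port, timeout=0.5):
    """Return (port, True) if a TCP handshake completes, else (port, False)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return port, True
    except OSError:  # refused, unreachable, or timed out
        return port, False


def scan(host, ports, workers=64, timeout=0.5):
    """Scan `ports` concurrently; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in results if is_open)


def listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port (local demo only).

    The kernel completes the handshake into the backlog, so the port
    shows as open even though nothing ever calls accept().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = listener()
    port = srv.getsockname()[1]
    # Scan a small window around the demo port; swap in FULL_RANGE for a
    # real assessment of a host you are allowed to test.
    print("open:", scan("127.0.0.1", range(port - 5, port + 6)))
    srv.close()
```

A connect scan completes the full handshake and so appears in the target's logs, which is fine for an assessment of your own network; the attacker's equivalents use half-open or stealth techniques that a good intrusion detection system should still see.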
Information Governance
Maintaining proper security monitoring and controls is central to defending your organization against data breaches. Fortunately, new efforts in Security Information and Event Management (SIEM) and Data Loss Prevention (DLP) can counter the latest threats. SIEM uses automated collection, analysis, alerting, auditing, reporting, and secure storage of all logs, which produces a mountain of information. Tools then correlate this huge amount of seemingly unrelated data and turn it into intelligible patterns that reveal what actually happens on your network, and immediately generate alerts when anything significant occurs. The results are invaluable to the stakeholders in any organization, including Compliance, HR, Security, IT, and Network Operations.
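What "correlating seemingly unrelated data" means in practice is easiest to see with a small rule engine over authentication events from several hosts. The block below is an added example, not code from the white paper or from any SIEM product; the log format, the thresholds and the sample events are constructed for illustration (a real SIEM normalises many vendor formats into a common schema before this step). It implements two of the patterns this paper discusses: the password-guessing run that ends in a successful login, even when the failures and the success land on different hosts, and the "multi-dimensional password theft" pattern from the shifts above, where one source cycles a stolen credential list through many usernames.

```python
"""Correlating authentication events from several hosts into alerts.

Added example for the SIEM discussion and the password-theft shift; it
is not code from the white paper or from any SIEM product.  Log format,
thresholds and SAMPLE_LOG are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simplified syslog/auth style (not real logs).
SAMPLE_LOG = """\
2010-11-02T09:00:01 vpn01 auth: FAIL user=jsmith src=203.0.113.7
2010-11-02T09:00:04 vpn01 auth: FAIL user=jsmith src=203.0.113.7
2010-11-02T09:00:07 vpn01 auth: FAIL user=jsmith src=203.0.113.7
2010-11-02T09:00:09 vpn01 auth: FAIL user=jsmith src=203.0.113.7
2010-11-02T09:00:12 mail01 auth: OK   user=jsmith src=203.0.113.7
2010-11-02T09:05:00 web01 auth: FAIL user=alice src=198.51.100.9
2010-11-02T09:05:01 web01 auth: FAIL user=bob src=198.51.100.9
2010-11-02T09:05:02 web01 auth: FAIL user=carol src=198.51.100.9
2010-11-02T09:05:03 web01 auth: FAIL user=dave src=198.51.100.9
2010-11-02T09:05:04 web01 auth: OK   user=erin src=198.51.100.9
2010-11-02T09:30:00 web01 auth: FAIL user=frank src=192.0.2.44
2010-11-02T09:31:00 web01 auth: OK   user=frank src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Normalise raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate(events, fails=3, window=timedelta(minutes=5), stuffing_users=4):
    """Return alert tuples (rule, src, user) from time-ordered events.

    brute_force_success: a success for (src, user) preceded by at least
    `fails` failures inside `window`, regardless of which host saw them.
    credential_stuffing: one source trying `stuffing_users` or more
    distinct usernames, the signature of a stolen list being replayed.
    """
    alerts = []
    recent = defaultdict(list)        # (src, user) -> timestamps of FAILs
    users_per_src = defaultdict(set)  # src -> distinct usernames attempted
    stuffing_raised = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        users_per_src[ev["src"]].add(ev["user"])
        if ev["result"] == "FAIL":
            recent[key].append(ev["ts"])
        else:
            window_fails = [t for t in recent[key] if ev["ts"] - t <= window]
            if len(window_fails) >= fails:
                alerts.append(("brute_force_success", ev["src"], ev["user"]))
            recent[key].clear()
        if (len(users_per_src[ev["src"]]) >= stuffing_users
                and ev["src"] not in stuffing_raised):
            stuffing_raised.add(ev["src"])
            alerts.append(("credential_stuffing", ev["src"], None))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

Note that neither rule fires on the `frank` events: a single typo followed by a correct login is normal behaviour, and a correlation rule that alerts on it would bury the real signals. The vpn01/mail01 case is the one a host-local log review misses and a SIEM catches, because the failures and the eventual success are on different systems.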
DLP consists of systems to identify, monitor, and protect data in use, in motion, and at rest. It relies on deep content inspection and contextual security analysis of all aspects of a transaction within a centralized management framework. In short, DLP is designed to detect and prevent the unauthorized use and transmission of confidential information. The security threats organizations face place a substantial premium on their ability to recognize threats and correlate threat behavior. Therefore, companies require not only technology tools but enterprise-wide information governance grounded in policies and education. That’s why it’s equally important that management has the will and commitment to enforce corporate governance and HR policies.
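The "deep content inspection" that DLP relies on is, at its core, pattern matching with enough validation to keep false positives down. The block below is an added example, not code from the white paper or from any DLP product: it scans outbound text for payment-card numbers and US Social Security numbers, applies the Luhn mod-10 check so that an ordinary 16-digit order number is not flagged, masks what it finds, and returns a block/allow decision. The patterns, the masking format and the sample message are constructed for illustration; a production DLP engine adds file-format parsing, document fingerprinting, and context such as sender and channel.

```python
"""Content inspection for outbound text: flag card numbers that pass Luhn.

Added example for the DLP discussion; it is not code from the white paper
or from any DLP product.  Patterns, masking and the sample message are
constructed for illustration only.
"""
import re

# Candidate primary account numbers: 13-19 digits, optional space/dash
# separators, not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in its common dashed form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits):
    """Mod-10 check that every real card number satisfies.

    Doubling every second digit from the right (subtracting 9 when the
    result exceeds 9) and summing must give a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text):
    """Return findings as (kind, masked_value); the text itself is untouched."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group().replace("-", ""))))
    return findings


def policy_decision(text):
    """Block the transmission when any confidential data is present."""
    findings = inspect(text)
    return ("block" if findings else "allow"), findings


# Constructed sample: one real-looking card number that passes Luhn, one
# that fails it, a 16-digit order number, and an SSN.
SAMPLE_MESSAGE = (
    "Shipping order 1234567890123456 today. Customer card 4111 1111 1111 1111, "
    "old card 4111-1111-1111-1112 was declined. Tax id 123-45-6789."
)

if __name__ == "__main__":
    decision, found = policy_decision(SAMPLE_MESSAGE)
    print(decision, found)
```

The Luhn check is what separates a usable control from one that users learn to ignore: without it, every tracking number, invoice reference, and phone number of the right length becomes an alert.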
About the Author Mark Teter is the Chief Technology Officer at Advanced Systems Group. He is an internationally recognized authority on information technology who regularly advises IT organizations, vendors, and government agencies on a broad range of information management issues. Each year, Mark conducts dozens of seminars and training programs for corporate and government institutions. He sits on several financial industry advisory boards and has recently published Paradigm Shift: Seven Keys of Highly Successful Linux and Open Source Adoptions.
About Advanced Systems Group Since 1981, Advanced Systems Group (ASG) has been providing comprehensive consulting services, successful storage and data management solutions, assessments, and implementation services to help customers meet today’s IT & business challenges. In particular, ASG focuses on customer needs, customizing unique solutions and successfully addressing companies’ particular IT challenges. As a consistent member of the VAR Business Top 500, ASG pursues active involvement in the industry, maintaining the highest level of engineering certifications with partners and the vendor community.
Call us at 800.894.3619 www.virtual.com Denver . Baton Rouge . Boise . Colorado Springs . Dallas . Houston . Los Angeles . New Orleans Oklahoma City . Orange County . Phoenix . Portland . Salt Lake City . San Diego . Seattle . Tulsa ©2010 Advanced Systems Group