Hardly a week goes by without news of a major security breach hitting the headlines. Some, like the Ashley Madison and Sony hacks, have gone mainstream and garnered plenty of public attention, but many aren’t newsworthy enough to attract coverage even in specialist publications. Even more besides are never reported.
Even when a breach never makes the headlines, it is not only a public relations nightmare; it is also bad for your clients, your employees, and the bottom line.
Protecting infrastructure and the assets it houses is just as important for small businesses as it is for multinationals that rake in more cash than a small island nation.
According to Paul Hocksenar, senior security engineer at distributor Exclusive Networks, larger companies have embraced IT security, but with small-to-medium businesses there hasn’t been “a new awakening to the real dangers faced by the current and future cyber threat landscape”.
The old world: firewalls and antivirus
Since the early days of the internet and personal computing, the basic building blocks of computer and network security have been firewalls and antivirus.
Firewalls sit at the boundary points protecting, say, web servers from the public and internal systems from employees, and they basically act like bouncers. Web traffic, come on through. Sorry, file transfer protocol – not tonight, and definitely not with those shoes.
Historically, it was as simple as that: list the services that you want to let in and out of a particular network, and that was it. Firewalls also allow filtering based on source or destination, for example allowing companies to deny their employees access to pornography sites or to block access from North Korean military IP addresses. More modern firewalls are also able to inspect the data being transferred through them.
Antivirus typically sits at the computer level, and monitors for known bits of code that are used by viruses or malware. Malicious code is typically detected through its signature, although more advanced systems employ heuristics, machine learning and sandboxing techniques.
Although signatures are updated on a constant basis, the need for manual detection, verification and propagation of malware means most antivirus packages are a step or two behind the developing threats.
That’s not to say that we should start abandoning our antivirus and firewall solutions. As David Morrison, senior security consultant at Loop Technology, notes: “Traditional technologies will always remove a large amount of the ‘noise’ you see hitting the various ingress points to your network, such as automated scans and simple attacks by less skilled adversaries.”
It’s evolution, baby
As security awareness and implementation has improved, and technology has evolved to become smarter, so too have the attackers. For example, perpetrators are now increasingly modifying their code, however slightly, from attack to attack, so as to slip in under the systems that detect purely based on code signatures.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, says there has also been a shift of late from people who hacked systems for glory and notoriety to those seeking to use their nefarious work for financial gain. “Last year, there was a major change. Ransomware is all over the place. An attacker infects a computer with a piece of malware which encrypts all the files on that device or in the cloud associated with it.” The only way to recover the data is to pay the ransom or restore from backups.
According to Evan Dumas, head of threat prevention Asia-Pacific for Check Point, part of the reason why criminals are starting to gravitate towards cybercrime is that the risk/reward ratio is markedly better in the digital world than it is with traditional operations. For example, in some jurisdictions, like Indonesia or Singapore, arrests for drug trafficking can result in a death sentence. Online data theft and extortion, on the other hand, is harder to police and prosecute, especially across international borders.
The new world: pattern detection
Security information and event management (SIEM) works on a number of fronts. Firstly, it captures and stores the vast amount of logging information that’s generated by various pieces of security infrastructure. This data includes everything from the sites that people are visiting, and dodgy emails captured and quarantined for antivirus software, to permission changes enacted by security personnel and login information.
It then tries to correlate and make sense of this information. If any suspicious patterns or behaviours are observed, alerts can be generated and sent off to the relevant employees. Via a dashboard interface, security personnel can view reports and visualisations that could help them pick out anomalous patterns. SIEMs also make it significantly easier to piece together strands of information in the wake of a confirmed intrusion.
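As an added example (not from the article or any vendor named in it), the kind of correlation a SIEM performs over the login and permission-change records the text mentions: a burst of failed logins from one source, followed by a success and then a permission change, raises one alert where no single log line would. The log format, field names and thresholds are assumptions; the sample lines are constructed.

```python
# Added example: a minimal SIEM-style correlation rule over constructed log lines.
# Log format ("timestamp user source event"), field names and thresholds are assumptions.
from datetime import datetime, timedelta

# Constructed sample events (not real logs)
SAMPLE_LOGS = """\
2024-03-01T09:00:01 alice 10.0.0.5 login_failed
2024-03-01T09:00:04 alice 10.0.0.5 login_failed
2024-03-01T09:00:07 alice 10.0.0.5 login_failed
2024-03-01T09:00:12 alice 10.0.0.5 login_success
2024-03-01T09:01:30 alice 10.0.0.5 permission_change
2024-03-01T09:05:00 bob 10.0.0.9 login_failed
2024-03-01T09:05:20 bob 10.0.0.9 login_success
2024-03-01T11:00:00 carol 10.0.0.7 permission_change
"""


def parse_logs(text):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, src, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "event": kind})
    return events


def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Alert when one source fails to log in `failures` times within `window`,
    then logs in successfully, then changes permissions. Each step is benign
    on its own; only the sequence is suspicious."""
    alerts = []
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(e["src"], []).append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["event"] != "permission_change":
                continue
            # Only look back over the correlation window for this source
            recent = [x for x in evs[:i] if e["ts"] - x["ts"] <= window]
            fails = [x for x in recent if x["event"] == "login_failed"]
            success = [x for x in recent if x["event"] == "login_success"]
            if len(fails) >= failures and success and success[-1]["ts"] > fails[-1]["ts"]:
                alerts.append({"src": src, "user": e["user"], "at": e["ts"].isoformat()})
    return alerts
```

Running `correlate(parse_logs(SAMPLE_LOGS))` flags only the 10.0.0.5 sequence; bob's single failure and carol's isolated permission change stay below the threshold.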
Intrusion detection systems (IDS) can either work at network level or sit on a server or host. Network intrusion detection systems (NIDS) sit in strategic locations monitoring traffic packets; if one detects the signature or pattern of an attack, it can raise an alert. A host intrusion detection system (HIDS) monitors traffic heading in and out of the server or computer and keeps tabs on any suspicious file changes.
Intrusion prevention systems (IPS) take the idea up another notch by being able to take measures to stop an attack, such as actively dropping packets or changing the network configuration.
Traditionally in the IT world, a sandbox is an environment where developers could experiment freely with their code, with no consequences to the wider company.
Over the past decade, high-end security equipment has begun using the technique to dynamically and realistically test out suspicious or unknown pieces of code or website links. Sandboxing is now beginning to filter down from large corporations and government organisations, and allows for previously unknown threats to be detected and neutralised without the need for human verification, classification and signature generation.