Hardly a week goes by without news of a major security breach hitting the headlines. Some, like the Ashley Madison and Sony hacks, have gone mainstream and garnered plenty of public attention, but many aren’t newsworthy enough to attract coverage even in specialist publications. Even more besides are never reported.
But despite this, not only can a security breach be a public relations nightmare, it’s also bad for your clients, employees, and the bottom line.
Protecting infrastructure and the assets they house is just as important for small businesses as it is for multinationals that rake in more cash than a small island nation.
According to Paul Hocksenar, senior security engineer at distributor Exclusive Networks, larger companies have embraced IT security, but with small-to-medium businesses
there hasn’t been “a new awakening to the real dangers faced by the current and future cyber threat landscape”.
The old world: firewalls and antivirus
Since the early days of the internet and personal computing, the basic building blocks of computer and network security have been firewalls and antivirus.
Firewalls sit at the boundary points protecting, say, web servers from the public and internal systems from employees, and they basically act like bouncers. Web traffic, come on through. Sorry, file transfer protocol – not tonight, and definitely not with those shoes.
Historically, it was as simple as that. List the services that you want to let in and out of a particular network, and that was it. Firewalls also allow filtering based on source or destination, for example, allowing companies to deny their employees access to pornography sites or blocking access from North Korean military IP addresses. More modern firewalls are also able to inspect the data being transferred through it.
Antivirus typically sits at the computer level, and monitors for known bits of code that are used by viruses or malware. Malicious code is typically detected through its signature, although more advanced systems employ heuristics, machine learning and sandboxing techniques.
Although signatures are updated on a constant basis, the need for manual detection, verification and propagation of malware means most antivirus packages are a step or two behind the developing threats.
That’s not to say that we should start abandoning our antivirus and firewall solutions. As David Morrison, senior security consultant at Loop Technology, notes: “Traditional technologies will always remove a large amount of the ‘noise’ you see hitting the various ingress points to your network, such as automated scans and simple attacks by less skilled adversaries.”
It’s evolution, baby
As security awareness and implementation has improved, and technology has evolved to become smarter, so too have the attackers. For example, perpetrators are now increasingly modifying their code, however slightly, from attack to attack, so as to slip in under the systems that detect purely based on code signatures.
Bogdan Botezatu, senior e-threat analyst of Bitdefender, says there has also been a shift of late from people who hacked systems for glory and notoriety to those seeking to use their nefarious work for financial gain. “Last year, there was a major change. Ransomware is all over the place. An attacker infects a computer with a piece of malware which encrypts all the files on that device or in the cloud associated with it.” The only way to recover your data was by paying the ransom or restoring to backups.
According to Evan Dumas, head of threat prevention Asia-Pacific for Check Point, part of the reason why criminals are starting to gravitate towards cybercrime is that the risk/reward ratio is markedly better in the digital world than it is with traditional operations. For example, in some jurisdictions, like Indonesia or Singapore, arrests for drug trafficking can result in a death sentence. Online data theft and extortion, on the other hand, is harder to police and prosecute, especially across international borders.
The new world: pattern detection
Security information and event management (SIEM) works on a number of fronts. Firstly, it captures and stores the vast amount of logging information that’s generated by various pieces of security infrastructure. This data includes everything from the sites that people are visiting, and dodgy emails captured and quarantined for antivirus software, to permission changes enacted by security personnel and login information.
It then tries to correlate and make sense of this information. If any suspicious patterns or behaviours are observed, alerts can be generated and sent off to the relevant employees. Via a dashboard interface, security personnel can view reports and visualisations that could help them pick out anomalous patterns. SIEMs also make it significantly easier to piece together strands of information in the wake of a confirmed intrusion.
Intrusion detection systems (IDS) can either work at network level or sit on a server or host. Network intrusion detection systems (NIDS) sit in strategic locations monitoring traffic packets. If it detects the signature or pattern of an attack, it can raise an alert. A host intrusion detection system (HIDS) monitors traffic heading in and out of the server or computer and keeps tabs on any suspicious file changes.
Intrusion protection systems take the idea up another notch by being able to take measures to stop an attack, such as actively dropping packets or changing the network configuration. Traditionally in the IT world, a sandbox is an environment where developers could experiment freely with their code, with no consequences to the wider company.
Over the past decade, high-end security equipment has begun using the technique to dynamically and realistically test out suspicious or unknown pieces of code or website links. Sandboxing is now beginning to filter down from large corporations and government organisations, and allows for previously unknown threats to be detected and neutralised without the need for human verification, classification and signature generation.
Next: combat phishing
Combat phishing by doing it yourself
Malicious attackers are zeroing in on what many consider to be the weakest points of any security setup, the water and carbon-based life forms running the whole shebang.
Most of us are wise to the fact that Nigerian princes really don’t need our help in transferring money around, and we almost certainly didn’t win a million euros in a lottery competition we never entered. So, attackers have begun crafting ever more realistic phishing emails that faithfully mimic correspondence from utility companies or package delivery services. While these emails are still distributed broadly, there’s evidence that hackers are also personalising emails to target particular people within organisations.
Aaron Bailey, director of Sydney-based The Missing Link Network Integration, believes that training – primarily through experience rather than lectures – is an important strategy in reducing the chances of a successful phishing attack against an organisation.
One particularly effective method, he believes, involves using a simulated phishing attack that generates not only metrics on who opened the suspicious emails, clicked on the links and entered credentials, but also delivers targeted training to those who need it.
Bryce Boland, CTO of FireEye Asia-Pacific, cautions that while helpful, it’s not a substitute for technical solutions, as “attackers only need to succeed once, and training is never going to deliver a 100 percent success rate”.
Back to basics
“Defence in depth” is a key phrase that came up consistently with all the security consultants who CRN spoke to. Having multiple layers of protection makes it more likely that only the more determined hackers are able to get in, while buying the organisation time to deal with them.
If you can’t afford the latest and the greatest, Julian Haber, CEO of Brisbane-headquartered Intalock, says that “a well configured, managed and monitored environment will provide better protection than numerous expensive ‘best of breed’ tools that are poorly configured or managed”.
In the experience of Loop’s Morrison, many companies still have “weak passwords, unpatched systems, use unencrypted protocols and lack of network segmentation allowing an attacker to venture anywhere through the network once inside”.
Getting the basics right can be just as valuable as investing in the latest technology.
What to do when an intrusion is succesful
Even with well trained staff and an expertly designed and configured security setup, Bitdefender’s Bogdan Botezatu believes that for most organisations it’s a question of when not if an intrusion occurs.
If an attack is detected in time, damage can be limited. Having SIEM and intrusion detection helps in this regard, both with real-time alerts and the ability to more simply dig through mounds of potential evidence.
Regular backups are always important. If your organisation is hit with ransomware, it not only allows you to restore systems to their pre-infected state, but also means that there’s no temptation to pay your data’s captors, which merely serves to perpetuate this cycle of cybercrime.
VENDORS TO WATCH
Trustpipe monitors network traffic heading into and out of a computer or server. With a small list (under 2Mb) of “expressions”, Trustpipe is able to detect known attacks and any potential variants that are whipped up by hackers. Its compact size and speed is said to make it perfect for older operating systems, including the still widely used Windows XP.
Sentrix is an AWS and Microsoft Azure-based scalable web-mirroring service that aims to prevent a distributed denial of service attack (DDoS) from succeeding. When your site comes under attack, Sentrix simply keeps expanding its mirror network until the attacker runs out of resources and quits.
PFP Cybersecurity secures a server without installing any software on it. It’s a completely external hardware solution, meaning that even the most advanced malware can’t detect its presence. The system monitors and creates a baseline of the server’s radio-frequency activity when it is performing normal tasks. Via careful analysis, PFP is able to detect anomalous behaviour and potential attacks.
Norse DarkWatch is an appliance that hooks into the company’s DarkMatter platform, which watches live attacks from the globe like you’d watch a football match on a Friday night. With threat sources and vectors updated constantly, users can prepare their systems as necessary.
NuData believes that online fraud has moved beyond just using stolen credit cards, and aims to prevent any funny business by monitoring user behaviour on e-commerce sites.
ThreatSim, via its web interface, permits you to run simulated phishing attacks against your own company, allowing you to figure out who is susceptible, and also run targeted training for at risk users.