By: David Thomason, Thomason Technologies LLC
The past few months have seen a significant increase in “hacktivism”, a word derived from hacking and activism. Loosely organized groups like Anonymous and LulzSec seem to be playing a game of “one-ups”. These groups are so bold as to taunt law enforcement from Twitter and to go after the highest profile targets such as the US Senate and the CIA.
Who loses? We all do. Businesses lose because a loss of personal information, say from a credit card company, erodes confidence and they lose customers. Individuals lose when their personal information is made public or sold to those who would use it illegally. Additionally, money will be spent: to investigate the crimes, to assess the security posture of the targeted organizations, and finally to write new legislation. History tells us this legislation will do little or nothing to stem the tide of hacktivism, but it will add costs to businesses, which in turn pass those costs on to the consumer. You and me.
At one time, perimeter security seemed to be the dominant solution to prevent attacks. After all, hackers must come from the outside. Today, a perimeter firewall by itself isn’t even a speed bump to hackers, and many external firewalls have accumulated so many exceptions over the years that they look more like a pegboard. In fact, more than ever the attacks are “client side”: your users visit websites that serve up malware like extra cheese on your favorite pizza. Spyware, adware and other types of malware are consumed by our users when they visit their favorite gaming or movie download site. Those are just two examples, but malware has been hidden in everything from openly malicious sites to advertisements on the most popular news sites.
Some would claim that our defenses are useless, but the truth is, there are a number of things we can do to either prevent our companies from becoming the next victim or to give us a chance at detecting and responding to the security incident. Let me offer the following four steps as a “quick-start”.
1. Get the basics done. Too many companies today still don’t have a complete grasp on the basic security processes, such as patch management, firewall audits, password changes and protection, security logging, anti-malware updates, etc.
2. Lock down your systems and keep backup images so that systems can be restored quickly in the case of failure or a complete compromise. One of the most secure organizations for whom I have ever done consulting kept a complete set of clean virtual images and compared them nightly against the desktops and servers to make sure nothing changed or was added. If there was any variance, the variance was recorded and copied for forensic purposes and a fresh instance was immediately loaded.
3. Deploy monitoring tools at the perimeter and internally. This would include IPS, web application monitoring, network intelligence tools, next generation firewalls, etc. Many companies will stop after deploying firewalls and IPS at the perimeter or maybe even at a secondary perimeter that protects against partner networks, VPN connections, etc. I say that’s not enough. If you aren’t monitoring internally, you are missing all the traffic passing between your desktops and between desktops and internal servers. Overlooking these links could be a fatal mistake. I’ll explain more later.
4. Train your users. Professionals have known forever that security is only as strong as the weakest link. If security is not a part of your corporate culture, you need to change your culture. Contrary to some opinions, it won’t stifle creativity and won’t hurt productivity for people to understand the importance of security as well as the practical steps to protect corporate information.
The truth is, these may all sound like basics and number 4 should probably be done at the same time as number 1, but too many companies don’t make the effort to get all of these functions done effectively.
For example, let’s take firewall audits as just one part of #1 above. Organizations with more than 10 firewalls find it difficult to audit their rule bases regularly: it is time consuming, complicated and often not very productive. Yet a good firewall configuration completely mitigates many vulnerabilities. In the typical e-commerce environment, a web front end processes transactions and then sends them to a back end database over an encrypted SQL connection. If the firewall permits nothing except SQL over SSL between the web front end and the database, every other network-reachable vulnerability on the database server is off the table; what remains is whatever can be exploited through that one SQL channel (for instance, a SQL injection flaw in the web application, which the firewall cannot see) or locally on the host. (Stay tuned to later blog entries for more on auditing firewalls.)
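To make the audit concrete, here is an added example (my own illustration, not code from the original post) that checks a rule base for exactly the two problems that creep into an unaudited firewall: an allow rule that lets the web tier reach the database tier on anything other than the SQL listener, and a rule that is dead because an earlier rule already matches all of its traffic. The rule format, the tier subnets and the permitted port are constructed assumptions; first match wins, as on most firewalls.

```python
"""Audit a firewall rule set for paths between the web and database tiers.

Added example (not from the original post). The rule format is constructed:
one rule per line, 'allow|deny <src_cidr> <dst_cidr> <tcp|udp|any> <dport|any>',
evaluated top to bottom, first match wins. Subnets and the permitted
service are assumptions standing in for a real environment.
"""
from ipaddress import ip_network

WEB = ip_network("10.1.0.0/24")   # constructed: web front-end subnet
DB = ip_network("10.2.0.0/24")    # constructed: database subnet
# The only service the web tier should reach on the DB tier: the SQL
# listener (here PostgreSQL, 5432) with TLS enforced on the server side.
ALLOWED_WEB_TO_DB = {("tcp", 5432)}

# Constructed rule base containing the problems an audit should catch.
SAMPLE_RULES = """\
allow 0.0.0.0/0 10.1.0.0/24 tcp 443
allow 10.1.0.0/24 10.2.0.0/24 tcp 5432
allow 10.1.0.0/24 10.2.0.0/24 any any
allow 10.0.0.0/8 10.2.0.0/24 tcp 22
deny 10.1.0.0/24 10.2.0.0/24 tcp 22
deny 0.0.0.0/0 0.0.0.0/0 any any
"""


def parse_rule(line):
    action, src, dst, proto, dport = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    return {
        "action": action,
        "src": ip_network(src),
        "dst": ip_network(dst),
        "proto": proto,
        "dport": None if dport == "any" else int(dport),
    }


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a["src"].supernet_of(b["src"])
            and a["dst"].supernet_of(b["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["dport"] in (None, b["dport"]))


def audit(rules_text):
    """Return 1-based rule numbers that are over-permissive or shadowed."""
    rules = [parse_rule(line) for line in rules_text.splitlines() if line.strip()]
    over_permissive, shadowed = [], []
    for i, rule in enumerate(rules, start=1):
        # 1. An allow rule letting any web-tier address reach the DB tier on
        #    anything but the SQL listener. A broad source such as 10.0.0.0/8
        #    still overlaps the web subnet, so it is caught too; 'any' never
        #    counts as the permitted service.
        if (rule["action"] == "allow"
                and rule["src"].overlaps(WEB) and rule["dst"].overlaps(DB)
                and (rule["proto"], rule["dport"]) not in ALLOWED_WEB_TO_DB):
            over_permissive.append(i)
        # 2. A rule that can never fire because an earlier rule already
        #    matches everything it would match (first match wins).
        for j, earlier in enumerate(rules[: i - 1], start=1):
            if covers(earlier, rule):
                shadowed.append((i, j))
                break
    return {"over_permissive": over_permissive, "shadowed": shadowed}


if __name__ == "__main__":
    findings = audit(SAMPLE_RULES)
    print("over-permissive web->db rules:", findings["over_permissive"])
    print("shadowed (dead) rules:", findings["shadowed"])
```

On the constructed rule base the audit flags rule 3 (the any/any allow between the tiers) and rule 4 (an SSH allow from all of 10.0.0.0/8, which silently includes the web subnet), and reports rule 5 as dead because rule 3 already allows the SSH traffic it was meant to deny. That last finding is the kind of thing a manual review of a large rule base routinely misses.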
Locking down system configurations is an important part of security. In the past, we have relied on patch management systems and antivirus products to keep us safe. These products have not evolved fast enough and are horribly inadequate against even the most basic viruses, spyware, adware and other malware, and they are less effective still against advanced persistent threats (APT) or the dreaded hacktivist. New technologies such as cloud-based software reputation services (which look up whether a given executable is known good or known bad) and application whitelisting (which allows only approved executables to run) are proving significantly more effective and are likely to replace traditional antivirus products. (Again, stay tuned to later blog entries for more information on anti-malware.)
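The nightly comparison against clean images described in step 2 and the application whitelisting mentioned here rest on the same mechanism: a hash manifest of what a system is supposed to contain. The following is an added example of my own (not the tooling the client in step 2 used, and not a product): it builds a SHA-256 manifest of a directory tree as the “clean image”, compares a later snapshot against it to list what was added, removed or changed, and separately flags executables whose hash is not on the approved list. The directory contents, the file names and the rule that a file counts as an executable by its suffix are all constructed for the demonstration.

```python
"""Baseline-and-compare integrity check with an executable allowlist.

Added example; not code from the original post or from any product.
Everything below is built in a temporary directory with constructed files.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed convention: what counts as executable content for the
# allowlist check. A real deployment would also look at PE/ELF headers
# or the execute bit rather than trusting the file name.
EXEC_SUFFIXES = {".exe", ".dll", ".sh", ".bin"}


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256: the 'clean image'."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline, current):
    """The nightly comparison: what was added, removed or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def unapproved_executables(manifest, allowlist):
    """Application whitelisting in miniature: executables whose hash is not approved."""
    return sorted(path for path, digest in manifest.items()
                  if Path(path).suffix in EXEC_SUFFIXES and digest not in allowlist)


def demo():
    """Build a baseline, simulate drift, and return the findings (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent.exe").write_bytes(b"MZ approved agent build 1.0")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.txt").write_text("10.0.0.1 gw\n")
        baseline = build_manifest(root)
        # Every executable in the clean image is approved by definition.
        allowlist = {d for p, d in baseline.items() if Path(p).suffix in EXEC_SUFFIXES}

        # Simulated drift: a config edited, a file removed, an unknown binary dropped.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "hosts.txt").unlink()
        (root / "bin" / "svchost.exe").write_bytes(b"MZ definitely not the real one")
        current = build_manifest(root)

        report = compare(baseline, current)
        report["unapproved_executables"] = unapproved_executables(current, allowlist)
        return report


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

Two practical notes. The baseline and the comparison must live off the host being checked (a separate management system, as in the step 2 story of comparing images from the outside); a manifest stored on the compromised machine can be edited by the same malware that changed the files. And when the comparison finds variance, copy the differing files before reimaging so the forensic evidence survives the rebuild.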
Network monitoring is not an easy task. For mid-sized companies, the process can seem overwhelming. Auditors might require it, and yet maintaining the expertise is difficult. However, this is often the most revealing part of the security process. By monitoring the network at the perimeter and internally, you not only identify what attacks are coming at you from the outside, but you also see what your users are doing to compromise security internally. Using IPS and internal network intelligence tools, I have discovered dozens, wait, hundreds if not thousands of systems that were infected with insidious malware. I’ve found multiple laptops that were completely compromised while on the home network and then carried into the corporate environment, where they started replicating their maliciousness. I’ve discovered users unknowingly downloading malicious code, and I’ve discovered devices inappropriately placed on the internal network.
One major key to internal monitoring is proper deployment. A good deployment requires the use of TAPs, also known as Traffic Access Points. TAPs serve a number of purposes. They copy traffic from a network link to a network monitoring tool. They replicate data from a SPAN port to multiple network tools. They aggregate the traffic from multiple links into a single tool. They eliminate a single point of failure, or reduce downtime, by providing an alternate traffic path for inline devices like IPS systems. They convert from 10G to 1G, or from 1G to multiple 100Mb links. They can be used to filter traffic, and the list goes on and on. The point here is that with a little engineering work and the right taps, you can maximize the monitoring capability of your network tools and save a ton of money.
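The traffic that only an internal tap can show you is desktop-to-desktop traffic, and a laptop that came in already infected and “started replicating” looks very specific on that traffic: one workstation opening SMB, RPC or RDP connections to many other workstations in quick succession. The following is an added example of my own (not from the original post or any product) that runs that check over flow records such as a tap-fed collector might produce. The subnets, the port list, the fan-out threshold and the flow records themselves are constructed.

```python
"""Spot desktop-to-desktop traffic and worm-like fan-out in internal flow records.

Added example (not from the original post). Subnets, ports, threshold and
the flow records are constructed; the record format is
'<timestamp> <src_ip> <dst_ip> <dst_port>', one flow per line.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DESKTOPS = ip_network("10.10.0.0/16")   # constructed: user workstation range
SERVERS = ip_network("10.20.0.0/16")    # constructed: internal server range
# Services a desktop legitimately uses on servers but has little reason to
# use on another desktop: SMB, NetBIOS session, RPC endpoint mapper, RDP, SSH.
LATERAL_PORTS = {445, 139, 135, 3389, 22}
# Distinct peer desktops on those ports before we call a host a spreader.
FANOUT_THRESHOLD = 5

# Constructed flows: normal desktop->server traffic, one DNS lookup, one
# infected laptop (10.10.7.80) sweeping its neighbours over SMB, and a single
# desktop-to-desktop RDP session that is worth a look but is not a sweep.
SAMPLE_FLOWS = """\
2011-07-01T09:00:01 10.10.4.21 10.20.1.5 445
2011-07-01T09:00:03 10.10.4.21 10.20.1.9 443
2011-07-01T09:00:05 10.10.4.21 8.8.8.8 53
2011-07-01T09:01:10 10.10.7.80 10.10.4.2 445
2011-07-01T09:01:11 10.10.7.80 10.10.4.3 445
2011-07-01T09:01:11 10.10.7.80 10.10.4.4 445
2011-07-01T09:01:12 10.10.7.80 10.10.4.5 445
2011-07-01T09:01:12 10.10.7.80 10.10.4.6 445
2011-07-01T09:01:13 10.10.7.80 10.10.4.7 445
2011-07-01T09:02:00 10.10.5.5 10.10.5.6 3389
2011-07-01T09:02:30 10.10.9.9 10.20.1.5 445
"""


def parse_flow(line):
    ts, src, dst, port = line.split()
    return ts, ip_address(src), ip_address(dst), int(port)


def analyze(flows_text, threshold=FANOUT_THRESHOLD):
    """Return every desktop-to-desktop lateral flow and the sources that fan out."""
    desktop_to_desktop = []
    peers = defaultdict(set)
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        # Both ends are inside the desktop range: a perimeter sensor never
        # sees this, only a tap on the internal links does.
        if src in DESKTOPS and dst in DESKTOPS and port in LATERAL_PORTS:
            desktop_to_desktop.append((ts, str(src), str(dst), port))
            peers[str(src)].add(str(dst))
    # The sample is short, so fan-out is counted over the whole file; on live
    # data count distinct peers per source within a sliding time window.
    spreaders = {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}
    return {"desktop_to_desktop": desktop_to_desktop, "suspected_spreaders": spreaders}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for flow in result["desktop_to_desktop"]:
        print("desktop-to-desktop:", *flow)
    for src, dsts in result["suspected_spreaders"].items():
        print(f"suspected spreader {src}: {len(dsts)} peers on lateral ports")
```

On the constructed data the sweep from 10.10.7.80 is reported as a suspected spreader, while the single RDP session between 10.10.5.5 and 10.10.5.6 is listed only as desktop-to-desktop traffic for a human to judge. Tune the port list and threshold to your environment: a help-desk workstation that legitimately RDPs to many desktops will trip this rule unless it is excluded.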
Finally, nothing will provide a better return on investment when it comes to security than training your users. Teaching your users to look for security issues, to recognize poor security practices and to practice good security is essential for any organization to maintain high levels of security.
A final recommendation…don’t wait for government to mandate the measures you take, because by the time they send down a new requirement, the hacktivists have already figured out how to get around it.
NOTE TO THE READER:
Thomason Technologies, LLC is an authorized reseller of Network Critical products.