Is your intellectual property secure? Whitelisting can help secure against advanced persistent threats
23 July, 2012 21:29
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
The country's most sensitive information is not always secure, despite what most citizens believe.
Nation states like China, Lithuania and Russia are deploying targeted, customized attacks controlled by humans in order to gain access to the intellectual property (IP) of government agencies, pharmaceutical companies, security organizations and other high-profile institutions. These advanced persistent threats (APT) are placing massive bodies of knowledge at risk.
Imagine what could happen if a hostile nation breached the Department of Defense and was able to access classified information on plans for smart bombs or biological warfare. Or picture a cybercriminal locking in on a pharmaceutical research lab, closing in on the cure for AIDS, hacking the system and selling the illegally obtained formula to the highest bidder. It's not unheard of. In fact, intellectual property is fast becoming one of the most profitable products on the black market.
In a recently released report, the National Aeronautics and Space Administration (NASA) disclosed it received 47 APT attempts, 13 of which successfully infiltrated agency computers in 2011. Breaches in NASA's IT networks can negatively affect national security or lead to significant financial loss. In addition, this type of threat leaves NASA's proprietary information and even blueprints for some of the nation's most competitive technological innovations vulnerable. [Also see: "2011's biggest security snafus: Was this the year of the advanced persistent threat?"]
In fact, one of the 13 attacks reported in 2011 targeted the Deep Space Network at the Jet Propulsion Laboratory (JPL) and was linked to Chinese IP addresses. According to NASA, with full-system access to key JPL networks undetected intruders could:
· Modify, copy, or delete sensitive files.
· Add, modify, or delete user accounts for mission-critical JPL systems.
· Upload hacking tools to steal user credentials, further compromising other NASA systems.
· Conceal their actions by modifying system logs.
The JPL breach is still under investigation by the Office of the Inspector General.
NASA is just one of the thousands of organizations considered "target-rich," meaning their IP and other sensitive data are ripe for cyberattacks and, more specifically, for APT. In 2011, Lockheed Martin, the country's largest defense contractor, was the target of a massive APT when its VPN access system was breached. Fortunately for Lockheed Martin, the threat was detected almost immediately, averting potential disaster.
Since these attacks are customized and targeted, many go undetected by traditional security measures, which are only able to blacklist known malware. And the persistent nature of the attack allows the hacker to modify code and strings until finding a variant that can stealthily permeate the enterprise's security system. In fact, the share of APTs detected by antivirus perimeter defenses can be as low as 25%, meaning the majority are free to continue with malicious activities.
Threats to IP security are at critical levels. Why? It's easier to steal someone else's intellectual property than it is to devise a proprietary knowledge base. Enterprises must institute policies and systems designed for IP protection; otherwise, hackers will undoubtedly find loopholes within current IT security platforms.
Application control and whitelisting endpoint security technology can ensure the integrity of laptops, desktops, servers and even mobile devices so that companies are protected against potential risks and/or major losses of IP. Application control and whitelisting does not merely block known-bad attacks; it allows only known good programs, applications and software to run on protected machines. Companies can devise a list of trusted sources permitted to run on or access their networks and servers. The list of what is permitted to run and/or access data is much smaller than the list of banned programs and applications. Further, the list of programs, software and apps that have been deemed unsafe is an ever-changing entity, and virus protection software requires frequent updates to stay abreast of the latest potential threats.
Additionally, supplementing advanced threat protection technology with current security information and event management (SIEM) platforms can provide real-time threat detection by filling in the blind spots often experienced with event profiling and endpoint executable identification. In conjunction with endpoint data from firewalls and IDS/IPS, threat detection is not only timely but appropriate, eliminating many false positives. In other words, it gives today's security professionals faster, more accurate insight into system usage and activity.
The evolution of trust policies has changed the way known sources are managed. What used to be a cumbersome process based upon a static list of approved programs now works by allowing predetermined sources like Adobe or Microsoft WSUS to update as often as necessary. IT professionals can filter updates and downloads based upon publisher, distribution method or trusted source. When an unknown source attempts to download or access files, it's stopped before it can breach the system's firewall, thus protecting the system, the company's intellectual property and any other sensitive data from potential harm.
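The following Python sketch is an added illustration of the trust-policy model described above, not Bit9's code or product logic: it evaluates execution events against a static hash list, a set of trusted publishers and a set of trusted update channels, denies everything else, and emits one flat record per decision that a SIEM could ingest. All host names, publisher names, updater process names, file paths and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ExecEvent:
    """One attempt to run a file on a protected endpoint (constructed sample data)."""
    path: str
    content: bytes      # file bytes; hashed to identify the program
    publisher: str      # code-signing identity, or "" if unsigned
    installed_by: str   # process that wrote the file to disk

@dataclass
class TrustPolicy:
    approved_hashes: set = field(default_factory=set)     # the classic static allow list
    trusted_publishers: set = field(default_factory=set)  # e.g. a named software vendor
    trusted_updaters: set = field(default_factory=set)    # e.g. the WSUS client

    def decide(self, ev: ExecEvent) -> tuple:
        """Return ("allow" | "deny", reason). Default deny: anything not known good is blocked."""
        digest = hashlib.sha256(ev.content).hexdigest()
        if digest in self.approved_hashes:
            return "allow", "hash on approved list"
        if ev.publisher and ev.publisher in self.trusted_publishers:
            self.approved_hashes.add(digest)   # trust flows from the publisher to this file
            return "allow", f"signed by trusted publisher {ev.publisher}"
        if ev.installed_by in self.trusted_updaters:
            self.approved_hashes.add(digest)   # trust flows from the update channel
            return "allow", f"delivered by trusted updater {ev.installed_by}"
        return "deny", f"unknown source: publisher={ev.publisher or 'unsigned'}, installed_by={ev.installed_by}"

def siem_line(host: str, ev: ExecEvent, verdict: str, reason: str) -> str:
    """Flat key=value record so blocked and newly learned executions are visible in a SIEM."""
    sha = hashlib.sha256(ev.content).hexdigest()
    return f'host={host} action={verdict} path="{ev.path}" sha256={sha} reason="{reason}"'

def run_sample() -> list:
    """Evaluate constructed events against a constructed policy; returns one SIEM line per event."""
    policy = TrustPolicy(
        approved_hashes={hashlib.sha256(b"erp-client build 4.2").hexdigest()},
        trusted_publishers={"Example Vendor Inc."},   # hypothetical signer name
        trusted_updaters={"wsus-agent"},              # hypothetical updater process name
    )
    events = [
        ExecEvent(r"C:\Apps\erp.exe", b"erp-client build 4.2", "", "installer"),
        ExecEvent(r"C:\Apps\reader.exe", b"reader 11.0", "Example Vendor Inc.", "vendor-updater"),
        ExecEvent(r"C:\Windows\patch.exe", b"kb-rollup", "", "wsus-agent"),
        ExecEvent(r"C:\Users\a\Temp\update.exe", b"dropper", "", "browser"),
        ExecEvent(r"D:\usb\reader.exe", b"reader 11.0", "", "usb-copy"),  # same bytes, now learned
    ]
    return [siem_line("ws-17", ev, *policy.decide(ev)) for ev in events]
```

The fourth event (an unsigned file written by a browser) is the only one denied, and the fifth shows the static list growing as publisher-signed files are learned, which is the shift from a fixed list to source-based trust the paragraph describes.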
Mobile device proliferation and BYOD policies
With the continuing rise of mobile, many companies are seeing their employees use mobile devices for work-related purposes, a trend which gives rise to the adoption of "bring your own device" (BYOD) policies. iPads and tablet computers are quickly replacing print collateral, and sensitive emails and documents are often sent via smartphones. In fact, one report estimates that as many as 78% of business people use their mobile devices to check email. Furthermore, nearly 40% of respondents to a recent survey believe that employees will access their company's LANs with mobile devices, regardless of the company's BYOD policies. In addition, nearly 30% believe the introduction of the iPad 3 will significantly increase network traffic. But with the proliferation of mobile devices come real threats to IP security. In fact, the surge in mobile business applications has been recognized by many IT professionals as one of the greatest risks in network security.
Though the use of personal mobile devices in business enterprises provides business-on-demand, it also creates a greater opportunity for the infiltration of malware, which can be spread from the unsecured device. Many professionals unknowingly download infected apps which, once synced to an enterprise network, can transfer malicious files that have the potential to gain access to IP.
Additionally, some employers are transitioning to virtual office spaces, allowing employees to work in part from home. Many mobile and virtual workers transfer data from workstation to workstation using portable flash drives, compromising the integrity of every machine and network used throughout the course of a project.
Although there is not yet a whitelisting application specifically designed for mobile devices, a company's network will remain secure when the malware transferred from the mobile device attempts to infiltrate a whitelist-protected system.
In the face of smarter criminals, IP protection is not only necessary; it's critical. Sensitive information and data are targeted through APTs and unfortunately, many organizations are left believing their data is secure until it's too late. Whitelisting is one of the most effective ways to maximize IP protection.
Bit9 is a leading provider of Advanced Threat Protection and Endpoint Security and protects the world's intellectual property (IP) by providing innovative, trust-based security solutions to detect and prevent sophisticated malware and cyber threats.