Assume users will do the wrong thing when it comes to security, expert advises
- — 16 August, 2013 15:52
Security-conscious organisations should assume their users are likely to make mistakes that compromise institutional security – even if they’ve been trained not to – a Palo Alto Networks security executive has warned.
Noting that advanced persistent threats (APTs) had been continually tweaked and refined for insidious behaviour over the years, Kelly Brazil, the security vendor’s APAC director of systems engineering, warned that their ability to play on human nature made them all but impossible to avoid.
“The problem has been around for a while and it’s not really something we can train people out of,” he told attendees at a breakfast seminar in Melbourne this week.
“They’ll have their devices out at a bar, get something new on their phones, and they click on it. You’re not going to be able to train your way out of these types of situations, and you’ve got to assume that people are going to click on these things.”
In the context of that dynamic, he said, companies aiming to protect their networks from APTs should take alternative approaches to ensuring information security that focus on malware behaviour rather than signature matching or even staff-based heuristics.
This includes the increasingly common approach of monitoring traffic coming out of the network, looking for traffic running over nonstandard ports: “these protocols have been around since the dawn of the Internet and they have not really been well protected using the methods today,” Brazil said.
Another telltale sign of malware activity is the repeated transmission of data to unusual host addresses – which may indicate malware sending information back to a command-and-control node.
Such border protection has become necessary because much of the malware currently doing the rounds immediately goes dormant for several days after infecting a system – rendering it invisible to conventional signature-based scanning techniques.
“You have to control the cyberthreat lifecycle, and it’s far beyond the payload,” Brazil said. “There’s a lot more going on with these attacks than just malware, which is what some people talk about when they talk about APTs.”
“There are a lot of parts of the attack that can be customised and manipulated in the payloads,” he continued. “It’s just so easy to get around existing URL filtering, firewalls, and intrusion prevention systems: services like Tor and Hamachi not only route you through existing security but anonymise you too. We need security that understands these at a basic level, and knows how to deal with them.”
Palo Alto Networks recently gave its flagship WildFire scanning platform the ability to scan APK files, which contain applications for Android-based smartphones and tablets. Android, which has emerged as a massively popular target for malware authors – in Russia and elsewhere – has gained a reputation as being a particularly vulnerable platform for attacks through mobile ad networks.
Although many operating systems and security tools incorporate features that can protect against some common APT behaviours, Brazil warned that they often slow down or inconvenience users – and are therefore often left disabled despite the instructions of corporate security managers.
Such human tendencies run contrary to the tenets of good security protection but they’re hard to avoid, Brazil said, arguing that closing this gap requires a technological defence that can function despite the apathy of users. It also helps to use ‘next-generation’ security tools that speak the language of today’s Internet – allowing tight control over, for example, Facebook access.
“You have to understand ‘known’ and ‘unknown’ threats to be effective anymore. Just handling known threats isn’t going to get you where you want to be. But with the new way of looking at security, all of a sudden these common-sense things you want to do, become very easy.”