Within the past year, we've witnessed a number of highly publicised attacks that have forever changed our notion of just how lethal malware can be. Sure, we have always known that viruses and worms can be dangerous, but we've now witnessed just how effective malware and orchestrated attacks can be at targeting high-profile organisations. First, we have the Operation Aurora attacks that started with Google and also targeted companies such as Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical.
Second, if Operation Aurora wasn't troublesome enough, we shortly thereafter learned about Stuxnet, which targeted industrial control systems and showed us that it's possible for science fiction plots to jump from the printed page to reality. Stuxnet was specifically crafted to spread until it found its target, and then to tamper with that target by altering the instruction sets sent to a physical device. It truly is an incredible piece of work. Stuxnet spreads geographically and decides what actions to take depending on the environment it encounters. We haven't seen anything like it before.
These events shouldn't come as a surprise. The effectiveness and complexity of malware have been on the rise for years. It used to be that most viruses and worms relied on one or two vulnerabilities to propagate. All of that started to change when we saw blended threats, when malware started to use many different attack vectors to spread – software vulnerabilities, e-mail, file shares, instant messaging, and so on. In addition, for years, security professionals have warned that attackers and malware were getting stealthier in their approach. Many didn't heed these warnings – that is, until recently.
One of IDC’s top 10 predictions for 2012 is that the mobile enterprise will create the hottest security threats in 2012. IDC expects the number of devices and the nature of their usage will come under scrutiny as data loss and leakage incidents rise rapidly and IT departments struggle to manage risks. The analyst firm predicts that mobile security will be prevalent in 2012, particularly pushing out antimalware to mobile devices to prevent different types of malicious attacks.
Now, such malware shows that even the most cash-rich and security-savvy companies can be targeted successfully, as can any network, no matter where it resides. Consider Stuxnet again. It proved, for example, that physically or virtually segmenting a network from the Internet doesn't by itself make it safe. Attackers can target specialised manufacturing, transportation or other non-Internet-connected networks. All it takes is for a user to click on the wrong link, or insert an infected USB drive or other device, and the attackers will reach their target. Ironically, these "disconnected" or segmented networks often are left with the weakest of defenses, if they are defended at all. That's because organisations assume they are secure by virtue of being separated from the Internet. This false sense of security leads to systems that are improperly hardened and patched, and keeps organisations from taking the steps necessary to otherwise secure these networks.
It's not as if such disconnected and segmented networks are rare. We see them in almost every critical infrastructure industry: financial, pharmaceutical, manufacturing, utility, and many others. And if it is possible for attackers to reach network segments disconnected from the Internet, how challenging do you think it is for them to target standard web servers, end points, and traditional corporate networks? In too many instances, the task is all too trivial.
That’s not to say that nothing can be done. There certainly are many things that can be done to help bolster the security of your infrastructure. Here are six areas we believe are ideal places to focus:
Awareness. Your people are your front line. They need to be trained to be aware. We mention security awareness first because there is very little that can be done to protect critical systems and data if users are regularly downloading software they shouldn't, surfing to web pages they shouldn't, and opening links and attachments that they shouldn't. An end user mistake involving any one of those could blow a hole in the hull of the best-built information security ship. That's why a security-aware organisation is a much more secure organisation.
Capture data that details security events on your network. You may already be doing this. Even if you are not centrally managing security event data, you probably have more security data than you realise scattered throughout firewall, application, router, and other log sources. Most enterprises have an enormous amount of data that is useful for determining what is going on within their networks. The trouble is that they don't know how to aggregate that data and put it to actionable use. This brings us to our next point.
Leverage the security data collected. Consider the 2010 Data Breach Investigations Report from Verizon Business, which found that while 86 percent of data breach victims had evidence of the breach in their audit logs, 61 percent of those victims didn’t uncover the breach themselves – they were notified by a third party. How embarrassing. Fortunately, it’s a security risk that can be mitigated. And when it comes to compliance, many organisations don't fare much better. According to the 2009 Deloitte Annual Global Security Survey, excessive access rights are the most common external and internal audit finding. This is why you need to put into place the processes and possibly the technology necessary to cultivate your security logs and pinpoint the information needed to keep the infrastructure secure.
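The two points above (collect the scattered log sources, then actually use them) come down to normalising events from different formats into one shape and correlating them. The following is an added example, not code from the article or from NetIQ: it parses constructed sample lines from a firewall, a web application and a Unix-style auth log (the formats are assumed, simplified stand-ins), and flags any source address whose run of failures is followed by a success, which is exactly the kind of evidence the Verizon report says sits unread in audit logs.

```python
"""Aggregate security events from several log sources and correlate them.

Added example, not part of the original article. The log lines below are
constructed sample data; the line formats are assumed stand-ins for a
firewall, a web application and a Unix-style auth log.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample log lines (three sources, three different formats).
FIREWALL_LOG = """\
2010-11-02T08:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2010-11-02T08:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2010-11-02T08:00:03 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=22
"""
APP_LOG = """\
2010-11-02T08:00:10 WARN login_failed user=admin ip=203.0.113.7
2010-11-02T08:00:11 WARN login_failed user=admin ip=203.0.113.7
2010-11-02T08:00:12 WARN login_failed user=admin ip=203.0.113.7
2010-11-02T08:00:14 INFO login_ok user=admin ip=203.0.113.7
2010-11-02T09:15:00 INFO login_ok user=alice ip=198.51.100.5
"""
AUTH_LOG = """\
2010-11-02T08:05:00 sshd: Failed password for root from 203.0.113.7
2010-11-02T08:05:02 sshd: Accepted password for root from 203.0.113.7
"""

# One normalised shape for every source: when, where from, who, and outcome
# ("fail" covers firewall DENY and failed logins; "success" covers ALLOW and
# successful logins).
Event = namedtuple("Event", "ts source src user outcome")

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=\d+$")
APP_RE = re.compile(r"^(?P<ts>\S+) \w+ (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<src>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_firewall(text):
    """Firewall DENY/ALLOW lines (assumed format) -> normalised events."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            out.append(Event(_ts(m["ts"]), "firewall", m["src"], None,
                             "fail" if m["action"] == "DENY" else "success"))
    return out


def parse_app(text):
    """Web application login lines (assumed format) -> normalised events."""
    out = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            out.append(Event(_ts(m["ts"]), "app", m["src"], m["user"],
                             "fail" if m["event"] == "login_failed" else "success"))
    return out


def parse_auth(text):
    """sshd auth-log lines (assumed format) -> normalised events."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append(Event(_ts(m["ts"]), "auth", m["src"], m["user"],
                             "fail" if m["result"] == "Failed" else "success"))
    return out


def normalise(firewall_text, app_text, auth_text):
    """Merge all sources into one time-ordered stream of Event records."""
    events = parse_firewall(firewall_text) + parse_app(app_text) + parse_auth(auth_text)
    return sorted(events, key=lambda e: e.ts)


def correlate(events, fail_threshold=3):
    """Report each source address whose failures (across every log source)
    reach fail_threshold and are then followed by a success from that address."""
    by_src = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = 0
        for e in evs:
            if e.outcome == "fail":
                fails += 1
            elif fails >= fail_threshold:
                findings.append({
                    "src": src,
                    "fails_before_success": fails,
                    "first_success": e.ts.isoformat(),
                    "success_source": e.source,
                    "sources_seen": sorted({x.source for x in evs}),
                })
                break                     # one finding per address is enough
    return findings


if __name__ == "__main__":
    for finding in correlate(normalise(FIREWALL_LOG, APP_LOG, AUTH_LOG)):
        print(finding)
```

The point of the example is the ordering of work: first normalise, then correlate. None of the three sources on its own shows anything alarming (two firewall denies, three failed web logins, one failed SSH login), but once the events share a shape and are grouped by source address, the run of failures followed by a success from 203.0.113.7 stands out, while the ordinary login from 198.51.100.5 produces no finding. The threshold is a parameter because the right value depends on the environment's normal failure rate.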
Threat model. This is a practice in which too few organisations currently engage. Determine where valuable data resides and where it travels. Are employees, such as developers, taking data home? If any web servers are hacked, how tough would it be for an attacker to work their way to back-end databases? Do you know what types of attackers would be interested in infiltrating your systems? What data would they seek? How can you limit access to this data to only those who need it for their work? Knowing the answers to all of these questions, and acting to reduce risk, simplifies your security team's ability to protect your organisation, and may even reduce the cost of doing so.
Vulnerability management. One of the most cost-effective approaches organisations can take to improving security is to employ a vulnerability management program. Consider using a network vulnerability assessment tool to scan network segments to identify all of your systems and their associated patch levels, and make sure that software patch levels are up to date. This practice should be repeated at reasonable periods, such as weekly, monthly, or at the very least quarterly intervals.
Enforce security policies. Your security policies, such as disabling orphaned ID accounts, running vulnerability assessment scans, maintaining adequate application and security logs, and requiring password changes, among many others, are all bordering on worthless if they are not enforced. Employees need to know the organisation takes these policies seriously. Also, wherever possible, use automation to help you enforce your security and regulatory compliance policies. Your security team can be a big help here.
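As an added illustration of the automation this point recommends (example code, not the article's or NetIQ's), the script below runs three of the policies mentioned on this page against a constructed directory export: accounts with no owner in the HR roster are orphaned and should be disabled, passwords older than the policy maximum are stale, and rights beyond what an account's role allows are the excessive access rights that the Deloitte survey cites as the most common audit finding. The account records, roster, role definitions and policy limits are all constructed sample data.

```python
"""Automated check of three account-hygiene policies.

Added example, not part of the original article. Every input below is
constructed sample data; a real run would read a directory export and an
HR roster instead.
"""
from collections import Counter
from datetime import date

AS_OF = date(2010, 11, 2)  # constructed "today" for the check

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"id": "alice", "role": "developer", "password_set": date(2010, 10, 1),
     "rights": {"vcs_commit", "build_server"}},
    {"id": "bob", "role": "dba", "password_set": date(2010, 5, 20),
     "rights": {"db_admin"}},
    {"id": "carol", "role": "developer", "password_set": date(2010, 9, 15),
     "rights": {"vcs_commit", "db_admin"}},
    {"id": "svc_legacy", "role": "service", "password_set": date(2009, 1, 10),
     "rights": {"db_admin", "build_server"}},
]
# Constructed HR roster of current staff; svc_legacy has no owner listed.
HR_ROSTER = {"alice", "bob", "carol"}
# Constructed role model: the rights each role is entitled to.
ROLE_RIGHTS = {
    "developer": {"vcs_commit", "build_server"},
    "dba": {"db_admin"},
    "service": set(),
}
POLICY = {"max_password_age_days": 90}


def check_accounts(accounts, roster, role_rights, policy, as_of):
    """Return (account id, policy, detail) for every violation found."""
    violations = []
    for a in accounts:
        # Orphaned account: nobody in the roster owns it, so it should be disabled.
        if a["id"] not in roster:
            violations.append((a["id"], "orphaned",
                               "no owner in HR roster; disable the account"))
        # Password change policy: age measured against the policy maximum.
        age = (as_of - a["password_set"]).days
        if age > policy["max_password_age_days"]:
            violations.append((a["id"], "stale_password",
                               f"password is {age} days old"))
        # Excessive access rights: anything beyond what the role entitles.
        excess = a["rights"] - role_rights.get(a["role"], set())
        if excess:
            violations.append((a["id"], "excessive_rights",
                               "rights beyond role: " + ", ".join(sorted(excess))))
    return violations


def summarise(violations):
    """Count violations per policy, the figure a compliance report would show."""
    return dict(Counter(kind for _, kind, _ in violations))


def accounts_to_disable(violations):
    """Orphaned accounts are the ones the policy says to disable outright."""
    return sorted({acct for acct, kind, _ in violations if kind == "orphaned"})


if __name__ == "__main__":
    found = check_accounts(ACCOUNTS, HR_ROSTER, ROLE_RIGHTS, POLICY, AS_OF)
    for acct, kind, detail in found:
        print(f"{acct:12} {kind:18} {detail}")
    print(summarise(found))
```

Two design choices matter here. The check is driven by explicit data (roster, role model, policy limits) rather than by rules buried in code, so the security team can change the policy without changing the script, and it is deterministic for a given as-of date, so it can be scheduled and its output compared from run to run. In the sample data, the unowned service account trips all three checks at once, which is the typical profile of an account that nobody has reviewed in years.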
While you read about how security threats have grown more menacing, it's also important to remember that security defenses have grown more powerful too. The critical thing is to take the necessary steps to protect your infrastructure and your data, which is where most businesses fall short. It's a mistake that is growing increasingly costly to make.
Patrick Eijkenboom is the chief security consultant with NetIQ Australia.