Network security was a big issue a decade ago. Now, ten years of technology later, it continues to be a top priority, and it appears that it will be so ten years from now as well. That’s because as IT security firms learn more about the tactics of hackers, crackers and malicious code writers, the latter group just continues to devise more clever schemes. It’s a cat-and-mouse game of sorts in which both creatures keep growing smarter — but the mouse ultimately stays a step ahead, with the cat feverishly chasing after it.
Security solutions firm StillSecure recently introduced Strata Guard, a security platform with six distinct attack-detection technologies that combine both signature-based and behavior-based attack detection. The technology is designed to protect against intrusions and malware. StillSecure CTO Mitchell Ashley learned a great deal about the vulnerable points in the corporate network during the company’s research and development cycle for this and other recently released products.
TechNewsWorld caught up with Ashley to discuss security trends he is seeing, why some points of the network are especially vulnerable, and how companies can protect their networks from the enemy.
TechNewsWorld: What do you see as the most vulnerable points in corporate networks these days?
Mitchell Ashley: Clearly, endpoint devices (laptops and desktop computers) are where the most egregious worms and Trojans are directed today.
Of course, there are many, many attacks that are directed at the network perimeter, and a significant number exploit commonly open ports on firewalls such as port 80 Web traffic, port 25 SMTP e-mail traffic, and numerous peer-to-peer and messaging applications that are allowed through the firewall. Even many of these types of attacks attempt to take advantage of the lack of security knowledge and security best practices of end users.
TechNewsWorld: Why are these endpoint devices so vulnerable?
Ashley: Believe it or not, we still live in a world where end users are largely responsible for securing their own devices, or at least they have the ability to change security settings and install potentially exploitable applications.
Announcements of new Web browser vulnerabilities, regardless of which Web browser you use, have seemingly become a daily occurrence. Many more of the end user devices connecting to the network are those configured and managed by visitors, contractors or employees. It is hard to protect the network when just about any device can connect through LAN, WiFi or remote VPN/dial up access. This is a significant challenge for every network security organization.
TechNewsWorld: What are the most common attacks you are seeing today?
Ashley: During the last month, some of the most common attacks we’ve observed are Windows pop-up spam, attacks on anti-virus products, password stealers, variants of the Sober virus, the Netsky virus and more targeted attacks.
TechNewsWorld: What are the most harmful attacks out there?
Ashley: By far the most harmful attacks are the “targeted attacks” aimed at end users and companies. This is a new trend that is becoming more prevalent because technologies that block malicious traffic continue to become more advanced.
Historically, hackers have sent malicious code into the wild with hopes of reeling in random victims. Although this method is still used and devices continue to become compromised, they are not surreptitiously targeted to one organization and/or end user.
From what we see, targeted attacks are primarily being used for financial gain or theft of personal information. There have also been suspected instances where hackers are hired by companies to target competitors for theft of private, confidential information. This can be far more damaging to an organization than being hit with a virus or worm by happenstance that has less probability of causing real harm.
TechNewsWorld: With so many threats out there today, how can a company best assess its security risks? Where does a company begin?
Ashley: You have to begin by taking security seriously. If it’s just a checklist item to make internal management and auditors happy, then the results of any security efforts are minimized. Oftentimes security is seen as a technology problem: let’s go get a new tool. The most effective approach is to have a security strategy, sometimes called a security architecture or plan. Most industry experts recommend that every organization take a layered security approach.
TechNewsWorld: I hear a lot of talk from analysts these days about layered security. Please give our readers an example of layered security in its practical use and explain why it’s such an effective strategy.
Ashley: Think about the layers of safety systems in your automobile: bumpers, crumple zones, motion impact sensors, anti-lock brakes, tinted safety glass, front and side air bags, head restraints and safety belts. All are designed to act as layers or buffers to help prevent incidents and protect passengers. Layered security is about the same principle: using multiple security mechanisms to prevent and respond to security threats.
Any layered security architecture should embody defensive, preventative and compliance strategies. Intrusion prevention systems, such as StillSecure’s Strata Guard, are a good example of implementing a defensive strategy: blocking unwanted or malicious network traffic.
Vulnerability management and network access control are good examples of preventative and compliance strategies: ensuring elements of the network can’t be compromised by knowing the security posture of devices and providing a means to make sure these devices are remediated or quarantined. Together, all three of these examples are big steps towards achieving the benefits of the layered security approach.
TechNewsWorld: You mentioned vulnerability management. It seems no organization is bulletproof. How do you manage vulnerabilities most effectively?
Ashley: Vulnerability management is a very important element of any layered security strategy. Many organizations have periodically scanned their IT environment for vulnerabilities, but far fewer have come up with a reliable method to manage how the highest-risk items get prioritized and to make sure follow-through happens so the security problem gets resolved.
Enter vulnerability management. Rather than a tool or technology, vulnerability management is a process for systematic detection of security vulnerabilities on devices. Then the workflow, manual and automated remediation, verification and reporting functions make sure the right issues are followed up on and by the right people.
The important thing is that this be viewed as a lifecycle, with a full audit trail of vulnerabilities, actions taken, and data management capabilities to show the value of all the hard work put into managing vulnerabilities.
TechNewsWorld: I understand you’ve seen a move from perimeter attacks to endpoint attacks. Why are we seeing this?
Ashley: Network attackers are like water: they flow to the point of least resistance. While everyone has been focused on the external entry points into the network, where firewalls are traditionally placed, we have long ignored end user computing devices.
While a very necessary security element, anti-virus solutions have acted like a placebo, lulling everyone into a false sense of security that endpoint devices would not attack our own networks. The Blaster worm changed all of that and ushered in a new era of worms and Trojans designed specifically to exploit the countless corporate and home computers that can be used to attack the network from inside the firewall.
TechNewsWorld: What are some new techniques hackers are using to compromise endpoints, and how can companies protect themselves?
Ashley: Attackers pull new tricks out of their hats every day; for example, disabling security products. In this technique, hackers hinder the anti-virus and firewall, which in turn disables the ability to prevent attacks and receive patches, and leaves networks highly vulnerable.
While this strategy is not entirely new, it’s becoming better by the day. These improvements are why security vendors, like StillSecure, must be vigilant to stay on top of these new methods and continue to be innovative to stop the attacks before they happen.
TechNewsWorld: Why is it so important to enforce policy compliance on endpoint devices?
Ashley: We’ve traditionally “trusted” endpoint devices because they were configured and managed by the organization’s IT staff. Of course now everyone recognizes that this kind of thinking is highly flawed. So many worms and Trojans have demonstrated how fallible our existing network security is; once inside the firewall any compromised endpoint device can do very serious damage.
Endpoint policy compliance recognizes that the devices connecting to the network aren’t just the corporately managed devices. Any device connecting must have its security posture assessed before determining whether it should be allowed on the network.
As I mentioned earlier, many of these endpoint devices are unmanaged, brought in by visitors, contractors and employees at work or VPN’ing from their home PC. IT must be able to assess any device connecting to the network regardless of whether it plugs into the LAN, WiFi, VPN or dial up. The general term for this is network access control.
TechNewsWorld: How does organizational structure influence network security, and how can companies shore up this area?
Ashley: StillSecure completed a survey earlier this year that showed the structure of security in IT organizations is in a transition phase. Responses ranged from organizations that had a central security team of security experts, to organizations where system and network administrators perform security duties as a part of their daily job, to situations where security didn’t report directly into IT.
Generally, organizations with a dedicated security person or team had a higher level of buy-in within the organization. This can greatly affect the aggressiveness of the security approach taken, and the kind of funds allocated to security projects.
TechNewsWorld: Looking ahead, what do you see as the next level of threats and/or vulnerabilities?
Ashley: The methods used to compromise devices are becoming much more sophisticated. They also are much smarter about how readily available security products work and how to evade them.
The latest generation of rootkits are a great example of this. Not only are they good at hiding their presence on a compromised system, they can act intelligently based on what specific anti-virus or personal firewall system is in use, and then use techniques that can evade detection by those specific products. This is evidence again that you can’t rely on a single security tool or product, but rather on layers of them, so if the AV software doesn’t catch it, the firewall or network access control system will.
What’s really needed to respond to the next generation of threats are much more intelligent security systems that don’t operate autonomously but act in concert with each other. Imagine a security architecture where the network access control system could respond to threats recognized by a security monitoring system within the network. That’s very powerful.
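The two ideas Ashley closes with, network access control that assesses a device’s posture before admitting it and security systems that act in concert so that a monitoring alert can change an access decision, can be sketched as a small policy engine. The following is an added example, not StillSecure’s code or any product’s logic; the posture fields, the thresholds and the sample alert are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    """Security posture reported by an endpoint at connect time (constructed fields)."""
    host: str
    ip: str
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool
    missing_critical_patches: int

# Illustrative policy thresholds; assumptions, not any vendor's defaults.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_MISSING_CRITICAL = 0

def assess(p: Posture) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'remediate' or 'quarantine'."""
    reasons = []
    if not p.av_running:
        reasons.append("anti-virus not running")
    if not p.firewall_enabled:
        reasons.append("personal firewall disabled")
    if p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"AV signatures {p.av_signature_age_days} days old")
    if p.missing_critical_patches > MAX_MISSING_CRITICAL:
        reasons.append(f"{p.missing_critical_patches} critical patches missing")
    if not reasons:
        return "allow", reasons
    # Disabled protection looks like the "disabling security products" technique
    # described above, so the device is isolated. Stale signatures or patches on a
    # device whose protection is running go to a remediation network instead.
    if not p.av_running or not p.firewall_enabled:
        return "quarantine", reasons
    return "remediate", reasons

def respond_to_alert(alert: dict, admitted: dict[str, str]) -> dict[str, str]:
    """Layered response: an alert from a network monitor naming an admitted host's
    IP revokes that host's access, even though its posture check passed earlier."""
    ip = alert.get("src_ip")
    if admitted.get(ip) == "allow":
        admitted[ip] = "quarantine"
    return admitted

if __name__ == "__main__":
    # Constructed sample devices and a constructed monitoring alert.
    devices = [Posture("laptop-ok", "10.0.0.5", True, 1, True, 0),
               Posture("contractor-pc", "10.0.0.6", True, 30, True, 2),
               Posture("visitor-pc", "10.0.0.7", False, 1, False, 0)]
    admitted = {d.ip: assess(d)[0] for d in devices}
    admitted = respond_to_alert({"src_ip": "10.0.0.5", "signature": "worm-scan"}, admitted)
    for d in devices:
        print(d.host, admitted[d.ip], assess(d)[1])
```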