Combating today s Security Threats

Transcription

1 Combating today s Security Threats

2 Today s security are more sophisticated and harder to detect than ever before. In order to combat them you must be able to stay a step ahead of the attacker, but in order to do this, you must understand the attack itself. This expert E-Guide explores advanced persistent (APTs) and discusses security strategies to help you protect your organization. Threats: APT Strategies By: Warwick Ashford RSA, Google, Iran's nuclear facilities and more recently Sony and possibly even Lockheed Martin have all been hit by security breaches using advanced persistent (APTs). While there is reason to believe that most businesses will be targeted by APTs, simple defence strategies will go a long way to preparing businesses for APTs and reducing the risk, according to IT security professionals. Although some APTs, like Stuxnet, target zero-day vulnerabilities and most are highly targeted, what usually makes these "advanced" is that they combine a raft of infiltration techniques. But taken individually, these techniques are typically well-known and easy to defend against. Doing the basics properly will provide a level of security that will reduce the likelihood of opportunistic hacking or accidental compromise. Ionut Ionescu, head of threat management at Betfair, recommends following good practice techniques such as having a vulnerability management system in place, keeping security patches up to date, and continually testing the security posture of the IT infrastructure. Such best practice techniques should enable businesses to detect a fair number of APTs. Page 2 of 13

3 Knowing what you need to protect is the most important task. Vladimir Jirasek, director of communications at the Cloud Security Alliance UK & Ireland, said: "Without that, the security controls will concentrate on the easy picks, rather than where it actually matters. Good documentation, impact assessments and risk assessments are rather important here." Security experts say any effective approach to defending against APTs must include defence in depth, a detection capability, an APT incident response plan, a recovery plan, and security awareness and training. As part of the re-assessment process, an organisation must ensure it understands why it may be attacked. "Every organisation should draw up a risk register that will allow the allocation of funds and resources to protect the assets that are most valuable to the organisation, which may include business processes as well as information," says Mike Westmacott, security consultant at Information Risk Management. Protect assets against APTs with defence in depth Security experts believe defence in depth can help organisations protect themselves effectively against APTs. Defence in depth covers aspects such as staff and contractor vetting, effective access management, defined compartmentalisation of key information assets and monitoring controls. Gerry O'Neill, vice-president of the Cloud Security Alliance, UK & Ireland, recommends security heads should involve other relevant functions across the organisation, such as physical security, HR, fraud and operational response teams. Gerry O'Neill says defence in depth should also involve sector-led intelligence reports and alerts, where available. However, no single layer of fraud prevention or authentication is enough to stop determined fraudsters. Multiple layers must be employed to defend against today's attacks and those that have yet to appear. Avivah Litan vice-president and distinguished analyst at Gartner, advocates deploying defences at the endpoint, such as secure browsing applications or hardware and transaction signing devices; at the navigation layer, to monitor Page 3 of 13

4 session navigation behaviour and compare it with normal patterns; and at the linking layer, to analyse the relationships between internal and external entities to detect collusive criminal activities or misuse. As APTs may exploit known or unknown vulnerabilities and may propagate using a number of different methods, Ionut Ionescu urges businesses to improve and enhance their ability to correlate various signals that may combine into an APT. "For example, we need to link intelligence reports about a new flaw in a common business application with attempts by unidentified callers to obtain the addresses of key personnel, with a mistake in a firewall, with a device seeing increased traffic, and piece these together to find the next APT that may be targeting the organisation," Ionescu said. As part of their defence-in-depth, Ionescu advises businesses to move from a perimeter-based mentality to one where "every component is taught karate", with security controls asset-specific and live with that asset, rather than relying on another device upstream or downstream to protect that particular asset. Shore up detection capabilities to counter APTs For the Cloud Security Alliance's O'Neill, detection needs to be of a higher order capability than traditional log reviews. For instance, he says it should involve logging and monitoring capabilities to detect out-of-profile activity or anomalous data traffic - such as those used for fraud detection - with followup investigation processes. It is essential to regularly test areas of the organisation identified as having the highest risk ratings. "It is important to know when an attack is underway, and how to gather evidence to be able to understand the purpose and origin of the attack," says Information Risk Management's Mike Westmacott. So network forensics systems and tools should be installed onto a network to continuously monitor and record all network activity. If an attacker has been Page 4 of 13

5 able to compromise a network, and has been cleaning his or her tracks by removing evidence from servers, a standalone network traffic recorder can provide information on how the breach occurred and what information may have been compromised. "By bringing together in-house capabilities with third-party expertise in the form of a network forensics capture and analysis service, an organisation can reach an acceptable level of risk with regards to APTs and blended. Such an approach will also prove invaluable if an attack takes place, as it will help the company to continuously improve its security posture," Westmacott said. How to respond to an APT incident If an organisation has experienced an APT incident, it should define an approach to determine how to close down an attack or eavesdropping activity while preserving forensic evidence. "Senior executives and the corporate communications function should be engaged to ensure that PR messages are crafted and released so as to minimise brand damage," says O'Neill. Post-event analysis is essential to confirm lessons learnt from the events, including how the attack was introduced and carried out, as well as strengthening the in-depth controls, both technological and procedural, which should prevent recurrence. Security awareness among employees: the human firewall The final line of defence is the people in the organisation, the most valuable asset a business has. John Walker, member of the security advisory group of the London chapter of ISACA, advocates a thorough security awareness training and education programme. "Whatever an individual's role is within the business, from chief executives to secretaries, businesses must ensure that everyone is provided with an Page 5 of 13

6 adequate level of security awareness training so they will be able to identify anything suspicious," John Walker said. With the right level of training, employees of an organisation can function as human intrusion detection systems in every part of the business, says Walker. This is particularly relevant as APTs typically combine a number of vectors, including social engineering - for which there are few, if any, viable technical countermeasures. Staff should, in fact, act as a human firewall, says Paul Wood, chief executive of First Base Technologies. "It is no longer viable or appropriate to treat employees as something to be controlled, blocked or locked down," he says. "Our network perimeters have been eroded and undermined by advances in technology and changes in working practices. Unless we consider our employees and colleagues as intelligent people who will understand the threat to their employer - and hence their salaries and livelihood - these types of attack will continue to prevail," Paul Wood said. Wood warns that if organisations treat employees as children, or even potential criminals, that is how some of them will respond. "Let's stop talking down to people, let's treat them as adults and explain the real risks and the potential consequences of a successful attack. Let's provide guidance on protecting their personal information as well as the organisation's data and everyone will win - except the criminals," Wood said. Page 6 of 13

7 How advanced persistent work Attackers have advanced techniques, lending them multiple targeting and intelligence gathering capabilities. Hackers use these capabilities to compromise and eavesdrop on target systems. Once the hacker is on the system, the persistence strategy is one of "low and slow" to allow continued monitoring and data extraction, while avoiding detection. What makes APTs persistent is that hackers will cycle through an arsenal of techniques until they find a way in. Some industry pundits dismiss the reference to APTs as a marketing gimmick. Organisations stand accused of seizing on the APT concept to excuse their unwillingness or inability to deal with too difficult or complex to deal with adequately, or difficult to shake off or close down without great expense, says Gerry O'Neill, vice-president of the Cloud Security Alliance, UK & Ireland. "But the truth is that there is a different profile of threat operating here - and one which organisations cannot afford to ignore." APTs are a real and continuing threat to businesses and governments, O'Neill says, and require a heightened threat awareness and defence capability. This must include a re-assessment of the organisation's data at risk and a re-evaluation of the layers of control needed to prevent "lowprofile" compromise. If all the common entry points are blocked, and additional security takes care of the zero-day, most organisations should be able to put up a reasonable defence. Page 7 of 13

8 By: Anand Sastry, Contributor Traditionally, every enterprise deployment has a firewall as the first line of defense, protecting assets from common Internet-sourced. In most firewall deployment scenarios, firewalls act as gatekeepers, limiting access to only those services over the Internet that the enterprise feels are necessary. At a basic level, access is controlled by rules, which list the asset, and by the service that is permitted to be accessed from a specific location. These rules are determined based on the function of the asset. Typically, enterprises have followed a split-architecture design with Internetaccessible servers separated from the corporate assets in a particular isolated network segment. This segment is traditionally known as a "demilitarzied zone" (DMZ). The isolation is achieved by dedicating a network interface of the firewall to these servers. Direct access to assets outside of those hosted in the DMZ is not permitted. These assets typically include corporate workstations, critical server components like domain controllers, servers and enterprise applications. Assets hosted on the DMZ segment typically include Internet-accessible applications, such as Web interfaces, mail exchanges, mail relays and public drop boxes, among others. Access between assets on the DMZ and corporate segments is strictly controlled. Compare this architecture to that of an enterprise's hosted environment and you will notice many similarities in the approach to access control. An example of a hosted environment could be an enterprise's e-commerce platform, hosted by a third party. Such deployments typically have a DMZ segment hosting the Web heads (Web servers in a three-tier architecture that includes Web, application and database servers). For high-traffic environments, a load balancer handles all connection hand-offs from the firewall's Internet interface, directing traffic to the Web server with the least Page 8 of 13

9 load. The application and database servers are hosted on separate segments with access rules restricting access between the Web, application and database tiers. In both these environments, the firewall serves as the primary defense mechanism, controlling which assets are accessible while providing rudimentary protection against attacks at the network layer. The firewall in this traditional form is not sufficient to offer protection against some of the more pervasive, which typically involve weaknesses within applications (layer 7) rather than weaknesses in the realm of the network (layer 3) that traditional firewalls are designed to protect. To cope with these, traditional firewall products at corporations and hosted facilities have been augmented with products that specifically target application attacks and malware. Below, let's explore a few contemporary types of firewall deployment scenarios that are designed to thwart application attacks and emerging malware. Firewalls for outbound traffic monitoring In corporate environments, though, where firewalls are designed to control access into and out of the environments, traditionally outbound Web access is permitted uncontested. This opens up the corporation to malware due to client-side targeting a user's browser. To counter this threat, most traditional firewall products have been augmented with Internet access management features (inline or proxy-based) that specifically monitor outbound access. This is because, though the firewall can control which ports users are allowed to access from within a corporation, they are insufficient at controlling the content that is accessed. With client-side exploits being a major threat in corporations, such updated protection is crucial. Application-layer content inspection Traditional firewall vendors are now offering appliances that provide application-layer content inspection combined with antivirus -- malware detection capabilities co-existing with a traditional firewall, all on the same Page 9 of 13

10 chassis. These devices, in addition to monitoring traffic for malicious content, also block access to sites hosting questionable content. Of course, these products should not be considered a replacement for traditional host-based protection mechanisms like antivirus, antispam or any other endpoint security solution. Web application firewalls In the hosted environment specifically, Layer-7 monitoring could take the form of Web application firewalls, which specifically focus on applicationlayer attacks that target Web and application services. In addition to protecting against traditional Web attacks like cross-site scripting and SQL injection, these devices have the ability to understand traditional client behavior (i.e., users who interact with the site), and can track and prevent behavior that deviates from the norm. Web application firewalls are currently available as add-on modules to the traditional firewall chassis to offset any performance shortfalls of added Layer-7 traffic monitoring. This is not to say a Web application firewall can replace the traditional firewall in a hosted environment; traditional segmentation of the various tiers is still crucial. Virtual firewall deployments This approach can be extended to virtual hosted platforms as well. Without going into details (a topic in itself), segregating virtual platforms requires firewall separation to be enforced at the hypervisor, thereby controlling access to different virtual instances on the same physical platform. This VMto-VM security enforcement can be further augmented with a combination of traditional and Web application firewalls. In such deployments, the traditional firewall will still have a part to play, though at a more macro level, enforcing separation/protection between farms of virtual servers. Layer-7 protection can then be enforced on those segments deemed sensitive or critical to the business. In conclusion, given the threat landscape, designing a secure hosted or corporate environment should include augmenting firewalls' traditional network-specific defense with a combination of host and network-based protection focusing at the application layer: Having only a layer 3 device protecting critical portions of the network is no longer sufficient. Page 10 of 13

11 About the author: Anand Sastry is a Senior Security Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems. He tweets at Page 11 of 13

12 Dell SonicWALL provides intelligent network security and data protection solutions that enable customers and partners to dynamically secure, control, and scale their global networks. Using input from millions of shared touch points in the SonicWALL Global Response Intelligent Defense (GRID) Network, the SonicWALL Threat Center provides continuous communication, feedback, and analysis on the nature and changing behavior of. SonicWALL Research Labs continuously processes this information, proactively delivering countermeasures and dynamic updates that defeat the latest. Patented1 Reassembly-Free Deep Packet Inspection technology, combined with multi-core parallel architecture, enables simultaneous multi-threat scanning and analysis at wire speed and provides the technical framework that allows the entire solution to scale for deployment in high bandwidth networks. Dell SonicWALL network security and data protection solutions, available for the SMB through the Enterprise, are deployed in large campus environments, distributed enterprise settings, government. Page 12 of 13

13 Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 13 of 13