Hiring a professional penetration tester is often a humbling experience. Using a mix of simple social engineering and technology savvy, a professional is often able to expose dangerous security holes in an organization’s IT infrastructure with ease. In a few days, a penetration tester can identify security vulnerabilities overlooked by the IT staff.
Take for example, these penetration test horror stories: A firm spent US$14 million on a new firewall only to have it bypassed by an insecure dial-in modem. Another firm had its entire accounting system accessible to the Internet via anonymous FTP due to a firewall misconfiguration. Yet another allowed a penetration tester to gain access to a secure area with a fake badge made using a plastic hotel keycard, scotch tape, and an inkjet printer.
Targeted attacks however, surpass penetration testing efforts and can present an even greater threat than malware. Unlike penetration testing professionals, criminals have more time to become familiar with a company. They can perform network or physical reconnaissance. They may be present or former employees, or they may have access to the company’s facilities every day through supply deliveries, consulting activities, maintenance services — or just by pretending to be customers.
In light of these threats, there are several proven defense mechanisms that organizations can implement to actively combat targeted attacks and harden the security of their networks.
Badge Reading Systems and Cameras
Physical access to systems often allows an attacker to bypass several layers of security. In this scenario, unattended terminals can be accessed, administrator accounts can be reset, and media can be removed. Enforcing a badge requirement allows for identity verification of people with building access while cameras can record activity by unauthorized individuals who have forced their way into a facility.
Likewise, cameras provide proof of presence and can monitor the activities of authorized individuals who would normally not be suspected of wrongdoing. Although cameras and badge reading systems are relatively simple, they are fundamental in protecting the other security systems and establishing accountability.
Firewalls are an indispensible resource for maintaining perimeter network security, but they aren’t used nearly enough in most organizations. They should be placed between business units, departments, regulated environments (SOX, PCI, HIPAA, etc.), and in front of resources that contain sensitive information that should not be exposed to the rest of the company.
For example, a mobile computer used by a sales rep (which is highly susceptible to becoming infected with malware) should never have direct access to network segments that host accounting systems, human resources systems, and so forth. In most cases, the cost of investing in a firewall is low compared to the cost of an internal breach.
Once attackers have identified their target, they don’t need to strike immediately. They may not know any obvious way into the system, but they can patiently use the time they have to gain familiarity with the exposed equipment and software, and discover unpatched software vulnerabilities. That’s where intrusion prevention systems (IPS) come in.
IPS can sometimes detect exploit behaviors even when the vulnerability being taken advantage of is not yet patched. They can provide real-time notification and block certain targeted attacks as they are taking place. This capability is key, since system vulnerabilities are a leading source of break-ins. That’s because it can take weeks for commercial vendors to prepare a patch, and months before the patch is applied to a server.
The best method for gaining visibility into activity across an organization’s IT infrastructure in real or near-real time, is to collect and centralize log data from servers, endpoints, network and security devices, databases and applications.
Even if a host is compromised and logs are deleted by the intruder, the log data gathered leading up to the attack should have recorded relevant details about the intrusion. Log management systems enable investigators to recreate the events surrounding an incident and often can help determine the difference between an attack and a system failure. Retained logs become the safety net when the unexplained happens.
Some log management systems also provide security information and event management (SIEM) capabilities that can generate alerts to automatically notify IT staff when critical events occur. When a breach is in progress, the SIEM can alarm and present relevant details to the security staff in near-real time.
Encryption technology is one of the most lasting and effective ways to protect against a breach. Depending on the strength of the encryption used, the attacker will need to use significant resources to decrypt the data — and may not even be able to do so at all.
Regulators seem to concur: The recently released HITECH Act Breach Notification Guidance places an emphasis on encryption as a way to protect medical records.
One of the most dreaded tasks in computer administration is deploying patches. Systems need to be rebooted, administrators and owners of the systems need to be notified in advance, and sometimes the systems break and stop functioning.
However, applying security patches in a timely fashion — using patch servers, applications, agents and through domain policy — eliminates more headaches than it creates. Ultimately, if an organization wants to effectively defend itself against targeted attacks, vulnerabilities must be eliminated by applying patches.
To sum up, achieving the right mix of layered defenses is the best way to make IT infrastructures resilient against targeted attacks.
Using these six technologies as a foundation will enable any organization to defend itself against the bulk of security threats, while also providing the intelligence to determine the who, what, where, when and how behind virtually any targeted attack.