Eight New Year's security resolutions for 2008
2005 and 2006 was when we saw the new generation of hackers using new and updated attack methods, new tools and resources, and a focused effort on financial gain. No more was the idea to gain fame but to gain fortune. 2007 saw an expansion of size, scope and concentration of attacks. In addition, we saw attacks becoming much more targeted.
2007 also saw malware, worms and other malicious code being able to morph autonomously to bypass traditional security systems. 2008 is expected to be a continuation of the 2007 theme with a greater emphasis on a few specific attack methods including cross-site scripting, application level attacks, and more client side compromises. Additionally, we are expecting to see some big new things on the horizon including “super worms,” XPATH injection attacks and more.
To protect your systems from compromise, layers of old and new security techniques are the best way to reduce your risk. Here are the top eight security tips that should be a part of your New Year's resolutions along with eating healthy, reading a new book, getting more sleep, catching up with old friends, losing weight, saving money, time off to re-charge and regular exercise.
1: Patch management – eating healthy
The idea of patch management is nearly as old as anti-virus software; however, changes in the way attackers target systems make the traditional solutions far less effective in overall security posture. Most organizations believe that they are 100-percent in compliance with patching their systems as a result of subscribing to the Microsoft automatic patch updates. The problem is that few organizations are 100-percent Microsoft. So many networks include Linux, UNIX, Macintosh and other operating systems that the Microsoft updates simply don't cover. Often some of the most sensitive data is on systems that aren't patched frequently, or at all.
Microsoft's patch program only includes Microsoft applications. Most environments have no monitored methodology for ensuring that non-Microsoft applications are patched. Administrators are often under a false sense of security thinking the system is patched, when many of the applications contain serious vulnerabilities (as in the recent high threat Adobe vulnerability). Invest in a patch management solution that gives you full visibility into your network, covers all the operating systems you are using, and be sure it includes Microsoft as well as your other vendor's patches.
Additionally, be sure your laptops and desktops are using the most current versions of internet browsers. Many threats exist when using older browsers. Often we see two or three different browsers loaded onto each PC. It is important to keep all of these current.
2: Employee security awareness training – read a new book
Employee training is not only a requirement for most industries, but it is one of the best ways to minimize your exposure to the most damaging type of security attacks – the unintentional ones created by your uneducated or careless employees. So many current attack methods depend upon the misbehavior of users. This could be clicking on a link, running a program, being lured out to a malicious website, plugging in a USB drive and the list goes on and on. Raising the awareness level of your employees through online courses that they are required to take monthly is a great way to keep security in the forefront of their minds. Having your employees spend 30 to 45 minutes each month can save tens of thousands of dollars or more in losses.
When selecting a training program, pick one that has a variety of courses that are up-to-date. Be sure it has a method for users to review your company policies and procedures and acknowledge that they understand them. It should require testing that gives the user a certificate of completion when done. Lastly it should have reporting capabilities that will allow administrators to review employee scores andto be able to share them with executive management as well as auditors and examiners.
3: Host-based intrusion prevention (HIPS) – regular exercise
Most organizations use some form of network intrusion detection system (NIDS) to detect attacks. The problem is that the bad guys know this and have architected ways to disguise their attacks to bypass intrusion detection systems. There are a variety of methods for this including encryption, packet fragmentation, packet overlap, and encoding just to name a few. These methods prey upon the Achilles' heel of the NIDS which is that it sits between the attacker and the internal network, but has no visibility into internal events (much less activity on the target system itself). In order to protect your critical systems and data, it is important to monitor activity on the system itself.
Host-based Intrusion Prevention (HIPS) is the answer. HIPS uses very different detection methods than NIDS. HIPS can monitor the system looking for anomalous behavior, applications attempting to be installed, user escalation, and other non-standard events. The system then compares these activities to a set of rules and policies and either logs or blocks the actions. This is one of the best ways to protect sensitive data residing on internal systems.
4: Network, operating system and application-level testing – catching up with old friends
Most organizations do simple external network and operating system vulnerability testing, which is a great way to identify Internet exposures. These basic vulnerability assessments, however, do not perform application level testing which has become a common attack method. Two application level attacks that are often seen include SQL injection and buffer overflows. Application level testing can identify poorly written programs (such as home grown applications and online backing programs) that are susceptible to these types of attacks.
In addition to the external scanning and testing, you should also be running vulnerability assessments on all internal systems to identify exposures. Be prepared to quickly remediate all critical and high priority vulnerabilities that are found. For large networks, this can seem like a monumental task, but it is much better to be aware of potential vulnerabilities and work to remediate than to live in blissful ignorance (until bliss ends and event accountability begins).
5: URL filtering – losing weight
The number of organizations that do not limit where their employees can surf on the Internet is amazing. For those of you who still feel like you should give your employees the freedom to do what they want, this is a freedom that your organization can ill afford. In addition to potential legal and reputational concerns, web browsing is an open window to viral attacks. With such a large percentage of attacks coming from infected or compromised websites, we have to control where our users are going and the best way to do that is through the use of a URL-filtering program. Remember: IDS does not protect you from website-hosted malicious code!
6: Desktop protection – saving money
Desktop anti-virus is just a part of what we expect to have on our systems. As we go into 2008, we believe this traditional software will expand to do much more comprehensive desktop protection. SPAM, phishing protection, spyware, firewalls, intrusion detection and more are required to keep the desktops safe. This software will be further taken to include policy and application execution enforcement and other PC control systems.
The key to these solutions will be centralized management and reporting on all aspects of the security solutions. If you have to manage the systems individually, it will lead to unprotected systems, and exposure within your network.
7: Policy management – time off to re-charge
Every person has a different idea of what policy management means. For some, it means the enforcement of complex passwords that are required to change on a regular basis. For others it is restricted access from “admin” controls on the workstation that can install, remove, and modify applications. Still others think of this as a way of reporting on anti-virus updates, patch levels, operating system service pack levels, and so forth.
Basically, policy management is a way of monitoring and reporting on network systems against established policies and procedures you have for your organization. You need to decide what is important to you, and then employ the systems and service that give you visibility into this type of information. A robust policy management system should include all of the above listed items at a minimum, and then others that you feel are important to your organization.
8: Extrusion management – getting more sleep
Sensitive data leaks from organizations every day. Often this comes in the form of emails being sent out where the employee wasn't trained properly. Regardless of the method, more and more organizations are turning to extrusion management solutions that keep the sensitive data inside the network.
A first step at this might simply be an email content filtering solution that will allow you to monitor for sensitive data being sent through the SMTP protocol. This is often effective because it is the No. 1 way sensitive data leaks from an organization. Other solutions that monitor many or all protocols coming and going from the network may also be used to manage sensitive data.
Unlike the New Year's resolutions that are all but forgotten in February, the idea of layered security can not be pushed aside like eating healthy, getting more sleep and regular exercise. While nothing will ever make you 100-percent secure, these eight risk mitigation solutions are often misapplied, absent or not comprehensive enough in most network environments leading to unnecessary exposure. Implementing these ideas are some of the best ways to fortify and protect your network from attack in 2008 and beyond.
- Kevin Prince is CSO of Perimeter eSecurity