Organizations that rely on perimeter and endpoint defenses alone are far less secure than they believe.
Companies have been so obsessed with perimeter security that they have forgotten about protecting their internal network. What they need is a third layer of security that identifies vulnerabilities and then protects against intrusions that circumvent firewall and endpoint defenses – a burglar alarm that warns you about a breach and then contains or blocks those threats.
Staying ahead of the game: Detecting vulnerabilities
There is a worrying trend in security vulnerabilities. Several years ago, it was common for a year to pass between the time a vulnerability was discovered and the time it was exploited by malware. The MS00-078 vulnerability, disclosed in 2000, had been known about for a full year by the time the Nimda worm first appeared in September 2001.
Things have changed. The window from discovery of a vulnerability to its exploitation has shrunk dramatically – from more than a year to literally hours. With 3,000 to 5,000 new vulnerabilities discovered each year in applications, databases and operating systems, applying patches quickly has become more critical than ever. However, most companies are not able to apply patches on a broad scale within hours, or even a day, of release.
And new threats can come out of nowhere. New attack vectors are emerging quickly and applications can be exploited with frightening speed. For example, in 2004 there were no serious malware threats targeting instant messaging software. A year later there were more than 2,000. This shows how quickly the security landscape can change and completely compromise the integrity of a network.
Now the good news. The first secret to protecting your internal network is to look for vulnerabilities proactively before the bad guys show up. Before you come under attack, make sure that you have thought like a bad guy and have tried to break into parts of your network that may or may not be vulnerable. This allows you to mitigate errors and fix those vulnerabilities before anything malicious happens.
Vulnerabilities come in two forms: misconfigurations and software flaws. Software flaws are straightforward to fix: apply the patch from the vendor that corrects the flaw. Of course, maintaining current patch levels across a large, complex network can become a daunting task, but there are a number of products on the market that automate it quite effectively. Misconfigurations are a little trickier to address. The most common example of a misconfiguration is a weak password. But one admin's weak password is another admin's strong password. In other words, the strength of any configuration is relative.
How hardened should your system be? Luckily there are best-practice secure configuration standards available from organizations like the Center for Internet Security that can be used to benchmark your systems. The main point here is to consistently and proactively track and fix vulnerabilities in your network. In most network attacks, the weaknesses exploited were ones for which patches were already available, or obvious misconfigurations that went unnoticed. With the right kind of vulnerability management solution and processes in place, weaknesses in your network can be found, brought to your attention and shored up.
Install a burglar alarm: Intrusion detection and protection
In the past, attacks were all about notoriety. Most of the people perpetrating security incidents were harmless pranksters, maybe running a script or program to deface a web site. They could bring a network down but generally did not steal anything. Now the trend is for professional bad guys to fly under the radar, and attack and steal information for financial gain. That means the threat landscape is more serious than before and makes companies more vulnerable. They have a false sense of security in believing that a hardened perimeter is sufficient protection.
Among attacker trends, botnets have emerged as a valuable commodity. Botnets are one of the most popular and dangerous ways for attackers to infiltrate and propagate throughout internal networks. Each bot acts as a remote control agent that, once inside the network perimeter, phones home to the perpetrator and waits for remote commands. Then the bots can do practically anything. They can capture keystrokes, run a malicious program or steal data on the compromised machine; and that is just the beginning.
Since botnets can bypass perimeter security and get into an internal network through workstations with unauthorized access, roaming laptops and firewall-penetrating worms, a burglar alarm – intrusion detection – needs to be installed. Without intrusion protection, you may never know whether you were infected or whether information was stolen. Unfortunately, corporate security staffs often do not have the technology in place or are not properly equipped to keep up with the latest threats.
Hardening your network perimeter is like locking the front door. It is necessary to keep intruders out, but it does not help much once the internal network has been broken into. A lack of visibility into the internal network means there are no control mechanisms to stop threats once they begin to spread.
Once you have made sure that there are no obvious vulnerabilities in your network, intrusion protection technology can tell you if and when your network gets invaded. Then you can intervene as soon as possible to mitigate the damage by containing or blocking those attacks. Intrusion protection, not a hardened perimeter, can tell you if botnets are infecting your internal network, even when employees bring those infections onto your network after taking laptops offsite or using VPN access to reach the network remotely.
Due to the false sense of security that firewalls have often produced, most companies have not spent much time monitoring their internal networks to find out if threats have gotten past the perimeter. This has left botnets and other malware free to propagate around the network if they breach the perimeter – and this can bring a network down or result in the loss of important customer, patient, employee or company information.
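The "phones home and waits for remote commands" behaviour described above is something internal network monitoring can surface without a signature for the specific malware: a timer-driven bot produces outbound connections at nearly constant intervals, whereas human-driven traffic does not. The following script is an added example (not code from the article or from Alert Logic) that scores constructed connection-log lines for that regularity; the log format, hosts and thresholds are assumptions for illustration.

```python
# Detect beacon-like "phone home" traffic in internal connection logs: a bot
# that waits for remote commands polls its controller at a regular interval,
# so flows with nearly constant gaps between connections stand out.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real traffic): "<timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.2.34 203.0.113.7 443
2024-03-01T09:01:12 10.1.2.34 198.51.100.20 80
2024-03-01T09:05:01 10.1.2.34 203.0.113.7 443
2024-03-01T09:10:00 10.1.2.34 203.0.113.7 443
2024-03-01T09:14:59 10.1.2.34 203.0.113.7 443
2024-03-01T09:20:00 10.1.2.34 203.0.113.7 443
2024-03-01T09:03:40 10.1.2.35 198.51.100.20 80
2024-03-01T09:21:05 10.1.2.35 198.51.100.20 80
2024-03-01T09:47:13 10.1.2.35 198.51.100.20 80
2024-03-01T10:30:50 10.1.2.35 198.51.100.20 80
2024-03-01T10:34:02 10.1.2.35 198.51.100.20 80
"""

def parse_log(text):
    """Return {(src, dst, dport): [sorted timestamps]} from the log text."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows

def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Flag flows whose gaps are nearly constant: jitter = stdev/mean of the
    gaps is near zero for a timer-driven poll, high for human-driven use."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits.append({"flow": key, "interval_s": round(avg),
                         "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))
```

Only the 10.1.2.34 to 203.0.113.7 flow, polling every five minutes, is reported; the irregular web traffic from 10.1.2.35 to the same kind of destination is not. In practice, feed this from your firewall or proxy export and tune `min_connections` and `max_jitter` against known-good traffic first.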
Building a third layer of security
Hardening your network perimeter and protecting endpoints with anti-virus software are the obvious first steps to securing your network. Adding a third layer of security to protect your internal network from vulnerabilities and intrusions is the next step.
Building this third layer of security does not require a lot of extra technology or additional IT staff. One approach is an on-demand solution that allows the infrastructure of the solution to be moved “into the cloud” to avoid the hassle of deploying and managing a network security infrastructure.
- Chris Smith is vice president of marketing for Alert Logic