Enterprise security remains under fire

Tuesday, April 13, 2010 @ 06:04 PM gHale

The viability of enterprise security models are under fire in new ways in the wake of the targeted cyber attacks of the sort that hit Google and more than 30 other tech firms earlier this year.

Unlike e-mail and network-borne worms and viruses the industry has seen over the years, targeted attacks are even more secret and can allow the bad guys a way to break into an enterprise network, and stay hidden there for a long time. Typically, the goal behind such attacks is to snoop and to steal sensitive information.

State-sponsored groups with deep technical skills and computing resources have been directing such attacks against government and military targets for several years now. But there has been an increasing number attacks into the commercial arena.

[private]These targeted attacks are the advanced persistent threat (APT) facing U.S commercial entities. The attacks typically rely on sophisticated social engineering techniques to exploit previously unknown security vulnerabilities. These attacks are difficult to fend off because they usually elude the signature-based malware-detection tools traditionally deployed at most companies.

Most attacks use social engineering to trick people with access to key information into opening tainted e-mails or other communications.

The malicious messages look as if they’re from someone the recipient knows and has been communicating with, said Paul Wood, a senior intelligence analyst in Symantec Corp.’s MessageLabs Intelligence unit. They can even go into an ongoing e-mail exchange, gaining authenticity because they include familiar subject headers and references to ongoing conversations.

Who’s most at risk? The quick answer is company directors, vice presidents, managers and executive directors at smaller companies, according to MessageLabs. Because larger companies tend to protect themselves better than smaller ones, cybercriminals aim for small firms that might be suppliers or business partners to big ones, Wood said.

Dealing with these threats requires new ways of thinking, said Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services. Because the attacks often take advantage of zero-day threats for which no defense exists, blocking them with signature-based anti-malware tools is almost impossible, he said.

As a result, companies need to strengthen their ability to detect intrusions and respond quickly, Arries said. Since targeted attacks siphon out data via the network, keeping a close eye on network traffic can help detect anomalies. A gusher of data going out over the network is a warning sign that something is awry.

As part of their security efforts, companies should implement network traffic flow analysis tools. In addition, a company should look toward technology that does network packet inspection. Network packet inspection technology can quickly go through network logs and inspect specific data packets flagged as suspicious.

Using a whitelist can also be useful. That will allow a company to grant specific traffic over its networks while excluding everything else.

This sort of a default-deny approach can be very effective in stopping traffic coming in from or going out to destinations that not previously approved. Companies can block traffic from entire network blocks or even whole countries, if needed. As a result, even if a hacker compromises a network, the chances of his being able to smuggle out data is almost nonexistent.

The problem is that it’s not very scalable. Restricting traffic to specific destinations is unworkable, especially in large enterprise networks. But it can work in specific situations, such as when protecting systems containing credit card data.[/private]

Leave a Reply

You must be logged in to post a comment.