When it comes to security, having multiple layers is the most important defense. This principle was true for medieval kingdoms, and it’s true today for organizations working to protect their services and data from cyber-attacks.
Let’s go way back in time and consider a castle during the Middle Ages and the security lessons learned. Protection included a moat and a drawbridge that offered a limited entry point. These massive structures were often built atop large hills to enable a better view of oncoming armies. Thick stone walls on the exterior proved nearly impenetrable and interior walls added yet even more defense. Add to that a parapet, armed guards and watchtowers, and a castle proved a tough place for aggressors to infiltrate.
A castle coming under attack is no longer something most of us worry about. Instead, our focus is often on the virtual world and the data we store online – be it on private networks or a public cloud. The point is, in either instance, a layered approach to protection is imperative.
In this article, I will examine and follow the many different ways hackers and cyber-criminals attempt to tap into systems online and siphon data for personal gain. One layer of security won’t stop these anonymous intruders. They’re too smart and too persistent. Businesses must have multiple means of security to ensure the culprits are cut off at every turn.
An Epic Threat
The news developed quickly and became exponentially worse in mid-May of 2017. A cyberattack had rippled across the world. This particularly nasty piece of ransomware was known as WannaCry and between May 12 and May 15 it infected an estimated 200,000 computers in about 150 countries. On the fourth day of the crisis, security experts had determined that successful updates by most compromised organizations had effectively stopped the attack. By then, however, its effect and scope was already unprecedented.
Unfortunately, WannaCry is not likely to remain the largest and most crippling ransomware attack for very long. Two months after the strike, Lloyd’s of London, the world’s oldest insurance market, released a 56-page report that stated a large-scale cyberattack could cost the global economy more than $120 billion, which was the cost of cleaning up Hurricanes Katrina and Sandy.
These types of threats are constantly evolving and can be devastating to individuals and organizations. What’s more, recovery can be a difficult process and often requires the services of a reputable data recovery specialist. While hackers are always refining and updating their methods, many of the same vulnerabilities exploited in the 1980s by famous hackers Mitnick and Morris are still being exploited today. These include poor passwords, vulnerabilities in operating systems, social networking, exposed open interfaces and more.
Staying protected requires hard work and awareness. Security and convenience are often mutually exclusive, which is a key challenge. People want security, but they want it to be transparent to them. In other words, they want to focus on the job at hand, not on being a security expert. Also, organizations must understand that no matter how much money they spend, there is no such thing as impenetrable security. Risk mitigation is the best defense.
The Problems and Solutions
Stepping through an advanced attack
A lot of malware begins life through email. Spam emails can be more than just an annoyance. If designed to do so, opening a malicious email can be all a hacker needs to access a computer (or user), or an entire network, and wreak havoc. (See attack number 1 in the diagram) With this danger in mind, spam protection is imperative for anyone with an email account – which covers nearly everyone in the business world.
Proper protection must include the following actions:
- Scan emails for dangerous attachments and links
- Scan and block unsolicited commercial email (UCE)
- Optionally, replace all links in an email with a unique link that, when clicked, sends the user to a spam protection service for scanning before the user is allowed to continue to that destination.
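The three actions above, as an added example that is not part of the original article: a small Python scanner that flags attachments with dangerous extensions, lists the links in the text body, and rewrites every link to point at a click-protection gateway, signing each rewritten link with an HMAC so the gateway can reject forged ones. The gateway URL, the signing key, the extension list and the sample message are all constructed for the example.

```python
import email
import hashlib
import hmac
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Hypothetical click-protection gateway (assumption): it scans the real destination
# before redirecting the user, so every link in the mail is pointed at it instead.
GATEWAY = "https://linkcheck.example.invalid/redirect"
# Constructed demo key; it signs rewritten links so the gateway can reject forged ones.
SIGNING_KEY = b"constructed-demo-key"
# Attachment types commonly used to deliver malware. A real scanner also inspects content,
# not just the file name, because a name like invoice.pdf.exe is designed to mislead.
DANGEROUS_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".jar", ".bat", ".cmd", ".ps1"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_url(url: str) -> str:
    """Replace a link with a unique gateway link carrying an HMAC over the original URL."""
    tag = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{GATEWAY}?u={quote(url, safe='')}&sig={tag}"


def verify_rewritten(original: str, sig: str) -> bool:
    """What the gateway does on click: recompute the tag and compare in constant time."""
    expected = hmac.new(SIGNING_KEY, original.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, sig)


def scan_message(raw: bytes) -> dict:
    """Flag dangerous attachments, list links in the text body, and return the body with links rewritten."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"dangerous_attachments": [], "links": [], "rewritten_body": ""}
    for part in msg.walk():
        filename = part.get_filename()
        if filename and "." in filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower()
            if ext in DANGEROUS_EXTENSIONS:
                findings["dangerous_attachments"].append(filename)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings["links"] = URL_RE.findall(text)
    findings["rewritten_body"] = URL_RE.sub(lambda m: rewrite_url(m.group(0)), text)
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message: a login link plus a double-extension attachment."""
    m = EmailMessage()
    m["From"] = "payroll@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Updated invoice"
    m.set_content("Please review http://invoice-update.example.invalid/login and reply today.")
    m.add_attachment(b"MZ-constructed-bytes", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The signature matters because the gateway URL is public: without it, an attacker could craft a gateway link to any destination and borrow the gateway's trusted appearance. Real deployments also scan attachment content, not only the file name.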
Users also must be vigilant and consider the content of the message itself and who it is from. A message might even come to your inbox from a known colleague or good friend, but there is still the possibility that the sender’s email account has been compromised or that it didn’t actually come from that person. The best (and safest) practice is to avoid opening any attachment, even from known colleagues, unless it is expected.
Though an email might not contain malicious links or attachments, ALL content must be scrutinized. Content that “tricks” the user into performing an action is called a socially engineered attack, or more commonly a phishing attack. Examples that should raise suspicion are an email from the CFO asking to transfer money, someone asking for a username and password, or a colleague asking that an unusual task be performed. That email you got that you thought was from your bank may be tricking you into revealing your banking account credentials.
The 2016 Verizon Data Breach Investigations Report found that 58 percent of incidents involving compromised user credentials utilized phishing attacks. Breaking news, collective interests and the names of known people are common tactical topics used to fool users into doing the bidding of the attacker.
- Good spam protection software and/or service
- User education on the most current spam/phishing tactics, with ongoing refresher training.
Let’s say that the spam prevention system has failed to block a malicious email and the user has made the mistake of clicking the link within the message. (See attack number 2 in the diagram) At this point, another level of protection is necessary (remember the castle!). This next level is known as web filtering. It is a security measure that blocks users from connecting to malicious websites and destinations.
Filtering can also be done by category. For example, companies may not only wish to block malicious websites, but also websites that fall into certain categories such as gambling, weapons or worse. Web filtering can take place on several levels. Most commonly, it is implemented at the Internet gateway or firewall. However, web filtering can also be implemented at the user’s workstation/laptop/mobile device, etc., and within Domain Name System (DNS) servers. While web filtering at the firewall or gateway is the easiest to manage, it might not protect a company’s mobile users. As Bring Your Own Device (BYOD) becomes a more common practice, this danger has risen.
When a user clicks a malicious link in an email, he/she might not necessarily be behind the corporate firewall. In this case, implementing an endpoint web filter is essential, or at least a software agent that can talk back to the corporate web filter no matter where the user is located. DNS-based web filters are perhaps the easiest to implement since there is typically nothing to install on the corporate network. OpenDNS is a notable service, free for home users, that blocks DNS requests for known malicious hostnames/websites and for any category of the user’s choosing.
- Multi-layered web filter on the firewall or gateway.
- Endpoint protection to safeguard mobile users utilizing software and/or a DNS filtering service.
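The DNS-level category filter described above, as an added example that is not part of the original article and not OpenDNS's implementation: a Python policy check that classifies a query name by walking up through its parent domains (so a subdomain inherits its parent's category), blocks the categories the policy names, and honours an explicit allowlist. The category feed and the domain names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed category feed: domain -> category. Real services maintain millions of entries
# and refresh them continuously; these four names are made up for the example.
CATEGORIES = {
    "malware-drop.example.invalid": "malware",
    "phish-login.example.invalid": "phishing",
    "casino.example.invalid": "gambling",
    "news.example.invalid": "news",
}


@dataclass(frozen=True)
class FilterPolicy:
    blocked_categories: frozenset
    allowlist: frozenset = frozenset()  # explicit exceptions, checked before any category rule


def categorize(hostname: str) -> Optional[str]:
    """Walk from the full name up through its parents so that a subdomain inherits the
    parent's category; cdn.malware-drop.example.invalid is still 'malware'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


def decide(hostname: str, policy: FilterPolicy) -> Tuple[str, Optional[str]]:
    """Return ('allow' | 'block', category) for one DNS query name."""
    name = hostname.lower().rstrip(".")
    category = categorize(name)
    if name in policy.allowlist:
        return ("allow", category)
    if category in policy.blocked_categories:
        return ("block", category)
    return ("allow", category)


def filter_queries(queries, policy: FilterPolicy):
    """Apply the policy to a batch of query names and return one log record per query."""
    records = []
    for q in queries:
        action, category = decide(q, policy)
        records.append({"qname": q, "action": action, "category": category})
    return records


if __name__ == "__main__":
    corporate = FilterPolicy(blocked_categories=frozenset({"malware", "phishing", "gambling"}))
    sample = ["cdn.malware-drop.example.invalid", "casino.example.invalid", "news.example.invalid"]
    for rec in filter_queries(sample, corporate):
        print(rec)
```

The parent-domain walk is the detail that matters: a feed that lists only the registered domain still has to block the throwaway subdomains attackers generate under it. Logging every decision, allowed queries included, is what later lets a SIEM spot a host that suddenly starts resolving names no one else in the company resolves.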
Intrusion Detection and Prevention
If the web filtering system has failed to block the connection to the malicious website, the user’s computer can connect to a malicious system. (See attack number 3 in the diagram) Once the connection is made, it is possible for the attacker’s server to attempt to gain control of the computer or install software. This can be done either by taking advantage of known or unknown vulnerabilities on the user’s computer, or tricking the user into installing software on their PC using social engineering.
A corporate firewall should have the ability to scan traffic in real-time and detect intrusion attempts on client computers, as well as the company’s public Internet-facing servers such as email, web or application servers. This is called an Intrusion Detection System / Intrusion Prevention System (IDS/IPS).
It is absolutely imperative that all computers, servers and network devices on a company’s network are up-to-date on all software and fully patched. Most malware will take advantage of known vulnerabilities that have known fixes readily available.
- Install an IDS/IPS service at the corporate gateway
- Protect endpoints and mobile users with an IDS/IPS software system
- Educate users on what is safe and how to spot social engineering attempts
- Implement a centralized patching system
Now we move on to the next layer in our security strategy. Let’s say that the IDS/IPS services have failed to block the malicious software and the user’s computer has vulnerabilities. It is now up to the antivirus system to save the day. (See attack number 4 in the diagram) This is an area of software development that has evolved quickly in recent years. It can be installed on the firewall to examine all traffic as it passes through the Internet gateway, and on the endpoints. Both are recommended.
Traditionally, antivirus products were definitions-based, meaning the software could only detect known viruses that were included in the definition file. Not so long ago, it was also acceptable for antivirus software to update once a week to detect the newest malware. Things have certainly changed. Today, antivirus software must update each hour or every few minutes to detect the latest threats. However, as hackers and cyber-criminals become more sophisticated, even this isn’t sufficient.
New malware can’t be defined fast enough, which brings us into the realm of Zero-day threats – brand new hazards that have no previous history or definition file. These must be identified and blocked as well, in real-time. Zero-day threats could be something totally new or, more commonly, variants of previously known malware (which is why WannaCry is still a threat). In recent history, some of the most successful ransomware, such as CryptoLocker, TeslaCrypt and Locky have had several variants to work around antivirus software and take advantage of new vulnerabilities.
New anti-malware software is starting to closely examine specific behaviors rather than matching programs to definitions. This broadens protection by casting a much wider net. Using heuristics (techniques for solving problems as fast as possible), machine learning (a form of artificial intelligence) and sandboxing (detonating the malware in its own isolated space), these next-generation security programs are able to detect suspicious behaviors on a single machine or, collectively, on the entire network in order to identify and stop threats. Think of it this way – the traditional virus definitions method works well for the known, while the advanced methods work well for the unknown.
- Multi-layered endpoint protection that uses both traditional and next-generation threat detection engines.
- Antivirus on the gateway
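The contrast between definition-based and behaviour-based detection, as an added example that is not part of the original article and not any vendor's engine: a Python sketch in which a "definition file" of SHA-256 hashes catches the known sample, misses a variant that differs by one byte, and a behavioural scorer over a constructed endpoint event trace catches the variant anyway because it still mass-renames files, deletes shadow copies and drops a ransom note. The hashes, the event format and the traces are all constructed.

```python
import hashlib
from collections import defaultdict

# Constructed "definition file": SHA-256 digests of samples already known to be malicious.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-ransomware-sample-v1").hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Traditional engine: exact match against the definition file."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def behaviour_scores(events) -> dict:
    """Behavioural engine: score each process on traits typical of file-encrypting malware.
    events: (process, action, target) tuples as an endpoint sensor might emit (constructed format)."""
    per_proc = defaultdict(lambda: {"renamed": 0, "shadow_copies_deleted": False,
                                    "ransom_note": False, "score": 0})
    for proc, action, target in events:
        p = per_proc[proc]
        if action == "rename" and target.endswith((".locked", ".encrypted")):
            p["renamed"] += 1  # mass renaming to a new extension
        elif action == "delete_shadow_copies":
            p["shadow_copies_deleted"] = True  # removing the victim's local recovery option
        elif action == "write" and target.lower().endswith(("readme.txt", "how_to_decrypt.html")):
            p["ransom_note"] = True
    for p in per_proc.values():
        rename_points = 3 if p["renamed"] >= 20 else 1 if p["renamed"] >= 5 else 0
        p["score"] = rename_points + (3 if p["shadow_copies_deleted"] else 0) + (2 if p["ransom_note"] else 0)
    return dict(per_proc)


def verdict(sample: bytes, events, threshold: int = 5) -> str:
    """Layered decision: definitions catch the known, behaviour catches the variant."""
    if signature_match(sample):
        return "known-malware"
    if any(p["score"] >= threshold for p in behaviour_scores(events).values()):
        return "suspicious-behaviour"
    return "clean"


# Constructed traces. The variant differs from v1 by a single byte, so its hash is unknown,
# but it behaves exactly like the original.
VARIANT_SAMPLE = b"constructed-ransomware-sample-v2"
VARIANT_TRACE = [("cryptor.exe", "rename", f"C:\\Users\\u\\Docs\\file{i}.docx.locked") for i in range(25)]
VARIANT_TRACE += [("cryptor.exe", "delete_shadow_copies", ""),
                  ("cryptor.exe", "write", "C:\\Users\\u\\Docs\\README.txt")]
# A backup tool renames just as many files, but to .bak and without the other traits.
BENIGN_TRACE = [("backup.exe", "rename", f"D:\\Backup\\file{i}.bak") for i in range(25)]

if __name__ == "__main__":
    print(verdict(b"constructed-ransomware-sample-v1", []))
    print(verdict(VARIANT_SAMPLE, VARIANT_TRACE))
    print(verdict(b"unrelated-backup-tool", BENIGN_TRACE))
```

The weighting is deliberately crude; a real engine tunes thresholds against false positives (backup and archiving tools rename many files too), which is why the benign trace scores zero here rather than merely low.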
Application Control and IP Reputation
Implementing all of the measures we’ve discussed thus far can certainly go a long way in ensuring security. However, these antivirus services and all other protections can still fail to detect and impede malicious software. (See attack number 5 in the diagram) When this worst-case scenario has occurred, the endpoint is under control of the attacker’s Command and Control server and can be instructed to do any of the following:
- Collect and send personal information, which is among the most valuable commodities on the black market. This could be credit card numbers, health information, browsing habits, web site credentials, and more.
- Encrypt files on the local computer and possibly the corporate network, then ask for a ransom to get the data back.
- Participate in a Distributed Denial of Service (DDoS) attack. In this scenario, thousands of computers are coordinated by the attacker to send garbage data to a single point, thus flooding the victim’s Internet line. This results in a loss of service for as long as the attack is sustained.
- Infect other computers on the network or Internet. This includes hijacking a user’s address book and sending malicious emails to all contacts on the infected user’s behalf.
- Inject advertisements like pop-ups or links in the web pages you visit.
One of the most worrisome elements of this situation is that the user typically doesn’t know that their own computer is infected, and it is beneficial for the malware to remain hidden so that it can continue to do damage and infect other computers.
- Multi-layered endpoint protection software
- Corporate gateway application control that can detect which applications are using the Internet, where they are connecting and what data is being transmitted, and block connections to known disreputable IP addresses.
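Detection logic for the gateway control just listed, as an added example that is not part of the original article: a Python routine that groups outbound connections by process and destination, flags destinations on an IP reputation list, and flags connections whose timing is suspiciously regular, since an infected endpoint typically checks in with its Command and Control server on a fixed interval. The reputation list, the connection-log format and the sample connections are constructed (addresses come from the RFC 5737 documentation ranges).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation list: addresses a feed would mark as known C2 infrastructure.
BAD_IPS = {"203.0.113.45"}


def detect_beacons(conns, min_conns=6, max_jitter=0.15):
    """Group outbound connections by (process, dest_ip, dest_port) and return alerts.
    conns: iterable of (timestamp_seconds, process, dest_ip, dest_port, bytes_out) (constructed format).
    A group is 'periodic' when the spread of its inter-connection gaps is small relative to the
    mean gap; human-driven traffic such as browsing is far more irregular."""
    groups = defaultdict(list)
    for ts, proc, ip, port, _bytes_out in conns:
        groups[(proc, ip, port)].append(ts)
    alerts = []
    for (proc, ip, port), stamps in groups.items():
        reasons = []
        if ip in BAD_IPS:
            reasons.append("known-bad-ip")
        stamps.sort()
        if len(stamps) >= min_conns:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"periodic every ~{avg:.0f}s")
        if reasons:
            alerts.append({"process": proc, "dest": f"{ip}:{port}", "reasons": reasons})
    return alerts


# Constructed sample: one process checks in roughly every minute with a known-bad address,
# while a browser talks to a clean address at irregular, human-paced intervals.
SAMPLE_CONNS = [(t, "updater.exe", "203.0.113.45", 443, 512)
                for t in (0, 61, 119, 180, 242, 299, 360, 421, 479, 540)]
SAMPLE_CONNS += [(t, "browser.exe", "198.51.100.10", 443, 4096)
                 for t in (0, 3, 40, 41, 95, 300, 310)]

if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_CONNS):
        print(alert)
```

Reputation lists only cover infrastructure someone has already reported, so the timing check matters for the worst case the section describes: an endpoint whose malware slipped past every earlier layer and is talking to a server no feed knows yet. Malware authors add random jitter for exactly this reason, which is why the threshold is a parameter rather than a constant.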
A risk mitigation plan must include tactics to recover from data loss as quickly as possible. It is important to regularly back up critical data and store those backups in at least three places – two onsite and one offsite. The regularity of backing up data is different for each organization and is based on the level of acceptable risk. This could mean replication once an hour, once a day or continuous real-time replication offsite. Companies must consider how much downtime will cost per hour as well as per day.
If you are not able to recover your data at the primary production site, a disaster recovery and business continuity plan must be in place.
Responding To An Attack
Though prevention is the best medicine, if you suspect your computer or network is infected, there are several steps you should take:
- Immediately disconnect the network cable, turn off your WiFi and turn off the suspected computer. Or disconnect the internet from the corporate network or network segment if necessary.
- If you believe you might have revealed sensitive company-related information, report it to the appropriate people within the organization, including network administrators.
- If you believe your financial accounts have been compromised, contact your financial institution immediately and close any accounts that might be at risk. Watch for any unexplainable charges to the account.
- Engage with a security specialist who can counter the attack and implement the appropriate safety measures.
- Immediately change any passwords you might have revealed. If you have used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. A good password manager can help you securely keep track of all your passwords and keep them unique.
- If the attack is severe, consider reporting it to the police and filing a report with the Federal Trade Commission.
New and Evolving Threats
As noted throughout this blog, cyber-criminals do not sit idle for long. They are constantly updating their methods and trying new schemes to infiltrate endpoints and networks. On the user side, new technology is being integrated into our society at an increasingly rapid rate. This is dangerous for several reasons. The business world, and even individuals at home, might use this technology without fully understanding how to protect themselves. Cyber-criminals see these new factors as yet another entry point at which they can aim their attacks.
Two major components that continue to develop are Bring Your Own Device (BYOD) and the Internet of Things (IoT). Because these are relatively new developments from a myriad of manufacturers, they are difficult to keep updated with the latest security, if not impossible. BYOD in the workplace means employees often bring their own unprotected phones, tablets and laptops into an office. Although these are personal devices, they might have their company email configured, and sensitive corporate files might be saved as well. As for IoT, more and more devices are becoming connected. It is critical that these devices are identified and kept separate from the production network and protected at the Internet gateway and DNS levels. IoT is one of the major security challenges in the healthcare industry right now because so many medical devices are network connected, with security taking a distant backseat to function and the cost to upgrade.
The very near future will also bring a network of autonomous vehicles, which introduces an entirely different category of security. These vehicles will need to communicate with the manufacturer, traffic systems and themselves to maintain safety.
There is much to consider and a lot of information to keep track of. It might be appealing to accumulate a variety of security monitoring tools to combat the growing number of threats. While this might be tempting, it is an approach that is difficult to manage. Instead, it is advisable that businesses invest in a centralized logging and alerting system, known as a Security Information and Event Management (SIEM) system. Regular penetration testing, which searches for and identifies network vulnerabilities, is also an important practice that all businesses should adopt to identify their weaknesses before the bad guys do.
Organizations should likewise invest in a security assessment to identify:
- Vulnerable applications and hardware
- Possible network infrastructure weaknesses
- Information security tactics
- A Backup and Business Continuity plan
The Future of CyberSecurity
I have used the word “evolve” several times, and I’ll say it once more – expect that current security tools will continue to evolve to keep pace with more intricate attacks.
Encryption will become even more prevalent to protect data “at rest,” such as data stored in a database or on a hard drive, and data “in flight,” meaning data that is protected during transmission. This includes emails flowing from sender to recipient, as well as web browsing. This also means that we’ll need to examine that encrypted traffic and data for malicious content.
Fully encrypted hard drives will become common, especially for mobile devices. This will protect intellectual property on those devices from theft if that device is lost or stolen. Most mobile phones today are fully encrypted by default.
To ensure only approved users are given access to networks, two-factor authentication (2FA) will become a vital practice and is gaining wide acceptance. 2FA provides authentication using two different methods, such as a username/password combination and a code displayed on a cell phone. So in this example, you would need both the username/password and the cell phone. One isn’t any good without the other. There are up to four factors of authentication that can be used:
- Something you know – username, password, or code
- Something you have – a cell phone, tablet, or key fob
- Something you are – fingerprints, your face, retina pattern
- Somewhere you are – in the corporate office building, or other specific location
Another important strategy will be the “containerization” of applications and data. This means applications will run in their own virtual containers to keep data and programs separate from all other running applications on a computer or mobile device, making each of them more easily portable and protected by the isolation the container provides.
One of the chief concerns in the near future will be the proliferation of persistent malware. This refers to malware that is able to hide deep in device firmware or BIOS (Basic Input Output System). Typically, when a computer is infected with malware, the machine is wiped clean, reformatted and all software is re-installed. Persistent malware would be able to survive such a procedure because it could hide itself deeper into the system, or possibly even outside of the computer, such as on a network printer or other network device firmware, ready to re-infect systems as they are added to the network. A new breed of anti-malware software will be able to audit deep-rooted software and firmware over the entire network on all devices to expose malicious code.
Network access will only be granted to devices that are trusted according to their “trust score”. Depending on several factors such as if a device has up-to-date malware protection, belongs to the company rather than the individual, is a specific class of device, where it’s located, the type of connection to the network, etc., a device will be assigned a “trust score.” The device is allowed specific access depending on that score.
SIEM (Security Information and Event Management) software, as mentioned above, is growing in popularity and will become more vital as this breed of tool matures. SIEM applications will allow the gathering of data from many disparate devices over the network and be able to correlate the data to identify abnormal behavior. Data such as CPU load, memory, network traffic, communication between devices, uptime of devices, door code usage, and even something as innocuous as the speed of the fan on a device, can all be correlated to reveal abnormal behavior. This will lead to a more centralized way to monitor security and will leverage a learning intelligence.
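The kind of cross-source correlation a SIEM performs, as described here and in the earlier paragraph on centralized logging, as an added example that is not part of the original article and not any SIEM product's rule language: a Python correlator that parses constructed log lines from three sources (a badge/door system, a VPN concentrator and a server authentication log) into one timeline and applies two rules, a burst of failed logins followed by a success, and a VPN connection from outside within minutes of the same user badging into the building. The log format and every event are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, already normalised to "timestamp source key=value ...".
SAMPLE_LOG = """\
2017-06-01T07:30:00 vpn user=carol src=198.51.100.7 result=connected
2017-06-01T07:31:10 auth host=fs01 user=carol result=success
2017-06-01T08:00:12 badge door=HQ-East user=alice result=granted
2017-06-01T08:03:40 vpn user=alice src=198.51.100.23 result=connected
2017-06-01T09:10:01 auth host=fs01 user=bob result=failed
2017-06-01T09:10:15 auth host=fs01 user=bob result=failed
2017-06-01T09:10:31 auth host=fs01 user=bob result=failed
2017-06-01T09:10:50 auth host=fs01 user=bob result=failed
2017-06-01T09:11:12 auth host=fs01 user=bob result=failed
2017-06-01T09:11:30 auth host=fs01 user=bob result=success
"""


def parse(raw: str):
    """Turn each line into a dict with a real timestamp so sources can be compared on one timeline."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source, **fields})
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """A success preceded by `threshold` or more failures within `window` for the same user."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "auth":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            failures = [f for f in evs[:i] if f["result"] == "failed" and e["ts"] - f["ts"] <= window]
            if len(failures) >= threshold:
                alerts.append({"rule": "brute-force-success", "user": user,
                               "failures": len(failures), "at": e["ts"]})
    return alerts


def badge_vs_remote_vpn(events, window=timedelta(minutes=10)):
    """Same person badged into the office and connected over the VPN within `window`: one of them is not them."""
    alerts = []
    badges = [e for e in events if e["source"] == "badge" and e["result"] == "granted"]
    vpns = [e for e in events if e["source"] == "vpn" and e["result"] == "connected"]
    for b in badges:
        for v in vpns:
            if b["user"] == v["user"] and abs(b["ts"] - v["ts"]) <= window:
                alerts.append({"rule": "badge-and-remote-vpn", "user": b["user"],
                               "src": v["src"], "at": v["ts"]})
    return alerts


def correlate(raw: str):
    events = parse(raw)
    return brute_force_then_success(events) + badge_vs_remote_vpn(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Neither source on its own looks alarming: the door system sees a normal badge-in and the VPN sees a normal login. Only the shared timeline, keyed on the user, exposes the contradiction, which is the argument for centralizing logs rather than watching each tool's console separately.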
These steps will continue to increase in importance, and more security strategies utilizing artificial intelligence (AI), machine learning and heuristics are sure to develop in an attempt to stay ahead of the bad guys.
I’ve gone over many common “attack surfaces” and how to protect those layers. Each one is important. It’s imperative that you know your network and where you can be attacked so that you can properly defend those areas. In the modern world we live in, staying safe, educated and being a good “net-citizen” is the cost of doing business.