Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former Editor of InternetWeek, and currently performs technical reviews of networking, wireless, and data center products. He is the former Director of Network Integration for American Management Systems and is one of the founders of the Advanced Network Computing Laboratory at the University of Hawaii. He is based in Washington, DC, and can be reached at email@example.com.
Various experts agree that threat management has entered a new age, and that the old approach to computer and network security no longer works. One reason is that you now have to assume the attackers are already inside your network, so the focus of threat management has to shift to preventing them from finding and extracting vital information.
In short, while your organization’s firewalls, intrusion prevention and detection systems and other edge defenses remain important, they are not enough on their own. Through a combination of social engineering, phishing, insider threats and attacks designed to overwhelm a network, the battle has moved to one in which every asset is a target and attackers work with information gathered from your own employees.
Adding to the complexity is that while the old threats of hackers and malware are still present, new ones appear daily. Cyber criminals use large-scale data analysis to find weak points in your organization, exploit curiosity and other human traits, research their victims to assemble the details needed to persuade employees to violate the trust placed in them, or use that information to push executives into actions they would not otherwise take.
The end result can be a data breach that costs an organization millions of dollars, not to mention its reputation. The actual cost depends on the organization, but an estimate by the Ponemon Institute puts the average total cost of a data breach per U.S. company at more than $7.01 million. Globally, the total cost may have reached $300 billion in 2015, according to an estimate by the accounting and professional services firm Grant Thornton. In some cases the impact is more serious still, up to and including criminal charges against the company that was victimized.
The Nature of Today’s Threats
Edge defenses such as firewalls are no longer adequate on their own because cyber criminals now attack other entry points. That does not make edge defenses unnecessary: attackers will still try the organization’s internet connection first. Beyond that connection, though, they attack through the access held by employees, business partners, contractors and anyone else with a legitimate foothold. Attackers are also turning to mobile devices as another route to protected data, if only because the growth in employee-owned devices has not been matched by a growth in mobile security.
Just how much effort an attacker will put into an intrusion may surprise you. Successful attacks have begun with low-level employees whose access reveals enough to move on to someone with better access, and so on up the organization. In one notable breach, a major department store was attacked via its HVAC contractor.
It is not unusual for attackers to start by sending phishing emails to a clerical employee, then use that employee’s access to find something that leads to more access, such as a company directory. The directory points them to someone more senior who may hold the access they need. This continues until the criminals reach what they are really after: credit card accounts, health records, employee personnel records or a business’s intellectual property.
Some examples of the attack types are these:
Why the Attacks Happen
While a few attacks are still carried out for bragging rights, those days are mostly gone. Security breaches have become big business for cyber criminals, many of whom belong to organized crime groups. There are also attempts by competitors to obtain trade secrets, attacks by state-sponsored actors, and ideologically motivated attacks.
If there is any certainty in threat management, it is that there is no single solution and no single method for handling threats against your information technology infrastructure. Some of the most effective attacks are not aimed at the infrastructure at all, but at the people who use it. Countering threats therefore has to take each part of the network, and its users, into consideration.
Alongside defending the network against cyber attacks, it is equally important to protect its physical security against intruders. Attacks that ended in data breaches have begun with an attacker walking into a victim’s building and simply plugging a laptop into an unguarded Ethernet port. Worse, in some cases the breach happened when the server holding customers’ personal and financial information was stolen outright: a criminal walked into an office and left carrying the unprotected machine.
Each layer of the OSI network model is subject to its own types of attack, and some attacks use the network layers only as a means of access. The US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) has collected examples of attacks organized by network layer in its DDoS Quick Guide, which also lists mitigation options for each type.
Examples include resource exhaustion at Layer 7 (the Application Layer), whether by malware or by requests that tie up server processes. A Layer 4 (Transport Layer) attack such as a SYN flood exhausts a host’s connection-state table rather than raw bandwidth, leaving it unable to accept new connections. Layer 3 (Network Layer) attacks such as ICMP (ping) floods consume link bandwidth and router or switch processing capacity until legitimate traffic is dropped.
Fortunately, it is possible to plan for such an attack and harden the network so that it is not overwhelmed, and to take steps in advance so that many, perhaps most, DoS and DDoS attacks can be mitigated. One such mitigation is rate limiting of Layer 3 traffic: the switch or router forwards traffic from a source only up to a configured rate and simply discards anything beyond it.
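The rate limiting described above, as an added example that is not part of the original article or of the US-CERT guide: a per-source token bucket of the kind a router or switch applies when it discards traffic beyond a configured rate. It goes slightly beyond the text by limiting both Layer 3 ICMP echo traffic and Layer 4 TCP SYN traffic with the same mechanism. The budgets in RATE_LIMITS, the addresses and the packet trace are all constructed for illustration; the arithmetic uses integer milliseconds and millitokens so that the results are exact.

```python
"""Per-source token-bucket rate limiting for ICMP echo and TCP SYN packets.

Added example (not the article's or US-CERT's code). Each (source, class)
pair gets its own bucket; a packet is forwarded only if a token is available,
otherwise it is discarded, which is what a rate-limiting ACL does.
"""
from collections import namedtuple

# A packet reduced to what the limiter needs: arrival time in ms, source
# address and traffic class. Constructed for this example, not a real capture.
Packet = namedtuple("Packet", "t_ms src cls")

# Assumed budgets: (sustained packets per second, burst size in packets).
# Real values depend on the link and on the hosts behind it.
RATE_LIMITS = {
    "icmp-echo": (10, 20),    # Layer 3: ping floods
    "tcp-syn": (100, 100),    # Layer 4: SYN floods, limited per source
}


class TokenBucket:
    """Integer token bucket: 1000 millitokens equal one packet."""

    def __init__(self, rate_per_s, burst, now_ms):
        self.rate_per_s = rate_per_s
        self.cap = burst * 1000
        self.tokens = self.cap          # a new source starts with a full burst
        self.last_ms = now_ms

    def allow(self, now_ms):
        # rate_per_s packets per second is rate_per_s millitokens per ms.
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate_per_s)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class RateLimiter:
    def __init__(self, limits=RATE_LIMITS):
        self.limits = limits
        self.buckets = {}

    def verdict(self, pkt):
        """Return 'accept' or 'drop' for one packet, updating bucket state."""
        limit = self.limits.get(pkt.cls)
        if limit is None:
            return "accept"             # class without a limit: forward as-is
        key = (pkt.src, pkt.cls)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(limit[0], limit[1], pkt.t_ms)
        return "accept" if bucket.allow(pkt.t_ms) else "drop"


def build_trace():
    """Constructed trace: one well-behaved host and two flooding hosts."""
    trace = []
    # 10.0.0.5 pings once a second for 10 s (normal monitoring traffic).
    trace += [Packet(i * 1000, "10.0.0.5", "icmp-echo") for i in range(10)]
    # 203.0.113.9 sends 1000 pings in one second (ICMP flood).
    trace += [Packet(i, "203.0.113.9", "icmp-echo") for i in range(1000)]
    # 198.51.100.7 sends 1000 SYNs in one second (SYN flood).
    trace += [Packet(i, "198.51.100.7", "tcp-syn") for i in range(1000)]
    trace.sort(key=lambda p: p.t_ms)    # arrival order; buckets are per source
    return trace


def run_limiter(trace, limiter=None):
    """Apply the limiter to a trace; return accept/drop counts per source."""
    limiter = limiter or RateLimiter()
    stats = {}
    for pkt in trace:
        per_src = stats.setdefault(pkt.src, {"accept": 0, "drop": 0})
        per_src[limiter.verdict(pkt)] += 1
    return stats


def run_demo():
    return run_limiter(build_trace())


if __name__ == "__main__":
    for src, counts in run_demo().items():
        print(f"{src:15} accepted={counts['accept']:5} dropped={counts['drop']:5}")
```

The normal host is never throttled because one ping a second never drains a 20-packet burst that refills at 10 per second. The ICMP flooder gets its initial burst of 20 and then one packet every 100 ms, so 29 of its 1000 pings are forwarded; the SYN flooder gets 199 of 1000. Keying the bucket on the source address is what keeps the flooder from consuming the legitimate host's budget; a single shared bucket per class would let the flood starve everyone.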
Other types of attack, such as Layer 4 attacks, are best handled from outside the network under attack, so that routing tables can be changed or DNS (Domain Name System) entries altered to steer traffic elsewhere. The traffic can then be routed through a threat management service that inspects it, removes the attack traffic on the spot and passes only clean traffic on to its target.
Some kinds of mitigation are beyond most organizations’ own capabilities, if only because they work best from outside the network. For many organizations, the practical answer is to engage a third-party threat management or threat protection service.
Such services are available on demand or by subscription. Depending on the nature of the threat, the customer’s business and the type of attack, a service may sample incoming traffic for signs that an attack is beginning, inspect all traffic, or in extreme cases carry all of an organization’s traffic and let only legitimate traffic reach it.
Some services combine these approaches, sampling traffic for indications of an attack and then, once one begins, handling it more aggressively. Most providers also include a full-time customer service channel through which the potential victim can report suspected attacks and engage help.
The deciding factors for most organizations are cost and performance impact. Engaging a security provider full-time is expensive, and every extra hop for network traffic adds latency. Very risk-averse organizations such as financial institutions may choose full-time monitoring; for most, a less intensive approach is more practicable.
The Full Security Picture
Unfortunately, mitigating network-based attacks is only part of the job. A growing number of threats lie outside that category, and some of the most serious breaches have relied on networks that were functioning perfectly but were inadequately protected against other kinds of attack: malware at the network edge, social engineering, dishonest employees and the like. Most of these attacks involve some dedicated software, usually malware, but they depend on help from outside the software to work, typically a person who opens an attachment, gives up credentials or abuses legitimate access.
Examples already mentioned include phishing and attacks through partners. Preventing them depends on properly designed and configured network resources, proper monitoring of assets and activity on the network, and the willing involvement of employees.
Notably, phishing has grown from a way to separate consumers from their credit card numbers into the primary means of attacking the enterprise. Cyber criminals use carefully targeted phishing messages to obtain the credentials of trusted employees, then use those credentials to reach critical data and exfiltrate entire databases, as happened in the recent attacks on the federal government’s Office of Personnel Management.
Phishing is also the usual starting point for ransomware, in which criminals gain access to an organization’s critical data, encrypt it, and withhold the decryption key until a ransom is paid. Such attacks were originally aimed at individuals but have moved on to enterprises, including medical facilities in Los Angeles, California and in Washington, DC. The Los Angeles facility paid the ransom; the Washington facility was able to recover because of its data protection and backup policies.
Coordinating Threat Management
No single approach will manage every threat, and no single area of focus will spot every problem. For your organization this means employing several methods to ensure that threats are mitigated where they can be and that help is engaged where necessary, either by performing each of these tasks yourself or by engaging a trusted provider.
While it is impossible to eliminate every threat to an organization’s security, it is possible to be proactive, to manage your exposure to those threats, and to manage their mitigation. To do so you must design and configure your network environment in advance so that it resists attack, involve your staff in discovering threats and stopping them from working, and engage partners so that help is available when you need it.
The new age of cyber threats is far beyond the old days of anti-virus software and firewalls. Threats now come from all directions, which means threat management must look in all directions to be effective.
Threat management must evolve to meet the evolution of cyber threats, which have become a series of attacks from all directions.