Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former Editor of InternetWeek, and currently performs technical reviews of networking, wireless, and data center products. He is the former Director of Network Integration for American Management Systems and is one of the founders of the Advanced Network Computing Laboratory at the University of Hawaii. He is based in Washington, DC, and can be reached at wayne@waynerash.com.

Introduction

Various experts agree that threat management has entered a new age, and that the old approach to computer and network security can no longer work. One reason is that you now have to work under the assumption that the cyber criminals are already inside your network, and that the focus of threat management has to change to preventing them from finding and extracting vital information.

In short, while your organization’s firewalls, intrusion prevention and detection systems and other edge defenses are important, they’re simply not enough. Now through a combination of social engineering, phishing attacks, insider threats and attacks designed to overwhelm any network, the battle has moved to one where every asset is threatened and where criminals attack using information taken from your own employees.

Adding to the complexity of managing your response to the threats that are affecting your organization is the reality that while the old threats of hackers and malware are still around, new threats are being added to the picture on a daily basis. Cyber criminals have learned to use big data analysis to find weak points in your organization, they take advantage of human nature to use a person’s curiosity against them, they research their victims and amass information necessary to cause employees to violate the trust placed in them, or they use the information to cause executives to take actions they might otherwise not take.

The end result of these attacks can be a data breach that can cost an organization millions of dollars not to mention its reputation. While the actual cost depends on the specific organization, an estimate by the Ponemon Institute places the average total organizational cost per U.S. company at more than $7.01 million per year. The total cost globally can be as much as $300 billion in 2015, according to an estimate by accounting and professional services firm Grant Thornton. In some cases, those attacks can have even more serious impacts up to and including criminal charges against the company that was victimized.

The Nature of Today’s Threats

The reason that edge defenses such as firewalls are no longer adequate to protect a network completely is because cyber criminals are now attacking other entry points. But that doesn’t mean that edge defenses are unnecessary, because attackers will always try the organization’s internet connection first. But in addition to that connection, criminals will attack using access by employees, business partners, contractors and anyone else who has access. In addition, attackers are now beginning to focus on mobile devices as another means to access protected data within an organization if only because the growth in employee-owned devices has not been accompanied by a growth in mobile security.

Just how much effort the attacker will put forth to attack your network may surprise you. Successful criminal attacks have taken place using low-level employees who may have access to information needed to move up the organization to someone with better access, and so on. In one notable breach, a major department store was attacked via its HVAC contractor.

It's not unusual for attackers to start out by sending phishing emails to a clerical employee, for example, and using that employee’s access to find something that will lead to more access, such as a company directory. They then use the directory to lead them to someone more senior that may have the access they need. This continues until the criminals reach what they’re really looking for, such as credit card accounts, health records, employee personnel records or even a business’ intellectual property.

Some examples of the attack types are these:

• Phishing attacks – An email is sent to a company employee, with the contents of the email designed to motivate the employee to click on a link presented in the email. That link may lead to a means of gathering information such as login credentials, or it may deliver malware to the employee’s computer that can be used in gaining access. It may do both.
• CEO attacks – An email or a phone call is sent to a senior executive in an organization such as the CFO, requesting an immediate transfer of funds for some confidential purpose. The contact appears to come from the company CEO, and contains enough personal information to achieve credibility. The transfer is usually to a bank account that’s drained and rapidly closed.
• Third party breach attacks – When a third party is successfully attacked, it’s fairly normal for the cyber criminals to sell the results of the breach to others. An example of this took place when the professional social media site LinkedIn.com was attacked in 2012. When the information was put up for sale four years later, it contained hundreds of millions of user name and password pairs. Because so many people use the same user name and password on many accounts, cyber criminals started trying those credentials with some success and were able to hijack the Twitter account of Facebook founder Mark Zuckerberg.
• Denial of Service attacks – A DoS or DDoS attack is an attempt to overwhelm the internet entry point security for an organization by flooding it with traffic to the point that the router or firewall protecting the network fails, giving the attacker access to the network. However, in some cases the service disruption isn’t actually after data so much as it’s an attempt to simply take the victim off line and hinder their business.

Why the Attacks Happen

While there are still a few security attacks for bragging rights, those days are mostly gone. Security breaches have become big business for cyber criminals many of whom are members of organized crime groups. In addition, there are attempts by competitors to gain information or trade secrets, attacks by state sponsored attackers and there are ideological attackers.

• Organized crime – groups of criminals exist in some areas of the world who run companies that sell or otherwise make use of stolen information that they can sell or otherwise exploit. These groups are looking for financial information that they can sell directly, and they’re looking for personally identifying information such as health records that they can use for identity theft.
• Competitors – Companies or organizations against which you compete may try to extract your trade secrets for their own benefit. But they may also go after your customer lists, your suppliers, your business methods and your employee data. They will use the information they gather to benefit their business and to harm yours.
• State-sponsored attacks – Your organization doesn’t need to be a defense contractor or government agency to come under attack by state-sponsored attackers. More frequently, such attackers are collecting information to use against another victim, or they’re acting like competitors, but trying to benefit their own nation’s businesses. But depending on your business and your other customers, such an attack may be using your organization as a pathway to their real target.
• Ideological attacks – Your organization may be part of some activity or relationship that someone with strong beliefs may find objectionable, or it may be that your organization looks as if it might be a weak link in an attack on another organization. Either way, advocacy groups, political groups and even terrorists may seek out your organization and attempt to bring it to its knees. While they may also try to steal information, their main goal is to take your organization off line, or to provide a pathway to their ultimate target.

Approaches

If there is any certainty in regards to threat management, it is that there’s no single solution, nor is there any single method of handling threats against your information technology infrastructure. In fact, some of the most effective attacks aren’t aimed at the infrastructure itself, but rather against the people who use it. But it’s important to note that countering threats needs to take each part of the network into consideration as part of the approach.

In addition to protecting the network against cyber-attacks, it’s equally important to help protect the physical security of the network against intruders. Attacks that ultimately lead to data breaches have begun with an attacker entering the building of a victim, and simply plugging a laptop into an unguarded Ethernet port. Worse, there are instances in which a data breach took place when the actual server containing personal and financial information of customers was stolen when a criminal simply walked in to an office and left carrying the unprotected server.

Each layer of the OSI network model is subject to its own type of attack. In addition, there are network attacks that make use of the network layers, but only as a means of access. The US Department of Homeland Security and its Computer Emergency Response Team has collected examples of vulnerabilities to attack according to each network layer in what it calls its DDOS Quick Guide. This guide provides mitigation options for each type of attack.

Examples of the types of attack may include resource exhaustion at Layer 7 (the Application Layer) or attacks by some types of malware. On the other hand, a Layer 4 (Transport Layer) attack may simply cause the network connection to reach its bandwidth limits. Similar attacks at Layer 3 (Network Layer) may include ICMP flooding, such as by Ping packets, to overwhelm a router or switch and cause it to malfunction.

Fortunately, it’s possible to plan for the possibility of such an attack, and to harden the network so that it won’t be overwhelmed. Likewise, it’s possible to take steps in advance so that many, perhaps most, DoS and DDoS attacks can be mitigated. An example of such mitigation may include rate limits on layer 3 traffic that will cause the switch or router to simply disregard traffic beyond a certain point.

Other types of attacks, such as Layer 4 attacks, are best managed from outside the network being attacked so that routing tables can be modified, or so that DNS (domain name service) entries can be changed. In addition, such traffic can be routed through a threat management service that can perform inspection of malicious traffic before it reaches its target and eliminate attack traffic on the spot.

Getting Help

Some types of attack mitigation are beyond the capabilities of most organizations on their own, if only because handling such attacks works best from outside the network. For many organizations, handling such attacks may work best by engaging a third-party threat management service or threat protection service.

Such threat management and protection services are available either as an on-demand basis, or they’re available by subscription. Depending on the nature of the threat, the business of the potential victim, and the type of attack, these services may sample incoming traffic for indications that an attack is beginning, they may inspect all traffic, or in extreme cases they may handle all of an organization’s traffic and only allow legitimate traffic to actually reach the organization.

There are services that provide a combination approach, for example by sampling traffic for indications of an attack, and then once an attack begins, the service can handle the problem more aggressively. In most cases the providers of such services include a full-time customer service resource that allows the potential victim to report suspected attacks and engage help.

The determining factor for most organizations is the cost of such services, and the potential performance impact. Engaging a security provider on a full-time basis is expensive, and adding extra steps for network traffic hurts performance. While some very risk averse organizations, such as financial institutions, may choose full-time monitoring, a more practicable approach is usually less intense.

The Full Security Picture

Unfortunately, mitigating network based attacks is only part of the process. A growing number of threats exist outside the realm of such attacks, and some of the most serious data breaches depend on properly functioning networks with inadequate protection from programmatic attacks. Those attacks may include malware at the network edge, social engineering, dishonest employees and related attacks. Most of those attacks use some sort of dedicated software, usually in the form of malware, but they depend on external help to function.

Examples mentioned above are phishing attacks, attacks using partners, and the like. Preventing those attacks depends on having properly designed and configured network resources, proper monitoring of assets and activities on the network, and the willing involvement of employees.

Notably, phishing attacks have grown from being a way to separate consumers from their credit card numbers to becoming the primary means of attacking the enterprise. Cyber-criminals are using carefully targeted phishing email messages to gain access to the credentials of trusted employees. Those credentials are then used to gain access to critical data where cyber-criminals are able to exfiltrate entire databases, as happened in the recent attacks on the federal government’s Office of Personnel Management.

In addition, phishing attacks are the cause of ransomware attacks in which cyber-criminals gain access to an organization’s critical data, then encrypt it, and hold the decryption key until a ransom is paid. Such attacks were originally aimed at individuals, but have now moved to enterprises such as medical facilities in Los Angeles, California and in Washington, DC. The facility in Los Angeles paid a ransom, while the facility in Washington was able to recover because of its data protection and backup policies.

Coordinating Threat Management

There is no single approach that will manage all threats, and no single area of focus that will spot all of the problems. What this means to your organization is that you must employ several methods of ensuring that threats are mitigated where they can be, and that help is engaged where necessary. This means that you need to consider performing each of these tasks, or engaging the help of a trusted provider.

• Training – Your staff needs to be taught what to look for so they can identify a cyber threat, and they need to know what actions they must take when they think they’ve found one. This means teaching them not to open suspicious attachments, not to click on suspicious links and not to give out critical information. But they must also be able to know who to notify when they see what they think might be suspicious activity whether it’s a strangely performing network asset or service personnel they don’t recognize.
• Configuration and design – You can’t protect critical assets from a breach if they’re open to anyone who has access to the network. This means that your network must be segmented, it must keep critical information pairings in separate locations with separate encryption, and network activity involving those assets must be closely monitored by security staff and by technical means such as intrusion prevention systems.
• Reporting – There is far too much information available about the activity on any network for the network management staff or the security staff to keep up with. This means that automated means of tracking log entries, security reports and other activities from secure space access to login times have become essential. Then the security staff must configure consolidated reporting that matches the needs of the organization.
• Partners – Relatively few organizations have the resources to manage all external threats on their own. That means that they must engage partnerships with third-party support for handling threats that are beyond their capability or that must be managed externally.

Conclusion

While it’s impossible to eliminate all threats to an organization’s security, it is possible to be proactive and manage your organization’s exposure to those threats, and to manage threat mitigation. To accomplish such management, you must take steps in advance to design and configure your network environment so that it’s resistant to attack, you must involve your staff in helping you discover threats and prevent them from functioning, and you must engage partners so you have help when you need it.

The new age of cyber threats is far beyond the old days of anti-virus software and firewalls. Now the threats come from all directions, which means that threat management must look in all directions to be effective.

Download the full PDF.