Traditional best practices include making firewalls as restrictive as possible; minimising services on public servers; regular audits of the network perimeter; diligent monitoring of server logs and the deployment of antivirus solutions on the desktop. But administrators who stop there are leaving their company at risk.
Over the past few years, firewalls and server software suites have received a huge amount of attention from security researchers and, as a consequence, the security on servers is far better now than it was at the beginning of the decade. But hackers adapt and evolve.
They are motivated by financial incentives and backed by organised crime. They know that the best way to get into a network today is no longer through the heavily fortified servers, routers, and firewalls, but instead through the plethora of ordinary workstations, printers and internal servers scattered throughout a company's local network.
The problem that hackers had to solve was this: how can you exploit these less secure, less monitored machines when you can't initiate connections to them? The answer is astonishingly simple - get those devices to initiate a connection with you.
The social engineering method may be the most popular. With every holiday or major news event, eSoft sees hundreds or thousands of emails intended to trick end users into connecting back to an attacker's server. On Christmas Eve 2007, for example, hundreds of thousands of people received an email with this message:
'This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-) '
End users who followed the link in the email were sent to a site that attempted several stealthy attacks on the end user's computer with the goal of automatically installing malicious software (malware) on the user's computer.
For users that weren't vulnerable, a message would pop up asking the user to install a codec so they could view a video. Of course, the installed software was not a codec, but malware, and the specific malware being installed changed every 15 minutes to try to stay ahead of anti-virus signature updates.
Malicious ads garnering credibility from trusted host sites and 'typo-squatting' sites that capitalise on mistyped URLs like google.cm instead of google.com, are other forms of social engineering that are frequently used to try to establish a connection from a hacker's machine to a machine in the heart of your local network.
In the case of ads, some ads are themselves malicious and used to automatically install malware without the user ever clicking on them. In these cases, the trusted websites unwittingly proxy attacks on unsuspecting end users.
These all too common scenarios are a nightmare for network administrators. New flaws in web browsers, FTP clients, media players, PDF viewers, and other client-side programs allow attackers to get footholds inside a network, effectively bypassing all perimeter security. The installed malware will typically disable any anti-virus programs found and attempt to hide on the system so that the infected end-user has no idea that something is wrong.
These machines then become launching points for new attacks, some of which are designed to steal sensitive information such as credit card numbers, usernames and passwords, and others use the machine as a 'bot', which is then used for sending spam, conducting distributed attacks on other computer networks, hosting child pornography, and such like.
Consequently, network administrators must secure not just the perimeter, but every machine in the organisation - and this is not a one-time task. The administrator must know all of the software installed on every computer in their organisation and keep it all up-to-date.
But is even that enough?
On January 20th, 2008, banner ads were found exploiting computers via a flaw in Adobe's PDF Reader. Adobe's fix was not released until February 7th, leaving nearly three weeks in which the majority of computers worldwide were vulnerable. This is the new landscape of computer security.
Administrators must augment their security and processes to mitigate these new attacks. In addition to traditional firewalls, hardened servers and perimeter monitoring, IT administrators need to make sure they have the following security protections in place:
Gateway anti-virus scanning
This is in addition to existing desktop anti-virus software, but best practices here will use a different signature set for the gateway solution to maximise the chance of blocking malicious files. The gateway solution should scan all web and ftp traffic, as well as emails before they are allowed inside the perimeter.
Note that most gateway appliance manufacturers get their anti-virus signatures from a 3rd party anti-virus company. Find out where their signatures come from before you buy. Also, make sure that the gateway anti-virus solution is able to scan nested zip files and other compressed formats. Streaming anti-virus solutions cannot do this.
Malicious website blocking
Get a gateway security solution that blocks websites that are known to host viruses. In many cases this will mitigate attacks even from malicious ads on trusted sites since those ads link back to known malicious websites.
Note that many URL filtering providers list malicious websites as a category, but few aggressively add sites to that category on an hourly basis and provide real-time updates to the customer. These features are incredibly important in fighting modern threats.
Intrusion detection and prevention
It has long been a part of traditional security best practices to deploy some kind of intrusion prevention product. However, many solutions are geared toward protecting servers and perimeter devices only. Make sure your intrusion prevention solution watches the internal network and has frequently updated signatures for detecting attacks on client software.
Breach and bot detection
In addition to watching for attacks, make sure you are using a security solution that watches for evidence of infected and compromised hosts. Infections can come into the network in many ways and detecting those infections early is crucial. Blocking the ability of those compromised machines from reporting to malicious servers is equally critical.
Restrict user privileges
Users do not need to surf the internet or read their email while logged in as an administrator. By restricting user accounts it makes it harder for malware to infect a fully updated system. It has the added benefit of making it harder for users to install unapproved software so that the administrator can better assess the local network's vulnerability to specific attacks.
Enforce auto-updates
Operating systems and installed programs that have the ability to automatically check for and install updates should always be set to do exactly that.
Disallow the download of executable files from unapproved sites
This won't be possible in all networks, but for aggressive administrators who are ready to fight the battles that will surely follow, blocking all executable files that don't come from approved sites (such as microsoft.com for Windows updates) can help to mitigate some malware downloads.
In the end, there is no silver bullet to combat the new techniques being used by hackers. The social engineering techniques are particularly difficult to combat since there is almost always some hook that can get an end user to open an attachment, visit a website, or download and install dangerous software.
Constant vigilance, an expanded set of security tools and the mindset that the perimeter is not the only part of the network under constant attack will help to mitigate many of these new threats.
