Home | About | Recent Issue | Archives | Events | Jobs | Subscribe | Contact Bookmark The Sterling Report


   



Effective Ways to Decrease Cyber Attacks
continued... page 2


  • Train Your Employees
    Employee security training can provide tremendous results for securing your systems against the most common vulnerability in your network, social engineering. This vulnerability cannot be addressed by firewalls, IDS, vulnerability assessments or anti-virus. Hackers use social engineering to gather information that is useful for an attack, such as internal addresses, operating systems, security tools in use, or to gain valid user IDs and passwords from untrained users. A simple example of social engineering is a hacker calling a user posing as the help desk or network administrator. The hacker requests the user ID and password and tells the user it is required for testing purposes. Employees who have not been trained in proper security measures will often give this information to the caller, no questions asked.

  • Deploy Internal and External Perimeter Defenses
    It goes without saying that a bare minimum security defense should be in place at the perimeter of the organization: firewalls, intrusion detection and anti-virus products deployed to form a first line of defense. However, as noted earlier, several high-risk vulnerabilities can be exploited even with these defenses in place.

    In addition to the external perimeter, the internal perimeters should not be overlooked or taken lightly. The internal perimeters are places like conference rooms, wireless access points or office lobbies that knowingly or unknowingly provide network access. Organizations providing network access to clients, contractors or vendors should isolate public network access points from the internal corporate LAN. In addition, newer NAC (Network Access Control) solutions are being introduced to the marketplace from a myriad of vendors. These solutions provide the common capability of quarantining devices entering the network until they have been validated to be authorized for network access. These solutions will not only play a part in the public network access points in an organization, but also for corporate issued devices on the network to ensure that they are compliant with current network access policies before being allowed access to the network.

  • Harden Systems through Recommendations
    DISA (Defense Information Systems Agency), NSA (National Security Agency), Microsoft and CIS (Center for Internet Security) have developed security hardening guides for common systems deployed in both public and private sector networks, namely Windows, Linux, Solaris and Cisco devices. These guides instruct security personnel in best practices for configuring systems that are deployed in their environments.

    These policies or guides are very detailed and generally include checks representative of all five classes of vulnerabilities (unsecured accounts, unnecessary services, backdoors, misconfigurations and software defects). Many of these policies contain over 1200 items that must be validated and remediated in order for the device to be considered compliant.

    To help deploy these hardened configurations, most organizations create standard images that have been configured to the appropriate standard and deploy the images as new systems are brought on-line. Deploying systems with these standard configurations installed dramatically reduces the attack surface of systems upon initial deployment. However, this does not address systems that have already been deployed without hardened configurations, nor does it provide ongoing security as new vulnerabilities are discovered. Fortunately, there are automated solutions that can perform periodic compliance audits and remediation for systems that have been deployed with or without these policy standards in place.
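    The audit-and-remediate loop described above, as an added example that is not code from the article or from any of the guide publishers it names: a small benchmark of checks, each tagged with one of the five vulnerability classes the article lists, is run against a constructed host snapshot, the settings-level findings are corrected, and the host is audited again. The check IDs, setting names, the "ExampleAgent" product and the host inventory are all assumptions made for this example; nothing is read from the machine the script runs on.

```python
"""Benchmark-driven compliance audit and remediation (added example).

A hardening guide is, in effect, a list of checks. Each check here names the
vulnerability class it belongs to, how to read the relevant setting from a host
snapshot, the compliant condition, and an optional fix. The snapshot is a
constructed dict standing in for what an inventory agent would collect; the
check IDs, setting names and "ExampleAgent" are assumptions for the example.
"""
import copy
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Constructed snapshot of one host (not real inventory data).
SAMPLE_HOST = {
    "hostname": "ws-0042",
    "accounts": {
        "Administrator": {"enabled": True, "password_age_days": 400},
        "Guest": {"enabled": True, "password_age_days": 0},
        "jdoe": {"enabled": True, "password_age_days": 30},
        "svc_backdoor": {"enabled": True, "password_age_days": 0},  # not approved
    },
    "services": {"Telnet": "running", "RemoteRegistry": "running", "W32Time": "running"},
    "settings": {"SMBv1": True, "MinPasswordLength": 6},
    "software": {"ExampleAgent": "2.1.3"},  # constructed product and version
}

# Accounts the organization has authorized on this class of host (assumption).
APPROVED_ACCOUNTS = {"Administrator", "jdoe", "Guest"}  # Guest is built in; it must be disabled


@dataclass(frozen=True)
class Check:
    check_id: str
    vuln_class: str                      # one of the five classes in the article
    description: str
    read: Callable[[dict], Any]          # pull the observed value from the snapshot
    compliant: Callable[[Any], bool]     # True when the observed value passes
    fix: Optional[Callable[[dict], None]]  # None: needs a patch, not a setting change


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


# Remediation actions: each changes one setting on the (copied) snapshot.
def _disable_guest(h): h["accounts"]["Guest"]["enabled"] = False
def _expire_stale_passwords(h):
    for a in h["accounts"].values():
        if a["password_age_days"] > 90:
            a["password_age_days"] = 0   # simulates a forced password reset
def _remove_unapproved(h):
    for name in set(h["accounts"]) - APPROVED_ACCOUNTS:
        del h["accounts"][name]
def _stop_telnet(h): h["services"]["Telnet"] = "disabled"
def _disable_smb1(h): h["settings"]["SMBv1"] = False
def _set_min_pw_len(h): h["settings"]["MinPasswordLength"] = 12


BENCHMARK = [
    Check("ACC-01", "unsecured accounts", "Guest account disabled",
          lambda h: h["accounts"]["Guest"]["enabled"], lambda v: v is False, _disable_guest),
    Check("ACC-02", "unsecured accounts", "No enabled account with a password older than 90 days",
          lambda h: sorted(n for n, a in h["accounts"].items()
                           if a["enabled"] and a["password_age_days"] > 90),
          lambda v: v == [], _expire_stale_passwords),
    Check("BDR-01", "backdoors", "No accounts outside the approved list",
          lambda h: sorted(set(h["accounts"]) - APPROVED_ACCOUNTS), lambda v: v == [], _remove_unapproved),
    Check("SVC-01", "unnecessary services", "Telnet service not running",
          lambda h: h["services"].get("Telnet", "absent"), lambda v: v != "running", _stop_telnet),
    Check("CFG-01", "misconfigurations", "SMBv1 disabled",
          lambda h: h["settings"]["SMBv1"], lambda v: v is False, _disable_smb1),
    Check("CFG-02", "misconfigurations", "Minimum password length at least 12",
          lambda h: h["settings"]["MinPasswordLength"], lambda v: v >= 12, _set_min_pw_len),
    Check("SWD-01", "software defects", "ExampleAgent at or above 2.2.0",
          lambda h: h["software"]["ExampleAgent"], lambda v: _version(v) >= (2, 2, 0), None),
]


def audit(host: dict) -> list[dict]:
    """Return one finding per failed check, in benchmark order."""
    findings = []
    for c in BENCHMARK:
        observed = c.read(host)
        if not c.compliant(observed):
            findings.append({"check_id": c.check_id, "class": c.vuln_class,
                             "description": c.description, "observed": observed,
                             "auto_fixable": c.fix is not None})
    return findings


def remediate(host: dict, findings: list[dict]) -> tuple[list[str], list[str]]:
    """Apply setting-level fixes in place; defer anything that needs a patch."""
    by_id = {c.check_id: c for c in BENCHMARK}
    applied, deferred = [], []
    for f in findings:
        check = by_id[f["check_id"]]
        if check.fix is None:
            deferred.append(check.check_id)
        else:
            check.fix(host)
            applied.append(check.check_id)
    return applied, deferred


def compliance_cycle(host: dict) -> dict:
    """Audit, remediate, re-audit on a copy, so the original snapshot is untouched."""
    work = copy.deepcopy(host)
    before = audit(work)
    applied, deferred = remediate(work, before)
    after = audit(work)
    return {"before": [f["check_id"] for f in before], "applied": applied,
            "deferred": deferred, "after": [f["check_id"] for f in after],
            "by_class": dict(Counter(f["class"] for f in before))}


if __name__ == "__main__":
    result = compliance_cycle(SAMPLE_HOST)
    print("findings before:", result["before"])
    print("by class:", result["by_class"])
    print("fixed:", result["applied"], " needs patch:", result["deferred"])
    print("findings after:", result["after"])
```

    The point a practitioner takes from running it is the split at the end: six of the seven findings are setting changes an agent can apply and verify on the next audit, while the software-defect finding stays open until a patch is installed, which is exactly why the article treats hardening and patching as separate, complementary activities.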

  • Perform Regular Vulnerability Assessments
    In order to determine what your current exposure or risk is, you must perform a vulnerability assessment of the devices on your network. This can be done with automated tools installed at your location, through a vendor that provides a managed service model, or by outsourcing to consulting organizations that provide assessment services.

    It is estimated today that approximately 30-45% of Fortune 500 companies actively perform routine vulnerability assessment scans. These organizations employ various tools and outsourcing to complete this task. However, what is truly ironic is that the majority of those systems are left unsecured even after problems have been identified. The reason this occurs is the sheer volume of information generated by a typical vulnerability assessment.

    An average scan of various computer systems, conducted using commercially available scanning tools, yields approximately 100 vulnerabilities per host in environments where regular scanning and remediation are not practiced. In an environment of 1,000 computers, that equates to 100,000 vulnerabilities. The average scan report, detailing the vulnerabilities on those systems, would be approximately 33,333 pages. That's about 66 reams of paper, or 133 pounds!
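    To show why the raw report is the wrong unit of work, here is an added example (not from the article) that aggregates a constructed scan export by vulnerability rather than by host, ranks the unique issues by exposure, and measures how much of the list patching alone would close. The host names, the V-#### identifiers and the "remediation" column are all constructed for this example; real scanner exports name these columns differently.

```python
"""Aggregate a vulnerability scan export by issue instead of by host (added example).

SCAN_EXPORT is a constructed CSV in the shape most scanners can produce: one row
per (host, vulnerability) pair. The V-#### identifiers, host names and the
'remediation' column (the route that fixes the finding) are assumptions.
"""
import csv
import io
from collections import Counter, defaultdict

SCAN_EXPORT = """\
host,vuln_id,title,severity,remediation
ws-001,V-1001,Missing security update for example service,high,patch
ws-001,V-2001,SMBv1 enabled,high,config
ws-001,V-2002,Guest account enabled,medium,config
ws-001,V-3001,Sample web applications installed,medium,config
ws-002,V-1001,Missing security update for example service,high,patch
ws-002,V-2001,SMBv1 enabled,high,config
ws-002,V-2002,Guest account enabled,medium,config
ws-003,V-2001,SMBv1 enabled,high,config
ws-003,V-2002,Guest account enabled,medium,config
ws-003,V-4001,Unapproved local administrator account,high,account
ws-004,V-1002,Missing browser security update,critical,patch
ws-004,V-2001,SMBv1 enabled,high,config
"""

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_scan(text: str) -> list[dict]:
    """One dict per raw finding row."""
    return list(csv.DictReader(io.StringIO(text)))


def aggregate(findings: list[dict]) -> list[dict]:
    """Collapse per-host rows into one row per vulnerability, ranked by exposure.

    score = severity weight x number of affected hosts, so a high-severity issue
    on four hosts outranks a critical one on a single host.
    """
    hosts = defaultdict(set)
    meta = {}
    for f in findings:
        hosts[f["vuln_id"]].add(f["host"])
        meta[f["vuln_id"]] = f  # title/severity/remediation are per issue, not per host
    rows = []
    for vid, hs in hosts.items():
        weight = SEVERITY_WEIGHT[meta[vid]["severity"]]
        rows.append({"vuln_id": vid, "title": meta[vid]["title"],
                     "severity": meta[vid]["severity"],
                     "remediation": meta[vid]["remediation"],
                     "hosts": sorted(hs), "score": weight * len(hs)})
    rows.sort(key=lambda r: (-r["score"], -SEVERITY_WEIGHT[r["severity"]], r["vuln_id"]))
    return rows


def remediation_mix(findings: list[dict]) -> dict[str, float]:
    """Fraction of raw findings each remediation route would resolve."""
    counts = Counter(f["remediation"] for f in findings)
    total = len(findings)
    return {route: n / total for route, n in counts.items()}


def coverage_of_top(ranked: list[dict], n: int, total_findings: int) -> float:
    """Share of raw findings closed by fixing only the top-n unique issues."""
    closed = sum(len(r["hosts"]) for r in ranked[:n])
    return closed / total_findings


if __name__ == "__main__":
    findings = parse_scan(SCAN_EXPORT)
    ranked = aggregate(findings)
    print(f"{len(findings)} findings collapse to {len(ranked)} unique issues")
    for r in ranked:
        print(f"{r['vuln_id']:7} {r['severity']:9} {len(r['hosts'])} host(s)  "
              f"via {r['remediation']:8} {r['title']}")
    print("remediation mix:", remediation_mix(findings))
    print("top-2 coverage:", coverage_of_top(ranked, 2, len(findings)))
```

    On the constructed export, twelve findings collapse to six issues, only a quarter of them are patch-resolvable (in line with the 20 to 30% figure the article gives later for patch management), and fixing the two highest-ranked issues closes half the raw list. The same grouping applied to a 100,000-finding report is what turns 133 pounds of paper into a work list a team can act on.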

  • Remediate Vulnerabilities Identified by the Assessment
    So, just how do organizations respond to 133 pounds of paper? There are several options available, and depending upon the size of the organization and number of vulnerabilities, each can have varied costs and results.
    In-House Manual Effort: One way is to retain full-time employees to respond to vulnerabilities that are discovered. These FTEs are usually assigned a section of the vulnerability assessment report and visit vulnerable systems on a daily basis to resolve the issues. Companies that use this option generally feel that they have sufficient, technically skilled resources to address these vulnerabilities. This is typically a smaller organization with a homogeneous environment. If the organization has fewer than 25-30 devices, this could be a suitable option.

    Outsourcing: This provides the same methodology as the in-house manual approach, except that it is an augmented-staff solution and is typically done on a quarterly or yearly basis. The outsource provider will generally offer a full-service option for vulnerability assessment and remediation. The outsource provider may also maintain service level agreements (SLAs) related to securing the network. Although outsourcing can be extraordinarily expensive, large organizations may be able to roll these services into existing IT management contracts with their current outsource provider. Since this is a line-item cost to the outsourcer, an organization should review the SLA details to ensure that they will adequately address the security risk within the organization.

    In-House Software Development: Several organizations have attempted to develop systems in-house to automate the vulnerability resolution process. These are typically very expensive, prone to error and have a high rate of failure due to employee attrition. Generally, companies that take this approach have underestimated the time, effort and ongoing maintenance required to keep their custom-developed solutions current and able to address the growing number of vulnerabilities and frequency of attacks. However, this approach is useful for organizations that have highly specialized security needs surrounding custom applications within their environment, or that have restrictions on using externally developed software.

    Patch Management: Patch management solutions only address the portion of vulnerabilities (approximately 20 to 30%) that can be resolved by installing patches and software updates. Many organizations are comfortable with patching tools because they have not completed full vulnerability assessments within their network and often don't realize their true risk until after an attack or an independent security audit. In light of growing security awareness, many organizations are realizing that patching can be part of an overall strategy, but is incomplete on its own.

    Configuration Management: Configuration management solutions only address the portion of vulnerabilities that can be resolved by changing the configuration of a computer. For example, the default configuration and installation of a web server may include sample programs and utilities that can be accessed and used in an attack. Proper configuration of web servers, desktops and other application servers can be performed by changing Windows registry values, ensuring proper access controls on shared resources and removing unnecessary components.

    Commercial Automated Vulnerability Remediation Solutions: The best overall solution for reducing the amount of labor, improving consistency and maintaining compliance is an automated one. AVR solutions provide various methodologies for helping organizations identify and mitigate the risk of vulnerabilities within their network. For a product to be considered a true AVR solution, it must provide the following three methodologies of risk mitigation.

 



© 2006 The Sterling Report. All rights reserved.