Protect Network Security Proactively

Today's modern, high-performance network demands a security system that prevents potentially damaging attacks before they invade corporate networks and files. Twenty-first century business processes require corporations to open their networks to a range of suppliers, partners, customers, and organizations. In this environment it is more important than ever that organizations keep their networks up and running. Downtime not only disrupts business; it is costly. Given the time and cost of getting a network back online, recovering data, investigating the attack, and making the necessary reparations, it is clear that keeping a system functioning in the presence of new and evolving security threats is vital. Traditional reactive security solutions, such as firewalls, intrusion detection, and anti-virus products, have limitations. These tools scan for configuration weaknesses and detect attacks, but they do not necessarily prevent them. Most depend on the end user to download updates. Often produced daily, these updates are difficult to keep up with and can also impede system performance. While one might assume that a combination of these products would offer a highly secure solution, in reality most products do not integrate well. As a result, enterprise security management has become an administrative nightmare. This article discusses the common-sense, proactive approach to security required to effectively protect critical network systems.
It outlines the traditional reactive security solutions currently on the market and explains how to make a smooth transition from a reactive security approach to a proactive defense. It also shows how to change the corporate mindset so that management considers security not merely as overhead, but as a vital investment essential to the successful operation of the enterprise.

The Evolution Of Attacks

Despite the best efforts of security officers, internal corporate computing resources are being penetrated every day, with attacks spreading at the speed of communications to paralyze other resources on the network. The work of a hacker is never done; as a result, Denial of Service (DoS) attacks, defacement attacks, and malicious code surround and reside in enterprise networks, proliferating ad infinitum. Recent events surrounding Microsoft's admission that its corporate network, and ultimately its product development source code, was hacked provide further evidence of the need for a new approach to security. DoS attacks also have disrupted corporate giants such as Yahoo, eBay, and Amazon, as well as government entities including the FBI. Increased Internet use, mobile computing, intranets and extranets, and e-commerce initiatives are integral to business communications. As enterprises open up their networks to enable these vital e-business processes, new points of entry for cyber attacks emerge. These attacks mutate and sneak past traditional static defenses to corrupt file systems, and can spread to thousands of computers in a matter of minutes.
With so many new, sophisticated, and deliberate attacks facing traditionally reliable security measures, today's enterprise can no longer afford to adjust reactively. It demands a proactive security solution for protecting network resources. Virtually every attack follows a natural evolution. The accompanying table shows the anatomy of how an attack progresses, from inception to infection and the resulting damage. Protection in any one area is simply not enough defense against current attacks. Attacks must be identified and repelled before they can evolve.

Reactive Security Approach

The security market has grown reactively over the years in an effort to keep pace with the evolving security needs of an increasingly distributed computing environment. Consequently, today's security market is segmented, with many different vendors selling a wide range of security products. And yet, despite the continued reliance on firewalls, anti-virus scanners, vulnerability scanners, and intrusion detectors, 90% of organizations surveyed had detected security breaches in the previous year, with reported losses totaling $265M, according to a recent Computer Security Institute poll. A traditional reactive security strategy relies primarily on perimeter defenses which, once compromised, pass the security burden onto subsequent layers of reactive scanning and detection technologies. While certain point products do address relatively elementary tasks associated with enterprise operations, very few have actually evolved to manage highly sophisticated attacks and the sheer volume of evolving, ever-changing threats in today's business environment. Following are three examples of existing security point products and their inherent limitations.

Firewalls. Considered a "perimeter" security solution, a firewall typically sits at the primary connection point to an outside network or the Internet. Network connections are forced to pass through the firewall for examination and are accepted or rejected based on network access policy rules. Firewalls are widely used to give users access to the Internet in a secure fashion, as well as to separate a company's public Web server from its internal network. They are also used to keep internal network segments secure. While firewalls remain a critical component of virtually every organization's security strategy, traditional firewall technologies are simply not equipped to deal with the volumes of traffic flowing in and out of networks today.
Users require more and more services on their desktops, including multimedia, streaming audio, and database applications, and with remote and wireless computing, internal users "look" and operate just like external users. All of these services require the corporate firewall to be opened up more and more, making it less effective at stopping attacks. In fact, IT professionals need to be concerned that a firewall does not become a bottleneck to network performance. Once an attacker gets past the firewall, it is an inefficient means of protecting a corporation's network. In addition, it is widely held that the majority of computer attacks come from within an enterprise, another testament to the limitation of firewalls. Designed years ago to serve as an initial defense against attacks from outside the perimeter, firewalls are now more suited to managing and monitoring network traffic. The firewall cannot be relied upon solely to support a variety of network protocols, including a growing list of Internet and intranet applications, and be equally adept at controlling network access between internal resources.

Intrusion Detection. Intrusion detection systems (IDS) monitor network activity for attacks.
These systems collect and analyze data from network sources to determine whether attacks have been initiated against a network from outside or within an organization. They then report any suspicious activity to network or security administrators. They also audit activities that violate established network parameters, providing forensic evidence that may prove helpful in prosecution. The downside of this approach is that a high volume of network traffic can overload a sensor, so that not all packets are analyzed. Also, an administrative staff is required to monitor IDS activity, which increases a company's security administration requirements and overhead. Like vulnerability scanners, intrusion detection products detect attacks after they have begun; they do not prevent them. Because they focus on a single element, the network, IDS products also tend to produce false positives (false alarms), or fail to alarm in certain instances, and a false alarm can trigger unnecessary downtime. While one might assume that a combination of these products might offer a highly secure solution, product integration is a challenge. In addition, many depend on the end user to download updates, which can impede system performance. As a result, when a virus hits, managers must rush to obtain the latest upgrades, turning enterprise security management into an administrative nightmare.

Anti-Virus Products. Virus protection products are designed to recognize and eliminate file infections caused by untrustworthy files arriving in networks from outside resources. Typical anti-virus products rely on scanning and pattern-matching technology to identify known viruses, and therein lies their weakness: signature-based anti-virus products cannot recognize and deter new viruses. When a new virus emerges, a system remains unprotected until anti-virus vendors are able to develop an antidote, which might take days. Even then, most solutions depend on an end user's willingness and ability to download updates from the vendor's Web site; otherwise the anti-virus protection is inadequate.

Proactive Security

While firewalls, intrusion detection systems, and anti-virus software remain important tools for organizations seeking to secure their networks, IT managers are considering a new approach to security, one that is focused on uptime. Where reactive tools fail to detect new and unknown threats, causing downtime, this new breed of security solution is emerging to proactively address attacks before they strike and keep business running. Ideally, this software would involve a central management console and an intelligent agent embedded within every computing device in the enterprise. The management console would provide secure rule sets to agents, maintain agent event logs, generate comprehensive reports, and correlate an overall view of enterprise health based on the rules pushed out and the information that comes back.
This approach amounts to application behavior enforcement: IT departments and security administrators define behavior characteristics, customizing and administering rules to work within the parameters of the enterprise's unique environment and security sensitivities. Intelligent agents would reside on all servers, desktops, and remote computing devices to ensure that each machine conforms to the corporate security policy at all times, no matter where it is located. Management consoles and intelligent agents would communicate automatically in real time, eliminating the need to ever shut down a network to stop an attack. Set up in this way, proactive security restricts the behavior of potentially malicious code without impeding business operations, and provides a record of attack operations that notifies enterprise security personnel while an attack is occurring. It would function at a high performance level to repel network-based attacks such as DoS, probes, malformed packets, and hostile connection attempts. With such an architecture in place, all network and computing resources would be protected against the complete lifecycle of an attack, while administration throughout the network is simplified. And an enterprise would finally be able to proactively control the outcome of an attack, rather than just trying to stay ahead of events beyond its control.
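To make the contrast between the two models concrete, here is an added example (it is not OKENA's code and does not describe any shipped product) that runs the signature-scanning model criticized in the Intrusion Detection and Anti-Virus sections alongside the behavior-enforcement model described above, on one constructed mail-worm scenario. The scanner carries a hash and a byte pattern for the known sample and misses a variant that differs by one byte; a constructed rule set, each rule tagged with a phase from the attack lifecycle table, denies the variant's actions on the host regardless, and a console-side function correlates the agent's denial log into a per-host view. Every name in it is assumed for illustration: the process images outlook.exe, invoice.scr, msiexec.exe and setup.exe, the paths, the Run key, the host ws-17, the address 203.0.113.9 and the mail server mail.example.com.

```python
# Added example: signature scanning versus application behavior enforcement.
# Not OKENA's code; payloads, rules, hosts, paths and events are constructed.
from dataclasses import dataclass
from typing import Optional
import hashlib
import re

# ---- Reactive model: pattern matching against known samples ----------------
# A "known" mail worm and the variant shipped a day later: same behavior,
# one byte changed in the marker string the signature keys on (constructed).
KNOWN_WORM = b"MZ\x90\x00 worm-v1 mass-mailer payload"
VARIANT = KNOWN_WORM.replace(b"worm-v1", b"worm-v2")
SIGNATURES = {
    "Worm.Example.A/hash": ("hash", hashlib.sha256(KNOWN_WORM).hexdigest()),
    "Worm.Example.A/pattern": ("pattern", re.compile(rb"worm-v1")),
}

def scan_payload(payload: bytes) -> list:
    """Return the signature names the payload matches; [] means 'clean'."""
    digest = hashlib.sha256(payload).hexdigest()
    hits = []
    for name, (kind, sig) in SIGNATURES.items():
        if (kind == "hash" and digest == sig) or (kind == "pattern" and sig.search(payload)):
            hits.append(name)
    return hits

# ---- Proactive model: behavior rules pushed from the console to agents -----
@dataclass(frozen=True)
class Rule:
    operation: str           # "exec", "write", "registry_set" or "connect"
    target: str              # regex over the operation's target
    phase: str               # attack-lifecycle phase this behavior belongs to
    description: str
    application: str = ".*"  # regex over the process image the rule restricts
    exempt: tuple = ()       # process images allowed to perform it anyway

# Constructed rule set: what an application must never do, so it applies
# equally to a variant no scanner has a signature for yet.
POLICY = (
    Rule("exec", r"\\attachments\\.*\.(exe|scr|pif|vbs)$", "PENETRATE",
         "mail client must not run executable attachments", application=r"outlook\.exe"),
    Rule("write", r"^C:\\Windows\\System32\\", "PERSIST",
         "only installers may add files to the system directory",
         exempt=("msiexec.exe", "setup.exe")),
    Rule("registry_set", r"\\CurrentVersion\\Run\\", "PERSIST",
         "only installers may register auto-start entries",
         exempt=("msiexec.exe", "setup.exe")),
    Rule("connect", r":25$", "PROPAGATE",
         "only the mail client may open SMTP connections", exempt=("outlook.exe",)),
)

@dataclass(frozen=True)
class Event:
    host: str
    application: str  # process image performing the operation
    operation: str
    target: str

def enforce(event: Event, policy=POLICY) -> Optional[Rule]:
    """Agent-side check: return the first rule the event violates, None if allowed."""
    for rule in policy:
        if rule.operation != event.operation or event.application in rule.exempt:
            continue
        if (re.fullmatch(rule.application, event.application, re.I)
                and re.search(rule.target, event.target, re.I)):
            return rule
    return None

def run_agent(events, policy=POLICY) -> list:
    """Enforce each event; return the denial log the agent reports to the console."""
    log = []
    for ev in events:
        rule = enforce(ev, policy)
        if rule is not None:
            log.append({"host": ev.host, "application": ev.application,
                        "operation": ev.operation, "target": ev.target,
                        "phase": rule.phase, "rule": rule.description})
    return log

def correlate(log) -> dict:
    """Console-side view: lifecycle phases stopped on each host, in order seen."""
    view = {}
    for entry in log:
        phases = view.setdefault(entry["host"], [])
        if entry["phase"] not in phases:
            phases.append(entry["phase"])
    return view

# Constructed trace of the variant arriving as an attachment on one workstation.
TRACE = (
    Event("ws-17", "outlook.exe", "exec", r"C:\Users\a\AppData\Local\attachments\invoice.scr"),
    Event("ws-17", "invoice.scr", "write", r"C:\Windows\System32\svchost32.exe"),
    Event("ws-17", "invoice.scr", "registry_set",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    Event("ws-17", "invoice.scr", "connect", "203.0.113.9:25"),
    Event("ws-17", "outlook.exe", "connect", "mail.example.com:25"),        # legitimate
    Event("ws-17", "msiexec.exe", "write", r"C:\Windows\System32\drv.dll"),  # legitimate
)
```

Calling scan_payload on KNOWN_WORM returns both signature names, on VARIANT an empty list; run_agent(TRACE) denies the four worm actions (tagged PENETRATE, PERSIST, PERSIST, PROPAGATE) while allowing the mail client's own SMTP session and the installer's write, and correlate turns that log into the phases stopped on ws-17. The caveat the article does not spell out is that this model is only as good as its policy: an exempt list that omits a legitimate installer, or a target regex written too broadly, blocks real work, so a rule set needs to be tried against normal application activity before it is pushed to every agent, and the console's denial log is as much a tuning feed as an alarm.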
Changing Corporate Mindset

All too often, corporate IT professionals and business managers consider security to be overhead rather than an investment; they regard security threats as a necessary evil of doing business in the electronic information age, and expect no more from security than that it reduce the risk of problems to what one might consider "acceptable levels." Others put off implementing security until after a major security incident has occurred and they have suffered serious losses. This attitude is risky, as the costs involved in an attack can be quite high, usually including significant downtime. Enormous amounts of time and energy go into pattern definitions, matches, and scans. When the network, or systems within it, are down, an organization is not operating at maximum efficiency. Downtime also can mean loss of productivity, poor business practices, and loss of revenue, profitability, and customer satisfaction. While there are different degrees of severity associated with downtime, the results can cause a paralyzing ripple throughout the enterprise. A particularly malicious attack can destroy vital, confidential, sometimes irreplaceable information, such as trade secrets, customer lists, and financial records. The cost of purchasing reactive security technologies also can be considerable, and the dedicated man-hours usually needed to integrate and manage the technology within the organization add substantially to it. By the nature of their title and responsibilities, business managers must be bottom-line oriented, so persuasive arguments for becoming proactive about security must include an education on the risks, subsequent costs, and potential liability involved in not investing in network security. With every attack, public trust in the company falters, and the emotional cost to employees and customers is high. For this reason, CIOs and security managers need to think about security in new ways.

It is certain that new attacks are evolving and ever-changing. To actively fight the threats that plague today's businesses, attitudes toward security must begin to evolve, too. Proactive security is a realistic way of improving uptime throughout the enterprise.

Eric Ogren is vice president of marketing at OKENA (Waltham, MA).
Attack Lifecycle
OKENA Intrinsic Security

PROBE: ping server addresses; guess passwords; guess mail users
PENETRATE: mail attachment; JavaScript; ActiveX controls; network installs; compressed messages; backdoors
PERSIST: create new files; modify existing files; weaken Registry security settings; install new services; register trap doors
PROPAGATE: mail copy of attack; Web connection; IRC; FTP; infect file shares
PARALYZE: format disk; delete files; modify files; drill security hole; crash computer; denial of service; steal secrets