There’s been a general morphing of network security threats over the last couple of years—all the way from students hacking out of curiosity to organized crime working to steal money regardless of the consequences. Industrial and state-sponsored spying is also on the rise. Hacking is getting serious! As the number of new Internet users continues to grow exponentially, so will the security threats—especially identity theft—that can happen to you wherever or however you are logged in.
The upsurge of the Internet as a platform for business at the beginning of the 21st century added new enticements for cyber criminals. Organizations now store and transmit ever-increasing amounts of sensitive data. Suddenly, this data came into the view and reach of savvy cyber criminals. Now, with a little work, crooks are able to obtain confidential company information, customer data, credit card information, or intellectual property. Just as the new eBusiness paradigm provides organizations opportunities to reach new markets, they also provide organized crime new opportunities to exploit weak security, often reaping financial gains with little risk of being prosecuted.
I used to feel relatively safe while logged in at work until a couple of years ago when giant-sized companies were infiltrated. In late 2009, Chinese hackers compromised several very large and global organizations, including DuPont, Google, Northrop Grumman, Dow Chemical, Walt Disney Co, Sony Corp, Johnson & Johnson, and the General Electric Co. Dubbed Operation Aurora, a second wave of intrusions occurred about a year later. That is when it sort of hit me that there are no 100% safe harbors for network users.
Changes in cyber threats require changes in defense plans for the institutions and organizations we work for—not to mention for our own sake while we are logged on. In this two-part installment of “Networking,” we will take a look at Advanced Persistent Threats (APTs) and their trends, and consider how intrusion detection systems (IDS) and intrusion detection and prevention systems (IDPS) can be used to fight back.
Trends have changed from attacking the system to gain entry into an enterprise network to attacking the employee—the wetware layer. The wetware layer (network users) is the first stop for an APT process to find a way into your network. The wetware layer is where human weaknesses are exploited and taken advantage of. As Harry Newton—the editor of Newton’s Telecom Dictionary: Telecommunications, Networking, Information Technologies, The Internet, Wired, Wireless, Satellites, and Fiber—points out, “No system is immune to wetware exploits.”
And there are no lack of exploits. Security used to be measured by how many known virus signatures there were, as identified by the top scanners. It went from about 20,000 in 2002 and 2003 to 150,000 by 2006, to 700,000 by the next year, and all the way to 3,000,000 by 2009. These days there are more than 10,000,000 signatures to keep track of that defend against 286,000,000 kinds of threats.
It is a statistical certainty that the modern enterprise will be the target of an attack. In its “2010 US Cost of a Data Breach”1 study, the Ponemon Institute reported that 90% of organizations surveyed indicated they suffered at least one breach in the last 12 months—that they knew of. Half of them said they suffered two or more breaches—and that is 2 years ago (or 14 years in IT time!). At that time, the average cost of a compromised data record was $214. A breach that absconded with a meager couple of hundred thousand records will cost the organization more than $20,000,000. That is in addition to the lost faith of their clientele. It can get much worse when the threat is internal to the organization. One worker caused a loss of about $7.2 billion in 2008. He was a junior equities dealer for the French bank Société Générale.2 That is mind-boggling—one guy, $7B. On the other hand, it is a big bank, so I am sure they have it covered.
IDS and IDPS
IDS is a technology that gathers and analyzes network information from network devices, such as gateways, servers, and routers. It is trolling for security breaches. It looks for unusual traffic or traffic that meets a known pattern, and it checks through log files and network management reports. Once it detects illicit activity, the IDS will alert the network administrator. Take care when configuring an IDS. You do not want to miss any alerts, but you also do not want levels set too low or the IDS will generate a lot of false-positives. Unfortunately, the longer it takes the IDS to locate a network administrator, the damage continues.
Enter IDPS as the evolution of IDS. Your stated site policy and the prevention portion of IDPS can be configured to automatically respond to an attack. These days, most security products have the IDS and IDPS packaged together. There are two main types of responses: reactive and proactive. The reactive type reacts once an attack has been detected. For example, the IDPS sensed that abnormal network traffic is coming from a couple of network nodes that is consistent with a known virus signature. The IDPS will communicate with the appropriate firewalls and switches (for example) to segregate that traffic. With a proactive system, the IDPS is looking for unlocked doors and open windows, like open TCP ports, which are not normally used.
Next month, we will continue with more on IDS and IDPS, as well as take an in-depth look at APTs and how to safeguard systems through annual Spear Phishing Awareness training!
Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Clinical Technical Services in Charlotte, NC. For more information, contact .
- 2010 U.S. Cost of a Data Breach The Ponemon Institute. www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon. Accessed February 7, 2012.
- Wiki posting of the 2008 loss at the French bank Société Générale: en.wikipedia.org/wiki/J%C3%A9r%C3%B4me_Kerviel. Accessed February 7, 2012.