Why are cybercriminals and so-called hacktivists faster or cleverer than companies and public administrations? Smart hackers have been around for a long time, but cyber attacks are being carried out more and more frequently.
Fraud organized by division of labour
An "increasing professionalization and/or industrialization of the attacks" is confirmed by the study "The IT Security Industry in the United States" by Booz & Co., commissioned by the Federal Ministry of Economics and Technology. That is: some trade in e-mail addresses for spam and phishing, others hack the systems, often in weeks or months of painstaking work, and yet others, often organized groups of people, are faster still.
"Bureaucratic nightmare without technical depth"?
The result is a "wisdom of the crowd", comparable to crowdsourcing, that outmatches the defensive capability of any individual organization. The attacks are hard to spot and often go unrecognized.
Digital real-time forensics
Added to this is the increasing networking, mobilization and "webification" of corporate IT. Today it resembles a market square more than a fortress. More and more applications are deployed on the web, outside the firewall, so that customers, partners and mobile workers can reach them. These applications are increasingly interlinked with one another and thus allow direct or indirect access to the back-end systems. Classic perimeter protection, i.e. securing the outer boundary of the enterprise IT, can do little against this.
Business intelligence for security
Finally, as everywhere in information security, the human factor plays a role. Systems are used by people, which means that the confidentiality, integrity and availability of data are always threatened by simple mistakes, negligence, laziness or even the malicious intent of one's own employees.
Ask what conclusions to draw and you get different answers. Manufacturers of security products point to the technical possibilities of their respective product category. Consultants, on the other hand, emphasize the importance of organizational measures, risk management and internal awareness campaigns.
The Federal Office for Information Security (BSI) has a clear position on this: "An adequate level of security depends primarily on the systematic approach and only secondarily on individual technical measures," as the introduction to "BSI Standard 100-1: Management Systems for Information Security (ISMS)" puts it, briefly and firmly.
It is true that security technologies such as firewalls, antivirus, intrusion detection, identity and access management or encryption each protect only individual facets of enterprise IT. They must therefore be embedded in an overarching approach that is derived from an analysis of business risks, threats and weaknesses, implemented holistically and continuously adapted.
The problem is, however, that despite all the systematics and holism, quite a few ISMSs are characterized in practice by silo thinking. The security risks may well be derived top-down from the business strategy; all too often, however, the weaknesses are defined as the management of isolated vulnerabilities.
In addition, the complex set of rules to be documented often lags behind the rapid development of attack techniques and methods. No wonder an ISMS has been called "a bureaucratic nightmare without technical depth" (Linux Magazine).
Whether applications, networks, end devices or data centers: each security domain has its own complexity and dynamics, which must be managed with specific methods and technologies and linked to risk management.
But even if one manages to stay up to date on best practices, technologies and threat scenarios in each of these disciplines, some attackers will always be faster or cleverer, even when they belong to one's own staff.
That is why one has to look at the attacker. This means continuously logging, filtering and analyzing the system accesses of people and machines for suspicious behavior patterns. It is a forensic process in which traces are collected and linked into a chain of evidence.
A success-critical sourcing strategy
As such, a process of this kind is not unknown. Under the heading "Detection of security incidents during operation", for example, BSI Standard 100-1 calls for "measures [...] which make it possible to prevent errors in information processing [...], security-critical mistakes and security incidents as far as possible, to contain them in their effect, or at least to recognize them early."
In practice, however, this again mostly means monitoring isolated systems. Many companies, for example, use technologies such as Data Leakage Prevention and Database Activity Monitoring to discover unusual activities. Each of these technologies, however, is limited to its specific system area. There is thus no way to link activities that span several systems.
Cybercrime in numbers
For example, a user searches a database for social security numbers, stores the result as a file on a network drive, copies it to a USB stick and sends it by e-mail to a web mail address. Isolated monitoring sees only isolated operations.
Therefore, activities spread across the entire company and distributed over time must be correlated with one another in order to identify suspicious behavior patterns. The information comes from a range of IT systems, including firewall events, intrusion prevention, identity and access management, fraud detection, business applications and e-mail systems.
The detection rate depends on the intelligence of the correlation mechanisms. Real-time forensics, artificial intelligence and data mining techniques make causal connections visible. As in a puzzle, piece by piece is assembled into a pattern of action. Ideally, such monitoring systems are self-learning, so that they keep recognizing new patterns that indicate deviations from the norm.
IPv6 shadow networks
This raises the question of efficiency and effectiveness. It is not critical to recognize that an internal user has sent documents to his private e-mail address for the next business day. What must be recognized, on the other hand, is when an external user generates several error messages in the database of the online shop. Monitoring and correlation must therefore prioritize the systems, information, processes and people that are of critical importance for information security.
With millions of connections and events on hundreds or thousands of systems, this can only work by technical means. That is, the risk model must be mapped technically in the monitoring system. For example, systems can be classified according to their criticality and their position in the enterprise network.
Internal users, in turn, are stored in the monitoring system with their department, their access rights and their user IDs. All this information then becomes a further source of correlation intelligence.
In this way, the monitoring system becomes the technical bridge between risk management and the individual security disciplines, because it links information from all subsystems and interprets it on the basis of the risk model. A major advantage of this approach is that changes to the risk model, system architecture, user rights or security domains are automatically reflected in the monitoring and correlation rules.
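As an added illustration of the two points above (the cross-system chain of actions, and the risk model as a further correlation source), here is a small correlation routine that is not from the article or from any product it mentions. The events, system criticalities, departments and the four-hour correlation window are all constructed assumptions; the routine links each user's events from four isolated monitors into the exfiltration pattern described in the text and scores the result with the risk model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from four isolated monitors: database
# activity monitoring (dam), file-server audit (file), DLP agent (dlp), mail gateway (mail).
EVENTS = [
    {"ts": "2012-06-01T09:02", "src": "dam", "user": "jdoe", "host": "crm-db01", "action": "query", "obj": "ssn"},
    {"ts": "2012-06-01T09:05", "src": "file", "user": "jdoe", "host": "fs-share02", "action": "write", "obj": "cust.csv"},
    {"ts": "2012-06-01T09:40", "src": "dlp", "user": "jdoe", "host": "ws-117", "action": "usb_copy", "obj": "cust.csv"},
    {"ts": "2012-06-01T10:15", "src": "mail", "user": "jdoe", "host": "mx-out01", "action": "send_external", "obj": "cust.csv"},
    {"ts": "2012-06-01T11:00", "src": "dam", "user": "asmith", "host": "crm-db01", "action": "query", "obj": "ssn"},
    {"ts": "2012-06-02T08:00", "src": "mail", "user": "asmith", "host": "mx-out01", "action": "send_external", "obj": "memo.txt"},
]
# Risk model mapped into the monitoring system (assumed values): criticality per
# system, each user's department, and the departments entitled to look up SSNs.
CRITICALITY = {"crm-db01": 3, "fs-share02": 2, "ws-117": 1, "mx-out01": 2}
USER_DEPT = {"jdoe": "marketing", "asmith": "hr"}
SSN_DEPTS = {"hr", "payroll"}
# The pattern of action from the text as an ordered chain of (source, action) steps.
EXFIL_CHAIN = [("dam", "query"), ("file", "write"), ("dlp", "usb_copy"), ("mail", "send_external")]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def correlate(events, chain=EXFIL_CHAIN, window=timedelta(hours=4)):
    """Link each user's events across systems into the chain; return {user: finding}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse(e["ts"])):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        matched, best = [], []
        for e in evs:
            # Steps older than the correlation window no longer link to this event.
            if matched and parse(e["ts"]) - parse(matched[0]["ts"]) > window:
                matched = []
            if len(matched) < len(chain) and (e["src"], e["action"]) == chain[len(matched)]:
                matched.append(e)
                if len(matched) > len(best):
                    best = list(matched)
        # One isolated step is everyday work; two or more linked steps are scored by the
        # criticality of the systems touched, plus a bonus when the risk model says the
        # user's department has no business looking up SSNs at all.
        score = sum(CRITICALITY.get(e["host"], 1) for e in best) if len(best) >= 2 else 0
        if USER_DEPT.get(user) not in SSN_DEPTS and any(e["obj"] == "ssn" for e in evs):
            score += 5
        if score:
            findings[user] = {"steps": len(best), "score": score}
    return findings
```

Running `correlate(EVENTS)` reports only jdoe, whose four steps complete the chain within the window, while asmith's lone SSN query from an entitled department produces no finding.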
Like every single security discipline, establishing, maintaining and continuously optimizing such a cross-linking monitoring system is a complex matter. It is not just the individual risk profile, the system landscape, the processes and the regulations of an organization that must be mapped in it.
Added to this is the technical integration with a whole series of feeder systems. Finally, qualified staff are needed to maintain and continuously optimize the overall system.
Companies and public administrations are therefore confronted with considerable complexity when setting up and operating a management system for information security (ISMS). This often means that security officers spend the bulk of their resources on keeping things running. No time remains for ongoing optimization, let alone innovation.
To establish and operate an effective ISMS, a sourcing strategy is therefore required. It is not an incidental addition but an integral part of the security strategy. Risk management and organization must remain an internal task, but technical security measures and monitoring of the environment are candidates for outsourcing.
The author: Frank Stoermer - Senior Security Architect, HP Enterprise Security Services
In the first half of 2012, small businesses were particularly affected by cyber attacks. No fewer than 58 attacks a day, 36 percent of all attacks, were directed at companies with up to 250 employees. This is a result of the current Symantec Intelligence Report. At the end of 2011 the share was still 18 percent.
The number of targeted cyber attacks has increased by 24 percent since the beginning of the year. In May and June, an average of 151 such attacks per day could be repelled. With around 69 blocked attacks every day, large companies with more than 2,500 employees remain the most endangered target group, even if smaller businesses are "catching up".
Further results at a glance
Many companies do not know that they already have IPv6 traffic on their networks. Even if they have not yet migrated their internal networks to IPv6, many of them already have IPv6-enabled Internet access. Tablets and smartphones running Apple iOS or Google Android are also fully IPv6-capable. This means that these devices are publicly addressable via IPv6 and in many cases operate outside the traditional security configurations. This is why one speaks of IPv6 shadow networks that form within classical IPv4 networks. The IT security provider Blue Coat Systems recently pointed out this problem.
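A simple check a defender can run against the shadow-network problem, added here and not taken from the article or from Blue Coat: parse the output of `ip -6 addr show` on a Linux host and report the interfaces that carry globally routable IPv6 addresses, i.e. the ones that are publicly addressable even though the host may sit in an "IPv4-only" network. The sample output is constructed (documentation prefix 2001:db8::/32), and the address classes are taken from the IANA special-purpose ranges rather than from the `is_global` property, so the documentation prefix still counts as global unicast.

```python
import ipaddress
import re

# Constructed sample in the format of `ip -6 addr show` (not captured from a real host).
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:4f00:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fd12:3456:789a:1::10/64 scope global
    inet6 fe80::1234:5678:9abc:def0/64 scope link
"""

IFACE_RE = re.compile(r"^\d+: (\S+):")
ADDR_RE = re.compile(r"^\s+inet6 (\S+)/\d+ scope (\S+)")

# Address classes by prefix (RFC 4291 / RFC 4193): only 2000::/3 is routed on the Internet.
CLASSES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]

def classify(addr):
    """Return the address class of one IPv6 address string."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    for name, net in CLASSES:
        if a in net:
            return name
    return "other"

def find_shadow_ipv6(ip_addr_output):
    """Map each interface to the globally routable IPv6 addresses it carries."""
    exposed, iface = {}, None
    for line in ip_addr_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        # Note: ULA addresses also show "scope global" in ip output, so the
        # decision rests on the prefix class, not on the scope word.
        if m and classify(m.group(1)) == "global-unicast":
            exposed.setdefault(iface, []).append(m.group(1))
    return exposed
```

On a real host, feed it `subprocess.run(["ip", "-6", "addr", "show"], capture_output=True, text=True).stdout`; any interface listed is reachable from the IPv6 Internet unless an IPv6-aware firewall in front of it says otherwise.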