To ensure the security of their IT network companies need to adopt a multi-layered approach, experts say.
The strategy, they say, should take into account the fact that end users are now the main targets of hackers.
Basic server security methods of filtering out known malicious URLs and relying on file signature technology just won’t cut it anymore, according to a white paper by Palo Alto, Calif.-based Frost & Sullivan research analyst Terrence Brewton.
Malware is now being developed so rapidly it can easily bypass these methods, he says.
Brewton advocates use of multi-layer security, which he defines as “using different types of security to protect everything from the content layer to the application layer.”
Businesses stand to lose both sensitive data and money if vulnerable to an attack.
According to one estimate $67.2 billion is spent each year by businesses to respond, mitigate, and fix network intrusions.
Around the world, hackers are focusing their attacks on end users, according to Toronto-based Symantec Corp.’s latest Internet Security Threat Report.
That means in addition to a network perimeter, a company also needs to monitor inbound and outbound traffic.
“It’s having the moat and the castle walls,” says Marc Fossi, manager of development with Symantec Security Response. “A threat that can bypass one layer of security, is unlikely to pass every layer.”
Traditional security measures such as a firewall between your network and the Internet are no longer sufficient, he adds. But they are still an important part of an overall security plan.
Layer 1: Content access
Basic URL filtering for malicious Web sites and offensive non-work material should work by filtering out invalid Web certificates and conduct ActiveX code blocking, Frost & Sullivan’s Brewton says.
“It’s going to block the usual Web sites you don’t want to go to. It stops the usual suspects: hacker sites that [could] inject malware onto the computer.”
Security vendors make use of black lists and white lists to approve benevolent sites and block malevolent pages.
But companies should be aware that some employees may be using an anonymizer…software or a Web-based proxy that allows them to bypass filters.
That could make the company vulnerable as employees can access risky Web sites, Fossi says. “There’s also potential a Web based threat could be installed on their computer. That’s why you can’t just rely on a content filter.”
Education can play a role in a company’s security plan, he adds. If employees know why they can’t use certain tools instead of just being told it’s out of bounds, they’ll be more likely to cooperate.
Layer 2: Dynamic Web threats
After blocking known malicious Web sites, you must block malicious content embedded in legitimate Web pages.
Examining HTTP headers or requests and analyzing HTML to detect vulnerabilities are necessary features in a security system.
Your defence should include some ability to block zero-hour exploits, Brewton says.
A zero-hour (or zero-day) exploit or attack is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities.
“When a hacker creates a new virus and it hits the Internet, we really don’t know about it until 24 hours later.”
Security vendors can’t keep their lists up to date given the sheer number new malware applications being created every day.
But they say any security offering should include a system for recognizing and blocking zero-hour malware.
The number of threats on the Web more than doubled from 212,000 in June to nearly 500,000 last December, according to Symantec.
By using heuristic scanning, software can look for malicious behaviours and stop them, Brewton says. Actions include “trying to change your homepage, and trying to download content without a prompt.”
Social networking Web sites are popular targets to drop zero-hour malicious code, according to Symantec’s report. It’s the top method of phishing attack in the United States, China, Romania and Guam – the top four phishing countries.
“It has to do with trust,” Symantec’s Fossi says. “I know and trust everyone in my group of friends and I’ll be more likely to click on a link from them.”
With more companies making use of Web 2.0 sites to collaborate and communicate with customers, guarding against this attack is something to consider.
Layer 3: File analysis
A solid security product must inspect files for known and unknown threats that are likely to be injected into executable and binary files.
Simple signature-based security detects known malware, and smart signatures use problem-solving heuristics that indicate a new threat.
“Any new anti-virus technology should do deep packet analysis, looking at both the context and the content,” analyst Brewton says. “If the file type is an .exe, then a certain set of rules should apply.”
Executable files were the most common method used to spread malicious code in the latter half of 2007 at 40 per cent, according to Symantec.
E-mail attachments were second with 32 per cent.
Layer 4: application controls
The final layer of icing on your multi-layered security cake is a system for filtering outbound and inbound traffic such as peer-to-peer, instant messaging, and malware communications.
“This is mainly about data loss prevention,” Brewton says. “It should be protecting against the insider threat, which is always the biggest threat to any network.”
Aside from sending out confidential information over the Web, he said employees are now more apt to use USB flash drives to walk off with company data. These can get lost and fall into the wrong hands.
“It is very important the application controls have some sort of forced encryption.”
Despite the widespread growth of external device use (thumb drives, iPods, smartphones, etc.) 43 per cent of enterprises still don’t have removable media protection, according to Symantec’s report.
“Because of the popularity of these sorts of things, we’re seeing a resurgence of the type of viruses that used to spread through floppy discs,” Fossi says. “USB drives have come down in price considerably over the past few years.”
End-point security systems should scan removable media as soon as its plugged in, he adds.
Choosing your security vendor
Instead of creating a patchwork of applications that cover all of these bases, Symantec’s Fossi recommends a single product that offers multi-layer coverage.
“You don’t have to worry about the gaps between this product and that product and that sort of thing.”
He says one product can also reduce the resources needed to install and operate the system, as it can all be run from one administration console.
