Defence against the cyber dark arts

In an industry full of hacks and attacks, defending networks is no easy task for IT departments and professionals. Cyberattacks range widely in both capability and threat, so the response has to be specific to the challenge an enterprise actually faces. Implementing the wrong security technology can be costly, and in the worst case can make it easier for attackers to achieve their goal.

Cyberattacks, malware, and system vulnerabilities have all been mystified and media-hyped beyond reasonable analysis, but businesses still need to design a defence-in-depth strategy tailored to their own security requirements. Truly understanding what risks the business may face is essential to combating future problems. IT security has no ‘magic’ solution, and no single technology can prevent every kind of network compromise. So how do businesses know what will actually work to secure their sensitive information?

The easiest way to break this down is to look at a selection of attack types in turn, together with the more successful mitigation strategies that IT professionals can implement against each of them.

Network Probe / Hostile Scan

Put plainly, network probes and hostile scans are the background noise of the internet: millions of malware infections and hostile actors searching for vulnerabilities to exploit. The scanning moves from address to address; if it does not find a vulnerable service at one IP address, it simply moves on to the next. Commercial and free tools such as Metasploit, Nessus and Nmap locate vulnerable services on the internet just as readily for an attacker as for a defender.

If an enterprise is serious about improving its internet security, it is imperative to move as many services as possible to hosted providers and to close every internet-facing port that is not strictly needed. Minimising open ports significantly reduces the chance that a network probe or hostile scan finds anything to exploit.
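One way to verify that the port minimisation above actually holds, as an added example that is not from the article: scan your own public range with Nmap from outside the perimeter, then diff the open ports against the list of services you intend to expose. The Nmap XML below is a constructed sample in the shape that `nmap -oX -` produces, and the allow-list is a hypothetical policy; both are stand-ins for your own scan and your own exposure policy.

```python
"""Compare an external Nmap scan of your own address range against the
services you intend to expose, and report anything else that is open.

Added example, not from the article. The Nmap XML is a constructed sample
(the elements that `nmap -sS -oX -` emits and that this check reads); the
allow-list is a hypothetical exposure policy."""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 203.0.113.0/29">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical exposure policy: the only services this organisation intends
# to have reachable from the internet, per public address.
ALLOWED = {
    "203.0.113.10": {("tcp", 443)},
    "203.0.113.11": set(),
}


def open_ports(nmap_xml):
    """Return {address: {(protocol, port), ...}} for ports Nmap reported open.
    Filtered or closed ports are ignored: only open ones are reachable."""
    result = {}
    root = ET.fromstring(nmap_xml)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        found = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = found
    return result


def unexpected_exposure(nmap_xml, allowed):
    """Return {address: sorted [(protocol, port), ...]} of open ports that the
    policy does not allow. A host absent from the policy allows nothing."""
    findings = {}
    for addr, ports in open_ports(nmap_xml).items():
        extra = ports - allowed.get(addr, set())
        if extra:
            findings[addr] = sorted(extra)
    return findings


if __name__ == "__main__":
    for addr, ports in unexpected_exposure(SAMPLE_NMAP_XML, ALLOWED).items():
        for proto, port in ports:
            print(f"{addr} exposes {proto}/{port}, which the policy does not allow")
```

Run against a real scan, the output is the list of ports to close or justify; the RDP port on the first host and the SNMP port on the second are the kind of thing that is usually left open by accident rather than by design. Treat a host that appears in the scan but not in the policy as a finding in itself, since nothing on it is meant to be reachable.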

When hosting internet-accessible services or a web application, there is also an opportunity to upgrade the firewall to a more sophisticated application-aware version, frequently called a ‘Next Gen’ firewall. Password audits, secure default configurations and architecture plans to move to external hosting providers all open the door to further protection and to continuous-monitoring solutions.

Phishing attack

Phishing emails remain the primary vector for malware attacks and are almost evenly split between two variants: a malicious email attachment (39.9 per cent) or an email with a malicious link (37.4 per cent). Once the attachment is opened or the link followed, the payload it delivers can encrypt the victim’s files, with the attacker demanding a ransom to unlock them. The good news is that because phishing attacks arrive via email, there are multiple opportunities to mitigate the threat, both before delivery and after a user has clicked.

Sometimes it is unavoidable that a user will accidentally open an attachment or click on a malicious link, but understanding the threat is the first step to defining an appropriate defence strategy. A study of Microsoft’s security bulletins from 2013 demonstrates that removing administrator rights is an extremely effective first step against phishing-borne exploits: of the 147 vulnerabilities Microsoft published that year with a ‘critical’ rating, removing administrator rights mitigated 97 per cent. The same report reveals that 98 per cent of critical vulnerabilities affecting Windows, and 99.5 per cent of all vulnerabilities in Internet Explorer, could be mitigated by removing admin rights. The reason is simple: an exploit that lands in a standard user’s context cannot install system-wide software or tamper with the operating system’s protections the way one running as an administrator can.

IT professionals have a huge opportunity to combat this sort of attack with multiple layers of defence. Simply keeping the operating system and third-party applications patched is a ‘quick win’. Web and email protection, along with managed antivirus, are further layers that minimise the risk of a phishing attack succeeding. By applying these defences together, businesses are well on their way to minimising the chances of being compromised.
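As an added example (not from the article, LOGICnow, or any product), the following shows the kind of checks an email-protection layer applies before a message reaches the user, covering both phishing variants described above: it flags attachments whose extension means they execute when ‘opened’, and flags HTML links whose visible text names one domain while the href points at another. The message, the extension block-list and the lookalike domain are all constructed for illustration.

```python
"""Pre-delivery triage of the kind an email-protection layer performs:
flag attachments with executable or macro-bearing extensions, and flag
links whose visible text is a URL on a different host from the href.

Added example, not from the article. The message is a constructed sample;
the extension block-list and the lookalike domain are hypothetical."""
import email
import os
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing-style message: an executable disguised with a double
# extension, plus a link whose visible text claims the company portal while
# the href points at a lookalike domain.
SAMPLE_EML = """\
From: "Accounts" <accounts@example.com>
To: user@example.org
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the invoice at
<a href="http://example-payments.invalid/login">https://portal.example.com/invoice</a>
or open the attached copy.</p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Hypothetical block-list: extensions that run code when the file is opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta",
                    ".docm", ".xlsm", ".lnk"}

# Matches an HTML anchor and captures its href and its visible text.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def risky_attachments(msg):
    """Return attachment filenames whose final extension is on the block-list.
    Only the last extension counts, so 'Invoice.pdf.exe' is an .exe."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            names.append(name)
    return names


def mismatched_links(msg):
    """Return (href, visible_text) pairs from HTML parts where the visible
    text is itself a URL whose host differs from the host in the href."""
    mismatches = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR_RE.findall(part.get_content()):
            text = text.strip()
            shown_host = urlparse(text).hostname if "://" in text else None
            if shown_host and shown_host != urlparse(href).hostname:
                mismatches.append((href, text))
    return mismatches


def triage(raw_message):
    """Parse a raw RFC 5322 message and return both sets of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "risky_attachments": risky_attachments(msg),
        "mismatched_links": mismatched_links(msg),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EML).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Either finding on its own is enough to quarantine the message for review rather than deliver it. The extension check is deliberately blunt: it looks only at the name, so a real gateway pairs it with content inspection (the `MZ` header visible in the base64 above is the start of a Windows executable regardless of what the file is called), and the link check catches only the case where the visible text is itself a URL; anchors reading ‘click here’ need reputation or sandbox checks instead.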

Distributed Denial of Service (DDoS)

DDoS has been around for a long time and fundamentally works by flooding network connections with huge amounts of traffic, which can quickly overwhelm a business’s infrastructure and effectively knock it off the internet. In general, DDoS attacks are categorised as connection-based or resource-based, in addition to the newer amplification attacks, in which small spoofed requests are bounced off third-party servers that send much larger replies to the victim. Connection-based attacks simply attempt to open as many simultaneous connections as possible with the targeted server in order to exhaust its connection table and degrade its performance, while resource-based attacks overwhelm the server with requests that are expensive to process. A low-rate variant of the connection attack holds TCP connections open by trickling in partial, confusing or non-RFC-compliant packets; this essentially tricks the server into thinking the rest of the data will arrive shortly, so each connection slot stays occupied for as long as the attacker wants.

The key to mitigating any style of DDoS attack is detecting it quickly, which means monitoring the performance of the network router and firewall. Polling them with Simple Network Management Protocol (SNMP) makes it relatively easy to determine how hard the firewall is working and how much traffic the internet-facing interface is carrying. On top of this, reports from the Internet Service Provider (ISP) can confirm whether the inbound volume is excessive, and the ISP is also the party best placed to filter the flood upstream before it saturates your link. Finally, putting a network tap or a mirrored switch port on the outside of the firewall and using a tool like Wireshark to inspect the inbound traffic gives a good indication of whether you are under attack and of which kind.
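As an added example that is not from the article, the following turns the SNMP polling described above into a concrete alert. The IF-MIB octet counters (`ifInOctets`, 32-bit, and `ifHCInOctets`, 64-bit) only ever increase and wrap to zero when they overflow, so a rate is the difference between consecutive polls modulo the counter width, divided by the polling interval. The polls below are constructed values, and the baseline and the alert multiple are hypothetical thresholds; in practice the baseline comes from a quiet week of your own data.

```python
"""Convert periodic SNMP polls of a router's inbound interface octet counter
into a bit rate and flag polls that exceed a multiple of the normal baseline,
as a first indicator of a volumetric DDoS.

Added example, not from the article. The poll values are constructed; the
baseline and alert multiple are hypothetical thresholds."""

COUNTER32_MOD = 2 ** 32   # width of IF-MIB ifInOctets
COUNTER64_MOD = 2 ** 64   # width of IF-MIB ifHCInOctets

# Constructed 60-second polls of ifInOctets (Counter32) on the WAN interface,
# as (unix_time, octets). Three quiet intervals, then a surge during which the
# 32-bit counter wraps past zero.
SAMPLE_POLLS = [
    (1_700_000_000, 4_200_000_000),
    (1_700_000_060, 4_230_000_000),   # +30 MB  ->  4.0 Mbit/s
    (1_700_000_120, 4_260_000_000),   # +30 MB  ->  4.0 Mbit/s
    (1_700_000_180, 4_290_000_000),   # +30 MB  ->  4.0 Mbit/s
    (1_700_000_240,   895_032_704),   # wrapped: +900 MB -> 120 Mbit/s
]


def counter_delta(prev, cur, modulus):
    """Increase between two readings of a monotonic counter, allowing for
    exactly one wrap. A naive cur - prev would be hugely negative here."""
    return (cur - prev) % modulus


def bit_rates(polls, modulus=COUNTER32_MOD):
    """Return [(time, bits_per_second), ...] for each consecutive poll pair.
    Out-of-order or duplicate timestamps are skipped rather than divided by."""
    rates = []
    for (t0, c0), (t1, c1) in zip(polls, polls[1:]):
        seconds = t1 - t0
        if seconds <= 0:
            continue
        rates.append((t1, counter_delta(c0, c1, modulus) * 8 / seconds))
    return rates


def flag_surges(polls, baseline_bps, multiple=10.0, modulus=COUNTER32_MOD):
    """Return the polls whose inbound rate exceeds `multiple` times the baseline."""
    return [(t, bps) for t, bps in bit_rates(polls, modulus)
            if bps > baseline_bps * multiple]


def main():
    baseline = 4_000_000   # hypothetical: inbound bit/s measured over a quiet week
    for t, bps in flag_surges(SAMPLE_POLLS, baseline):
        print(f"t={t}: inbound {bps / 1e6:.1f} Mbit/s, "
              f"{bps / baseline:.0f}x baseline; check the ISP and the tap")


if __name__ == "__main__":
    main()
```

Two caveats a practitioner will want. First, poll often enough that the counter cannot wrap twice between samples: a 32-bit octet counter wraps every 34 seconds at a full gigabit, so on fast links poll `ifHCInOctets` with `COUNTER64_MOD` instead. Second, a rate alone says the link is busy, not why; the packet capture from the tap is what distinguishes a flood from a legitimate surge, and the ISP report is what tells you how much never reached you at all.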

Putting the action into practice

Ultimately, IT professionals are partially or wholly responsible for the confidentiality, integrity and availability of the IT systems in their care, and must therefore take the security of those systems seriously. Preventive, detective and forensic defensive layers are all essential to IT operations, but they must also be fitted to each company’s individual needs if they are to provide the most effective network protection possible.

Ian Trump, Security Lead at LOGICnow