Is internet security fundamentally flawed?

Eric Chiu, Co-Founder and President of HyTrust, answers some of the big internet security questions.

1. What is the current state of enterprise security?

As it has been for the past several years, the state of enterprise security is badly broken. We are seeing situations with great asymmetry between attacker (some script kiddies) and victim (much of the internet, in the case of the recent Dyn DDoS attack).

Part of the problem stems from the fact that much of the infrastructure we depend on was not designed with security in mind. The fundamental assumption was that users of that infrastructure were reasonably responsible and would not try to sabotage or damage the playground equipment. In the early days of ARPANET these assumptions were for the most part reasonably safe. Now, however, we see that DNS, NTP and even LDAP can be exploited and abused to aid DDoS and other attacks.

Another fundamental problem is the disconnect between hardware, particularly hardware that’s newly network-enabled, and software. So we have the Internet of (Broken) Things with millions of network-enabled devices, most of which are running some sort of old, outdated Linux stack. Many of these devices suffer from well known, documented vulnerabilities, making it trivial for the bad guys to do bad things – including building massive bot armies for DDoS attacks. Sadly these low-cost hardware makers have traditionally been concerned only with shipping products and making them more-or-less work. They’ve been far less concerned with security updates, which have been seen not as table stakes but as unprofitable holes. This will need to change. Fortunately, there is a little light at the end of the tunnel, with ARM proposing an update system and Hangzhou Xiongmai Technology, which manufactured much of the offending hardware, at least sounding like they might help with some recalls.

We are also seeing ongoing efforts to compromise high-value accounts such as IT Admin accounts – an approach that makes perfect sense. Why worry about compromising a single account when you could take them all with a single stroke? Fortunately there are solutions available that can help you lock down admin accounts, as well as track what may be unexpected or unusual activity – not to mention requiring secondary approval for potentially disruptive operations. 

2. If a company as established and with the resources and IT experience of Yahoo! can fall prey to what may be the most massive data breach in internet history, what hope do the rest of us have? Is internet security fundamentally flawed?

While there certainly are challenges and some will say that security is fundamentally broken, the good news is that there are things that you can do that will greatly increase the chances of a more favourable outcome for your company.

One of those things you can do is create a culture where security is valued – where security has a seat at the table, security has executive representation and budget, and security is a consideration when doing any sort of infrastructure or applications project. When security is baked into a system at the most fundamental levels, you end up with fewer holes and surprises. The challenge for many organisations is that this sort of fundamental cultural change is hard. It’s a lot harder than installing a new firewall or intrusion detection system. It’s also a battle fought not in a technical vacuum in cyberspace but rather on the human level. It’s a battle for hearts and minds, and for some security practitioners this can be a challenge. However, one of the things that defines the difference between a good security exec and a great one is the ability to win over the infrastructure and operations guys and earn their respect and earn that seat at the table.

When you establish this culture of security, though, it goes well beyond just the infrastructure and applications architects. It extends up and down the organisation from the CEO to the person at the front desk. When you establish that, you harden the organisation organically against many common threats like phishing and social engineering.

3. Most organisations probably think their business is pretty secure. What are they missing? What’s probably the biggest threat that’s in the blind spot right now?

While it may be fun to talk about kernel vulnerabilities, SQL injection and buffer overflow exploits – all very real threats – I think that most organisations need to spend more time on the human factor. First is just basic user training. Teach your people not to use crappy, weak passwords and teach them not to share credentials or post passwords on sticky notes taped to their monitors. Train them to be more careful with email, especially attachments. And work with them so they know not to give up their password to the guy on the phone who claims to be from tech support.

Then there is coping with the insider threat. Not every employee is as happy or loyal as you might hope and a certain number might take action on these feelings. It could be as simple as taking a customer or roadmap to a competitor or it could involve vandalism or destruction of information systems. Bad guys also target IT staff members’ accounts, so even if your own people are trustworthy, it may still make sense to have monitoring and controls in place in order to contain exposure should a sensitive account be breached.

4. What steps should more enterprises be taking?

Training is a great start. Make sure your people are aware of the problem and ensure they know that there are things that they can do to help make things better. Have controls and policy in place that limit administrative powers and access so that it’s limited to only that which is needed for that person to do their job. Build a culture where the importance of security is understood. Consider two-factor or multi-factor authentication. Have effective logging in place and make sure that actions that are denied are logged and not just actions that are permitted.

5. How can businesses securely leverage cloud technology to overcome security challenges and protect their vulnerable data against attacks?   

Considering the relative scale of the average enterprise and the resources they can devote to data centre IT, just moving to the cloud by itself may pay some dividends in terms of security. After all, AWS, IBM, and other cloud providers likely have greater resources and more experience with security than the average enterprise.

That said, one of the best things you can do is to look carefully at encryption. At the very least, use encryption solutions managed by your cloud provider. But keep in mind that one of the best ways you can implement cloud encryption is by using a system where you hold and manage the keys to encrypted workloads on the cloud. That way, even if your cloud provider is hacked or is served papers by the government, you still control who sees your data, regardless.

6. Cloud computing has caused a massive shift in the way organisations think about their IT. As cloud strategies evolve, how is that changing the way enterprises need to think about security?

One of the obvious answers is that security is undergoing fundamental changes. No longer is it a case of installing a firewall and you’re done. The modern cloud-enabled environment is far more permeable than was the case with pre-cloud networks, and thus security needs to be applied not at the perimeter, but rather at the level of the individual workload.

One very real-world consideration is that in many businesses, employee termination is a lot less certain than it used to be. In the past, HR would tell IT that someone has left the company, IT would then go in and turn off their Active Directory account, and since everything was tied to AD – including logins, email, VPN access, applications, and so on – that employee was effectively turned off. With the coming of the cloud, it is entirely possible that individual departments or groups may have their own cloud assets, and these may not be owned or managed by IT. For example, a Salesforce.com engagement is often owned by sales. Marketing automation packages like Hubspot or Marketo are usually owned by marketing. And Box, Dropbox and other file-sharing services may be owned by several different groups.

This introduces manual steps where non-IT groups need to be responsible for traditional IT functions, such as turning off accounts for former employees. I think it’s safe to say that there are millions of cloud-based apps and services that still have “zombie accounts” that should have been turned off months if not years ago.

Eric Chiu is Co-Founder and President of HyTrust
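
The "zombie account" problem described in the answer to question 6 can be checked by reconciling the HR leaver list against account exports from departmentally owned cloud services. The sketch below is an added example, not part of the interview; the CSV column names, service names and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver list and account exports from
# SaaS apps owned by departments rather than IT (hypothetical columns).
HR_LEAVERS = """email,terminated
alice@example.com,2016-03-01
bob@example.com,2016-09-15
"""
SAAS_ACCOUNTS = """service,owner,email,status,last_login
crm,sales,Alice@Example.com,active,2016-06-20
crm,sales,carol@example.com,active,2016-10-30
files,marketing,bob@example.com,active,2016-09-01
files,marketing,alice@example.com,disabled,2016-02-11
automation,marketing,bob@example.com,active,
"""

def find_zombie_accounts(leavers_csv, accounts_csv, today):
    """Return still-active accounts whose owner has left, worst first."""
    leavers = {
        row["email"].strip().lower(): date.fromisoformat(row["terminated"])
        for row in csv.DictReader(io.StringIO(leavers_csv))
    }
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].strip().lower()  # exports differ in casing
        left = leavers.get(email)
        if left is None or acct["status"].strip().lower() != "active":
            continue
        # An empty last_login means never used; the account is still open.
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        findings.append({
            "service": acct["service"],
            "owner": acct["owner"],  # the department that must disable it
            "email": email,
            "days_since_termination": (today - left).days,
            # A login after the leave date is an incident, not just hygiene.
            "used_after_termination": last is not None and last > left,
        })
    # Accounts used after termination first, then the longest-lived zombies.
    findings.sort(key=lambda f: (not f["used_after_termination"],
                                 -f["days_since_termination"]))
    return findings

if __name__ == "__main__":
    for f in find_zombie_accounts(HR_LEAVERS, SAAS_ACCOUNTS, date(2016, 11, 1)):
        print(f)
```

Each finding names the owning department because, as the answer notes, that group rather than IT has to turn the account off.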
