Combating Complexity

By Tony Kontzer  |  Posted 2011-06-14

The recent string of high-profile cyber-attacks that victimized email marketer Epsilon Data Management, the Texas state comptroller’s office, EMC’s RSA security division and Sony’s PlayStation Network serve as important reminders that no one—not even an IT security vendor—is safe. It’s a message that IT security professionals at organizations of all sizes have gotten, spurring them to turn to newer, more innovative approaches.

These breaches grabbed the headlines, but they also obscured what appears to be a growing trend in the world of IT security: The bad guys are increasingly picking on organizations that don’t have the assets of giant corporations and don’t appear to be obvious targets.

“I can’t keep up with all the hacks and attacks that come at us 24/7,” says an exasperated Gary Doan, vice president of IT at Dallas Telco Federal Credit Union.
With its three branches in the Dallas area, the credit union doesn’t have a bull’s-eye painted on its back, but Doan isn’t taking any chances. He recently replaced the company’s security appliance with a hosted offering from Network Box, handing over a healthy portion of his protection needs to a managed services provider.

Doan paid $7,000 for a Network Box appliance for Dallas Telco’s main branch and another $3,000 each for smaller appliances at the other two locations—plus annual maintenance fees. This setup allows Doan to control network and desktop configurations, while Network Box remotely monitors all traffic coming into and going out of the company. It also keeps the credit union up-to-date on the latest virus definitions and intrusion-detection capabilities.

With the previous setup, Doan was paying nearly as much for just the hardware, without getting any of the services Network Box provides. The difference, Doan says, can be measured by the peace of mind he gets from knowing experts are watching his network for him.

“We’ve never had a serious attack that tried to shut down our site or breach it, but that doesn’t mean it couldn’t happen,” says Doan. “And it doesn’t mean we don’t have to guard against it.”

Based on numbers released in April by Verizon Communications as part of its “2011 Data Breach Investigations Report,” Doan is wise to prepare for the worst. With help from the U.S. Secret Service and Dutch High-Tech Crime Unit, Verizon investigated some 761 breaches in 2010—by far the most in the report’s four-year history. (The 2007 report spanned the 2004-to-2007 period.) Surprisingly, the number of actual records breached plummeted precipitously, from 143 million in 2009 to fewer than 4 million last year.

One takeaway, says Christopher Porter, principal of Verizon’s risk and intelligence team, is that cyber-criminals are seemingly content to attack smaller companies and make off with smaller batches of credit card numbers and other data in exchange for the decreased odds of getting caught.

Wary of Cyber-Criminals

At Berry College in Mount Berry, Ga., about an hour northwest of Atlanta, Dan Boyd, the school’s senior network architect, is more concerned with breaches that result from students bringing malware-laden devices to campus and infecting the school’s network. Boyd realizes that small liberal arts colleges aren’t typically a favorite target of cyber-criminals, but he’s wary of them using the school’s network as a conduit for attacks elsewhere.

“The fact that we have 200MB of bandwidth sitting there is enough to be attractive to [cyber-criminals],” says Boyd.

Because of the number of devices Boyd has to account for—the 1,100 PCs used by the school’s staff and faculty, as well as the thousands of laptops, smartphones, tablets and Internet-enabled gaming consoles that are out of his control because they’re brought to campus by some 1,700 students—monitoring application-level traffic is critical, but it had become exceedingly complex.

To combat that complexity, Boyd opted for a novel approach by removing the school’s intrusion-prevention system and traffic-shaping gear, consolidating those functions in its SonicWall firewall. The move reduced the amount of time the school’s four-person networking team spends on pinpointing the location of security issues.

For example, one of the most common issues Boyd sees involves students who download malware disguised as updates to Flash or QuickTime and then bring the malicious files to campus. Whereas network traffic previously passed through too many hops for the school to maintain the kind of visibility and control it needed to block every instance, Boyd now can configure the firewall to detect any suspicious Flash or QuickTime issues and block the malware from entering the network.

Since making the change in its security architecture, the school hasn’t had a single firewall-related failure or outage, according to Boyd. He now plans to test SonicWall’s ability to monitor encrypted traffic.

Once it has that capability, Berry College’s security setup will represent a significant innovation, says Alex Holden, a senior intelligence investigator with IT security consultancy Cyopsis and a former chief information security officer at a major brokerage firm. Consolidating monitoring functions at the firewall not only eliminates the overhead required to maintain multiple security systems, but also ratchets up security effectiveness, he says.

“When you put all your eggs in one basket—assuming there is proper redundancy—there is less chance of failure,” Holden says. “It’s also easier to see the state of the network and declare it to be incident free.”

Working Together

While innovative products and configurations are important components of today’s IT security strategies, it’s equally important that companies of all sizes participate in joint efforts to combat the evolving array of cyber-attacks, says Ron Plesco, CEO of the National Cyber-Forensics & Training Alliance, a nonprofit that serves as a conduit between private industry and law enforcement.

Plesco says the growing practice of voluntarily—and anonymously—exchanging information on breaches, particularly with others in the same industry, increases the odds that a company will become aware of a threat before it arrives.

“You’ve got to stay up on the offense against you if you want to keep your defense sound,” Plesco says. “Unless you are aware of the current threats, you’re not going to be able to harden against them.”

Plesco doesn’t have to sell Berry College’s Boyd or Dallas Telco’s Doan on this concept. Boyd says he’s actively researching a couple of regional groups in Atlanta and would even consider forming a local group if it were not for time constraints.

Meanwhile, Dallas Telco is already part of the Secret Service’s North Texas Electronic Crime Task Force, and Doan says he always gets helpful tips and suggestions at the group’s quarterly meetings. The fact that the task force was already aware of every scam or hack attempt he’s reported has only strengthened Doan’s belief in the collaborative model.

“You can’t protect against everything,” says Doan, “so you need all the sharing of information you can get.”

Ultimately, such sharing may prove to be this era’s most important IT security innovation.

Security Tips

Christopher Porter, principal of Verizon’s risk and intelligence team, offers organizations these security tips:

• Change default access control settings: Two-thirds of all hacking attacks in 2010 were exploitations of default applications credentials.
• Deploy strong firewalls wherever you don’t allow remote access.
• Be consistent about monitoring logs and validating that nothing suspicious is going on.
• Have processes and policies in place so the organization is prepared to respond decisively to a breach.