One of the defining characteristics of information technology (IT) is that it is in a constant state of change. This change does not just occur with vendors developing new products and improving existing technologies; it happens inside businesses and organizations every day. Servers are reconfigured, applications are modified, and network architectures are revised. There are external changes as well, such as evolving malware that is becoming more difficult to detect, new forms of attack that leverage browser vulnerabilities as well as operating system (OS) weaknesses, and the rapid adoption of personal mobile devices for use with enterprise systems. How can IT professionals keep pace with these kinds of dynamics? In this, the first of three articles in the Essentials Series: Understanding and Responding to Network Threats, we will examine the security threats faced by businesses today; the next two articles in this series will address evaluating and managing security technologies that can address these threats.
There are no simple answers, but a small number of principles can provide the foundation for a sound strategy for keeping pace with security threats.
This, the first of three articles on understanding and responding to network threats, describes how changes in infrastructure and security threats can compromise security and how the first step to responding is understanding the state of network operations.
Maintaining a secure environment under constant change can be viewed as a set of three distinct challenges:
Unlike well‐planned projects with sequential tasks and well‐defined milestones, you face these challenges simultaneously and without clear expectations that the job of securing an environment will ever be done.
IT infrastructure consists of servers, workstations, network devices, mobile devices, and software ranging from OSs and network systems to application servers to databases. Changes in this environment can come in several different forms, all of which can have an impact on security:
These changes are representative of the kinds of changes one faces with respect to IT infrastructure, but security threats change as well.
In addition to malicious software, there are further threats that can compromise the confidentiality and availability of IT systems, especially with regard to content moving across the network.
Businesses face the potential for data leaks and data loss on their networks and on their mobile devices. Attackers have an array of ways to capture confidential information, ranging from keyloggers that capture usernames and passwords to database intrusions that put large volumes of data at risk. Information is not the only asset at risk, though.
Figure 1: A wide array of security threats require attention to virtually every point on the network.
Botnets can commandeer the compute, storage, and network bandwidth resources of an organization. Compromised devices have reduced capability to perform business operations because CPU cycles are stolen for malicious activities such as generating spam and launching Denial of Service (DoS) attacks.
Spam continues to be a significant problem, with some studies finding that more than 90% of all email messages are unwanted, unsolicited content. Although spam filters are quite effective, spam still has to be received, scanned, and stored, so it consumes mail-server capacity and network bandwidth before a filter ever discards it.
It is also worth noting that attackers are changing tactics. As we become better at hardening servers and protecting the lower layers of the network stack, attackers are targeting the application layer. Database-backed applications may be subject to SQL injection attacks, browsers may be vulnerable to attacks carried in malicious HTML and script, and Ajax applications (Ajax being a popular set of Web development techniques for creating rich Internet applications) present a larger attack surface because they expose many more server-side endpoints to client-supplied input. On top of this, IT departments are facing increased demands for their services.
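To make the application-layer shift concrete, here is an added example (not code from the original article) of the SQL injection mentioned above: a login check that builds its query by string concatenation, beside the parameterized form that defeats the same input. The table, accounts and payload are constructed for the example and run against an in-memory SQLite database.

```python
"""Added example, not from the original article: SQL injection against a
string-built query, next to the parameterized query that resists it.
All data here is constructed; it runs offline against SQLite in memory."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a minimal user table with two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by concatenation: user input becomes SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized statement: values travel separately from the SQL text,
    so a quote or comment marker in the input cannot change the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic payload: closes the string literal, then comments out the password check,
# turning the query into  ... WHERE username = 'alice' -- ' AND password = '...'
PAYLOAD = "alice' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # [('alice', 'admin')]
    print("hardened:  ", login_hardened(db, PAYLOAD, "wrong"))    # []
```

The vulnerable function logs the attacker in as the administrator without a password; the hardened one returns no rows because the driver treats the whole payload as a literal username. The fix is not input filtering but keeping data out of the statement text, which is why parameterized queries (or an ORM that generates them) are the standard defence.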
Despite the fast-paced changes facing IT professionals, there is no assurance that staffing and budgets will adapt as fast. IT departments are faced with more demanding Service Level Agreements (SLAs), rapidly changing business requirements, and stagnant budgets. The combination of a dynamic environment with static resources leaves IT professionals few options other than to constantly improve the way IT operations are performed and to extract greater efficiency from existing resources. Part of that extra efficiency will come from understanding how decisions about security changes affect day-to-day business operations.
The state of constant change in IT infrastructure requires that we know as much as possible about the state of the network. Any change made in response to an emerging threat, no matter how well meaning, can inadvertently disrupt business operations. So what are systems administrators and network managers to do?
For starters, we must understand what kinds of applications are on the network and what kinds of traffic patterns these generate. Are there significant amounts of streaming audio and video on the network? Are rich Internet applications generating large‐volume data transfers from servers to clients? Network managers need to know the types of traffic, the expected volumes, and the corresponding network performance associated with the applications running on the network.
This kind of information can be essential for evaluating network security measures, such as content filters and intrusion prevention systems (IPS). For example, how will an IPS scale to the traffic on your network? Will adding an IPS or content filtering appliance degrade performance to the point that business functions are adversely impacted? Are some users more likely to be adversely affected than others?
One must also monitor how well existing security technology continues to function as the environment changes. As the volume of traffic increases, does the firewall become a bottleneck? Is jitter (unwanted variation in packet delivery time) degrading the quality of services such as VoIP or streaming video? Attackers devise variations on existing threats to evade security measures; for example, do anti-malware and anti-spam technologies continue to block unwanted content when it arrives through Web site drive-by downloads rather than email? Continuing to monitor the performance of existing security technologies is essential to comprehensive security management.
These questions lead to another key area of concern: knowing who is on your network. The key issue for network administrators is to understand how users are authenticated. If there are multiple authentication systems, which system controls access to which resources? Are the multiple authentication systems synchronized at the business-operation level? Not knowing how fundamental network services work can leave one making security, or even basic configuration, decisions that disrupt business operations. At the very least, network managers should know:
Knowing who and what are on your network at one point in time does not guarantee an accurate picture of who and what is on the network at another point in time. There is a constant challenge to know, for example, the patch levels of key pieces of infrastructure. Are servers that were considered hardened 6 months ago still hardened in light of new vulnerability discoveries? Client devices are even more problematic when users have administrative privileges. How can IT support staff know the configuration of antivirus, anti‐spyware, personal firewalls, and other client device security measures without automated controls?
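The automated control the paragraph above asks for can be as simple as comparing the state recorded when hosts were last verified against what an inventory scan reports today. The following is an added example, not code from the original article: the host names, attribute names, patch-level strings and minimum patch bar are all constructed for illustration, standing in for whatever an asset-management system or endpoint agent would actually report.

```python
"""Added example, not part of the original article: detect configuration drift
by comparing a hardening baseline against a current inventory snapshot.
Hosts, fields and values are constructed; a real deployment would feed this
from an asset-management database or endpoint agent."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (host, attribute, detail)

# Constructed baseline: state recorded when each host was last verified as hardened.
BASELINE: Dict[str, dict] = {
    "web01": {"patch_level": "2010-03", "av_enabled": True, "host_firewall": True, "local_admins": ["it-admin"]},
    "db01":  {"patch_level": "2010-03", "av_enabled": True, "host_firewall": True, "local_admins": ["it-admin", "dba"]},
    "ws-17": {"patch_level": "2010-02", "av_enabled": True, "host_firewall": True, "local_admins": ["it-admin"]},
}

# Constructed current snapshot, as an automated inventory scan would report it months later.
CURRENT: Dict[str, dict] = {
    "web01": {"patch_level": "2010-09", "av_enabled": True, "host_firewall": True, "local_admins": ["it-admin"]},
    "db01":  {"patch_level": "2010-03", "av_enabled": True, "host_firewall": False, "local_admins": ["it-admin", "dba"]},
    "ws-17": {"patch_level": "2010-09", "av_enabled": False, "host_firewall": True, "local_admins": ["it-admin", "jsmith"]},
    "ws-42": {"patch_level": "2010-01", "av_enabled": False, "host_firewall": False, "local_admins": ["jsmith"]},
}

# Assumed minimum patch level expected everywhere today (YYYY-MM, so strings compare in order).
REQUIRED_PATCH_LEVEL = "2010-09"


def find_drift(baseline: Dict[str, dict], current: Dict[str, dict],
               required_patch: str = REQUIRED_PATCH_LEVEL) -> List[Finding]:
    """Return every way the current state fails the baseline or the current patch bar."""
    findings: List[Finding] = []
    for host, expected in sorted(baseline.items()):
        actual = current.get(host)
        if actual is None:
            findings.append((host, "presence", "baselined host not seen in current inventory"))
            continue
        # Protections that were on at baseline time must still be on.
        for control in ("av_enabled", "host_firewall"):
            if expected[control] and not actual.get(control, False):
                findings.append((host, control, "disabled since baseline"))
        # "Hardened six months ago" is not "hardened now": re-check against today's bar,
        # not against the patch level recorded in the baseline.
        if actual["patch_level"] < required_patch:
            findings.append((host, "patch_level",
                             f"{actual['patch_level']} is behind required {required_patch}"))
        # New local administrators are exactly the change that erodes control of clients.
        added = set(actual.get("local_admins", [])) - set(expected["local_admins"])
        if added:
            findings.append((host, "local_admins", "added: " + ", ".join(sorted(added))))
    # Hosts that appeared without ever being baselined are unknown devices.
    for host in sorted(set(current) - set(baseline)):
        findings.append((host, "presence", "host not in baseline"))
    return findings


if __name__ == "__main__":
    for host, attribute, detail in find_drift(BASELINE, CURRENT):
        print(f"{host:6} {attribute:13} {detail}")
```

Run as written, the report flags the database server's disabled host firewall and stale patch level, the workstation whose antivirus was switched off and which gained a new local administrator, and an unknown host that was never baselined. The point is the comparison, not the data format: the baseline answers "what did we verify", the snapshot answers "what is true now", and only the difference needs a human.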
There are so many ways that a lack of information can adversely affect an organization that IT managers need to extract as much information as possible from their security and asset management investments. The state of a business's IT infrastructure is constantly changing. Sometimes these changes are under the control of IT professionals and sometimes they are external; in either case, one must have accurate, up-to-date information about the infrastructure to protect and manage it properly. The remaining articles in the Essentials Series: Understanding and Responding to Network Threats will provide further details on how intrusion prevention and multi-function security products can help control the threats described here.