Uncovering loopholes in today’s networks
By Wana Tun October 16, 2014
- Need to combine technologies and add layered defences to safeguard networks
- By increasing number of safety nets, vulnerabilities and loopholes become smaller
COMPANIES today face challenges securing their networks from both sophisticated malware and external threat actors. Internally, they also struggle with IT misconfiguration and a lack of security education among employees.
In this article, I aim to illustrate the common network threats faced by most organisations today.
Advanced Persistent Threats (APTs)
There is much hype and confusion over the buzzword Advanced Persistent Threat (APT), and it has become associated with nation-state cyber-attacks and advanced malware and hacking techniques.
According to a Ponemon Institute study last year, 68% of IT managers do not know what the term APT refers to.
The truth is, APTs are attackers who are prepared to penetrate networks slowly and persistently in order to steal data. Unlike traditional malware, APTs leverage social engineering, zero-day vulnerabilities and an extensive understanding of their target environment.
An APT starts by gathering intelligence on its targets, such as a company’s profile and its employees, through the Internet and social networking sites. The attackers then find a point of entry into the target’s network; upon breaching it, the APT calls home to a command-and-control (C&C) server and reports its location.
They then search the network for data and assets, and may infect other clients in order to reach their target, or launch further attacks to gain access to systems at a faster rate.
Upon finding the data they are looking for, the APT starts communicating frequently with the C&C host and is likely to extract data in small, encrypted pieces to prevent detection.
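The beaconing pattern described above (frequent, small, regular contacts with one external host) is something a defender can look for in proxy or flow logs. The script below is an added example, not from the article: the log format, the sample lines and the thresholds are all assumptions.

```python
"""Flag hosts whose outbound traffic to one destination looks like C&C
beaconing: many small connections at near-regular intervals.
Added example; log format and thresholds are assumptions, not Sophos code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines: "<epoch> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.5 talks to one host every 300 s with ~500-byte requests;
# 10.0.0.7 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
1413446400 10.0.0.5 updates.example.net 512
1413446700 10.0.0.5 updates.example.net 498
1413447000 10.0.0.5 updates.example.net 520
1413447300 10.0.0.5 updates.example.net 505
1413447600 10.0.0.5 updates.example.net 511
1413447900 10.0.0.5 updates.example.net 499
1413446410 10.0.0.7 cdn.example.org 240000
1413448100 10.0.0.7 cdn.example.org 18000
1413449400 10.0.0.7 news.example.com 90000
"""

def parse_log(text):
    """Group (timestamp, bytes_out) events per (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows

def beacon_score(events, min_events=5, max_bytes=4096, max_jitter=0.2):
    """Return (is_beacon, mean_interval). 'Regular' means the spread of
    the gaps is within max_jitter of the mean gap; 'small' means every
    request stays under max_bytes (data leaving in small pieces)."""
    events = sorted(events)
    if len(events) < min_events:
        return False, 0
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False, 0
    regular = pstdev(gaps) / avg <= max_jitter
    small = all(n <= max_bytes for _, n in events)
    return regular and small, avg

def find_beacons(text):
    """Return {(src, dst): interval_seconds} for flows that look like beacons."""
    hits = {}
    for key, events in parse_log(text).items():
        is_beacon, interval = beacon_score(events)
        if is_beacon:
            hits[key] = interval
    return hits

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval:.0f}s interval, small payloads")
```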
When it comes to security against adversaries, most organisations think about viruses and their endpoints but often neglect their websites.
According to Sophos Labs, an average of 30,000 new malicious URLs are generated daily, of which 80% are compromised, legitimate websites. Also, 85% of malware, including viruses, worms, spyware, adware and trojans, comes from the Web.
Attackers first use the drive-by download technique to penetrate from an entry point, such as a hijacked website or email with a malicious link. Attackers leverage existing vulnerabilities within web servers such as Apache and IIS, injecting malicious code into webpages.
Once it reaches the browser, the user is redirected to an exploit kit through an elaborate traffic distribution system (TDS), which is hard to track. The kit executes exploits against vulnerabilities in web browsers and plugins such as Java and PDF readers.
After that, the attackers download malware onto the system to infect it.
Many know it is important to protect their wireless network with a strong password. However, a Sophos survey found 8% of respondents using no encryption at all and 19% using obsolete encryption.
These are some mistakes made by companies, especially remote offices:
- Basic errors such as having poor encryption, passwords that are not complex enough, not using VPNs (virtual private networks), poor employee education and published policies;
- Uncontrolled access to wireless networks, giving customers, suppliers and other office visitors IDs and passwords to internal networks. This has given rise to contractors whose passwords remain valid for weeks and months even after moving on to other employers; and
- Deployment and management of wireless access points can be time-consuming, complex and expensive. It also increases the chances of accidental misconfiguration which leads to security vulnerabilities.
Companies should be aware that cybercriminals increasingly target wireless traffic to penetrate enterprise networks. They are leveraging the rise of mobile workers, workstations that lack endpoint protection and BYOD (bring your own device) policies that limit companies from controlling and configuring mobile devices.
Security experts have warned about IPv4’s limited address pool; its successor, IPv6 (Internet Protocol version 6), has the features the modern Internet needs: greater connectivity, integrity and security, while supporting a wide range of web-capable devices.
However, IPv6 is not without its limitations. The following are some risks companies may face with the latest Internet protocol:
- Malware with IPv6-based command-and-control capabilities is rampant, so if a server enables IPv6 by default but its firewall does not, malware infections will rise;
- IT managers must learn how to deploy IPv6 in a completely new manner, including processes such as troubleshooting, firewall configuration and monitoring security logs. This could give rise to deployment mistakes; and
- It is not possible to switch instantly from IPv4 to IPv6, so partial adoption, using tunnelling technologies to carry IPv6 traffic over IPv4, is needed. This could give rise to misconfiguration and security loopholes.
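The first risk above, a host that speaks IPv6 while only its IPv4 firewall has rules, can be checked mechanically. The script below is an added example, not from the article: it compares constructed iptables-save and ip6tables-save dumps and reports where the IPv6 filter is weaker than the IPv4 one.

```python
"""Audit whether a host's IPv6 INPUT filter mirrors its IPv4 INPUT filter.
Added example; the two dumps are constructed, not taken from a real host."""
import re

# Constructed dumps. IPv4 drops by default and allows only SSH and HTTPS;
# IPv6 was never configured: ACCEPT policy and no rules, so every IPv6
# listener on the box is reachable from the Internet.
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
IPTABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""

POLICY = re.compile(r"^:INPUT (\w+)")
ACCEPT_RULE = re.compile(r"^-A INPUT .*--dport (\d+) -j ACCEPT")

def parse_filter(dump):
    """Return (INPUT chain policy, set of ports explicitly accepted)."""
    policy, ports = None, set()
    for line in dump.splitlines():
        if m := POLICY.match(line):
            policy = m.group(1)
        elif m := ACCEPT_RULE.match(line):
            ports.add(int(m.group(1)))
    return policy, ports

def ipv6_findings(v4_dump, v6_dump):
    """List the ways the IPv6 ruleset is more permissive than the IPv4 one."""
    v4_policy, v4_ports = parse_filter(v4_dump)
    v6_policy, v6_ports = parse_filter(v6_dump)
    findings = []
    if v6_policy == "ACCEPT" and v4_policy != "ACCEPT":
        findings.append(f"IPv6 INPUT policy is ACCEPT while IPv4 is {v4_policy}")
    if v6_policy == "ACCEPT" and not v6_ports:
        findings.append("no IPv6 INPUT rules at all: every IPv6 port is reachable")
    for port in sorted(v6_ports - v4_ports):
        findings.append(f"port {port} is accepted on IPv6 but not on IPv4")
    return findings

if __name__ == "__main__":
    for finding in ipv6_findings(IPTABLES_V4, IPTABLES_V6):
        print("FINDING:", finding)
```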
To conclude, we need to combine technologies and add layered defences to safeguard against network threats. By increasing the number of safety nets, the security vulnerabilities and loopholes become smaller.
This can be done in a cost-effective manner by utilising a simple solution with web security capabilities, such as a unified threat management device.
Wana Tun is the regional technical evangelist at Sophos.