A How-to Guide
By Roger Grimes, IT Security Expert and Author

It's clear that today's traditional defenses aren't working for small- to medium-sized businesses (SMBs). This paper will discuss the different threats facing today's SMBs, talk about why the traditional defenses fail, discuss what does work, and confirm why intelligent application control (a.k.a. whitelisting) is the single best defense that any company can implement to significantly minimize security risk.
September 2011
WP-EN-09-27-11
Overview
It's clear that today's traditional defenses aren't working for small- to medium-sized businesses (SMBs). For two decades, SMBs have been told their best defenses are frequent patching, up-to-date antivirus software, least privilege users, firewalls, and strong passwords. SMBs have been doing their best to implement all these defenses, but sadly, they are still as exploited as ever. Albert Einstein is quoted as saying, "Insanity: doing the same thing over and over again and expecting different results." This paper will discuss the different threats facing today's SMBs, talk about why the traditional defenses fail, discuss what does work, and confirm why intelligent application control (a.k.a. whitelisting) is the single best defense that any company can implement to significantly minimize security risk.
And let's be clear: cyber thieves are stealing tens of millions of dollars every day over the Internet. Who are the criminals and what are their motivations?
Today's Threats
Long gone are the days when our biggest worries were teenage hackers out to prove their online technical skills by developing harmless malware. Today's attacker is much more likely to be a professional criminal out to steal money and/or cause real harm. Professional criminals who used to rob banks and break open mailboxes to steal social security checks and credit cards are finding a better payoff with much less risk by stealing what they need online. If a thief robs a bank, they are lucky to get a few thousand dollars and they have a big chance of going to jail for a significant portion of their life. Online thieves can make off with hundreds of thousands to millions of dollars and very few are ever caught.
IP Theft
Thieves are also motivated by valuable information. Corporate espionage has been a malicious tool used against small businesses. I was personally involved in many cases where stolen information was offered for sale, with proof of possession, to the victim's competitors. Many of these illegal offers only came to light because some competitors were ethical enough to report the offer to the victim and law enforcement authorities rather than take the bad guys up on their offer. I wonder how many competitors either remained silent or took up the offers? Business-like cyber thief gangs, known as Advanced Persistent Threats (APTs), are often present in many networks stealing as much intellectual property (IP) as they can send through the victim's Internet pipes. Many APT experts believe that most companies with significant IP assets are already compromised and being actively exploited. This year, Rhode Island Senator Sheldon Whitehouse put it this way: "Cybercrime has put our country on the losing end of what could be the largest illicit transfer of wealth in world history." The 2011 Verizon Data Breach Investigations Report says 17% of all data breaches were due to trusted insiders, and when insiders were involved, it led to higher monetary loss than from external attacks. Of the approximately 800 data breaches in 2010 examined in the Verizon Data Breach Investigations Report, the highest concentration of attacks was on companies with fewer than 1,000 employees. Hacktivists are often helped by insiders. Much of the information being leaked outside was stolen by previously trusted employees. Many times the compromised insiders are identified and prosecuted, but not before the embarrassing information leak. Some insiders steal information for personal gain (e.g. credit card or medical information), while others are informants paid by outsiders.
Hacktivists
Sometimes cybercriminals only want to embarrass companies by leaking their confidential data and emails. The decentralized hacktivist group Anonymous proved this over and over. Their list of embarrassed victims reads like a Fortune 500 list but also includes dozens of small businesses, law enforcement offices, banks, consultant agencies, and military-related companies.
incidentally, almost every firewall allows outbound HTTPS connections, so firewalls are becoming less relevant with each passing day. Once installed, the programs can take complete control of the exploited PC. They often install a remote backdoor so the human attacker can come visit, load additional malicious software, and steal authentication credentials. Password complexity and length don't mean much because the attacker can capture the password directly using keyloggers or simply replay the credential (or password hash) and create new logons. In this way, one compromised PC leads to easy access to the rest of the network. Malware doesn't even need administrative access to do damage anymore. As least-privilege user security contexts become more popular, malware writers have realized they didn't need administrative access all along. Malware can do anything it wants to do (e.g. steal authentication credentials,
Configuration Management. Configuration Management is the process of configuring and maintaining desired settings. Most computers start out securely configured, but over time become less and less secure. Users disable firewalls and antivirus software to troubleshoot software installation problems and then forget to re-enable them. They ignore patch update prompts, disable password-protected screensavers, and uninstall programs that management intended to provide additional protection. Over time, computers tend to drift. Hackers hate compliance; they love drift. Configuration Management can ensure that PCs are appropriately configured and stay appropriately configured.
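The drift described above can be made measurable by comparing what an endpoint reports against a desired-state baseline. The following is an added example, not Lumension's product code; the baseline, the `key=value` report format, the setting names and the report date are all constructed for illustration.

```python
"""Configuration drift check: compare an endpoint's reported settings against
a desired-state baseline covering the settings the text names (firewall,
antivirus, patch currency, screensaver lock). Constructed example."""
from datetime import date

# Desired state (constructed baseline). Boolean settings must match exactly;
# the two *max_*days* settings are age limits checked against a dated field.
BASELINE = {
    "firewall.enabled": "true",
    "antivirus.enabled": "true",
    "antivirus.signatures_max_age_days": "3",
    "screensaver.password_protected": "true",
    "patching.max_days_since_update": "30",
}
# Age rule -> the dated report field it is evaluated against.
AGE_RULES = {
    "antivirus.signatures_max_age_days": "antivirus.signature_date",
    "patching.max_days_since_update": "patching.last_update",
}
# Constructed agent report in a hypothetical key=value format.
SAMPLE_REPORT = """\
firewall.enabled=false
antivirus.enabled=true
antivirus.signature_date=2011-09-20
screensaver.password_protected=true
patching.last_update=2011-07-15
"""
REPORT_DATE = date(2011, 9, 27)  # day the constructed report was taken

def parse_report(text):
    """Parse key=value lines into a dict, ignoring blank or malformed lines."""
    state = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            state[key.strip()] = value.strip()
    return state

def check_drift(report_text, today=REPORT_DATE):
    """Return {setting: reason} for each baseline setting out of compliance.
    A setting (or its dated field) missing from the report is drift too: an
    unknown state cannot be assumed compliant."""
    observed, drift = parse_report(report_text), {}
    for key, expected in BASELINE.items():
        if key in AGE_RULES:
            field = AGE_RULES[key]
            if field not in observed:
                drift[key] = "not reported"
                continue
            age = (today - date.fromisoformat(observed[field])).days
            if age > int(expected):
                drift[key] = f"{age} days old (limit {expected})"
        elif key not in observed:
            drift[key] = "not reported"
        elif observed[key] != expected:
            drift[key] = f"is {observed[key]!r}, expected {expected!r}"
    return drift

if __name__ == "__main__":
    for setting, reason in check_drift(SAMPLE_REPORT).items():
        print(f"DRIFT {setting}: {reason}")
```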
What Works?
If traditional defenses alone won't work, what does? First, I'm not advocating throwing out the traditional defenses.
Security is not binary. It's not black and white; it's shades of gray.
www.intelligentwhitelisting.com/
Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.
Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA phone: +1.888.725.7828 fax: +1.480.970.6323
www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management