As you embark on 2013 and evaluate your security risks for the coming year, what should not change in terms of your network security focus is data center security.
When asked why he robbed banks, American bank robber Willie Sutton famously replied, “because that’s where the money is.” Data centers are attractive for the same reasons – because that’s where the data (and the source of money) is. How ironic that just years ago, few businesses even had a data center firewall. Today, if you’re consolidating data centers, working on a data center infrastructure refresh or building a private cloud, security needs to be a key part of your data center strategy. The trend for 2013 and beyond will certainly be more data center attacks.
Headlines over the last couple of years have very clearly demonstrated the new world order for attacks. Attacks are now stealthy, sophisticated, multi-vector attacks, and very damaging. The main catalyst for the change has been with the “actors”. As the attacker community evolved from hackers (with aspirations of notoriety) to organized crime members, hacktivists and nation-states, the targets have fundamentally changed.
Specific organizations with important data that could be sold on the black market are now the new targets instead of random businesses. This of course makes strategic business sense in a new world where customer data or the latest proprietary product information could bring significant monetary benefits. In addition, these new set of attackers have more time, more resources and the financial wherewithal to mount more complex, long-term attacks against specific targets, which leads to a qualitative difference in how they operate. The attacks are now longer-term operations that utilize a wide array of tactics, from targeted malware and spyware to phishing attacks and social engineering, in addition to exploits.
The goal of the attacker is now to stay as stealthy as possible so they can continue to exfiltrate data from the compromised network. In some cases, the organizations that have been attacked have not been aware that they have been breached for years. The worst possible example is probably Nortel, which had been breached for almost a decade.
One Phish, Two Phish
Beyond distributed denial of service (DDoS) attacks that bombard a particular organization’s network to take away resources from legitimate users, a more interesting data center attack is the targeted, modern attack. You can call it modern malware, advanced persistent threats (APTs), cyber attacks, or other convenient buzz words, but they operate in a similar manner. They start off with baiting end-users to an application or website containing malicious content. These phishing attacks incorporate customized content based on the individual or organization being targeted, making the links compelling enough to click on. In fact, social media and networking sites provide enough information about users, their behaviors and their likes and dislikes to easily launch phishing attacks.
The application that is downloaded, or the website being visited, now installs a malware on the end-user device. The malware then establishes a backdoor for the user, typically via some remote administration tool (RAT), enabling complete control of the end-user device. Very similar to the placement of American moles during the Cold War, the attacker is now on the inside, and has a much more interesting vantage point to operate. They can record information, manipulate databases, map the internal network, run password sniffing tools, seek additional privileges via other end-users, and establish communications to the command and control. Once the attacker is on the inside, it is also much easier to target the important internal servers in the data center that can be harder to exploit from outside the enterprise network.
The Weakest Link
Many of the organizations who have been attacked utilize comprehensive security technologies. Yet attackers have found a way to penetrate these defenses. This tells us that existing defenses aren’t working and security is being compromised by its weakest link—users in the enterprise.
1. The Human Factor – Via a variety of bad behaviors like weak passwords, negligence of management applications (RDP, Telnet, SSH), and social media oversharing, employees can compromise data center security without meaning to do so. There is no doubt this human factor in security is a challenge and needs to start with comprehensive and clearly understood security and privacy policies. While end-user education and awareness is important, it is insufficient given the uphill nature of that battle. The solution is to balance this with network security best practices: Do not trust, always verify – All users should always be authenticated, and provided least privilege access. In the data center, adopt a positive enforcement model. Positive enforcement means that you selectively allow what is required for day-to-day business operations as opposed to a negative enforcement approach where you would selectively block everything that is not allowed. This means safely enabling user access to specific applications or sub-application functions while inspecting all content for threats. Management applications like RDP, Telnet and SSH should be limited only to IT administrators.
2. Network segmentation – Network segmentation even in flat layer two networks like Ethernet Fabric architectures is critical. Properly segmenting the user to a segment of the data center helps in various ways. It helps to limit the scope of compliance, limit access to vulnerable servers in the network and limit exfiltration of data if you are compromised. Of course, to do this effectively, you need to have visibility of users, applications and content in every segment.
3. Tackle unknown threats – While addressing known threats is well-understood, addressing targeted, unknown threats is a tougher challenge because they are unlikely to hit honeypots in the wild that can provide comprehensive analysis of the malware and its behavior. Most targeted attacks originate from executable files downloaded onto an end-user device. Therefore, inspecting unknown files in the network in a virtual sandbox is a key strategy adopted by security vendors to weed out targeted, unknown malware. What is critical to complement this inspection is the ability to deliver malware signatures and inline enforcement for any malware that is found.
4. Inspect unknown traffic – In a data center, the amount of unknown traffic should be a very small percentage of all traffic. The ability to categorize and inspect unknowns to determine whether they are threats is a critical part of the data center security strategy.
5. Monitoring and logs – Finally, the monitoring of access by users to key applications in the data center is important to provide valuable information of user activity. It also helps detect critical policy violations and security holes.
Some of these best practices are in fact advocated by Forrester Research’s John Kindervag in his Zero Trust Network architecture, and being adopted by many enterprises worldwide. In summary, while end-users and employees in an organization may form the weakest link when it comes to unknowingly opening up businesses to damaging attacks, the strategy to address this may be to look beyond the users, and complement user awareness and training with network security best practices.