Traditional security is not stopping network attacks
(22/01/2009)
Gone are the days when we could use the castle and moat analogy to describe the way the network perimeter protected a company’s internal resources from external threats. Now, it’s far more complicated. There are bridges, ladders and tunnels through the moat, as laptops, desktops, and guest users move in and out of the network perimeter, bringing unknown security risks and issues.
On average, small to medium businesses have spent 12 to 15 per cent of their IT budget on information security, which is a very high proportion, but they are still experiencing issues. According to a recent white paper by former Meta Group analyst Mark Bouchard, these investments have not improved security. In recent studies, 98 per cent of companies have implemented anti-virus software, 97 per cent have implemented firewalls, and 84 per cent have implemented VPNs, and yet:
• 78 per cent have experienced one or more security incidents in the past year
• 42 per cent do not believe their networks are secure
• And the average loss due to cybercrime was $350,000
Traditional security measures, like the firewall or even anti-virus solutions, are no longer sufficient given the proliferation of mobile computing, the changing threat landscape, and the continual update cycle users must adhere to.
In fact, users who fail to keep their computers patched and up to date may well be the weakest link in the chain. Even with the most vigilant security policies, requiring users to maintain anti-malware on their computers, download the latest signatures, and update their OS with patches from Microsoft and Apple, many users are simply choosing not to do so.
Even when an organisation has a security policy mandate that requires users to keep their computers up to date and patched, it probably has no way of enforcing it.
It’s understandable that many users are not keeping up with the continual update cycle, what with the seemingly constant flow of in-band and out-of-band security patches. A survey found that over half of SME organisations had computers on their network without a patched operating system or did not know if the systems were updated - even if this was required by policy.
This is not an issue of ignorance. Most IT managers admit that keeping computers up to date is one of their biggest concerns with their mobile workforce and most have security policies in place that require users to download the latest updates when they are released.
The top two challenges facing IT managers around securing mobile devices, such as laptops, were making sure the anti-malware is enabled and updated and making sure the OS is updated.
But this lack of control cannot be down to a recent shift in working habits either. Mobile devices and working from ‘anywhere’ are not new phenomena, even though we are seeing these trends increase each year. We’ve had laptops for years, and I’m sure many of you are quick to point to your SSL VPN deployment, which makes sure your mobile workers are kept secure during remote access to network resources.
But what do you do when those workers return to the office? If you’re like most companies, you let them plug right into the network without any type of endpoint assessment or compliance check, even though you really don’t know the health state of their computer, where it’s been, or what it’s hoping to access.
Network access control solutions (also known as NAC) have provided some answers to this challenge. NAC attempts to resolve the firewall fallacy by enforcing security at the time of network access. NAC was designed to help mitigate attacks, by stopping malware and other threats before they spread across the network.
NAC achieves this through four key functions:
1. Enforcing the identity of the user and device attempting access
2. Checking the health of the device, which can include a myriad of different policies checks, such as firewall enabled, OS patched, anti-virus enabled and updated, etc.
3. Providing conditional and granular access, which can include placing non-compliant devices into probation or quarantine, forcing remediation, or limiting access to the Internet.
4. Ongoing monitoring and reporting, to provide some level of visibility into the state of the network and computers/users on it, auditing, and reports.
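To make the four functions concrete, here is an added example (not code from the article or from any NAC vendor) of a minimal posture evaluator: it checks the identity of the user and device, checks the device's health against freshness thresholds, maps the result to full access, quarantine (remediation only) or deny, and writes an audit line for each attempt. Every user name, device id, date and threshold in it is constructed sample data, and the seven-day signature and thirty-day patch limits are assumed policy values, not figures from the article.

```python
# Added example (not from the original article): a minimal NAC-style posture
# evaluator covering the four functions listed above. Every user name, device
# id, date and threshold below is constructed sample data, not a real policy.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


@dataclass
class Posture:
    """What an endpoint agent reports when the device asks for network access."""
    user: str
    device_id: str
    firewall_enabled: bool
    av_enabled: bool
    av_signature_date: date   # date of the newest anti-virus signature set
    os_patch_date: date       # date the OS was last patched


@dataclass
class Policy:
    """Corporate NAC policy: who may connect and how fresh updates must be."""
    known_users: Set[str]
    known_devices: Set[str]
    max_signature_age_days: int = 7    # assumed threshold
    max_patch_age_days: int = 30       # assumed threshold


@dataclass
class Decision:
    access: str                          # "full", "quarantine" or "deny"
    failures: List[str] = field(default_factory=list)


# Function 1: identity of user and device. Unknown on either count is a hard deny.
def check_identity(p: Posture, policy: Policy) -> List[str]:
    failures = []
    if p.user not in policy.known_users:
        failures.append("unknown user")
    if p.device_id not in policy.known_devices:
        failures.append("unregistered device")
    return failures


# Function 2: device health against the checks the article names.
def check_health(p: Posture, policy: Policy, today: date) -> List[str]:
    failures = []
    if not p.firewall_enabled:
        failures.append("firewall disabled")
    if not p.av_enabled:
        failures.append("anti-virus disabled")
    elif (today - p.av_signature_date).days > policy.max_signature_age_days:
        failures.append("anti-virus signatures stale")
    if (today - p.os_patch_date).days > policy.max_patch_age_days:
        failures.append("OS patches out of date")
    return failures


# Function 3: conditional access. Identity failures deny outright; health
# failures put the device in quarantine, where it can reach only remediation
# services (patch and signature servers) until it passes a re-check.
def evaluate(p: Posture, policy: Policy, today: date) -> Decision:
    identity_failures = check_identity(p, policy)
    if identity_failures:
        return Decision("deny", identity_failures)
    health_failures = check_health(p, policy, today)
    if health_failures:
        return Decision("quarantine", health_failures)
    return Decision("full")


# Function 4: one monitoring/audit record per access attempt.
def audit_line(p: Posture, d: Decision, today: date) -> str:
    return (f"{today.isoformat()} user={p.user} device={p.device_id} "
            f"access={d.access} failures={';'.join(d.failures) or 'none'}")


# Constructed sample data: four devices plugging in on the article's own date.
TODAY = date(2009, 1, 22)
POLICY = Policy(known_users={"alice", "bob", "carol"},
                known_devices={"LT-001", "LT-002", "LT-003"})
SAMPLE_DEVICES = [
    Posture("alice", "LT-001", True, True, date(2009, 1, 20), date(2009, 1, 5)),
    Posture("bob", "LT-002", False, True, date(2009, 1, 1), date(2008, 12, 1)),
    Posture("carol", "LT-003", True, False, date(2009, 1, 21), date(2009, 1, 10)),
    Posture("visitor", "GUEST-PC", True, True, date(2009, 1, 21), date(2009, 1, 21)),
]


def run_sample() -> Dict[str, Decision]:
    """Evaluate every sample device; returns device id -> decision."""
    return {p.device_id: evaluate(p, POLICY, TODAY) for p in SAMPLE_DEVICES}


def sample_audit_log() -> List[str]:
    return [audit_line(p, evaluate(p, POLICY, TODAY), TODAY) for p in SAMPLE_DEVICES]


if __name__ == "__main__":
    for line in sample_audit_log():
        print(line)
```

Run as a script it prints one audit line per device: the fully patched laptop gets full access, the two laptops with a disabled firewall, stale signatures, missing patches or disabled anti-virus land in quarantine with the specific failures recorded, and the guest machine with an unknown user and unregistered device is denied before its health is even considered. Real products enforce the decision by assigning a VLAN or applying an ACL at the switch or VPN concentrator; the evaluator above only produces the decision.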
There are numerous available NAC products and frameworks, and unfortunately, early solutions in the market suffered from high complexity and cost, requiring a great deal of back-end infrastructure, network changes, and end-user training. As the market matures, companies now have more options, including plug and play appliances or even NAC management services in the cloud.
Microsoft and its Network Access Protection (NAP) technology is worth looking into. While NAC is not a panacea, it does resolve many of the security problems facing companies today, and when matched with your existing anti-malware, anti-spam, network firewall, and other security solutions, it adds a layer of defense needed in this time of increased threats.
Without it, you may be faced with the high cost of a network attack, including downtime, lost productivity, lost revenues, and damaged corporate reputation. According to Infonetics Research, the cost of a network breach could cost as much as $225,000 for a medium sized company, and the biggest cause of an attack is malware.
There are several things IT departments can do to make sure they have the policies and processes in place to control the health of computers on their network.
Establish a clear security policy:
You can criticise your employees for being reckless when it comes to security, but if your company does not have a security policy, then you are as much to blame as they are. Either invest in a new one or update and improve an existing strategy, get it approved by the CEO and head of IT, and then implement it.
A good security policy includes many areas of company security, including guidelines on the kind of software allowed on corporate laptops and mandatory solutions, such as anti-virus. There should also be clear security policies about Internet use and which websites should and should not be visited while on the corporate network.
Communicate the security policy to all employees
Once you have a security policy in place, make sure all employees are educated about it from the very beginning. Offer training sessions to encourage greater understanding and co-operation, and make information about it easily available - post it on the company Wiki, SharePoint sites or Intranet.
Implement a security alias or hotline
This is for employees to contact if they have a security question or crisis. Many companies do this outside the normal help desk operation to make sure that high-risk security situations get top priority. The key is to make it as simple as possible for staff to report a problem, so that the company can easily rectify it.
Take a layered security approach
Defence in depth is a term we’ve heard a great deal over the past few years, but the strategy behind it remains sound. IT departments for all kinds of organisations need to view and manage security across the infrastructure, including at the end point (laptops, desktops, and mobile devices), at the server level and at the network edge.
Deploy network access control (NAC)
Organisations need to bring the various policies under one umbrella to ensure that all of the different strategies can be implemented successfully. This will allow the company to make proactive (not reactive) decisions. NAC solutions inspect the end point before the device logs on to the network to ensure it meets the company’s corporate policy.