Hacking Goes Mainstream, Part II – Protecting Your Network

In our previous post, Hacking Goes Mainstream, we explored the growing size and scope of Denial of Service attacks and malware threats to poorly protected networks. Since that article was published two weeks ago, additional high-profile cases have appeared as headlines, including USA Today, NBC, Sony Pictures, Santa Cruz County and Harvard’s web site. Another article that didn’t get quite as much coverage, U.S. govt concerned at hacking of Japan arms firms, highlights the lack of security at small and medium-sized defense contractors that hold valuable and dangerous data. Experts have often warned that small and medium-sized companies are especially vulnerable because they lack security resources and assume that their size makes them an undesirable target. In this article we’ll take a deeper dive into these topics and review security strategies that every company should consider, no matter its size.

The most difficult variable to deal with when addressing the prevention of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks is bandwidth utilization. By nature, these attacks exploit the fact that bandwidth is expensive: by distributing the load across many attacking hosts, the bottleneck at the victim’s Internet connection can be overwhelmed many times over. Aside from unlimited bandwidth, which never makes financial sense, there are some steps that can be taken to mitigate the impact of a DoS attack. Businesses can start by using the ip verify unicast reverse-path interface command (unicast Reverse Path Forwarding, or uRPF) on the upstream end of the connection. If the packet's source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet. That means that if a specific attack depends on source IP address spoofing (Smurf attacks, for example), this feature will stop it. Note that this strict mode assumes symmetric routing; on interfaces where return traffic legitimately takes a different path, a looser mode or a different check is needed to avoid dropping good traffic. Another, more common tactic is to filter all RFC 1918 address space at the network edge and to apply ingress and egress filtering using access control lists or a stateful firewall. It is also a best practice to rate limit ICMP and SYN packets. This will stop some of the more common attacks like a SYN flood. Finally, there are a number of Managed Security Service Providers who have deployed solutions that proactively monitor connections for DoS activity and use the provider’s massive bandwidth availability to mitigate the impact of even the largest attacks. Windstream’s Network Firewall takes advantage of this philosophy.
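The three router-side checks described above (strict uRPF, filtering RFC 1918 sources arriving from the Internet, and rate limiting SYN and ICMP packets) are easier to reason about when the decision logic is written out. The following is an added Python model of that logic; it is not Windstream's code nor a vendor's implementation. The routing table, interface names (wan0, lan0), addresses (documentation ranges) and rate thresholds are all constructed for the example, and the uRPF model treats the default route as a valid reverse path, a simplification that real routers expose as a configuration option.

```python
import ipaddress

# Constructed routing table for a small edge router: prefix -> outgoing interface.
# "wan0" faces the ISP; "lan0" faces the organisation's own 203.0.113.0/24 (documentation range).
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "lan0",
    ipaddress.ip_network("0.0.0.0/0"): "wan0",  # default route toward the Internet
}

# RFC 1918 private ranges: traffic from the Internet should never carry these as sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_path_interface(src):
    """Longest-prefix match: the interface the router would use to send traffic back *to* src.
    Assumption for this model: the default route counts as a valid reverse path."""
    best_net, best_iface = None, None
    for net, iface in ROUTES.items():
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_ok(src, arrival_iface):
    """Strict uRPF: accept only if the route back to the source leaves via the arrival interface."""
    return reverse_path_interface(src) == arrival_iface


class TokenBucket:
    """Packet-rate limiter: refills `rate` tokens per second, holding at most `burst` tokens."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PacketFilter:
    """Applies the checks in order: bogon source, uRPF, then SYN/ICMP rate limits."""

    def __init__(self, syn_pps=10, icmp_pps=10, burst=5):
        self.syn_limit = TokenBucket(syn_pps, burst)
        self.icmp_limit = TokenBucket(icmp_pps, burst)

    def check(self, pkt):
        """pkt is a constructed dict with src, iface, proto, optional flags, and t (seconds).
        Returns ("permit", None) or ("drop", reason)."""
        src = ipaddress.ip_address(pkt["src"])
        iface = pkt["iface"]
        if iface == "wan0" and any(src in net for net in RFC1918):
            return ("drop", "rfc1918-source-from-internet")
        if not urpf_ok(src, iface):
            return ("drop", "urpf-fail")
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S" and not self.syn_limit.allow(pkt["t"]):
            return ("drop", "syn-rate-limit")
        if pkt["proto"] == "icmp" and not self.icmp_limit.allow(pkt["t"]):
            return ("drop", "icmp-rate-limit")
        return ("permit", None)


def demo():
    """Run a constructed packet trace through a fresh filter; returns [(src, iface, verdict)]."""
    trace = [
        {"src": "198.51.100.7", "iface": "wan0", "proto": "tcp", "flags": "A", "t": 0.0},  # normal reply
        {"src": "203.0.113.5", "iface": "lan0", "proto": "udp", "t": 0.0},                # our own host
        {"src": "203.0.113.5", "iface": "wan0", "proto": "udp", "t": 0.0},                # spoofed as us
        {"src": "10.1.2.3", "iface": "wan0", "proto": "icmp", "t": 0.0},                  # private src from ISP
    ]
    # A burst of SYNs from one source at the same instant; only the first `burst` of them pass.
    trace += [{"src": "198.51.100.7", "iface": "wan0", "proto": "tcp", "flags": "S", "t": 0.1}
              for _ in range(8)]
    pf = PacketFilter()
    return [(p["src"], p["iface"], pf.check(p)) for p in trace]


if __name__ == "__main__":
    for src, iface, verdict in demo():
        print(f"{src:>14} via {iface}: {verdict}")
```

The ordering matters: the cheap bogon check runs first, uRPF second, and the rate limiters last so that spoofed packets never consume tokens that legitimate bursts need. A real deployment would apply the same checks per interface and tune the thresholds to the link's normal SYN and ICMP rates rather than the small constructed values used here.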

Malware prevention is a strategic endeavor involving a number of different solutions, each designed to address a specific threat vector and deployed in such a way that together they effectively protect a given network. Network architects and security engineers have to consider the most common ways that malware infects a network. At a high level, these are infection through employee web activity, infection through e-mail phishing, and infection through the introduction of outside hardware such as USB drives. Security professionals must address each: implement conservative web acceptable use policies that can be upheld in a scalable fashion using up-to-date technology; create a healthy e-mail environment by applying stringent filtering rules and encryption; and mitigate outside infection with a data loss prevention strategy that reduces threats while still allowing employees to easily accomplish the daily tasks required for general business. Once these three common vectors are addressed, it is important that the security professional has a way to monitor activity on the network as a failsafe. Intrusion Detection and Prevention (IDS/IPS) has proven to be the most effective way of doing this. IDS and IPS systems monitor incoming and outgoing traffic for the propagation of malware; an IDS raises an alert, and an IPS sits inline and stops the traffic before a breach can affect the rest of the network. By layering prevention strategies and mitigation systems, security professionals can greatly reduce the threat of malware to your business.
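The monitoring role described above is easiest to see with a concrete detection rule run over traffic records. The following is an added Python example, not Windstream's product nor any IDS engine's code, that applies two simple rules to constructed flow records: one flags a host that reaches many distinct internal hosts on the same port within a short window (the fan-out pattern of a worm spreading), the other flags any contact with an address on a blocklist. The flow lines, the blocklist entry and the threshold are all constructed for the example; the blocklisted address is a placeholder, not a real indicator.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): "timestamp src dst dport proto".
# 192.168.1.10 sweeps its neighbours on tcp/445 the way a worm does, 192.168.1.11 browses
# normally, and 192.168.1.12 contacts an address on the constructed blocklist.
FLOW_LINES = """
2011-10-20T09:00:01 192.168.1.11 203.0.113.10 443 tcp
2011-10-20T09:00:02 192.168.1.10 192.168.1.20 445 tcp
2011-10-20T09:00:02 192.168.1.10 192.168.1.21 445 tcp
2011-10-20T09:00:03 192.168.1.10 192.168.1.22 445 tcp
2011-10-20T09:00:03 192.168.1.11 203.0.113.11 443 tcp
2011-10-20T09:00:04 192.168.1.10 192.168.1.23 445 tcp
2011-10-20T09:00:04 192.168.1.12 198.51.100.200 443 tcp
2011-10-20T09:00:05 192.168.1.10 192.168.1.24 445 tcp
2011-10-20T09:00:05 192.168.1.10 192.168.1.25 445 tcp
2011-10-20T09:00:06 192.168.1.10 192.168.1.20 445 tcp
""".strip().splitlines()

BLOCKLIST = {"198.51.100.200"}  # constructed placeholder indicator, not a real IoC


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def detect(lines, fanout_threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, src, detail) tuples, in the order they fire.

    - blocklist-contact: any flow whose destination is on BLOCKLIST.
    - lateral-fanout: a source reaching >= fanout_threshold distinct *internal* hosts on one
      destination port within `window`; emitted once per (source, port).
    """
    alerts = []
    recent = defaultdict(list)  # (src, dport) -> [(ts, dst)] seen inside the window
    fired = set()
    for flow in map(parse_flow, lines):
        if flow["dst"] in BLOCKLIST:
            alerts.append(("blocklist-contact", flow["src"], flow["dst"]))
        if not ipaddress.ip_address(flow["dst"]).is_private:
            continue  # fan-out rule only counts internal destinations
        key = (flow["src"], flow["dport"])
        recent[key].append((flow["ts"], flow["dst"]))
        recent[key] = [(t, d) for t, d in recent[key] if flow["ts"] - t <= window]
        distinct = {d for _, d in recent[key]}
        if len(distinct) >= fanout_threshold and key not in fired:
            fired.add(key)
            alerts.append(("lateral-fanout", flow["src"], flow["dport"]))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(FLOW_LINES):
        print(f"ALERT {kind}: {src} -> {detail}")
```

In an IDS deployment these alerts would go to an analyst or a SIEM; in an IPS deployment the same rule would drop or reset the offending flows inline. The fan-out threshold and window are the tuning knobs: too low and file servers or vulnerability scanners trigger it, too high and a slow-spreading infection goes unnoticed.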

Although it may be impossible to fully make up for the damage that hacking incidents cause, you can certainly prevent them.