From Threat Detection to Information Protection
June 1, 2007
Driven by the age-old lure of easy money, many of today’s criminals are using high-tech cyber attacks to commit identity theft and financial fraud to line their pockets.
The technological capability of malware developers has grown to the point where malware can be effectively used to steal information from infected computers. Targeted attacks and social engineering are being used in conjunction with advanced malware to compromise computers at homes and offices around the world, enabling these high-tech versions of well-known crimes.
Malware can be loosely defined as any software program that is not operating in direct or indirect support of the intended mission of the computing system it runs on. Certain forms of malware known as keystroke loggers, screen-scrapers and session recorders are able to capture operator input and system data and deliver it to some other computer over the Internet, where valuable personal or company information can be harvested from the vast fields of captured data.
COMPROMISES SPELL TROUBLE
Today’s attacks usually begin with technically or socially clever schemes that compromise computers with malware. In simple terms, compromised computers spell T-R-O-U-B-L-E. Keeping network-attached computers safe from compromise is a significant part of the chief security officer’s and chief information officer’s job. From a technology perspective, most experts agree that protecting computers from compromise requires both computer-based and network-based measures. Host-based software such as personal firewalls and anti-malware software is a necessary part of safe computer use. Network-based technologies like firewalls, intrusion detection systems and intrusion prevention systems can play a key role in securing the infrastructure.
In the past 10 years, we have witnessed the evolution of network-based security from “keeping the bad guys out” with firewalls, to “seeing what’s getting through the firewall” with intrusion detection systems (IDS), to “keeping the bad stuff out” using state-of-the-art technology like intrusion prevention systems (IPS).
This evolution of network-based protection technology has been driven by the need to keep pace with the evolving threat landscape. The current state of the art, using high-performance network IPS technology to identify and block threats, can be very effective in reducing the likelihood that protected computers are compromised. However, IDS and IPS technology generally share one common characteristic that may limit their ultimate effectiveness: they are focused on identifying malicious and/or harmful network transactions and stopping them.
IDC Research recently issued a report that found technologies such as intrusion detection systems are only spotting 70 percent of intrusions. Even taking the logical step of using intrusion prevention systems to stop these intrusions is clearly not going to be 100 percent effective. Security experts will correctly point out that security is best implemented through education, process and a layered approach to technology.
INFORMATION PROTECTION MINDSET
Looking forward, organizations will be best served by expanding their viewpoint beyond threat detection towards information protection.
Implementing strict policies on encryption and where critical information resides can reduce risks associated with physical loss issues such as laptop or backup tape theft. Implementing strict authentication and access controls can reduce risks from insider threats and inappropriate access to sensitive company or customer information. Implementing organization-wide document classification processes can provide a basic infrastructure within which information protection policies can be enforced.
As organizations enhance their network security infrastructure, they should look to technologies that go beyond threat-detection-based approaches and toward true information protection. Intrusion prevention systems that provide not only access controls and threat protection, but also enforce strict acceptable-application-usage policies and even document control policies, will lead the way towards successful information protection.
The significant rise in 2007 of sophisticated, targeted threats, the continued discovery of vulnerabilities in commercially deployed software and the high-profile losses of sensitive customer and employee information are shouting out to all security professionals to expand their viewpoint beyond threat detection and towards information protection. Organizations should consider further education for their users, new information protection policies and additional technology solutions such as intrusion prevention systems and information leakage protection solutions.