Online security is a huge and growing concern for national and international government, with an ever-changing landscape of threats and opportunities to eliminate them. In recent speeches given by US President Barack Obama, UK Prime Minister David Cameron, and a whole host of European leaders, cyber security has been identified as a key part of ensuring safety in a rapidly developing world.
A huge amount of government anxiety about cyber security stems from the very real risk of dangerous cyber-attacks. Obviously for governments, this can include genuine acts of cyber war, critical damage to essential national infrastructure, or even direct attacks on military installations. But in addition to that, some of the most vulnerable parts of a government are the same as your organisation – email, remote access functions, databases, payrolls, mobile data and all the other relatively mundane functions of a network.
Despite all this, businesses aren’t necessarily taking the threat from cyber-attacks as seriously as the government is. IT security personnel, especially senior security staff, must take the cue from world leaders and begin to take very seriously the threat from cyber-attacks. It’s fair to say that some of the IT tools used by companies to increase productivity, efficiency and convenience are precisely the routes that cyber criminals can take to damage the business. With each new addition – the Cloud, BYOD, remote web access – comes a fresh set of responsibilities that IT security personnel must meet. It’s hard to know precisely where to begin with all of this, so we’ve broken it down into distinct elements and then chosen the areas that should be prioritised.
Cyber-attacks that target mobile devices are on the rise, for the simple reason that the use of these devices has also increased dramatically over the past decade. The functions of an ordinary mobile phone are so numerous and sophisticated that a committed hacker or malware attacker could find a user’s handset the easiest way to compromise a company’s security.
We’ve drawn up a list of the Three As of mobile security management:
Apps: Limit access to app stores, because these are some of the main ways developers can target mobile users with malware.
Access: Require a password for Exchange, ActiveSync, wifi, VPN and proxy access. The device must also have a pass code of some sort.
Authorisation: Constantly monitor the network for evidence of unauthorised access.
The recent tendency towards Bring-Your-Own-Device (BYOD) policies can make it even harder for IT security managers to keep a firm grip on sensitive networks. These are devices that are constantly being connected and disconnected from an infinite range of home networks, coffee shop wireless internet, car Bluetooth systems, USB chargers plugged into unfamiliar computers… as well as your own company’s network. Not all BYOD users are fully aware of the vulnerabilities of their devices or of the network – most people are very happy to charge their phone up with whatever comes to hand, even if that’s a sticky USB cable attached to the back of a till in a pub. Users also download apps, which can potentially lead to the device being compromised by unscrupulous developers. And even more concerning, users lend their devices to others – letting your grandson play Angry Birds on a BYOD-enabled iPhone could be a very costly mistake to the business.
Because of these risks inherent in a BYOD workplace, some security managers are calling for it to be wound back. The security issues that it causes are, for some companies, particularly hazardous or simply too costly to mitigate effectively.
DDoS – Distributed Denial of Service
While DDoS attacks frequently make the news, they’re some of the most poorly-understood types of cyber-attack. Governments in particular are concerned because of the rise of ‘Hacktivists’ – cyber criminals whose goals are ideological rather than financial, but who can damage government systems directly. This can range from knocking a government web page offline to politically-motivated attacks on government infrastructure or facilities.
DDoS attacks are relatively simple – attackers use networks of infected computers to hammer a single target with data. By flooding the resources of the targeted network, attackers can slow down or even stop completely whatever they’re targeting. If this is a website, it could be simply taken offline for hours or days. But if it’s a different or more important part of the organisation’s network, the damage could potentially be much more severe.
Ways to defend against DDoS attacks include firewalls, but you’ll need much more than that to be truly effective. A good firewall should combine awareness of applications, users, content and context with network security. It must also integrate Layer 7 application profiling, intrusion prevention, content security, network access protocols and application proxies.
The capabilities of other network components, such as switches and routers, must also be carefully examined. Are they ‘intelligent’ enough to implement their own rate-limiting and access control systems at the appropriate moment?
And on a much more basic level, giving the network enough bandwidth can help defend against DDoS attacks. It makes it much harder for a DDoS attack to be successful, making it less attractive to cyber criminals, and less likely for a DDoS attack to harm the business. Benchmarking day-to-day traffic can help protect against DDoS too because, in the event of a DDoS attack, knowledge of normal and ‘attack’ patterns enables your systems to block the DDoS before it can do any damage.
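The traffic benchmarking described above, sketched as an added example that is not part of the original article: a baseline is built from a normal period and only sustained departures from it are flagged. The sample counts, function names and the k and sustained settings are constructed assumptions, and a robust median/MAD baseline is used here as one reasonable choice.

```python
from statistics import median

# Constructed sample data: requests per minute seen at the network edge.
NORMAL = [120, 131, 118, 125, 140, 122, 129, 135, 119, 127, 133, 124]
OBSERVED = [128, 310, 126, 130, 900, 1450, 2100, 1980, 400, 132]


def build_baseline(counts):
    """Return (median, MAD) for a period of known-normal traffic.

    Median and median absolute deviation are used instead of mean and
    standard deviation so that one odd minute in the benchmark period
    does not inflate what counts as normal.
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def threshold(baseline, k=6.0, floor=1.0):
    """Requests per minute above which traffic is treated as abnormal."""
    med, mad = baseline
    # 1.4826 scales MAD so it is comparable to a standard deviation;
    # the floor keeps the limit above the median on perfectly flat traffic.
    return med + k * max(1.4826 * mad, floor)


def attack_windows(observed, limit, sustained=3):
    """Return (first, last) minute indexes of runs above the limit.

    A run must last at least `sustained` minutes, so a single busy
    minute (a newsletter going out, say) is not reported as an attack.
    """
    windows, start = [], None
    # The trailing 0 is a sentinel that closes a run reaching the end.
    for i, count in enumerate(list(observed) + [0]):
        if count > limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= sustained:
                windows.append((start, i - 1))
            start = None
    return windows


if __name__ == "__main__":
    limit = threshold(build_baseline(NORMAL))
    print(f"limit={limit:.1f} req/min, windows={attack_windows(OBSERVED, limit)}")
```

The flagged windows are what would feed a rate-limiting or blocking rule; the benchmark period should be refreshed as legitimate traffic grows.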
Virtual and Cloud Computing
Cloud computing and Software as a Service (SaaS) have brought untold joy to businesses and employees who were being restricted by physical and virtual environments. But with them come the frustrations and fears of IT administrators who recognise the risks and challenges inherent in the cloud.
Expanding networks into the cloud gives hackers and malware attackers a much larger surface area to aim at. There are so many more interlinking systems to worry about – DropBox and Google Docs are used daily by thousands of companies, but there needs to be a comprehensive security strategy in place to deal with the risks. Even migration from an on-site Microsoft Exchange Server to cloud-based Office 365 comes with a to-do list of security niggles – the email, web browser, VPN and remote working security policies will all need attention before that change is made.
Research commissioned by Barracuda shows that almost a third of respondents thought that managers would sidestep centralised IT departments to purchase cloud technology directly. This will clearly have a negative effect on comprehensive security strategies, as it will ultimately prevent the organisation’s IT security personnel from having any meaningful control over the network. This could be devastating to organisations of all sizes – it’s time to look further ahead at developing policies that actually lay out who is responsible for procuring cloud technologies, and evaluating how they will fit securely into the existing IT provisions of that firm.
Doing All Of This On A Budget
Cloud computing is attractive to businesses because it saves money and resources. The security to make it work effectively and safely, however, can be demanding both in terms of expense and man-hours. IT security budgets are being squeezed, so it’s important to implement these changes in a cost-effective way.
One way to save money is to check for overlapping security solutions on your network, and establish whether any of these can be consolidated into one. This will force an audit of security across the business, and will also help foster a holistic view of the network. And by thoroughly auditing your security provisions, you can identify weak points – and decide what to target next.
For more information on Barracuda and their products, visit our website.