Search the Community

Defense in depth is dead. The way you’re thinking about data center security is outdated. Security started changing long before Sony, Target and the others got hacked. The problem starts with your perimeter. During a conversation with Pete Lindstrom of IDC, we paused to consider the state of defense in depth. “Circling wagons is just impossible,”Pete said. “With apps strewn across the internet, if a corporation thinks they can build perimeter around all their apps then they are nuts.” By expanding the definition of cloud computing to include cloud-based accounting, CRM, email services, and development tools, people discover that their organizations have been using cloud for years, without fully realizing it. In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud. In Europe, adoption is also growing but at a slightly slower rate, with 19% of EU enterprises using cloud computing in 2014, according to the European Union‘s Eurostat. Bottom line: more enterprise data is living outside of the protected data center. When your definition of defense in depth is adding layers of security to the data center perimeter and physical data segmentation, modern cloud applications are indeed insecure. Instead, the enterprise should focus on the application, data, and user as the important security layers. In a 2015 report from Accenture and the Ponemon Institute, the authors note that proactive organizations are prioritizing network traffic anomalies, identifying vulnerabilities and limiting unauthorized data sharing, while the “static” companies focus on employees’ device security and data backup. Let’s examine the Sony Pictures hack. The Sony hackers gained access through former employees’ accounts, and easily cracked the perimeter. The real damage occurred once they exploited the weak internal network security. All the critical applications – email servers, accounting data, and copyrighted motion pictures – were all connected “on a wire” inside the corporate network. The perimeter-heavy, fortify-the-exterior approach to security is indeed dead. In fact, when it fails to stop cybercrime, this strategy can cost you upwards of $100M. Each enterprise application should be considered critical and deserves its own perimeter inside any network environment. With Sony, or any organization, critical data means all data. For a manufacturer, critical data might be product designs as well as the obvious accounting and customer data. Plus, nearly 85% of insider attacks or “privilege misuse” attacks used the target enterprises’ corporate local area network (LAN), according to a 2014 Verizon security report. To truly guard and protect an application, enterprises need to control all data and network traffic via secure, encrypted switches at every layer within a network. Defense shouldn’t end at the data center pediment, but extend down to each individual application. Monitored access, encryption, and application-specific firewall rules can all but eliminate malicious “east/west” movement inside a network. This approach to application-specific defense in depth continues the concept of physical segmentation into “application segmentation.” Each application owner within an organization can dictate how traffic flows to each application server through an encrypted network switch. When data passes through a secure application perimeter, application owners can easily monitor and isolate traffic and prevent unauthorized access. Even with only basic interior firewall rules, this enterprise can protect themselves from a Sony-style data exploit. Source

Talk about determination. Hackers strung together zero-day vulnerabilities in Flash and Internet Explorer and then compromised Forbes.com so that the attacks would compromise financial services and defense contractor employees visiting the site, researchers said. The November breach of Forbes compromised the Thought of the Day page that is displayed briefly upon visiting the site. The page downloaded attack code exploiting a vulnerability in what then was a fully updated version of Adobe Flash. To bypass Address Space Layout Randomization—a mechanism built into Flash and many other applications to make drive-by attacks harder—the Forbes page downloaded a second attack. The latter attack exploited a then-zero-day vulnerability in IE that allowed the Flash exploit to successfully pierce the exploit mitigation defense. From start to finish, the attack took about seven seconds. "In the world of cyber threats, the chained 0-day exploit is a unicorn—the best known attack with chained 0-days was the Stuxnet attack allegedly perpetrated by US and Israeli intelligence agencies against Iran's nuclear enrichment plant at Natanz as part of an operation known as Olympic Games," a blog post detailing the attack explained. "Given the highly trafficked Forbes.com website, the exploit could have been used to infect massive numbers of visitors." Instead, only visitors from US Defense and financial services firms were hacked. Adobe patched the Flash vulnerability, designated as CVE-2014-9163, in early November. Microsoft fixed CVE-2015-0071 on Tuesday. The Forbes.com compromise is believed to have started in late November and lasted for a few days. The incident, which was uncovered by researchers from security firms Invincea and iSIGHT Partners, underscores the ingenuity and determination of today's hackers. Any one of the key ingredients of the hack—the Flash bug, the IE flaw, or the compromise of Forbes.com—wasn't enough to penetrate the defenses of defense contractors or financial services firms. But by stringing them together, the attackers were able to achieve their goals. It also helps explain why even minor software flaws that don't by themselves allow for remote code execution—for instance an escalation of privilege bug or a disclosure flaw—nonetheless pose a significant threat to end users. Source