An Information Security Proposition from ixtel

The immense complexity of modern networks and the nature of the threats and attacks make it impossible to secure them completely at all times. As the threats grow more severe, what is the most efficient and cost-effective way for companies to protect themselves? This white paper explores the challenges modern businesses face in balancing the opportunity that the internet represents against the threats to security from network predators.

The evolving threat environment – Every year new technologies, products, even laws are introduced with the aim of improving network security. The overall situation has not improved, however, as the threats continue to keep up with, and sometimes outpace, the introduction of new forms of protection. While many threats in the past have been motivated by a desire to cause damage and disruption, we are now witnessing an increasing shift to more sophisticated attacks by criminal gangs motivated by financial gain. These gangs have significantly more financial and technical resources at their disposal than a hacker operating alone. At the same time, the punishment for online crime is still comparatively lenient.
The fluid and diverse nature of the threats and attacks, coupled with the increasing complexities of today’s networks, makes complete protection impossible.

Although fewer than 10 percent of the attacks on the internet are targeted against a single company, the financial impact on an individual business of a single successful targeted attack will be 50 to 100 times greater than the impact of a purely malicious worm or virus. In addition to the financial implications of a security breach, the range of impacts on an organization may include:

  • Damage to a company’s reputation, and potential legal implications that may result from any failure to protect customer information.
  • Time wasted by employees in deleting spam or struggling with a slow network.
  • Compromised assets, such as wasted bandwidth or damaged machines.
What companies need more than ever from their security providers is stability, and certainly not the pursuit of some mythical preventative technology that enables threats to be avoided. They need acceptance of the situation as it exists: that security will always be relative, and that the paramount need of business is for adequate, effective security that optimally protects an organization’s electronic assets. All security devices are vulnerable to being sidelined by a resourceful attacker. The net result is that security products can’t stop what they don’t recognize as a threat.
Technology in itself will never solve the problem of security; it must be harnessed to human vigilance and expertise.

Building protection within the network infrastructure – Organisations today must connect to the internet for a wide variety of reasons – to publicize their services, deal with customer sales and service inquiries, communicate via e-mail, and for e-commerce transactions and customer support. However, the internet is inherently an insecure and potentially hazardous medium, with threats from hackers, viruses, worms, Trojan horses, and internal threats such as employee sabotage. The impact of these threats on organizations can include loss of productivity and revenue, loss of financially sensitive information, and damage to reputation.
Companies must assess the risk of threats being realized and then put the necessary barriers in place to protect themselves. Such barriers will always include an optimal mix of technology, people and processes. Any element on its own won’t be sufficient to mitigate the risk posed by increasingly sophisticated attackers.

A multilayer approach – Although specific threats to security can be identified and categorized, the reality is that many threats are blended. For example, hackers may distribute Trojan software in a worm or virus in order to add a PC to a botnet (a collection of software robots) and use it to send spam.

Failure to protect against one type of threat can result in the organization being exposed to another. For instance, failure to prevent employees’ illicit surfing can lead to their downloading spyware or peer-to-peer software, or being exposed to sites hosting spyware-infected pages or downloads.
As the threat is both fluid and blended, it is important to have a multilayer approach to protection. The exact form of protection will vary between sites, depending on their size, complexity of the operating environment, and company electronic assets exposed to potential attacks. ixtel’s view is that optimal flexibility is needed to respond to the demands for protection that each customer site or remote user places on technology and associated processes.
Companies must assess the risk of internet security threats, and then put the necessary barriers in place to protect themselves.

Combating internal threats is as important as mitigating external attack risk – A growing proportion of both threats and actual attacks on an organization’s electronic assets comes not from external sources, but from inside an organization. Employees, contractors and other staff who have access to a company facility or remote computer can inflict damage to an organization’s electronic assets if there are inadequate defenses. Many “inside” attacks go unnoticed until the damage to the business has already been inflicted.
Proactive monitoring, event correlation, and threat response should be applied to security and non-security devices such as servers, desktop PCs, routers, etc. This allows both internal and external events considered to be “unusual” in nature to be reported and investigated immediately. Often such incidents involve access to servers either at unusual times or by unauthorized users. Without the proactive security monitoring of such non-security devices, these events would not trigger any response. Thus an effective security posture should always cover both internal and external threats, and both security and non-security devices.
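
The monitoring described above (flagging access at unusual times or by unauthorized users on non-security devices, then correlating the results) can be sketched as follows. This is an added example, not ixtel's code; the log format, device names, user lists and working hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed policy (assumption): permitted users per device and working hours.
AUTHORIZED = {
    "fileserver01": {"alice", "bob"},   # server
    "router-core": {"netops"},          # router
    "hr-desktop-07": {"carol"},         # desktop PC
}
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed login events, hypothetical "timestamp host user" format.
SAMPLE_LOG = """\
2024-03-04T09:15:02 fileserver01 alice
2024-03-04T02:41:37 fileserver01 bob
2024-03-04T10:05:11 router-core mallory
2024-03-04T23:58:40 hr-desktop-07 mallory
2024-03-04T14:20:00 lab-printer carol
garbled entry
"""

def findings(log_text):
    """Return (host, user, reasons) for every event an analyst should review."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, (host, user) = datetime.fromisoformat(parts[0]), parts[1:]
        except (ValueError, IndexError):
            out.append((None, None, ["unparseable"]))  # never drop silently
            continue
        reasons = []
        if host not in AUTHORIZED:
            reasons.append("unknown-device")
        elif user not in AUTHORIZED[host]:
            reasons.append("unauthorized-user")
        if not WORK_START <= ts.time() < WORK_END:
            reasons.append("off-hours")
        if reasons:
            out.append((host, user, reasons))
    return out

def correlate(found):
    """Users flagged on two or more devices: one incident, not separate alerts."""
    hosts = defaultdict(set)
    for host, user, _ in found:
        if user:
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}
```
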

ixtel advocates a layered approach to protection – The essential elements of ixtel’s defense-in-depth approach involve:

  • Firewalls on the perimeter of the network (in a best-practice firewall solution, the firewalls are sourced from different suppliers, so that both firewalls cannot be exploited in the same way).
  • Intrusion detection systems (IDS) and Intrusion prevention systems (IPS) at strategic places in the network.
  • Monitoring, event correlation and threat response across an optimal range of security and non-security devices backed by skilled security analysts.
  • Remote access or wireless/mobile access via strong authentication over a VPN connection.
  • Anti-virus protection and proxy caching.
  • Network-based prevention against distributed denial of service (DDoS) attacks.
  • Vulnerability scanning and assessment tools.
  • Machine log storage for compliance and investigation purposes.
  • All of the above would be backed up by rigorous audit and test procedures.

Conclusion – Technology alone will never solve the problem of security. Technology must be harnessed to human vigilance and expertise. The key is detection and response, and therefore it is critical for companies to invest in network monitoring services. The most effective solutions integrate capability and components from a number of vendors.
To arrange their own security in the most cost-effective, flexible manner, companies should work in partnership with MSSPs who offer a holistic set of capabilities. These partnerships will be crucial in enabling businesses to protect complex distributed IT environments on static budgets.
ixtel practices a layered approach to protection, placing multiple barriers in the way of potential attacks into the network. A centralized and standardized managed security service, such as ixtel’s Managed Security Service, provides a safe and secure corporate infrastructure that maintains and supports compliance against key regulatory requirements as well as offering greater control of budgets.