Although vital to an enterprise's data protection strategy, network security is sometimes overlooked during IT upgrades. Accordingly, aging technologies such as VPN and legacy firewalls end up being the tentpoles of cyber defense, even as the surrounding threat environment continues to evolve with advanced persistent threats and new types of malware.
The 1990s are still going on: Outdated network security tools remain in widespread use
This atrophying of network security capabilities is not that surprising, especially when one considers how long similarly outdated platforms such as Microsoft Windows Server 2003 have remained fixtures of enterprise IT. Of course, organizations face many obstacles as they attempt to move on and modernize network security. These hurdles range from budgetary constraints and shortages of experienced security personnel, to their widespread dependencies on older infrastructure and lack of awareness of the most relevant threats.
The VPN example
Moreover, the outdated tools that many security teams depend on day in and day out are risky not simply because of their age, but also because of their basic design. VPNs and decades-old access control mechanisms emerged at a time when the public Internet was just beginning to come into view. Let's consider VPN for a moment to get a sense of how disconnected many still-popular network security tools are from today's issues.
VPN was enabled by innovations in the 1980s and 1990s, like the dial-up modem, frame relay and packet switching technology. While it is now most commonly associated with secure communications across the Internet, it was actually designed to work over virtually any telecommunications infrastructure, underscoring its age. The Internet just happened to end up being the most convenient medium.
New threats require a fresh approach to network security
Flash-forward to 2015 and one can see the abundance of sophisticated Web threats that would have been hard to conceive, not to mention technically impossible to execute, at the time of VPN's inception. VPN is still important and useful, but it can no longer be the security centerpiece, given that enterprises now have to stay ahead of issues like:
Recent insider-led breaches at Amtrak in the U.S. and Benesse in Japan have highlighted what can go wrong if sufficient access controls and other safeguards are not in place. Enterprises that rely on yesterday's defenses run the risk of putting record amounts of information (the cloud and high-capacity local storage have helped swell the amount of data that companies keep on hand) in harm's way.
In a post last December, Trend Micro senior threat researcher Jim Gogolinski recommended a combination of technical and procedural actions to curb the risk of insider threats. Thorough network activity logging, proper access controls and careful management of employee privileges are all worthwhile approaches to staying on top of network security.
Advanced persistent threats
Advanced persistent threats are "low and slow"-style attacks that may first infiltrate the enterprise network through something as simple as an email phishing scam. Afterwards, they may sit on the network for months or even years, concealing their activities while lifting and exfiltrating sensitive data.
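Because "low and slow" implants check in with their operators on a schedule rather than in bursts, one detection approach is to look for connection pairs with unusually regular inter-arrival times. The block below is an added example, not code from the original post or from Trend Micro; the proxy log format, the sample lines (including the constructed external address 203.0.113.7) and the jitter threshold are assumptions.

```python
"""Find regularly spaced, low-volume connections (beaconing) in a proxy log.

Added example, not from the original post. The log format, the sample
lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <internal src> <destination> <bytes>".
# 10.1.2.3 browses normally, but also reaches 203.0.113.7 roughly every
# five minutes with a tiny payload: the check-in pattern of a quiet implant.
SAMPLE_PROXY_LOG = """\
2015-03-05T08:00:00 10.1.2.3 203.0.113.7 310
2015-03-05T08:01:00 10.1.2.3 news.example 55000
2015-03-05T08:01:07 10.1.2.3 news.example 48210
2015-03-05T08:03:40 10.1.2.3 news.example 120500
2015-03-05T08:05:02 10.1.2.3 203.0.113.7 305
2015-03-05T08:09:58 10.1.2.3 203.0.113.7 312
2015-03-05T08:12:15 10.1.2.3 news.example 9900
2015-03-05T08:13:02 10.1.2.3 news.example 80100
2015-03-05T08:15:01 10.1.2.3 203.0.113.7 308
2015-03-05T08:20:00 10.1.2.3 203.0.113.7 311
2015-03-05T08:24:59 10.1.2.3 203.0.113.7 306
2015-03-05T08:29:30 10.1.2.3 news.example 64000
2015-03-05T08:30:03 10.1.2.3 203.0.113.7 309
"""


def parse_proxy_log(text):
    """Parse the constructed proxy log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=6, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds, connection_count) for every
    src/dst pair seen at least min_connections times whose inter-arrival
    times have a coefficient of variation (stdev / mean) at or below
    max_jitter.  Human browsing is bursty and irregular; scheduled check-ins
    are not, which is what this separates."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        if pstdev(gaps) / mu <= max_jitter:
            beacons.append((src, dst, round(mu, 1), len(stamps)))
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("BEACON", hit)
```

On the sample the news.example traffic is ignored (its gaps range from seconds to a quarter of an hour) while the 203.0.113.7 pair is reported with a mean interval of about 300 seconds. In practice the candidate list is then enriched with destination reputation and first-seen dates; the regularity test alone is a triage filter, not a verdict.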
In the last few years, it has become increasingly easy to set up and use extensive computer botnets for activities such as spam distribution, phishing and distributed denial-of-service attacks. For example, the record for highest-bandwidth DDoS incidents has been shattered several times in the last year plus as cyber criminals have exploited weaknesses in the Network Time Protocol and used readymade DDoS tools to flood their targets' networks with meaningless traffic.
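The NTP weakness referred to above is amplification: a server that answers a small query with a much larger reply can be pointed at a spoofed victim address. Operators of NTP servers can spot this from flow data by comparing bytes sent to each peer against bytes received from it. The following is an added example, not code from the original post or from Trend Micro; the flow record format, the sample records (with the constructed addresses 192.0.2.10, 198.51.100.5 and 198.51.100.20) and the ratio threshold are assumptions.

```python
"""Detect NTP amplification (reflection) from per-flow byte counts.

Added example, not from the original post. The flow format, the sample
records and the ratio threshold are constructed assumptions.
"""
from collections import defaultdict

# Constructed flow records: "<src> <sport> <dst> <dport> <proto> <packets> <bytes>".
# 192.0.2.10 is our NTP server.  198.51.100.20 is an ordinary client whose
# query and reply are about the same size.  198.51.100.5 is a victim whose
# address has been spoofed: the server receives one tiny query "from" it and
# sends back hundreds of large packets.
SAMPLE_FLOWS = """\
# src         sport dst          dport proto pkts bytes
198.51.100.20 49152 192.0.2.10   123   udp   1    76
192.0.2.10    123   198.51.100.20 49152 udp  1    76
198.51.100.5  123   192.0.2.10   123   udp   1    60
192.0.2.10    123   198.51.100.5 123   udp   100  48200
198.51.100.5  40000 192.0.2.10   53    udp   1    64
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts, skipping comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, nbytes = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def ntp_amplification_report(flows, server_ip, ratio_threshold=10.0):
    """For each remote address exchanging UDP/123 traffic with server_ip,
    divide bytes the server sent to it by bytes the server received from it.

    Normal NTP is roughly symmetric (ratio near 1).  A ratio far above 1
    means the server is answering tiny queries with large replies, which is
    the traffic shape of a reflector being abused against a spoofed victim.
    Returns sorted (peer, bytes_in, bytes_out, ratio) tuples over threshold.
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst"] == server_ip and f["dport"] == 123:
            inbound[f["src"]] += f["bytes"]
        elif f["src"] == server_ip and f["sport"] == 123:
            outbound[f["dst"]] += f["bytes"]
    report = []
    for peer in set(inbound) | set(outbound):
        ratio = outbound[peer] / max(inbound[peer], 1)
        if ratio >= ratio_threshold:
            report.append((peer, inbound[peer], outbound[peer], round(ratio, 1)))
    return sorted(report)


if __name__ == "__main__":
    for hit in ntp_amplification_report(parse_flows(SAMPLE_FLOWS), "192.0.2.10"):
        print("AMPLIFICATION", hit)
```

Only the spoofed victim shows up, with an amplification factor of roughly 800; the legitimate client's 76-byte exchange is ignored, as is the unrelated UDP/53 flow. The same ratio test applies to any reflector-capable service (DNS, SSDP, chargen) by changing the port. The corresponding mitigation on the server side is to stop answering the amplifying query at all and to rate-limit responses, and on the network side to filter spoofed source addresses at the edge.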
Aging security tools and internal errors cause headaches for enterprises everywhere
Despite the growing diversity and intensity of the threat environment, network security practices have not caught up. A 2015 study from TechZone and CryptZone found that nine in ten companies still relied on outdated security solutions, while 45 percent also did not plan to increase their cyber security budgets to deal with new risks of security breaches. Other findings included:
- More than 90 percent identified VPN as their primary mechanism for controlling network access.
- Fifty-one percent admitted that their access control technology was at least three years old; 11 percent acknowledged that it was more than 10 years old.
- More than half of organizations have not updated their access policies in a year. Forty-two percent could not automatically enforce these policies on their networks.
Overall, the study discovered that many firms were still saddled with 1990s-era security apparatuses at a time when cyber security has become more important than ever. The survey also revealed that mistakes, errors and other internal actions were more problematic than external pressure: 61 percent identified accidents and similar internal causes as the leading source of damage.
"It is remarkable that many organizations are still utilizing network security technologies developed in the nineties – a time when the Internet was still in its infancy," one of the study's coordinators said in a statement. "The cyber attacks we have seen over the last few years have demonstrated that it is far too easy for hackers to steal user credentials, and then use those credentials to traverse the enterprise network in search of the most valuable data. Organizations need to accept that outdated access control technologies are not working against today's sophisticated adversaries."
Back to the future: Implementing modern network security mechanisms
What do enterprises need to do in order to strengthen their defenses against today's top threats? The first step is recognizing that APTs and similar threats represent a different kind of problem than many traditional security tools – such as antivirus software and legacy network security technologies – were designed to solve.
As security researcher Jon Oltsik noted five years ago in an Enterprise Strategy Group white paper commissioned by Trend Micro, attackers have responded to the adoption of patch management and other security software by exploring new attack vectors. Hence the rise of Web threats that are beyond the scope of many traditional solutions.
Updating technical capacity requires supplementing old but effective tools like VPN and antivirus with modern ones like host intrusion prevention systems, next-generation firewalls and deep discovery. Real-time monitoring, analysis and response to network traffic have become table stakes as enterprise networks become simultaneously more complex and riper targets for attackers in search of financial or reputational gain.
Keeping a lid on network access will be particularly important in the years ahead, in light of how internal vulnerabilities are becoming as problematic as external ones. Identity management tools will need to be implemented alongside APT defenses and email scanning tools to ensure comprehensive coverage of enterprise assets.