Being able to adapt to change is one of the most important abilities in security today, mostly because the attacks being defended against can do the same. The sophistication of current threats is seen mainly in their ability to adjust to the weaknesses of the environment they are targeting.
In this post, we will try to see networks the way attackers see them — through their vulnerabilities — and turn these around into guides for how IT administrators should protect their network.
People are the weakest link
People will always remain vulnerable to external stimuli, especially those that trigger strong emotions. This is why social engineering will always be a part of attacks — there are many techniques to choose from, and a high probability that they will work. Accepting the assumption that people will always fall victim to social engineering attacks is important for IT admins simply because it is true. Network security needs to be designed with this in mind, regardless of how well trained the employees are. IT administrators can:
1. Configure the network not only to prevent attackers from getting into the network, but also to prevent data from getting out of it. This way, even if an attacker is able to gain control of a machine in the network, exfiltrating any stolen data will be difficult. A properly managed firewall and network access control greatly help achieve this. Threat intelligence also plays a big part here, for example knowledge of the IPs used as C&Cs in attacks.
2. Segment the network based on the level of security the systems need. Critical systems need to be isolated from the “normal” ones, either physically or through the network segment they are connected to.
On top of these, however, employee education is still important and should be done regularly.
The safest place is the most dangerous
Even the smallest of security gaps within the network can lead to the biggest of breaches. Attackers know this well, and it is important for IT admins to keep it in mind. The network should be audited on a regular basis to make sure that all areas are properly secured.
For example, IT admins may not take into consideration that they themselves are potential targets, or that certain devices within the network can also be infection points such as the network printer or even the router.
The same goes for web administrators. Attackers might not directly breach highly secured sites such as banking websites; instead they look for other sites in the same DMZ (demilitarized zone), compromise them, and leverage the trust relationship to conduct a side-channel attack against the banking website.
People use weak passwords
It is no secret that password management is a challenge for most users, so working on the assumption that all members of the network have secure passwords is simply not an option. Securing the network under the assumption that users have insecure passwords requires other authentication measures, such as two-factor authentication or even biometrics.
The network is haunted by ghost machines
All networks have ghost machines in them. These are machines that are connected to the network but do not appear in the network topology map. They may be employees’ personal devices, external partners’ devices, or machines that should have been retired but weren’t. Attackers leverage these machines because they provide both access to the network and stealth.
To counter this, IT administrators need to be diligent about monitoring the systems that are connected to the network. They need to implement a Network Access Control mechanism to monitor and control the level of access these ghost machines are entitled to in the network.
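One way to put that monitoring into practice is to reconcile what is actually on the wire with the asset inventory. The Python below is an added example, not code from the original post: it compares constructed DHCP-lease-style observations against a constructed inventory (both formats are assumptions) and flags devices that are unknown, or inventoried as retired yet still online.

```python
# Added example (not from the original post): reconcile an asset inventory against
# hosts observed on the wire to flag "ghosts". Formats are assumed:
# inventory rows "mac,name,status"; lease lines "ip mac hostname".

# Constructed inventory: one retired asset that should no longer be online.
INVENTORY_CSV = """\
aa:bb:cc:00:00:01,file-server-01,active
AA-BB-CC-00-00-02,workstation-17,active
aa:bb:cc:00:00:03,old-print-server,retired
"""

# Constructed DHCP lease observations: ip, mac, client-reported hostname.
OBSERVED_LEASES = """\
10.0.1.10 aa:bb:cc:00:00:01 file-server-01
10.0.1.23 aa:bb:cc:00:00:02 workstation-17
10.0.1.77 aa:bb:cc:00:00:03 old-print-server
10.0.1.88 de:ad:be:ef:00:01 Johns-iPhone
"""

def normalize_mac(mac: str) -> str:
    """Canonicalise aa-bb-.., aabb.ccdd.., AA:BB:.. to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_inventory(csv_text: str) -> dict[str, tuple[str, str]]:
    """Map normalised MAC -> (asset name, lifecycle status)."""
    inventory = {}
    for line in filter(str.strip, csv_text.splitlines()):
        mac, name, status = (field.strip() for field in line.split(","))
        inventory[normalize_mac(mac)] = (name, status)
    return inventory

def find_ghosts(inventory_csv: str, leases: str) -> list[tuple[str, str, str, str]]:
    """Return (ip, mac, hostname, reason) for unknown or retired-but-online hosts."""
    inventory = parse_inventory(inventory_csv)
    findings = []
    for line in filter(str.strip, leases.splitlines()):
        ip, mac, hostname = line.split()
        mac = normalize_mac(mac)
        if mac not in inventory:
            findings.append((ip, mac, hostname, "not in inventory"))
        elif inventory[mac][1] == "retired":
            findings.append((ip, mac, hostname, "retired asset still online"))
    return findings

if __name__ == "__main__":
    for ip, mac, host, reason in find_ghosts(INVENTORY_CSV, OBSERVED_LEASES):
        print(f"{ip:<12} {mac}  {host:<18} {reason}")
```

Findings from a run like this are the candidates a NAC policy should quarantine or restrict until someone claims the device.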
Old vulnerabilities are reliable and can still be used
Assessing and addressing software vulnerabilities is a critical process for every IT administrator, and should always cover all bugs — both new and old. IT administrators need to keep in mind that a vulnerability will remain a threat to a network if not addressed, regardless of how long it has been since it was discovered.
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.