Thursday, September 4, 2014

Why a Layered Approach to Data Protection is Critical
Posted by - Paul Martini, Co-Founder

The high-profile data breaches keep coming, reminding us that no matter how far we extend the boundaries of our network security, criminal hackers are going to continue to exploit our flaws and gaps. Two recent incidents illustrate the critical importance of going beyond standard security measures that focus solely on inbound threats.

Home Depot
On Tuesday, Home Depot announced that it was investigating a report that customer credit and debit card data had been stolen from its systems and put up for sale online. The information that has emerged since indicates that this breach may have been carried out in the same fashion as the Target breach. Given that both are retail chains and the data affected was payment card data, it is likely that an exploit that succeeded in one instance led to further attacks using the same tactics. This breach might even have been performed by the same criminal hacker crew, or by a different one using the same methods.

Now, if exfiltration of data at the payment terminals was not how this breach was performed, it is quite possible the data was taken through more traditional means, such as a botnet infection on a sensitive server or database. The concern then is how the credit card information was stored in the database, given the strict PCI compliance requirements. If the information was taken directly from a database, why was the data not encrypted to PCI standards? And if it was encrypted, how was it decrypted, exposing the card numbers themselves? This is a good example of why simply encrypting data in a database has no value if it is not done properly. In addition, if the data left via the network, the anomalies in outbound traffic could have been detected if outbound transfers were being continuously monitored and analyzed.

UPS
The UPS data breach is another instructive case that involves different tactics, yet exposes the same security gaps illustrated by the Home Depot and Target incidents. In this breach, hackers used known data ports to establish a legitimate remote connection to the network and gain access to systems. Most likely the perpetrators used protocols such as SSH, Telnet or RDP, but organizations also need to pay attention to services such as GoToMyPC, LogMeIn and others. Although these services are proxied through a website, if a hacker gains access to your main account, they could have access to a multitude of connected PCs. The UPS incident emphasizes the importance of shutting down unused data ports and looking closely at any firewall port-forwarding rules that allow access back into the network. For example, backhauling traffic through a company proxy server for mobile users is popular, but the technique often involves opening a hole in the firewall to let the proxy connections in. This is a surefire way to allow unauthorized users access to the local network.
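The port-forwarding review the paragraph above calls for can be made routine rather than a one-off. The script below is an added example, not code from the post or from any firewall vendor: it parses a constructed excerpt in iptables-save syntax (the rule lines and addresses are made up for the example) and grades each DNAT forward by whether it exposes a remote-access service to any source. The port-to-service table is an assumption for the example; a real audit would use the site's own list of sanctioned services and allowed source ranges.

```python
"""Grade firewall port-forwarding (DNAT) rules by exposure.

Added example; the rule lines below are constructed in iptables-save syntax
and do not come from the post or any real firewall.
"""
import re

# Assumption for this example: the remote-access services the post names,
# on their usual ports. A site-specific list would replace this.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}

SAMPLE_RULES = """
# constructed iptables-save excerpt (not from a real firewall)
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.0.15:3389
-A PREROUTING -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.20:22
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.30:8443
-A PREROUTING -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.0.40:23
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.50:8080
-A POSTROUTING -o eth0 -j MASQUERADE
""".strip().splitlines()


def parse_rule(line):
    """Return the parts of a PREROUTING DNAT rule we care about, or None."""
    if not line.startswith("-A PREROUTING") or "-j DNAT" not in line:
        return None

    def opt(flag):
        # Match the flag only as a whole token, followed by its value.
        m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", line)
        return m.group(1) if m else None

    dport, dest = opt("--dport"), opt("--to-destination")
    if dport is None or dest is None:
        return None
    return {"src": opt("-s"), "proto": opt("-p"), "dport": int(dport),
            "dest": dest, "line": line}


def audit_rules(lines):
    """Grade each forward: remote-access service open to any source is the
    finding the post warns about; unrestricted forwards of anything else
    still deserve a 'is this still needed?' question."""
    findings = []
    for raw in lines:
        rule = parse_rule(raw.strip())
        if rule is None:
            continue
        service = REMOTE_ACCESS_PORTS.get(rule["dport"])
        open_to_all = rule["src"] in (None, "0.0.0.0/0", "any")
        if service and open_to_all:
            sev, why = "high", f"{service} forwarded from any source"
        elif service:
            sev, why = "medium", f"{service} forwarded; confirm source {rule['src']} is still required"
        elif open_to_all:
            sev, why = "low", "forwarded from any source; confirm the service is still in use"
        else:
            sev, why = "info", "source-restricted forward"
        findings.append({"severity": sev, "dport": rule["dport"],
                         "dest": rule["dest"], "reason": why})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']:6}] port {f['dport']} -> {f['dest']}: {f['reason']}")
```

Run against a real `iptables-save` dump by feeding its lines to `audit_rules`; the high findings are the forwards to shut down or restrict to a known source range, and the low ones are the candidates for the "unused data ports" cleanup the post recommends.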

Organizations Can Better Defend Themselves
Although we are likely to see more of these incidents, there are steps organizations can take to avoid being the next big data-breach headline. First, they must accept the fact that while inbound malware protection is important, it is unrealistic to expect it to stop 100% of malware. That is why you need a layered approach that includes inbound protection but also employs continuous network monitoring. Monitoring matters from a baselining perspective, to detect anomalies in data transfers, and also to detect malware C&C callbacks. Inbound malware protection is a necessity, but even if it is 99.5 percent effective, it is the 0.5 percent that gets through that should concern you. Only outbound callback prevention and other outbound scanning methods will cover your network during that window.
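The two outbound checks the post keeps returning to, a volume baseline per host (the database-exfiltration scenario in the Home Depot section) and detection of regular C&C callbacks, can both be computed from ordinary flow records. The script below is an added example, not code from the post or from any product: it builds a constructed set of flow records (timestamps, internal source, external destination, bytes out; all addresses are documentation ranges), learns a per-host hourly baseline from the first seven hours, flags the host whose eighth-hour volume breaks that baseline, and separately flags any source/destination pair whose connection intervals are too regular to be a person. The thresholds (3 sigma, 1.5x the mean, coefficient of variation 0.1, ten intervals minimum) are assumptions for the example and would be tuned per network.

```python
"""Outbound baseline and callback-regularity checks over flow records.

Added example; the flow records are constructed for illustration and
the thresholds are assumptions, not values from the post.
"""
import statistics
from collections import defaultdict

HOUR = 3600
REVIEW_HOUR = 7  # hours 0..6 form the baseline; hour 7 is under review


def build_flows():
    """Constructed flow records: (epoch seconds, internal src, external dst, bytes out)."""
    flows = []
    jitter = [100, 640, 210, 880, 55, 420, 730, 300]  # scheduled job, start time varies
    for h in range(REVIEW_HOUR + 1):
        base = h * HOUR
        for k in range(4):  # 10.0.0.5: steady browsing, a few medium flows per hour
            flows.append((base + 600 * k, "10.0.0.5", "198.51.100.10", 50_000))
        # 10.0.0.9: modest hourly sync, then a bulk transfer in the review hour
        size = 200_000 + 10_000 * (h % 3) if h < REVIEW_HOUR else 9_000_000
        flows.append((base + jitter[h], "10.0.0.9", "198.51.100.20", size))
        for k in range(12):  # 10.0.0.7: a 300-second callback with a tiny payload
            flows.append((base + 300 * k, "10.0.0.7", "203.0.113.7", 512))
    return flows


def hourly_bytes(flows):
    """Sum outbound bytes per source host per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, nbytes in flows:
        totals[src][ts // HOUR] += nbytes
    return totals


def volume_anomalies(flows, review_hour=REVIEW_HOUR, sigma=3.0):
    """Flag hosts whose outbound volume in review_hour exceeds the baseline.

    Threshold is mean + sigma*stdev of the earlier hours, with a floor of
    1.5x the mean so a perfectly flat history does not alert on itself.
    """
    findings = {}
    for src, per_hour in hourly_bytes(flows).items():
        history = [per_hour.get(h, 0) for h in range(review_hour)]
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) if len(history) > 1 else 0.0
        threshold = max(mean + sigma * stdev, 1.5 * mean)
        observed = per_hour.get(review_hour, 0)
        if observed > threshold:
            findings[src] = {"observed": observed, "baseline_mean": mean,
                             "threshold": threshold}
    return findings


def beacon_candidates(flows, min_intervals=10, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    A low coefficient of variation (stdev/mean of the gaps) over enough
    connections is the signature of a timed callback rather than a user.
    """
    times = defaultdict(list)
    for ts, src, dst, _n in flows:
        times[(src, dst)].append(ts)
    out = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out[pair] = {"period_s": mean, "connections": len(stamps)}
    return out


if __name__ == "__main__":
    flows = build_flows()
    for host, f in volume_anomalies(flows).items():
        print(f"volume: {host} sent {f['observed']} bytes, threshold {f['threshold']:.0f}")
    for (src, dst), b in beacon_candidates(flows).items():
        print(f"callback: {src} -> {dst} every {b['period_s']:.0f}s ({b['connections']} connections)")
```

The two checks are deliberately independent: the bulk upload from 10.0.0.9 has no regular timing and the callback from 10.0.0.7 moves almost no data, so neither would be caught by the other check alone, which is the point the post makes about layering outbound monitoring rather than relying on a single signal.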
