The enterprise IT security landscape changed dramatically during 2016. Expansion into more clouds, the addition of industrial IoT, and marked increases in virtual deployments resulted in more devices, more locations, and more environments for organisations to monitor and protect. Data rates are increasing, network reach keeps growing, and new appliances keep entering the market to analyse and protect it all, with each needing to be managed, optimised, and secured. This growing network complexity is becoming a security vulnerability in its own right, alongside the dramatic rises in malware and other threats.
To explore and quantify these issues and challenges facing enterprises, and to show how these could be addressed, at Ixia we recently published our 2017 Security Report. We identified seven key areas that organisations need to consider in order to better protect their networks and data in this dynamic cybersecurity environment.
1. Expanding network attack surfaces
An attack surface is the sum of the points through which an attacker can enter an IT environment or extract data from it. Growing network complexity is enlarging attack surfaces along three dimensions: the number of locations where data resides, network throughput, and the number of IT tools in use. The Internet of Things (IoT) enlarges it further, because many IoT devices are neither deployed nor managed by IT. Network segmentation is on the rise, which is good practice, but our survey data shows that 47 per cent of organisations leave nearly half of their network segments unmonitored. Businesses need automation and real-time monitoring to see what they are missing.
2. Sharing in the cloud
Cloud usage is on the rise, and it raises its own security issues: where do a cloud provider's performance and security responsibilities stop, and the customer organisation's begin? Today the average organisation uses six different cloud services, and by 2020 over 92 per cent of all workloads will be cloud-based. Add shadow cloud services, which fall outside IT's control, and up to ten times more cloud services are likely to be in use than IT expects. An effective visibility strategy needs to span every hybrid, public and private cloud environment an organisation uses.
3. The attackers’ arsenal
New, highly sophisticated hacking techniques grab headlines, yet most cybercriminals still favour old, tried and tested methods. Across services, operating systems and deployment types, attackers look for the easiest way in. We have seen attackers checking for passwords that are 14 years old, probing for vulnerabilities more than 10 years old, and using malware that has not changed in years.
4. Top usernames and passwords
With so many IT systems in a typical network, password management remains a problem area that attackers exploit. The top five username guesses in 2016 were root, admin, ubnt, support and user. The top five password guesses were null, ubnt, admin, 123456 and support.
Many of these are the default combinations shipped with network appliances or cloud offerings, so if the IT team fails to change them there is a simple route in for malicious hackers. IoT devices were also a notable target of brute-force guessing.
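The practical detection this implies is cheap: watch failed logins for exactly the usernames listed above. The following is an added example (not code from Ixia or the report) that parses constructed OpenSSH failure lines, groups attempts by source address, and flags sources that keep trying the report's top default usernames. The log lines, the hostname `gw`, the addresses and the threshold of three are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Usernames that topped the guess lists in the report (root, admin, ubnt,
# support, user). Several failures for these from one source look like a
# default-credential sweep rather than a user mistyping a password.
DEFAULT_USERNAMES = {"root", "admin", "ubnt", "support", "user"}

# Matches OpenSSH failure lines: "Failed password for [invalid user] NAME from IP"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_login(line):
    """Return (username, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip")


def detect_credential_sweeps(lines, threshold=3):
    """Group failed logins by source IP and flag sources whose attempts at
    the report's default usernames reach `threshold`. Returns
    {ip: {"attempts": total_failures, "default_users": [names tried]}}
    for flagged sources only."""
    attempts = defaultdict(Counter)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        user, ip = parsed
        attempts[ip][user] += 1

    flagged = {}
    for ip, users in attempts.items():
        defaults = {u: n for u, n in users.items() if u in DEFAULT_USERNAMES}
        if sum(defaults.values()) >= threshold:
            flagged[ip] = {
                "attempts": sum(users.values()),
                # most-tried default username first, then alphabetical
                "default_users": sorted(defaults, key=lambda u: (-defaults[u], u)),
            }
    return flagged


# Constructed sample log lines (not real data) in OpenSSH syslog format.
SAMPLE_LOG = """\
Jan 14 03:12:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51822 ssh2
Jan 14 03:12:02 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51823 ssh2
Jan 14 03:12:03 gw sshd[2105]: Failed password for invalid user ubnt from 203.0.113.5 port 51824 ssh2
Jan 14 03:12:04 gw sshd[2107]: Failed password for invalid user support from 203.0.113.5 port 51825 ssh2
Jan 14 03:12:05 gw sshd[2109]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 14 03:15:40 gw sshd[2201]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Jan 14 03:15:44 gw sshd[2203]: Failed password for alice from 198.51.100.9 port 40101 ssh2
Jan 14 03:16:10 gw sshd[2205]: Failed password for invalid user user from 192.0.2.33 port 33001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_credential_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, default usernames tried: {info['default_users']}")
```

Only 203.0.113.5 is reported: the two failures for a real account name from 198.51.100.9 and the single guess from 192.0.2.33 stay below the threshold. The same username list works as a watch-list in a SIEM; the point is that the names are known in advance, so the rule needs no baseline.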
5. Malware or phishing?
Malware continued to dominate over 2016, but during June, July and August ransomware phishing appeared to outpace conventional malware phishing. Major services such as Google, PayPal and Facebook were the top phishing targets, that is, the brands most often impersonated, once again showing how cybercriminals go after low-hanging fruit. Meanwhile, fake Adobe update prompts were the most prevalent drive-by lure for delivering malware or phishing attacks.
6. Top exploited URI paths and content management systems
A uniform resource identifier (URI) is a string of characters that identifies a resource; its path component is what attackers probe for. The two most exploited URI paths in 2016 were both WordPress paths, showing how attackers are targeting sites built on the popular platform. WordPress was by far the most exploited content management system, with Joomla a distant second: yet again, attackers understand how to target the most popular services.
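Because attackers probe for CMS-specific paths regardless of what a site actually runs, a web server's own access log is a good place to spot them. The following is an added example (not code from Ixia or the report, which does not name the exploited paths): it classifies requests in constructed combined-log-format lines by the CMS their path belongs to, using a few well-known WordPress and Joomla entry points chosen for illustration, and reports as probes any request aimed at a CMS the site does not host, or at the hosted CMS but answered with 404. The signature paths, log lines and addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed CMS-specific path prefixes used as probe signatures. The report does
# not name the exploited paths; these are common WordPress and Joomla entry
# points picked for illustration.
CMS_SIGNATURES = {
    "WordPress": ("/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/wp-content/plugins/"),
    "Joomla": ("/administrator/index.php", "/index.php?option=com_"),
}

# Combined log format: ip ident authuser [time] "METHOD path PROTO" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify_path(path):
    """Return the CMS a request path targets, or None if it matches no signature."""
    for cms, prefixes in CMS_SIGNATURES.items():
        if any(path.startswith(p) for p in prefixes):
            return cms
    return None


def find_cms_probes(lines, hosted_cms=None):
    """Summarise CMS-targeted requests per source IP.

    hosted_cms is the CMS this site really runs (None if no CMS). A request is
    counted as a probe when it targets a CMS the site does not host, or targets
    the hosted CMS but gets a 404 (a path that does not exist here). Ordinary
    use of the hosted CMS is ignored."""
    report = defaultdict(lambda: {"probes": 0, "targets": set(), "not_found": 0})
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        cms = classify_path(m.group("path"))
        if cms is None:
            continue
        status = int(m.group("status"))
        if cms != hosted_cms or status == 404:
            entry = report[m.group("ip")]
            entry["probes"] += 1
            entry["targets"].add(cms)
            if status == 404:
                entry["not_found"] += 1
    return {
        ip: {"probes": e["probes"], "targets": sorted(e["targets"]), "not_found": e["not_found"]}
        for ip, e in report.items()
    }


# Constructed sample access log lines (not real data) in combined log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [14/Jan/2017:03:20:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Jan/2017:03:20:12 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Jan/2017:03:20:13 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.12 - - [14/Jan/2017:03:25:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.12 - - [14/Jan/2017:03:25:45 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.12 - - [14/Jan/2017:03:26:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_cms_probes(SAMPLE_ACCESS_LOG, hosted_cms="WordPress").items():
        print(f"{ip}: {info['probes']} probes for {info['targets']} ({info['not_found']} returned 404)")
```

On a site that hosts WordPress, 203.0.113.77 is reported for three probes (two non-existent WordPress paths plus a Joomla path), while 198.51.100.12's visit to /wp-admin/ is treated as normal use and only its request for a missing plugin file counts. Run with hosted_cms=None the same /wp-admin/ request becomes a probe, which is the right reading for a site that runs no CMS at all.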
7. The CISO Mind Map
The CISO has a lot to manage. A typical organisation engages as many as 15 vendors for various aspects of security, IP protection, user training and risk assessment. Inside the traditional perimeter that means private clouds, firewalls, antivirus software and encryption. Outside it, the CISO must also monitor and secure public clouds, SaaS services, smartphones, laptops and networks of IoT devices. The CISO mind map is complex: it has to cover all of these resources, as well as what makes one vendor's appliance better than another.
In conclusion, key takeaways from our 2017 report include:
Protect the simple stuff: modern firewalls and security tools will protect you adequately from the latest security threats. Most attackers lack the resources to create advanced zero-day malware, and reuse simple methods instead: DDoS distractions, older malware and exploits, admin password guessing, or phishing. Start with username and password hygiene, as that is the first place an attacker will look.
Challenge your security architecture: we are constantly surprised at how many networks are not exposed to large-scale testing before deployment. Challenge your defences not with average data flows but by driving them to capacity, to see how, or whether, they fail. After all, attackers are doing this every day.
Validate provisioning: every time a new security or performance monitoring product is added, a new cloud is connected, or a network segment is established, something is provisioned. The vast array of command-line interfaces that need programming adds complexity, and complexity typically leads to mistakes or vulnerabilities.
Adopt a Zero Trust model: never trust, always verify. Every new device, every network update and every provisioning change should trigger validation testing. One error can create an opening.
Inspect encrypted traffic: many organisations do not decrypt encrypted traffic such as SSL/TLS and SSH, or leave it to individual security and performance monitoring tools to do so. This becomes a major blind spot that attackers use to hide malware.
Limit your attack surface: the more you can limit your network environment, the easier it will be to protect.
With these measures in place, visibility architectures that allow your IT security team to see your entire network and monitor it in real-time are absolutely essential; after all, you cannot secure what you cannot see.
Jeff Harris, VP Solutions, Ixia
Image source: Shutterstock/deepadesigns