5 Ways to Fight Nation-State Attacks
State-sponsored cyber-attacks are tough to stop. Remaining vigilant is the key.
By Kasey Cross, A10 Networks
State-sponsored cyber-attacks strike with shocking frequency. Recent breaches at the U.S. Joint Chiefs of Staff, the U.S. Office of Personnel Management, Anthem, USIS and Community Health Systems have all been attributed to government-backed attackers. China even brazenly launched several DDoS attacks on GitHub and GreatFire.org earlier this year.
The motives, methods and results of these state-sponsored attacks vary, but the implications are clear: Every organization that stores sensitive information has a proverbial bullseye on its back.
James Clapper, the director of National Intelligence, has pointed to China as the likely source of the OPM infiltration. And the earlier Anthem breach appears to have been perpetrated by the "Deep Panda" Chinese-sponsored cyber-espionage unit. Well funded and extremely efficient, with seemingly unlimited resources and talent at their disposal, state-sponsored cyber-criminals would appear to be an unbeatable foe. If they can infiltrate the U.S. government, what hope does the average enterprise have of protecting itself?
Well, there are various ways. In addition to patching vulnerabilities and implementing multi-factor authentication, every enterprise must also deploy intrusion prevention systems and data loss prevention tools to block attacks.
Here is a more detailed look at what organizations should do to keep nation-state attackers at bay.
Decrypt and Inspect SSL Traffic
State-sponsored hackers can hide attacks in encrypted SSL traffic to evade detection. As a result, network security solutions, such as next-gen firewalls and intrusion prevention systems, need to be able to inspect all incoming and outgoing traffic for threats -- not just the data that is sent in plain text. What you can’t see can hurt you. To ensure state-sponsored hackers do not bypass your security controls, decrypt and examine all traffic.
Below are five features for IT teams to consider when selecting an SSL inspection platform:
SSL performance: In addition to assessing current Internet bandwidth requirements, IT also must factor in SSL traffic growth and ensure the inspection platform can handle future SSL throughput requirements.
Compliance: To address regulatory requirements like HIPAA, Federal Information Security Management Act (FISMA) and Sarbanes-Oxley (SOX), an SSL inspection platform should be able to bypass sensitive traffic, like traffic to banking and health care sites.
Heterogeneous networks: IT should look for SSL inspection platforms that can decrypt outbound traffic to the Internet and inbound traffic to corporate servers with multiple, flexible deployment options. Additionally, the platforms should intelligently route traffic with traffic steering, granularly parse and control traffic based on custom-defined policies and integrate with a variety of security solutions from leading vendors.
Security infrastructure: SSL inspection platforms should not just offload SSL processing from security devices but also maximize the uptime and performance of those devices. It’s important the platforms can scale security deployments with load balancing, avoid network downtime by detecting and routing around failed security devices and support advanced health monitoring to rapidly identify network or application errors.
SSL certificates and keys: To ensure certificates are stored and administered securely, IT should look for SSL inspection platforms that provide device-level controls to protect SSL keys and certificates, integrate with third-party SSL certificate management solutions and support FIPS 140-2 Level 2 and Level 3 certified equipment and Hardware Security Modules (HSMs).
Fortify Web Applications Against Attacks
Web application data is an attractive target for state-sponsored hackers. Attackers have been known to exploit application vulnerabilities to gain access to Web servers or steal records from databases. One way enterprises can protect against this is with a certified Web application firewall (WAF), which filters all application access by inspecting both the traffic toward the application and the response traffic from the application.
A WAF offers granular control of the application’s data flow and is capable of protecting against various attacks including SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, among others. For instance, a WAF can prevent buffer overflow attacks by setting accepted maximum thresholds for aspects of HTTP requests and blocking requests that exceed the configured limits.
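The threshold check described above, as an added example that is not part of the article or any vendor's product: it parses a raw HTTP/1.x request, measures its URL, headers and body, and reports which configured limits are exceeded. The limit names and values, and the sample requests, are constructed for illustration.

```python
# Added example: size-threshold enforcement of the kind a WAF applies to HTTP requests.
# Limit names and values below are constructed assumptions, not a product's defaults.
DEFAULT_LIMITS = {
    "url_length": 2048,
    "header_count": 64,
    "header_name_length": 256,
    "header_value_length": 4096,
    "body_length": 1_048_576,
}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, url, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, url, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return method, url, headers, body

def check_request(raw: bytes, limits=DEFAULT_LIMITS):
    """Return the list of violated limits; an empty list means the request is accepted."""
    _method, url, headers, body = parse_request(raw)
    violations = []
    if len(url) > limits["url_length"]:
        violations.append("url_length")
    if len(headers) > limits["header_count"]:
        violations.append("header_count")
    for name, value in headers:
        label = name.decode(errors="replace")
        if len(name) > limits["header_name_length"]:
            violations.append(f"header_name_length:{label}")
        if len(value) > limits["header_value_length"]:
            violations.append(f"header_value_length:{label}")
    if len(body) > limits["body_length"]:
        violations.append("body_length")
    return violations

# Constructed sample requests: one within limits, one with an oversized header and body.
NORMAL = b"GET /account?id=42 HTTP/1.1\r\nHost: app.example\r\nUser-Agent: test\r\n\r\n"
OVERSIZED = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
             b"X-Padding: " + b"A" * 5000 + b"\r\n\r\n" + b"B" * 2_000_000)

if __name__ == "__main__":
    print(check_request(NORMAL))     # []
    print(check_request(OVERSIZED))  # ['header_value_length:X-Padding', 'body_length']
```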
Use Virtual Private Networks (VPNs) to Secure Data
You should assume that any communications over public networks can and will be intercepted. Therefore, organizations of all sizes should implement IPsec VPNs to prevent snooping and data theft, as well as to address compliance. Though it's no guarantee your data will be protected, you should still encrypt sensitive data sent over the Internet using IPsec encryption.
While IPsec is a mature and well understood technology, new networking paradigms like cloud computing, as well as escalating bandwidth requirements, are compelling large enterprises and service providers to rethink their VPN strategies. As a result, organizations need to develop VPN architectures that can:
- Support unprecedented IPsec throughput levels
- Leverage BGP routing for high availability and rapid scaling
- Spin up new IPsec tunnels and gateways on-demand in cloud environments
- Minimize power consumption and rack space requirements for data center efficiency
Monitor and Audit Access to Sensitive Data
If you store sensitive data in databases or files, be sure to track all activity including access and changes. This will help detect anomalous activity, prevent illicit access and measure the impact of an intrusion if an incident does occur. For instance, if someone requests every credit card record, accesses large quantities of data at once or during unusual times of day or escalates their privileges, it could indicate a cyber attack is underway. Monitoring and auditing user access to sensitive data ensures there is a trail to link security violations to specific user names.
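The three indicators named above (bulk reads, access at unusual hours, privilege escalation), as an added example that is not part of the article: a rule-based pass over a constructed database audit log. The log layout, thresholds and business-hours window are assumptions chosen for illustration.

```python
# Added example: rule-based review of a constructed database audit log.
# Field layout, thresholds and sample lines are assumptions, not any product's format.
from datetime import datetime

# Constructed audit log, one event per line: "timestamp,user,action,object,rows".
AUDIT_LOG = """\
2015-09-14T10:02:11,alice,SELECT,customers,25
2015-09-14T10:05:43,bob,SELECT,credit_cards,3
2015-09-14T03:12:05,bob,SELECT,credit_cards,120000
2015-09-14T11:30:00,carol,GRANT,ROLE:db_owner,0
2015-09-14T14:45:09,alice,UPDATE,customers,1
"""

BULK_ROWS = 10_000             # reads above this count as "large quantities of data at once"
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; anything else is an "unusual time of day"
SENSITIVE_OBJECTS = {"credit_cards"}

def parse_line(line):
    ts, user, action, obj, rows = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "object": obj, "rows": int(rows)}

def find_anomalies(log_text, bulk_rows=BULK_ROWS, hours=BUSINESS_HOURS):
    """Return (rule, user, timestamp) triples for every event matching a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        when = e["ts"].isoformat()
        if e["action"] == "SELECT" and e["rows"] > bulk_rows:
            alerts.append(("bulk_read", e["user"], when))
        if e["object"] in SENSITIVE_OBJECTS and e["ts"].hour not in hours:
            alerts.append(("off_hours_sensitive_access", e["user"], when))
        if e["action"] == "GRANT" and e["object"].startswith("ROLE:"):
            alerts.append(("privilege_escalation", e["user"], when))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(AUDIT_LOG):
        print(alert)
```

Each alert carries the user name, which is the trail the paragraph calls for; in practice the same rules would run against the database's native audit trail rather than a text file.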
Train Employees on Security Best Practices
Your own employees will often be your weakest security links. Therefore, it’s important for organizations to educate their teams and enforce best practices, such as choosing a strong password, to prevent advanced cyber attacks. Users should also be instructed to identify social engineering attacks, phishing threats and other malicious activity. Otherwise, they'll likely become a victim.
The world has changed. The lone hacker is no longer the face of cybercrime. That bad actor has been replaced by entire nation states with dedicated professional teams of infiltrators. They are formidable. They are relentless. They are coming for your data.
Kasey Cross is responsible for security evangelism for the Thunder Application Delivery Controller (ADC) product line at A10 Networks. She has over 10 years of experience in marketing and management positions at leading information security companies, including Imperva and SonicWALL. She was also the co-founder and CEO of Menlo Logic and led the company through its successful acquisition by Cavium Networks. She received a bachelor’s degree in economics and physics from Duke University.