The scary reality for organizations that house confidential and sensitive data, including the personal information of employees and citizens, is that there is no end to cybersecurity threats such as botnets, worms and hacking.
Of these, botnets are perhaps the most frightening cybersecurity threat. These highly sophisticated, vulnerability-seeking threats manufactured by cyber criminals are nearly invisible. Unlike the disk-crashing, network-freezing worms and Trojan horses of a few years ago, bots are designed to leave networks and computers running seamlessly by all outward appearances while they siphon data out to their “bot masters” and avoid detection.
Most state and local government agencies are already pursuing tactics to minimize the chance of network penetration and, if an attack occurs, to isolate the threat and eliminate it. However, because governments are continually pressed to provide the same or greater services with the same or fewer resources, their cybersecurity strategies can be inadequate or uncoordinated. To help agencies formulate a strategy that meets their particular needs — based on agency size and type, available budget, and the sensitivity of the information that must be secured — CDW-G offers the following approaches:
- Install a Windows Firewall. Though sometimes tempting for end users to disable, a properly configured Windows firewall can block many network-based exploits. This measure is especially appropriate for large agencies with many similarly configured machines.
- Disable AutoRun. The autorun feature, which automatically installs software, should be disabled to prevent operating systems from blindly launching commands from foreign sources.
- Break Password Trusts. Judicious control over local accounts, especially the local administrator account, is critical to isolating and eliminating threats. Disabling computers’ capability to automatically connect to each other closes the path that botnets take to spread to the internal network. This is particularly critical in environments where machines store highly confidential data.
- Consider Network Compartmentalization. In most computing environments, workstations do not need to communicate with each other across departments. Shutting down this capability goes a long way toward preventing the spread of botnets. IT managers should establish private virtual local area networks (VLANs), or access control lists (ACLs) between subnetworks to limit exposure. This strategy is not a good fit, however, in environments that mix voice and data communications, as it tends to break the ability to negotiate virtual circuits on the fly.
- Provide Least Privilege. When users are not administrators of their own workstations, it is much harder for malware to propagate via drive-by download or for AutoRun methods to take hold on a system. Preventing users from being administrators also makes it more difficult for their user account credentials to spread malware, should the computer become infected.
- Install Host-Based Intrusion Prevention To keep botnets from taking root in a system, IT managers should concentrate additional protections on specific network layers based on vulnerability, such as at points of contact between specific hardware and software. This approach does not fix technical flaws or holes in operating systems or application software, but it can reduce the chances that exploits will be successful. These tools are highly effective, but they are expensive and challenging to deploy.
- Enhance Monitoring The more that is known about how end users and the network operate in normal activity, the easier it will be to determine in real-time when a botnet infestation causes slight anomalies. Around-the clock monitoring is ideal, using products that collect data on network traffic, train devices to monitor abnormalities, and detect and prevent intrusions. However, even with remote managed security services filling the gap, enhanced monitoring might be beyond the capabilities of many government agencies.
- Filter Data Leaving the Network. Botnets typically establish communication with one or more remote servers that hackers use to retrieve private information. To stop these communications, and the threats associated with them, agencies can prohibit unwanted traffic from leaving the network, a tool known as egress filtering. Agencies should force Internet traffic through proxies or content filters (see below), or deploy a data loss prevention (DLP) solution.
- Use a Proxy Server. While it is impractical to block all potentially hostile outbound traffic, forcing outbound traffic through a proxy server gives agencies a secondary choke point for monitoring and controlling Web access and for defeating some attempts to tunnel around security measures. Content filtering is appropriate for almost any agency.
- Install Reputation-Based Filtering. Tools like IronPort and WebSense can help block e-mail from, and requests to, addresses that have reputations as potential malware sources.
- Monitor DNS Queries The way that a workstation responds to domain name system (DNS) queries is often an early warning sign that the workstation may be infected. Specifically, responses from workstations that contain very low time-to-live (TTL) values should be monitored, as low TTL can indicate infection. Monitoring allows system administrators to act before the infection spreads too far
The steps outlined here provide a framework for a cybersecurity strategy tailored to an agency’s specific size, as well as the size of its IT department and budget. CDW-G advises agencies to evaluate each step to devise a strategy that meets their specific needs.
Peyton Engel is a technical architect at CDW Government (CDW-G), a provider of IT solutions to government, education and healthcare, where he is responsible for leading the company’s security assessment team.