Security Posture Drift: Thinking Old School
Charles Kolodgy is a Research Vice President for IDC’s Security Products service and is a featured guest blogger.
Security can’t be set and forgotten because the conditions are in flux. Products are updated and threats evolve as attackers find new ways to exploit technology or to bypass existing security. Examples of new attack methods have been identified in Radware’s 2012 Global Application and Network Security Report. Attackers are utilizing server-based botnets more than ever, and the sophistication and severity of attacks in general increased significantly in 2012. Server-based botnets give attackers a much bigger bang for the buck. A DDoS attack using servers instead of client-based bots is like hitting someone with a 50 pound bag at once instead of pelting someone with hundreds of bean bags. Regarding sophistication, using Radware’s APT score, the number of attacks scoring 7 or higher (out of 10) increased 150% (58% in 2012 compared to 23% in 2011).
Protecting the organization’s environment against the rising tide of sophisticated threats requires strong security. This comes in the form of products, proper device configuration, policy, and vigilance to discover problems or breaches. When products are deployed and initially configured they are at their optimum state: ready to thwart whatever is thrown at them. Eventually system configurations (settings) will begin to “drift” away from the optimum state. The changes are slight – an update to an application opens a new port, or a change to the permissions associated with a user group grants access where it shouldn’t be allowed. Over time these small modifications build on one another, and eventually the device has drifted significantly, rendering it less effective. Because drift is gradual, it generally goes unnoticed that the security infrastructure has moved away from the desired good state, and it is very difficult to get it back on track.
Security drift is a problem because it can directly impact the three pillars of security – Confidentiality, Integrity, and Availability. IT has become seduced by a whirlwind of technology enhancements. All of these new technologies need to be secured but the focus in protection has generally been towards the confidentiality pillar – keeping my “stuff” out of the hands of those who shouldn’t have it. What is normally pushed into the background are the other pillars: the integrity of the systems (and data) and the availability of the systems.
Integrity is maintained with a change auditing process. First a baseline of a desired state is established for any object. After the desired state is established, comparisons can be made between the current state and the baseline state. Any deviations are flagged and alerts are sent to appropriate parties for corrective action. Integrity drift can be identified quickly and systems returned to a “desired state”.
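As an added illustration of the baseline-then-compare process described above (example code, not from the original post or from any particular product), the following Python snippet records a fingerprint for every monitored object in a constructed "desired state", compares a constructed current state against it, and flags each deviation. The object names, configuration contents, and the three changes it detects (a new listening port, a widened group permission, an edited sshd_config) are all constructed for the example.

```python
import hashlib
import json

# Constructed desired state captured at deployment: monitored object -> its attribute(s).
SSHD_CONFIG_AT_DEPLOY = "PermitRootLogin no\nPasswordAuthentication no\n"
DESIRED_STATE = {
    "port:22/tcp": "sshd",
    "port:443/tcp": "nginx",
    "group:developers": ["read"],
    "group:admins": ["admin", "read", "write"],
    "file:/etc/ssh/sshd_config": SSHD_CONFIG_AT_DEPLOY,
}

# Constructed current state: an update opened 8080/tcp, developers gained write, sshd drifted.
SSHD_CONFIG_NOW = "PermitRootLogin no\nPasswordAuthentication yes\n"
CURRENT_STATE = {
    "port:22/tcp": "sshd",
    "port:443/tcp": "nginx",
    "port:8080/tcp": "app-update",
    "group:developers": ["read", "write"],
    "group:admins": ["admin", "read", "write"],
    "file:/etc/ssh/sshd_config": SSHD_CONFIG_NOW,
}

def fingerprint(value):
    """Canonical SHA-256 of an attribute, so the baseline stores hashes rather than contents."""
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def take_baseline(state):
    """Step 1: establish the baseline as one fingerprint per monitored object."""
    return {obj: fingerprint(attr) for obj, attr in state.items()}

def detect_drift(baseline, current_state):
    """Step 2: compare the current state to the baseline; return (object, kind) deviations."""
    current = take_baseline(current_state)
    deviations = []
    for obj in sorted(baseline.keys() | current.keys()):
        if obj not in current:
            deviations.append((obj, "removed"))   # object vanished since baseline
        elif obj not in baseline:
            deviations.append((obj, "added"))     # object not present in desired state
        elif baseline[obj] != current[obj]:
            deviations.append((obj, "changed"))   # attribute differs from baseline
    return deviations

if __name__ == "__main__":
    for obj, kind in detect_drift(take_baseline(DESIRED_STATE), CURRENT_STATE):
        print(f"DRIFT {kind:<8} {obj}")   # alert line for the party responsible for correction
```

Re-running the check after corrective action against the restored state returns an empty list, which is the signal that the system is back at the desired state.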
Availability issues are a growing concern for organizations. It isn’t that networking technology can’t keep up with the huge growth in network connected devices, web services, and traffic volume. It is that attackers (many of them activists) have decided that they can damage a company or organization by impacting availability. Denial of Service attacks are growing in number and duration. In a story entitled “Denial-of-service attacks are surging all across the Internet”, USA TODAY reported that denial of service attacks increased 70% in the first half of 2012 when compared to 2011. Additionally, Radware’s Industry Security Survey in 2012 reports that 2 out of 3 organizations experience at least one DoS attack a year and almost a quarter are attacked at least every month.
To maintain availability, organizations must have a process, just as they need one for confidentiality and integrity. They must understand what resources are necessary to mitigate DoS and DDoS attacks in their specific environments. One consideration is the network architecture. To be most effective, the mitigation resources need to be the first element (or as close to it as possible) in the network path. The organization must account for the criticality of specific resources and maintain a process to prioritize them. They must also ensure they have the critical tools (and services) necessary to maintain their availability. One of these critical tools is people. Organizations should have a quick response team that can dynamically respond and employ tactics to mitigate the existing attack and any immediate follow-on attack.
Ultimately, when the “old school” concepts of security – confidentiality, integrity, and availability – are given equal consideration, IT can protect its assets, maintain the desired security state, and ensure access. By emphasizing the avoidance of security drift and formalizing a process to accomplish it, innovation becomes easier because improvements can be made with confidence that security will be maintained.