You trust your employees, right? Maybe you shouldn’t…
At least, not in issues of network security. Whether you like it or not, employees use office computers to communicate on social networking sites, share links to online entertainment, or download files from suspicious sources. At the same time, cybercriminals use social networking sites for phishing and malware distribution. They infect personal blogs, entertainment sites, file-sharing services, and torrent trackers. They regularly hack passwords to email accounts. To protect your network, here is a list of security threats and protection techniques you should know:
Because the majority of threats target mass audiences, antivirus software can prevent most incidents. Targeted attacks are different: hackers carry them out covertly, often using a non-standard approach, and they are highly sophisticated and well organized. These are the attacks you should worry about the most.
Social Engineering Attacks
In 2009, over 20 major software companies fell victim to the Operation Aurora targeted attack. In one incident, hackers approached company employees through social networking sites and IM clients. Using social engineering techniques, the scammers got acquainted with their victims, gained their confidence, and did whatever was necessary to make the recipients open a link. The fraudsters only needed to:
- Collect widely available information about the user from social networks
- Create an account with the victim’s personal information
- Become “friends” with the people from the victim’s list of contacts
- Get in touch with the victim using the established “cover”
When an account has been so thoroughly prepared, it can easily trick victims into clicking a suspect link. If this fails, the scammer can try a more sophisticated trick: hacking the account of a user whom the victim trusts and sending links from there. This is especially easy if the victim’s trusted contacts include vulnerable users like elderly people, children, or teenagers.
In a targeted attack, a link may lead the victim to a site with 0-day exploits, which allow criminals access to vulnerable computers. By communicating on social networks from the office computer, employees may unwittingly help hackers penetrate the corporate network.
Watering Hole Attacks
In this type of attack, hackers infect the sites that your employees use the most. Recently, the U.S. Ministry of Labor site was infected, but the real target of the attack was the Department of Energy. The criminals had tried to infect the computers of DOE employees who regularly visited the Ministry of Labor’s website.
Once targeted employees open an infected page, malware redirects their browser to a malicious site, which may contain 0-day exploits. By hiding malware in such a way, scammers can also hide their targeted attacks from antivirus companies and IT security experts.
Protection through Policy
Users may enable targeted attacks by unwittingly giving scammers access to the system. Unfortunately, there is no technology that eliminates human error from corporate network security. However, reinforcing security policies provides protection by combating targeted attacks at every stage, from the first attempt to exploit a vulnerability to attempts to compromise the network.
Protection Against Exploits
Since targeted attacks use unique malware, signature-based detection isn’t enough to identify the malicious code. Yet antivirus programs have long had more weapons at their disposal than signature-based detection. AEP technology, with its heuristic analysis and control over executable code, can block the execution of malicious code when it exploits a 0-day vulnerability.
If fraudsters do manage to compromise the system, network traffic and application controls may prevent further penetration into the corporate network.
Network traffic control
Once malicious code gets into the system, it usually attempts to:
- Establish a connection with a command center
- Open ports for incoming connections
- Download additional modules
- Inject malicious code into other processes to maintain the connection with the command center
- Gather information about the network, such as its systems and users
- Send the harvested information to the fraudsters’ server.
Having connected to the system, scammers collect information about it and about the corporate network it belongs to. To collect local information, the fraudsters don’t need extra privileges: they can obtain a list of running processes, installed software, and more with little effort. They collect information about the corporate network using special scripts and utilities that mask their activity and bypass security systems. Then they analyze this information before the next stage of the attack.
Using network traffic control technology, system administrators and IT security specialists can block dangerous network activity and detect any penetration into the corporate network. For instance, a firewall and IPS / IDS can:
- Block incoming/outgoing connections by port, protocol, domain name, and IP address
- Generate statistical analysis of traffic to find anomalies
- Collect suspicious network traffic for further analysis
- Detect or block commands and collected output sent to the command center, downloads of suspicious files from the Internet, and transmissions of confidential information
A firewall and IPS / IDS can detect anomalies in the interactions of network nodes once the malicious code tries to contact the command center or scans the corporate network for other systems and open ports. This anomaly detection allows IT security experts to respond to the threat, preventing further intrusion into the corporate network.
Having accessed the target system, the criminals aim to consolidate their success. By downloading additional modules, malicious code, and utilities onto the system, they embed the connection with the command center in trusted processes like explorer.exe.
Application Control can block the launch and download of untrusted programs and modules from the attacker’s toolkit. HIPS policies should also block dangerous non-standard behavior from legitimate software. Browsers shouldn’t open ports for incoming connections. System processes and other applications shouldn’t connect to external servers or deploy code into other trusted processes. This behavior should be prohibited.
To prevent criminals from gaining control of the system, IT security specialists should:
- Stop trusted or vulnerable programs from injecting code into other processes
- Restrict applications’ access to critical system resources and files to only what they need
- Block dangerous functions that aren’t a default feature of the applications
- Safeguard systems that require the highest protection level with the Default Deny mode. This mode blocks programs from starting up if they aren’t included in the white list, whether it is stored locally or in the cloud.
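The network traffic and HIPS checks described above, written out as a small set of rules over endpoint telemetry, as an added example (not the article’s own code; the process names, addresses, allowlist and sample events are all constructed):

```python
"""Endpoint policy checks over constructed telemetry (added example, not the article's code).
Event = {process, direction ('out'|'listen'), remote, port}. Rules mirror the article: no browser
listening ports, no system-process connections to external hosts, repeated contact with one
external host flagged as command-center beaconing, Default Deny for processes off the allowlist."""
from collections import Counter
from ipaddress import ip_address, ip_network

BROWSERS = {"chrome.exe", "firefox.exe"}
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe"}
ALLOWLIST = BROWSERS | SYSTEM_PROCESSES | {"outlook.exe", "winword.exe"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(addr):
    """True when the address lies outside the private ranges listed in INTERNAL_NETS."""
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def evaluate(event, default_deny=False):
    """Return the policy violations raised by a single event."""
    proc, alerts = event["process"].lower(), []
    if default_deny and proc not in ALLOWLIST:
        alerts.append("default-deny: %s is not on the allowlist" % proc)
    if proc in BROWSERS and event["direction"] == "listen":
        alerts.append("browser %s opened listening port %d" % (proc, event["port"]))
    if proc in SYSTEM_PROCESSES and event["direction"] == "out" and is_external(event["remote"]):
        alerts.append("system process %s connected to external %s:%d" % (proc, event["remote"], event["port"]))
    return alerts

def find_beacons(events, min_hits=3):
    """(process, host) pairs that contacted the same external host at least min_hits times."""
    hits = Counter((e["process"].lower(), e["remote"]) for e in events
                   if e["direction"] == "out" and is_external(e["remote"]))
    return {pair: n for pair, n in hits.items() if n >= min_hits}

def scan(events, default_deny=False):
    """Per-event rules plus the beaconing check over a batch of events."""
    alerts = [a for e in events for a in evaluate(e, default_deny)]
    for (proc, host), n in find_beacons(events).items():
        alerts.append("beaconing: %s contacted %s %d times" % (proc, host, n))
    return alerts

SAMPLE_EVENTS = [  # constructed; 198.51.100.7 stands in for an attacker's command center
    {"process": "chrome.exe", "direction": "out", "remote": "203.0.113.10", "port": 443},
    {"process": "chrome.exe", "direction": "listen", "remote": "0.0.0.0", "port": 4444},
    {"process": "explorer.exe", "direction": "out", "remote": "198.51.100.7", "port": 8080},
    {"process": "explorer.exe", "direction": "out", "remote": "198.51.100.7", "port": 8080},
    {"process": "explorer.exe", "direction": "out", "remote": "198.51.100.7", "port": 8080},
    {"process": "update_tool.exe", "direction": "out", "remote": "198.51.100.7", "port": 8080},
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS, default_deny=True)))
```

On the sample data the Default Deny rule is the only thing that catches the unknown process, since a single connection to the command center is below the beaconing threshold.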
If the scammers seize control of the system and penetrate the corporate network, they may try to find and upload files that contain important information like:
- Corporate documents, including security policies
- Files containing credentials
This information appears on the main victim machine as well as in open network folders on other systems. To prevent a data leak, IT security specialists should use file/disk encryption to restrict local access to the confidential information. Data should also be transferred in encrypted form. Even if the criminals manage to download something, they can’t read the content of the encrypted files.
In isolation, none of the above technologies can prevent a targeted attack. To protect the corporate network, all these technologies must be well integrated and carefully tuned.
However, system administrators and IT security specialists should also use administrative protection measures:
All users must:
- Know and observe company security policies
- Understand the possible consequences of Internet threats, such as phishing, social engineering, or malware sites
- Inform the security service about all incidents.
System administrators and IT security specialists must:
- Keep track of user access rights and privileges
- Scan the systems for vulnerabilities and unused network services
- Detect and analyze vulnerable network services and applications
- Update vulnerable components and applications. If there is no update, vulnerable software should be restricted or banned.
Rights and privileges should be granted only when necessary, and every grant should be recorded. Many of these measures can be automated. If security policies are violated, special software shows the user a warning message. Systems Management technology can be used to discover network services and unauthorized devices, find vulnerabilities, and automatically update vulnerable applications.
Misuse of company resources can lead to direct financial losses and a serious IT security incident. While communicating on social networking sites or viewing websites on the office computer, employees can become unwitting victims and involuntary allies of criminals who plan targeted attacks. Though they may have honest intentions, it’s never a bad idea to have a backup plan.