I want to talk today about the tools a modern information security specialist should have in his or her arsenal in 2019. I will also touch upon the cyber threats we face most today and the technologies that can help us fight them.
These days, cyberattacks are perceived as something ordinary. Crooks with no technical knowledge can buy sophisticated malware or order cheap DDoS services without any trouble. On the other hand, professional cybercriminals have become more selective and investigate future targets thoroughly before attacking them.
What tools come to the aid of security specialists when the "best defense is an attack" option is not appropriate?
To protect a workstation, you need at least an antivirus. Thanks to Microsoft's strategy, an antivirus is already present on every Windows machine. Yet at a time of rapid growth in new cyberattacks and amazing resourcefulness among hackers, many people still treat the antivirus as a placebo: you turn it on and forget about it and about viruses.
Well, if some malicious software slips through such "false protection", we can restore the machine from a backup and all problems will be gone. This attitude is very common, but there are plenty of cases where an infected machine caused significant damage and financial losses.
These days, classic signature-based antivirus is really not effective; attackers have become smarter. Therefore, to protect workstations, you need a product that combines a classic antivirus engine with other ways of finding malware, for example behavioral analysis.
Do not forget about such important things as:
· Monitoring software vulnerabilities on all corporate machines.
· Antivirus scanning of RAM and flash drives.
· Checking email and web traffic.
In addition, a centralized management console is very useful. It allows you to monitor all of the company's machines, see threats, keep statistics, and perform remote administration tasks.
Many organizations use virtual machines, and the virtual environment also needs protection. You can, of course, put protection on each virtual machine, but since virtual machines are usually not very powerful, it is better to build protection of the virtual environment around a separate master virtual machine. That dedicated machine processes all the data, and only a small agent that does not require serious resources is installed on all the other virtual machines.
You can also use an agentless solution, available only for VMware. In this case, no agent is installed on the virtual machine; the machines are protected and checked for threats through the hypervisor.
Hybrid infrastructures are gaining more and more popularity: companies keep some servers in the cloud and some on-premises. To build such an infrastructure you can use, for example, Microsoft Azure. As for protection, Kaspersky Lab has a suitable solution, Kaspersky Cloud Security.
Encryption is an important part of information security. Employees often use laptops that can be lost or stolen. Therefore, to protect confidential data, it is necessary to encrypt not only the devices themselves but also disk storage, as well as email and web traffic: all communication channels. To encrypt traffic, you can use a VPN service from a reputable provider.
A firewall is a must these days too. A classic firewall filters packets based on preprogrammed parameters only at the lower layers. Today it is much more efficient to use an application firewall, which operates at the application layer of the OSI model. It can still filter packets at the lower layers, and it allows only certain protocols through a given port: for example, only HTTPS traffic on port 443.
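As an added illustration (not code from the original article), here is the check an application-layer firewall performs that a port-based one cannot: it inspects the first bytes a client sends on port 443 and allows the connection only if they form a TLS ClientHello, so plain HTTP or an SSH session tunneled over 443 is dropped. The sample bytes and the function names are constructed for this example.

```python
import struct

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` begins with a TLS record carrying a ClientHello handshake message.

    Simplifying assumption: the whole ClientHello sits in the first record,
    which is what mainstream clients send.
    """
    if len(data) < 11:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 3 or minor not in (1, 2, 3):
        return False            # not a TLS handshake record (TLS 1.0-1.3 as seen on the wire)
    if data[5] != 0x01:
        return False            # handshake type 1 = ClientHello
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 != rec_len:
        return False            # handshake message must fill the record (see assumption above)
    return data[9] == 3         # client_version major byte

def port443_verdict(first_bytes: bytes) -> str:
    """Policy of the application firewall for port 443: only HTTPS (TLS) may pass."""
    return "allow" if looks_like_tls_client_hello(first_bytes) else "drop"

def build_client_hello_sample() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, empty session id
    body += b"\x00\x02\x13\x01"                    # cipher suite list with one entry
    body += b"\x01\x00"                            # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    samples = {
        "tls": build_client_hello_sample(),
        "plain http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "ssh banner": b"SSH-2.0-OpenSSH_7.9\r\n",
    }
    for name, first in samples.items():
        print(f"{name:11s} -> {port443_verdict(first)}")
```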
When DoS is not an ancient OS
DDoS is a very unpleasant thing. If competitors decide to take your site down at the most inopportune moment, the attack can result in large losses. Many vendors offer anti-DDoS solutions. Popular solutions work as follows: the traffic passes through cleaning centers and only then reaches the client's web server. The cleaning center detects a DDoS attack at the application layer of the OSI model and then removes the load caused by the DDoS. Some advanced tools can also monitor and "clean" encrypted HTTPS traffic.
All of the technologies mentioned above may protect against 99% of malware, but there is always the 1% that does not appear in signature databases. That 1% can be created for one specific attack and cause great damage. Only a multi-stage approach works well against targeted attacks.
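To show what the application-layer detection in such a cleaning center amounts to, here is an added example (not from the original article or any vendor): a sliding-window count of requests per client over web server access logs, after which only traffic from unflagged clients is forwarded to the origin. The log lines, addresses and thresholds are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime

def parse_line(line: str):
    """Return (epoch_seconds, client_ip) from one Common Log Format line."""
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1 : line.index("]")]
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, ip

def find_flooders(lines, window_s: float = 10.0, threshold: int = 100) -> dict:
    """Sliding window per client: flag IPs exceeding `threshold` requests in any `window_s` span.

    Returns {ip: peak number of requests seen inside one window}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(parse_line(l) for l in lines):   # process in time order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def scrub(lines, flagged: dict) -> list:
    """What the cleaning center forwards to the origin: requests from unflagged clients only."""
    return [l for l in lines if parse_line(l)[1] not in flagged]

def make_sample_log() -> list:
    """Constructed log: 150 requests from one client within 10 s plus 5 from a normal visitor."""
    lines = [f'203.0.113.7 - - [12/Mar/2019:10:00:{i % 10:02d} +0000] "GET /search?q=x HTTP/1.1" 200 1024'
             for i in range(150)]
    lines += [f'198.51.100.2 - - [12/Mar/2019:10:00:{i * 2:02d} +0000] "GET /index.html HTTP/1.1" 200 512'
              for i in range(5)]
    return lines

if __name__ == "__main__":
    log = make_sample_log()
    bad = find_flooders(log)
    print("flagged:", bad)
    print("forwarded to origin:", len(scrub(log, bad)), "of", len(log), "requests")
```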
Do honeypots still work?
The honeypot approach was borrowed by the security community from the military. It works like this: "baits" are placed in the corporate network. They are hard to distinguish from ordinary nodes: they exchange information, turn off at night, and so on. They are made slightly more noticeable to hackers so that they absorb the first attack. Any activity detected on such nodes suggests that "guests have come to the party".
This technique is quite popular among security researchers, but unfortunately companies today do not always have enough resources to build a reliable information security system, let alone catch hackers with honeypots. In addition, the use of honeypots by unqualified employees can lead to the compromise of the entire network. Before setting traps for others, think about how not to fall into them yourself.
Managing the zoo
If a company takes care of corporate security and all potential loopholes for hackers seem to be closed, this does not mean the information security specialist can sit back and relax. Besides finding protective solutions suited to the network architecture and the enterprise's needs, the security officer must also ensure these tools are used effectively.
Some companies prefer to take all security solutions from a single vendor. But most companies end up with a kind of zoo consisting of paid and open source products, plus some self-built add-ons.
In any case, you need to think about collecting, analyzing and monitoring events from the entire family of devices in the company. This is where SIEM systems become crucial.
It is believed that introducing a SIEM helps protect the infrastructure, but this is not quite the case. Security Information and Event Management cannot by itself prevent a threat. The system is used to analyze data from various systems, such as DLP, IDS, antivirus and various hardware, and then identify problems. A SIEM can be bought, but you can also build one yourself based on open source solutions; the most popular is Elasticsearch.
All developers of security solutions will soon have to work actively with IoT devices. Today many people buy smart kettles and refrigerators. They happily use smart devices but do not see the need to protect them, even though news pieces inform us weekly about IoT devices being used to DDoS websites, redirect traffic and steal data. IoT manufacturers are not yet ready to start putting protective solutions on their devices.
The cryptocurrency boom also deserves our attention, as this trend is very attractive to modern cybercriminals. Perhaps in the foreseeable future cryptocurrencies will build a big new industry, just as plastic cards and online banking replaced savings books. Although cryptocurrency itself is considered a secure solution, there are still some holes and vulnerabilities. Fraudsters often use good old methods like phishing.
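The "identify problems" step is correlation: an antivirus detection means more when another system reported on the same host at about the same time. Here is an added example (not the article's or any product's code) of such a rule over JSON documents of the kind a SIEM built on Elasticsearch would index; the field names, hosts and events are constructed for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON document each, from three different sources.
SAMPLE_EVENTS = [
    '{"@timestamp": "2019-03-12T10:01:00Z", "source": "ids", "host": "ws-17", "msg": "alert: suspicious outbound connection"}',
    '{"@timestamp": "2019-03-12T10:04:30Z", "source": "antivirus", "host": "ws-17", "msg": "malware detected"}',
    '{"@timestamp": "2019-03-12T09:00:00Z", "source": "dlp", "host": "ws-22", "msg": "document sent to external address"}',
    '{"@timestamp": "2019-03-12T11:30:00Z", "source": "antivirus", "host": "ws-22", "msg": "malware detected"}',
    '{"@timestamp": "2019-03-12T10:02:00Z", "source": "ids", "host": "ws-09", "msg": "alert: port scan"}',
]

def load_events(raw_docs) -> list:
    """Parse the JSON documents and attach a datetime for time-window comparisons."""
    docs = [json.loads(d) for d in raw_docs]
    for d in docs:
        d["ts"] = datetime.strptime(d["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return docs

def correlate(raw_docs, window_minutes: int = 10) -> list:
    """One incident per antivirus detection; any other source reporting on the same host
    within the window raises the severity. An IDS alert on its own stays a plain alert."""
    docs = load_events(raw_docs)
    window = timedelta(minutes=window_minutes)
    incidents = []
    for av in (d for d in docs if d["source"] == "antivirus"):
        related = [d for d in docs
                   if d is not av and d["host"] == av["host"] and abs(d["ts"] - av["ts"]) <= window]
        sources = sorted({d["source"] for d in related})
        incidents.append({
            "host": av["host"],
            "time": av["@timestamp"],
            "severity": "high" if sources else "medium",   # corroborated by another system?
            "corroborated_by": sources,
        })
    return sorted(incidents, key=lambda i: i["time"])

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```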