The prime goal of cyber criminals is to find ways to exploit businesses and users for their own profit, with motives that range from financial gain to publicity. In this article we review the key trends we see in network security and then discuss existing and recommended countermeasures. The article targets the business infrastructure, and therefore excludes targets such as widgets and smart phones.
Emerging Threats: Non-Vulnerability-Based Attacks
Cybercrime now deploys a new type of attack called the non-vulnerability-based attack. These attacks do not exploit known or unknown application vulnerabilities; instead they use legitimate application transactions for malicious activity, so they go undetected by standard network security tools. A few examples of non-vulnerability-based attacks include: brute force attacks, aiming to defeat a business's authentication scheme; HTTP page floods, originating from botnets and targeting application server resources; and web application hacking that scans a web site looking for vulnerable pages.
DDoS Attacks Continue to Threaten Online Organizations
The July 2009 cyber attacks on US and South Korean commercial and government web sites were a reminder that DDoS attacks are a major threat to the on-line industry: eCommerce sites, critical infrastructure and government. A few other cases in the past 2-3 years include the shutdown of game servers (2007), the Estonia DoS attack (2007), the Georgia DoS attack (2008) and the Iran election protest attack (2009). In 2010-11 we expect to experience DDoS attacks at the same rate as in 2007-9; the shift is in the magnitude of the attacks. The July 2009 attacks peaked at only a few gigabits in volume, whereas in 2010-11 we expect to see attacks above 10 gigabits.
Business Impacting Attacks - the Artificial User Phenomena
New types of attacks, including application misuse activities, are generated from completely real source IP addresses - it is the users who are not real! This is referred to as the "artificial user phenomenon". Its impact on on-line businesses ranges from advanced application-layer DoS attacks to competitive intelligence, "robotic gambling", bid robots, advertising click robots, information theft, SPAM activities, SPIT (Spam over Internet Telephony) activities and general misuse of application memory and CPU resources - all of which have an immediate negative effect on business revenues.
Protecting the Business: the Need for an All-Inclusive Security Layer
Network security tools tend to rely on signature detection technology. However, this technology is almost 20 years old and was designed to detect attacks that exploit known application vulnerabilities. The bad guys today are smart: they deploy non-vulnerability-based attacks and application-level attacks that cannot be detected by static signature technology.
Therefore the solution lies in behavioral analysis technology that creates a baseline of normal user, application transaction and network bandwidth behavior. A behavioral engine can detect, in real time, cyber criminal activity that misuses application and network resources or exploits newly discovered application vulnerabilities. It then automatically creates a real-time signature that accurately characterizes the attack pattern and uses it to filter out the malicious activity - without blocking legitimate user traffic, so that the availability of services across the Internet is not affected.
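To make the behavioral-engine cycle concrete (baseline, real-time detection, automatic signature, filtering that spares legitimate clients), here is an added toy example written for this article; it is not Radware's code. It learns a per-client request-rate baseline from constructed access-log events and then handles the HTTP page flood described earlier; the same rate baseline would flag a brute force login attempt, which is just a high rate against one URI. All log data, IPs and URIs are constructed.

```python
"""Added example (not Radware's code): a toy behavioral-analysis engine that
learns a baseline of normal per-client request rates, flags a client whose
rate deviates from it, derives a real-time signature from the offending
traffic and filters only requests matching that signature."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

def per_client_rates(events):
    """Requests per second for each client, from (second, client_ip, uri) tuples."""
    counts = Counter((ip, sec) for sec, ip, _ in events)
    rates = defaultdict(list)
    for (ip, sec), n in counts.items():
        rates[ip].append(n)
    return rates

def learn_baseline(events, k=3.0):
    """Normal-behavior baseline: mean + k * stddev of per-client requests/second."""
    samples = [n for r in per_client_rates(events).values() for n in r]
    return mean(samples) + k * pstdev(samples)

def detect_and_sign(events, threshold):
    """Clients above the baseline become a real-time signature built from the
    attributes their traffic shares (here the client IP and its most-hit URI)."""
    signatures = []
    for ip, rates in per_client_rates(events).items():
        if max(rates) > threshold:
            top_uri = Counter(u for _, c, u in events if c == ip).most_common(1)[0][0]
            signatures.append({"client_ip": ip, "uri": top_uri})
    return signatures

def filter_traffic(events, signatures):
    """Drop only events matching a signature; other clients' traffic passes."""
    def hit(event):
        _, ip, uri = event
        return any(s["client_ip"] == ip and s["uri"] == uri for s in signatures)
    return [e for e in events if not hit(e)]

# Constructed access-log events (second, client_ip, uri); not real traffic.
NORMAL_CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
BASELINE = [(sec, ip, "/index.html" if sec % 2 else "/login")
            for sec in range(120) for i, ip in enumerate(NORMAL_CLIENTS)
            for _ in range((sec + i) % 3 + 1)]        # 1-3 requests/s per client
FLOOD = [(sec, "203.0.113.9", "/search")              # one bot hammering a page
         for sec in range(120, 130) for _ in range(40)]
LIVE = [(sec + 120, ip, uri) for sec, ip, uri in BASELINE[:300]] + FLOOD

if __name__ == "__main__":
    thr = learn_baseline(BASELINE)
    sigs = detect_and_sign(LIVE, thr)
    print(f"threshold={thr:.2f} signatures={sigs} passed={len(filter_traffic(LIVE, sigs))}")
```

A production engine would baseline many more attributes (transaction mix, bandwidth, session behavior) and age signatures out once the anomaly ends; the structure of the loop is the same.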
As most businesses rely on web applications to generate their revenues or support productivity, it is also essential to deploy a Web Application Firewall (WAF). The WAF complements standard signature detection, which prevents known application exploits, and behavioral analysis technology (NBA), which prevents unknown and non-vulnerability-based attacks. The WAF protects against common web attacks such as exploitation of web application vulnerabilities, cross-site scripting and SQL injection by detecting abnormal application use.
The use of the above mentioned tools is a must in order to comply with PCI DSS requirements.
Amir Peles is Chief Technology Officer at Radware. To read more of his articles, please visit his columnist page.
Edited by Michael Dinan