If there is one place where a data security breach just can’t happen, it is in the financial services industry. Yet, that is exactly what happened when cyber terrorists breached the data center of an S&P 500 technology provider for the banking industry.
Even though it was running McAfee (News - Alert) antivirus software on its machines, the breach potentially compromised thousands of servers and exposed customer-facing data. The firm called in Bit9, which used its Parity Server solution, to bring visibility to the breach and help stop it, according to a Bit9 case study. But even reaching that point should strike fear into the heart of every enterprise IT staffer.
Image via Shutterstock
Nation states and cyber criminals are going after corporate data like never before, and IT must aggressively defend against data and intellectual property theft.
“What’s been going on over the last few years in the networks is the greatest theft that we’ve seen in history,” according to U.S. Cyber Command General Keith Alexander, quoted in a white paper about preventing cyber attack. “What we’re losing in intellectual property is astounding.”
The most vulnerable area of a business’s network is its domain controllers, according to the paper. Domain controllers, also called Active Directory servers, are where user credentials and authentication information is stored. If a cyber attacker compromises a firm’s domain controllers, it has the keys to the whole kingdom and can quietly infiltrate and steal data over the course of days and years.
There are generally two stages of attack that characterize an advanced, persistent attack on a company’s domain controllers.
First, the cyber attackers gain access to the controller. This often happens by low-tech methods such as getting login information from a user using e-mail that contains a malformed document, taking advantage of known application vulnerabilities, or the user is directed to a dummy website. The attackers then case the domain controller like house thieves planning a heist, looking for vulnerabilities.
The second step is exploiting the vulnerabilities the attackers uncover, often through vulnerabilities in Local Security Authentication Server (LSAS), a Client/Server Runtime Subsystem (CSRSS) or another system process with a discovered vulnerability. A particularly insidious method is scheduling a task via the scheduler that will run at a higher permission at a later time.
Once cyber attackers have gained access to a company’s domain controllers, the firm will be lucky to get away as unscathed as the S&P 500 technology company that had its security breach.
Firms need to take the threat seriously, and Bit9 outlined three steps that IT departments should use when planning their defense.
This starts with protecting critical infrastructure. Critical components such as domain controllers should never be able to run unauthorized programs or be combined with other uses such as file or Web serving. These components should be kept up to date at all times, too.
Next, companies should identify and protect high-risk business servers and intellectual property, which are the ultimate end-goal of cyber attacks. These then can be focused upon and secured with extra precautions.
Finally, companies need to protect client systems globally, according to Bit9.
“Assess systems based on risk and usage. Create a prioritized plan for each organizational and geographic unit,” according to Bit9. “Establish change control and exception polices. At very least, these systems should be monitored, and then locked down as appropriate and policy and resources allow,” focusing in particular on the weakest links in the network of client machines.
Cyber attacks will only get more common in the years to come. But so too can effective corporate IT defense strategies.
Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO Miami 2013, Jan 29- Feb. 1 in Miami, Florida. Stay in touch with everything happening at ITEXPO (News - Alert). Follow us on Twitter.