Why Multi-Layered Security is still the best defence
As if protecting resources in the age of BYOD wasn’t already hard enough, the beleaguered unsung heroes of corporate IT security increasingly have to look beyond the plethora of user-access devices and consider the security of equipment such as printers, fax machines, and even the routers and switches from which the network is built.
Faced with increased vigilance from security professionals and ever more sophisticated countermeasures, some cybercriminals are turning their attention to these less obvious targets, in some cases compromising equipment before it is even installed. With recent economic uncertainty hitting IT budgets hard, how many IT departments might have been tempted to acquire second-hand equipment? Is that cheap Cisco router a genuine Cisco or a counterfeit? And with counterfeit components having found their way into US missile defence equipment, how easy would it be to slip malicious firmware into the supply chain for brand new devices?
Although we haven’t yet seen examples in the wild, researchers from Columbia University last year showed that potentially large numbers of legacy printers can be compromised simply by receiving a specially crafted print job: the job carries a firmware update that the printer accepts without checking where it came from. When you consider that many of these printers are wireless, that few organisations ever patch them, and that some are even reachable from the Internet, the impact of a widely available exploit could be catastrophic.
In the early days of anti-malware protection, when the technology was immature and inter-vendor collaboration was all but non-existent, the smart money was on multiple levels of protection from multiple different vendors. The idea was that if one vendor missed something, another could still catch it and vice-versa. Of course, the vendors of multi-level solutions didn’t like this very much, since it made it impossible to own and control their accounts.
Eventually, as the main vendors completed their portfolios with offerings at each layer - desktop, server and gateway - they looked for ways to reverse this industry “best practice”. The answer, with a little help from industry analysts, was to show that the increased cost of managing a multi-vendor environment outweighed any benefit from a higher combined detection rate. In reality, although the gap in detection rates between the major players has narrowed somewhat - thanks largely to the sharing of malware samples among vendors - some solutions are still far more effective than others.
So why do I still need multi-layered security?
With desktop anti-malware protection addressing an ever broader spectrum of threats, many organizations, particularly at the SMB end of the market, ask whether additional protection at the servers and gateway is still strictly necessary. To answer this, you just need to consider all the different ways in which malware can enter a network and all the possible places it can hide.
Previously unseen malware is now being released into the wild at an average rate of about 30 samples per minute, so no matter how rapidly leading vendors such as Kaspersky Lab respond with updated signatures, those customers unlucky enough to be among the first targets still risk infection. Even if, within an hour, new detection signatures have been distributed to the customer’s head office and every infection cleaned from PCs and laptops, what is to stop infected files, which may still lurk on the file or mail server, being unwittingly forwarded to remote offices or, worse still, to customers and suppliers?
The simple addition of high-performance malware detection and blocking at the gateway not only prevents this, it will also likely reduce the number of initial infections, and with them the cleanup costs. This is because signature updates take a certain amount of time to propagate to every PC on a network, and that window grows with mobile laptop users, who may return only after several days away from the office; a single update to the gateway, by contrast, protects every machine behind it at once.
OK, I hear you say, then why not just employ anti-malware at the gateway and ignore the client side? This approach would be fine if the client-side devices had no CD-ROM drives, SD card slots or USB interfaces, if they never left the building, and if every file they received arrived over a connection the gateway could inspect. Back in the real world, a laptop infected in a hotel and plugged back into the office network the following Monday never passes through the gateway at all, so there is really no sensible alternative to managed anti-malware client software.
So what about those compromised printers and routers?
There is unfortunately no single silver-bullet solution to ensure safety from all potential threats, but by integrating high-performance anti-malware into every layer of the network, we can at least stand a good chance of identifying and isolating attacks before they spread. Combine this with powerful intrusion prevention, protocol and behaviour analysis, application control, vulnerability management and all the other defences found in a NETASQ Next Generation firewall, and you’ll greatly reduce your exposure to such threats.
Of course, these layers of protection are only effective when enabled and kept current, so if you own such a device, your most important task today could be to double-check that every protection layer is switched on, that its signature and rule updates are actually arriving, and that it covers the traffic to and from the printers, routers and switches you may never have thought of as targets.