Uncovering loopholes on today’s networks


4 November 2014
Wana Tun of Sophos

Companies today face challenges securing their networks against both sophisticated malware and external threat actors. They also face internal struggles with IT misconfiguration and lack of security education among employees. This article looks at the common network threats faced by many organisations today:

Advanced Persistent Threats
The term Advanced Persistent Threat (APT) has come to be associated with nation-state cyberattacks and advanced malware and hacking techniques, but according to a Ponemon Institute study last year, 68 per cent of IT managers do not know what it really refers to.

APTs are attackers who are prepared to persistently and slowly penetrate networks and steal data. Unlike traditional malware, they leverage social engineering and zero-day vulnerabilities, as well as extensive understanding of the target environment.

An APT starts by gathering intelligence on its target through the Internet and social networking sites. The attackers then find a point of entry within the target’s network; once the network is breached, the malware calls home to a command-and-control (C&C) server and reports its location. It then searches the network for data and assets and may also infect other clients in order to reach its target or introduce further attacks that gain access to systems faster. Upon finding the data they are looking for, the APT starts communicating frequently with the C&C host and is likely to extract the data in small, encrypted pieces to avoid detection.
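The callback behaviour described above (regular, small calls home to a C&C host) is something a defender can look for in outbound connection logs. The following is an added example, not code from the article or from Sophos: it groups connections by source and destination, measures how regular the gaps between them are, and flags pairs that talk at a fixed period with consistently small payloads. The log format, the addresses and the thresholds are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound-connection log (not from a real network):
# "<ISO timestamp> <internal source> <external destination> <bytes sent>"
SAMPLE_LOG = """\
2014-11-04T09:00:00 10.0.0.5 203.0.113.7 612
2014-11-04T09:00:01 10.0.0.5 198.51.100.20 48213
2014-11-04T09:10:02 10.0.0.5 203.0.113.7 598
2014-11-04T09:12:44 10.0.0.5 198.51.100.20 120044
2014-11-04T09:20:00 10.0.0.5 203.0.113.7 640
2014-11-04T09:30:01 10.0.0.5 203.0.113.7 605
2014-11-04T09:40:03 10.0.0.5 203.0.113.7 621
2014-11-04T09:47:10 10.0.0.5 198.51.100.20 9911
2014-11-04T10:05:30 10.0.0.5 198.51.100.20 77
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_interval_cv=0.2, max_bytes=4096):
    """Return (src, dst) pairs whose connections are both regular and small.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections: a low value means a fixed-period
    callback. All thresholds are assumptions for this example and should be
    tuned per network.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    suspects = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        largest = max(nbytes for _, nbytes in conns)
        if cv <= max_interval_cv and largest <= max_bytes:
            suspects.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(cv, 4),
                "max_bytes": largest,
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {s['src']} -> {s['dst']} every ~{s['mean_interval_s']}s "
              f"({s['connections']} connections, cv={s['interval_cv']}, "
              f"max {s['max_bytes']} bytes)")
```

In the sample data only the 203.0.113.7 pair is flagged: five connections roughly ten minutes apart, each a few hundred bytes, while the bulky, irregular traffic to 198.51.100.20 is ignored. Legitimate software (update checks, time synchronisation) also beacons, so in practice the output is a triage list to be compared against an allowlist of known services rather than a verdict.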

Web insecurity
When it comes to security against adversaries, most organisations think about viruses and their endpoints but often neglect their web sites. According to SophosLabs, an average of 30,000 new malicious URLs are generated daily, of which 80 per cent are compromised, legitimate web sites. 85 per cent of malware including viruses, worms, spyware, adware and Trojans are also from the Web.

An attacker first uses the drive-by download technique to penetrate a system from an entry point such as a hijacked web site or an email with a malicious link. Attackers leverage existing vulnerabilities within web servers such as Apache and IIS, injecting malicious code into web pages. Once it reaches the browser, it redirects the user to download an exploit kit through an elaborate traffic distribution system which is difficult to track. The kit then executes exploits against web browser vulnerabilities and plugins such as Java and PDF readers.
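Because the injected code on a compromised legitimate site is usually a hidden redirect rather than a visible change, a site owner can catch it by scanning their own pages for content that should not be there. The following is an added example, not code from the article or from Sophos: it parses a page and reports iframes that are hidden or sized to zero and script tags loaded from a host other than the site's own. The HTML, the site host name `www.example.com` and the addresses in it are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a legitimate site page with two injected elements
# (a zero-size iframe and an off-site script); not from any real site.
SAMPLE_PAGE = """\
<html><head>
<script src="https://www.example.com/js/site.js"></script>
</head><body>
<p>Welcome to our site</p>
<iframe src="http://203.0.113.9/go.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://www.example.com/embed/map" width="400" height="300"></iframe>
<script src="http://198.51.100.33/stat.js"></script>
</body></html>
"""


class InjectedContentScanner(HTMLParser):
    """Collect iframes that are hidden and scripts pulled from other hosts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden iframe", a.get("src") or ""))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host.lower() != self.site_host:
                self.findings.append(("off-site script", a["src"]))

    @staticmethod
    def _is_hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style


def scan_page(html, site_host):
    """Return a list of (kind, url) findings for one page."""
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {url}")
```

Run periodically against the site's own pages (or against a crawl of them), a non-empty result is a prompt to compare the page with the deployed source. Sites that legitimately load scripts from a CDN will need those hosts added to an allowlist; the point is to notice a change, not to classify every external reference as malicious.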

Wi-Fi spies
Many users know it is important to protect their wireless network with a strong password. However, a Sophos survey found 8 per cent of respondents using no encryption at all and 19 per cent using obsolete encryption. The following are some of the common mistakes made by companies, especially their remote offices:

1)      Basic errors such as having poor encryption, passwords that are not complex enough, not using VPNs (virtual private networks), poor employee education and lack of published policies.

2)      Uncontrolled access to wireless networks, giving customers, suppliers and other office visitors IDs and passwords to internal networks. This has given rise to contractors whose passwords remain valid for weeks and months, even after they have moved on to other companies.

3)      Accidental misconfiguration which leads to security vulnerabilities. This often happens because deployment and management of wireless access points can be time-consuming, complex and expensive.
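The three mistakes above are all things an inventory check can surface before an attacker does. The following is an added example, not code from the article or from Sophos: it audits a list of access points for missing or obsolete encryption, short pre-shared keys and visitor networks bridged onto the internal network, and lists visitor or contractor accounts that have gone unused for too long. The inventory, the accounts, the minimum key length and the idle-account threshold are all constructed assumptions for this illustration.

```python
from datetime import date

# Encryption modes treated as obsolete here; WPA2 with AES/CCMP is the baseline.
OBSOLETE_ENCRYPTION = {"WEP", "WPA-TKIP"}
MIN_PSK_LENGTH = 12   # assumed policy value for this example
MAX_IDLE_DAYS = 30    # assumed: visitor/contractor accounts idle longer than this are stale

# Constructed access-point inventory (not real configuration data).
ACCESS_POINTS = [
    {"ssid": "Corp-HQ", "encryption": "WPA2-AES",
     "psk": "Tq8!vL2#mZ9pWx4$kR7", "guest_on_internal_vlan": False},
    {"ssid": "Branch-Office", "encryption": "WEP",
     "psk": "branch123", "guest_on_internal_vlan": False},
    {"ssid": "Visitors", "encryption": "none",
     "psk": "", "guest_on_internal_vlan": True},
]

# Constructed visitor/contractor wireless accounts with their last login date.
GUEST_ACCOUNTS = [
    {"user": "contractor-acme", "last_used": date(2014, 6, 1)},
    {"user": "auditor-temp", "last_used": date(2014, 11, 3)},
]


def audit_access_point(ap):
    """Return a list of findings for one access point; empty means nothing found."""
    findings = []
    enc = ap.get("encryption", "none").upper()
    if enc == "NONE":
        findings.append(f"{ap['ssid']}: no encryption")
    elif enc in OBSOLETE_ENCRYPTION:
        findings.append(f"{ap['ssid']}: obsolete encryption ({enc})")
    if enc != "NONE" and len(ap.get("psk", "")) < MIN_PSK_LENGTH:
        findings.append(f"{ap['ssid']}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if ap.get("guest_on_internal_vlan"):
        findings.append(f"{ap['ssid']}: visitor SSID bridged onto the internal network")
    return findings


def stale_accounts(accounts, today, max_idle_days=MAX_IDLE_DAYS):
    """Return user names whose last login is older than max_idle_days."""
    return [a["user"] for a in accounts if (today - a["last_used"]).days > max_idle_days]


def audit_site(access_points, accounts, today):
    """Combine the access-point and account checks into one report."""
    report = []
    for ap in access_points:
        report.extend(audit_access_point(ap))
    for user in stale_accounts(accounts, today):
        report.append(f"account {user}: idle for more than {MAX_IDLE_DAYS} days, disable or expire it")
    return report


if __name__ == "__main__":
    for line in audit_site(ACCESS_POINTS, GUEST_ACCOUNTS, date(2014, 11, 4)):
        print(line)
```

With the constructed inventory the head-office network passes, the branch office is reported for WEP and a short key, the visitor network for running open and bridged into the internal network, and the contractor account for months of inactivity. Key length is used here as a stand-in for the article's "not complex enough"; a real audit would apply the organisation's published password policy.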

IPv6 issues
IPv6 (Internet Protocol version 6) addresses many of the limitations of its predecessor IPv4 by offering a much larger address pool to support various web-enabled devices and delivering better integrity and security.

However, companies should be mindful of some of the risks that they face with the latest internet protocol:

1)      Malware with IPv6-based C&C capabilities is rampant, so if a server enables IPv6 by default but its firewall does not, it could lead to a higher number of malware infections.

2)      The deployment of IPv6 involves new ways of doing troubleshooting, firewall configuration and monitoring security logs. IT managers must learn the correct processes for setting up IPv6 or risk mistakes in deployment.

3)      It is not possible to instantly switch from IPv4 to IPv6 so partial adoption through the use of tunnelling technologies to transport traffic between the two protocols is needed. This could give rise to misconfiguration and security loopholes.
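The first risk above, a host that speaks IPv6 while only its IPv4 firewall has been configured, is easy to check for mechanically. The following is an added example, not code from the article or from Sophos: it reads the INPUT chain from iptables-save and ip6tables-save style output, compares the default policies and the explicitly accepted ports, and reports services listening on an IPv6 wildcard address that are blocked over IPv4 but reachable over IPv6. Both rule sets and the listener list are constructed for this illustration.

```python
import re

# Constructed iptables-save style output (not from a real host): IPv4 drops
# inbound traffic by default and allows only SSH and HTTPS.
IPV4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed ip6tables-save style output: IPv6 was never configured, so the
# default policy is still ACCEPT and there are no rules.
IPV6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed listening sockets as (protocol, port, bind address).
# "::" is the IPv6 wildcard, "0.0.0.0" the IPv4 wildcard.
LISTENERS = [("tcp", 22, "::"), ("tcp", 443, "0.0.0.0"), ("tcp", 3306, "::")]

POLICY_RE = re.compile(r"^:INPUT\s+(\w+)")
ACCEPT_RE = re.compile(r"^-A INPUT\b.*-p\s+(tcp|udp)\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT\b")


def parse_input_chain(text):
    """Extract the INPUT default policy and the explicitly accepted (proto, port) pairs."""
    policy = None
    accepted = set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepted.add((m.group(1), int(m.group(2))))
    return {"policy": policy, "accepted": accepted}


def compare_firewalls(v4_text, v6_text, listeners):
    """Report where the IPv6 firewall is weaker than the IPv4 one for live services."""
    v4 = parse_input_chain(v4_text)
    v6 = parse_input_chain(v6_text)
    findings = []
    if v4["policy"] != v6["policy"]:
        findings.append({"severity": "medium", "port": None,
                         "msg": f"INPUT default policy differs: IPv4 {v4['policy']}, IPv6 {v6['policy']}"})
    for proto, port, addr in listeners:
        if ":" not in addr:   # IPv4-only bind address: the IPv4 rules already govern it
            continue
        open_v4 = (proto, port) in v4["accepted"] or v4["policy"] == "ACCEPT"
        open_v6 = (proto, port) in v6["accepted"] or v6["policy"] == "ACCEPT"
        if open_v6 and not open_v4:
            findings.append({"severity": "high", "port": port,
                             "msg": f"{proto}/{port} is blocked on IPv4 but reachable over IPv6 ({addr})"})
        elif open_v6 and (proto, port) not in v6["accepted"]:
            findings.append({"severity": "low", "port": port,
                             "msg": f"{proto}/{port} is reachable over IPv6 only because the default policy is ACCEPT"})
    return findings


if __name__ == "__main__":
    for f in compare_firewalls(IPV4_RULES, IPV6_RULES, LISTENERS):
        print(f"[{f['severity']}] {f['msg']}")
```

On the constructed host the database port 3306 is the high-severity result: the IPv4 rules never allow it, yet it is bound to `::` and the IPv6 table accepts everything. SSH is reported at low severity because it is allowed on both stacks, but only by accident on IPv6. A socket bound to `::` usually accepts IPv4 connections as well, which the IPv4 rules already cover; the comparison is about the IPv6 path the administrator may not know exists.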

To address these security challenges businesses need to combine technologies and add layered defences to safeguard enterprise systems against network threats. By increasing the number of safety nets, the security vulnerabilities and loopholes become smaller.

  • Wana Tun is the regional technical evangelist at Sophos.