Stopping the payload key to thwarting targeted cyberattacks

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Targeted cyberattacks that use sophisticated social engineering to exploit network vulnerabilities are creating advanced persistent threats (APTs) for enterprise security models like never before. According to the article, “Targeted cyberattacks test enterprise security controls,” these threats pose a more immediate danger to the sensitive data of U.S. commercial entities than a full-fledged cyberwar. George Kurtz, a long-time colleague of mine and CTO of McAfee, expects these types of attacks to continue.

“These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered — it is too late.”

One of the methods the article suggests for protecting systems from targeted attacks is a whitelist that allows specific traffic over the network while excluding everything else. In other words, the idea is to limit exposure to social engineering by limiting user access to potentially dangerous sites. Plans like these make some sense, but they don’t address the core problem. There are too many ways users can be tricked into accessing something the list doesn’t cover for this to work. And for institutions such as universities, whose research takes users to unpredictable places on the web, restricting site access gets in the way of people doing their jobs and simply is not going to fly.

As we pointed out in our post, “Cisco’s 2009 Security Threat Report: We need a patch for the common user!”, people are the primary vulnerability going forward. Whether we like it or not, our employees, contractors and partners are continually accessing sites and other media that can cause problems. Rather than trying to manage user behaviors that are out of our control, or that users need in order to be effective, enterprises should focus on the real problem: stopping the payload of these attacks.

As long as there are people in the mix, they will continue to unknowingly bring things into the network that cause all sorts of havoc. The reality is that people make mistakes. They visit sites their company knows nothing about. They open bad emails and download the wrong things onto their machines. Since we can’t realistically stop what users are doing, we have to address the results of normal but risky behavior.

The bottom line is that we need to stop the payload from getting onto the network and becoming a threat. That needs to be the primary thrust, and it is the focus of BOUNCER, which uses application whitelisting to block unwanted applications from running while permitting users to go about their business.
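To make the contrast between the two approaches concrete, here is an added example (not CoreTrace or BOUNCER code, and not from the article being discussed). It puts a site blocklist, the approach criticized above, beside a deny-by-default application allowlist keyed on the SHA-256 of the file's contents. The host names, file names and file contents are constructed for the demonstration; the point is that the same payload fetched from a site nobody has heard of sails past the site filter but is still refused execution, and that an approved tool is still allowed no matter where it came from.

```python
"""Deny-by-default application allowlisting versus site blocklisting.

Added example, not CoreTrace/BOUNCER code. All hosts, file names and
file contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Content hash that serves as the allowlist identity of an executable."""
    return hashlib.sha256(data).hexdigest()


class SiteBlocklist:
    """The approach the post argues against: enumerate bad hosts, allow the rest."""

    def __init__(self, bad_hosts):
        self.bad_hosts = set(bad_hosts)

    def permits(self, host: str) -> bool:
        # Any host not explicitly listed is permitted, including brand-new ones.
        return host not in self.bad_hosts


class ApplicationAllowlist:
    """The approach the post argues for: only approved binaries may run,
    regardless of which site or e-mail delivered them."""

    def __init__(self):
        self.approved = {}  # sha256 hex digest -> human-readable label

    def approve(self, path: Path, label: str) -> str:
        digest = sha256_hex(path.read_bytes())
        self.approved[digest] = label
        return digest

    def may_execute(self, path: Path):
        """Return (allowed, reason). Unknown content is denied by default."""
        digest = sha256_hex(path.read_bytes())
        label = self.approved.get(digest)
        if label is None:
            return False, f"DENY {path.name}: hash {digest[:12]}... not on allowlist"
        return True, f"ALLOW {path.name}: matches approved '{label}'"


def simulate_download(workdir: Path, host: str, name: str, content: bytes,
                      blocklist: SiteBlocklist, allowlist: ApplicationAllowlist):
    """A user fetches `content` from `host` and tries to run it.
    Returns (site_permitted, execution_permitted, reason)."""
    if not blocklist.permits(host):
        return False, False, f"site {host} blocked"
    path = workdir / name
    path.write_bytes(content)
    exec_ok, reason = allowlist.may_execute(path)
    return True, exec_ok, reason


def demo() -> dict:
    """Run four constructed scenarios and return their decisions by name."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        blocklist = SiteBlocklist({"known-bad.example"})
        allowlist = ApplicationAllowlist()

        # Constructed "gold image": the one tool the enterprise has approved.
        approved_tool = b"#!/bin/sh\necho approved business tool\n"
        (workdir / "tool.sh").write_bytes(approved_tool)
        allowlist.approve(workdir / "tool.sh", "business tool 1.0")

        # Constructed unwanted payload; identical bytes whichever site serves it.
        payload = b"#!/bin/sh\necho constructed unwanted payload\n"

        return {
            # Site filter catches this one only because the host is already known.
            "known_bad_site": simulate_download(workdir, "known-bad.example", "p1.sh",
                                                payload, blocklist, allowlist),
            # Same payload from an unlisted host: site filter passes it, allowlist denies it.
            "unknown_site": simulate_download(workdir, "never-seen.example", "p2.sh",
                                              payload, blocklist, allowlist),
            # Approved tool from an unlisted host: allowed, origin is irrelevant.
            "approved_tool": simulate_download(workdir, "never-seen.example", "tool_copy.sh",
                                               approved_tool, blocklist, allowlist),
            # One appended line (a trojaned copy) changes the hash, so it is denied.
            "tampered_tool": simulate_download(workdir, "vendor.example", "tool_mod.sh",
                                               approved_tool + b"# extra\n", blocklist, allowlist),
        }


if __name__ == "__main__":
    for case, (site_ok, exec_ok, reason) in demo().items():
        print(f"{case:15} site_ok={str(site_ok):5} exec_ok={str(exec_ok):5} {reason}")
```

The site blocklist only ever catches what it already knows about, which is exactly the gap users walk through every day; the allowlist makes no judgement about where a file came from and simply refuses anything that is not an approved binary. A real product also has to handle interpreters, scripts and updates to approved software, which is where the operational work of application whitelisting lies, but the deny-by-default decision shown here is the core of it.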
