Hackers always seem to be one step ahead of the rest of us when it comes to Unified Threat Management (UTM). As soon as one security vulnerability is patched, the hackers find another one to exploit. Or, even more perniciously, they find entirely new strategies for attacking individual computers and/or massive computer networks.
As a result, ensuring that your company’s computers and networks remain healthy has become a full-time job that requires knowledge of the latest threats along with potential counter-measures.
Fortunately, you don’t have to battle this Cylon Centurion’s hacking attempts alone. UTM attempts to provide all your network security using a single network appliance and/or specialized software. This appliance may be physical hardware installed as an edge device in your office or datacenter, a cloud-based application, or some combination of the two. In fact, as many companies are now migrating some or all of their IT services to the cloud (see our previous blog “Cloud Migration, or Hey You! Get Off of My Cloud!”), maintaining a rock-solid, failure-free connection to the cloud becomes all important.
Let’s first review the major types of computer/networking threats, then discuss some counter-measures, and finally bring it all together with UTM solutions.
Your computer and computer networks are under virtually constant attack from various evil-doers. Many of these threats have been around for decades, while hackers constantly update their techniques and sophistication. Below is a brief overview of many of today’s threats.
Phishing
This ubiquitous attack method continues to be one of the least sophisticated, yet most successful, attack techniques. Most of us understand that fraudulent emails and/or websites are to be avoided, yet plenty of people continue interacting with them. Users voluntarily offer up their login credentials, financial information, and other sensitive data.
Malware
Malware refers generally to any malicious software that installs itself on an unsuspecting computer or network. Once installed, the malware may begin executing one of many nefarious activities, including corrupting data and/or programs; stealing user credentials, financial information, or company proprietary information; or simply monitoring computer and network activity.
Malware encompasses the gamut of malicious software including:
- Computer viruses – a generic term for malicious software designed to infect computers and often to spread throughout computer networks.
- Worms – a type of virus designed specifically to infect a computer and then spread itself to other computer systems, often using the host computer’s contact lists.
- Trojan Horse – refers to both the infection (“My computer has a trojan virus”) as well as the method of delivering the virus. The term generally implies packaging the virus in a user-friendly way that encourages the user to click a malicious link or download a malicious file.
- Advanced Persistent Threat (APT) – refers to malware that has taken residence on a computer but does not cause immediately obvious effects. The threat can lie dormant waiting for some activation event or it can quietly compromise sensitive information, making detection difficult.
- Ransomware, Spyware, Adware – Ransomware is malicious software that requires a ransom be paid to the hackers in order to prevent your sensitive data from being compromised or destroyed. Spyware sits on your machine and secretly monitors your computer and sends your sensitive data to the hackers. It may also perform keystroke logging, compromise user credentials, etc. Adware monitors your online behavior and sends you specific advertisements (via popup or embedded in the webpage) based on your interests and purchasing history. It tries to build a profile of you so it can maximize the chance that you will click on any particular link. Much Adware is perfectly legal except when downloaded to your machine without your permission.
Crypto-mining Malware
This threat infects a host computer for the sole purpose of performing crypto-mining, without your knowledge or permission. Crypto-mining refers to a highly CPU-intensive process that is required to facilitate cryptocurrency (such as Bitcoin) transactions. In exchange for this service, the miner is rewarded with some small payment of the cryptocurrency.
DDoS Attacks and Botnets
Botnets refer to large-scale networks of computers that have been compromised by malicious software and can be controlled to operate en masse by the hackers. A common use of these botnets is to launch DDoS (Distributed Denial of Service) attacks aimed at a particular website. Each compromised computer is ordered to flood the target website with enough traffic to cripple or even completely crash the desired target.
Rogue Security Software
Unfortunately, commercially available security software has become a real security concern. A recently released study by AV-Comparatives tested 250 commercially available anti-malware software packages. The study, “AV-Comparatives’ 2019 test of Android antivirus products”, concluded that of the 250 tested products, “138 of the vendors detected less than 30% of the Android malware samples, or had a relatively high false alarm rate”. They also concluded that they considered the products “by 61 developers to be risky”.
Rootkits / Exploit Kits
These kits are designed to give hackers more command and control over the infected computers and/or networks at the operating system level. They are sophisticated software packages that, once installed, allow hackers to scan and/or manipulate sensitive data to various malicious ends.
SQL Injection Attack
SQL (Structured Query Language) is the language used by the database systems that run and maintain many companies’ sensitive data. SQL Injection attacks attempt to smuggle malicious SQL code into the queries an application sends to its database, typically through user-supplied input that the application pastes into the query text. If compromised, all the data in the database may be stolen or corrupted.
Man-in-the-Middle Attacks
These occur when the hacker places himself in between two unsuspecting parties. Once inserted, the hacker has access to all the data flowing between the users. A common means of effecting this type of attack occurs when using unsecured public WiFi networks: the hacker tricks the user into routing all data through the hacker’s computer before it reaches the WiFi network. Other sophisticated techniques used to hijack private internet connections include DNS spoofing, IP spoofing and HTTPS spoofing.
Drive-by Download Attacks
These may occur when a compromised or fraudulent website is accessed. The web browser or application accessing the site is unknowingly used to automatically download malicious software. These attacks do not require the user to click a malicious link or download a malicious file.
Fileless Attacks
These are attacks that do not install malware on your computer. Instead, the attacker uses tools and capabilities native to the computer’s OS and executes the attack directly from RAM, with little or no hard disk footprint.
Zero-day Exploit Attacks
These attacks exploit security vulnerabilities as soon as they are discovered and before the vendor has a chance to issue a security patch update.
Although the cyber threats to your computers and networks are very real, the good news is that developers continue to counter these threats with new and sophisticated technology. Below is a brief discussion of some of the most current and effective methods of countering cyberattacks.
Common sense security policies
One of the most effective and cheapest ways to protect your company from cyberattacks is to maintain a relevant security policy that is well understood and respected by your team. Keeping users from responding to phishing emails or engaging with fraudulent or malicious websites or apps is the best way to ensure your systems do not become corrupted. Educating employees about these dangers is critical.
Intrusion Detection/Prevention Systems (IDS/IPS)
Intrusion Detection/Prevention Systems (IDS/IPS) perform one of the most important anti-malware functions: detecting and preventing malicious software from entering your computer and/or networks. Both systems monitor computer and network activity, sometimes at the packet level, looking for anomalies and/or known malicious threats, often identified by unique data signatures or blacklisting. An IDS simply issues warnings or reports about detected threats, while an IPS attempts to take pre-emptive action to disable the threat before it fully compromises your computer or network.
Next Generation Firewalls
NextGen firewalls provide several sophisticated additional capabilities that allow firewalls to be even more effective and proactive in protecting computers and networks. Stateful firewalls have been around for a while and are a great improvement over the previous generation’s stateless firewalls, but next generation firewalls continue to add much needed capabilities. NextGen firewalls add network context (layer 7 awareness) and deep packet inspection (inspecting the payload as well as the packet header) to the firewalling decision process. NextGen firewalls also typically provide some level of IPS and add the ability to use external intelligence sources as part of the decision process.
Content Filtering
This technique is often used as part of the firewall and allows the admin to block specific websites (and/or email) that either contain objectionable content (pornography, hate, violence, etc.) or originate from a suspect IP address.
Secure Web Gateways
These provide cloud-based, encrypted internet gateways at the outer edge of your network. They force a single internet access point to your internal network where you can rigorously enforce security protocols, even with employees accessing the network from remote locations and arbitrary devices. Real-time monitoring of incoming and outgoing traffic at the gateway, URL and content filtering, data leakage protection, and general malware protection are typically performed.
Virtual Private Networks (VPN)
Virtual Private Networks are encrypted internet “tunnels” that ensure all traffic entering or exiting your network through the VPN is secure.
Unified Threat Management
The sheer number and increasing sophistication of cyberthreats make finding a single, unified solution very attractive. Fortunately, many companies these days offer UTM solutions, some of them comprehensive UTM solutions that also include SD-WAN. These solutions can be physical network appliances connected at your network’s edge, but increasingly the UTM solution is realized as a cloud-based virtual appliance. Any UTM solution you consider should address all of the above threats, and also have significant capability with respect to all the counter-measures above.
A cloud-based UTM system allows you to completely control the security protocols for your entire network using a single, integrated portal. This is especially useful for companies that have remote sites (headquarters and branch offices, field sites) and/or a mobile workforce that often accesses the company network from offsite. A cloud-based UTM solution ensures that rigorous security protocols are enforced for all data traversing the company network, regardless of access point.
If a cloud-based UTM solution appeals to you, then maintaining a rock-solid connection to the cloud becomes critical. Mushroom Networks devices ensure your connection to the cloud stays up even as network conditions deteriorate or individual WAN links go down, using SD-WAN, cellular bonding, and advanced failover features.
Rob Stone, Mushroom Networks, Inc.
Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.