Exorcising the Demons: Casting Out the Unwanted
In the spirit of Halloween, this blog series examines CSO survival techniques and relates them to horror movies. Why? Because if cyber security isn’t done correctly, it can be quite scary.
Halloween is over…barely. And we’ve all survived…barely. (I know I did, I have two daughters and I had to figure out how to do makeup this year. Yikes!)
But there may still be some horror creeping around the corner. As we come down from our candy-induced sugar high, it’s time to cast out the demons.
I’m reminded a little bit of an all-time horror classic: “The Exorcist.”
Forty-three years after its release, “The Exorcist” is still terrifying audiences (heck, it even inspired a new TV series, and continues to scare the heck out of me even after about 200 viewings). At the time of its release, it was deemed too scary, too controversial, and a lot of people called for it to be banned. People literally had to be carried out of theaters on stretchers, and there were even stories that the Vatican was against it being shown.
The movie’s premise is simple, but horrific: a young girl is possessed by demons that must be cast out. The demon works to slowly and painfully beat its victims into a state of spiritual surrender by unleashing a non-stop attack on every aspect of the poor girl and her family. The scenes of torture and torment are hard to watch.
Demons in Your Network
Much like young Regan, the young girl in “The Exorcist,” your network is almost certainly possessed and in great need of an exorcism, lest it cause catastrophic damage. The poor CSO who ignores the warning signs of a “demonic presence” in their systems is doomed to suffer a through waves of ongoing attacks that will likely result in their “spiritual” surrender, as they will end up being the one who is exorcised—from their company, that is.
There’s malware, viruses and new attacks lurking. In some cases, they lay dormant waiting for their opportunity to strike. Just as in the movie, especially in the limited release “director’s cut,” the attacks start small. Little scratches on the doors, footsteps in the attic, seemingly innocuous things begin to become malevolent. It’s the same in the network. Odds are that there are already indications of malevolent “spirits” banging around in your systems. The network or security team probably already has a feeling that deep within the bowels of the system something is lurking, just below the surface, listening and watching. Rootkits, viruses and botnet command and control callouts are waiting to be summoned by distant evil forces bent on slowly degrading the system from within.
A ‘Major Incident’
Just recently, a network attack forced three UK hospitals offline and prompted the cancellation of all routine operations and outpatient appointments.
According to a ZDnet article, a “major incident” caused by a “computer virus” infected the Northern Lincolnshire and Goole NHS Foundation Trust network, forcing it to shut down the majority of its networks to combat the virus.
“A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it,” Dr. Karen Dunderdale, the trust’s deputy chief executive, told the BBC.
“Isolate and destroy it.” Sounds a lot like “cast out the demons.” You can almost hear Max von Sydow as Father Merrin bellowing, “I command thee out!”
What about threats that hide in SSL encrypted traffic? They’re out there too. And they’re even harder to find, because, well, they’re encrypted.
Back in August, security researchers discovered a “super sophisticated” and nasty piece of spyware that had stayed hidden for five years.
What made this spyware particularly powerful, and what helped it remain hidden, is its heavy use of encryption and other stealth features that help it avoid detection and fly under the radar of traditional anti-virus and cyber security software. Because the spyware’s functionality is deployed over the network, it resides in a computer’s memory, not on the disk, which also makes it that much harder to detect.
And let’s not forget about the recent rash of colossal distributed denial of service (DDoS) attacks that are taking down everyone from widely popular security blogs and service providers to DNS companies (which, then, in turn takes out their customers).
These DDoS attacks have not only grown in sophistication, but in size, with some reaching the 1 Tbps mark. That’s HUGE. And their toll is being felt by not only businesses, but consumers who can’t access some of their favorite websites and social networks due to a DDoS –created outage.
Don’t Be Your Own Exorcist
If ever there was a time to not try and heal yourself, it’s when you realize that your head is spinning as you speak in Latin. Just as one would not try and be their own exorcist, trying to exorcise the demons in the network solo is not always the best idea. When malevolence abounds, it’s time to call those who are ready for the battle.
It’s easy to continually throw new boxes and solutions at the problem, and hope that Frankensteining a security solution together will give you the well-rounded and thorough protection your network needs. But that’s not necessarily the case. That can introduce weaknesses and additional points of failure. And adding more and more disjointed technology to an ill formed strategy will never tip the balance of power towards the good guys.
At the same time, network security requires a cultural shift. Policies have to be created and enforced to ensure employees aren’t introducing bad things to the network.
A demonic threat from inside can be just as bad as one brought in from the outside. Allowing your employees unfettered rights and accesses across the network is like catching your teenager playing with a Ouija board, it should scare you.
Something as simple as enforcing strong password rules, requiring two- factor authentication, and installing tools that catch viruses and other malware before employees can get infected push the perimeter outward and can give the defenders time and data with which they can better combat the enemy.
And in this day and age, DDoS protection is a must. For example, A10 application delivery controllers (ADCs) have DDoS protection built-in, while A10 Thunder TPS adds DDoS protection at the network edge to detect and mitigate DDoS attacks before they infiltrate your network.
Then there’s uncovering hidden threats in encrypted traffic. A10 delivers Thunder SSLi which works to identify and remove encrypted threats before they wreak havoc. These appliances decrypt traffic and pass it to your existing security infrastructure, and then re-encrypt the SSL traffic to ensure it doesn’t contain any hidden threats like malware, spyware or more.
A thorough security plan built on a few best-of-breed tools, can not only prevent your network from being possessed, but can exorcise the demons that do get through, hopefully before they start cursing and the bed starts levitating.