The realm of network security encompasses many perspectives and interests, as is evident from the wealth of articles prevalent across the media and the availability of various proactive protection measures. One particular technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not a ‘set-it-and-forget-it’ type of solution. This is because of the necessity of employing current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database for an IPS-capable device needs to be kept current to maximize the level of protection that it can provide. If you already use Cisco IPS technology, then you might already be familiar with how crucial it is to use the most current IPS signatures. Otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this fact and can receive signature updates as they become available. Signature updates can be installed manually or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write custom signatures for the IPS.
And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is also important to make sure that the underlying operating system on the sensor is kept up to date as well. The underlying operating system and engines decompose and analyze the traffic as it passes through the device. Things like protocol decoding, features, and evasion resistance are handled here. The engines run without a signature set, but they do not alert, because the signatures provide the matching framework for an alert to fire. The same can be said about the signatures: they do not work without the engines. Each requires the other to function, and therefore keeping them both current is important.
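The dependency described above (a signature update only helps if the sensor's engine level is new enough to run it) can be checked before an update is pushed. The following is an added example, not Cisco code: it assumes a package-naming convention of the form "IPS-sig-S<level>-req-E<engine>.pkg" for signature updates and "IPS-engine-E<engine>-req-<version>.pkg" for engine updates, and the package names in it are constructed samples.

```python
import re
from dataclasses import dataclass

# Naming conventions assumed for this example; verify against the sensor's
# own documentation before relying on them.
SIG_PKG = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<eng>\d+)\.pkg$")
ENG_PKG = re.compile(r"^IPS-engine-E(?P<eng>\d+)-req-(?P<ver>[\d.-]+)\.pkg$")

# Constructed sample of what an update directory might hold.
SAMPLE_PACKAGES = [
    "IPS-sig-S590-req-E3.pkg",        # older than the sensor already has
    "IPS-sig-S610-req-E3.pkg",        # applicable on the current engine
    "IPS-sig-S652-req-E4.pkg",        # newest, but needs a newer engine
    "IPS-engine-E4-req-7.0-2.pkg",    # the engine update that unlocks S652
]


@dataclass
class SensorState:
    signature_level: int   # e.g. 600 for "S600"
    engine_level: int      # e.g. 3 for "E3"


def check_signature_update(sensor, pkg_name):
    """Return (applicable, reason) for one signature package on this sensor."""
    m = SIG_PKG.match(pkg_name)
    if not m:
        return False, "not a signature package"
    sig, req_engine = int(m["sig"]), int(m["eng"])
    if sig <= sensor.signature_level:
        return False, f"sensor already at S{sensor.signature_level}"
    if sensor.engine_level < req_engine:
        return False, f"needs engine E{req_engine}, sensor has E{sensor.engine_level}"
    return True, "applicable"


def plan_updates(sensor, available):
    """Engine updates first (ascending), then the newest signature set the
    resulting engine can run. Signature updates are cumulative, so only the
    highest applicable one is kept. Returns (ordered packages, end state)."""
    state = SensorState(sensor.signature_level, sensor.engine_level)
    plan = []
    engines = sorted((int(m["eng"]), n) for n in available if (m := ENG_PKG.match(n)))
    for level, name in engines:
        if level > state.engine_level:
            plan.append(name)
            state.engine_level = level
    applicable = [(int(SIG_PKG.match(n)["sig"]), n) for n in available
                  if check_signature_update(state, n)[0]]
    if applicable:
        level, name = max(applicable)
        plan.append(name)
        state.signature_level = level
    return plan, state
```

Running it against a sensor at S600/E3 shows why the engine must be upgraded first: without the E4 package, S652 is rejected and the sensor would silently stay on S610.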
As part of CSIRT’s mobile monitoring offering for special events, we undertook monitoring of the corporate and customer traffic of the Cisco House at the London 2012 Olympics. This engagement presents us with an excellent opportunity to showcase Cisco technology while keeping a close watch on potential network security threats. CSIRT monitoring for this event will be active for the entire lifespan of the Cisco House, from two months before the Olympics until two months after.
For the London 2012 engagement, we shipped our gear in a containerized 14RU military-grade rack that is made for shipping. Inside the mobile monitoring rack we have an assortment of Cisco kit and third-party kit that mirrors the monitoring we do internally:
Catalyst 3750 to fan out traffic to all the other devices
FireEye for advanced malware detection
Two Cisco IronPort WSA devices for web traffic filtering based on reputation
Cisco UCS box where we run multiple VMs
Lancope StealthWatch collector for NetFlow data
and a Cisco 4255 IDS for intrusion detection
We mirror the signatures that we have deployed internally at Cisco out to these remote locations. Depending on the environment where the mobile monitoring rack is deployed, we may also do some custom tuning. The kit in the mobile monitoring rack can do intrusion detection and advanced malware detection, and can collect and parse NetFlow and log data for investigation purposes. The Cisco UCS rack server also lets us run several VMs, so we can run multiple tools that complement the other devices in the rack. For example, we run a Splunk instance on a VM to collect the logs generated by all the services. The data from the gear in the mobile monitoring rack is analyzed by our team of analysts and investigators to eliminate false positives, conduct mitigation and remediation, and finally produce an incident report if required.
Last weekend was a typical one, nothing out of the ordinary: errands, science fairs, softball practice with the kids. However, I found myself hesitating a number of times, thinking twice, before I handed my credit card to the cashier at the mall to purchase a pair of shoes, and again as I typed in my credit card number and security code online to purchase some items for a school fundraiser. In the past, I hadn’t given this much thought, but with yet another data breach in the news, it seems that the breaches are continuing to occur – and as consumers, we will continue getting those ‘Dear John’ letters informing us we were one of the unlucky ones…
With news of another data breach of up to 1.5 million credit and debit cards compromised last month, as well as high-profile data attacks against the International Monetary Fund, National Public Radio, Google and Sony’s PlayStation Network, data security should be top of mind for all of us. So, how are these breaches continuing despite all of the efforts to secure customer data? In a series of blog entries to follow, we’ll outline the anatomy of a data breach, steps you can take to reduce your risk, and how Cisco can help keep your organization from being the topic of the next breach headline.
Anatomy of a Data Breach:
It used to be that hackers were in the business of hacking for fame or infamy… mostly individuals or groups of friends were doing small-time breaches, leaving digital graffiti on well-known websites. Although these breaches demonstrated security gaps among those affected, there was little financial impact compared to today. It should come as no surprise, in a world of big data, that it is harder than ever for organizations to protect their confidential information. Complex, heterogeneous IT environments make data protection and threat response very difficult.
Reduce the risk of compromised company data by securing users’ smartphones
Once upon a time, a mobile phone was just a phone—you made and received calls on it, and that’s all. It posed zero risk to the security of your network or your business. Now, a mobile phone is so much more than just a phone. It’s a personal assistant, a portable game player, a digital camera, and most importantly, a full-fledged computer—and these smartphones definitely pose a security risk. Just like a laptop, smartphones, tablets, and other mobile devices can connect to your network, which means they could compromise your company’s data or leave your network vulnerable to attack from a hacker. You wouldn’t leave employees’ laptops unsecured, so why would you take chances with their mobile devices?
For the most part, the same security measures you apply to the computers on your network in the office should also be applied to mobile devices that have access to your LAN. Just like desktop PCs and laptops, all mobile devices need software protection to guard against malware and other attacks. Smartphones and tablets should have a firewall as well as antispam and antivirus software installed, such as the Cisco AnyConnect Secure Mobility Solution and the Norton Smartphone Security offering.