Is malware lurking silently in your network? Six important security steps

Corey Nachreiner, CTO of WatchGuard, explains that it's no longer a matter of if you'll get hacked, but when

In a recent survey, security firm Kaspersky found that 90 per cent of businesses admit to having suffered a security incident. Furthermore, at this year's Gartner Symposium/ITxpo, Peter Sondergaard, global head of research, warned that the average piece of malware lies dormant and undetected on a victim's network for up to seven months before it's activated and detected. In other words, not only do we miss the attacks getting into our networks, but we don't even realise we've been breached until it's too late.

The recent Trump Hotel breach is a good example of this issue. Not only did attackers bypass the hotel chain's defences to install point-of-sale (PoS) malware, but they remained undetected on those PoS systems for a year. Whether or not the hackers made off with credit card details, the reputational damage and disclosure fees associated with this breach will cost Trump Hotels for years to come.

To combat these increasingly sophisticated cyber attacks, we need to significantly improve our defences and design our networks to survive breaches. However, building the complete arsenal necessary to combat and detect advanced threats may seem overwhelming, especially to small businesses on shoestring budgets. The good news is certain defences have more return on investment than others. Here are six simple security tips that would have effectively prevented many of the breaches businesses suffered last year.

1. Patch your public servers quickly

As simple as it sounds, patching your public servers quickly is one of the best things you can do to improve security within your organisation. Most internet attacks take advantage of flaws that have already been fixed. In fact, data from Verizon's 2015 Data Breach Investigations Report suggests that 24 per cent of the breaches they studied may have been mitigated if the victim had patched their external web services quickly.

If you have public-facing servers, such as web servers, you should apply that server's security updates as soon as they become available (be sure to test them first, though). This action alone could stop a quarter of attacks from succeeding. In fact, I recommend you try to patch all your systems as quickly as possible, including your desktop applications. Nowadays, many attacks target client systems. Keeping those systems up to date can significantly reduce the number of security incidents you face.

2. Implement two-factor authentication (2FA)

Today's threat actors often find ways to phish trusted users' credentials, and then use those credentials to compromise systems. In fact, since many people use the same passwords everywhere, another organisation's password leak can contribute to a breach against your systems as well. Strong password practices can help mitigate the problem, but users aren't perfect. That's why smart organisations use multi-factor authentication to help plug the gap that bad password practices expose.

Implementing a two-factor authentication system, even one that uses a simple mobile text message for the second factor, greatly increases the difficulty for attackers trying to steal your users' credentials. In fact, the same Verizon report I mentioned earlier also claims 2FA could have reduced 24 per cent of the breaches it studied.

3. Implement outbound security controls and monitors

Many of our defences are primarily concerned with controlling inbound network traffic. We assume hackers attack us from the outside, so we restrict what they have inbound access to. While we certainly need to retain these restrictions, we can't forget the importance of monitoring and controlling outbound traffic as well.

Today, many attacks are client-based. In plain terms, this means attackers trick one of your users into doing something that makes an outbound connection, for instance clicking a web link. If you don't have security controls that monitor and control your users' outbound traffic, you'll miss many threats.

The good news is there are many security controls that can help. For example, even legacy firewalls offer outbound traffic controls, as long as you take the time to set up egress filtering policies. More importantly, modern security appliances offer several features to restrict and monitor outbound traffic. Application control allows you to fine-tune control of what applications your users can access, web security features can prevent them from visiting dangerous sites, and IPS systems can sometimes detect and prevent the exploits used in drive-by download attacks.

In fact, some outbound security controls can even help identify infected computers before it's too late. Some security products can detect the command and control (C&C) communication channels malicious software uses to call home. These tools can help you identify and contain infected systems before they exfiltrate sensitive data. In short, be sure to invest in some outbound security controls as well.
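One of the simplest signals an outbound monitor can use to spot a call-home channel is regularity: an infected host tends to contact the same destination at a fixed interval with near-identical request sizes, which ordinary browsing does not. The following is an added example (not code from the article or any vendor product) in Python that reads constructed proxy-style log lines, groups them by source host and destination, and flags pairs whose connection intervals are too regular. The log format, the sample hosts and addresses, and the thresholds are all this example's own assumptions.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample proxy log: "<epoch_seconds> <src_ip> <dst_host> <bytes_sent>".
# 10.0.4.21 contacts updates.example.net exactly every 300 s with ~1400-byte requests
# (a beacon-like pattern); 10.0.4.37 shows irregular, browsing-like activity.
SAMPLE_LOG = """\
1700000000 10.0.4.21 updates.example.net 1402
1700000300 10.0.4.21 updates.example.net 1398
1700000600 10.0.4.21 updates.example.net 1405
1700000900 10.0.4.21 updates.example.net 1400
1700001200 10.0.4.21 updates.example.net 1401
1700001500 10.0.4.21 updates.example.net 1399
1700000012 10.0.4.37 www.example.com 52311
1700000189 10.0.4.37 www.example.com 1203
1700000455 10.0.4.37 www.example.com 9820
1700001277 10.0.4.37 www.example.com 44012
1700000050 10.0.4.37 cdn.example.org 8812
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dst>\S+) (?P<size>\d+)$")


def parse_log(text: str) -> Dict[Tuple[str, str], List[Tuple[int, int]]]:
    """Group (timestamp, bytes) observations by (src_ip, dst_host); malformed lines are dropped."""
    groups: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        groups[(m["src"], m["dst"])].append((int(m["ts"]), int(m["size"])))
    return groups


def find_beacons(text: str, min_events: int = 5, max_cv: float = 0.1) -> List[dict]:
    """Flag (src, dst) pairs with at least `min_events` connections whose inter-arrival
    times have a coefficient of variation (stdev / mean) no greater than `max_cv`.
    Returns one finding per flagged pair, sorted by source address."""
    findings = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        times = sorted(ts for ts, _ in events)
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            sizes = [size for _, size in events]
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "mean_interval": mean,
                "cv": cv,
                "size_spread": max(sizes) - min(sizes),
            })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {f['src']} -> {f['dst']} "
              f"every {f['mean_interval']:.0f}s ({f['count']} hits, cv={f['cv']:.2f})")
```

Treat a hit as a lead for investigation, not proof of infection: legitimate software updaters and monitoring agents also poll on a schedule, so the next step is to check the destination's reputation and the process that owns the connection on the host. The thresholds also need tuning to your environment; too loose and every NTP client lights up, too strict and anything with slight timing variation slips through.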

4. Segment your trusted network

You might have heard security professionals say something like: "most networks have a hard shell, but a soft and chewy centre." This is because many organisations still treat their "trusted" network as one big flat network. However, we need to design our trusted networks using defence in depth as a practical strategy to survive modern security attacks, starting today.

Sure, you trust your employees. But do you really trust them equally? For instance, should your front desk receptionist really have network access to your engineers' source code repository? Or should your marketing department have access to the database backend storing your customers' credit card transactions? The answer is, probably not!

You should segment your trusted network into separate divisions, based on the roles of your users or sensitivity of the data on that segment. This allows you to place additional security controls between segments, giving you another opportunity to detect or block unauthorised activities internally. Even if one of your users gets compromised, the attacker will have to jump through more security hoops to get to the real data.
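As an added illustration of the point above (not code from the article), here is a small Python model of an inter-segment firewall policy: each role and each sensitive system gets its own address range, only explicitly listed cross-segment flows are allowed, and everything else is denied and logged so that an attacker pivoting from a compromised desktop shows up in the denied-flow audit. The segment names, address ranges, ports and sample flows are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segments: one per user role and one per sensitive system.
SEGMENTS = {
    "front_desk":    ipaddress.ip_network("10.10.1.0/24"),
    "marketing":     ipaddress.ip_network("10.10.2.0/24"),
    "engineering":   ipaddress.ip_network("10.10.3.0/24"),
    "source_repo":   ipaddress.ip_network("10.20.1.0/28"),
    "payment_app":   ipaddress.ip_network("10.20.3.0/28"),
    "cardholder_db": ipaddress.ip_network("10.20.2.0/28"),
}


@dataclass(frozen=True)
class AllowRule:
    src_segment: str
    dst_segment: str
    dst_port: int


# The explicit allow list. Anything between segments that is not listed here is denied.
RULES = [
    AllowRule("engineering", "source_repo", 22),      # git over SSH
    AllowRule("engineering", "source_repo", 443),     # web UI
    AllowRule("payment_app", "cardholder_db", 5432),  # only the payment tier reaches the DB
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (decision, reason) for one flow.

    Traffic inside a segment never crosses the inter-segment firewall, so it is allowed here;
    cross-segment traffic must match an AllowRule exactly, otherwise it is denied by default.
    """
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", "address outside any defined segment"
    if src_seg == dst_seg:
        return "allow", f"intra-segment traffic within {src_seg}"
    for rule in RULES:
        if (rule.src_segment, rule.dst_segment, rule.dst_port) == (src_seg, dst_seg, dst_port):
            return "allow", f"rule {src_seg} -> {dst_seg}:{dst_port}"
    return "deny", f"default deny {src_seg} -> {dst_seg}:{dst_port}"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Run a batch of observed flows through the policy and return the denied ones
    with their reasons: these are the events worth alerting on internally."""
    denied = []
    for src_ip, dst_ip, port in flows:
        decision, reason = evaluate(src_ip, dst_ip, port)
        if decision == "deny":
            denied.append((src_ip, dst_ip, port, reason))
    return denied


# Constructed sample flows: reception to the repo, marketing to the card DB, an engineer
# to the repo, the payment tier to the DB, and a host from an unknown range.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.20.1.5", 22),
    ("10.10.2.9", "10.20.2.3", 5432),
    ("10.10.3.40", "10.20.1.5", 22),
    ("10.20.3.2", "10.20.2.3", 5432),
    ("192.168.99.1", "10.20.1.5", 22),
]

if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"DENIED {src} -> {dst}:{port} ({reason})")
```

The useful property is the shape of the policy rather than the particular rules: short allow lists between named segments and a default deny. On a real firewall the denied flows feed your logging, so a receptionist's workstation suddenly probing the repository or the card database becomes a detectable event instead of silent success.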

5. Use advanced threat protection (ATP) solutions

Signature-based antivirus is a losing game. Malicious hackers use many techniques to repackage their malware over and over again, thus evading pattern-based detection systems. Rather than looking for signatures, new ATP solutions detonate malware in a sandbox and pay attention to behaviours, including malware's evasive activities. This allows the ATP solutions to catch zero-day malware that AV may not yet have a signature for.

If you want to catch today's evil payloads, use ATP solutions.

6. Make visibility a key part of your defence

There is no such thing as perfect security. Highly motivated bad guys can always find some chink in your armour. While it's important to have preventative defences, you also need to focus on visibility tools that can help you identify security events that get past your defences.

As you pick security controls, be sure to choose strong visibility features that help you identify key security events. You may also consider adopting a Security Information and Event Management (SIEM) solution that can gather the logs from all your systems and visualise and correlate that data to help you identify new events. Visibility tools may be the difference between your ability to recognise and stop a network security attack as it happens, versus discovering it a year later.

Corey Nachreiner is CTO of WatchGuard