Next-Generation IT and Network Security
“Bring your own device” (BYOD) is frequently cited as an example of why network security and access control matter. While firewalls should not be the be-all and end-all, next-generation firewalls (NGFWs) that analyze traffic at application level offer whole new levels of protection.
E-mail specialist Mimecast recently discovered a serious security flaw in Microsoft Excel. According to Heise, security researchers at the UK-based company prepared an Excel document so that, when the file was downloaded and opened, malicious code was fetched from a remote server and executed using a macro called Power Query. Power Query is used for purposes such as updating exchange rates and relies on the Dynamic Data Exchange (DDE) protocol, for which Microsoft had already released workarounds following an exploit at the end of 2017. Mimecast strongly recommends implementing these workarounds and, with older versions of Excel, ideally uninstalling Power Query add-ins entirely.
Humans – The Weakest Link
A considerable number of malware and hacker attacks still reach company computers and IT systems via e-mail attachments. Humans are generally the biggest security weakness in a company. Risks often come in the form of phishing e-mails purporting to be, for example, warning letters from official authorities.
Yet more and more users are opening themselves up to cyber attacks and malware by clicking fake links in e-mails or online, or by downloading deceptive apps on mobile devices. A good firewall is one means of battening down the hatches against suspected attack attempts or links of unknown origin.
Next-Gen Firewalls Provide More Effective Protection
However, protecting the perimeter with conventional firewalls is no longer adequate for protecting users and companies against dangers such as advanced persistent threats (APTs). According to Security Insider, these use attack tools adapted to the specific target environment. Beyond that, a conventional firewall that only sees traffic on port 443 cannot distinguish whether users are browsing via HTTPS, communicating via Skype, or transferring data to cloud services such as Dropbox, for example.
By contrast, next-generation firewalls (NGFWs) not only inspect the protocol and port used, but also analyze the data stream itself to identify the application, spot unusual activity and filter out infected files.
AES Encryption and Hash Algorithms
Gartner’s Magic Quadrant for Enterprise Network Firewalls lists Check Point, Fortinet and Palo Alto Networks among market leaders in the field, Cisco and Huawei as challengers and Forcepoint and Sophos as visionaries. Almost all providers integrate VPNs (virtual private networks) in their systems to enable access for external employees and employees working remotely. They support security protocols such as IPsec and SSL or TLS (Transport Layer Security) with the latest encryption methods.
The German Federal Office for Information Security (BSI) recommends AES with 128-bit or 256-bit keys for encryption and the SHA-2 and SHA-3 families for hash functions, which map 8-bit ASCII character strings of varying lengths to a fixed-length value. Written as hexadecimal, a SHA-256 hash value is 64 ASCII characters long, i.e. 512 bits when stored as 8-bit characters; for SHA-512 it is 128 ASCII characters or 1,024 bits, with the output string being the same length regardless of the input in each case (see hash generators).
Even the slightest change to the input alters the entire output string. The longer and more complex the string, the harder it is to retrace the input from it. With computers becoming ever more powerful, and with blockchain-based cryptocurrencies such as Bitcoin and Ethereum, which rely on such hash functions, already having been hacked, there are growing doubts as to their security (see Dusted Codes and Computerwoche).
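The relationship between digest bits, hex characters and ASCII bits in the paragraph above is easy to get wrong, so here is an added example (not from the original article, and using only Python's standard `hashlib`) that computes the three sizes for SHA-256, SHA-512 and SHA3-256 and measures the "slightest change" effect by counting how many output bits flip when one character of the input changes. The sample inputs are constructed for the demonstration.

```python
import hashlib


def hex_digest(algorithm: str, data: bytes) -> str:
    """Hex-encoded digest; hashlib accepts 'sha256', 'sha512', 'sha3_256', ..."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_sizes(algorithm: str, data: bytes) -> dict:
    """Relate the three sizes the text quotes: raw digest bits, hex characters,
    and the bits those characters occupy when stored as 8-bit ASCII."""
    h = hashlib.new(algorithm, data)
    hex_chars = len(h.hexdigest())
    return {"digest_bits": h.digest_size * 8,
            "hex_chars": hex_chars,
            "ascii_bits": hex_chars * 8}


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, msg: bytes, changed: bytes):
    """Return (bits that changed, total bits) between the digests of two inputs.
    For a sound hash the ratio sits near one half however small the input change."""
    d1 = hashlib.new(algorithm, msg).digest()
    d2 = hashlib.new(algorithm, changed).digest()
    return bit_difference(d1, d2), len(d1) * 8


if __name__ == "__main__":
    # Constructed inputs: the same text with a single character appended.
    original, tweaked = b"The quick brown fox", b"The quick brown fox."
    for alg in ("sha256", "sha512", "sha3_256"):
        print(alg, digest_sizes(alg, b"any length of input"))
        print(alg, hex_digest(alg, original))
        print(alg, hex_digest(alg, tweaked))
        print(alg, "bits changed / total:", avalanche(alg, original, tweaked))
```

The `digest_sizes` output shows where the article's 512 and 1,024 come from: they are the storage size of the hex string, while the digests themselves are 256 and 512 bits. The avalanche count is the property that makes a hash useful as an integrity check; an input change that flipped only a handful of output bits would be a sign of a broken function.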
Even with the best encryption algorithms, perimeter security alone is not enough to give systems effective protection. After all, as already mentioned, a careless approach to e-mails and links often makes it easy for attackers to infiltrate computers and corporate networks. That is why mobile security specialist Lookout is already talking about what it calls “post-perimeter security,” which applies a zero-trust approach to protecting data on end devices as well. Of course, BYOD users expect to be able to bring their devices to the company and still use their personal apps. According to Gartner, there are signs that unified endpoint management (UEM) is increasingly going to replace conventional mobile device management (MDM) and enterprise mobility management (EMM).
Endpoint Detection and Response from Trend Micro
Sino-Japanese provider Trend Micro, a major supplier in Proservia’s security portfolio, protects applications with endpoint detection and response (EDR), an effective means of identifying threats at lightning speed and responding to them immediately.
This is where Trend Micro’s Endpoint Sensor comes in. The sensor constantly monitors system events and behavior on endpoints and uses specific indicators to detect threats or attacks, enabling it to repel them effectively.
— Proservia Germany (@ProserviaDE) 28 May 2019
It’s All About Access Control
When it comes to restricting access to networks, all the major developers and associations have their own terminology. Microsoft, for example, calls it Network Access Protection, while Cisco refers to it as Network Admission Control. The term that has come to prevail, however, is “network access control” (NAC), as outlined in the Überblickspapier Netzzugangskontrolle (overview paper on network access control) published by the BSI, which explains the technology in simple terms, gives application examples and makes various recommendations. Among other things, the BSI paper mentions the use of virtual LANs (VLANs) to grant guests or employees access to certain sections of a network without compromising the overall corporate network.
Plenty More Potential Risks
Even following every single one of the BSI’s recommendations would still leave room for risks. After all, any mistake made during the complex task of drawing up security policies for network traffic could result in access being authorized incorrectly, opening up the local network and important information to unwanted visitors.
In addition, the strength of the separation between the physical network and the VLANs depends not only on the NAC but also on the switches and routers that actually enforce it. Among developers such as Cisco, the general trend is toward a combination of hardware and software solutions and also software-defined networking (SDN), which promises simpler and less error-prone configuration.
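The VLAN assignment described in the NAC section and the "access authorized incorrectly" risk in the paragraph above can be shown in a few lines. This added example (not from the original article or from the BSI paper, and not modelled on any vendor's NAC product) evaluates first-match access rules that map an endpoint's role, authentication state and posture to a VLAN, falls back to a quarantine VLAN when no rule claims the device, and lints the rule list for rules that can never fire because an earlier, more general rule always wins. The policies, endpoints and VLAN names are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    role: str            # identity the NAC established: "employee", "guest", "printer", ...
    authenticated: bool  # 802.1X or captive-portal login succeeded
    posture_ok: bool     # endpoint agent reports patch level / AV status compliant


@dataclass(frozen=True)
class Rule:
    """A criterion of None is a wildcard; all non-None criteria must match."""
    name: str
    vlan: str
    role: Optional[str] = None
    authenticated: Optional[bool] = None
    posture_ok: Optional[bool] = None

    def criteria(self):
        return (("role", self.role), ("authenticated", self.authenticated), ("posture_ok", self.posture_ok))

    def matches(self, ep: Endpoint) -> bool:
        return all(v is None or v == getattr(ep, f) for f, v in self.criteria())


QUARANTINE_VLAN = "vlan-quarantine"   # hypothetical name for the default, least-privileged segment


def assign_vlan(rules: List[Rule], ep: Endpoint) -> Tuple[str, str]:
    """First-match evaluation, as most NAC policy engines do it. Anything no rule
    claims lands in quarantine rather than on the corporate segment (default deny)."""
    for rule in rules:
        if rule.matches(ep):
            return rule.vlan, rule.name
    return QUARANTINE_VLAN, "default"


def generalizes(a: Rule, b: Rule) -> bool:
    """True when every endpoint that b matches is also matched by a."""
    return all(av is None or av == bv for (_, av), (_, bv) in zip(a.criteria(), b.criteria()))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier, more general rule always wins.
    A shadowed rule is the tell-tale sign of the ordering mistake the text warns about."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if generalizes(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policies. The first reads plausibly but hands guests the corporate VLAN,
# because the broad "any-authenticated" rule sits above the specific guest rule.
MISORDERED = [
    Rule("any-authenticated", "vlan-corp", authenticated=True),
    Rule("guests", "vlan-guest", role="guest", authenticated=True),
    Rule("compliant-employees", "vlan-corp", role="employee", authenticated=True, posture_ok=True),
]
CORRECTED = [
    Rule("guests", "vlan-guest", role="guest", authenticated=True),
    Rule("compliant-employees", "vlan-corp", role="employee", authenticated=True, posture_ok=True),
    Rule("printers", "vlan-iot", role="printer"),
]

# Constructed endpoints: a portal-authenticated guest and an employee laptop that failed posture.
GUEST = Endpoint("00:11:22:33:44:55", "guest", authenticated=True, posture_ok=False)
STALE_LAPTOP = Endpoint("66:77:88:99:aa:bb", "employee", authenticated=True, posture_ok=False)

if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, "guest ->", assign_vlan(policy, GUEST))
        print(label, "non-compliant employee ->", assign_vlan(policy, STALE_LAPTOP))
        print(label, "shadowed rules:", shadowed_rules(policy))
```

Running the shadow check whenever the rule set changes catches the class of mistake the text describes before a device is plugged in; the quarantine default is what keeps an unmatched device off the corporate VLAN even when the rule author forgot a case. As the paragraph notes, this logic only helps if the switches actually enforce the VLAN tags the NAC hands out.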
Image source: iStock / AndreyPopov