
How to Transform Your Network Security Infrastructure To Be Future-Ready

As an IT leader, you understand how new disruptive technologies can improve your company’s competitive positioning and drive overall business value. Technology trends such as cloud, mobility, social and big data compel companies to move quickly to define and implement next-generation data center architectures and security defense strategies to take advantage of these new technologies. While these trends have proven to boost commerce and operational efficiencies for many businesses who are early adopters, they also introduce security loopholes that give cyber-criminals an easy path to inject malware into the network, evade detection, and steal data.

For example, when new software and network designs are implemented to enable BYOD initiatives, companies quickly find themselves at higher risk due to the increasing number of vulnerable web applications and unsafe systems and endpoint devices that are added to their network. They’re now forced to grapple with a significantly higher volume of connected devices accessing their networks which have the potential to slow performance as well as productivity. Not only can users consume an enormous amount of bandwidth with multiple connections per device and time-wasting, productivity-draining applications such as social media and video streaming, they also collectively create a much larger attack surface for cyber-criminals to exploit. To fully benefit from BYOD and other business enabling technologies, next-generation data centers must be agile, scalable, manageable, flexible, and most importantly, secure against the ever-changing global threat environment including network attacks that use encryption to bypass security controls. After all, a security system cannot stop what it cannot decipher.

To meet these challenges, the network security layer must be highly extensible to support the bandwidth consumption of the largest data centers with near-zero downtime. Such requirements call for network security architectures that are incrementally deployable and horizontally scalable. In other words, there might not be a single SonicWall Next-Generation Firewall (NGFW) with the scale to meet the performance requirements of some compute- and bandwidth-intensive networks such as large institutions, government agencies, and global enterprises. A more practical way to scale performance beyond the capabilities of a single SonicWall NGFW device is to combine multiple SonicWall NGFW devices into a network cluster with full redundancy, failover and failback, so that there is no single point of failure in the design. In this scale-out model, adding security compute resources should ideally be a matter of adding more firewalls to the system in a cost-effective way.

If you are currently tasked with implementing big-bet initiatives to improve growth and competitiveness and feel that security is your biggest barrier for implementing these programs, SonicWall invites you to download this exclusive “A Massively Scalable Approach to Network Security” white paper to help you implement your future-proofed, network-based scale-out security layer architecture. This is a highly resilient design that offers transparent security services to augment existing security solutions, separate security functions and provide added capacity via N+1 redundancy to solve your most complex and demanding data center requirements. The solution provides the following benefits:

  1. Scalable performance to support 10, 40 and/or 100+ Gbps data centers
  2. Assured availability of internet services and connectivity without compromising security
  3. Deep security through SSL inspection and prevention of intrusions, malware, botnets, etc.
  4. Visualization of all applications, users, groups traversing the firewalls
  5. Cost savings: up to 82%* lower than Cisco, 65% lower than Palo Alto Networks and 57% lower than Fortinet

Are You Compromising Your Business Security?

As advances in networking continue to provide tremendous benefits, businesses are increasingly challenged by sophisticated attacks designed to disrupt communication, degrade performance and compromise data. Striking the perfect balance between network security and performance is no easy task. Meeting these demands can be especially daunting for small businesses, which usually cannot afford the same degree of protections as their larger counterparts.

The good news is that, with technology, higher performance and superior security are possible. By minimizing the attack surface that a business presents to the world, security can emerge as a differentiator rather than an inhibitor.

The first line of defense for any business, large or small, is an updated and properly configured firewall. In fact, if your business is still using a traditional firewall to protect against malicious threats, you may not even realize that you are woefully unprotected. Though firewalls are an essential part of network security, many (especially traditional firewalls) offer limited protection. They can monitor and block traffic based on source and destination information. But they can’t look inside packets to detect malware, identify hacker activity or help you manage what end users are doing on the internet. Even if you purchased a firewall just a few years ago, it might not be able to inspect encrypted traffic, leaving you exposed to encrypted malware.

Securing the small business

Just because your business is small doesn’t mean you are at any less risk for a security breach than a larger business. The reality is that cyber-criminals use automated scanning programs that don’t care whether your company is big or small; they are only looking for holes in your network security to exploit.

With tight budgets and fewer resources, small businesses need to make sure their firewalls are delivering maximum protection without sacrificing productivity. To achieve this goal, IT administrators should insist on solutions that provide:

  • Blazing-fast performance: Your firewall must not become a network bottleneck. If it holds up network traffic, then users complain about poor performance and slow response times. Administrators respond by easing security restrictions. The result? The business compromises its security to maintain acceptable performance. It’s a dangerous trade-off that should never happen.
  • Exceptional security: Insist on a firewall that includes deep packet inspection (DPI) technology to decrypt and inspect Secure Sockets Layer (SSL) traffic into and out of the network. Unfortunately, traditional firewalls lack this capability, which means hackers and cybercriminals can smuggle malware right through the firewall just by concealing it in SSL traffic. Many say their firewalls do inspect SSL traffic but fail to tell you how this impacts performance.
  • Low total cost of ownership (TCO): Security solutions that operate in silos can result in gaps and complexity that can kill efficiency and squander resources. Look for an integrated firewall that can be quickly set up and fine-tuned. Easy-to-use features, such as graphical interfaces and setup wizards, can save administration time and help reduce operation and maintenance costs.

As small businesses’ use of cloud applications grows, the security perimeter between your network and the internet becomes blurred, so nothing is as essential as a solution that draws the line to keep out unwanted intrusions. Your network provides access to critical applications and houses sensitive company and customer data. A single network breach can shut down your operations for days, or allow a hacker to steal vital business data. If you are not currently using or evaluating a next-generation firewall, you should be: there’s too much at stake.

Thanks to advances in firewall protection technology, achieving robust network security without sacrificing performance is possible and affordable. To read more tips on how to keep your small business network more efficient and secure, read the e-book, “Securing your small business.”

Ten Tips for Protecting POS Systems from Memory Scraping Malware

In the recently published 2015 SonicWall Security Threat Report, one of the observations on the evolution of attacks on POS systems is the rise in popularity of malware that uses memory scraping to steal sensitive data. No matter how many layers of encryption are applied to sensitive payment data and how carefully this encryption is deployed, at some point the primary account number and other sensitive information must exist in an unencrypted form in order to be useful. The moment that payment data is decrypted for processing, it ends up in the memory of the POS machine, creating a perfect window of opportunity for an attacker to snag this data. Advanced malware can use multiple techniques to access and scan contents of this temporary storage and look for patterns that resemble raw payment data. This data can then be used, for example, to clone cards for fraudulent purchases. This is exactly what happened in some of the high profile retail breaches of 2013 and 2014.

The ultimate goal of RAM scraping malware is exfiltration of the unencrypted data stolen from memory of the infected machine. Therefore, this malware will be very well hidden and it will attempt to remain as invisible as possible in order to access as much data as possible. Mitigating the risks of being hit with such malware falls into two categories: Pre-infection best practices to avoid infection and post-infection best practices to detect and control the attack.

Pre-infection best practices

Protecting yourself from new advanced attacks must always be done on top of executing on the basics which serve to reduce the risk of getting critical systems such as POS systems infected by any malware.

  1. Keep the OS and applications on POS systems fully patched. Most patches are security related, so ignoring them only opens up a larger window of opportunity for attackers.
  2. Firewall off the POS network from the rest of the network with strong access policies (i.e. bare-minimum access) as well as with Intrusion Prevention and Anti-Malware.
  3. Use strong, non-default and not shared, passwords.
  4. Deploy and enforce endpoint anti-virus as a last measure of defense.
  5. Encrypt traffic using VPN tunnels.
  6. Enable protection against MAC spoofing within the POS network and for critical systems with which the POS terminals communicate.
  7. Lock down remote access to a pinpoint level of access. Do not allow full L3 tunnels into sensitive networks, and use remote access tools that allow verification of remote host integrity before granting access.

Post-infection best practices

A good approach to evaluating your network security stance is to assume that you will be infected at some point in the future and to design processes that allow you to detect and control the infection. In the context of memory scraping malware, the ultimate observable behavior will be communication with non-trusted hosts on the internet. It may not be immediate and it may not be in bulk, as the attacker may want to put time between the act of infection and the act of data theft. However, sooner or later, the attacker will need to get the stolen data from the POS systems into his or her possession. This may happen naively via direct communication, or via more sophisticated methods such as using another compromised system outside the POS network, but with a connection to the POS network, as a gateway. That system may reside in a network that is less strictly observed than the POS network and which may not raise alarms at communication with random servers on the internet.

There are several key technologies that can help you detect or neutralize this data exfiltration:

  • Don’t allow direct communication with the internet from the POS network. This will lock down allowable communications and will block and detect naïve approaches at data exfiltration. For processing purposes, payment data can be sent via an encrypted tunnel to another trusted server(s) on the network (outside the POS network) and then via another encrypted tunnel to the processing server. Communication between these systems should be whitelisted by the firewall via ACLs, with all other traffic (besides perhaps management and updates) blacklisted.
  • Deploy Geo-IP and Botnet filtering detection on all networks. Lock down communication from sensitive systems only to locales that they need to communicate with (if your processor is in the US, why would your POS data need to have access to and from Europe, Asia, LATAM, etc.?)
  • Configure DLP and SSL Decryption to detect Credit Card type data leaving the network in plaintext or inside of SSL tunnels to internet hosts that are unknown. In other words, only allow such data to flow to CC processing servers known to you. Communication of such data to any other system on the internet should be intercepted, logged and investigated. Deny any SSL communication from sensitive networks that does not lend itself to inspection by not accepting your NGFW SSL inspection certificate.
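The first and third bullets above describe a DLP decision: look for data that resembles a raw primary account number (the same pattern matching the memory scraping malware itself performs, as described earlier in the post), allow it only toward card processing servers you know, block and log it toward anything else, and deny SSL from the POS network that cannot be inspected. The following Python is an added example written for this page, not SonicWall code and not a description of how the NGFW's DLP engine works internally. The processor hostname, POS subnet prefix and sample flows are constructed for illustration; a real deployment would feed it decrypted payloads from SSL inspection and the processor allowlist from policy.

```python
import re
from dataclasses import dataclass

# Constructed policy values for this example (not from any real deployment):
# the only hosts allowed to receive card data, and the POS VLAN prefix.
ALLOWED_PROCESSORS = {"processor.example.net"}
POS_SUBNET_PREFIX = "10.20.30."


@dataclass
class Flow:
    src_ip: str
    dst_host: str
    payload: str      # plaintext, or decrypted content from SSL inspection
    inspected: bool   # False when the client refused the NGFW inspection cert


# Candidate PAN: 13-19 digits, optional single space/dash between digits,
# not embedded in a longer digit run (timestamps, order ids, etc.).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised PANs (digits only) found in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Never write a full PAN to the log; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Policy decision for one flow: (verdict, reason)."""
    from_pos = flow.src_ip.startswith(POS_SUBNET_PREFIX)
    # Traffic from the POS network that cannot be inspected is denied
    # outright rather than passed blind.
    if from_pos and not flow.inspected:
        return "deny", "uninspectable SSL from POS network"
    pans = find_pans(flow.payload)
    if not pans:
        return "allow", "no PAN-like data"
    masked = ",".join(mask(p) for p in pans)
    if flow.dst_host in ALLOWED_PROCESSORS:
        return "allow", f"PAN data {masked} to known processor"
    # Card data headed anywhere else is blocked and logged for investigation.
    return "block", f"PAN data {masked} to unknown host {flow.dst_host}"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "processor.example.net",
         "PAN=4111 1111 1111 1111 exp=12/26", True),
    Flow("10.20.30.5", "cdn-updates.example.org",
         "id=7 data=5500000000000004", True),
    Flow("10.20.30.9", "unknown.example.org", "", False),
    Flow("10.50.1.20", "intranet.example.net",
         "order 1234567890123456 shipped", True),
]


def run() -> list[tuple[str, str, str]]:
    """Evaluate every sample flow; returns (destination, verdict, reason)."""
    return [(f.dst_host, *evaluate(f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for dst, verdict, reason in run():
        print(f"{verdict:5} {dst:25} {reason}")
```

The Luhn check matters: a 16-digit order number or timestamp will match the regular expression but almost always fails mod-10, which keeps the alert volume down without missing real card numbers. The last-four masking in the log line is deliberate, since a DLP log that stores full PANs simply creates a second copy of the data you are trying to protect.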

Firewalls occupy an extremely valuable piece of real estate on any network since all Internet bound traffic must go through them. When properly deployed, next-generation firewalls play an important role in reducing the risk of advanced malware infection and data theft in POS networks. To find out more about the capabilities of state of the art NGFWs from SonicWall, read the eBook “Types of Cyber-Attacks and How to Prevent Them.” Follow me on Twitter: @threadstate.