Even a company with a very high level of security awareness can fall victim to a simple oversight. Such companies have implemented the works: network segregation, firewalls on all egress points, corporate antivirus with automatic updates, a WSUS server. And yet many of them remain vulnerable, because they have not patched or upgraded the security systems themselves.
In today's complex network infrastructure it is very easy to treat certain elements as self-sufficient black boxes that you set up once and never need to touch again. Even more so when budget cuts leave you short on manpower, on training, or both.
But your security systems are nothing more than computers, even if they look like strange black appliances with no VGA port or keyboard. Like any computer, their operating systems have bugs and glitches, and the programs they run (firewall, IDS, routing) have bugs and can be compromised.
This is an avenue by which a prepared attacker can gain access to your network.
A number of e-mails destined for the company go undelivered, and a customer complains that he cannot communicate properly. An investigation concludes that the Intrusion Prevention System (IPS) is falsely identifying the e-mails as malicious and dropping the IP packets of the SMTP session. The protection feature of the IPS is disabled.
Two days later, the mail server is compromised by an attacker.
A bug in the IPS software caused a large number of false positives, while the IPS also continued to block real attacks successfully. A new version of the IPS software was available but had not been installed. Once the protective feature was disabled, a botnet running an automated attack discovered that the infrastructure was vulnerable to the malicious message. Disabling the whole protective feature was a far broader change than the problem required: a scoped exception for the one misfiring signature and the affected customer, or the pending upgrade, would have restored mail delivery without exposing the mail server to the entire Internet.
- When purchasing security systems, apart from subscribing to attack/virus signature updates, always include an agreement for regular updates of the engine and operating system. It is a good idea to make the supplier proactively responsible for informing you of available updates.
- In parallel, task an internal person or team with reviewing the manufacturer's advisories for your equipment, in order to plan upgrades or patching of the infrastructure operating systems. They should primarily watch advisories for: firewalls and other security equipment; network infrastructure; services and servers reachable from the outside.
- An attack can usually be blocked at more than one point on the attack path. Maintain a layered defense, with current software versions and up-to-date patches at every layer. Even if you fall behind on patch level in one layer, the other layers keep you relatively safe until you fix the issue.
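The advisory review in the second recommendation is easy to get wrong by hand, and the classic slip is comparing version strings as text ("5.4.9" sorts after "5.4.10"). The script below is an added example, not code from the original post: it matches a small device inventory against a list of vendor advisories using numeric version comparison, and lists the devices still missing a fix with Internet-reachable ones first. The product names, advisory identifiers and inventory records are constructed sample data, not real products or real advisories.

```python
"""Match a device inventory against vendor advisories and list what still needs patching.

Added example, not from the original post. ADVISORIES and INVENTORY below are
constructed sample data; the product names and advisory IDs are hypothetical.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """Turn '5.4.10-p2' into (5, 4, 10, 2) so that comparisons are numeric.

    A plain string comparison gets this wrong ('5.4.9' > '5.4.10' as strings),
    which is exactly the bookkeeping slip that leaves a box unpatched.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def version_lt(a, b):
    """True if version a is strictly older than version b ('5.4' equals '5.4.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass(frozen=True)
class Advisory:
    product: str
    advisory_id: str   # hypothetical identifier
    fixed_in: str      # first version that contains the fix
    summary: str


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    version: str
    internet_facing: bool  # reachable from outside: patch these first


# Constructed sample data for the example.
ADVISORIES = [
    Advisory("ExampleIPS", "EX-IPS-001", "5.4.10", "engine drops legitimate SMTP sessions"),
    Advisory("ExampleIPS", "EX-IPS-002", "5.5.0", "signature engine remote crash"),
    Advisory("ExampleFW", "EX-FW-007", "3.2", "management interface auth bypass"),
]

INVENTORY = [
    Device("ips-edge-1", "ExampleIPS", "5.4.9", True),
    Device("ips-dmz-1", "ExampleIPS", "5.5.1", False),
    Device("fw-edge-1", "ExampleFW", "3.1.4", True),
    Device("fw-core-1", "ExampleFW", "3.2.0", False),
]


def find_unpatched(devices, advisories):
    """Return (device, [advisories it is still missing]) for every device behind a fix."""
    result = []
    for dev in devices:
        missing = [adv for adv in advisories
                   if adv.product == dev.product and version_lt(dev.version, adv.fixed_in)]
        if missing:
            result.append((dev, missing))
    # Internet-facing gear first, then the devices missing the most fixes.
    result.sort(key=lambda item: (not item[0].internet_facing, -len(item[1])))
    return result


def report(devices=INVENTORY, advisories=ADVISORIES):
    """One human-readable line per unpatched device, in priority order."""
    lines = []
    for dev, missing in find_unpatched(devices, advisories):
        tag = "EXPOSED" if dev.internet_facing else "internal"
        ids = ", ".join(adv.advisory_id for adv in missing)
        lines.append(f"{tag:8} {dev.name}: {dev.product} {dev.version} missing {ids}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In practice the inventory comes from your CMDB or a network scan and the advisory list from the vendor feeds the second recommendation asks someone to read; the value of the script is that it turns "someone should look at the advisories" into a list that can be handed to the change board every week.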
Talkback and comments are most welcome