With the pace of technology developments and the increasing number of security devices and solutions, why are system breaches as common today as they were 15 years ago? From my experience the answer is the one component that has not changed in those 15 years: the IT professional, support engineer, consultant, or whatever name you give the person who installs and maintains your systems.
In theory, as technology advances and improves it should become harder to breach a company's security. You could argue that the methods hackers use are also developing, keeping the cat-and-mouse game moving constantly, and to a degree that is correct. However, from experience of working with large national companies and smaller organisations, the answer may be much simpler than that.
You would assume that security solutions, with their known-threat databases and heuristic scans, should now protect us from the majority of malicious attacks. However, the multitude of security layers that systems now require, and the complexity of implementing and maintaining them, is now a full-time job for IT professionals. As most companies cannot afford a permanent security officer to manage and monitor their IT systems, holes appear over time for unwanted attackers to exploit.
Much like your car's MOT, a security review is only a snapshot of your systems at a moment in time. You can go back to that date and say everything was safe at that point, but in reality new threats appear constantly from the moment your systems are signed off.
So with all the new technology available for protecting our systems, why are IT professionals still unable to protect their company's assets? In most cases it is because they are still making the same mistakes they made 15 years ago. In their defence, it is also down to business owners not understanding the importance of maintenance windows. How many times have we heard that the systems must be up 24/7 and nobody dares ask for downtime!
So what are the mistakes still being made?
Firstly, systems are only as secure as their latest software release. Nearly all systems receive software updates at some point in their lives, for improvements or to fix security vulnerabilities, so it would seem sensible to keep all your equipment up to date. But how practical is this in real terms? If we take a simple infrastructure, how many components would need updating at least quarterly to stay secure?
Below is a list of the components needed to run a basic business; every one of them is a potential access point for hackers to compromise your systems.
We will start with the Internet facing devices first and work inwards.
Just six devices in this simple model; it must be easy to secure, correct? Let's break it down into its component parts of risk. First, your internet router: how often do companies upgrade the router that sits outside all their security, on the Internet? You may say you are not bothered about anything outside your firewall, or that it is your ISP's responsibility. But if this device is compromised, all your traffic can be captured at this point, exposing detailed information about your systems and data, which can then be used to access your other systems.
Next is the firewall, the most important security device in your infrastructure, so this will always be the most secure! Surprisingly, most companies have at least one good server engineer, but the firewall is barely changed, so a full-time firewall engineer is seen as too expensive. I have seen so many firewalls over the years with out-of-date software or firmware that it is worrying. They normally end up in this state because someone tried to update the firewall once, it failed, and nobody dares touch it now. Or there are rules configured five years ago that were never commented, so no one knows what they are for and nobody will delete them in case something breaks, leaving big open holes straight through your Internet security. All of a sudden you are relying on your internal systems to protect you from malicious attacks. But what if your firewall is reviewed regularly and always updated; surely then you are secure? Well, every firewall has to allow certain traffic through or the business would be isolated from the outside world, and this is where the risk to the internal clients starts. You could argue that with systems like IPS and AMP, to name but two, all risks are removed. Sadly, these technologies still have flaws that take time to discover and fix, so a low level of risk to your business remains.
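The rule-hygiene problems just described (uncommented rules nobody dares remove, rules untouched for years, and wide-open allows) are the sort of thing a periodic review should catch mechanically. The script below is an added example written for this article, not code from the original post or from any firewall vendor. It audits a constructed, vendor-neutral CSV export of a rule base; a real export (Cisco ASA, Fortinet, iptables-save and so on) would need its own parser, and the two-year staleness threshold and the list of management services are assumptions chosen for the example.

```python
"""Audit a firewall rule export for review findings.

Added example for this article (not the author's or any vendor's code).
The CSV layout below is constructed for the example; real exports differ.
"""
import csv
import io
from datetime import date

# Constructed sample export (not from any real firewall):
# name,src,dst,service,action,comment,last_modified,hit_count
SAMPLE_EXPORT = """\
name,src,dst,service,action,comment,last_modified,hit_count
allow-web-in,any,10.0.1.10,tcp/443,allow,Public web server in DMZ,2023-04-02,184233
legacy-rule-7,any,any,any,allow,,2018-06-11,0
smtp-in,any,10.0.1.20,tcp/25,allow,Mail relay,2022-11-30,9981
mgmt-rdp,any,10.0.2.5,tcp/3389,allow,,2019-01-15,3
deny-all,any,any,any,deny,Implicit cleanup,2023-04-02,55000
"""

# Assumed review thresholds for the example, not a standard.
STALE_YEARS = 2
# Management services that should never be reachable from "any" (assumed list).
MGMT_SERVICES = {"tcp/22", "tcp/23", "tcp/3389"}


def parse_rules(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_rules(rules, today):
    """Return a list of (rule_name, finding) tuples for allow rules only.

    Deny rules are skipped: the review is looking for holes, and an
    uncommented deny is a documentation problem rather than an exposure.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        name = r["name"]
        modified = date.fromisoformat(r["last_modified"])
        age_years = (today - modified).days / 365.25
        if not r["comment"].strip():
            findings.append((name, "allow rule has no comment; purpose unknown"))
        if r["src"] == "any" and r["dst"] == "any" and r["service"] == "any":
            findings.append((name, "any/any/any allow: effectively bypasses the firewall"))
        if r["src"] == "any" and r["service"] in MGMT_SERVICES:
            findings.append((name, f"management service {r['service']} reachable from any"))
        if int(r["hit_count"]) == 0:
            findings.append((name, "never matched traffic; candidate for removal"))
        if age_years > STALE_YEARS:
            findings.append((name, f"not reviewed for {age_years:.1f} years"))
    return findings


def audit_export(text, today_iso):
    """Convenience wrapper: parse an export and audit it as of the given date."""
    return audit_rules(parse_rules(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rule, finding in audit_export(SAMPLE_EXPORT, "2024-01-01"):
        print(f"{rule:15} {finding}")
```

Run against the constructed export as of 2024-01-01, the two commented, recently reviewed rules come back clean, while the uncommented any/any rule with zero hits and the uncommented RDP allow from any are flagged on every check they fail. The point is not the specific thresholds but that each finding names the rule and the reason, so the engineer who is afraid to delete a rule has something concrete to take to the business before touching it.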
Now for the network switch. Although not known as a hacker's main target, if it has a management IP it is a valid device for attackers to use. Once connected to an internal device, they can piggyback from it onto other internal systems; now the source device is on your internal network, opening up internal systems that permit that address range. This is another system that needs to be updated and protected. I have seen more network devices than I can count that still have default usernames and passwords, let alone the original firmware installed.
So we have now got to the point where we are happy that our router, firewall and network switches are all patched to the latest level and as secure as they can possibly be. The usernames have been changed, complex passwords applied, and unwanted services and ports closed down. We also have IPS, anti-malware, web filtering and all the other available security services applied to our firewall with a valid subscription. Surely we are secure now?
Well, remember those ports we opened earlier to allow services in to our systems and clients out? They have now exposed our internal systems to the outside world, either through inbound connections to things like email or web services, or through outbound connections from our clients. You may argue that inbound connections should terminate in the DMZ, and that is correct. However, I have seen internal hosts exposed on the majority of sites I have worked on. Also, servers in the DMZ still hold valuable data in order to function, so they are still exposed.
The next step is to protect our internal clients. The obvious protection is to ensure our servers and clients are patched to the latest level. This is normally easy for client devices as they are usually rebooted daily. However, our servers run shared business functions that may go offline if they are rebooted, so when and how they are patched becomes a business decision. If they need security patches, the time between the patch being released and the patch being installed is exposing your business to risk. Is this ever fed back to the business owners to help them make a better-judged decision on how important the work is?
Even if your systems are patched to the latest level, no doubt you are also running a recommended antivirus solution, or better still endpoint protection. Again, this needs its policies managed and reviewed, and its software engine and signatures maintained at the latest level. Reports should also be reviewed regularly, if not monitored daily, to spot outbreaks as soon as they happen. It still surprises me today that many business owners and IT professionals don't realise that an up-to-date antivirus solution cannot fully protect a client machine if OS patching is not up to date.
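The two preceding paragraphs make one argument: the gap between a patch being released and being installed is a risk the business owner should see in plain numbers, and an antivirus engine with stale signatures is a second gap of the same kind. The script below is an added example written for this article (not the author's code and not the output of any patch-management or antivirus product). It takes a constructed host inventory and produces the exposure-window report that the text says is rarely fed back to the business; the SLA values and the three-day signature age limit are assumptions chosen for the example, as is the field layout.

```python
"""Exposure-window report for patching and endpoint protection.

Added example for this article. The inventory is constructed sample data;
in practice it would be pulled from WSUS/SCCM, the AV console or a CMDB.
"""
from datetime import date

# Constructed inventory, one record per host (not real hosts):
#   patch_released  - when the vendor released the security patch
#   patch_installed - when it was applied, or None if still outstanding
#   sig_updated     - last antivirus signature update, or None if no AV agent
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "role": "firewall", "patch_released": "2023-09-05",
     "patch_installed": None, "sig_updated": None},
    {"host": "srv-erp-01", "role": "server", "patch_released": "2023-11-14",
     "patch_installed": "2023-12-20", "sig_updated": "2023-12-31"},
    {"host": "srv-mail-01", "role": "server", "patch_released": "2023-11-14",
     "patch_installed": None, "sig_updated": "2023-12-31"},
    {"host": "pc-finance-07", "role": "client", "patch_released": "2023-11-14",
     "patch_installed": "2023-11-15", "sig_updated": "2023-12-10"},
    {"host": "pc-sales-12", "role": "client", "patch_released": "2023-11-14",
     "patch_installed": "2023-11-15", "sig_updated": "2023-12-31"},
]

# Assumed maintenance SLAs in days per role (chosen for the example, not a standard).
PATCH_SLA_DAYS = {"firewall": 30, "server": 30, "client": 7}
# Assumed maximum acceptable age of antivirus signatures, in days.
SIGNATURE_MAX_AGE_DAYS = 3


def _to_date(value):
    """Parse an ISO date string, passing None through."""
    return date.fromisoformat(value) if value else None


def exposure_days(record, today):
    """Days the host was (or still is) unpatched after the patch was released."""
    released = _to_date(record["patch_released"])
    installed = _to_date(record["patch_installed"])
    end = installed if installed else today
    return (end - released).days


def build_report(inventory, today_iso):
    """Return one dict per host with its exposure window and a list of issues."""
    today = date.fromisoformat(today_iso)
    report = []
    for rec in inventory:
        days = exposure_days(rec, today)
        sla = PATCH_SLA_DAYS[rec["role"]]
        issues = []
        if rec["patch_installed"] is None:
            issues.append(f"security patch outstanding for {days} days")
        if days > sla:
            issues.append(f"exposure window {days}d exceeds {sla}d SLA")
        sig = _to_date(rec["sig_updated"])
        if sig is not None and (today - sig).days > SIGNATURE_MAX_AGE_DAYS:
            issues.append(f"AV signatures {(today - sig).days} days old")
        report.append({"host": rec["host"], "role": rec["role"],
                       "exposure_days": days, "issues": issues})
    return report


def hosts_needing_decision(report):
    """Hosts whose patch window has passed the SLA: the business must decide."""
    return [r["host"] for r in report if any("exceeds" in i for i in r["issues"])]


if __name__ == "__main__":
    rep = build_report(SAMPLE_INVENTORY, "2024-01-01")
    for r in rep:
        status = "; ".join(r["issues"]) or "ok"
        print(f"{r['host']:14} {r['role']:8} {r['exposure_days']:4}d  {status}")
    print("Needs a business decision:", ", ".join(hosts_needing_decision(rep)))
```

As of the constructed report date, the firewall has been sitting on an unapplied patch for 118 days, the ERP server took 36 days to patch and the mail server is still unpatched at 48, while the finance PC is patched promptly but its signatures are three weeks old. Each of those numbers is the sentence the article asks for: a concrete exposure figure the business owner can weigh against the cost of the downtime.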
All in all, this simple system design requires multiple levels of protection, management, and constant updating and reviewing. Now imagine adding further security layers for extra protection and applying all of that to tens of servers and hundreds of PCs and laptops. Responsibility is then split across different teams managing the network, servers and clients, adding further complication. Finally, add the blame culture of "it's always someone else's responsibility". All of a sudden the risk management task is massive, and on top of this complexity you have support staff changing system settings regularly, and users accessing systems, creating data, and probing for ways to reach their iTunes and other personal services. Before long your security systems are full of vulnerabilities, making all your investment in security technology worthless.
The conclusion is that in some cases security is becoming too complex and difficult to implement and manage, which makes access easier for hackers. The answer is not always to add more complexity and more systems, but to simplify what you have and how you manage it. Implementing the basics and keeping them updated and well maintained will, in most circumstances, be more secure than adding complex security systems that require more time, skills and resources to manage and monitor.
Although security threats will never be removed entirely, given the complexity and resources required, completing the most basic tasks will get you as close to 100% protected as possible.