Whitelisting can strengthen cybersecurity by treating everything as a potential threat

By restricting employee access to approved applications, companies can keep bad guys out

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

What do Marketwired, PR Newswire and Business Wire share in common with Altiplano, the Mexican maximum-security prison, from which the infamous drug lord “El Chapo” escaped last summer?

Ed note_Solarflare_Russell SternLike the lockup, all three media properties maintained robust perimeter defenses, and yet failed to detect and block a cleverly built tunnel.

U.S. Attorney Paul J. Fishman last month announced a guilty plea entered in U.S. District Court by one Vadym Iermolovych, 28, of Kiev, Ukraine, to conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft.

From 2010 through 2015, Iermolovych gained direct access to Marketwired, PR Newswire and Business Wire and exfiltrated nearly 150,000 documents. According to court documents, Iermolovych used the financial data from some 800 nonpublic documents to realize a $30 million illicit profit. He gained access to these three business data networks through various email phishing attacks and an SQL injection exploit.

One simple technique could have thwarted these breaches—network whitelisting.

Winnowing access

Have you ever gone to a club and been denied access because you’re not “on the list?” That’s whitelisting. Today it’s possible to set up firewalls on every desktop within an organization and enforce whitelists that block both inbound and outbound connections from these desktops. If an application and destination server is not on the whitelist, then an employee on that desktop can’t gain access to that data.

Today these whitelists can be defined along organizational units and even down to the employee level. If a phishing exploit then activated a scan to try and determine what enterprise resources it had access to, its reach would be severely restricted. Next the phishing exploit might attempt to establish a direct outbound tunnel, say through TOR. It will find that these networks also are unreachable. In the worst case, the phishing application’s connection request might be steered through the company’s proxy servers, which should then scrub the request, and block access to rogue networks.

If Edward Snowden and Sony taught us anything, it was that even with the strongest possible security perimeter, that alone doesn’t protect an enterprise against a breach. What is needed is tighter control over who has access to enterprise data.

Technology exists today for both desktops and servers to enforce whitelist-based access control in software and soon in the actual server network adapter. Why isn’t securing every desktop and server common practice today? Cost shouldn’t be the reason. Most, if not all enterprises, cannot afford the liability of a major data breach. Security in every endpoint and application in the enterprise has never been more critical.

More stories about network security:
As threats multiply, more companies outsource security to MSSPs
More organizations find security awareness training is becoming a vital security tool
SMBs can DCEPT attackers with free network monitoring tools

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page