Whitelisting can strengthen cybersecurity by treating everything as a potential threat

By restricting employee access to approved applications, companies can keep bad guys out


What do Marketwired, PR Newswire and Business Wire share in common with Altiplano, the Mexican maximum-security prison, from which the infamous drug lord “El Chapo” escaped last summer?

Like the lockup, all three media properties maintained robust perimeter defenses, and yet failed to detect and block a cleverly built tunnel.

U.S. Attorney Paul J. Fishman last month announced a guilty plea entered in U.S. District Court by one Vadym Iermolovych, 28, of Kiev, Ukraine, to conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft.

From 2010 through 2015, Iermolovych gained direct access to Marketwired, PR Newswire and Business Wire and exfiltrated nearly 150,000 documents. According to court documents, Iermolovych used the financial data from some 800 nonpublic documents to realize a $30 million illicit profit. He gained access to these three business data networks through various email phishing attacks and an SQL injection exploit.

One simple technique could have thwarted these breaches—network whitelisting.

Winnowing access

Have you ever gone to a club and been denied access because you’re not “on the list”? That’s whitelisting. Today it’s possible to set up firewalls on every desktop within an organization and enforce whitelists that block both inbound and outbound connections from these desktops. If an application and its destination server are not on the whitelist, then an employee on that desktop can’t gain access to that data.

Today these whitelists can be defined along organizational units and even down to the employee level. If a phishing exploit then activated a scan to try to determine what enterprise resources it had access to, its reach would be severely restricted. Next the phishing exploit might attempt to establish a direct outbound tunnel, say through Tor. It would find that these networks are also unreachable. In the worst case, the phishing application’s connection request might be steered through the company’s proxy servers, which should then scrub the request and block access to rogue networks.
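A simplified model of the per-user, per-application allowlist the two paragraphs above describe, written here as an added example rather than code from the article or from any product it refers to. The OU scheme, executable names and addresses are constructed; the point is the default-deny evaluation and the denied-attempt log a defender would watch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    principal: str    # "ou:<unit>" or "user:<id>" the rule applies to
    application: str  # executable allowed to initiate the connection
    destination: str  # CIDR the application may reach
    port: int         # destination port

@dataclass(frozen=True)
class Attempt:
    user: str
    ous: tuple        # organizational units the user belongs to (constructed)
    application: str
    dest_ip: str
    port: int

# Constructed policy: everyone may reach the corporate proxy from the browser,
# finance staff may reach the newswire service from the approved client, and
# one administrator may reach one jump host over SSH.
POLICY = [
    Rule("ou:all", "browser.exe", "10.0.5.10/32", 8080),
    Rule("ou:finance", "wireclient.exe", "10.20.0.0/24", 443),
    Rule("user:alice", "ssh.exe", "10.30.1.7/32", 22),
]

def principals_for(attempt):
    """Identities a rule may name: the user, each OU, and the implicit 'all'."""
    return {"ou:all", f"user:{attempt.user}"} | {f"ou:{ou}" for ou in attempt.ous}

def evaluate(attempt, policy=POLICY):
    """Default deny: allow only when a rule for one of the user's principals
    matches application, destination network and port together."""
    ip = ipaddress.ip_address(attempt.dest_ip)
    allowed = principals_for(attempt)
    for rule in policy:
        if (rule.principal in allowed and rule.application == attempt.application
                and rule.port == attempt.port
                and ip in ipaddress.ip_network(rule.destination)):
            return "ALLOW", rule
    return "DENY", None

def audit(attempts, policy=POLICY):
    """Collect denied attempts as log lines; a burst of them from one host is
    the signal that something is probing for reachable resources or a tunnel."""
    return [f"DENY user={a.user} app={a.application} dst={a.dest_ip}:{a.port}"
            for a in attempts if evaluate(a, policy)[0] == "DENY"]
```

A real desktop firewall applies the same matching in the kernel or driver; this model only makes the decision logic and its audit trail visible.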

If Edward Snowden and Sony taught us anything, it was that even the strongest possible security perimeter, on its own, doesn’t protect an enterprise against a breach. What is needed is tighter control over who has access to enterprise data.

Technology exists today for both desktops and servers to enforce whitelist-based access control in software, and soon in the actual server network adapter. Why isn’t securing every desktop and server common practice today? Cost shouldn’t be the reason. Most, if not all, enterprises cannot afford the liability of a major data breach. Security in every endpoint and application in the enterprise has never been more critical.
