Intrusion Detection Systems
Intrusion detection systems (IDS) are an old idea, in theory very similar to antivirus. The concept is that an alert should be created if an attack passing over the network has an identifiable fingerprint, or if traffic behaves in a way that’s suspicious. It’s based on the idea that there’s a finite set of bad things that can be identified on the fly and that you can make a list of them all. Like antivirus, it’s nearly impossible to list everything; something will be missed. Likewise, the behavioural approaches have the typical problem that they tend not to be 100 percent effective, and they add to the alert fatigue that SOC teams already suffer from.
IDS comes in two variants: network-based and host-based. Network-based IDS (NIDS) listens to network traffic, usually at a choke point such as one side of a firewall. The other variant, host-based IDS (HIDS), is software or a set of rules applied to a single system, such as a server. NIDS listens to network traffic and raises alarms, while HIDS monitors the integrity of the system and watches for signs that something bad is happening inside the system itself.
The focus of HIDS is usually to monitor any important changes within a system. Let’s say a company is running a Unix server. A HIDS running on the server notices that binaries, or executable files, are changing. An alert is raised that a change has been detected, but the alert doesn’t necessarily say where the change came from. Maybe someone internally made the change by updating the binaries to a newer version, or maybe a hacker signed in and is replacing executables with malicious ones.
The obvious pitfall of this technology is that it creates a lot of false alarms. There’s also a high chance that any attack will fail to be detected at all. In practice, these detection systems work like an alarm bell that doesn’t always ring, and when it does, there’s usually nothing to worry about. Is it really a good alarm then? If it were a fire alarm, you’d probably throw it away after a week. The technology isn’t necessarily bad, but it has its limitations and requires a lot of pruning and maintenance.
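The binary-change detection described above, written as an added example (not code from the original article): a minimal host-based integrity check that records a baseline of content hashes and permission bits for every file under a directory and, on the next run, reports files that were modified, added, removed, or had their mode changed. The directory, file names and the simulated tampering in `demo()` are constructed here for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus permission bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return (event, path) alerts for files changed since the baseline was taken."""
    alerts = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            alerts.append(("removed", rel))
        elif new["sha256"] != old["sha256"]:
            alerts.append(("modified", rel))
        elif new["mode"] != old["mode"]:
            alerts.append(("mode_changed", rel))
    alerts += [("added", rel) for rel in current if rel not in baseline]
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: a tiny bin directory, a baseline, then four simulated changes."""
    root = Path(tempfile.mkdtemp()) / "bin"
    root.mkdir()
    for name in ("ls", "ps", "sshd"):
        (root / name).write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
    baseline = build_baseline(root)                            # taken while the host is known-good
    (root / "ps").write_bytes(b"#!/bin/sh\necho replaced\n")   # existing binary replaced
    (root / "ls").chmod(0o4755)                                # setuid bit added, content unchanged
    (root / "sshd").unlink()                                   # binary removed
    (root / "sudo").write_bytes(b"#!/bin/sh\n")                # unexpected new file
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"ALERT {event}: {path}")
```

The alerts say what changed, not who changed it; after a legitimate package update the baseline must be rebuilt, which is the pruning and maintenance the paragraph above refers to.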
We’ve talked a lot about backups already, and our advice is simple: do them. Do them first, test them, and do them again. Have a process in place that ensures they actually work. If you don’t do anything else in security, do this. Don’t even have a firewall if you don’t have the money, but have backups. Take the backups offline at least once in a while.
Online backup has become very popular. Everybody has an iPhone or Android, and if you take a photo, after a minute, it will be in the cloud, backed up. Companies should look for similar solutions that are equally easy for the user—automatic data transfer, low maintenance, and an adequate level of security. It might not go to Google or Apple’s cloud, but there are separate solutions that give you the promise of online backup with encryption and security and central management. Companies should look into this because almost everyone has already adopted the idea of online backups based on their personal experience with mobile devices. There’s no adoption curve.
A good online backup service should give you the ability to keep data offsite and have it available immediately for restore when it’s needed. Many services offer encryption, user management, and other security features that should make it easy for most businesses to adopt them. They also provide some protection against the ransomware attacks that are commonplace nowadays.
Vulnerability Blind Spots
We are constantly surprised at how organisations fail to recognise their security blind spots. Sometimes, these blind spots are technical in nature; other times, they are failures in physical security or access control. Here’s a real-world example.
We worked with a major company in Europe that’s in the real estate and facilities construction business. They are one of the entities considered critical infrastructure in that country. They had hundreds of physical locations and huge buildings. Most of their access control systems are online, connected to the internet.
The servers that controlled the doors were grey metallic boxes screwed onto the walls of a dusty room and essentially forgotten about. This company had these in most of their buildings, usually locked away somewhere on the basement floor. The boxes were connected to the internet by routers that were managed by the service provider who installed the system. Interestingly, but not surprisingly, most of the routers were installed in 1999 and were actually managed by nobody. It’s very common for these boxes to be quickly forgotten by everyone, because all anyone cares about is that access to the buildings works and nothing more. We inspected some of these routers and found that they were riddled with vulnerabilities that could have been exploited from outside the network. Anyone on the internet could find the system, scan it, and see that it was vulnerable to all kinds of known exploits.
Of course, someone did exploit that modem vulnerability, gained access to the company’s building access control systems, and used it to their advantage. Remarkably, before the attack, IT had no idea that this was a risk.
The worst part was that even after they were exploited, they still didn’t consider it a serious problem. This was surprising, especially considering they had a law enforcement agency in one of their facilities. Despite all that, they probably still have the same vulnerable modems in use today.
The point of this story is that even the biggest and most forward-thinking companies in the world have security blind spots and vulnerabilities that they don’t know about. Or they do know about them but fail to fix the problem. That’s why it’s important for every cybersecurity manager to follow the steps and guidelines spelled out in our articles and our book ‘Smiling Security’. By following these suggestions, security blind spots can be uncovered and addressed, ideally before a breach or an attack happens.