By David Gugelmann, October 2019
When IT networks merely consisted of the employees’ computers, visibility was only a question of keeping a complete directory. Today, networks are far more complex. Cloud solutions replace physical servers, and networks include mobile devices, printers and possibly IoT devices like thermostats or lighting systems. All of those devices communicate within the network and to the outside. Given this amount of traffic, it is not surprising that around half of the above report’s respondents stated that they do not have complete visibility or are not sure whether they have it.
There are various incidents where the lack of visibility has led to severe security issues. A compelling example is the NASA security breach. An employee attached a Raspberry Pi (a credit-card sized computer) to the network without the administrator’s knowledge. An attacker took control of the unmonitored device, moved within the network and exfiltrated 500 MB of data within ten months.
In terms of visibility, one can break down this incident as a chain of three breached security controls:
It should not be possible to add a device to the network without the IT administrator’s knowledge. However, given the general overreliance on manual inventories instead of technical solutions, I assume that NASA is far from an isolated case.
The attacker managed to remotely control a device inside NASA’s network and exfiltrate data from this device for months without being detected.
The attacker successfully moved laterally within NASA’s IT network without being blocked.
However, organizations do not have to accept poor visibility and its consequences. With increasing network complexity, cybersecurity tools are also becoming more advanced. Our security software ExeonTrace has various features which provide organizations with increased visibility into their IT networks:
Who is active in your network? Our algorithms identify and cluster active devices in your network, enabling a more detailed understanding of your IT landscape and allowing you to prioritize your security efforts. Further, ExeonTrace allows you to automatically correlate your IT inventory databases against the actual communication happening in your IT network, providing you with a full list of unknown devices. The excerpt from ExeonTrace below summarizes the activities of endpoints in an easy-to-understand way.
What is happening in your critical server network? Besides the mere overview of the components, it is essential to understand in detail what is happening within your server networks, as this is where your critical data is stored. A successful exploit in your server network can have drastic consequences, such as complete loss of your data or, if systems are encrypted through ransomware, an outage of your services. In a recent analysis, ExeonTrace’s machine learning algorithms detected exactly such suspicious behavior among millions of log events. Evidence suggests that an employee accessed a server hosted in a critical network and used it for web browsing. This behavior puts the whole organization at risk because a single wrong mouse click could result in a successful malware exploit giving an attacker direct access to the company’s most critical data.
Where is your data going? ExeonTrace’s visibility features show where the servers are communicating to and highlight suspicious activity. The screenshot below shows an example: communication to Russia. If such activity occurs from within the data center of a Swiss company, it’s worth investigating.
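The two checks described above (inventory versus observed communication, and servers in the critical segment browsing the web) can be illustrated with a small script over flow records. This is an added example, not ExeonTrace code; the inventory, the critical segment 10.9.0.0/24 and the flow records are constructed, and the flow format (source, destination, destination port, bytes) is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory export: hostname -> IP address (assumption: CMDB reduced to this)
INVENTORY = {
    "ws-alice": "10.1.0.21",
    "ws-bob": "10.1.0.22",
    "db-prod-01": "10.9.0.10",
    "app-prod-01": "10.9.0.11",
}
INTERNAL = ip_network("10.0.0.0/8")            # constructed: the organization's address space
CRITICAL_SEGMENT = ip_network("10.9.0.0/24")   # constructed: the critical server network
WEB_PORTS = {80, 443}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.1.0.21", "10.9.0.11", 443, 12000),     # workstation -> app server: expected
    ("10.1.0.77", "10.9.0.10", 5432, 800),      # device not in inventory talks to prod DB
    ("10.9.0.10", "203.0.113.5", 443, 51000),   # prod DB initiates a web flow to the internet
    ("10.9.0.11", "10.9.0.10", 5432, 9000),     # app -> db: expected
    ("10.1.0.77", "198.51.100.9", 443, 3000),   # unknown device -> internet
]


def unknown_devices(flows, inventory):
    """Internal addresses seen communicating that have no entry in the inventory."""
    known = set(inventory.values())
    seen = set()
    for src, dst, _port, _nbytes in flows:
        for ip in (src, dst):
            # Only internal addresses can be "unknown devices"; external peers are not inventory items.
            if ip_address(ip) in INTERNAL and ip not in known:
                seen.add(ip)
    return sorted(seen)


def servers_browsing_web(flows):
    """Hosts in the critical segment that initiate web flows (80/443) to external addresses."""
    hits = []
    for src, dst, port, nbytes in flows:
        if (ip_address(src) in CRITICAL_SEGMENT
                and ip_address(dst) not in INTERNAL
                and port in WEB_PORTS):
            hits.append((src, dst, nbytes))
    return hits


if __name__ == "__main__":
    print("Unknown devices:", unknown_devices(FLOWS, INVENTORY))
    print("Servers browsing the web:", servers_browsing_web(FLOWS))
```

Both checks assume the flow data covers the segments in question; a device on an unmonitored segment, like the NASA case, is only visible once its traffic crosses a monitored boundary.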
I hope this article gave you a more precise view of how visibility in your network can be improved. If you are interested in learning more, please reach out to firstname.lastname@example.org or book a video conference directly over this link.
As CEO of Exeon Analytics, cyber security is the number one topic on my agenda. In this blog post, I will share the most important trends, new topics or background analyses in a condensed form. This blog post is for everyone with an interest in cyber security. Our CTO Markus Happe regularly writes about more technical topics.
Find additional articles on the topic here:
Antivirus Giant Avast Hacked By Spies Who Stole Its Passwords
NASA is far from the only example where a lack of visibility has led to a security breach. The Czech cyber security company Avast was breached via a temporary VPN account that had been forgotten about and left open. It was the second breach of the security company within two years. Read full article
Equifax data breach FAQ: What happened, who was affected, what was the impact?
Interesting read on lessons learned from the Equifax incident, one of the largest data breaches in history. With more oversight, Equifax could have prevented the breach. The attackers gained access to the network through an unpatched customer complaint web portal and were then able to move from there to other servers. Read full article
Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
An impressive example of the increasing threats from IoT. A supposedly well-secured casino was breached through a thermometer in a decorative fish tank. While IoT devices are usually connected to the overall network, their security is often not on par. Read full article
Cybersecurity Storms: Visibility is Key to Cyber Protections
“The most destructive disaster is the one you do not see coming.” This article is an entertaining read and gives you a good overview of visibility considerations. Read full article