How to Protect Company Data and Why It Might Not Be Enough

April 12, 2023 — Jt Spratley

Protecting the company's data and physical assets is everyone's job, much like customer service. Laws and regulations are reactive deterrents that require user activity to take effect. Physical and information security measures also depend on users, but no one is perfect all the time. That is where information technology (IT) solutions come in. There is a plethora of IT solutions, specifically "technical controls," which "can enable and/or amplify policy enforcement where human behavior is difficult to regulate" [1].

Many technical controls are essential for every information system (computer, server, mobile device, etc.). The reason for this is that many cyber threats affect all types of data at rest, in use, and in motion [2]. However, in a business environment the strategic placement of various technical controls requires careful consideration. A fleshed-out risk management plan and risk matrix, which "analyzes project risks based on likelihood and severity" [3], will help IT personnel and management with this.

The firewall, usually one of many within the network, is the first line of defense for access into a company's IT network. Sometimes doubling as a router, the firewall allows incoming and outgoing network traffic based on defined rules [4]. Rules generally include ports and protocols. Newer firewalls might check additional information about the origin of requests. Firewalls can be software or hardware-based as well as web applications or full operating systems (e.g., pfSense). The primary problems that firewalls solve are downtime and unauthorized access.

A denial-of-service (DoS) attack is the result of network resource unavailability due to malicious activity [5]. Those resources can be websites, emails, files, and even connections to other networks. This isn't the same as human error causing downtime. Nor is it synonymous with cases where an eCommerce site has a massive sale but fails to prepare for a significantly high amount of user activity. There is an intentional effort to disrupt the company's online activity. Downtime from DoS attacks not only hurts productivity but also customer experience and search engine optimization (SEO) rankings [6], all of which directly tie into the bottom line: profit.

One notable DoS attack type is the distributed denial-of-service (DDoS) attack. For this method, the cyber attacker must have previously infected multiple (up to thousands of) external systems to flood a network at once. These infected machines are called "bots," acting as part of the attacker's "botnet." This is worse than the average DoS attack because the outermost firewall is receiving network packets from so many different systems in various locations. Therefore, remediation may require human intervention. Sometimes, it is best to simply warn customers of possible downtime and review security logs after the attack for necessary changes. Most DoS attacks last less than five hours [7].

Unauthorized access is an issue on all layers of the Transmission Control Protocol / Internet Protocol (TCP/IP) and Open Systems Interconnection (OSI) models [8]. There are specialty and multi-function firewalls to address them. Traditional, or stateful inspection, firewalls block data from being transmitted over specified network ports and protocols. Hypertext transfer protocol (HTTP) (port 80), its secure version HTTPS (443), and domain name system (DNS) (53) are required to serve web content. File transfer protocol (FTP) (21) is usually unnecessary because downloads are accessible from the web browser, and it is unsafe. IP version 6 (IPv6) is oftentimes disabled because it has been used for DoS attacks [9] and it is rarely needed with IPv4 still being the standard.
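The default-deny, stateful behavior described above can be made concrete with a small simulation. The following is an added example, not code from the article or from any firewall product: it keeps only the ports the paragraph lists (80, 443, 53) open to new inbound connections, drops everything else such as FTP on port 21, and allows inbound packets for other ports only when they are replies to a flow the inside opened, tracked in a connection table. The addresses, ports and packets are constructed for the demonstration.

```python
"""Toy stateful packet filter: default deny inbound, published services only,
plus a connection table so replies to inside-initiated flows are accepted.
Added example, not the article's code. All traffic below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # True when the packet arrives from the Internet side


# The services the article keeps reachable from outside (assumed policy).
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}


class StatefulFirewall:
    def __init__(self):
        # Connection table: 5-tuples of flows that the inside initiated.
        self.conntrack = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        # A reply swaps source and destination relative to the recorded flow.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and update state."""
        if not p.inbound:
            # Outbound traffic is allowed; remember it so replies can return.
            self.conntrack.add(self._key(p))
            return "ACCEPT"
        if self._reverse_key(p) in self.conntrack:
            return "ACCEPT"            # stateful match: reply to our own flow
        if (p.proto, p.dst_port) in ALLOWED_INBOUND:
            return "ACCEPT"            # new connection to a published service
        return "DROP"                  # default deny: FTP, SSH, everything else


def run_demo():
    """Constructed traffic: a web visitor, an FTP probe, an outbound DNS
    query with its reply, and an unsolicited UDP packet to a high port."""
    fw = StatefulFirewall()
    packets = [
        Packet("203.0.113.5", 51000, "10.0.0.2", 443, "tcp", True),
        Packet("203.0.113.5", 51001, "10.0.0.2", 21, "tcp", True),
        Packet("10.0.0.2", 40000, "198.51.100.9", 53, "udp", False),
        Packet("198.51.100.9", 53, "10.0.0.2", 40000, "udp", True),
        Packet("198.51.100.9", 53, "10.0.0.2", 40001, "udp", True),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fourth packet is accepted only because the third one created a connection-table entry; the fifth, which looks like a DNS reply but matches no recorded flow, is dropped. That difference is what "stateful" buys over a plain port list.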

Advanced firewall solutions can do much more. A next-generation firewall (NGFW) can deny traffic based on IP address reputation, geolocation, and other behavioral aspects. A web application firewall (WAF) analyzes application requests for possible code injection and cross-site scripting (XSS) attacks. WAFs can be general or specific to an application. ConfigServer Security and Firewall (CSF) [11] is open-source software that can handle all aforementioned firewall functions. Wordfence [10] is one of the most popular free endpoint firewall solutions for the WordPress content management system (CMS). uBlock Origin and Privacy Badger are web browser security extensions that do the same thing.

The last two notable firewall types are actually primarily for optimizing network speed but can be capable of firewalling. A content delivery network (CDN) is a group of proxy servers scattered across the world with the sole purpose of caching web content to quickly serve online visitors far from the physical server location [12]. Being a software-as-a-service (SaaS) solution, it requires integration via DNS or embedded code to "sit" in front of company servers. Cloudflare, a traditional CDN, requires changing a domain's nameserver (NS) or A DNS records to theirs to handle traffic. Code CDNs like jsDelivr simply require embedding their scripts so that browsers fetch data from the nearest CDN server. CDN firewalling capabilities provide defense-in-depth (DiD) and external DDoS protection through vendor diversity [13].

A load balancer is hardware or software that spreads network requests across a "pool" or "farm" of servers with duplicated data [14], not unlike a Redundant Array of Independent Disks (RAID) 1 configuration. HAProxy is a straightforward self-hosted solution, and even it does some packet analysis before accepting requests [15]. Cloudflare.com can accomplish this through DNS management. Again, it is common to find a firewall, CDN, or load balancing solution with features of the other two.

The anti-malware, or anti-virus (AV), scanner is the most popular technical control, and the easiest to implement. Malware (short for "malicious software") scanners check for files that harbor malicious or suspicious code. Anti-malware software can scan attempted downloads to a workstation and uploads to a server before allowing the action to continue. Any files marked as suspicious will usually be quarantined in a "sandboxed" directory for further review or removed from the system [16]. Anti-malware solutions dedicated to a single web application may have the ability to "clean" files by replacing them with known safe code from an official source. Just like firewalls, there are different types of scanners for different types of malware.

"Virus" and "malware" are used synonymously, but a virus is only one of many malware types. Furthermore, viruses require the infected application to be running in order to execute. That is not the case for trojan horses, worms, spyware, adware, and rootkits [17]. Spyware on a system will collect what someone types, regardless of what applications are running. Much adware is really just tracking cookies being saved in web browsers [18]. Trojans and worms can execute through automated system services. Rootkits hide in firmware and kernels and often require specialized malware detectors like rkhunter [19] to discover. Likewise, ransomware may require specialized decryption tools [20] or backup restoration to recover company data.

On the opposite end of popularity is file integrity monitoring (FIM), a process for auditing suspicious file changes [21]. FIM solutions alert security analysts when malware bypasses the firewall and malware scanner. Because of its focus on change management, insider threats like disgruntled employees can also be detected faster. Popular FIM solutions like Tripwire and AIDE can integrate with anti-malware and firewall solutions for automated protection measures. File integrity is primarily based on two major attributes. First, has the file changed? Second, if the file did change, who did it and how?

Hashes are the basis for detecting file changes. Also known as a "message digest" or "digital fingerprint," a hash is the result of inputting data through a one-way mathematical algorithm to produce an output at a predictable length [22]. Cybersecurity experts debate the difference between a hash and checksum. But they'll generally agree that using hashes to verify whether a file has been modified is known as "comparing checksums."

The most popular hashing algorithms are MD5 and Secure Hash Algorithm (SHA), specifically SHA1, for their speed [23]. However, they're not recommended because of the high risk of hash collision, when two different files hash to the same value [24]. RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is commonly used in Bitcoin and other cryptocurrencies [25]. SHA224, SHA256, SHA384, and SHA512 are best for their lower possibility of hash collision.

Backup management is the easiest example for monitoring file integrity. Businesses must maintain updated copies of proprietary data in multiple locations. Hard disk drives (HDD) can become inaccessible due to excessive bad sectors [27]. After copying backups to various locations, comparing SHA256 (or stronger) hashes is the easiest way to ensure there was no data corruption. When cleaning systems isn't worth the time, or isn't possible due to an extortion ransomware attack [28], backup restoration is the best solution for true business continuity.
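The FIM and backup-verification paragraphs above both come down to the same operation: record a SHA-256 digest per file, then compare a later snapshot against that baseline. The following is an added example, not the article's code nor Tripwire's or AIDE's: it answers the first FIM question ("has the file changed?") by reporting modified, added and removed files. The directory tree, file contents and the "changes" it detects are constructed in a temporary directory so the script runs offline; the same `snapshot` and `compare` functions can be pointed at a backup copy to confirm it matches the original.

```python
"""Minimal file integrity check: SHA-256 baseline of a directory tree,
then a comparison that reports modified, added and removed files.
Added example, not from the article or any FIM product. The files it
inspects are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Stream the file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_of_file(full)
    return digests


def compare(baseline, current):
    """Diff two snapshots: same path with a different digest is 'modified'."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: after the baseline is taken, a config file is
    edited, an auth log disappears, and an unexpected script shows up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "log", "auth.log"), "w") as f:
            f.write("login ok user=alice\n")
        baseline = snapshot(root)

        # Changes an intruder, a failing disk or a careless admin might cause.
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "log", "auth.log"))
        with open(os.path.join(root, "etc", "unknown.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored somewhere the monitored host cannot rewrite it (otherwise whoever changes the file can also change its recorded hash), and the second FIM question, who changed it and how, is answered from audit logs rather than from the digest itself.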

Wireless networks have obvious advantages over wired networks. Routing and maintaining Ethernet cable is expensive and time-consuming. Wi-Fi enables ad-hoc teams to collaborate anywhere in a building. Bluetooth accessories ease cable management. All of that is great for corporate environments. On the other hand, cables can be protected by physical security measures.

Wireless network security is tricky because access starts with the ability to receive radio frequency (RF) signals from a Wi-Fi router or wireless access point (WAP). Unauthorized users may attempt to crack into Wi-Fi networks for benign reasons like checking social media, streaming video, and torrenting large files. Then there are nefarious reasons, like reconnaissance of company access points for future cyber attacks, an act known in the information security (InfoSec) community as war driving [29]. The 1986 Computer Fraud and Abuse Act, the most relevant US law against this today, only applies to accessing computers without authorization, but some states have since created laws to punish stealing Wi-Fi resources [30].

Still, companies can do plenty to mitigate the possibility of unauthorized Wi-Fi users. Wi-Fi Protected Access 2 (WPA2) Enterprise or a succeeding security standard, where available, should be the starting point. Network administrators can ensure the signal strength of WAPs does not extend beyond company office space. Broadcasting of wireless networks should be disabled, and networks should have inconspicuous service set identifiers (SSID), or network names. Media access control (MAC) address whitelisting can be time-consuming but provides an additional level of difficulty for attackers, for companies able to maintain it. The whitelist can aid with limiting how many devices can connect at once. For startup businesses using a consumer-grade router, Wi-Fi Protected Setup (WPS) should be deactivated. Finally, long passphrases with alphanumeric and special characters should be used and changed periodically. Network security software should have features to detect DNS poisoning attempts and similar man-in-the-middle (MITM) attacks against mobile employees.

The average consumer Bluetooth device has a maximum range of 10 meters, or 33 feet, but Bluetooth can exceed well over 100 meters in special circumstances [31]. Business executives should have a serious discussion regarding risk management and Bluetooth vulnerabilities, especially if dealing with classified information. If allowed, the chief information security officer (CISO) should compile an authorized list of devices and use cases. Bluetooth should only be enabled while in use and only available for authorized individuals proven to understand best security measures. These practices help mitigate Bluetooth-related cyber attacks like "bluesnarfing" data from mobile devices [32].

System activity logs are the last digital line of defense regarding technical controls. All aforementioned technical controls - firewalls, malware cleaners, integrity checkers, and cryptographic hashes - can be defeated with enough time and effort. They're all prone to human error and social engineering attacks. Activity logs can provide security analysts with information on how a data breach was accomplished and ways to shrink the company's cyber attack surface. Risk management and business continuity (BC) plans are great proactive steps to securing digital assets. At some point, both have to address the need to regularly monitor network activity and adjust accordingly. Even with hardened intrusion prevention methods, there must be a way to detect attempted intrusions. This is important to acknowledge. Nearly half of American companies lack a business continuity plan, yet 90% of businesses fail within a year if they don't recover within five days after a disaster [33].

The current industry-standard logging solution is security information and event management (SIEM) software. SIEM tools provide "log management, intrusion detection, event correlation, threat intelligence gathering, incident management, compliance standard fulfillment, and vulnerability assessment processes" [34]. Put simply, SIEM software uses advanced methods to organize logs from multiple applications to better understand network activity. Splunk and "ELK Stack" (Elasticsearch, Logstash, and Kibana) are some of the most popular SIEM solutions today [35].
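What "organizing logs from multiple applications to better understand network activity" looks like in practice is event correlation: normalizing lines from several hosts into a common shape and then asking a question no single log answers on its own. The block below is an added example, not Splunk or ELK code: it parses constructed sshd-style authentication lines from two hosts, then raises one alert when a single source address accumulates five or more failed logins within a sliding 60-second window across all hosts. The log lines, hostnames and addresses are constructed for the demonstration, and the threshold and window are assumed values that a real rule would tune.

```python
"""SIEM-style correlation over constructed auth log lines from two hosts.
Added example, not code from the article or from any SIEM product."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Normalization step: one regex turns a raw sshd line into named fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed sample: one address hammers two hosts, one user fumbles twice.
SAMPLE_LOGS = """\
2023-04-12T09:00:01 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2023-04-12T09:00:03 web01 sshd[811]: Failed password for root from 203.0.113.7 port 50123 ssh2
2023-04-12T09:00:05 db01 sshd[420]: Failed password for root from 203.0.113.7 port 50124 ssh2
2023-04-12T09:00:09 web01 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
2023-04-12T09:00:12 db01 sshd[420]: Failed password for root from 203.0.113.7 port 50126 ssh2
2023-04-12T09:00:40 web01 sshd[812]: Accepted password for alice from 10.0.0.23 port 41000 ssh2
2023-04-12T09:05:00 web01 sshd[813]: Failed password for bob from 10.0.0.24 port 41001 ssh2
2023-04-12T09:06:30 web01 sshd[814]: Failed password for bob from 10.0.0.24 port 41002 ssh2
"""


def parse_events(text):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate_failed_logins(events, threshold=5, window_seconds=60):
    """Sliding window of failures per source IP, counted across every host.
    Returns one alert per offending IP, the first time it crosses threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "failures": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


def demo():
    return correlate_failed_logins(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT password guessing from {a['ip']}: "
              f"{a['failures']} failures between {a['first']} and {a['last']}")
```

Only 203.0.113.7 trips the rule, and it does so only because failures on web01 and db01 are counted together; each host alone saw fewer than five. The two failed attempts from 10.0.0.24 are minutes apart and never reach the threshold, which is the kind of noise a per-window rule is meant to ignore.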

SIEM and basic logging software are not immune to tampering. Incident response (IR) specialists have seen more and more log file destruction within cyber attacks in an effort to make identification more difficult, a tactic called "counter-incident response" [36]. Log files are usually just text files with formatted lines. An integrity scanner can notify security analysts when logs are removed, but backups can't retrieve the most recent information. Managerial and operational controls must be in place to ensure proactive improvement in the company's cybersecurity posture.

All processes with best security practices must be simplified to discourage users from finding ways to bypass those steps. For example, suggested changes should be tested in virtual machines (VMs) as staging environments to mitigate issues in production. Those staging VMs should be removed or kept updated to prevent additional vulnerabilities [37]. All leadership must foster a culture which eases cross-department collaboration on documentation for proper change management.

This must all be part of a multi-layered security awareness and training program [38]. A lot of people who are reportedly unconcerned about online data collection either ignore the risks or feel there's nothing they can do about it anyway [39]. Those security-unconscious individuals are at every company and will presumably have that same mindset on the clock. All employees must be trained on best security practices within the realm of their occupation to mitigate human error, insider threats, and other cyber threats at all levels. Cybersecurity awareness is the first step to implementing those firewall, anti-malware, FIM, checksums, and logging solutions, not the tech itself.

References

[1] M. E. Whitman and H. J. Mattord. (2019). Management of Information Security (6th Edition). [On-line]. Available: [RETRACTED] [Nov. 23, 2022].
[2] "Best Practices: Securing Data at Rest, in Use, and in Motion." DataMotion, Dec. 12, 2015. [Online]. Available: https://datamotion.com/best_practices_-securing_data_at_rest_in-use_and_in_motion/ [Nov. 24, 2022].
[3] K. Boogaard. "What Is a Risk Matrix?" Asana, May 13, 2022. [Online]. Available: https://asana.com/resources/risk-matrix-template [Nov. 24, 2022].
[4] "What Is a Firewall?" Cisco. [Online]. Available: https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html [Nov. 24, 2022].
[5] "Understanding Denial-of-Service Attacks." CISA, Oct. 28, 2022. [Online]. Available: https://www.cisa.gov/uscert/ncas/tips/ST04-015 [Nov. 24, 2022].
[6] C. McNei. "4 Reasons Why Website Downtime Affects SEO Efforts." Social Marketing Fella, Mar. 13, 2017. [Online]. Available: https://socialmarketingfella.com/4-reasons-website-downtime-affects-seo-efforts/ [Nov 24, 2022].
[7] S. Cook. "20+ DDoS attack statistics and facts for 2018-2022." Comparitech, Jul. 8, 2022. [Online]. Available: https://www.comparitech.com/blog/information-security/ddos-statistics-facts/ [Oct. 5, 2022].
[8] L. Williams. "TCP/IP Model: What are Layers & Protocol? TCP/IP Stack." Guru99, Oct. 1, 2022. [Online]. Available: https://www.guru99.com/tcp-ip-model.html [Nov. 25, 2022].
[9] K. McCarthy. "It's begun: 'First' IPv6 denial-of-service attack puts IT bods on notice." The Register, Mar. 3, 2018. [Online]. Available: https://www.theregister.com/2018/03/03/ipv6_ddos/ [Oct. 7, 2022].
[10] Wordfence. [Online]. Available: https://www.wordfence.com/ [Nov. 25, 2022].
[11] "ConfigServer Security and Firewall." ConfigServer. [Online]. Available: https://configserver.com/configserver-security-and-firewall/ [Nov. 25, 2022].
[12] "CDN’s are very beneficial but also at a big risk of being targeted by hackers." BOSS Magazine, Sep. 14, 2021. [Online]. Available: https://thebossmagazine.com/what-the-2021-cloudflare-cdn-vulnerability-can-teach-us/ [Sep 11, 2022].
[13] C. Wolf. "Diversity in Cybersecurity Tools a National Security Issue." The Daily Signal, May 7, 2021. [Online]. Available: https://www.dailysignal.com/2021/05/07/diversity-in-cybersecurity-tools-is-a-national-security-issue/ [Nov. 19, 2022].
[14] "What Is Load Balancing?" NGINX. [Online]. Available: https://www.nginx.com/resources/glossary/load-balancing/ [Nov. 26, 2022].
[15] HAProxy. [Online]. Available: https://www.haproxy.org/#secu [Nov. 26, 2022].
[16] M. Landesman. "Quarantine, Delete, or Clean: What Should You Do About a Virus?" Lifewire, Mar. 13, 2021. [Online]. Available: https://www.lifewire.com/clean-quarantine-or-delete-3972276 [Nov. 27, 2022].
[17] K. Baker. "The 12 Most Common Types of Malware." CrowdStrike, Aug. 11, 2022. [Online]. Available: https://www.crowdstrike.com/cybersecurity-101/malware/types-of-malware/ [Nov. 27, 2022].
[18] P. Baltazar. "What are Adware Tracking Cookies and How to Remove them?" MalwareFox, Feb. 17, 2022. [Online]. Available: https://www.malwarefox.com/adware-tracking-cookies/ [Nov. 27, 2022].
[19] "rkhunter." Kali Linux. [Online]. Available: https://www.kali.org/tools/rkhunter/ [Nov. 27, 2022].
[20] "Decryption Tools." The No More Ransom Project. [Online]. Available: https://www.nomoreransom.org/en/decryption-tools.html [Nov. 27, 2022].
[21] "What is File Integrity Monitoring?" CrowdStrike, Dec. 8, 2021. [Online]. Available: https://www.crowdstrike.com/cybersecurity-101/file-integrity-monitoring/ [Nov. 27, 2022].
[22] J. Schatten. "Rehashing Hashing: What is SHA-256?" SSLTrust, Jan. 19, 2022. [Online]. Available: https://www.ssltrust.com/blog/what-is-sha-256 [Nov. 28, 2022].
[23] "Difference between MD5 and SHA1." GeeksforGeeks, Jun. 29, 2022. [Online]. Available: https://www.geeksforgeeks.org/difference-between-md5-and-sha1/ [Nov. 27, 2022].
[24] "Hash collisions." Adobe, Feb. 17, 2022. [Online]. Available: https://experienceleague.adobe.com/docs/analytics/implementation/validate/hash-collisions.html?lang=en [Nov. 27, 2022].
[25] "RIPEMD-160." Bitcoin Wiki, Jun. 30, 2014. [Online]. Available: https://en.bitcoin.it/wiki/RIPEMD-160 [Nov. 27, 2022].
[26] "Subresource Integrity." Sep. 14, 2022. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity [Nov. 28, 2022].
[27] C. Kim. "Hard Drive Data Recovery: How to Recover Files from Hard Drive." FoneCope, Jan. 30, 2019. [Online]. Available: https://www.fonecope.com/recover-files-hard-drive-recovery.html [Nov. 28, 2022].
[28] A. Sukianto. "What is Double Extortion Ransomware? And How to Avoid It." Upguard, Sep. 7, 2022. [Online]. Available: https://www.upguard.com/blog/double-extortion-ransomware [Nov. 28, 2022].
[29] "Wardriving." Fortinet. [Online]. Available: https://www.fortinet.com/resources/cyberglossary/wardriving [Nov. 29, 2022].
[30] B. Farkas. "Stealing or Borrowing Wi-Fi From Your Neighbor: A Victimless Crime?" Nolo. [Online]. Available: https://www.nolo.com/legal-encyclopedia/stealing-wi-fi-your-neighbor-a-victimless-crime.html [Nov. 29, 2022].
[31] A. Peshin. "What Is The Range Of Bluetooth And How Can It Be Extended?" Science ABC, Jul. 8, 2022. [Online]. Available: https://www.scienceabc.com/innovation/what-is-the-range-of-bluetooth-and-how-can-it-be-extended.html [Nov. 29, 2022].
[32] A. Mohammed. "Linux Affected by Bluetooth Security Bug and It’s Serious. Kind of." Fossbytes, Oct. 16, 2020. [Online]. Available: https://fossbytes.com/linux-bluetooth-security-bug-bleedingtooth/ [Nov. 15, 2022].
[33] D. Shulmistra. "18 Business Continuity Statistics to Know." Invenio IT, Mar. 17, 2021. [Online]. Available: https://invenioit.com/continuity/business-continuity-statistics/ [Nov. 15, 2022].
[34] "10 Best Free and Open-Source SIEM Tools." DNSstuff, Nov. 24, 2019. [Online]. Available: https://www.dnsstuff.com/free-siem-tools [Nov. 30, 2022].
[35] A. T. Tunggal. "Splunk vs ELK: Which Works Best For You?" Upguard, May 12, 2022. [Online]. Available: https://www.upguard.com/blog/splunk-vs-elk [Sep. 28, 2022].
[36] C. Cimpanu. "Hackers are increasingly destroying logs to hide attacks." ZDNET, Nov. 2, 2018. [Online]. Available: https://www.zdnet.com/home-and-office/cyber-monday-deals-under-30-still-available-november-30-2022/ [Nov. 30, 2022].
[37] V. Seget. "The Basics of Virtualization Security." Netwrix, Jan. 13, 2022. [Online]. Available: https://blog.netwrix.com/2020/01/09/virtualization-security/ [Nov. 30, 2022].
[38] "Building an Information Technology Security Awareness and Training Program." NIST, Oct. 2003. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf [Dec. 1, 2022].
[39] "2022 Consumer Cyber Readiness Report." Consumer Reports. [Online]. Available: https://consumer-reports-ressh.cloudinary.com/image/upload/v1664551562/Consumer-Cyber-Readiness-Report-Final_edbv9f.pdf [Dec. 1, 2022].

Tags: cybersecurity, IT