While the bad news is that experts are declaring that we have entered the age of cyber war, the worse news as we enter 2012 is that security systems and professionals are simply not able to keep up. Security attacks are increasing in complexity and intensity every day. They range from inter-state attacks (like the one on Raytheon this year and the ones from China that are being investigated by the U.S. government) to cyber-crime (which includes countless malware and DDoS attacks against businesses and consumers).
The reasons why this is an exceptionally difficult problem are threefold:
The complexity of the attacks
First, the nature of the attacks is changing, and they are becoming far more sophisticated than ever before.
Attacks are no longer aimed only at infrastructure components; they are specifically targeted at particular applications and end devices (e.g. Stuxnet).
This was also seen in the attacks that laid low a series of U.S. Department of Energy labs this year (Pacific Northwest National Laboratory and Oak Ridge National Laboratory), as well as at companies like RSA Security (where, according to this report, the attack successfully obtained files and was discovered and stopped only when those files were being transferred to an external hosting provider). The only solution is to increase the agility of the network so that intelligence on the latest attack types can be quickly disseminated globally, effecting policy changes and protecting critical assets. The same information has to be provided to the teams that build network elements and entire networks, so they can make more intelligent design choices that keep the network agile and flexible.
The scale of the attacks
Second, the scale of the attacks and of their targets has increased to record levels.
Attacks are now aimed not only at network infrastructure but increasingly at hosted web and application servers, affecting millions of systems. Arbor reported that DDoS attacks crossed 100 Gbps for the first time in 2011. To counter this we need better defense systems at various points in the network, through the use of Next Generation Firewalls designed to handle both massive scale and application- and user-specific security policies.
Security as an afterthought
Lastly, security testing is still not an integral part of the software development lifecycle at most system and software companies.
Although the largest NEMs like Microsoft, Juniper and Cisco include security practices as part of their development processes, the majority of companies building cloud applications for commercial markets are woefully behind. Engineering organizations need to start thinking of security, performance and functionality as integrated parts of the same development process, not of security as a compartmentalized function. This is the only way to strengthen the network from the inside. To draw an analogy to the human body: we wear gloves and masks and wash our hands to keep germs out (analogous to firewalls), but the greater need is to boost the strength of the internal organs through exercise, diet and other long-term, positive habit-forming behaviors. Translated to the network, this equates to better development and deployment practices, including making security testing integral to the development cycle.
To build a safer, more resilient network, commercial and federal network operators as well as network equipment manufacturers need to consider these challenges very carefully and institute process changes to counter them.
Mu Dynamics provides solutions for both operators and vendors to test and validate security readiness of perimeter defense systems like Next Generation Firewalls, in addition to the security readiness of internal systems like servers and clients through fuzzing. More information on our solutions can be found here.