Search Learning Center for

Cyber Security

AppSec, Essentials, Threats 3k views

What Is Cyber Security?

Just like physical security is aimed at protecting physical property and people from criminal activity or accidental damage, cybersecurity protects computer systems, back-end systems and end-user applications, the users of those systems, and the data they store.

Cyber security is aimed at preventing cybercriminals, malicious insiders, or others, from accessing, harming, disrupting or modifying IT systems and applications.

The importance of cyber security

As human society goes digital, all aspects of our lives are facilitated by networks, computer and other electronic devices, and software applications. Critical infrastructure including healthcare, financial institutions, governments, and manufacturing, all use computers or smart devices as a core part of their operations. A vast majority of those devices are connected to the Internet.

Threat actors have a greater incentive than ever to find ways to infiltrate those computer systems, for financial gain, extortion, political or social motives (known as hacktivism), or just vandalism.

Over the past two decades, cyber attacks were launched against critical infrastructure in all developed nations, and countless businesses suffered catastrophic losses. There are over 2,000 confirmed data breaches globally each year, with each breach costing over $3.9 million on average ($8.1 million in the USA). Since the year 2000, over 3.5 billion people, half the world’s population, have had their private information stolen by cyber criminals.

Security breaches and threats can affect nearly any system including:

  • Communication — phone calls, emails, text messages, and messaging apps can all be used for cyberattacks
  • Finance — naturally, financial institutions are a primary target for attackers, and any organization processing or dealing with bank or credit card information are at risk
  • Governments — government institutions are commonly targeted by cybercriminals, who may be after private citizen information or confidential public data
  • Transportation — connected cars, traffic control systems and smart road infrastructure are all at risk of cyber threats
  • Healthcare — anything from medical records at a local clinic to critical care systems at a national hospital are vulnerable to attack
  • Education — educational institutions, their confidential research data, and information they hold about students or staff, are at risk of attack

In the vast majority of these systems, websites and web applications are a gateway for attackers. They are exposed to the public Internet, and commonly connected to sensitive back-end systems, representing a weak link in the organization’s security strategy

Whether your organization is a business of any size, a website receiving substantial traffic, or an institution or non-profit organization serving the public interest, preparing and defending against cyber security threats should be one of your foremost concerns.

Principles of Cyber Security

The primary objective of cyber security is to protect data. The security community commonly refers to a triangle of three related principles that ensure data is secure, known as the CIA triad:

  • Confidentiality — ensuring sensitive data is only accessible to those people who actually need it, and are permitted to access according to organizational policies, while blocking access to others.
  • Integrity — making sure data and systems are not modified due to actions by threat actors, or accidental modification. Measures should be taken to prevent corruption or loss of sensitive data, and to speedily recover from such an event if it occurs.
  • Availability — ensuring that data remains available and useful for its end-users, and that this access is not hindered by system malfunction, cyber attacks, or even security measures themselves.
Cybersecurity

The CIA Triad defines three key principles of data security

To achieve the CIA objectives organizations must protect two aspects or their IT environment: application security and data security.

Common Application Security Strategies

Application security ensures user-facing applications are protected from penetration or disruption by external threats, attacks on the devices that host or use the application (endpoints), and insider threats. Below are three of the most common application security strategies.

DDoS protection

A Distributed Denial of Service (DDoS) attack uses a large number of connected devices controlled by an attacker, to overwhelm a website’s resources with fake traffic. Because of the massive scale of today’s DDoS attacks, a common protective measure is a cloud-based DDoS mitigation service. These services use either DNS or BGP routing to divert traffic to cloud-based scrubbing servers, dropping malicious requests and forwarding legitimate ones to the web server.

Web Application Firewall

A web application firewall (WAF) is deployed on the network edge as a reverse proxy, inspects incoming and outbound HTTP/S traffic to a web application, and filters out malicious traffic. A WAF uses security policies, and threat intelligence data such as known bad traffic sources and known attack patterns, to determine which traffic should not reach the application.

Advanced Bot Protection

Bots are automated programs that perform actions over the Internet. Some bots are legitimate and should be allowed access to a website, while others are malicious and can be used to launch automated attacks. Bot management is a rapidly evolving field that protects organizations from bad bots using bot reputation databases, challenges that test whether a bot is a real user or not, and behavioral analysis that identifies suspicious bot behavior.

Common Data Security Strategies

Data security ensures data cannot be accessed by external parties or unauthorized internal parties, identifying risks to sensitive data and addressing them, and setting up detection methods to identify when data is accessed, modified or deleted by threat actors. Below are three common strategies for data security.

Data Masking

Many data breaches occur not in production environments, but on testing or DevOps environments. These environments are often not secured, but are commonly loaded with live, sensitive customer data. Data masking makes it possible to use realistic data on testing servers, while using transformation techniques to hide or scramble the original data.

Vulnerability Discovery

Many software systems have known vulnerabilities, which can be exploited by hackers to compromise the system. Vulnerability discovery is a process that relies on vulnerability databases, which contain details about known vulnerabilities. It allows an organization to detect which systems are affected by vulnerabilities, understand severity and impact, and remediate the vulnerabilities.

Endpoint Security

The number of endpoint devices at organizations is exploding. There are millions of laptops, mobile devices, and Internet of Things (IoT devices), which connect to the Internet and represent a growing security risk.

Endpoint security involves deploying an agent on each endpoint, which can provide security capabilities like Next-Generation Antivirus (NGAV), to detect zero day attacks and inside threats, and Endpoint Detection and Response (EDR), to help security teams investigate and block attacks on endpoints in real time.

Common Cyber Threats

The cyber security landscape is complex, with millions of known threat actors and documented Tactics, Techniques and Procedures (TTP), and new types of attacks emerging every day. Here are a few of the more common cyber threats you may be exposed to:

Threat How it Works Risk to Your Organization
Phishing Attackers send emails and messages to victims, disguised as legitimate, but in fact tricking the recipient into compromising security. Phishing can be used by attackers as a precursor to almost every other type of cyber attack. It opens the door to your network and internal systems.
Advanced Persistent Threats (APT) An organized group of cybercriminals wages a long-term cyber attack campaign against a specific organization. APT groups can compromise data, including sensitive customer data, steal funds, and destroy or disrupt critical systems.
Malware Software built to assist or carry out cyber attacks or cause damage to computer systems. It is typically able to spread itself and infect additional computer systems. Malware can cause direct damage, for example corrupting data or disrupting system operations, and may include backdoors that give attackers unlimited access to perform other malicious actions.
Ransomware A type of malware that encrypts data on computer systems, rendering it inaccessible to users, and demands a ransom for its release. Ransomware is a threat to all organizational data. It can be very difficult to recover from it without an effective backup and disaster recovery plan.
Zero-day exploit A first attempt to perform a cyber attack by exploiting a security vulnerability in a computer system. Because the vulnerability is not yet known, the attack is highly likely to succeed. Zero-day exploits can have deadly consequences. Depending on the system targeted, they can result in attackers accessing critical systems, disrupting service and compromising sensitive data.
Code injection An attempt by attackers to send malicious code to a computer system and cause it to process and execute that code. Common variants are SQL Injection and Cross-Site Scripting (XSS). Code injection can be used to gain control of systems like web servers, application servers or databases, and manipulate them to perform actions desirable to the attacker.
Denial of Service (DDoS) Involves sending large amounts of fake traffic to a computer system, until the volume of traffic overwhelms it, denying access to legitimate users. Disruption of critical services, damage to reputation. Can also serve as a diversion, used to draw the attention of security staff and hide other malicious activities.
Bots and automated attacks The vast majority of cyber attacks are carried out by automated systems called bots, which can scan systems for vulnerabilities, try to guess passwords, infect systems with malware, and perform many more malicious actions. Bots are dangerous because they operate at large scale, constantly scanning the Internet for victims and attacking relentlessly. All websites are constantly hit with bot traffic, some of it malicious.

Building a Cyber Security Strategy

Addressing the cyber security problem in your organization starts from a strategy, which should be supported by senior management and shared with the entire organization.

Here is a process you can use to build your security strategy:

  1. Perform an inventory of computing assets—identify which applications and data your organization possesses, and the consequences if they should be attacked or compromised. Create a list of assets that need to be protected.
  2. Identify compliance requirements—is your organization subject to any regulations or industry standards that affect cybersecurity? Identify the compliance requirements related to cybersecurity and add them to your list of protected assets.
  3. Identify threats and risks—review a comprehensive list of threats affecting your industry, identify which of them are the most relevant for your organization, and review key systems to how vulnerable they are to an attack. For example, an organization that operates a website should be concerned about web application threats like code injection and malicious bots, and should perform an assessment of its web applications to see how vulnerable they are.
  4. Prioritize risks—given the systems you need to protect, your compliance responsibilities, and the common threats, map out your biggest risks. Which are the systems that are the most valuable to the business and most likely to be attacked? These are the first risks you should target with your cybersecurity program.
  5. Identify your security maturity level and existing tooling—do you have a cybersecurity program in your company? Are there in-house staff or existing vendors that provide security services? Also map out cybersecurity measures that already exist. Consider protection of physical facilities (a security guard, locked doors for server rooms), security systems like firewalls and antivirus, and security measures in applications and services the organization uses, including cloud services.
  6. Build a cybersecurity team—leverage existing staff in your organization with cybersecurity skills, hire new staff and involve consultants if necessary. Create a capable team that is able to execute on a cybersecurity plan to improve your security posture.
  7. Build a timeline and milestones for improving your cybersecurity—what are the quick wins you can immediately carry out to improve protection of critical systems? What are longer term measures that need more time but can be important to improving cybersecurity? Build a long-term plan for at least 1-2 years, with clear milestones indicating what should be achieved by the security team each quarter.

See how Imperva Application Security can help you with your cyber security strategy.

7 Cyber Security Trends

The following are important trends in the cyber security community which you should be aware of, as you develop your strategy and select your toolset.

1. Cyber Security and Machine Learning

In the past, cyber security systems relied on manually defined rules and human inspection to identify and classify security incidents. This was effective but limited, because it required a high level of expertise to manage security tools, and overloaded security staff.

Many modern security tools use machine techniques to automate security decision making, without requiring rules to be defined in advance. This can save a lot of time for security teams and result in a faster and more accurate response to threats.

A few examples of the use of machine learning in cyber security are:

  • Next-generation antivirus (NGAV) tools use automated malware classification, identifying malware even if it does not match any known binary pattern
  • Data loss prevention (DLP) systems use machine learning to read documents or other materials and automatically classify their sensitivity
  • Email protection systems are trained using a large dataset of phishing vs. legitimate emails, and can identify emails that “look like” they might be phishing attempts

How Imperva Helps

Imperva’s Machine Learning security solutions use contextual comparative analysis, based on machine learning, to identify anomalous or suspicious behavior, prioritize alerts and help security teams focus on real security incidents.

2. API Security

Application Programming Interfaces (APIs) allow computing systems to communicate with each other and share data. An entire API economy has emerged that allows organizations to share data and software capabilities with each other.

While APIs provide a lot of value to organizations, they also represent a security risk. There is limited awareness for the importance of API security, and many API endpoints lack basic security measures. They can be manipulated by attackers to abuse the service behind the API, and can also be an entry point to an organization’s critical systems.

In the past few years, dedicated API security solutions are emerging that help organizations lock down API endpoints, protect them from malicious traffic, and defend against DDoS attacks. The OpenAPI initiative helps organizations define their APIs in a standardized way, making it possible to enforce a security policy built around API capabilities.

How Imperva Helps

Imperva API Security protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities. Based on the OpenAPI initiative, Imperva offers a maintenance-free API protection solution that automatically adapts to changes in API specifications.

3. Advanced Bot Protection

Bots are systems that access websites and perform automated actions. Some bots are legitimate, for example, the Googlebot crawls websites in order to add them to Google’s search index. But other bots are malicious, used by threat actors to launch attacks against millions of vulnerable websites.

Bots account for 58% of web traffic today, and a full 22% of web traffic is attributed to bad bots. Bad bots can be installed on end-user devices compromised by attackers, forming massive botnets. These devices might be home computers, servers, and IoT devices such as game consoles or smart TVs. Attackers leverage networks of compromised devices to launch DDoS and many other types of attacks.

Bot management systems help organizations identify unwanted bot traffic and filter it out, while allowing legitimate bot traffic and user traffic to continue uninterrupted. To do this, they need to identify bad bots, using a variety of methods like:

  • Reputation management—managing a database of known good and bad bots
  • Device fingerprinting—identifying attributes of the operating system or browser that may indicate a bad bot
  • Challenges—subjecting a bot to a “challenge” such as a dynamic page element or a CAPTCHA, which human users are able to process while bots cannot.

How Imperva Helps

Imperva’s Advanced Bot Protection analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic or good bots. Reputation management also allows you to filter out unwanted traffic based on sources, geographies, patterns, or IP blacklists.

4. File Security

File security is critical to ensure sensitive data has not been accessed or tampered with by unauthorized parties, whether internal or external. Many compliance standards require that organizations put in place strict control over sensitive data files, demonstrate that those controls are in place, and show an audit trail of file activity in case of a breach.

File security technology can automatically identify suspicious file activity, which may represent an attempt at data exfiltration, a ransomware attack, or even a careless user deleting files by mistake or copying them to an insecure location.

How Imperva Helps

Imperva’s File Security continuously monitors all user access to enterprise file storage systems and keeps a detailed record of all file access activity, including privileged users.

5. Runtime Application Self-Protection

Historically, many organizations adopted Application Security Testing (AST) tools that automatically scanned application code for code quality issues and software vulnerabilities. Today, many organizations are shifting to Runtime Application Self-Protection (RASP), which scans and monitors application code in real time, when it is running in production.

RASP is deployed together with a web application. It monitors traffic and user behavior, and if it detects an issue, it can block specific user requests and alert security staff. RASP does not rely on specific attack signatures, and is able to block entire categories of attacks.

The unique element of RASP is that it leverages inside knowledge of an application’s source code. It knows how an application behaves and can detect attacks that leverage weaknesses in the code, like code injection and exploits of known vulnerabilities.

How Imperva Helps

Once you’re ready to deploy your applications, Imperva RASP is here to keep them protected and give you essential feedback for eliminating any additional risks. It requires no changes to code and integrates easily with existing applications and DevOps processes, protecting you from both known and zero-day attacks.

6. Cloud Security

As organizations undergo digital transformation and move mission-critical workloads to the cloud, cloud security becomes an essential part of a cyber security strategy. Securing the cloud is a challenge, because cloud-based systems do not have a traditional security perimeter, and can provide attackers access to almost every aspect of the IT environment.

Organizations must understand the division of responsibility between themselves and their cloud provider, and correctly configure security features offered by the cloud provider, in particular network isolation features like Virtual Private Cloud (VPC). They must also have a robust Identity and Access Management (IAM) solution – a way to define user accounts, roles and access control policies.

When deploying hybrid cloud or multi-cloud infrastructure, which connects between private and public clouds or multiple public clouds, organizations must ensure security is consistent across all their cloud environments, and pay special attention to integration points.

How Imperva Helps

Imperva’s Cloud Security secures private, public, and multi cloud environments. It provides a complete solution stack that protects your applications, APIs, and databases, with one point of control and one pane of glass for application and data security. Imperva security solutions are delivered as a service or as self-managed VMs.

7. Alert Fatigue

Organizations collect a huge volume of logs and events from IT systems and security tools. It is now common, even in small to medium organizations, to use Security Information and Event Management (SIEM) to aggregate security data and create alerts for security teams.

The sheer number of alerts, together with the chronic shortage of security staff at many organizations, results in alert fatigue. Security teams receive thousands of alerts at all hours of the day, making it difficult to sift through the alerts and identify real security incidents.

The problem is not new and there are several approaches to mitigating alert fatigue. For example, organizations implement threat intelligence to identify when an alert correlates with a signature or attack pattern of a known attacker. Machine learning approaches like User and Event Behavioral Analytics (UEBA) help identify unusual behavior, and automatically score it to identify events that are more likely to be malicious.

How Imperva Helps

Imperva’s Attack Analytics uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most. It also provides easy integration with leading SIEM platforms, to simplify analysis of security data and extraction of actionable insights for security teams.