Layered Security: Essential for a Safe Company Network
Long gone are the days when system security was about little more than choosing an effective antivirus product.
Threats to IT security now come from several different angles, and companies wishing to avoid the costs and reputational damage associated with security breaches must take a multi-faceted approach.
In this article, we speak to David Attard, a GFI product manager specializing in Web security, about the threats facing modern, connected businesses.
How has the IT security landscape changed in recent years?
The biggest change has been a move away from traditional viruses and Trojans. Of course these still exist, and there are multitudes of them, but some of the scariest threats nowadays are those posed by social engineering and phishing, which take advantage of user naivety rather than holes in an infrastructure. Moreover, malware is pushed aggressively to victims. Rather than a chance encounter with a virus on a dodgy website, even the most educated and wary of users are likely to encounter malware being pushed to them via what is perceived as “normal” web browsing such as search engines, news and social networking sites.
Also, there are various downloads which are likely to contain malware. Research by Microsoft suggests that 1 in 14 downloads is actually malicious.
How should IT departments respond to this?
It’s now essential that companies take a multi-layered view of IT security. At the top level, this means doing all you can to prevent users accessing compromised areas of the Web by using content filtering – but it shouldn’t stop there.
If users are able to inadvertently access a malware-infected site, companies need to know that their machines are sufficiently patched and protected to prevent hackers taking advantage of exploits.
Finally, businesses need to ensure that other routes into the network are protected; there’s no point in having perfect Web security if a user can introduce malware by plugging in an infected USB stick or connecting their personal laptop or other device to the network without any mitigating security practices in place.
Do businesses have good reason to be alarmed by how malware is evolving?
If they’re not protected at every level, then definitely. Phishing is a particular concern, as compromised sites can look so genuine that they fool a large proportion of people. Obviously the ideal scenario is to use software that protects users from being tricked in the first instance, but user education is clearly very important too.
You only have to look at how many high-profile Twitter accounts have been hacked to know how real this threat is. The Syrian Electronic Army compromised many accounts with targeted phishing emails that convinced people sufficiently to give up their credentials.
Do SMEs need to worry as much as larger companies?
Yes, because (arguably) they are easier targets, with smaller budgets for IT security, and it is essentially a game of numbers. Create a large-scale scatter shot and many victims are bound to get caught in the crossfire. We are also seeing a trend towards Advanced Persistent Threats (APTs), where hackers persistently target a company with a range of different attacks, including social engineering, in an attempt to gain system access.
Once they’re in, there’s plenty they can do. Hackers can even access “malware as a service” such as the Blackhole Exploit Kit, which effectively allows them to design and distribute malware to meet their own ends with very little effort and at a very cost-effective price.
What’s the best advice you could give to an IT department concerned about these issues?
Use a product such as GFI Cloud that can integrate patch management, antivirus and, from early October, content filtering in one easy-to-use, web-based console. Only by thinking of every possible “way in” can IT professionals really sleep soundly at night!










