Many organisations continue to rely on ineffective intrusion prevention systems (IPS) for defending information systems, says security firm Stonesoft.
Advanced evasion techniques (AETs) – which combine several known evasion methodologies to create new and dynamically changing techniques – bypass most IPS systems on the market, tests have shown.
Attackers using these techniques have found ways to split attacks across different network layers to make harmful traffic appear harmless to standard IPS appliances.
In July, Stonesoft released a free AET defence test tool called Evader that it developed to test its own products against AETs, to raise awareness among suppliers and their customers about the threat.
The biggest response came from academic institutions keen to learn more about AETs, said Olli-Pekka Niemi, head of Stonesoft’s vulnerability analysis group.
Few security suppliers have responded to the challenge. But since the release of Evader – which has been downloaded thousands of times – there have been fewer denials about AETs, Niemi said.
However, many organisations are vulnerable to attack using AETs, despite deployments of IPS by well-known suppliers.
The main area of concern is organisations that form part of critical national infrastructures around the world and rely on IPS to safeguard key industrial control systems.
“There needs to be dynamic detection and prevention systems in dynamic networks – static hardware-based systems do not work,” said Niemi.
IPS that is largely hardware-based cannot be updated, he said, and cannot keep up with the pace of change in the threat landscape.
Engineers at Stonesoft have lost track of the number of core evasion techniques used in continually varying combinations to bypass IPS defences.
In the face of the use of AETs and other continually evolving techniques by attackers, there is an urgent need to raise the bar, said Ilkka Hiidenheimo, president and CEO of Stonesoft.
“The threat reality has changed, yet many are still trying to protect their networks in much the same way as they have always done,” Hiidenheimo said.
Stonesoft’s approach to helping customers raise the bar includes integrating AET detection capability into its products and using the same security engine for military, government and enterprise customers.
This means raising the bar according to requirements is merely a matter of changing configuration settings, said Hiidenheimo.
However, he warned that ensuring cyber security is mainly about building resilient systems, which will require many organisations to rethink their security architecture and processes.
Security technologies will never provide 100% protection, he said. For this reason, everyone on the network must be treated as potentially dangerous, and the network must be segmented so that breaches can be contained quickly and efficiently when they occur.
Raising the bar is necessary, said Hiidenheimo, because estimates show that cyber crime is worth more than $400bn a year and the risk of getting caught is extremely low.
“The number of thefts in the digital world exceeded the number in the physical world in 2010 and is continuing to grow at a faster rate,” he said.
Some estimates show the cost of cyber crime to US businesses as $5.6m a year. The US as a whole is believed to lose $50bn a year through the theft of intellectual property, said Hiidenheimo.
Everybody is getting hacked all the time, he said. Some studies have projected that 30% of all attacks taking place are never detected.
The fact that, in 2012 alone, so many top companies – such as Thomson Reuters, Siemens and AT&T – have been breached indicates a lack of real understanding, commitment and responsibility when it comes to cyber security, said Hiidenheimo.
He believes that less than 1% of board members – including those at top companies – understand the true dependency of their organisations on electronic information systems.
“It is in the digital world where organisations will win or lose strategic advantage because everything is connected,” said Hiidenheimo.
The UK government understands this, he said, and consequently has put business benefit at the heart of the UK’s national cyber security strategy.
Similarly, organisations need to upgrade their cyber security strategies to reduce the risk to business.