Companies have been dealing with network security issues for decades, and in light of this I want to share my most memorable one. I vividly recall the chaos around me in 1988 while installing a LAN at the Laboratory for Laser Energetics in Rochester, NY. What is now known as the 1988 Internet Worm took down hundreds of servers on the DARPA network called Arpanet. No one had experienced such a widespread network catastrophe before, but alas, more would follow. At that time, it was like a nuclear bomb had gone off. Ironically, they use nuclear fusion in their research to harness energy. Luckily, my LAN was scheduled to be connected to the Arpanet network that day, so we were able to continue the training… one of the few things working as planned that day.
Today’s networks are an even more complex mix of technologies, vendors, protocols and topologies which require a comprehensive, non-vendor-specific solution. Unfortunately, most efforts to establish and maintain compliance continue to lag compared to the vulnerabilities which threaten these networks. Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits per Verizon's 2016 Data Breach Investigations Report.
Among the contributors to non-compliance are:
- Understaffing and untrained staff
- Operational silos
- Lack of effective tools and processes
Often, the major missing factor is not looking at this issue in a holistic way… from all of the dimensions where attack vectors aim. Just keep in mind that siloed thinking is a hacker’s best friend. Downtime and non-compliance costs can rack up and increase quickly. Estimates for the lost time from the Internet Worm were between $100k-$10M. That’s expensive for aeration of a garden. (Do you see what I did there?)
At Micro Focus, we’ve been helping customers meet network compliance for over a decade. During that time we have learned that what’s required is a three-dimensional approach: configuration policies, device software, PLUS the running state.
3-D Compliance looks at all three dimensions of network compliance – OS Software, Configuration, and last, but not least… the Running State of the device.
Many network engineering teams don’t factor in what is actually happening on the device now—at this moment. Not considering the third dimension can lead to unknowingly leaving your network open to vulnerabilities—resulting in data loss and potential penalties.
By monitoring the Running State of the devices and comparing it to the policies that are defined in the configurations, we can uncover vulnerabilities even before the CVE is communicated. Once we know it’s an issue from the vendor, we can alert users to the severity and protect them with a fix, so they can automatically roll back to the baseline.
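To make the three dimensions concrete, here is an added example (not Micro Focus product code, and not from the original post) that checks one device snapshot against a policy baseline. It assumes a hypothetical policy format (a minimum OS version, a list of required configuration lines, and a list of running-state facts that must be false) and a snapshot whose fields have already been collected from the device's "show" commands; the device, policy values and configuration text are all constructed for the example. The running-state dimension is what catches the case the post describes: the saved configuration is compliant, but what the device is actually doing right now is not.

```python
"""Three-dimension compliance check over a constructed device snapshot.

Dimension 1: OS software   - is the running image at or above the approved version?
Dimension 2: configuration - does the saved configuration contain the policy lines?
Dimension 3: running state - does what the device is doing right now match the
                             saved configuration and the policy?
"""
from dataclasses import dataclass, field
import re

# Hypothetical policy baseline for one device class.  Every value here is
# constructed for this example and is not taken from any vendor or product.
POLICY = {
    "min_os_version": "15.2.4",
    "required_config": [
        "ip ssh version 2",
        "no ip http server",
        "ntp server 10.0.0.5",
    ],
    # Running-state facts that must be false on a compliant device.
    "forbidden_state": ["telnet_listening", "http_server_enabled"],
}


@dataclass
class DeviceSnapshot:
    hostname: str
    os_version: str            # e.g. from "show version"
    startup_config: str        # the saved (intended) configuration
    running_config: str        # the configuration actually loaded right now
    running_state: dict = field(default_factory=dict)  # observed facts, e.g. open listeners


def parse_version(text: str) -> tuple:
    """Turn '15.2(4)M7' or '15.2.4' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def config_lines(cfg: str) -> set:
    """Normalise a config blob into a set of statements, dropping comments and blanks."""
    return {ln.strip() for ln in cfg.splitlines()
            if ln.strip() and not ln.strip().startswith("!")}


def check_os(snap: DeviceSnapshot, policy: dict) -> list:
    """Dimension 1: the image must be at or above the approved minimum."""
    findings = []
    if parse_version(snap.os_version) < parse_version(policy["min_os_version"]):
        findings.append(f"OS {snap.os_version} is below approved minimum "
                        f"{policy['min_os_version']}")
    return findings


def check_config(snap: DeviceSnapshot, policy: dict) -> list:
    """Dimension 2: every required line must be present in the saved config."""
    saved = config_lines(snap.startup_config)
    return [f"saved config missing required line: {ln}"
            for ln in policy["required_config"] if ln not in saved]


def check_running_state(snap: DeviceSnapshot, policy: dict) -> list:
    """Dimension 3: unsaved drift between saved and running config, plus live facts."""
    findings = []
    saved, running = config_lines(snap.startup_config), config_lines(snap.running_config)
    for ln in sorted(running - saved):
        findings.append(f"running config has unsaved line: {ln}")
    for ln in sorted(saved - running):
        findings.append(f"running config dropped saved line: {ln}")
    for fact in policy["forbidden_state"]:
        if snap.running_state.get(fact):
            findings.append(f"device is currently in forbidden state: {fact}")
    return findings


def assess(snap: DeviceSnapshot, policy: dict = POLICY) -> dict:
    """Run all three dimensions and summarise; compliant only if every list is empty."""
    report = {
        "os_software": check_os(snap, policy),
        "configuration": check_config(snap, policy),
        "running_state": check_running_state(snap, policy),
    }
    report["compliant"] = not any(report[k] for k in
                                  ("os_software", "configuration", "running_state"))
    return report


# Constructed snapshot: the saved config is compliant, but the HTTP server was
# re-enabled in the running config without being saved, and the image is old.
SAMPLE = DeviceSnapshot(
    hostname="edge-rtr-01",
    os_version="15.1(3)T",
    startup_config="""
! saved config (constructed)
hostname edge-rtr-01
ip ssh version 2
no ip http server
ntp server 10.0.0.5
""",
    running_config="""
! running config (constructed)
hostname edge-rtr-01
ip ssh version 2
ip http server
ntp server 10.0.0.5
""",
    running_state={"telnet_listening": False, "http_server_enabled": True},
)

if __name__ == "__main__":
    for dimension, findings in assess(SAMPLE).items():
        print(dimension, findings)
```

Run against the constructed snapshot, the configuration dimension passes cleanly, which is exactly why a config-only audit would report this device as compliant; the OS dimension flags the old image, and the running-state dimension reports the unsaved `ip http server` line, the missing `no ip http server` line, and the live HTTP listener. A real baseline would come from the policy your team has already defined, and the rollback the post mentions is simply re-applying the saved configuration the comparison was made against.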
In subsequent blogs, I’ll explain this concept further and take a deep look into a current CVE and how 3-D Compliance addresses it.