Improving Network Architecture Can Help Prevent Future Bitcoin Mining Hacks
When Iowa State University discovered that over 50,000 student and alumni profiles had been exposed to hackers, the school’s first instinct was to disconnect servers and promise to boost data encryption efforts. But will that be enough?
The hackers, who targeted servers containing the personal profiles of past and current University students—including 30,000 social security numbers—were attempting to harness the servers' computing power to mine bitcoins, a trend that has littered cybersecurity headlines of late.
While the common knee-jerk response of strengthening encryption after a security breach is an important measure, there are other issues to be addressed. In the security world, “defense in depth” is a key component of a robust security architecture, since any single protection scheme can be compromised. Layering security is a proven method of minimizing risk, and one of the most effective (and most overlooked) strategies is improving network architecture.
Building a strong network architecture is a multistep process, starting with identifying your organization’s most critical data and determining how much of that data needs to be accessible online. Today, organizations are storing enormous quantities of data, a practice that attracts these types of attacks. If you do not need to keep sensitive information like Social Security Numbers, remove them. Fortunately, in the University’s case, though the data breach was extensive, it’s unlikely that the victims will encounter further problems, since the exposed servers did not contain stored sensitive financial information. For many industries, however, any breach could threaten their victims’ security, even their safety.
The servers containing critical data should be protected behind several layers of security within your network architecture, creating the strongest possible protection against an attack. In addition, distributing these systems across multiple devices can minimize the impact if one is compromised. Build layers of security (hardware, software and written processes) around that information to prevent both internal and external threats. And consider how you collect, analyze and store this information—an often overlooked area is the method used to capture network traffic. Users often depend on Ethernet switch port mirrors to help monitor traffic passing through the network; however, network engineers may accidentally repurpose a port mirror for another task and forget to reinstate it for security monitoring. Port mirrors also may not allow analysis or recording of 100% of the network traffic they are intended to capture.
A physical, permanent, and robust way to collect traffic from the network, without the use of Ethernet switch or router ports, is to use an external network tap. Organizations should consider implementing a system of taps to more accurately monitor network traffic at critical points. Placing taps inside the firewall and along the path to critical servers provides an invisible method to capture traffic from one or multiple locations. Intrusion Detection and Intrusion Prevention systems are also important, since attacks may come in the form of phishing or under-the-radar single-packet attacks. Keep these security systems up to date so that they can defend against recently discovered malware.
Lastly, there is nothing wrong with a good process. Routinely scrubbing data, using offline storage, and removing unnecessary information from devices are crucial components of good security practice. You may need to keep some social security numbers available for tax and accounting purposes, but there is most likely no need to keep them actively online, and certainly not on the same device.
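The scrubbing process described above, as an added example that is not part of the original post: a small Python routine that validates SSN-shaped values in a record export, moves the real numbers to a separate offline file, and leaves only a keyed token in the online copy so records can still be matched for accounting. The CSV sample, the column name `ssn`, the `id` column and the key are constructed assumptions.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export; names and numbers are made up. Row 2 has an
# unissued area number (000) and row 3 is not an SSN at all.
SAMPLE_CSV = """id,name,ssn,email
1,Alice Example,123-45-6789,alice@example.edu
2,Bob Example,000-12-3456,bob@example.edu
3,Carol Example,not-an-ssn,carol@example.edu
"""

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_valid_ssn(value: str) -> bool:
    """Structural check: area 000, 666 and 900-999, group 00 and serial 0000
    are never issued, so such values are flagged rather than tokenized."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def tokenize(ssn: str, key: bytes) -> str:
    """Keyed HMAC token for the online copy. The SSN space is only 10^9
    values, so an unkeyed hash would be brute-forceable; the key must be
    kept with the offline store, never on the online device."""
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(csv_text: str, key: bytes, column: str = "ssn"):
    """Split records into an online copy (token only) and an offline copy
    (token -> SSN). Returns (online_rows, offline_rows, skipped_ids)."""
    online, offline, skipped = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get(column, "")
        if is_valid_ssn(raw):
            token = tokenize(raw, key)
            offline.append({"token": token, column: raw})
            row[column] = token
        else:
            skipped.append(row["id"])  # malformed value: blank it, queue for review
            row[column] = ""
        online.append(row)
    return online, offline, skipped
```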
While bitcoin mining hacks will likely continue to populate headlines, implementing these rigorous network architecture and monitoring strategies can help organizations stay ahead of and protected from devastating security threats.