Published on September 13, 2013
It’s always something. You might run a careful, security conscious shop. Your IT group might be completely onboard, keeping their patches current and using best practices for provisioning accounts and supporting mobile devices. And you pay attention – you think about lost or stolen laptops, vulnerable IP Cameras and SSH key management. But it doesn’t matter. You can never know all the things you don’t know, even when the bad guys can find them with a search engine.
Take IPMI. The Intelligent Platform Management Interface is an out-of-band lights out server management protocol implemented on a hardware platform called the Baseboard Management Controller. Now IPMI SHOULD be a boon to overworked SysAdmins all over the world, allowing them to remotely manage individual or groups of servers at a level below the host operating system. This can be done because the BMC is a micro-controller that can be configured to run in standalone mode, receiving its own IP address and having a direct communication channel to the server hardware.
But unless it is very carefully configured, the BMC is terribly vulnerable, with a very broad attack surface. Accidental misconfiguration is bad enough, but many organizations have servers with BMCs but have not implemented IPMI, so they don’t use them. They sit there inside the data center, in their default configuration, drawing a valid IP address from DHCP and listening on a dozen ports. They’re easy for an attacker to find, and easy to exploit. And once the attacker has control of the BMC, he has control of the server, even to the extent that he can reboot it with his own hacked OS. He could even update the BMC’s firmware with his own malicious version, making the attack especially persistent.
But this post really isn’t about the (pretty frightening) vulnerabilities in IPMI. It’s about all the holes in your network security. Let’s face it – if you know about a security flaw, you’ve done what you can to secure it. But it’s a near certainty that there are many more weaknesses in your network, and it’s much more likely that the bad guys know about them than you do. It’s just another example that there’s nothing you can do to keep determined, professional attackers out of your systems, your data, your IP and your funds.
But that doesn’t mean you have to throw up your hands and give up on trying to secure your organization’s digital resources. It just means you need a different kind of tool, a technology platform that can monitor your complete IT environment and alert you when something suspicious happens. But how do you know what’s suspicious? Securonix solves that question. The Securonix security intelligence platform monitors and analyzes everything your users do. It uses machine intelligence to correlate each account with an actual specific user identity and it develops a complete picture of what each user and their peers do in the course of a normal day. The premise here is that no matter how an attacker gets into the system, he will eventually do something that will be unusual for the account he is using, and your incident response team will get an alert immediately. Besides the obvious benefit of stopping an attack before it becomes a catastrophe, this process also has the intelligence to recognize activities and accesses that are benign, so instead of sifting through a long list of false positives, you get immediate, actionable threat alerts.
The point is simple and obvious – information security is imperfect, and in many ways we operate at a relative disadvantage to the criminals who are looking for any opportunity. In addition to the measures we must take to secure the perimeter and the network endpoints, we need a method that can find the attacks we don’t even know how to look for. Securonix provides an advanced combination of data integration and behavioral analytics to detect the attacks you can’t prevent, and warn you before they can become costly disasters. We’ll happily give you a demo or a hands-on free trial – why not check it out?