CIFS – How to Protect Legacy Industrial PCs (IPCs)
Before cloud services became widespread, companies large and small had only one choice for IT infrastructure: build their own network. This consisted of file servers, web servers and workstations connected together for the purpose of sharing information, with permissions governing who could access what.
While cloud offers an alternative to smaller businesses when it comes to IT infrastructure, it is not always the answer for larger organizations, which means that servers and industrial PCs (IPCs) often remain on-site.
However, change is constant, and this also means that many companies have ‘legacy’ IT hardware and software that they need to maintain. Implementing a completely new network is a costly affair, and while choices such as hybrid cloud exist, they are not always viable when it comes to capital expenditure and downtime.
This means that many companies and organizations are still running legacy products, which may no longer be supported. This is especially true of Microsoft products: it’s now old news that the company will be pulling support for Windows XP in April this year (8 April 2014), and support for Windows 2000 (best MS OS ever, IMO) ended some four years ago, in July 2010. The security risks to these systems are substantial. This is where CIFS monitoring, a form of File Integrity Monitoring (FIM) that reads the machine’s file system over SMB/CIFS shares, can play a role in security.
What Support Does Microsoft Provide?
For the operating systems above, end of support means at its most basic that there will be no further updates to the software. That can cause driver issues, but more importantly it leaves unpatched vulnerabilities (‘holes’) in the OS that malware can exploit.
For supported OSs, Microsoft releases patches and updates so that any vulnerability found is ‘closed’ and the risk of infection from malware and attackers is minimized. Unless there is a real emergency, these are released on ‘Patch Tuesday’, the second Tuesday of every month.
However, from April of this year this will no longer apply to Windows XP, and although the software giant (now trying to become a hardware one as well) acknowledges that this will leave many users open to various types of infection, including “permanent 0-days”, complaining about it isn’t going to make any difference.
Won’t Antivirus Solutions Pick These Up?
Sometimes. Signature-based AV products only protect against threats that they already know about. So when a new threat comes along, especially one exploiting a 0-day, they are inadequate protection, particularly for businesses. A 0-day is a vulnerability for which no patch yet exists; malware exploiting it has typically not yet been recognized by the AV vendors either, so it can’t be cleaned or quarantined before doing damage.
Worms can be especially damaging, as they travel across a network quickly, and while different variants have diverse effects, none of them is something a business wants on its network. Worms can completely disable programs, making them impossible to open and use (this includes AV products), or can simply travel around the network stealing information as they go. Worms often also come packaged with other forms of malware, such as trojans, which can contain keystroke loggers and more.
Possibly the most famous worm is Stuxnet, which attacked the centrifuges at Iran’s Natanz uranium-enrichment facility by covertly altering their rotational speed. A related piece of malware dubbed the ‘Son of Stuxnet’, Duqu, stole information rather than causing damage. Both are widely accepted to have been created by a state rather than an individual hacker, and most security experts agree that it was an Israeli and US collaboration.
Wider in reach than either of these was a worm known as Conficker, which in theory had the capacity to disrupt large parts of the internet. Imagine how much we rely on the net for national power systems, emergency services and so much more, and it’s a scary idea. The author of Conficker was never caught, the botnet was never used for a major attack, and it’s thought that millions of PCs around the world remain infected.
The interesting thing about Conficker was the ability of its creators to stay one step ahead of the world’s top security experts at all times, thwarting every attempt to stop it. If you’re interested in learning more, give Mark Bowden’s (also author of Black Hawk Down) book WORM: The First Digital World War a read; it’s fascinating stuff.
What if my IPC Isn’t Internet Connected?
One of the most interesting things about Stuxnet is that it attacked a system that was not connected to the internet; it is commonly thought that the Siemens-based control systems were infected by an insider or contractor using a USB drive. The worm also existed ‘in the wild’ before being picked up by the AV companies. The plant systems were not connected to the net, as many IPCs aren’t, but it didn’t stop them becoming infected.
One way to help ensure that your legacy IPCs are protected is Common Internet File System (CIFS) monitoring. A monitoring device connects to the IPC’s file shares over SMB/CIFS and regularly takes a snapshot of the files on Windows and Linux-based systems (typically a cryptographic hash of each monitored file), comparing each snapshot with a known-good baseline in order to pick up any change in the file system. Because the scanning is done from the monitoring device, no agent software has to be installed on the legacy machine itself.
According to ECN’s Dan Schaffer, “An industrial security device with CIFS monitoring capability can alert the engineering staff of a possible malware infection on day zero, even if the malware was previously unknown.”
This means that CIFS monitoring is a viable alternative and/or addition to AV products when it comes to protecting legacy IPCs. It warns if any system files have been altered, deleted or added and alerts the relevant member of staff so that they can take immediate action. This means that even malware using zero-day exploits can be discovered quickly, because what is detected is the change to the file system rather than a known signature. Two caveats are worth keeping in mind: the alert is raised at the next scan, not at the instant of the change, and malware that runs purely in memory and never touches a monitored file will not be seen.
Further advantages include:
- No signature updates are necessary
- Can be used for Windows or Unix systems (anything that exposes an SMB/CIFS share)
- Uses a single license
Should you use CIFS Monitoring as a Stand-Alone Solution?
There’s nothing to stop you doing this, and it’s an effective control, but in a world where we are continually playing catch-up with cyber threats, a layered approach is sensible. This can include hardware firewalls as well as AV solutions, working alongside the CIFS monitoring software.
Threats are becoming increasingly sophisticated, and those with legacy IPCs, or consumer PCs used for work, should strongly consider a solution that can alert them to a problem as soon as it occurs. While it is a “reactive” control, it’s really one of the few options open to those with legacy IT products.
Why Choose CIFS Monitoring?
Security is paramount of course, but it’s also worth remembering that if you keep customer records on your network, a hefty fine can be applied should you fail to protect those details adequately. This is especially true if you process card payments from brands such as Visa and American Express.
PCI DSS compliance will be examined when it comes to audit time, and the standard itself calls for a change-detection mechanism such as file-integrity monitoring on critical system files (Requirement 11.5), so CIFS monitoring helps directly here. Many companies fail this and find themselves in a whole heap of trouble, financially. It is also frequently claimed that many businesses that fail to put security and backup measures in place go under within 6 months of an IT disaster occurring.
Of course software and hardware monitoring can also warn of problems that are about to occur, such as drive failure, and it’s always wise, if not essential, to have a good disaster recovery plan that allows for the worst.
Is CIFS monitoring Difficult to Set up?
Not especially, although like any software program it will of course depend on your specific needs. File extensions to watch can be specified, such as .exe, .scr and so on, and you can add files specific to your organization that need to be monitored closely. You can monitor entire directories as well as file types, including sub-directories where necessary.
Likewise, files that change often as a natural part of business operations can be excluded from alerts during scans; without such exclusions the monitor will bury real alerts in noise. In fact, you can even ‘train’ monitoring software so that, much like speech-recognition software, it comes to know what to expect when an approved change occurs and what action should be taken.
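To make the mechanism concrete, here is a small file-integrity check of the kind the two preceding sections describe (baseline snapshot, rescan, then report added, modified and deleted files, with include-by-extension and exclude-by-path rules). This is an added illustration, not code from the article or from any vendor’s CIFS monitoring product. It assumes the IPC’s files are reachable as an ordinary directory on the monitoring host (for a real IPC that directory would be a mounted SMB/CIFS share), and the watched extensions, exclusion globs and the example tree are all constructed for the demonstration.

```python
"""Minimal file-integrity monitor: baseline, rescan, classify changes."""
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed policy for the example: which extensions matter, which paths churn.
WATCH_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}
EXCLUDE_GLOBS = ["logs/*", "*.log", "temp/*"]


def _hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_monitored(rel: str, extensions=WATCH_EXTENSIONS, excludes=EXCLUDE_GLOBS) -> bool:
    """Exclusions win over inclusions; then match on the file extension."""
    rel = rel.replace(os.sep, "/")
    if any(fnmatch.fnmatch(rel, g) for g in excludes):
        return False
    return Path(rel).suffix.lower() in extensions


def snapshot(root, extensions=WATCH_EXTENSIONS, excludes=EXCLUDE_GLOBS) -> dict:
    """Return {relative_path: sha256} for every monitored file under root."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):          # walks sub-directories too
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_monitored(rel, extensions, excludes):
            result[rel] = _hash_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify the delta between two snapshots; this is what gets alerted on."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed example tree (not a real IPC): baseline, tamper, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "logs").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"original hmi binary")
        (root / "bin" / "driver.sys").write_bytes(b"driver v1")
        (root / "bin" / "notes.txt").write_bytes(b"not a watched extension")
        (root / "logs" / "trace.exe").write_bytes(b"under excluded logs/")
        baseline = snapshot(root)

        # Simulate what a worm might do between two scans.
        (root / "bin" / "hmi.exe").write_bytes(b"patched hmi binary")  # modified
        (root / "bin" / "driver.sys").unlink()                         # deleted
        (root / "bin" / "update.scr").write_bytes(b"dropped payload")  # added
        # Routine churn that the exclusion rules should keep quiet.
        (root / "logs" / "trace.exe").write_bytes(b"changed but excluded")
        (root / "logs" / "run.log").write_bytes(b"routine log churn")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it reports one added file (bin/update.scr), one deleted (bin/driver.sys) and one modified (bin/hmi.exe), while the changes under logs/ stay silent. Two design points carry over to a real deployment: the baseline must be taken from a machine you trust (ideally straight after a clean build), and anything that happens and is reverted between two scans is invisible, which is why the scan interval matters.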
Back to Security
It’s a sad fact that we’re playing an ongoing game of chase when it comes to IT security threats, from both a business and a consumer point of view. As well as implementing monitoring software, firewalls and AV solutions, it’s also necessary to train staff.
The large majority of end-users aren’t security savvy, and this leads to problems within the enterprise. However, this needn’t be the case if training is put in place alongside strict policies. Phishing and social engineering remain common tactics, and many of these are sophisticated enough to get past the average user.
Recently we’ve seen a rise in phishing attacks purporting to be from the IRS, payroll or even customer complaints, and these very often arrive via a zip attachment. Social media is also responsible for many infections, so it pays to develop security policies which are delivered alongside training.
Social media is valuable both inside and outside the organization, so it’s important that staff know the dangers. It’s equally important that if you run a BYOD scheme, strong policies surround it too, as personal and removable devices are a high-risk area (think Stuxnet again, although that was deliberate sabotage).
CIFS monitoring is an ideal solution for those that retain legacy products. While in an ideal world we would all simply upgrade to the latest versions, this is easier said than done for many companies. The cost involved can be more than substantial, and even if the cloud is chosen as an alternative or additional solution, deployment can be a time-consuming and difficult process that needs the help of experts. Whatever the case, security for all businesses in the connected world is vital and cannot be ignored.
Image Credits
By Condorchem (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
Photo Credit: PresseBox.de flickr via Compfight cc