Browse Illumio’s library of cybersecurity 101 articles to learn about the fundamentals, key trends, and latest insights
Application Dependency Mapping
Application discovery and dependency mapping gives you an overview of what is on your network and how it operates.
Application dependency mapping is the process of determining the following:
- All applications running on a network
- Which devices these applications are installed on
- How these applications are interconnected and dependent on each other
Fortunately, many automated tools on the market will do this work for you. No more spreadsheets. These automated tools give you a consistent view of all of your applications, the ports they use, and how they connect to other applications on your network. They usually accomplish this by either polling the network for devices, monitoring and capturing packets on the network, or through agents installed in your applications and infrastructure.
An attack surface is all of an organization's IT assets that are exposed to a potential attacker.
These assets may have physical or digital vulnerabilities that an unauthorized user can leverage to gain access to a corporate network and extract data. People themselves can also be an attack surface when they are targeted with phishing emails and other types of social engineering.
Botnets are networks of computers that have been hijacked by malware and used to carry out cyberattacks. Most of the time, the devices that are part of the botnet, or "bots", are not the target of the attack and may only experience slower processing speeds when the bot software uses their resources.
But if your network or applications are a target of a botnet, the bots in a botnet will point all of their processing power toward that one target, creating much more damage than one computer can inflict.
Botnets, a shortened version of "robot networks", can give an attacker an enormous amount of processing power that they can direct at any target they choose, usually for malicious reasons. The threat of botnets is one of the most serious issues facing businesses today.
Cloud migration is a process many companies are undergoing to modernize their IT infrastructure. In this article, we explain what cloud migration is, how an enterprise can benefit from it, and strategies you can use to implement it. Before we learn about cloud migration, let's look at cloud computing.
Cloud security is the protection of data, technologies, controls, policies, and services in cloud computing environments from cyber threats and cyber attacks. Cloud security is a form of cybersecurity.
Cloud adoption has enabled companies both large and small to build a more efficient, scalable, and available IT infrastructure. Instead of storing resources in an in-house data center, they can use a cloud provider to store their applications, files, and data in the cloud. This modernized development and software deployment comes with a distinct set of security concerns. Let’s look at the security challenges you will run into when you move to the cloud.
Cloud Workload Protection
Cloud applications and workloads are distributed across the country or the world to provide speed, access, and scalability. Cloud workload protection keeps these workloads secure as they move between different cloud environments. Older security strategies like endpoint protection and firewalls miss what is happening in the cloud environment.
Common Criteria or CC is an international standard for computer security. It is a framework that computer users can employ to specify functional and assurance requirements for security.
The US, Canada, the Netherlands, Germany, France, and the UK developed the Common Criteria for Information Technology Security Evaluation in 1994. They defined a set of security requirements that products and systems must meet for government deployments. Since then, many other countries have signed the agreement.
Container orchestration is the automated management of containers. It allows a software team to control these containers through strategic deployment, lifecycle management, load balancing, and networking. An application consists of different microservices, one of which, the frontend, is what end users interact with. Alongside the frontend, other microservices work together to make the application function. A container orchestration platform manages each microservice of a container environment.
By utilizing container orchestration, you can decide which nodes manage the different microservices. This is done through duplicating individual microservices as needed and spreading the overall workload across different nodes. A container orchestration platform also monitors how each microservice functions. If one element of the stack malfunctions, the orchestration tool can fix the problem. It can duplicate that element and run it on another node.
For instance, if the frontend were to malfunction on one node, the container orchestration tool can run it on another one. This maintains a fluid experience for the end-users who are interacting with the front end. In this way, container orchestration enables detailed control over the microservices that power the application stack.
Containers are often penetrated by attacks such as access control exploits or application code exploits, or attackers take advantage of container image vulnerabilities. This can lead to kernel panics, privilege escalation, or other threats against your system.
Despite these risks, containerization offers several benefits. Containers are fast and lightweight, making it easy to replicate your apps' environments. They're also a great asset during the testing and refinement phase of the development process.
Without adequate security measures, containers could expose your process to threats you wouldn’t have to deal with otherwise. The benefits, however, certainly outweigh the risks. Here are five actionable steps you can take to enhance your container security.
A cyberattack is an assault that cybercriminals have launched to target a network or the devices, applications, and data on a network. Attackers can steal data, disable or damage devices, and leave malware behind that can launch future attacks on other networks. The methods used to deploy a cyberattack can include malware, phishing, ransomware, distributed denial of service attacks, and other techniques.
Cybersecurity is a term that defines the processes, technologies, and practices used to safeguard devices, applications, networks, and data from damage or unauthorized access. Cybersecurity is also known as electronic information security or information technology security.
DevSecOps means "development, security and operations." It is a mindset and a way of working that ensures everyone is accountable for the security of the IT in the organization. When DevSecOps best practices are implemented, everyone is responsible for making good security decisions and taking action throughout the development process and with regard to how solutions are deployed, used and managed.
DevSecOps ensures that systems are continuously defended against attackers. It is not enough to write secure code if the system, once deployed, is not maintained. It is not enough to try to plug security holes and use firewalls or intrusion detection systems if the software itself is insecure. A sound approach to security covers all avenues.
Distributed Denial of Service (DDoS) Attack
A distributed denial of service attack (DDoS) is an attempt to make an online service inaccessible by hitting it with a massive amount of traffic from a variety of machines. A DDoS attack can block access to servers, devices, databases, networks, and applications.
The difference between a DDoS attack and a standard denial of service attack is that a DDoS attack comes from multiple machines rather than just one. Let's look at how this is accomplished.
Many employees today are issued laptops. Some workers at the office even have desktop systems, often for development work. These are the endpoints that need to be protected from malware with endpoint security.
Why? Because attacks start at an endpoint or are headed to one.
That being the case, you’ll probably want to know, “What is endpoint security?” Let’s examine how today’s endpoint security, consisting of tools like next-generation antivirus (NGAV), endpoint segmentation, or endpoint detection and response (EDR), came to be.
A firewall is a network security device that monitors and controls incoming and outgoing network traffic. Security rules set in the firewall device determine what type of data packets will be allowed into or out of a network.
Any device connected to the internet needs to be secured from the risks that come with being connected. A firewall is one type of device used for internet security.
The purpose of incoming traffic rules is to stop traffic from malicious sources such as hackers and bot networks that can damage resources on the network, access sensitive data, or block legitimate traffic. Admins will often set outgoing traffic rules to prevent users from visiting websites known to be dangerous or capable of transmitting sensitive data outside the network.
A hypervisor is what makes virtualization technology possible. A hypervisor is a layer of software that allows a host machine to host multiple virtual machines. Let's look at the definition of virtualization to get a clearer understanding of what hypervisors do.
A hypervisor manages the partitioning of host hardware into separate virtual machines and runs these virtual machines. Another name for a hypervisor is a virtual machine monitor or VMM.
Most operating systems run directly on hardware. Normally, to access another operating system, you would need more hardware to install it on, or you would have to partition a hard drive with the new operating system and boot to it. The machine would still only be able to run one operating system at a time. Virtualization allows for the creation of virtual resources. Operating systems, servers, and desktops can share the same physical hardware at the same time. Each partition in the hardware can run an isolated virtual machine. What makes this possible is a hypervisor.
The physical hardware used by a hypervisor is called the host machine, and the hypervisor can divide this for use among multiple guest operating systems. A hypervisor will treat the physical resources that it manages as a pool. This pool of CPU, memory, and storage can be allocated to existing guests or new virtual machines as needed.
Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. It is easier to manage, secure, and discover containers when they are grouped into logical units, and Kubernetes is the leading container management system in the market today. Securing your systems with Kubernetes requires understanding how the system works and when and how vulnerabilities of different types can enter your system when creating, deploying, or running applications using Kubernetes.
Broadly speaking, Kubernetes security addresses native security in the cloud, in your application clusters, in containers, and in your code. It involves many interlocking and overlapping systems and processes, such as following important physical security best practices, ensuring cluster and application security, managing microservice security, following intelligent container design standards, and managing access control. This also involves scanning for build-time vulnerabilities, code encryption, TLS handshakes where required, securing unused ports, and regularly scanning the entire system for vulnerabilities that can arise in a production environment.
Lateral movement, a term that has become synonymous with data breaches over the past several years, refers to the techniques cybercriminals use once they gain access to a network. Lateral movement allows hackers to move deeper into a system to track down sensitive data, intellectual property, and other high-value assets.
The threat actor initially gains access to the system through an endpoint via a phishing or ransomware attack or malware infection. They then impersonate an authorized user to continue. Once inside the network, the threat actor moves from one asset to the next, maintaining ongoing access by traveling through the compromised system and stealing advanced user privileges using various remote access tools.
Cyberattackers use lateral movement as a core tactic, moving today's advanced persistent threats (APTs) far beyond yesterday's more simplistic cyberattacks. Internal network security teams must work overtime to detect lateral movement and stop it in its tracks.
Malware is a catch-all phrase that is a shortened version of "malicious software," which means it is any type of software that can damage devices, steal data, and cause chaos. This differs from a bug in software because while a bug is an accident, attackers create malware to intentionally cause harm.
While malware will not usually damage physical hardware or systems, it can steal information, encrypt data and demand a ransom, delete files, spy on you to capture personal data, or hijack your system to use its processing resources for free.
There are many motives behind malware, including making money, sabotaging your ability to work, making a political statement, or just wreaking havoc.
Microsegmentation is a security technique that breaks data centers and cloud environments into segments down to the individual workload level. Organizations implement microsegmentation to reduce attack surface, achieve regulatory compliance, and contain breaches.
Microsegmentation detaches segmentation from the network by leveraging the host workload firewall to enforce policy across east-west communication, not just north-south.
Sometimes microsegmentation is referred to as host-based segmentation or security segmentation. This advanced approach emerged in recent years to deliver more effective segmentation and visibility to ease compliance.
Network Access Control (NAC)
A network access control (NAC) system is a network solution that allows only authenticated, compliant, and reliable endpoint nodes, users, and devices to gain access to corporate networks and otherwise restricted access areas. Once devices are connected, these systems provide visibility into what is on the network, on both managed and unmanaged devices.
NAC systems also control where users may go on a network once they have been granted access. This process is also known as segmentation, which takes larger networks and compartmentalizes them into smaller pieces or networks.
Network Security is an umbrella term that encompasses the security measures taken to protect computer systems, the data they store, transport, and utilize, and also the people who use and look after these systems and data. It is concerned with the hardware, software, and policies that aid in the quest to protect computer networks, especially where sensitive information is involved. Network Security, therefore, aims to prevent unauthorized access, data loss, or any activity, malicious or accidental, which may lead to the compromise of the confidentiality, integrity, and availability of network resources. This means that network security is not just about tools and technology alone.
Network segmentation is the practice of breaking larger networks or environments into smaller pieces or networks, sometimes down to the host itself.
How is network segmentation done? There are multiple ways to segment a network. One common approach relies on the network itself. Another is to deploy hardware firewall appliances. Newer approaches enforce network segmentation on the host workload itself, so segmentation is carried out without touching the network.
PCI DSS stands for Payment Card Industry Data Security Standard, and is a set of information security standards for any organization that handles and accepts branded credit cards from the major credit card networks—American Express, Discover Financial Services, JCB International, MasterCard, and Visa. PCI DSS has been around since 2006 and covered organizations are currently required to comply with PCI DSS 3.2.1. Businesses and corporations who comply with the PCI data security standards are more trusted by their customers, providing reassurance that they are keeping sensitive information safe. Failure to comply with these standards can result in security breaches, and, in turn, severe losses in revenue and customer loyalty.
A new version, the PCI DSS 4.0, is currently under the RFC (request for comments) phase, and is expected to be completed in mid-2021. According to the PCI Council, PCI DSS 3.2.1 will remain active for 18 months once all PCI DSS 4 materials are released.
The PCI Standard is enforced by the card networks and businesses that use card interactions, but administered by the Payment Card Industry Security Standards Council. The Security Standards Council ensures that all compliance information and policies are up to date and provide the most accurate and helpful information for companies.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any sensitive information or data intended to identify an individual. Sometimes a single piece of PII can identify a specific person, while at other times, other relevant PII details are required to result in a precise match to an individual.
Bad actors take advantage of the increasing need to present this personal information. Hackers can take a file containing the PII of thousands of individuals and use their personal data to cause chaos in their lives. They can often distinguish or trace a specific individual's identity with one or more direct identifiers.
When used appropriately and according to the United States General Services Administration (GSA) Privacy Act and the Rules of Behavior for Handling Personally Identifiable Information (PII), this vital information serves as shorthand identifiers for healthcare facilities, state motor vehicles agencies, and insurance companies.
Phishing attacks are an attempt to trick people into doing things they would "never" do using social engineering. By masquerading as people with authority and using fear tactics, scammers can scare people into submitting their login credentials on a site that looks just like their banking site but isn't.
Have you ever received a scary email from your bank saying that your account will be frozen unless you verify your account right away? Or maybe you received a call from the "IRS" stating that “you owe taxes and they must be paid immediately or legal action will be taken”. Chances are that you may have been "phished".
Fortunately, a phishing attack is one type of cyberattack that is ultimately preventable.
Ransomware is a type of malware that encrypts files and information on a system and prevents access to the information until a ransom is paid via cryptocurrency to decrypt them. The hallmark of ransomware has been the conspicuous ransom note that appears on victims’ computer screens indicating files have been encrypted. Victims are often given a specified amount of time to pay the ransom prior to their files being destroyed. For example, CryptoWall gave victims three days to pay.
Role-Based Access Control (RBAC)
Role-based access control (RBAC) is a way of limiting or managing access to or use of an application or network, based on an individual or device’s role in the organization and the permissions assigned to their role. RBAC allows employees to have access only to the applications and information necessary to do their job, and limits access to any information that doesn’t pertain to their role.
Many of us have experienced it at one time or another – we go to log into an online account only to discover that we’ve been hacked. We’ve lost access, and there’s a good chance that at least some of our sensitive, personal data is now in unknown hands. But data theft doesn’t just happen to individuals; often, businesses and other organizations are the victims of corporate security breaches.
A security breach is when an attacker circumvents organizational security controls to illicitly access and steal corporate data.
Security breaches can be unintentional in some situations. Sometimes, employees will accidentally leak information to third-party sources by failing to secure devices, allowing cookies on a machine, or downloading information incorrectly. However, security breaches are usually the result of intentional action by dedicated attackers.
Attackers target many types of sensitive – and valuable – information in a security breach. Some of the most common types of targeted data include credit-card or social-security information, account data, corporate financial and legal records, or patient healthcare data (PHI or PII).
As you may imagine, security breaches can be incredibly costly for the organization that has been victimized. There are many direct costs, including investigating the source of the breach and remediating and rectifying damage. There are also many indirect costs, like reputational damage, the need to update cyber security tools, and the costs associated with assisting employees or customers that were impacted.
An information technology (IT) security policy sets the rules and procedures for users who access a company's IT resources. These rules protect an enterprise's data and systems from unauthorized access, use, modification, or destruction. They establish the incident response actions that will be taken if IT systems are ever compromised. These security standards are also used to configure authentication services and other security-based software.
Every business needs to be concerned about information security. Data breaches, ransomware attacks, and other malicious actions cost companies millions of dollars each year, forcing some out of business. Network and data security begin with an IT security policy.
Software-Defined Networking (SDN)
Software-defined networking is a modern, dynamic alternative to traditional networking that aims to make the network easier to administer and troubleshoot. Instead of relying on hardware devices like routers and switches, SDN controls the infrastructure through APIs or software-based controls. This makes an SDN a more efficient alternative to an old-fashioned network, as improving network performance is much simpler for administrators.
Within the SDN, the routing and forwarding of data packets are kept separate, which allows network intelligence to be incorporated into the control plane.
The use of SDN can offer increased flexibility and customization for administrators, who can define and change network speeds, capacity, and security level in real time.
Threat intelligence is the information that a business or other organization uses to identify the potential cybersecurity threats it will face. Professionals look into these potential threats so that they can prepare pre-emptively for a breach. This means that the organization can install antivirus and anti-malware software, back up necessary data, and stop valuable resources from being stolen or lost.
To say that there is a lot of digital data around the world would be a vast understatement. In fact, there are approximately 2.5 quintillion bytes of data generated online each day!
Because there is so much data on the web, it's critical that your business use threat intelligence software to keep your data safe. There are a lot of opportunities for cybersecurity breaches, after all, so you can never be too safe.
VDI (Virtual Desktop Infrastructure)
Virtual Desktop Infrastructure (VDI) is a technology that allows the hosting of desktop environments on a central server or a cloud provider. End users can then access these virtual desktop environments remotely over the network from their personal laptops or tablets. A VDI can host virtual PCs, virtual tablets, thin clients, and other device images.
Not every type of desktop virtualization uses VDI technology. Desktop virtualization just means the ability to run a virtual desktop, and this can mean a local desktop image on the user's hard drive. VDI specifically refers to systems that leverage host-based virtual machines where users can access a desktop from anywhere using the Internet.
To adjust to changes in the business landscape, enterprises have had to focus on technologies that support a distributed workforce. Virtualization is a technology that makes remote work easier and Virtual Desktop Infrastructure (VDI) is an important type of virtualization.
Vulnerability management is the process of discovering, prioritizing, remediating, and continuously measuring and reporting on security vulnerabilities in software and systems. This process is essential for organizations to understand and address vulnerabilities to minimize their "attack surface."
A reliable management solution will regularly scan for new vulnerabilities in order to limit the risk of cybersecurity breaches. Without this, discovered security gaps may be exploitable for long periods. Attackers can capitalize on this to target organizations.
ZTNA (Zero Trust Network Access)
Zero Trust Network Access (ZTNA) models adaptively grant access to authorized users or devices based on contextual awareness. These systems set access permissions to deny by default, and only authorized users who are approved based on identity, time, device, and other configurable parameters are provided access to your network, data, or applications. Access is never implicitly granted and is only granted on a preapproved and need-to-know basis.
Cybercrime is expected to cost society upwards of $6 trillion annually. IT departments today are responsible for managing a substantially larger attack surface than ever before. Potential attack targets include network endpoints between devices and servers (the network attack surface), code that your networks and devices run (the software attack surface), and the physical devices that are open to attack (the physical attack surface).
With the growth of remote work and the use of cloud applications for everyday tasks, it can be difficult to provide workers with the access they need while simultaneously protecting your organization from malicious attacks. This is where zero trust network access (ZTNA) comes in.
Zero Day Attacks
Learn what a zero-day exploit vs. a zero-day vulnerability is, how they are used in cyber attacks, and why your organization needs to be able to protect against zero-day attacks.
Zero Trust architecture is a security strategy eliminating implicit trust by using micro-segmentation to help prevent breaches, ransomware, and lateral movement.