Cyber-attacks cost companies and individuals billions of dollars. A report in 2015 estimated that cyber-attacks cost companies over $400 billion annually. In addition to the financial costs, cyber-attacks may result in other damages such as the destruction of valuable information, the release of sensitive information, and so on. The costs and damages will surely increase over time without effective defenses. Cyber-attacks often rely on malicious software, referred to as “malware,” which is installed and executed on the computer that is the target of the attack. The executing malware orchestrates the attack. For example, a ransomware attack may encrypt all the data on a computer, including the only copies of financial documents, family photographs, electronic mail messages, and so on. If the ransom is not paid, then the data may remain encrypted forever. Even if the ransom is paid, the attacker might not provide the key to decrypt the data. Because of the high costs of cyber-attacks, companies and individuals expend considerable resources in developing and purchasing security systems as defenses against cyber-attacks. These security systems include firewall systems, antivirus systems, authentication systems, intrusion prevention systems, access control systems, application blocking systems, and so on.
Malware can be installed on a computer in various ways. For example, ransomware may arrive as an email attachment that contains garbled content and a malicious macro. When the user opens the attachment, the content appears garbled and the attachment requests the user to enable macros in order to view it. When the user enables the macros, the malicious macro installs and executes the ransomware. As another example, an employee of a corporation may install an unauthorized application on their computer. Normally, the information technology group of a corporation analyzes and authorizes only those applications that meet the strict security standards of the corporation. If an unauthorized application is installed, it can expose all the computers on the network of the corporation to vulnerabilities that significantly increase the chance of a cyber-attack against the corporation.
In a cloud data center, an especially pervasive type of attack is a password attack. To mount a password attack, an attacker identifies an open port on a machine (e.g., a physical machine or a virtual machine). Knowledge of a user name and a password is typically required to gain access through an open port. If the attacker knows the names of employees of a company, it may be relatively easy to guess the user names. The guessing is especially easy if the attacker knows the algorithm used by the information technology department of the organization in assigning user names. For example, the user name may be the same as the local part of the electronic mail address for the employee. If the address is “jsmith@acme.com,” then the user name is “jsmith.” An attacker may use various types of password attacks such as a brute-force attack or a dictionary attack. With a brute-force attack, the attacker performs a systematic search of the password space, starting with the most commonly used passwords (e.g., “Password123”). With a dictionary attack, the attacker generates passwords from a dictionary of words, such as by trying all short words and combinations of short words. So the attacker may, for each password, cycle through the user names, trying that password with each user name until the attacker gains access.
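The "one password, many user names" pattern described above leaves a characteristic trace in authentication logs: many distinct user names failing from a single source within a short window. The following detector, added here as an example and not part of the original text, runs over a few constructed log lines (the `ts src= user= result=` format, the addresses and the user names are all made up for illustration) and flags sources that match that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source cycling through
# user names with failed logons, plus ordinary activity from another host.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.5 user=jsmith result=FAIL
2024-03-01T09:00:02Z src=203.0.113.5 user=mjones result=FAIL
2024-03-01T09:00:03Z src=203.0.113.5 user=rlee result=FAIL
2024-03-01T09:00:04Z src=203.0.113.5 user=kchen result=FAIL
2024-03-01T09:00:05Z src=203.0.113.5 user=apatel result=FAIL
2024-03-01T09:00:06Z src=203.0.113.5 user=dkim result=SUCCESS
2024-03-01T09:05:00Z src=198.51.100.7 user=jsmith result=FAIL
2024-03-01T09:05:30Z src=198.51.100.7 user=jsmith result=SUCCESS
"""

def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src: sorted user names} for every source whose failed logons
    cover at least `min_users` distinct user names inside a sliding `window`.
    A single user name failing repeatedly (a forgotten password) is not flagged."""
    fails = defaultdict(list)            # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            fails[rec["src"]].append((rec["ts"], rec["user"]))
    hits = {}
    for src, events in fails.items():
        events.sort()
        start = 0                        # left edge of the sliding window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} user names")
```

A successful logon from a source already flagged in this way (the `dkim` line above) is the event an operator would want to follow up on first.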
To defend against password attacks, a cloud data center may have a management portal that controls the opening and closing of the ports of the machines so that a port is open only for an authorized access. When a user (e.g., an employee or a system administrator) wants to log on to a machine, the user first logs on to the management portal, which may require a multi-factor authentication technique, such as one that requires a password and a one-time code that is sent to the user's smart phone or that is generated by the user's smart phone using a synchronized software token generator. The use of multi-factor authentication is considered to be an enhanced authentication, whereas the use of only a password is considered to be a non-enhanced authentication. Once the user logs on to the management portal, the user requests that the port of a certain machine, which is normally closed, be opened for an access period (e.g., one hour). The management portal may direct the firewall for the machine to open the port for the access period, after which the firewall closes the port. Alternatively, the management portal may direct the firewall to open the port and then, after the access period, direct the firewall to close the port. While the port is open, the user can log on to the machine. Since the port is normally closed and is likely open for only a very short time before the user logs on, the “attack surface” of the machine is very small. Such opening of ports for only an authorized access and for only an access period is referred to as just-in-time (“JIT”) access for a JIT access period.
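The portal behaviour described above, as an added example that is not code from the original text: the portal admits a user only after enhanced (password plus one-time code) authentication, opens a normally closed port for a bounded access period, and uses the second variant described, directing the firewall to close the port when the period lapses. The `Firewall` class, the one-hour cap, and the per-user machine authorization table are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Firewall:
    """Stand-in for the per-machine firewall the portal directs (assumed API).
    Records which ports it has been told to open and when each rule lapses."""
    rules: dict = field(default_factory=dict)      # (machine, port) -> expiry

    def open_port(self, machine, port, until):
        self.rules[(machine, port)] = until

    def close_port(self, machine, port):
        self.rules.pop((machine, port), None)

    def is_open(self, machine, port, now):
        until = self.rules.get((machine, port))
        return until is not None and now < until

class JitPortal:
    """Management portal: enhanced logon, then time-boxed port openings."""
    MAX_ACCESS = timedelta(hours=1)                # assumed cap on an access period

    def __init__(self, firewall, authorized):
        self.fw = firewall
        self.authorized = authorized               # {user: {machine, ...}}, assumed policy
        self.sessions = set()                      # users who passed enhanced authentication

    def logon(self, user, password_ok, otp_ok):
        # Non-enhanced authentication (password alone) is not accepted.
        if password_ok and otp_ok:
            self.sessions.add(user)
        return user in self.sessions

    def request_access(self, user, machine, port, duration, now):
        """Open `port` on `machine` for `duration`; returns the expiry, or None
        when the user has no portal session or is not authorized for the machine."""
        if user not in self.sessions or machine not in self.authorized.get(user, ()):
            return None
        until = now + min(duration, self.MAX_ACCESS)
        self.fw.open_port(machine, port, until)
        return until

    def sweep(self, now):
        """Periodic task: direct the firewall to close every port whose period lapsed."""
        for (machine, port), until in list(self.fw.rules.items()):
            if now >= until:
                self.fw.close_port(machine, port)
```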
An organization may have thousands of servers and thousands of user computers (e.g., desktops and laptops) connected to its network. The servers may each be a certain type of server, such as a load balancing server, a firewall server, a database server, an authentication server, a personnel management server, a web server, a file system server, and so on. In addition, the user computers may each be a certain type, such as a management computer, a technical support computer, a developer computer, a secretarial computer, and so on. Each server and user computer may have various applications installed that are needed to support the function of the computer. Because of the various types of servers and user computers, such a network is referred to as a “hybrid environment.”
It can be a difficult task to ensure that each computer can execute only authorized applications. As used herein, the term “application” refers to any software that can be separately identified and executed, such as application programs, applets, dynamic-link libraries, operating system software, scripts, add-ins, operating system drivers, and so on. To help support this difficult task, security tools may be installed on each computer to help ensure that only certain authorized applications are allowed to execute on each computer. The security tool may allow an administrator to generate an allowed list for each computer that lists the authorized applications that are allowed to be executed by that computer. When the operating system executing on a computer receives a request to execute an application, the operating system asks the security tool whether to allow the execution. If the application is in the allowed list, the security tool indicates that execution is allowed. Otherwise, the security tool indicates that the execution is to be blocked.