Avoiding the Security Pitfalls of SD-WAN and Network Modernization

Network modernization, like any wave of innovation, is multifaceted in its good intentions. It’s about rearchitecting your network so it is better able to handle increasing traffic and high-bandwidth-consuming apps such as video, ensure availability and quality of experience, flex for the delivery of new revenue-generating service offerings, and reduce network and application maintenance and overall costs.

The much ballyhooed yet still somewhat enigmatic cloud, with its highly virtualized and outsourced infrastructure, has already delivered some of this modernization by enabling organizations to offload some traffic from today’s predominantly hair-pinned and expensive MPLS-based WANs in favor of direct user access to Internet services. The cloud ecosystem offers other network modernization enablers such as shared service economies of scale, ready-to-leverage network capabilities such as automation, and transport independence (i.e., the ability to use broadband, LTE, Carrier Ethernet and MPLS “lines”).

Software-defined WANs (SD-WANs) could occupy a complementary network management and orchestration role to relieve some of the cost of (and dependence on) today’s rigid and expensive private networks. However, the path to network modernization is not all neatly wrapped and tied in pink ribbons, and uncertainty exists from a security perspective as well. Every time a user, whether stationed at one of your branch offices or remote, accesses the Internet directly he or she is potentially opening Pandora’s Box or letting sensitive data out. MPLS schemes require this sort of risky traffic to first pass through the core network for networking protocol and security application, which is a good thing, but at what cost? Traffic over MPLS lines can be dozens of times the Mbps/month cost versus broadband and the public Internet, so you want to orchestrate traffic in a way that reserves private lines for high-priority traffic and utilizes the public Internet for lower-priority interactions. Although SD-WAN may be ideal for this role and faster enablement of branch office and mobile workers through software-as-a-service, it is not an advanced security solution.

 

Advanced Security for SD-WAN and Cloud Networks

SD-WAN, which can empower organizations to exercise centralized SaaS control over traffic to and from the cloud and the WAN as a whole, poses some vulnerability issues. Centralized security is more difficult to administer when traffic isn’t backhauled to the data center or network hub, and malicious code and hacker schemes can more easily pass through to your distributed users undetected (north-south traffic).

What’s more, without the intervention of advanced security mechanisms, infections can more easily spread laterally – from user to user, system to system, and office to office (east-west traffic).

If you’re going to capitalize on the potential efficiencies of the cloud and SD-WAN controllers, you must first secure the egressing of traffic directly between the Internet and remote sites as well as protect against lateralization attacks. This can be accomplished through an advanced security solution designed for the cloud, which includes fully integrated next-generation firewall and endpoint protection as-a-service.

 

Secure Network Modernization Webinar

These and other topics will be explored during a webinar titled, “Avoiding the Security Pitfalls of SD-WAN and Network Modernization,” moderated by Security Now, and presented by Rik Turner, Principal Analyst, Ovum, and Ken Ammon, Chief Strategy Officer, OPAQ.

By attending this webcast, you will:

  • Understand the top security vulnerabilities plaguing companies as they modernize their networks
  • Learn how critical security vulnerabilities can be easily addressed with security-as-a-service
  • Discover how cloud and automation are enabling companies to simplify their ability to modernize their networks and security

Register for the webinar.

Download the white paper.

Adopting SD-WAN Shouldn’t Mean Compromising Your Security

Here at OPAQ we believe that SD-WAN technologies hold great promise as a toolset for making more efficient use of high performance Internet connectivity. However, like many new technologies, SD-WAN solutions are being adopted by organizations and put into production before they’ve learned how to navigate the security pitfalls associated with them. We’re seeing these solutions get deployed in the field ways that compromise information security or introduce new vulnerabilities. It’s important that organizations approach SD-WAN armed with an understanding of how to do it right.

 

SD-WAN Solutions Can Introduce Vulnerabilities

Last month at the 35th annual Chaos Communication Congress, Sergey Gordeychik gave an excellent presentation covering attack surface areas and vulnerabilities in a variety of SD-WAN products. A number of these products have shipped with default passwords, cross site scripting and command injection vulnerabilities in their management interfaces, as well as vulnerable versions of cryptography protocols such as SSL. Gordeychik and his research collaborators published a set of tools and resources including a tool called SD-WAN Harvester that can automatically enumerate SD-WAN nodes on the Internet. Using this tool, they discovered thousands of SD-WAN systems with known vulnerabilities exposed to the open internet.

 

SD-WAN Solutions Can Route Around Security Controls

Many organizations are using high-performance MPLS links to backhaul Internet bound traffic from satellite offices to security centers where next-generation firewalls can inspect that traffic for threats. SD-WAN solutions are often introduced for the express purpose of reducing load on MPLS links. The introduction of SD-WAN can result in some internet bound traffic leaving directly from satellite offices without being inspected. Sometimes this occurs because users don’t understand how their SD-WAN has been configured. In other cases, this is done intentionally in order to reduce MPLS backhaul, with the problem being that the kind of security inspection that can be performed by the SD-WAN devices themselves usually doesn’t measure up to the capabilities of a full next-generation firewall, with important capabilities such as SSL decryption, application awareness, and dynamic threat intelligence missing. Regardless of the reason, the result is that important security controls are bypassed, opening up an avenue for malware to reach inside the organization.

 

Asking the Right Questions

OPAQ recommends that organizations which have adopted or are considering the adoption of SD-WAN ask themselves a set of questions about their approach:

  • Assess Your Vendors: How security savvy are they? Do they have a good track record of responding to security vulnerability disclosures?
  • Assess Your Deployments: Do your SD-WAN nodes have services listening on the open Internet? Have you changed the default passwords? How is access controlled?
  • Assess Your Usage: Are you sending traffic from your users directly to the Internet in a way that bypasses your security controls? Do you have a way to monitor for changes that might introduce that sort of condition in the future?

OPAQ believes that our ability to provide next-generation firewall services from the cloud can help customers who adopt SD-WAN avoid making security compromises. OPAQ’s Security-as-a-Service can be deployed in conjunction with SD-WAN, enabling customers to bypass MPLS backhaul for Internet-bound traffic by sending that traffic to the OPAQ Cloud instead. Our network of regional Pods and peering relationships enable us to deliver that traffic to its destination with minimal latency while providing the full protection of our cloud hosted next-generation firewalls provided by Palo Alto Networks. This architecture provides a best-of-both-worlds WAN optimization solution in which high performance MPLS links are reserved for the most latency sensitive voice and video traffic while the whole organization remains protected behind the best security infrastructure available.

Read the white paper.

SMS Hijacking: What do Midsize Enterprises Need to Know?

The security world has been buzzing recently about attacks that target text message-based multi-factor authentication (MFA) systems. In mid-July an article in Motherboard detailed the criminal underworld that has formed around the lucrative practice, which can be used to compromise consumers’ online banking accounts, steal bitcoins, and hijack popular social media accounts. On August 1st Reddit announced that an attacker exploited SMS-based MFA to compromise several employee accounts at its cloud and source code hosting providers. This is a security issue that deserves some focus because of the fact that criminals have operationalized the attack techniques involved.

How do these attacks work?

The attacks target multi-factor authentication systems that work by sending a text message to the user with a code in it that they must enter in order to access their account. The attack works by taking over the victim’s phone number, so that the attackers receive the access code instead. The most common techniques for hijacking a mobile phone number are a “SIM-swap” and a “port-out scam.” In a SIM swap, the attacker convinces the phone company to associate the phone number with a different SIM card. On a “port-out” the attacker convinces the phone company to transfer the number to a different phone company. These attacks can be performed by social engineering phone company employees, but may also involve corrupt insiders at the phone company who take a cut of the proceeds from the scam.

In both cases, when the attack takes place, the victim’s phone will lose service, and may receive text messages from the phone company indicating that the SIM or phone number has been moved.

What should enterprises do?

First, consider educating end users about the issue. If they receive unexpected messages indicating that their SIM has been moved and their phone won’t connect to the cellular network, they may be the target of an attack in progress, and they should contact their phone company immediately. In some cases it may be possible to dial 611 to reach the phone company even if service is not active. Some phone companies offer additional security features such as PIN codes and Port Validation that can be enabled at no additional charge.

Second, review the multifactor authentication systems that you have in use. Systems that rely on pushes to a mobile app or a hardware token aren’t vulnerable to this attack, but some MFA systems support multiple modes and allow the end user to decide which authentication mode to use. Consider deactivating modes that rely on text messages and phone calls. However, it is also important to keep perspective. Mobile phone based MFA is better than not having MFA at all. It’s vulnerable, but it’s another hurdle that an attacker would have to cross, and it should be adopted in places where it’s not possible to use more secure systems.

Third, consider your network architecture. Organizations increasingly rely on cloud hosted systems that may be exposed to the entire Internet, whereas in the past internal corporate applications were usually hosted behind firewalls. The ‘de-perimeterized’ network requires more care regarding what services are exposed and how/where they can be accessed.

One strategy that can be effective is to lock down remote administration services in the cloud so they will only accept traffic from the egress IP address of your organization’s firewall. Administrators will then have to access your corporate VPN before they can administer your cloud, where you can enforce strong multi-factor authentication.

A more secure approach is to place internal applications hosted in the cloud within your VPN. OPAQ’s unique Firewall-as-a-Service approach can connect far-flung corporate offices with data centers and clouds without the expensive overhead of deploying individual firewalls to each location or backhauling traffic to and from a corporate headquarters. We can work with you to build a network that enables your organization to efficiently adopt cloud services without losing the security capabilities of your traditional VPN.

What is a Next-Gen Host-Based Firewall and why would anybody care?

Host-Based Firewalls are a simple technology that is generally used to prevent unwanted inbound traffic by port number. They don’t play a significant role in most enterprise security programs because its too much work to manage policies for each individual host. Instead, organizations prefer to enforce policies with network firewall devices that can protect large numbers of hosts from a single location.

New technologies have recently started to change this by providing a way to manage large numbers of individual endpoint firewall policies from a central system. We call these solutions Next-Generation Host-Based Firewalls, although the term Micro-Segmentation is also sometimes applied to this space. There are two primary trends that are driving this change:

Cloud Adoption: Workload mobility combined with the absence of traditional network architecture in cloud environments has meant that in some cases, firewall policies have to be managed on an individual endpoint basis, and there need to be tools that facilitate this.

Sophisticated Targeted Attacks: These days the initial point of infection for an attacker within a network is just a foothold that is used to spread internally in search of vital information to steal or encrypt with ransomware. This fact has driven organizations to pursue a Zero Trust approach to network security, where hosts inside the perimeter are not considered inherently more trustworthy than hosts outside the perimeter. The ultimate Zero Trust model means that every host is capable of defending itself, and tools are needed to orchestrate that defense.

As various Next-Generation Host-Based Firewall solutions have come on the market, the market has begun to define itself around a few key features or characteristics that all of these products share:

Central Policy Management: Obviously a “table stakes” requirement for these solutions is the ability to create a policy for a large number of individual endpoints from a central policy management tool. These policies are managed in one place, but enforced in many places — by each individual endpoint system.

Network Visualization:Crafting a security policy for large numbers of endpoints can be challenging. Next-Generation Host-Based Firewalls typically collect logs of network traffic from each endpoint and can provide the user with the ability to see and explore their network and it’s interrelationships. This can be a powerful tool for investigating security incidents as well as building policies that can contain them.

Abstract Policy Making: Traditional Firewalls enforce policy based on IPs, ports, and protocols. This can be inadequate for dealing with the complex set of interactions that occur on an internal network where workloads and workstations can move around. Typically, Next-Generation Host-Based Firewalls allow policies to be defined based on the identity of a user or of a workload or application, regardless of what system, IP or port is involved. This makes policy definition much simpler by allowing the user to express rules in human terms.

In our view there are three main architectural approaches to building Next-Generation Host-Based Firewalls. In describing these architectures, we use the words “active” and “passive” to refer to the role that the central policy management system takes in making case-by-case enforcement decisions.

Passive: A Passive Next-Generation Host-Based Firewall system is capable of pushing traditional, static firewall policies out to endpoints, but the central policy management system takes no direct role in policy enforcement. When new connections are made or received by each endpoint, the endpoint evaluates them against the policy it has been given and chooses whether to allow or block them.

This architecture has the advantage of imposing minimal latency at connection establishment and being resilient against temporary loss of connectivity between endpoints and the central policy manager.

Active: Instead of pushing static policies out to endpoints, an Active Next-Generation Host-Based Firewall makes enforcement decisions at a central controller. When each new connection is made or received by each endpoint, the endpoint contacts the controller and the controller decides whether or not the endpoint should allow or block, on a case-by-case basis. In this sense the controller is playing an active role in making enforcement decisions.

This architecture has the advantage of being able to adapt policy enforcement decisions immediately to changing circumstances on the network, such as when a host moves to a different network segment, or when a decision has been made to quarantine a compromised host. This adaptability is necessary to enable micro-segmentation in traditional office environments where rapid changes are commonplace. While there is some cost associated with this architecture, the latency and availability impacts are comparable to those imposed by the use of DNS servers.

Hybrid: A hybrid solution combines the best of both architectural approaches, allowing for dynamic policies to be enforced in real time by a central controller, with static backups in place that can make rapid decisions when the controller cannot be reached.

The OPAQ Cloud delivers Active & Hybrid Next-Generation Host-Based Firewalls. We believe that these technologies play a key role in securing the hybrid networks of today, especially as workloads move to the cloud and networks de-perimeterize. They enable enterprises to pursue a true Zero Trust approach to network security — where hosts on the internal network are not inherently trusted. The Zero Trust model is a prerequisite for defense against sophisticated threat actors, and a step toward totally new kinds of enterprise network architectures where perimeter defenses are no longer required.

Drawing a New Map of Enterprise Networking

Earlier this year I got to hear Tim O’Reilly speak at Grand Central Tech as part of their Authors @ GCT lecture series. Mr. O’Reilly is out promoting his new book, “WTF? What’s the Future and Why It’s Up To Us.” One of themes of his book is the process of innovation – how we go about creating technologies that completely change the way that we think, work, and live.

O’Reilly writes about drawing visual maps of the different elements within a company’s business plan, in order to understand how they interrelate with each other, a process that he learned about from a strategic consulting firm called BEAM. He then proceeds to draw such a map for an on-demand transportation company like Uber or Lyft.

There was a particular way that on-demand transportation worked a decade ago – you called a cab company, and a dispatcher announced your location on a radio network, and hopefully one of the cab drivers agreed to pick you up. Over time a particular set of technologies have become available, including the Internet, smart phones, and dispatching algorithms, that have enabled a completely different way of organizing this process. However, the new map for on-demand transportation didn’t draw itself – it was the job of innovators to realize that an opportunity existed to connect each of these ingredients in a new way, and to persuade the public that this new way is, in fact, a better way.

Of course, this got me thinking about what we’re doing at OPAQ Networks. IT organizations have been building enterprise networks in the same way ever since we started connecting businesses to the Internet in the early 1990’s. I usually credit Steven Bellovin and William Cheswick for drawing the original maps of this territory in their book “Firewalls and Internet Security.” This model is often called the “perimeter security model” – “We’ve got a bunch of sensitive computer systems here in our corporate headquarters, so we connected all of our satellite offices into that headquarters and we’ve built a stack of security solutions there to protect everything.”

Over time that model has started to show signs of strain. The sensitive systems that used to collect at headquarters are gone – they’ve moved into the cloud. However, the security stack is still there, and all kinds of traffic is still getting backhauled through headquarters for the sole purpose of sending it through the stack. Despite this approach, attackers are successfully getting inside by infecting end user workstations. Once their malware is running on the other side of the firewall, they have free range over the internal network and can get right to the data they want to steal.

At OPAQ Networks we are building a new map for this territory. First, we’re moving the security stack into the cloud, where the sensitive assets now live. This solves the backhaul problem, because satellite offices and remote VPN users can connect to cloud assets through our network instead of backhauling through a corporate headquarters. OPAQ has a nationwide network of points of presence and more than 200 peering relationships with major service providers that enable us to get traffic to it’s destination as efficiently and reliably as possible. Most small and medium sized enterprises don’t have the means to build this kind of infrastructure for themselves.

Second, we’re introducing software-defined network segmentation, a completely new technology that provides enterprises with unparalleled visibility and control over their internal networks. Using this tool, it’s possible to granularly segment internal networks so that end users only have access to the resources that they need, without having to reconfigure VLANs or wrestle with NAC solutions. Our partners’ midsize customers are able to adopt a better security posture, so that a single endpoint compromise does not imperil their entire business.

We are entering a time when the traditional way of building enterprise networks is being disrupted, and other maps are being drawn. Google’s BeyondCorp is one such map, along with the idea of Zero Trust Networks that was eloquently detailed in a recent O’Reilly publication. These approaches suggest doing away with the VPN and the security stack entirely, placing internal applications directly on the Internet and connecting users to them through authenticating proxy servers.

While I believe the BeyondCorp approach has merit, and there is a great deal that we can learn from it, it’s also very difficult for small and medium sized businesses to adopt. The traditional security stack delivered from the cloud has value, particularly for businesses where consistent patch and configuration management can be a challenge. The VPN has value, because it draws a clear line between the organization’s assets and the outside world. The problem is that these assets are often hosted in the wrong place today, and better segmentation is needed behind them.

This is what we’re doing at OPAQ Networks – we’re drawing a new map for the practice of enterprise networking in the cloud computing era. By leveraging network security-as-a-service, software-define network segmentation, and a modern, global network infrastructure, we’re enabling our customers to build networks that are more efficient, reliable, and secure than they have ever been before.

Simplified Microsegmentation — From the Cloud

It is time to change the way that organizations approach network segmentation. In the past few years we have seen a mounting collection of threats target the wide open nature of most organizations’ internal computer networks. Although security pros have been harping on this for some time, most networks remain crunchy on the outside and chewy in the middle – once attackers get past the perimeter, they often have access to any and everything inside the organization.

We’ve seen repeated threats recently exploit this exposure. We’ve seen incidents where entire organizations are crippled from ransomware spreading internally within their networks. We’ve seen the return of internet worms like WannaCry and NotPetya. We’ve seen more automated attacks that pivot from an initial point of compromise within a Windows network to Domain Admin access. In fact, experts are predicting significant increases in the volume of these attacks because of developments in attack automation.

Almost every organization needs to improve their network segmentation strategy in their internal network to cut down on these threats. What is preventing organizations from taking action?

Traditional Network Segmentation is Complex and Difficult to Manage

Unfortunately, the traditional approach to implementing network segmentation poses significant challenges. Configuring and managing internal firewalls and VLANs is both labor intensive and relatively inflexible. Network architecture is usually driven by the need to provide connectivity rather than security. Organizing machines with different security requirements onto separate VLANs is complex, and as soon as the work is done, users demand changes. Deploying multi-factor authentication for internal applications and services can also be a daunting project as each application must be separately integrated.

It’s no wonder organizations — particularly midsize enterprises — continue to struggle with implementing a smart, sustainable network segmentation strategy. What are midsize enterprises — and the service providers supporting them — supposed to do?

Zero Trust Software-Defined Network Segmentation from the Cloud

The term “microsegmentation” has recently become a buzzword in the IT world. These solutions provide a manageable way to lock down east/west traffic policies for cloud workloads. However, many of the threats we’re seeing – ransomware, worms, and domain lateralization – target end user workstations instead. What organizations need is a technology that provides easy-to-deploy software-defined microsegmentation capability that is flexible enough to support the entire enterprise network.

Since the acquisition of Drawbridge Networks in May 2017, we have embarked on integrating unique intellectual property into the OPAQ Cloud that allows users to manage software-defined microsegmentation for the entire enterprise, from a single pane of glass. The OPAQ PathProtect™ capability dramatically simplifies network segmentation, enhances network visibility and control, and enforces policy locally at each device, whether it’s a cloud workload or an employee laptop.

OPAQ PathProtect™ works by connecting software agents running on endpoints with a central controller hosted in the OPAQ Cloud. This architecture provides visibility and control from the cloud into every network interaction happening on every endpoint. This capability gives you the power to investigate incidents, protect against insider and external attacks, and prevent certain devices, such as compromised endpoints, from talking to other workstations on the network.

Microsegmentation with OPAQ PathProtect™ can be used to define granular access segments for users that operate independently from the network’s hardware and physical topology. It also can be easily updated when business needs change. Segments can be defined based on user identity, group membership and job function, and they will follow users as their laptops move throughout the network. OPAQ PathProtect™ can be used to enforce multi-factor authentication for access to any resource or service on the network, without any need to integrate with individual applications. This is possible because the central controller oversees all communication within the network and can authenticate users before allowing traffic to flow.

These capabilities allow organizations to adopt a security posture that is more aligned with Zero Trust security principles, in which users only have access to the specific applications required by their job function. Cutting down on unnecessary access closes the avenues that malware and network attackers use to spread laterally within an organization.

Microsegmentation for Endpoints, Not Just Data Centers

OPAQ PathProtect™ is a microsegmentation solution that can protect the whole network, including workstations, servers, datacenters, and cloud workloads, supporting the following capabilities and use cases:

  • Network Visibility provides detailed topological views of the interactions between hosts on the internal network. It is possible to drill down into different timeframes, hosts, users, process names, ports, and protocols for complete insight into network activity.
  • Network Access Control (NAC) to assign which resources, hosts and users can access services on the network. For example, unmanaged hosts can be prevented from accessing sensitive servers, and are identified and cataloged when they send traffic.
  • Multi -Factor Authentication (MFA) integration enables step-up authentication to tighten security for VPN access and within the internal network.
  • Granular Segmentation which is completely separate from the physical network architecture or network addressing, can be used to segment specific devices, applications, and data, and can keep track of hosts as they move around the network.
  • Quarantine allows organizations to quickly isolate infected hosts from sensitive resources at the touch of a button.

To find out more, view the press announcement, sign up for our upcoming webcast and schedule a demo to see how simple microsegmentation can be from the cloud.

OPAQ CTO Tom Cross Writes on Lateralization Attacks in First Article on CSO Online

Lateralization attacks are commonly used in most sophisticated breaches today. An adversary will typically gain a foothold inside the victim’s network by installing malware on a vulnerable device.

From there, the attacker will compromise other computers within the organization by moving laterally throughout the compromised network. A number of experts are predicting an increase this year in Windows Domain lateralization attacks. Organizations are increasingly looking for a solution that can prevent and isolate lateralization attacks from spreading in their network.

OPAQ chief technology officer Tom Cross was recently invited to be a regular contributor to CSOonline, one of our industry’s most respected publications. In Tom’s first article, he discusses lateralization attacks against Windows networks, and how to defend against them. You can read the full article here.

Tom Cross Joins Forbes Technology Council

We are pleased to report that our CTO, Tom Cross has been accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives. 

Tom joins other Forbes Tech Council members, who are hand-selected to submit thought leadership articles on Forbes.com. As an expert in cyber security, cyber conflict, malware and vulnerability research, Tom will cover these topics and more.

In his first article for Forbes, Tom weighs in on recent changes to international export controls covering computer network intrusion software.

The Wassenaar Arrangement is a governing body that crafts export control rules for technology with military and civilian applications. There are 42 member states that are party to the Wassenaar Arrangement, including the United States.

The new rules represent a significant victory for computer security practitioners, since they remove obstacles that have interfered with the ability of researchers in different countries to exchange security intelligence on vulnerabilities and malware.

In the article, Tom explores the reasoning behind the old rules, why they were flawed and how the new changes will benefit the cyber security industry. He also discusses why, despite this important victory, more work remains to be done before the new rules are implemented in the United States. You can read Tom’s full article here.

IoT Systems are Complex, and so is Securing Them

Brian Russell is Chief Engineer, Cyber Security Solutions at Leidos.  In this role, he defines and implements cyber security controls for Internet of Things (IoT) and cloud products and systems. Russell is the co-author of “Practical Internet of Things Security” and is Chair of the Cloud Security Alliance (CSA) IoT Working Group.

OPAQ: How do security risks for IoT devices and applications differ from mobile security or web app security?

BR: Some of the risks related to IoT devices are similar to risks we’re already familiar with, such as those identified by the Open Web Application Security Project (OWASP): security misconfigurations, sensitive data exposure, using components with known vulnerabilities, and privacy risks.  Where we run into differences compared to mobile and web app security relates to the physical nature of IoT devices, acquisition and deployment models for IoT devices, enablement of automation across IoT devices and privacy associated with IoT devices.

For example, we might see IoT products deployed across a city such as smart parking meters or road-side units (RSUs).  These devices need comprehensive physical protections built into them to prevent theft and extraction of firmware for further security analysis.  It’s also important that access controls for these devices are explored thoroughly.  We’ve already seen plenty of scenarios where product makers have used shared credentials across a family of devices.  These configurations make it unnecessarily easy on malicious actors.

The IoT is similar also in some instances to the concept of BYOD in that employees or customers may bring connected products, such as smart watches into the organization.  Or, employees might install smart TVs on corporate networks, and those devices could send data out to the manufacturer.  Security teams need to be on the lookout for these connected devices and make sure that they don’t open avenues to export company data to the outside.

As relates to new acquisition models, a company may decide to lease an expensive connected asset instead of purchasing it. Often, the asset is remotely managed by the vendor.  This opens new interfaces to the organizations’ networks that must be locked down.

OPAQ: What are the top enterprise risks from IoT?

BR: First, it’s useful to understand the core ways that enterprises are using IoT data. We are seeing that manifest in two ways:  the IoT device feeds data into analytics systems that companies rely upon for decision making purposes and secondly, the IoT systems could enable automated decision making within control systems, such as sensors that collect system status data to decide whether to continue or stop a running process.

From an analytics perspective, we must protect against data tampering.  If we do not have confidence in the provenance of the data then decisions made based on that data must come into question.  So, we must apply lifecycle security protections to the data to enforce data integrity. This can be accomplished through cryptographic hashing algorithms for example.  Organizations that collect sensitive data from individuals must not only protect it such as with encryption, but they must recognize that they are collecting sensitive data in the first place. If for example, you’re collecting blood pressure data from your patients, that piece of data alone isn’t necessarily sensitive.  But, when combined with identifying information, the aggregate data is subject to regulatory compliance rules.

If a malicious actor gains access to an IoT-enabled industrial control system, then they can cause unexpected physical actions to occur, which put the safety of the enterprise’s stakeholders at risk.  For example, by increasing the pressure in an oil pipeline, attackers could cause an explosion.  That’s why I usually like to recommend performing at least a rudimentary safety analysis for any IoT system being implemented.

OPAQ: Is security a barrier right now for the adoption of/broader potential of IoT?

BR: What is a bit concerning is that I don’t necessarily know that security is a barrier right now for the adoption of IoT solutions.  IoT-based innovation continues at a rapid pace, even in safety-critical industries.  Connected and autonomous cars are already on the road, medical devices are being connected, control systems are being connected, and the home /consumer IoT market continues to expand.  It seems that many of us are willing to take a chance on new technologies enabled by the IoT and then update those devices when we find that a security flaw has been discovered.

OPAQ: What kind of advice would you give IT departments regarding implementing IoT security plans – whether that’s from employees bringing in personal IoT devices and apps– or from the company having business IoT technology in place?

BR: First, sit down and think about what policies you might need to institute, such as what devices people can bring into a space and what they can connect to the network.  Also, keep track of IoT-related vulnerabilities and make sure to tune your detection processes based on what might be in use in your organization.  For organizations putting business IoT technology in place, make sure that you aren’t infringing on anyone’s privacy with these systems (e.g., conduct a Privacy Impact Assessment) and make sure that you aren’t jeopardizing the safety of users, either. Perform a threat model to identify the high value assets and the data flows within your system and lock them down appropriately.  Apply integrity controls to your data at all points within your systems.  Keep track of all of the IoT assets in your enterprise, which includes tracking the physical locations of your assets and the versions of firmware/software running on these assets.  And, of course, put a plan in place to keep all of your IoT assets updated.

What You Need to Do – Major Wifi Encryption Vulnerability

The vulnerability:

A set of significant vulnerabilities have been disclosed in the encryption of Wifi networks (specifically the WPA2 protocol). An attacker who is within range to connect to a Wifi network can exploit these vulnerabilities to completely decrypt traffic as well as manipulate or inject data. These vulnerabilities impact nearly every vendor of Wifi client software. The impact on Linux and Android devices is particularly severe.

How to mitigate:

The best way to mitigate these vulnerabilities is to install patches. The vulnerabilities impact multiple vendors, so CERT/CC is hosting a webpage with links to security advisory and patch information for each affected vendor. This page will be updated over time as new patches are released: http://www.kb.cert.org/vuls/id/228519

Deploying a second layer of encryption can be a useful mitigation while patches are unavailable. The simplest way to achieve this is to require users on Wifi networks to employ their corporate VPN clients while connected to Wifi. An ACL or firewall rule could be used to block traffic destined from the Wifi network to every destination other than the VPN.

Switching your Wifi network from WPA2 to WEP encryption is not advised as WEP has more significant security problems.

Learn more:

A detailed description of the vulnerabilities and the research surrounding them is available at this link: https://www.krackattacks.com

Briefly, the vulnerability impacts the WPA2 protocol. Part of the handshake for that protocol can be replayed to a client, causing the client to reuse an old encryption key. This key reuse can lead to effective cryptanalysis and decryption. In the case of Linux and Android devices, the encryption key can be reset to an all-zero key, with catastrophic consequences.