
Why Endpoint Security Is Crucial in Our ‘WAN Without Boundaries’ World

Networking: It’s not just about the physical communication structure you have to maintain. Networking is a way to grow your business, your brand, your market potential.

Leveraging the open Internet and social apps in the cloud can be more cost-effective than travel, face-to-face meetings, and complete reliance on communication and collaboration over expensive private networks. However, employees are not always inside the secure enterprise firewall/private WAN as they perform their jobs. Think of electronic payment systems, for example, or public hot spots where the employee doesn’t first connect to your VPN. This venturing outside the perimeter leaves them – and potentially your entire company – exposed to hostile elements. Bad actors, anyone or anything that tries to deceive, steal or destroy, are lurking out there and trying to break in through the same Internet we’re using.

Your customers’ privacy, data, and finances are at risk, too. Data hosters and managed service providers are targeted regularly. When cracked, they lose their customers’ information and trust. The pilfered private information can be sold on the Dark Web, which is an anonymous realm where more than half of the web domains practice illicit activities.

A stateful firewall, one that inspects network traffic and packets, is not enough. Hackers, cybercriminals and AIs can successfully attack through deeply embedded, well-concealed, or file-less schemes. In addition, firewalls are not good at stopping infections once a breach has occurred. You also have to be able to inspect credentials and network behavior so intruders are not able to cover their tracks, control your systems, and ruin your business and reputation.

Unfortunate Security Scenarios for Your Distributed Network and Workforce

So, realizing the threat, do you send teams out to all your branch offices for equipment reconfiguration? Maybe … But what do you do the next time, when the hackers start to exploit vulnerabilities in your soon-to-be legacy protection system? A lot can go wrong during this catch-up period.

  • Hackers, targeting easy prey, get in due to delays in applying a patch for a remote access protocol. They borrow administrator privileges and create new phony accounts. It’s a deep hack. Your data, your customers’ data, has become theirs.
  • An employee in a small remote office, prone to email-driven social engineering ploys, gets infected. Any peer to peer communications from the employee’s machine can spread malware or misleading information to other users and systems.
  • Joe plugs his phone into a public charging station … or maybe he’s using a wireless network at a subway coffee shop where a sneaky neighboring device is monitoring traffic on the shared network. Oops. He forgot to log into the encrypted VPN before enjoying his espresso drink and clicking a digital link. Joe’s phone (the endpoint) thereafter starts acting suspiciously inside your own network, whether you can see this happening or not.
  • Poor Joe. In another scenario, he’s at an all-week conference and in the habit of leaving his laptop open and “on” in the hotel room when he’s not there. His system’s apps are still on, and the room’s visitor doesn’t even have to know Joe’s screensaver password. Just a little plug-in and the unauthorized person can fool your network into believing phony instructions from the endpoint are authentic.

Do you want to wait for the next truck roll to bolt on security against these very possible scenarios?

Why Remote Security Is Vital for Your Growth Strategy

Endpoint security is not just about token antivirus protection on mobile devices and a reliance on the user to log into your VPN. It’s about always-on protection wherever your employees go to do business, which is what lets your organization come out ahead in the scenarios above. You have to be able to inventory and secure all corporate-issued mobile computers and bring-your-own devices (BYODs) to ensure network performance and security. Doing this only at the network equipment level leaves a porous net when you are fighting crime across the wider network. Instead, counterattack at the device level (phones, laptops, tablets), for these are the touchpoints roaming into the sometimes-hostile outside world.

Read the OPAQ report, which stresses how critical it is to:

  • Centralize team security by automatically inventorying remote and mobile endpoints inside a security-conscious dashboard.
  • Apply next-generation endpoint protection including strong authentication, encrypted communication, anti-virus management, anti-spyware, advanced malware filtering and protection, and microsegmentation.
  • Protect users with an always-on VPN that secures them while on the public Internet as well as while accessing private enterprise data, with separate clean corridors for each.

Read the Securing Remote Workers report.


SMS Hijacking: What do Midsize Enterprises Need to Know?

The security world has been buzzing recently about attacks that target text message-based multi-factor authentication (MFA) systems. In mid-July an article in Motherboard detailed the criminal underworld that has formed around the lucrative practice, which can be used to compromise consumers’ online banking accounts, steal bitcoins, and hijack popular social media accounts. On August 1st Reddit announced that an attacker exploited SMS-based MFA to compromise several employee accounts at its cloud and source code hosting providers. This is a security issue that deserves focus because criminals have operationalized the attack techniques involved.

How do these attacks work?

The attacks target multi-factor authentication systems that work by sending a text message to the user with a code in it that they must enter in order to access their account. The attack works by taking over the victim’s phone number, so that the attackers receive the access code instead. The most common techniques for hijacking a mobile phone number are a “SIM-swap” and a “port-out scam.” In a SIM swap, the attacker convinces the phone company to associate the phone number with a different SIM card. In a “port-out,” the attacker convinces the phone company to transfer the number to a different phone company. These attacks can be performed by social engineering phone company employees, but may also involve corrupt insiders at the phone company who take a cut of the proceeds from the scam.

In both cases, when the attack takes place, the victim’s phone will lose service, and may receive text messages from the phone company indicating that the SIM or phone number has been moved.

What should enterprises do?

First, consider educating end users about the issue. If they receive unexpected messages indicating that their SIM has been moved and their phone won’t connect to the cellular network, they may be the target of an attack in progress, and they should contact their phone company immediately. In some cases it may be possible to dial 611 to reach the phone company even if service is not active. Some phone companies offer additional security features such as PIN codes and Port Validation that can be enabled at no additional charge.

Second, review the multifactor authentication systems that you have in use. Systems that rely on pushes to a mobile app or a hardware token aren’t vulnerable to this attack, but some MFA systems support multiple modes and allow the end user to decide which authentication mode to use. Consider deactivating modes that rely on text messages and phone calls. However, it is also important to keep perspective. Mobile phone based MFA is better than not having MFA at all. It’s vulnerable, but it’s another hurdle that an attacker would have to cross, and it should be adopted in places where it’s not possible to use more secure systems.

Third, consider your network architecture. Organizations increasingly rely on cloud hosted systems that may be exposed to the entire Internet, whereas in the past internal corporate applications were usually hosted behind firewalls. The ‘de-perimeterized’ network requires more care regarding what services are exposed and how/where they can be accessed.

One strategy that can be effective is to lock down remote administration services in the cloud so they will only accept traffic from the egress IP address of your organization’s firewall. Administrators will then have to access your corporate VPN before they can administer your cloud, where you can enforce strong multi-factor authentication.

A more secure approach is to place internal applications hosted in the cloud within your VPN. OPAQ’s unique Firewall-as-a-Service approach can connect far-flung corporate offices with data centers and clouds without the expensive overhead of deploying individual firewalls to each location or backhauling traffic to and from a corporate headquarters. We can work with you to build a network that enables your organization to efficiently adopt cloud services without losing the security capabilities of your traditional VPN.

IoT Systems are Complex, and so is Securing Them

Brian Russell is Chief Engineer, Cyber Security Solutions at Leidos. In this role, he defines and implements cyber security controls for Internet of Things (IoT) and cloud products and systems. Russell is the co-author of “Practical Internet of Things Security” and is Chair of the Cloud Security Alliance (CSA) IoT Working Group.

OPAQ: How do security risks for IoT devices and applications differ from mobile security or web app security?

BR: Some of the risks related to IoT devices are similar to risks we’re already familiar with, such as those identified by the Open Web Application Security Project (OWASP): security misconfigurations, sensitive data exposure, using components with known vulnerabilities, and privacy risks. Where we run into differences compared to mobile and web app security is in the physical nature of IoT devices, acquisition and deployment models for IoT devices, enablement of automation across IoT devices and privacy associated with IoT devices.

For example, we might see IoT products deployed across a city such as smart parking meters or road-side units (RSUs). These devices need comprehensive physical protections built into them to prevent theft and extraction of firmware for further security analysis. It’s also important that access controls for these devices are explored thoroughly. We’ve already seen plenty of scenarios where product makers have used shared credentials across a family of devices. These configurations make it unnecessarily easy on malicious actors.

The IoT is similar also in some instances to the concept of BYOD in that employees or customers may bring connected products, such as smart watches, into the organization. Or, employees might install smart TVs on corporate networks, and those devices could send data out to the manufacturer. Security teams need to be on the lookout for these connected devices and make sure that they don’t open avenues to export company data to the outside.

As relates to new acquisition models, a company may decide to lease an expensive connected asset instead of purchasing it. Often, the asset is remotely managed by the vendor. This opens new interfaces to the organization’s networks that must be locked down.

OPAQ: What are the top enterprise risks from IoT?

BR: First, it’s useful to understand the core ways that enterprises are using IoT data. We are seeing that manifest in two ways: the IoT device feeds data into analytics systems that companies rely upon for decision making purposes and secondly, the IoT systems could enable automated decision making within control systems, such as sensors that collect system status data to decide whether to continue or stop a running process.

From an analytics perspective, we must protect against data tampering. If we do not have confidence in the provenance of the data then decisions made based on that data must come into question. So, we must apply lifecycle security protections to the data to enforce data integrity. This can be accomplished through cryptographic hashing algorithms for example. Organizations that collect sensitive data from individuals must not only protect it such as with encryption, but they must recognize that they are collecting sensitive data in the first place. If, for example, you’re collecting blood pressure data from your patients, that piece of data alone isn’t necessarily sensitive. But, when combined with identifying information, the aggregate data is subject to regulatory compliance rules.

If a malicious actor gains access to an IoT-enabled industrial control system, then they can cause unexpected physical actions to occur, which put the safety of the enterprise’s stakeholders at risk. For example, by increasing the pressure in an oil pipeline, attackers could cause an explosion. That’s why I usually like to recommend performing at least a rudimentary safety analysis for any IoT system being implemented.
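
The integrity protection Russell describes, as an added example that is not part of the interview or of any Leidos or CSA material: a device attaches a keyed hash (HMAC-SHA256) to each reading and the analytics ingest point verifies it before trusting the value. The device id, key, readings and message layout are constructed for the example.

```python
"""Integrity and replay protection for IoT sensor readings.

Added illustration, not from the interview or from Leidos or CSA material.
The device attaches an HMAC-SHA256 tag (a keyed hash) to each reading and the
analytics ingest point verifies it. A plain unkeyed hash would not do: whoever
can alter the reading in transit can recompute the hash to match. A per-device
sequence number then rejects replayed or reordered readings. Device id, key
and readings are constructed values.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed per-device secret. In a real deployment it is provisioned at
# enrolment and kept in the device's secure element or keystore.
DEVICE_KEYS: Dict[str, bytes] = {
    "pressure-sensor-17": hashlib.sha256(b"constructed device enrolment secret").digest(),
}


def canonical(reading: dict) -> bytes:
    """Deterministic serialization so device and server authenticate identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, value: float, unit: str, key: bytes) -> dict:
    """Device side: build the reading and attach its keyed hash."""
    reading = {"device": device_id, "seq": seq, "value": value, "unit": unit}
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


class IngestVerifier:
    """Server side: check the tag first, then enforce a strictly increasing sequence."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def accept(self, message: dict) -> Tuple[bool, str]:
        reading = message.get("reading", {})
        key = self.keys.get(reading.get("device"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return False, "integrity check failed"
        last = self.last_seq.get(reading["device"], -1)
        if reading["seq"] <= last:
            return False, "replayed or out-of-order reading"
        self.last_seq[reading["device"]] = reading["seq"]
        return True, "ok"


def demo() -> list:
    """Genuine reading, tampered copy, replay of the genuine one: only the first passes."""
    key = DEVICE_KEYS["pressure-sensor-17"]
    verifier = IngestVerifier(DEVICE_KEYS)
    genuine = sign_reading("pressure-sensor-17", 1, 412.5, "kPa", key)
    tampered = {"reading": dict(genuine["reading"], value=3150.0), "tag": genuine["tag"]}
    return [verifier.accept(genuine), verifier.accept(tampered), verifier.accept(genuine)]
```

The sequence check matters for the control-system case Russell raises next: an old but correctly tagged "pressure normal" reading replayed after a real alarm would otherwise pass the integrity check. Per-device keys also limit the blast radius of the shared-credential problem he mentioned earlier, since extracting one device's key does not let an attacker forge readings for the whole fleet.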

OPAQ: Is security a barrier right now for the adoption of/broader potential of IoT?

BR: What is a bit concerning is that I don’t necessarily know that security is a barrier right now for the adoption of IoT solutions. IoT-based innovation continues at a rapid pace, even in safety-critical industries. Connected and autonomous cars are already on the road, medical devices are being connected, control systems are being connected, and the home/consumer IoT market continues to expand. It seems that many of us are willing to take a chance on new technologies enabled by the IoT and then update those devices when we find that a security flaw has been discovered.

OPAQ: What kind of advice would you give IT departments regarding implementing IoT security plans – whether that’s from employees bringing in personal IoT devices and apps – or from the company having business IoT technology in place?

BR: First, sit down and think about what policies you might need to institute, such as what devices people can bring into a space and what they can connect to the network. Also, keep track of IoT-related vulnerabilities and make sure to tune your detection processes based on what might be in use in your organization. For organizations putting business IoT technology in place, make sure that you aren’t infringing on anyone’s privacy with these systems (e.g., conduct a Privacy Impact Assessment) and make sure that you aren’t jeopardizing the safety of users, either. Perform a threat model to identify the high value assets and the data flows within your system and lock them down appropriately. Apply integrity controls to your data at all points within your systems. Keep track of all of the IoT assets in your enterprise, which includes tracking the physical locations of your assets and the versions of firmware/software running on these assets. And, of course, put a plan in place to keep all of your IoT assets updated.

What You Need to Do – Major Wifi Encryption Vulnerability

The vulnerability:

A set of significant vulnerabilities has been disclosed in the encryption of Wifi networks (specifically the WPA2 protocol). An attacker within radio range of a Wifi network can exploit these vulnerabilities to completely decrypt traffic as well as manipulate or inject data. These vulnerabilities impact nearly every vendor of Wifi client software. The impact on Linux and Android devices is particularly severe.

How to mitigate:

The best way to mitigate these vulnerabilities is to install patches. The vulnerabilities impact multiple vendors, so CERT/CC is hosting a webpage with links to security advisory and patch information for each affected vendor. This page will be updated over time as new patches are released: http://www.kb.cert.org/vuls/id/228519

Deploying a second layer of encryption can be a useful mitigation while patches are unavailable. The simplest way to achieve this is to require users on Wifi networks to employ their corporate VPN clients while connected to Wifi. An ACL or firewall rule can be used to block traffic from the Wifi network to every destination other than the VPN.
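
Both of the allow-list designs on this page, the egress-IP lock-down of cloud administration ports in the SMS hijacking post above and the Wi-Fi-to-VPN-only rule just described, come down to the same first-match, default-deny evaluation. The block below is an added example, not OPAQ's code or configuration: a small rule evaluator built on Python's ipaddress module with both policies spelled out. All addresses, ports and hostnames are constructed (RFC 5737 documentation ranges and RFC 1918 space), and the VPN ports assumed are OpenVPN's default UDP 1194 with a TCP 443 fallback.

```python
"""Allow-list evaluator for the two firewall designs described above.

Added illustration, not OPAQ's code or configuration: a small first-match
rule engine built on Python's ipaddress module. Rules are checked top to
bottom, the first match decides, and anything unmatched is denied. All
addresses (RFC 5737 documentation ranges and RFC 1918 space) are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) from the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Policy 1 (SMS hijacking post): cloud-hosted administration ports answer
# only to the corporate firewall's egress address, so an administrator must
# be on the corporate VPN, where strong MFA is enforced, before reaching them.
CORP_EGRESS = ip_network("203.0.113.10/32")        # constructed egress IP
CLOUD_ADMIN_HOST = ip_network("198.51.100.25/32")  # constructed cloud host
CLOUD_ADMIN_POLICY = [
    Rule("allow", CORP_EGRESS, CLOUD_ADMIN_HOST, "tcp", 22, "SSH from corporate egress only"),
    Rule("allow", CORP_EGRESS, CLOUD_ADMIN_HOST, "tcp", 3389, "RDP from corporate egress only"),
    Rule("allow", ANY, CLOUD_ADMIN_HOST, "tcp", 443, "public web front end stays reachable"),
    # SSH or RDP from anywhere else matches nothing and hits the default deny.
]

# Policy 2 (KRACK mitigation): the Wi-Fi segment may reach only the VPN
# gateway, plus the resolver it needs to look up the gateway's name. Without
# that DNS exception a "VPN only" rule silently breaks the VPN client itself.
WIFI_NET = ip_network("10.20.0.0/16")          # constructed Wi-Fi segment
VPN_GATEWAY = ip_network("203.0.113.50/32")    # constructed VPN gateway
INTERNAL_DNS = ip_network("10.0.0.53/32")      # constructed resolver
WIFI_POLICY = [
    Rule("allow", WIFI_NET, INTERNAL_DNS, "udp", 53, "resolve the VPN hostname"),
    Rule("allow", WIFI_NET, VPN_GATEWAY, "udp", 1194, "VPN tunnel over UDP"),
    Rule("allow", WIFI_NET, VPN_GATEWAY, "tcp", 443, "VPN tunnel TCP fallback"),
    Rule("deny", WIFI_NET, ANY, comment="explicit: nothing else leaves the Wi-Fi segment"),
]


def explain(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    action, why = evaluate(rules, src, dst, proto, dport)
    return f"{src} -> {dst} {proto}/{dport}: {action} ({why})"


if __name__ == "__main__":
    print(explain(CLOUD_ADMIN_POLICY, "203.0.113.10", "198.51.100.25", "tcp", 22))
    print(explain(CLOUD_ADMIN_POLICY, "192.0.2.77", "198.51.100.25", "tcp", 22))
    print(explain(WIFI_POLICY, "10.20.4.8", "203.0.113.50", "udp", 1194))
    print(explain(WIFI_POLICY, "10.20.4.8", "192.0.2.1", "tcp", 443))
```

Two points the evaluator makes visible: the cloud policy needs no explicit deny because unmatched traffic is dropped, and the Wi-Fi policy must carve out name resolution (and, on real equipment, whatever DHCP and captive-portal traffic the segment relies on) or users simply cannot bring the tunnel up. When translating this to a cloud security group or a wireless controller ACL, keep the egress address a single /32 and revisit it whenever the corporate firewall's public address changes, since a stale entry fails closed.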

Switching your Wifi network from WPA2 to WEP encryption is not advised as WEP has more significant security problems.

Learn more:

A detailed description of the vulnerabilities and the research surrounding them is available at this link: https://www.krackattacks.com

Briefly, the vulnerability impacts the WPA2 protocol. Part of the handshake for that protocol can be replayed to a client, causing the client to reuse an old encryption key. This key reuse can lead to effective cryptanalysis and decryption. In the case of Linux and Android devices, the encryption key can be reset to an all-zero key, with catastrophic consequences.
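
The reason key reuse is so damaging, shown as an added example that is not part of the advisory or of the KRACK research: WPA2's ciphers are stream-cipher modes, and reinstalling a key resets the nonce, so two frames end up XORed with the same keystream. The block uses a stand-in counter-mode keystream built from SHA-256 so it runs with the standard library alone; the cancellation property it demonstrates is the same for the real cipher. Key, nonces and frame contents are constructed.

```python
"""Why a reinstalled key (and therefore a reused nonce) breaks a stream cipher.

Added illustration, not from the advisory or the KRACK research. A stand-in
counter-mode keystream built from SHA-256 is used so the block runs with the
standard library alone; the property shown, that one shared keystream cancels
out of the XOR of two ciphertexts, holds for any stream-cipher mode, which is
what the text means by "effective cryptanalysis". Key, nonces and frames are
constructed.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate hash(key || nonce || counter) blocks, then truncate."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Under one shared keystream ks: c1 ^ c2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2."""
    return xor(c1, c2)


def recover_other_frame(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one frame's content is predictable (fixed headers are), the other follows."""
    return xor(xor_of_plaintexts(c1, c2), known_p1)


def demonstrate() -> tuple:
    key = hashlib.sha256(b"constructed session key").digest()
    nonce = (1).to_bytes(12, "big")          # the nonce value a reinstall resets to
    p1 = b"GET /index.html HTTP/1.1"         # 24 bytes of predictable content
    p2 = b"Authorization: Basic abc"         # 24 bytes that should stay secret
    c1 = encrypt(key, nonce, p1)
    c2_reused = encrypt(key, nonce, p2)      # same key, same nonce: the flaw
    recovered = recover_other_frame(c1, c2_reused, p1)
    # Correct behaviour: the nonce advances per frame, so nothing cancels out.
    c2_fresh = encrypt(key, (2).to_bytes(12, "big"), p2)
    fresh_leaks = xor_of_plaintexts(c1, c2_fresh) == xor(p1, p2)
    return recovered, fresh_leaks
```

No key material is learned in the reused-nonce case; the keystream simply drops out, which is why a VPN on top of the Wi-Fi link still protects the payload. The all-zero-key variant the text mentions for Linux and Android is worse still: with a known key the keystream depends only on the nonce, so no second frame is even needed. The fix that patches deliver is on the client side, refusing to reinstall a key that is already in use.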

From Russia to WannaCry, Bad Actors are Hard to Nab

David Strom is editor of the email newsletter, Inside Security. He also consults to vendors on emerging technologies, products, strategies, and trends. Strom, formerly the editor-in-chief of Network Computing, has authored two books on the topic.

OPAQ: What are hackers looking for lately when it comes to attacks on business and is there a focus on particular verticals?

DS: Yes, any vertical where there is money. It’s all about whaling attacks and CEO phishing attacks. Any business that is successful is a target, which is scary. Malware is getting a lot sneakier, too. There are all sorts of ways to hide the attacks by using registry exploits, PowerShell and other things that make use of the internals of Windows infrastructure to elude detection. But even when malware authors aren’t using these techniques, their attacks are still sitting on the corporate network for months. Too many people still have their head in the sand. You may be a $1 million or $2 million corporation and think that your business is too small to target. But everyone is a target now. You really need to have the best defenses possible.

OPAQ: We’ve all heard enough about Russia and the elections, yet not quite enough about why these attacks happened, and what government or political organizations can do to ensure they never happen again?

DS: Russia began with Estonia, and then they moved on to the country of Georgia, and later they hit German destinations and, of course, the United States. Estonia, even, is pretty sophisticated when it comes to digital policies and protections. The problem is that people are not doing a great job of examining what data is leaving their networks. It used to be that everyone was focused on what was coming into their networks, but the real issue is what is leaving. I can grab a database and move it offsite very quickly into a Dropbox account and no one’s the wiser. People aren’t scrutinizing the right side of the equation. You need some kind of intrusion detection system that works in both directions and looks at what is entering and leaving networks and can distinguish between ordinary and abnormal activity.
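
A minimal version of the outbound-looking detection Strom calls for, as an added example that is not part of the interview: it baselines each host's own daily outbound volume and flags a day whose egress is both far above that baseline and large in absolute terms. The flow records, hostnames and byte counts are constructed, and the thresholds (10x baseline, at least 100 MB) are assumptions to tune per environment.

```python
"""Egress-aware anomaly check over constructed flow records.

Added illustration, not from the interview. Each record is
(day, host, destination, bytes_in, bytes_out). A host's normal daily outbound
volume is baselined from its own history (median), and a day is flagged when
outbound volume is both many times that baseline and large in absolute terms,
which is the "what is leaving" direction the text says gets overlooked.
Hosts, destinations and byte counts are constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Tuple

Flow = Tuple[int, str, str, int, int]

FLOWS: List[Flow] = [
    # day, host, destination, bytes_in, bytes_out
    (1, "ws-accounting-07", "mail.corp.example", 5_000_000, 400_000),
    (2, "ws-accounting-07", "mail.corp.example", 4_800_000, 520_000),
    (3, "ws-accounting-07", "mail.corp.example", 5_100_000, 480_000),
    (4, "ws-accounting-07", "mail.corp.example", 4_900_000, 610_000),
    (5, "ws-accounting-07", "mail.corp.example", 5_300_000, 450_000),
    (6, "ws-accounting-07", "mail.corp.example", 5_000_000, 500_000),
    (6, "ws-accounting-07", "storage.cloud-share.example", 20_000, 2_400_000_000),  # a database walking out
    (1, "ws-sales-02", "crm.corp.example", 9_000_000, 300_000),
    (2, "ws-sales-02", "crm.corp.example", 8_500_000, 350_000),
    (3, "ws-sales-02", "cdn.vendor.example", 900_000_000, 50_000),  # large download: inbound, not flagged
    (3, "ws-sales-02", "crm.corp.example", 8_700_000, 320_000),
    (4, "ws-sales-02", "crm.corp.example", 9_100_000, 700_000),
    (5, "ws-sales-02", "crm.corp.example", 8_900_000, 310_000),
    (6, "ws-sales-02", "crm.corp.example", 9_000_000, 330_000),
]


def daily_egress(flows: List[Flow]) -> Dict[Tuple[str, int], int]:
    """Total outbound bytes per (host, day)."""
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for day, host, _dst, _b_in, b_out in flows:
        totals[(host, day)] += b_out
    return totals


def baseline(totals: Dict[Tuple[str, int], int], host: str, before_day: int) -> Optional[int]:
    """Median of the host's own earlier days, or None when there is no history yet."""
    history = [v for (h, d), v in totals.items() if h == host and d < before_day]
    return median(history) if history else None


def flag_egress_anomalies(flows: List[Flow], factor: int = 10,
                          min_bytes: int = 100_000_000) -> List[dict]:
    """Flag each (host, day) whose egress exceeds factor x baseline and min_bytes."""
    totals = daily_egress(flows)
    alerts = []
    for (host, day), out in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        base = baseline(totals, host, day)
        if base is None:
            continue  # first day seen for this host: nothing to compare against
        if out >= min_bytes and out > factor * max(base, 1):
            dsts = sorted({dst for d, h, dst, _, _ in flows if h == host and d == day})
            alerts.append({"host": host, "day": day, "bytes_out": out,
                           "baseline": base, "destinations": dsts})
    return alerts
```

The inbound-heavy day for ws-sales-02 is deliberately left unflagged: an inbound-only view would have raised it and missed the accounting workstation, which is exactly the blind spot Strom describes. Production versions add destination reputation (unsanctioned cloud storage) and per-destination baselines, but the direction of the check is the point.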

OPAQ: In recent news related to the WannaCry ransomware outbreak, Marcus Hutchins was arrested and charged with creating and distributing the Kronos banking malware. We rarely hear about the bad actors being discovered and arrested. Any thoughts on why so?

DS: First on Marcus, it’s not even clear that he is a bad guy. It’s not like an accident on the freeway where you get hit and someone sees the accident in plain sight. A lot of this stuff is not readily observable. We need tremendous cooperation between private and government researchers to track these people down. Organizations can put lures called honeypots on their network to bring in the bad actors. Yet, that might not even be legal in some cases. A private business may not have the right to prosecute because the digital fingerprint isn’t always clear. Or if the individual is from another country, they might not be able to do anything about it. Attribution is very difficult: it’s a hall of mirrors. I could try to break into GM and when they come after me, I could say no, they are hacking me! The legal system is way behind on these matters. Even with a lot of technical knowledge, I think it’s going to be really hard to prosecute Mr. Hutchins.

OPAQ: Which new advancements in enterprise security technology are interesting to you and why?

DS: New password and authentication technologies are very exciting. Passwords are still the biggest weakness in companies. We can make this much more automated with the latest single sign-on and password management products. We also need better defense mechanisms, especially on phones and tablets. A lot of people use their phones on enterprise networks. But let’s say my kid downloads an app on my phone that’s infected with malware. The next day I go to work and log in to the network from my phone. Very quickly that malware can sniff out passwords across the network. Google has done a terrible job in handling malicious apps in the Play Store but it just came out with Google Play Protect, which automatically screens devices in the background for malware. The third area is ransomware-as-a-service. This will get stronger because that’s where the money is. I can have no skill whatsoever and put together a ransomware campaign with a few mouse clicks and make a lot of money. Corporations have to do a better job of making regular data backups and inspecting their network traffic to combat ransomware attacks.

OPAQ: Any thoughts on the security-as-a-service market and how it will grow in the coming years?

DS: Putting security in the cloud is definitely the wave of the future. We will see many more MSPs doing consolidation in this area to broaden their offerings. Smaller companies want to avail themselves of these services because they can’t afford to have that expertise on staff, yet they’re still going to get attacked. We are seeing threat-sharing databases get more popular. Cloud vendors can still have a proprietary take on security, but don’t need to create their own databases. These two parties will have symbiotic relationships. Over time cloud security services will be more attractive to larger companies. They are moving more of their data into the cloud so it makes sense to put security there too.