White House cyber breach one example of ‘daily’ attacks

Federal Times | Oct 30, 2014

A recent breach of the White House’s unclassified network caused a minor disruption in staffers’ workflows this week as security officials moved to mitigate disruption and any loss of data.

“Whenever we look for any kind of attack, we find that yes, indeed, it is happening,” according to Mike Lloyd, CTO at cybersecurity firm RedSeal, who described the recent breach as akin to “casing the joint.”

The White House breach

Federal Computer Weekly | Oct 29, 2014

Officials acknowledged that hackers breached the White House’s unclassified computer networks in the past few weeks, and a Washington Post report says the Russian government was the likely culprit.

Mike Lloyd, chief technology officer at RedSeal, said modern malware is often designed to do as little as possible in order to avoid detection.

“Adversaries understand the value of good information, of maps and the relationship of assets,” Lloyd said. “Such information can be extracted with a minimum of fuss, unless the person being scanned is very diligent and observant.”

Top 5 Network Security Best Practices

As I sat in one of RedSeal’s headquarters conference rooms last week discussing with two customers their approach to securing their networks, I was reminded how, even in the midst of our diversity, there are some fundamental truths about security and best practices. We’ve come up with five of the top network security best practices.

First and ultimately, it’s about people. There is only so much that automation can do, and often we put it in place to discover, determine, or deconstruct the errors people make. One of the primary options we have in this area is to continuously educate people and communicate wise choices, limiting potential security incidents. The ultimate best practice is prevention. Creating a security-sensitive business culture is therefore a prime best practice.

Second, identify your critical assets and rank all of your assets based on their importance to your business. This is part of knowing what you are protecting. Once you know what assets are important, you can determine whether or not you are appropriately defending them. If you don’t have them clearly identified, critical assets may remain unprotected and open for attack.

Third, create a zoned network security architecture to delineate between ranks of assets and communication between them, providing for buffer zones that can deflect attacks. The common DMZ network was the first of the general-purpose zones to come into widespread use, and recommendations like those in the PCI DSS add additional zones like Cardholder Data and Wireless to the mix. Having your own clear definitions is critical.

Fourth, be clear about which access between those zones is generally allowed, which is forbidden, and which is approved for specific business reasons. Know what access you want to have available and what access you want to make sure isn’t possible. For example, it’s likely you’ll want to prohibit login protocols from any outside link into your network. Some access limitations are also created for you by external standards. For example, PCI DSS makes clear that access into Cardholder from the Internet is prohibited, and access from Cardholder outbound to the Internet is also forbidden.

And fifth, once you’ve defined all of these aspects of your network security, it is critical to use automation to make sure that your network correctly implements this design. I have seen many instances where networks are not doing what the design intended. Almost without fail, there are errors in configurations that cause unexpected access, or at least consequences that were not intended. The massive interconnectivity of the network often allows potential paths that can circumvent controls under circumstances that are uncommon but possible. All of these possibilities require the use of automation to continuously review and check the devices and the network for any potential consequence, to provide as much protection as possible.

While this isn’t easy to do by human analysis, RedSeal can model and analyze this kind of information for you every day. You can know what you don’t know. It’s worth it!

PCI Compliance Under Scrutiny Following Big Data Breaches

CIO Magazine | Oct 22, 2014

As details filter out about the Home Depot hack (and many, many more data breaches), you can’t help but ask: How did this happen – especially when the company was supposed to adhere to specific safety regulations or else lose its capability to process credit card transactions?

That said, PCI standards aren’t perfect at preventing fraud. Mike Lloyd, CTO of RedSeal, a security risk management solutions firm, equates it to signs in bathrooms that tell employees they must wash their hands before returning to work.


The Register | Oct 22, 2014

Apple is warning its iCloud users over heightened spying risks following the discovery of attacks which security watchers have claimed are down to crude snooping by the Chinese government.

Steve Hultquist, chief evangelist at network visibility and analytics firm RedSeal, opined: “China uses a nationwide firewall system through which they force all internet traffic to pass so they can filter both what enters and what leaves China.”

Anticipating attack: top 10 ways to prevent a breach

Last week, I spent most of my time in a conference room at RedSeal headquarters presenting our RedSeal Certification training to a mix of our customers and recent additions to the RedSeal team. Showing those in attendance the broad set of capabilities of the system reminded me how important it is to be very clear about the steps for anticipating attack and putting together automation and operations to protect your enterprise and its assets.

Here is my top 10 list:

  1. Scan your hosts for vulnerabilities
  2. Prioritize and schedule patching
  3. Place modern security controls at all ingress and egress points
  4. Monitor all ingress and egress traffic, triggering alerts and interception of inappropriate traffic
  5. Standardize your device configurations
  6. Create a set of network security zones
  7. Review your network’s access paths
  8. Compare access to network security policy
  9. Track approvals of access between critical zones
  10. Monitor and report on access found each day

How does your approach compare to this list? What do you think I’m missing? Is there anything I included that you think shouldn’t be here?

How Does the Cloud and Mobility Change Things?

I remember sitting in a data center deep in an IBM facility in the early 1990s typing access control into a Proteon router that we had installed for our first commercial Internet link at that site. The controls were rudimentary, and severely limited access from outside. No one but I could access most of the connected systems, and very few people even knew that they existed. Few cared. Who wanted access from the Internet, anyway?

Fast forward to today when many people carry the Internet in their pocket. Computational and storage resources are available for pennies from many different cloud providers, and virtually everyone walking into an enterprise facility is carrying a powerful computer capable of connecting to both the Internet and any wireless network within the facility.

How does this change the game?

For one thing, it makes the overall attack surface much larger. That surface now includes all of the wireless networks within your network plus all of the various avenues into any of your public or hybrid cloud infrastructures. This means that knowing the attack surface is critical.

For another, the access controls you create must take into account this new set of potential attacks, including source addresses, spoofed or not, that may be valid within the organization.

Taking that entire set into account and following potential resulting access from outside the organization through all potential paths in the network (including any potential access that would result from legal changes to routing based on either load or lost interfaces) is challenging.

Making sure that necessary, business-critical access is open, while also making sure any unnecessary, potentially dangerous access is blocked, is just as challenging.

On top of this work, being sure that you’ve done all of this in the way you intend, that you maintain it over time with clean, current configurations and documentation, and that you are able to report and determine any changes, is one of the core aspects of managing this ever-more-complex situation going forward.

Why Some Small Businesses Love Hack Attacks

Inc. | Oct 7, 2014

For Aaron Lee, problems with his JP Morgan Chase business bank account started in mid-September, just a few weeks before the nation’s largest bank announced to the world that information related to 80 million of its consumer accounts and 7 million business accounts had been hacked.

A number of Silicon Valley startups are working on solutions, including some that have developed behavioral analytics tools that can crunch big data to do things like identify normal worker behavior, and flag abnormal activity that could be related to a security breach.

In fact, many of the people who start these new companies hail from federal entities such as the National Security Agency and Central Intelligence Agency, says Ray Rothrock, a venture capitalist who jumped ship from Venrock Ventures to run security company RedSeal Networks in February.

Testing the Policy

The day was already hot with the humidity rising as I entered the data center for our third day of consulting. The NOC was state-of-the-art, dimly lit, with displays showing network status, weather, and news. This was the day we would see the results of testing the network policy for the first time. I knew what to expect, and I knew the engineers would be surprised. It happens every time.

Networks today are incredibly complex: from the more traditional routers with ACLs, and firewalls with their rules, to ever-more-sophisticated load balancers, application-layer firewalls, and virtual environments that comprise more functions than the entire enterprise had just a few years ago. The expansive organic and revolutionary growth of network functions has created an elaborate, interconnected, dynamic maze that is practically impossible for human beings to grasp, much less to determine every possible outcome of communication across it.

That is where automation steps in.

As I mentioned in previous posts, first, you identify zones and then you map them to your network. These two steps are essential to any reasonable security policy. However, that’s not enough. You have to know every day that your network enforces those zones and the inter-zone policies you worked so hard to create. The only way to do that is with automation.

As a guy who has built networks for a very long time, one of my primary reasons for using RedSeal on those networks is to abstract the complexity of all those network elements and show me the current state of the security policy: are there any violations to that policy on the network today?

Just like that hot day I spent in the cool confines of a modern data center, every network I have helped customers and prospects analyze — without exception — has had violations of their policy. Many were approved exceptions. Some were emergency changes. It’s also very common to discover completely unexpected violations. Frankly, you should expect that. The complexity and unexpected interactions are far too great to be able to anticipate all of them without automation like RedSeal.

How do you test your policy?
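The Top 5 best practices post (zones, the access allowed or forbidden between them, automation to verify the design) and the policy-testing post above describe the same loop, and the Python below is an added illustration written for this page, not RedSeal's code. The zone prefixes, policy table and firewall rules are constructed samples, and mapping a rule's prefixes to zones by longest-prefix match is an assumption of this example.

```python
from ipaddress import ip_network

# Zone prefixes: constructed sample values, assumed for this example.
ZONES = {
    "internet":   ip_network("0.0.0.0/0"),
    "dmz":        ip_network("203.0.113.0/24"),
    "cardholder": ip_network("10.10.0.0/16"),
    "corp":       ip_network("10.20.0.0/16"),
}
# Inter-zone policy. PCI DSS forbids Internet<->Cardholder in both directions;
# a zone pair not listed here is unclassified and needs human review.
POLICY = {
    ("internet", "cardholder"): "forbid",
    ("cardholder", "internet"): "forbid",
    ("internet", "dmz"):        "allow",
    ("corp", "cardholder"):     "approved",  # business-justified exception
}
LOGIN_PORTS = {22, 23, 3389}  # login protocols: never from an outside link

def zone_of(prefix):
    """Longest-prefix match: the most specific zone containing prefix."""
    net = ip_network(prefix)
    hits = [(z, n) for z, n in ZONES.items() if net.subnet_of(n)]
    return max(hits, key=lambda zn: zn[1].prefixlen)[0]

def classify(r):
    """Verdict for one permit rule: OK, REVIEW or VIOLATION, with the reason."""
    src, dst = zone_of(r["src"]), zone_of(r["dst"])
    verdict = POLICY.get((src, dst), "review")
    if verdict == "forbid" or (src == "internet" and r["port"] in LOGIN_PORTS):
        return r["id"], "VIOLATION", f"{src}->{dst} port {r['port']}"
    if verdict == "review":
        return r["id"], "REVIEW", f"{src}->{dst} not in policy"
    return r["id"], "OK", f"{src}->{dst} {verdict}"

def check_rules(rules):
    """Only permit rules can create unintended access; denies are skipped."""
    return [classify(r) for r in rules if r["action"] == "permit"]

# Constructed sample rule set, shaped like a firewall rule export.
SAMPLE_RULES = [
    {"id": 10, "action": "permit", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443},
    {"id": 20, "action": "permit", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 22},
    {"id": 30, "action": "permit", "src": "10.10.5.0/24", "dst": "0.0.0.0/0", "port": 443},
    {"id": 40, "action": "permit", "src": "10.20.0.0/16", "dst": "10.10.0.0/16", "port": 1433},
    {"id": 50, "action": "permit", "src": "203.0.113.0/24", "dst": "10.10.0.0/16", "port": 8443},
]

if __name__ == "__main__":
    print(*check_rules(SAMPLE_RULES), sep="\n")
```

Run daily against the current rule export and diff the findings against yesterday's: rules 20 and 30 are the configuration errors the posts describe, while rule 50 is the unexpected, unclassified access that needs an explicit approve-or-forbid decision.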

JPMorgan’s Supersize Data Breach Hits 76 Million Households

Bloomberg Businessweek | Oct 3, 2014

The biggest U.S. bank said that a breach of its systems, first reported by Bloomberg News in late August, has affected 76 million households and 7 million small businesses.

“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet,” says Steve Hultquist, chief evangelist at RedSeal Networks, a cybersecurity company.