Revealed: The cyber Achilles heel for large companies

Corporate Risk and Compliance | August 28, 2018

While a new survey from analytics firm FICO has found that the number of US companies with full-coverage cybersecurity insurance has skyrocketed from last year, 24% still reported that they did not have any cyber insurance. For those that remain uninsured, and the insurance companies with an eye on targeting these firms, a cybersecurity analytics platform has come up with a more effective way to price policies.

“From a cybersecurity perspective, when you’re an insurance company and you’re writing a policy for somebody, how do you charge them for it? We measure the risk and give them the metrics to charge for that policy,” said Steve Timmerman, VP of marketing and business development at RedSeal, which offers enterprise software that builds a model of a company’s network, identifies vulnerabilities, and provides a digital resiliency score that allows insurers to write a cyber premium based on that score.

Sarder TV with Ray Rothrock

Sarder TV | August 24, 2018

With Ray Rothrock, RedSeal CEO

Ray Rothrock is a venture capitalist and former partner at Venrock, he has invested primarily in the industries of infosecurity and energy. Rothrock is currently the CEO of RedSeal Inc. and serves on the board of directors of several other companies, as well as the board for the Northern California chapter of NACD.

We sit down for a full video interview to discuss cyber attacks, their impact on business and his journey to success.

Which is more valuable – your security or a cup of coffee?

The drumbeat of media coverage of new breaches continues, but it’s useful sometimes to look back at where we’ve been.  Each scary report of so many millions of records lost can be overwhelming.  It certainly shows that our network defenses are weak, and that attackers are very effective.  This is why digital resilience is key – perfect protection is not possible.  But each breach takes a long time to triage, to investigate, and ultimately to clean up; a lot of this work happens outside the media spotlight, but adds a lot to our sense of what breaches really cost.

Today’s news includes a settlement figure from the Anthem breach from back in 2015 – a final figure of $115 million.  But is that a lot or a little?  If you had to pay it yourself, it’s a lot, but if you’re the CFO of Anthem, now how does that look?  It’s hard to take in figures like these.  So one useful way to look at it is how much that represents per person affected.

Anthem lost 79 million records, and the settlement total is $115 million.  This means the legally required payout comes out just a little over a dollar per person – $1.46 to be exact.

That may not sound like a lot.  If someone stole your data, would you estimate your loss to be a bit less than a plain black coffee at Starbucks?

Of course, this figure is only addressing one part of the costs that Anthem faced – it doesn’t include their investigation costs, reputation damage, or anything along those lines.  It only represents the considered opinion of the court on a reasonable settlement of something over 100 separate lawsuits.

We can also look at this over time, or over major news-worthy breaches.  Interestingly, it turns out that the value of your data is going up, and may soon exceed the price of a cup of joe.  Home Depot lost 52 million records, and paid over $27 million, at a rate of 52 cents per person.  Before that, Target suffered a major breach, and paid out $41 million (over multiple judgements) to around 110 million people, or about 37 cents each.  In a graph, that looks like this:

Which is more valuable – your security or a cup of coffee?

 

Note the escalating price per affected customer. This is pretty startling, as a message to the CFO.  Take your number of customers, multiply by $1.50, and see how that looks.  Reasonably, we can expect the $1.50 to go up.  Imagine having to buy a Grande Latte for every one of your customers, or patients that you keep records on, or marketing contacts that you track.  The price tag goes up fast!

Cyber Protection Team Workshop

Recently, I was privileged to spend half a day with some of our nation’s finest cyber warriors at a RedSeal workshop. Early in the morning, members of various DoD Cyber Protection Teams (CPTs) gathered around a u-shaped table in Columbia, Maryland.

The workshop showcases how CPTs use RedSeal every day to secure cyber terrain and support the warfighter’s mission. This was the fourth workshop that RedSeal has organized this year.

RedSeal in a simulated real world mission environment

The workshop’s mission concept is to validate that a secure network for a THAAD antimissile battalion had been deployed in South Korea. For the workshop, we say that an initial network survey has been completed on the deployed THAAD system and we are in phase two of a CPT mission called Secure. In this phase, the teams must verify that the network — primarily the key battery line IT systems — is secure.

Further, verifying that the THAAD system’s key cyber terrain is secure is of paramount importance to protect alliance forces in South Korea. Intelligence indicates a high probability of a kinetic war breaking out on the Korean peninsula soon. Cyber activity penetrating military C2 and civilian infrastructure would be a precursor to a shooting war.

RedSeal for Network Mapping and Automation

First, the attendees are shown how RedSeal ingests all the network information in a matter of hours, using configuration files. Everyone could see that manually attempting this process would be a time-consuming folly. It would take years to scan thousands of lines of code in each config file, multiplied by hundreds and thousands of devices.

RedSeal automates this process for CPTs and generates an accurate, up-to-date network model.

Second, the attendees are shown that RedSeal’s network topology map is not static but can be moved around and adjusted. All the network information can be organized into an easy and clear graphic representation of the devices and how they connect with each other.

When attendees ask if this is a scanning tool that will jam up their networks, we explain that there isn’t any scanning at all.

Then, we show detailed path results that look like a subway map of connected devices. One attendee said, “RedSeal shows me all the hops on the path from device to device.”

Visualizing cyber terrain serves an important role. CPTs often find themselves in debates with network operators about the significance of vulnerabilities. RedSeal provides a single source of truth that everyone can agree on.

Another attendee commented, “Now that I’m done worrying about access control, I’m worrying about threats. I can focus on higher level questions like, how are they using payloads against us?”

We discuss the value of using RedSeal to make higher-level informed decisions and to create hypotheticals around changes to the network. This allows accurate risk management of proposed network changes, even “temporary” changes.

RedSeal has been deployed successfully by active CPTs in every service branch. Our team looks forward to supporting each and every CPT as it conducts its important mission.

Want to learn more about RedSeal’s support of CPTs and how it will improve your agency’s digital resilience? Click here to set up your free trial of RedSeal and choose the better way.

Millions of businesses vulnerable to fax-based cyber attack

ComputerWeekly | August 13, 2018

Hackers could exploit security vulnerabilities in fax machines to launch cyber attacks in millions of organisations around the world, researchers warn, underlining the need for cyber resilience.

Ray Rothrock, chairman and CEO of security analytics firm RedSeal, said the Check Point research underlines the need for organisations to focus on resilience.

“We recommend that companies validate their segmentation policies and make sure there’s very limited access to their most valuable assets,” he said. “This isn’t a one-and-done exercise. Companies must remain vigilant, constantly monitoring all possible pathways within and between their network environments so they can quickly isolate a compromised device.

RedSeal and DHS CDM DEFEND

This year, the big news in government cybersecurity is the DHS CDM DEFEND program and task orders being announced by various federal departments. The DHS CDM DEFEND, which stands for Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense, task orders are awarded under the General Services Administration’s Alliant 1 Unrestricted contract. GSA and the Department of Homeland Security (DHS) jointly run CDM to secure civilian agency “.gov” networks from cyber attacks.

RedSeal and Government Cybersecurity

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s network modeling and risk scoring platform is installed in numerous defense, intelligence, and civilian organizations for continuous monitoring.

At the highest level, RedSeal delivers three core security controls:

  • Visibility: Automated network mapping and situational awareness
  • Verification: Continuous comparison of network security architecture against desired posture
  • Prioritization: Analysis of vulnerability scan data and network architecture to identify the highest risk vulnerabilities that must be remediated immediately

These controls apply to both legacy deployments and new architectures. In legacy deployments, RedSeal allows you to understand the existing environment and identify security control gaps. In new architectures, RedSeal validates that the network is built and operated as designed. And in all situations, RedSeal increases the value of scanning and penetration testing by prioritizing those vulnerabilities that are the most dangerous cybersecurity threats – based on how each network is put together.

The objective of the DHS CDM DEFEND program is to discover, assess and plan for 100% agency network coverage and provide context for prioritizing the closure of coverage gaps. Winners of task orders must discover all networked assets in an agency – including perimeter, cloud and mobile environments. Plus, they must develop a plan to protect all environments within six months of work commencing, and on a continuous basis after implementation. What’s more, merely visualizing what’s on the network isn’t enough, but vendors must prioritize fixing the worst problems first.


How Does RedSeal Fit with DHS CDM DEFEND Solution Requirements?

RedSeal supports six of the eight DHS CDM DEFEND solution requirements.

Hardware Asset Management: RedSeal’s complete network map and network device inventory provides a framework for hardware inventory processes and discovery. The solution also provides a complete inventory of in-scope Layer 2 and Layer 3 network devices.

Configuration Settings Management: RedSeal automatically analyzes individual device configurations to see if they are secure. This includes password policies for firewalls, routers, load balancers, and wireless controllers, services enabled, logical port configurations, and networking parameters. You can also create custom checks and be notified automatically about any deviations from baselines.

Vulnerability Management: At the highest level, vulnerability management consists of two tasks: vulnerability scanning and remediation. RedSeal can determine if you have any gaps in your vulnerability scan coverage and identify the device blocking it. In addition, RedSeal has a unique ability to prioritize remediation by identifying the vulnerabilities that pose the highest risk—in each network. RedSeal combines results from top scanners (such as Rapid7 InsightVM, Tenable Nessus, and Qualys) and centralizes scoring and prioritization. Then, it overlays its detailed knowledge of all network paths to prioritize the specific systems and vulnerabilities that could be used to do the most damage if they were exploited. Without this, organizations waste huge amounts of time remediating “high priority” vulnerabilities that could wait, because the potential damage from an exploit is very limited. And they ignore “low priority” vulnerabilities that are actually dangerous because they can be used to pivot into higher value targets in a network.

Boundary Protection: Effective boundary protections are typically based on network architecture and access policies on routers, switches and firewalls. In practice, it is extremely difficult to operationalize this control, especially in multi-vendor environments. However, RedSeal Is able to analyze networks continuously and evaluate possible connectivity against desired policy. This enables even the largest organizations to implement boundary protections on multi-vendor networks in an operationally efficient manner. And this, in turn, makes it realistic to implement multi-layer segmentation policies, where assets can be isolated from the rest of the internal network to better protect sensitive data, and limit the ability of malware to spread after initial compromise.

Incident Response: Many information sources and technical disciplines must work in concert for effective incident response. Once an indicator of compromise is identified by a SIEM, RedSeal brings network topology and reachability information to help determine how significant the risk is and what systems may be at risk. Normally this is a manual and time-consuming process, relying on traceroutes and network maps that are often out of date. Staff must comb through configurations to piece together the potential malware exploit paths. This delays an organization’s ability to respond appropriately to the event, increasing both risk and the eventual overall damage. RedSeal automates this entire network investigation process, providing incident response teams with accurate information about network exploitation paths so their response can be quicker and more focused.

 

  RedSeal Capabilities
CDM DEFEND Requirements Hardware Config Vuln Mgmt Boundary Response
Rapid Assessment Yes Yes Yes
Boundary Architecture Changes Yes Yes Yes Yes
Evaluate multiple CDM states Yes
Vuln Mgmt and Triage Yes Yes Yes Yes Yes
Change Control & L2/L3 Auditing Yes Yes Yes Yes
Incident Response Yes Yes Yes Yes

 

Summary

The federal government’s DHS CDM DEFEND program is a response to today’s cybersecurity reality. By encouraging organizations to rely less on auditing static preventive measures but instead on implementing CDM, the program better positions agencies to ensure their defenses are well established at all times. The program also encourages agencies to put in place procedures to detect, evaluate, and respond to incidents, no matter when they occur.

RedSeal provides a substantial contribution to the CDM framework by delivering a unique control set for boundary protection, situational awareness, vulnerability mitigation prioritization, and configuration management.

RedSeal is a “must-have” part of any CDM team currently bidding for DHS CDM DEFEND task orders.

Want to learn more about RedSeal’s integration with cybersecurity tools and its integral part of any CDM program? Click here to connect with RedSeal today.

Check Point shows how faxes can be route into a company

iTWire | August 13, 2018

Fax machines, which are part of many all-in-one printers, can be compromised over the telephone line and used to attack Windows PCs on the networks to which they are attached, researchers from security firm Check Point say.

The exploit was demonstrated on Sunday in a talk titled “what the Fax?” at the DEFCON security summit held in Las Vegas. A detailed technical explanation of the methods used is available here.

Harvard Business School: Alumni and Faculty Books

Harvard Business School | June 2018

Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
by Ray Rothrock (MBA 1988)

Amacom:
Rothrock lays bare tactics used by hackers, vulnerabilities lurking in networks, and strategies not just for surviving attacks but also for thriving even while under assault. This book helps businesses understand the threats they face, assess the resilience of their networks against attacks, identify and address weaknesses, and respond to data theft swiftly and effectively.