5 Critical Steps to Identifying and Remediating Exfiltration Paths

Summary. Cybersecurity risks continue to rise, further increasing the severity of long-term impacts.  

The latest IBM Data Breach Report revealed 82% of breaches involved data stored in the cloud—public, private, or multiple environments, with attackers gaining access to multiple environments 39% of the time. In 2023, the average cost of a data breach reached an all-time high of USD 4.45 million, representing a 15.3% increase (from USD 3.86 million) in 2020.   

It is clear that in today’s interconnected and digital age, safeguarding sensitive information is of paramount importance for any organization. Data breaches not only cause significant financial loss but can also erode the trust of customers and stakeholders. One critical threat an organization faces is ‘data exfiltration’—the unauthorized transfer of data from within an organization to an external location. 

In this article, we’ll explore the concern exfiltration paths cause and important steps you can take to identify and mitigate them. 

Understanding Exfiltration Paths 

Exfiltration paths are like hidden backdoors that malicious actors use to smuggle out sensitive information. These paths can often exploit various vulnerabilities in an organization’s network, be it misconfigured devices, neglected access controls, or compromised endpoints.  

The consequences of overlooking these paths are substantial:  

  • Loss of sensitive data: This can include everything from proprietary business information to customer data.  
    • In March, 1.2% of ChatGPT subscribers’ payment-related and personal information were exposed during an outage. While the actual number of people exposed in the breach was “extremely low” according to OpenAI, the breach exposed a number of areas requiring immediate improvement to ensure safety of subscribers. 
  • Reputation damage: Data breaches can significantly harm an organization’s reputation, leading to a loss of trust. 
    • According to Forbes, nearly half of all organizations that suffer data breaches also suffer damage to their brand – the report identifies data loss as the “fourth most common threat to reputation.” 
  • Financial repercussions: This encompasses both direct losses and potential fines from regulatory bodies. 
    • IBM found the average cost of a data breach reached an all-time high in 2023 of $4.45 million, while the number is more than double in the U.S., averaging $9.44 million.  

Safeguarding Data, Reputation, and the Future   

Designed to provide a detailed and holistic view of an organization’s entire network—including all devices, access paths, and potential vulnerabilities, RedSeal’s platform has helped hundreds of organizations gain an understanding of potential exfiltration paths while identifying and sealing off pathways.  

By the time a breach is detected, the damage is often done. It is almost always less expensive to stop an attack before it starts than to remediate. With tools like RedSeal, organizations can transition from defensive to proactive security.  

5 Steps your organizations can take to identify exfiltration paths: 

  1. Comprehensive network modeling: RedSeal creates a detailed, up-to-date model of an organization’s entire network. By doing so, it highlights all potential data flow paths, including those that might be unintentionally left open or overlooked. 
  2. Visual representation of exfiltration paths: One of RedSeal’s standout features is its ability to visually represent every possible path out of a network, providing IT teams with a clear and intuitive view of how data might be siphoned out to better recognize and address vulnerabilities. 
  3. Highlighting vulnerable access points: Using its sophisticated analytics, RedSeal can pinpoint devices or access points within the network that are susceptible to breaches or have misconfigured settings, allowing for potential data exfiltration. 
  4. Prioritization based on risk: Not all vulnerabilities are equal. RedSeal’s platform ranks potential exfiltration paths based on risk, allowing prioritization of response and patching strategies. 
  5. Simulating attack paths: RedSeal can simulate potential attack vectors, allowing organizations to proactively understand and counteract the strategies that malicious actors might employ.

Understanding potential exfiltration paths is not just a cybersecurity best practice—it’s an organizational imperative. With threats growing in sophistication and number, tools like RedSeal are no longer optional but a necessity. By identifying and sealing off these potential exfiltration pathways, businesses can safeguard their data, reputation, and future. 

Custom Best Practice Check for Detecting Juniper Firewall Vulnerabilities

Name: Juniper Firewall Vulnerability Detection Description: This Custom Best Practice Check (CBPC) detects potential vulnerabilities in Juniper firewalls that could lead to unauthorized access and remote code execution.

Rule: Regex: ^ *web-management \{(\r?\n) *htt.*

 Explanation: This regular expression (regex) is designed to match specific configuration lines within a Juniper firewall’s configuration related to web management settings. It identifies lines that start with zero or more spaces, followed by the string “web-management {” and potentially followed by any characters related to HTTP settings.

 Purpose: Juniper firewalls are known to have vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) that can allow unauthenticated attackers to upload arbitrary files and potentially execute remote code. This CBPC aims to identify configurations related to web management, as attackers often exploit such configurations to gain unauthorized access and control over the device. Detecting such configurations will help security teams identify potential vulnerabilities and take appropriate action.

 Instructions:

  1. Log in to the RedSeal platform.
  2. Navigate to the “Best Practices Checks” section.
  3. Create a new CBPC and give it a meaningful name and description.
  4. Copy and paste the provided regex (^ *web-management \{(\r?\n) *htt.*) into the “Rule” field.
  5. Save the CBPC and run it against the target Juniper firewall configurations.

 Outcome: When the CBPC is run against Juniper firewall configurations, it will identify any lines that match the provided regex pattern. If matches are found, it indicates potential vulnerabilities related to web management settings that might need further investigation and remediation.

***Please note that while this CBPC can help in identifying potential vulnerabilities, it’s important to have a thorough understanding of your network environment and configurations. Always perform additional assessments and validations to ensure accurate results.***

Vulnerabilities Overview:

  1. CVE-2023-36846 and CVE-2023-36847: Remote Code Execution via J-Web:These two vulnerabilities allow an unauthenticated attacker to exploit the affected Juniper firewall devices. By sending specially crafted requests to the devices, attackers can upload arbitrary files to the file system through the J-Web interface. This can lead to remote code execution and compromise the integrity and availability of the firewall and the network it protects.
  2. CVE-2023-36844 and CVE-2023-36845: Unauthorized Modification of PHP Environment Variables:These vulnerabilities enable an unauthenticated attacker to modify specific PHP environment variables on the vulnerable Juniper firewall devices. By exploiting these flaws, attackers can manipulate the behavior of the firewall’s PHP environment, potentially gaining unauthorized access and control over the device.

Potential Impact: Successful exploitation of these vulnerabilities could result in:

  • Unauthorized remote code execution, enabling attackers to compromise the firewall and the entire network.
  • Unauthorized access to the firewall’s PHP environment, leading to potential data breaches, network disruption, and unauthorized control over the device.

Additional Resources:

RedSeal will continue to monitor and test vulnerabilities, please check back for updated versions with additional refinements. Let’s discuss your concerns and how RedSeal can help, contact us today.

What the Rockwell Automation ThinServer Vulnerabilities Mean for Industrial Cybersecurity

The cybersecurity landscape is an ever-evolving domain with threats sprouting up constantly. The recent revelation concerning vulnerabilities in Rockwell Automation’s ThinManager ThinServer has highlighted the urgency for robust cybersecurity measures in the realm of industrial control systems (ICS).

Understanding the Rockwell Automation ThinServer Vulnerabilities

Rockwell Automation’s ThinManager ThinServer, a product designed for thin client and RDP server management, recently came under scrutiny after researchers from the cybersecurity firm Tenable discovered critical vulnerabilities. Classified as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917, these vulnerabilities center on improper input validation issues. They can potentially allow attackers, even without prior authentication, to induce a denial-of-service condition, delete, or upload files with system privileges.

What’s most alarming is that an attacker only needs access to the network hosting the vulnerable server for exploitation. This means that if the server is connected and exposed online – against the vendor’s best practices – it becomes susceptible to attacks directly from the internet.

The potential fallout from a successful exploitation? Complete control of the ThinServer. This presents an enormous risk, especially when considering the critical role of ICS in managing and overseeing essential industrial operations.

Enhancing Industrial Cybersecurity with RedSeal Capabilities

This backdrop brings to the fore the vital role of cybersecurity solutions like RedSeal. For existing and prospective customers, leveraging RedSeal’s capabilities can be the game-changer in fortifying their cybersecurity infrastructure.

  1. Network Visualization: RedSeal provides a detailed view of network architectures, including potential access paths. By visualizing these paths, organizations can understand how a potential attacker might navigate through their infrastructure, enabling them to take preventive measures.
  2. Risk Assessment: RedSeal’s platform assesses network risk, helping businesses identify vulnerabilities like the ones discovered in ThinManager ThinServer. By pinpointing these vulnerabilities early, proactive steps can be taken before they are exploited.
  3. Validation of Network Segmentation: Often, best practices dictate that sensitive servers, like ThinManager ThinServer, should be isolated from general network access. RedSeal can validate the effectiveness of this segmentation, ensuring that the server isn’t inadvertently exposed.
  4. Incident Response: In the unfortunate event of a breach, understanding the scope and the affected areas quickly is paramount. RedSeal’s capabilities assist in narrowing down affected segments, making response measures more targeted and effective.
  5. Continuous Monitoring: With RedSeal’s continuous monitoring, organizations can stay abreast of their network’s security posture. This ensures that as networks evolve and change, security measures evolve in tandem.
  6. Compliance Assurance: Adhering to industry standards and compliance requirements is a non-negotiable in the ICS space. RedSeal aids in ensuring that the cybersecurity measures in place align with the requisite standards, thus minimizing potential legal and reputational fallout.

In an era where cyber threats are pervasive and continuously evolving, relying on advanced cybersecurity solutions like RedSeal is no longer a luxury but a necessity. The vulnerabilities in Rockwell Automation’s ThinManager ThinServer underscore the fragility of ICS environments and the dire repercussions of lapses in cybersecurity measures. For businesses operating in the industrial domain, it’s essential to stay a step ahead. By leveraging the multifaceted capabilities of RedSeal, organizations can not only shield themselves from present vulnerabilities but also future-proof their operations against emerging threats. In the battle against cyber adversaries, being prepared and proactive is the key to victory.

Key Insights from Black Hat 2023: RedSeal’s Perspective

Last week approximately 40,000 cybersecurity professionals, researchers, and experts, met in Las Vegas for the annual Black Hat conference to discuss the latest trends, emerging threats, and groundbreaking technologies in cybersecurity. The RedSeal team engaged in all the event had to offer and left with several key takeaways into the current state of cybersecurity and market transitions that are driving up cyber risk.

GenAI: Pioneering Technologies, Unveiling Novel Vulnerabilities

The advent of Artificial Intelligence (AI), particularly Generative AI, has ushered in a new era for organizations. Maria Markstedter, the founder of Azeria Labs—a prominent company specializing in ARM exploit development, reverse engineering, vulnerability research, and cybersecurity training—delivered an insightful keynote revolving around the emergence of AI. Confirming that while artificial intelligence and machine learning fuel innovation, they concurrently expose unprecedented security vulnerabilities. This dual nature of AI underscores the imperative for a proactive security approach.

On the heels of our experience at the Omdia Analyst Summit, Maria’s keynote fortified the belief in expanding strategies to deepen proactive measures. This entails educating teams, crafting new policies, deploying innovative cybersecurity technologies, and embracing a forward-thinking perspective. Central to this is the deployment of a robust cybersecurity solution, like RedSeal, to stop breaches by detecting vulnerable attack paths.

2023 White House Cybersecurity Strategy: A Path Forward Amid Challenges

The unveiling of the 2023 White House cybersecurity strategy heralded a new phase for national security initiatives. The prominence of the Cybersecurity and Infrastructure Security Agency (CISA) in this strategy symbolizes the government’s dedication to bolstering cyber defenses.

The introduction of a new rule mandating critical infrastructure entities to promptly report cyber-attacks within 72 hours, alongside ransom payments within 24 hours, holds immense potential for elevating incident response and coordination. The efficacy of this strategy hinges on seamless execution and adaptability in the face of the ever-evolving threat landscape and strives for collaboration across government and commercial accountability for establishing robust cyber defenses. Learn more about RedSeal’s position on the National Cyber Strategy here.

Bridging Silos: Navigating Cloud, OT/IoT, Data Center, and IT Convergence

As organizations embrace cloud migration, adopt IoT/OT devices, and integrate modern data center technologies, challenges arise—including the risks of lateral movement between these domains. Despite the ongoing convergence of these realms, numerous cybersecurity vendors remain entrenched within traditional infrastructure silos. Engaging discussions on enterprise applications and data during Black Hat highlighted the pressing need for product enhancements that streamline the incorporation of applications and data via ports and protocols information. “Attack Path Analysis” and “Security Graph” resonated within all security circles, underscoring the growing emphasis on mapping potential attack vectors, visualizing security postures and their impact within complex, hybrid environments.

Amidst these insights, RedSeal offered demos to hundreds of conference attendees. These demonstrations showcased how the RedSeal platform accurately uncovers potential lateral spread pathways across on-prem and cloud environments, enabling organizations to fortify their defense strategies comprehensively and address vulnerabilities proactively.

RedSeal also announced the unique support for third-party firewalls in public clouds, driven by experience that breaches stem from complexity. The automation of understanding third-party firewalls deployed in public clouds eliminates blind spots arising from distinct security consoles. With a unified view, the fragmentation of defenses is mitigated, preventing potential vulnerabilities. RedSeal’s integrated end-to-end perspective into cloud and on-prem environments calculate attack paths to critical data and applications, offering unparalleled insights to mitigate risk.

CISO Dialogues: Addressing the Cybersecurity Talent Gap

Engaging in conversations with Chief Information Security Officers (CISOs), we learned that while traditional IT security concerns and the rise of cloud and OT infrastructures remain top challenges, one concern consistently looms large – the scarcity of cybersecurity talent. As organizations grapple with a growing skills gap, CISOs are compelled to look outside the organization for resources to not only support team development but also have the people and tools required to confront evolving threats head-on.

Promisingly, solutions do exist. Organizations can bridge this gap by engaging with experts, allowing their teams to focus on core competencies. RedSeal’s recent case study, “Regional Health System Increases Network Visibility and Mitigates Cybersecurity Risk,” demonstrates the efficacy of engaging RedSeal’s Fully Managed Services (FMS) team to augment security teams to prioritize and focus on critical security issues, enabling the health network to redirect resources towards pivotal issues, deliverables, and patient care. Read more here.

Black Hat 2023 has our team exploring a myriad of insights into the present and future of cybersecurity challenges and opportunities. From the dynamics of cutting-edge technologies like GenAI to evolving governmental strategies and the indispensable need to bridge security gaps, the conference underscored the need for proactive approaches in securing our digital future with the right tools and the right teams. As we act on these key takeaways, RedSeal remains committed to driving innovation and empowering organizations with the most comprehensive, dynamic model of your hybrid network allowing you to navigate the dynamic cybersecurity landscape with confidence, trust and resilience. Get in touch to see how we can help you stay ahead in today’s fast-evolving digital environment.

Finding Internet-facing Vulnerabilities: RedSeal Perspective on The Five Eyes Advisory

Today, the international cybersecurity consortium known as The Five Eyes (Australia, Canada, New Zealand, the UK, and the US) published a joint Cybersecurity Advisory. It’s a scary read, on several fronts. It details the top 12 vulnerabilities that are actively being exploited, in current breaches. The advisory doesn’t detail the breaches, because a lot of that data is not public, but we can safely assume that these organizations are trying to offer a wake-up call about what they are seeing in the real world.

One shocking aspect of the advisory is the vulnerabilities are quite old – the top spot is taken by a vulnerability that was disclosed in 2018! The lingering question is how can antiquated vulnerabilities still pose a threat? The answer lies in the struggles faced by organizations in locating and effectively patching patch their Internet facing equipment.

This is why RedSeal builds a digital twin of your network, then shows you where you have blind spots, defensive gaps, and (most relevant to this advisory) uncover exactly what you have that is exposed to the Internet.

The Five Eyes Advisory is an important reminder that vulnerabilities exist in our Internet-facing systems. RedSeal is a trusted partner to 75 federal agencies, 6 arms of the military, and 100s of F1000 organizations, helping identify and address vulnerabilities; securing networks against the growing complexity and frequency of threats.

Let’s talk about how we can help your organization stay secure. Contact us today.

Zero Trust 2.0: Why RedSeal Is Key to Executing a Zero Trust Strategy

In February 2023, a 21-year-old Massachusetts Air National Guard member accessed and posted hundreds of classified documents on voice over Internet Protocol (VoIP) and instant messaging platform Discord. The impacts were far-reaching. Not only is the Air Force working to understand how top secret information could be leaked so easily, but the base where the leak happened has been stripped of its current intelligence mission.

However, according to Don Yekse, the Navy’s chief technology officer (CTO), implementing a zero trust approach could have improved both detection and response times, reducing the severity of the attack.

To help public and private organizations better manage their zero trust deployments, the Cybersecurity and Infrastructure Security Agency (CISA) released version 2.0 of its Zero Trust Maturity Model (ZTMM). Efforts are also underway to develop and implement what’s known as zero trust network access (ZTNA) version 2.0, which focuses on a more granular approach to ZTNA.

In this piece, we’ll cover the current state of zero trust security, why it matters to organizations, and how RedSeal can help companies navigate the shift to ZTNA 2.0.

Zero Trust Security: Why It Matters, How It Helps, and Where It’s Used

The core principle of zero trust security is simple: Never trust, always verify. No matter the user, no matter the device, and no matter the request, zero trust asks for verification.

Consider a team manager logging in to the same admin portal at the same time every day, using the same device as they have for the past few years. Under a zero trust model, history doesn’t guarantee access. Instead, verification is required, which might take the form of two-factor authentication such as a one-time text code or identity verification via email confirmation.

Why Zero Trust Matters

Zero trust makes it more difficult for unauthorized users to gain network access. Implemented effectively, zero trust can improve cybersecurity without increasing complexity for authorized users. For example, the integration of mobile authentication tools can boost security while minimizing friction.

Statistics showcase the growing impact of zero trust. Consider that 80% of organizations now have plans to implement zero trust, and 96% of security decision-makers say that zero trust is “critical” to business success. Given that attacks such as ransomware have been on a steady rise — the volume of attacks increased 17% from 2021 to 2022 — zero trust is more critical than ever to help companies identify potential threats before they compromise key systems.

Benefits of Zero Trust

Zero trust offers multiple benefits for businesses.

First is reduced security risk. By replacing trust with verification, companies can reduce the risk of potential breaches. Even if attackers manage to steal user credentials, additional verification can frustrate their efforts.

ZTNA also provides greater control over security policies. For example, companies may leverage automated controls that lock out users after a certain number of failed attempts or that shunt traffic to a designated location for further evaluation. Perhaps one of the biggest benefits of zero trust, however, is visibility. Because zero trust requires continuous monitoring of devices and networks, implementing ZTNA naturally boosts overall visibility.

Common Zero Trust Use Cases

One common zero trust use case is reducing third-party risk. Given the increasing number of third-party applications used by companies and third-party providers that may have access to company networks, implementing zero trust can limit the risk of compromise from an unexpected source.

Other use cases include the security of Internet of Things (IoT) and legacy devices on business networks. In the case of IoT, ZTNA can help provide consistent security practices across both local and cloud networks. For legacy devices such as industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems, zero trust can help limit the chance of unauthorized insider access.

Zero Trust 2.0

Zero trust isn’t static. As a result, efforts are underway to supplement existing ZTNA solutions with “Zero Trust 2.0.” There are three primary differences between ZTNA 1.0 and 2.0.

1. Granular Controls

ZTNA 2.0 replaces the coarse controls of version 1.0 with more granular options. For example, under the 1.0 model, access is all or nothing. Users could either access all app services or none. In ZTNA 2.0, access can be restricted on a per-function basis.

2. Continuous Inspection

Many ZTNA 1.0 deployments use what’s known as the “allow and ignore” model. This means once users are verified and access is granted, this access remains in place indefinitely, ignoring any changes. ZTNA 2.0 reconfirms identity each time.

3. Comprehensive Protection

ZTNA 2.0 continuously verifies trust and inspects security to detect potential problems. This creates a dynamic security environment capable of responding as issues emerge. 

The Zero Trust Maturity Model

CISA has now released ZTMM version 2.0. The five pillars remain unchanged. Management of identity, devices, networks, applications, workloads, and data is required for effective ZTNA deployments. Where the model expands is maturity.

Under ZTMM 2.0, companies at the “Traditional” level still have manually configured lifecycles and static security policies. “Initial” maturity includes limited automation and increased visibility, while “Advanced” delivers on centralized visibility and identity control. Finally, companies at the  “Optimal” level of maturity use fully automated processes that self-report and are underpinned by dynamic policies.

How RedSeal Can Help Advance Your Zero Trust Strategy

Identity and information are key components of zero trust. Companies often think in terms of who is trying to access IT environments and what they’re trying to access.

But these aren’t the only considerations in creating an effective zero trust environment. Organizations also need to consider how and where. Where are critical assets located on local systems? In cloud networks? And how can these assets be accessed? It’s critical to create an inventory of IT environments including devices, ports, and protocols. In addition, companies need to understand external connectivity — what potential access routes exist and what risks do they pose?

At a small scale, the process of identifying who, what, where, and how is straightforward. Once companies move into the cloud, however, challenges emerge. With most organizations now using at least two and likely more cloud providers in addition to on-site storage and compute, complexity rapidly ramps up. Consider that service providers often have their own terminology for similar processes. For example, while both Google and AWS offer virtual private clouds (VPCs), they’re not the same. Each has its own set of features, functions, and vernacular.

In other words, different services speak different languages, making zero trust 2.0 implementation challenging. RedSeal makes it possible to create an IT lingua franca — a consistent translation that allows companies to automate and orchestrate key tasks across multiple environments.

RedSeal solutions also help with inventory and segmentation. By mapping and discovering all connections and endpoints across both cloud and on-site networks, companies can create complete inventories of all solutions and services, then create segmentation policies that reduce total risk in the event of an attack.

Taking on ZTNA 2.0

Effectively implementing zero trust 2.0 requires complete network knowledge. While who and what are the starting points, they’re not enough without where and how. RedSeal helps companies consolidate the pieces by creating a comprehensive inventory and asset map backed by a common defensive language.

Ready to take on ZTNA 2.0 and master the maturity model? See how RedSeal can help.

Exploring the Implications of the New National Cyber Strategy: Insights from Security Experts

In March 2023, the Biden Administration announced the National Cybersecurity Strategy, which takes a more collaborative and proactive approach.

RedSeal teamed up with cyber security experts, Richard Clarke, founder and CEO of Good Harbor Security Risk Management, and Admiral Mark Montgomery (ret.), senior director of the Center of Cyber and Technology Innovation, to discuss the latest strategy. Both have developed previous national cybersecurity strategies so we couldn’t be more privileged to hear their take on the newest national strategy’s impact on cybersecurity regulations. This blog covers the importance of harmonizing the rules, trends in resilience planning, the role of cyber insurance, the transfer of liability, and the need to keep pace with AI and quantum computing. Keep reading to learn more, or click here to listen in.

Expanding Cybersecurity Regulations

Although this is the first time the administration gives a clear and intentional nod to cybersecurity regulations, the federal government has regulated every other major sector for over 20 years. This step makes sense. Clarke points out, sectors with heavy cyber regulations have fared better in the past two decades than those without. Montgomery predicts that most changes will happen in areas where regulations are lagging, such as water, oil pipelines, and railroads.

But many agencies don’t have the resources for effective enforcement. The government must thus use a combination ofregulations, incentives, and collaboration to achieve meaningful outcomes.

The Importance of Harmonizing the Rules

The new strategy aims to “expand the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonize regulations to reduce the burden of compliance.” But the expansion of cybersecurity regulations must come hand in hand with better coordination.

Clarke observes, today’s regulations aren’t well-coordinated. Agencies must share lessons learned and align their approaches. Private sectors will benefit from the standardization of various regulations to streamline compliance, reducing cybersecurity complexity and lowering costs.

However, coordination and standardization doesn’t mean a one-size-fits-all solution. Agencies must tailor their regulations to each specific sector. The good news is that we can apply the same network security technologies to any industry and encourage knowledge-sharing across verticals. For instance, we can take the high standards from the defense industry and apply them to healthcare and transportation without reinventing the wheel.

A Focus on Resilience Planning

The cybersecurity definition of resilience has evolved as the world has become more digital. We will get hacked. It is a certainty. Instead of only looking to protect systems from attacks, regulatory mandates must also focus on prompt recovery. The government should also hire industry experts to assess digital resilience plans and stress-test them for reliance.

Cyber resilience must be applied to national security as well as private business. Transportation infrastructure must be able to operate without extended interruption. The economy (e.g., the power grid and financial systems) is our greatest weapon, and must keep functioning during conflicts and crises. Lastly, we must have the tools to quickly and effectively battle disinformation, a new frontier in the fight against nation-state threats.

The Impact of the Internet of Things (IoT)

Regulations must also cover IoT devices, but focus on the networks instead of the thousands of individual endpoints. Clark suggests that organizations should install sensors on their networks and conduct regular vulnerability scans. Montgomery adds to this, emphasizing the need for certification and labeling regimens as part of a long-term plan to make vendors responsible for their products’ performance and security.

Shifting Liability to Vendors

Speaking of making vendors responsible for their products’ performance and security, the new strategy intends to transfer liability to software vendors to promote secure development practices, shift the consequences of poor cybersecurity away from the most vulnerable, and make our digital ecosystem more trustworthy overall.

Clarke agrees that this approach is necessary, but holds that the current regulatory framework can’t support the legal implementation. IT lobbyists, some of the most well-funded and influential players on Capitol Hill, will make enforcement of such a shift an uphill battle. Clarke believes that, unfortunately, this hard but necessary shift may not happen until a tragedy shakes the nation and leaves it the only way forward.

Keeping Pace with AI and Quantum Computing

We, as a nation, have many issues to consider around AI, including beyond security. Clarke points out that we must establish rules about transparency: what’s the decision-making process? How did AI get to a conclusion? Is it searching an erroneous database? Is the outcome biased? Large language models (LLMs) are constantly learning, and adversaries can poison them to impact our decision-making.

While AI is the big problem of the moment, we can’t afford to continue ignoring quantum encryption challenges, cautions Montgomery. We have already fallen behind and must spend a substantial sum today to prepare for what’s in store in 10 years. We must start building quantum security into our systems instead of attempting to jury-rig something on later, adds Clarke.

The Rise of Cyber Insurance and Real-time Monitoring

Montgomery predicts that, if run properly, the cyber insurance market can bring these pieces together. Insurance companies may, for instance, encourage proactive measures by reducing premiums for organizations that invest in cybersecurity upfront and establish a track record of reliability and resiliency.

But organizations must prove they’re continuously protected instead of merely showing “point in time” compliance to take advantage of lower premiums. Real-time monitoring will play a critical role in lowering premiums and maintaining cybersecurity.

A Step in the Right Direction

The new National Cyber Strategy introduces timely and much-needed shifts. We must harmonize regulations to maximize the benefits without overburdening the private and public sectors.

In anticipation of the impending changes, organizations must approach their cybersecurity strategies proactively and implement the right tools and services to stay compliant. These include a comprehensive network security solution for complete visibility and ongoing monitoring, cloud security tools to protect all IT assets, and professional services to ensure airtight implementation and continuous compliance.

RedSeal has extensive expertise and experience in delivering government cybersecurity and compliance solutions. Get in touch to see how we can help you stay ahead in today’s fast-evolving digital environment.

Advisory Notice: MOVEit Transfer Critical Vulnerability

CVE: CVE-2023-35708

Description:

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

Recommended Mitigation Steps:
  1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:
      • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
      • It is important to note that until HTTP and HTTPS traffic is enabled again:
        • Users will not be able to log on to the MOVEit Transfer web UI.
        • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
        • REST, Java and .NET APIs will not work.
        • MOVEit Transfer add-in for Outlook will not work.
      • SFTP and FTP/s protocols will continue to work as normal.
  2. As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. 
 
For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2023/page/Security-Policies-Remote-Access_2.html
  3. Apply the Patch
    As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same when staying on a major release to apply the patch.
  4. Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment
  5. Please bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates.
How Can RedSeal Help?
  • By bringing Host Data into your RedSeal instance, we can identify hosts with the targeted CVE in both the “Endpoint Data” tab, as well as the “Vulnerabilities” tab.
  • First be sure to update your CVE definitions on your endpoint scanning system and run a data collection in RedSeal.
  • If the vulnerability does not show up at first, try changing the radio button to “Show All Vulnerabilities”
  • Next, search specifically for the CVE in question:
  • In the bottom details pane, you will get a list of hosts that are affected by the MOVEit vulnerability. Right click on a device and select “Show in Maps and Views”:
  • Now that you have identified which subnets these hosts live on, you can run detailed path queries from “Untrusted” to the subnet and IP in question, on TCP ports 80 and 443, to find out which firewalls are in the path and should have blocks placed on them.
Alternative Steps

An alternative method to obtain a comprehensive list of network segments is to use the Zones and Policies feature in RedSeal. Following steps 1-4 above:

  • Set up a new view in Zones and Policies and have Group A be “Untrusted”, and Group B be “Affected Hosts”.
  • Add all your Untrusted Subnets to the “Untrusted” group, and all the hosts to your “Affected Hosts” group.
  • Set up access rules between the two, such as “Approval Required”, or “Access Forbidden”, and run analysis.

Once complete, you will have a comprehensive listing of every source that can get to the specific destinations, and even run detailed path queries directly from that menu to find your firewall rules.

The Shifting Landscape of Cybersecurity: Top Considerations for CISOs

1. AI Is Changing the Game

The increasing use of generative AI tools such as ChatGPT comes with both defensive and offensive impacts. On the defensive side, companies can leverage these solutions to analyze security data in real time and provide recommendations for incident response and security vendors developers can write code faster. As for the offensive impact, attackers may be able to optimize malware coding using these same AI tools or leverage code released unknowingly by a security vendor’s developer. If malicious actors can hide compromising code in plain sight, AI solutions may not recognize the potential risk. And if hackers ask generative AI to circumvent network defenses leveraging code released unknowingly, the impact could be significant.

As a result, according to The Wall Street Journal & Forbes, JPMorgan Chase, Amazon, Bank of America, Citigroup, Deutsche Bank, Goldman Sachs and Wells Fargo are limiting employees’ ChatGPT use and we expect to see other companies follow.

2. Market Forces Are Shaping Security and Resilience

The looming economic recession is shaping corporate practices around security and resilience. While many IT teams will see their budgets unchanged or even increased in 2023 compared to 2022, security professionals should also expect greater oversight from C-suite executives, including chief information officers (CIOs), chief information security officers (CISOs), and chief financial officers (CFOs).

Both CIOs and CISOs will expect teams to justify their spending rather than simply giving them a blank slate for purchasing, even if the budget is approved. CFOs, meanwhile, want to ensure that every dollar is accounted for and that security solutions are helping drive business return on investment.

Consider network and cloud mapping solutions that help companies understand what’s on their network, where, and how it’s all connected. From an information security perspective, these tools have value because they limit the frequency and severity of IT incidents. But from a CFO perspective, the value of these tools ties to their ability to save money by avoiding the costs that come with detection, remediation, and the potential reputation fallout that occurs if customer data is compromised and acts as a force multiplier across multiple teams.

3. Multiple Vendor Architecture Is Everywhere

Firewall options from cloud vendors do not meet the enterprise’s security requirement. Enterprises are deploying traditional firewalls (ex. Palo Alto Network, Cisco or Fortinet) in their clouds. They are using cloud workload protection tools from vendors such as Crowdstrike or SentinelOne.

On-premises or cloud deployments cannot be treated in a silo. An adversary could get in from anywhere and go anywhere. The infrastructure has to be treated as one with proper segmentation. Pure-play cloud companies are also switching to on-premises collocated data centers to save on their rising cloud costs.

4. Public Oversight Impacts Private Operations

The recently announced National Cybersecurity Strategy takes aim at current responsibilities and long-term investments. According to the Strategy, there must be a rebalancing of responsibilities to defend cyberspace that shifts away from individuals and small businesses and “onto the organizations that are the most capable and best-positioned to reduce risks for all of us.” The strategy also recommends that businesses balance short- and long-term security investments to provide sustained defense over time.

To help companies achieve these goals, the Cybersecurity and Infrastructure Security Agency (CISA) recently released version 1.0.1 of its cross-sector cybersecurity performance goals (CPGs). Many of these goals fall under the broader concept of “security hygiene,” basic tasks that all companies should complete regularly but that often slip through the cracks.

For example, CPG 2.F recommends that companies use network segmentation to limit the impact of Indicator of Compromise (IOC) events. CPG 1.A, meanwhile, suggests that companies inventory all IT and OT assets in use, tag them with unique identifiers, and update this list monthly.

While no formal announcements have been made, it’s possible that under the new strategy, CISA will shift from providing guidance to enforcing regulatory expectations. For example, FDA may mandate pharmaceutical companies to submit their compliance to CISA CPGs.

5. IT and OT Meet in the Middle

RSA 2023 also touched on the continued merger of IT and OT environments. For many companies, this is a challenging shift. While IT solutions have been navigating the public/private divide for years, many OT frameworks are still not designed to handle this level of connectivity.

The result? A rapidly increasing attack surface that offers new pathways of compromise. Consider an industrial control system (ICS) or supervisory control and data acquisition (SCADA) system that was historically air-gapped but now connects to internal IT tools, which in turn connect to public cloud frameworks. If attackers are able to compromise the perimeter and move laterally across IT environments into OT networks, they will be able to encrypt or exfiltrate customers’ personal and financial data. Given the use of trusted credentials to access these systems, it could be weeks or months before companies notice the issue.

To mitigate the risks, businesses are looking for ways to segment IT and OT plus continuously validate segmentation policies are met. This starts with the discovery and classification of OT devices along with the development of standards-based security policies for both IT and OT functions. These two networks serve different aims and need to avoid the risk of any lateral movement between the networks.

Old, New, and Everything in Between

OT threats are on the horizon, companies need to prioritize basic security hygiene, and economic downturns are impacting IT budgets. These familiar frustrations, however, are met by the evolution of AI tools and the development of new national strategies to combat emerging cyber threats. As we look towards the second half of the year, the lessons learned can help companies better protect what they have and prepare for the next generation of cybersecurity threats. Take on the new cybersecurity landscape with RedSeal. Reach out to see how we can help you. 
[/av_textblock]

Accidental Cloud Exposure – A Real Challenge

The recent disclosure that Toyota left customer data accidentally exposed for a decade is pretty startling, but can serve as a wake up call about how cloud problems can hide in plain sight.

It’s not news that humans make mistakes – security has always been bedeviled by users and the often foolish choices that they make. Administrators are human too, of course, and so mistakes creep in to our networks and applications. This too is a perennial problem. What’s different in the cloud is the way such problems are hard to see, and easy to live with until something bad happens. Cloud isn’t just “someone else’s computer”, as the old joke goes – it’s also all virtual infrastructure. If you’ve never seen how cloud infrastructure is really built and managed, you may not realize how inscrutable it all is – think of it like a computer in an old movie from the 1970’s, all blinking lights and switches on the outside, but no way to see what is really happening inside. These days, we are used to visual computers and colorful phones, where we can see what we are doing. Cloud infrastructure is not like that – or at least, is not if you just use the standard management interfaces that are frustrating, opaque, and vendor specific. Are there ways you can escape the lock-in to your specific cloud vendor? Sure – inventions like Kubernetes free you up, but the price is even worse visibility as you drive everything through shell scripts, CLI commands, and terminals. The 1970’s computer has moved up to the 1980’s green screen, but it’s a far cry from anything visual.

I don’t mean to just pick nits with the old-world interfaces of cloud – this isn’t a debate about style, it’s a problem with real world consequences, especially for security. You can’t see through a storm cloud in the sky, and similarly, you really can’t see what’s going on inside most cloud applications today, let alone ensure that everything is configured correctly. Sure, there are compliance checkers that can see how individual settings are configured, but trusting these is like saying a piece of music is enjoyable because every note was tuned exactly – that rather misses the big picture of what makes music good, or what makes a cloud application secure.

This is why you need to be able to separate security checking from the CI/CD pipelines used to set up and run cloud infrastructure. The much-hyped idea of DevSecOps has proven to be a myth – embedding security into DevOps teams is no more successful than embedding journalists with platoons of soldiers. The two tribes don’t see the world the same way, don’t have the same objectives, and largely just frustrate each other’s goals.

Central security has to be able to build the big picture, and needs to check the ultimate result of what the organization has set up. Ideas like “shift left” are good, but do not cover the whole picture, as the Toyota exposure makes clear. Every detail of the apps was working, and was quite likely passing all kinds of rigorous low level checks. But just like checking whether each note is tuned correctly, while not listening to the piece as a whole, Toyota lost track of the big picture, with all the embarrassment that goes with admitting a ten year pattern of unintended exposure.

Solving this is the motivating mission at RedSeal. We know what it takes to build a big picture view, and then assess exposure at a higher level, rather than getting stuck in implementation details. It’s the only way to make sure the song plays well, or the application is built out sensibly. This is why we build everything starting from a map – you can’t secure what you can’t see. This map is complete, end-to-end, covering what you have in the cloud and what you keep on your premises. We can then visually overlay exposure, so you get an immediate, clear picture of whether you have left open access to things that surprise you. We can give you detailed, hop-by-hop explanation of how that exposure works, so that even people who are not cloud gurus can understand what has been left open. We can then prioritize vulnerabilities based on this exposure, and on lateral movement. And finally, we can boil it all up into a score that senior management can appreciate and track, without getting lost in the details. As Toyota found to their cost, there are an awful lot of details, and it’s all too easy to lose the big picture.