Tales from the Trenches: Vol 9 — The Law of Unintended Consequences, OR Some Doors Swing Both Ways

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Bill Burge, RedSeal Professional Services, explains how RedSeal can show you ALL the access from a network change, not just the one access you are expecting.

The Law of Unintended Consequences, OR Some Doors Swing Both Ways

“The law of unintended consequences” states that the more complex the system, the greater the chance that there is no such thing as a small change.

While working with a customer in the early days of my RedSeal Professional Services tenure, I looked for an opportunity to prove the capability of Zones & Policies. In an unfamiliar environment, the easy starting point is creating a policy that examines the access from “Internet to all internal subnets.”

It is easy to setup and easy to discuss the results, UNLESS the results say that most of the Internet can get to most of the internal network.

I thought “I MUST have done something wrong!” I got the impression that the customer felt the same thing, even though neither of us came right out and said it. So, I tore into it.

Using some ad hoc access queries and Detailed Path queries, we figured out the problem and why.

After looking into it, thinking something was amiss, it turned out that RedSeal was RIGHT. It seems there had been a pair of firewall rules for DNS requests:
SRC: inside, SRC PORT: any, DST: outside, DST PORT: 53, PROTOCOL: UDP
(and for the responses)
SRC: outside, SRC PORT: 53, DST: inside, DST PORT: any, PROTOCOL: UDP

At some point, because DNS resolutions got large enough that the responses did not fit in a single UDP packet, DNS needed to include TCP. So, someone simply made a small change and added TCP to each of these rules.

The unintended consequence was that you could reach just about any internal system from the Internet IF you initiated your request from port 53.

After this was verified by the firewall and networking teams, I might have well gone home. Everybody disappeared into meetings to discuss how to fix it, whether it could be done immediately or later that night, etc.

A little time later, I ALMOST felt guilty to point out that they had done pretty much the same thing with NTP, on port 123. (Almost…)

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Top 4 Cyber Challenges for Credit Unions

/by

Credit unions continue to be the primary targets of cyberattacks like phishing, ransomware, and supply chain attacks. This is due to the highly confidential nature of the data they collect and store. If this data falls into the wrong hands, the outcome can negatively impact the institution’s reputation, as well as its legal and financial standing.

Cyberattacks aimed at credit unions come at a high cost. Financial loss can range from $190,000 for small credit unions to as high as $1.2 million for large credit unions.

As technology advances, so have the cyber threats targeting credit unions. The National Credit Union Administration (NCUA) has continuously encouraged credit unions to “strengthen their institution’s cyber vigilance and preparedness efforts” to protect themselves and their members.

Read on to learn how credit unions can mitigate cybersecurity risks. The key is to first understand the primary threats and then how to reduce their impact.

Cybersecurity Trends in the Finance Sector

Over the last decade, cybercriminals have found creative ways to target credit unions. Attacks have increased in volume and severity, with hacking and malware being deployed to cripple financial institutions. The first half of 2020 saw a 238 percent increase in cyberattacks targeting the finance sector.

Between March and June of 2020, ransomware attacks aimed at banks increased by 520 percent compared to the same period in 2019. A huge spike was also observed in 2021.

In June of this year, several credit unions in Canada discovered evidence of attempted access by unauthorized personnel. A 2020 survey by the National Credit Union Administration (NCUA) found that 46% of credit unions experienced a cybersecurity incident in the past year. Phishing attacks continue to be a major threat to credit unions, with the NCUA reporting that they accounted for over 50 percent of incidents in 2020.

According to a recent IBM report, the average cost of a data breach in 2022 was $4.35 million. The finance sector is a primary attack target, only second to healthcare organizations, with the average financial breach costing $5.97 million. Credit unions, as a result, are increasingly turning to technology to improve their cybersecurity posture.

Credit unions should also be aware of the risk employees or contractors with access to sensitive information pose to cybersecurity. They can potentially misconfigure servers, networks, and databases and become compromised by hackers. Combating this may involve implementing measures such as keeping an updated inventory of cloud resources, reviewing misconfiguration by identifying unintentionally exposed resources, and reviewing security policies.

With large amounts of money at risk, following cybersecurity best practices can help credit unions stay on top of cyber threats.

Common Cyber Challenges for Credit Unions

Credit unions and financial institutions face a wide range of cybersecurity dangers and challenges —  from hackers looking to exploit loopholes to sophisticated cyber warfare/cyber espionage maneuvers of advanced persistent threat (APT) actors.

Learning about the potential risk factors can help credit unions mitigate these risks.

Here are the most common cybersecurity challenges credit unions should be aware of.

Sophisticated Cyberattacks and Ransomware

A ransomware attack, which involves encrypting files and locking users out of their systems, happens every 11 seconds. Criminals then demand a ransom to release the data. Credit unions must have strategies in place to ensure their systems are protected from such attacks.

Ransomware attacks not only cause credit unions to lose large amounts of money in ransom payments and fines; they also erode consumer trust. In most cases, ransomware attacks happen because employees fall for phishing scams that trick them into downloading suspicious attachments, clicking malicious links, or launching sketchy .exe files.

By regularly assessing and analyzing your entire system, you’re better able to spot any new vulnerabilities and emerging threats. It’s also important to educate employees and customers about cybersecurity best practices so they are equipped to handle various types of cyberattacks.

Supply Chain Interruptions via Third-Party Vendors

Credit unions typically use third-party partners to offer better features and functionalities to their members. Cybercriminals take advantage by attacking less secure software vendors. These vendors then inadvertently deliver malicious code in the form of compromised products or updates, enabling cybercriminals to access the credit institution’s network.

To minimize this risk, credit unions should thoroughly vet vendors before entering into a business partnership with them. They should also scrutinize their security practices and perform regular system updates and maintenance to ensure their existing infrastructure performs optimally for the longest time possible.

Emerging Threats Associated with the Internet of Things (IoT)

Hacking techniques are continuously becoming more sophisticated. IoT adoption is increasing exponentially, and hardware assets connected to the internet such as cameras, printers, sensors, and scanners are becoming a major target of exploitation by cybercriminals.

With over 50 percent of all IoT devices susceptible to severe cyberattacks, credit unions should focus on investing in cybersecurity solutions that make it easier to identify all IoT devices connected to their network. This way, they can easily monitor IoT devices for any security issues and take action before the risks become harder to mitigate.

Shortage of Cybersecurity Skills

The demand for cybersecurity experts, especially among credit unions, is outpacing the supply of qualified professionals. According to the 2022 (ISC)2 Cybersecurity Workforce Study, even with an estimated 4.7 million professionals, there’s still a global shortage of 3.4 million workers in this field. This will affect smaller credit unions as they will find it difficult to hire expertise well-versed in various cloud technologies.

Technical skills such as secure software development, intrusion detection, and attack migration are by far the most valuable skills in this field. Security teams in the credit union space must look for innovative solutions to optimize productivity. This includes identifying security tools and technologies that are easy to use and deploy, providing more opportunities for external training, and identifying solutions that streamline cybersecurity processes.

How Credit Unions Can Strengthen Their Cybersecurity

To ensure your credit union has optimal protection against potential cyberattacks, RedSeal recommends a proactive approach by performing regular cybersecurity assessments to identify any loopholes in your system and also ensure proper defenses are in place. These include having an up-to-date inventory, identifying unintended exposures, and setting a security baseline to meet current and future compliance requirements. It’s also important to establish security protocols that follow industry guidelines and continuously apply security patches and updates to the system.

Working with a prioritized set of risks allows security teams to better allocate resources to areas where they’re needed most.

Want to know more about how you can mitigate cyberattacks in your credit union? Check out this white paper on digital resilience and ransomware protection strategies.

National Cyber Strategy — What We Know So Far

/by

I’ve run into several folks who wanted to ignore the Biden Administration’s recently announced National Cybersecurity Strategy – “isn’t that just for Federal agencies?”. That would be a dangerously flawed assumption! This is a major shift in strategy, and regardless of how small your organization is, it’s going to change how you get to a secure state, and how you show that you’re doing it.

The administration makes no secret of its goals, even if they are controversial. They openly describe a target of shifting the playing field, and as always, this creates winners and losers. You need to be agile to ensure you’re on the winner side of this equation! The tilted playing field is aiming for two effects. One goal is to change the economic risk/reward so that bad actors think twice. The other is a significant shift in the burden of defense, pushing it up from smaller mom-and-pop scale organizations, transferring it to larger, more capable companies.

Both of these sound great, but somebody somewhere has to pay for all this. There are new spending initiatives included in the strategy, but they are focused more on training of a new generation of cyber talent, not so much on the shifting playing field. To achieve the two goals, then, the strategy relies more on stick than carrot.

If you’re a defender of your organization, you don’t need to worry too much about the stick that will be applied to bad actors – you can just take some comfort in the idea that the government has a renewed emphasis on pursuit, hacking back, and on punishment. But that doesn’t mean you can rest. The strategy specifically calls for increased regulation, and even liability, of online businesses – and this means pressure.

We’ve heard plenty of talk about resilience over the last few years in this industry, but now we’re talking about a requirement for resilience.  This means defenders have to do more than just achieve some reasonable level of security – they also have to be able to show they are effective. We don’t test the resilience of buildings by knocking them down every once in a while, just to see – instead, we inspect plans and demand that architects and builders can show how they know their buildings are safe. Expect this kind of thinking to come home to roost in cybersecurity – not just exhortations to do better, but real requirements to prove resilience.

OK, but if your job is securing an organization that is going to face this increased regulation and liability, what can you do?  It’s no longer enough to just follow compliance check-lists and formalities – that can prove you’ve got a compliance program, but it won’t show resilience.  A check-list attestation is the cybersecurity equivalent of being able to fog a mirror – hardly the same as being able to demonstrate fitness or health!

The new strategy requires resilience – both being resilient, and being able to show it. Resilience means, first and foremost, realizing that incidents will happen, but planning ahead to contain the damage. A resilient army is not one that avoids ever getting into combat – it’s an army that has the resources and planning to bounce back and continue to fight. Likewise, your network needs to be able to bounce back, if you’re to have any hope of meeting the requirements of the new national strategy.

This means you need to map out your whole environment – physical sites and across cloud networks. You need to understand what depends on what, and where attacks can spread.  It’s going to require a complete inventory – a challenging objective in itself – but beyond that, some means to demonstrate that a failure in one part of your environment won’t bring it all down. This is the goal of the strategy – resilience, and ability to demonstrate resilience; for those who cannot, new fines, new regulations, and an uphill battle to compete with those organizations who have resilience plans baked right into their networks.

Fortunately, this shift doesn’t require super-human efforts and endless nights at the keyboard. The effort to map out your environment, and see where there are resilience gaps, is automatable. The new strategy presents a new opportunity to get funding and executive buy-in for better, more efficient resilience planning, as a competitive advantage instead of a burden.

RedSeal’s unique approach – mapping out your whole environment, including on premises and in the cloud, and then finding and prioritizing defensive weaknesses and resilience gaps – is an ideal fit into your response to the National Cybersecurity Strategy. And make no mistake – you will need a response, ready or not. New regulation is coming, new liabilities are coming. These are not designed to punish all market participants – rather, they are designed to shift the playing field in favor of those who can deliver resilience, leaving behind those who are stuck in the past.

Tales from the Trenches: Vol 8 — Is that what you are going to say to the Auditor?

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Brad Schwab, Senior Security Solutions Consultant addresses a tricky network scanning question and how to verify with RedSeal.

Is that what you are going to say to the Auditor?

One of the biggest elephant in the room questions for Security Operations groups that deal with Vulnerability Scanners is very simple to state, but very, very tricky to answer, “are you sure you are scanning the entire network?” Sounds like it should be a simple yes or no answer. However, with any network of scale, the answer can be almost impossible to verify.

I was in a high level meeting for a large Health Organization with the CTO, head of Network Operations (NetOps), the head of Security Operations (SecOps), along with other people that had different stakes in the performance and security of the network. Since the network was the main instrument supporting the “Money Engine” of the operation, all attendees were laser focused on answers to any questions.

At a certain point in the meeting Wendy, the head of SecOps was talking about the scanning program. More specifically, she was speaking about procedures created to scan the entire network. The entire network!? So, at this point, I had to ask the question, “how do you know you are scanning the entire network?” She pointed to Bill, the head of NetOps and said “Bill said I could…”. That is where I looked at Bill, and said “is that what you are going to put on the audit, “Bill said I could?” Now, Bill and I had a good working relationship, and he knew that I was having a bit of fun at his expense, however, others in the room weren’t going to gloss over the subject, and began to pepper both Bill and I with questions. I proceeded to line out where the difficulties were in answering, with the following questions:

  • Does the scanner have a complete list of all IP space on the network that needs scanned?
  • Are there any overlapping subnets? If so, that overlapped portion of a subnet is not visible to the scanner. Thus, creating a possible hiding place for a bad actor.
  • Is there any duplicate IP space in the network? – again creating blind spots to any scanner.
  • And finally, the hard part, does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture via Access Control Lists and Routing is blocking the access or not granting the access, then the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work. Beyond the logical access issue, no one had thought of the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data, thus possibly not part of the IP list giving to the scanner, overlapping subnets and duplicate IP space. At the same time, I explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “with these features, you can have comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both NetOps and SecOps of additions and changes required by both teams to make their Vulnerability Program complete.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Why Visualizing the Entire Healthcare Attack Surface Is Critical

/by

In recent years, the healthcare sector has been steadily adopting web and cloud-based technologies and shifting towards an internet-enabled system to improve quality of care.

However, along with the limitless benefits that the internet offers — like sharing information, simplifying operational processes, tracking workflows, enhancing connectivity, and storing and organizing data — is an increased risk of cyberattacks, data breaches, and other types of fraud. This makes hospitals and healthcare organizations increasingly vulnerable to advanced threats and targeted attacks.

According to recent reports, data breaches in the healthcare sector have been rising at an alarming rate for the last five years. In 2020, during the COVID-19 pandemic, email-based attacks increased by 42%, so it’s no wonder that more and more healthcare organizations are adopting a robust, multi-faceted strategy to improve their security posture. Hospitals’ expanding digital footprint also complicates their network infrastructures, making complete visibility into the entire attack surface extremely essential to managing cyber risks effectively.

Expanding Healthcare Attack Surface Risks

The widespread use of wireless technology is undoubtedly beneficial to the healthcare system. Wireless technology enables healthcare IT infrastructures to run data center servers, medical equipment, tools and applications, and other devices like smartphones, tablets, and USB drives. Organizations stay connected to deliver effective operations and consistently informed care.

These connected devices help in patient monitoring, medication management, workflow administration, and other healthcare needs. However, the increased number of devices connecting to the network also broadens the attack surface — meaning more entry points for unauthorized access and therefore the need for enhanced infrastructure visibility to mitigate risks.

Why Complete Visualization Is Essential

From booking an appointment to setting foot in the doctor’s clinic or hospital, patients go through several processes and interact with different interconnected devices and software systems. While a connected environment ensures a seamless patient experience, the different touch points provide more opportunities for attackers to gain access to sensitive data.

Currently, there are 430 million linked medical devices deployed globally, connected through Wi-Fi, Bluetooth, and radio transmission. The sheer amount of sensitive and personal information healthcare systems capture and process is why their systems are desirable targets. Therefore, it is critical to safeguard the data stored in these systems.

Protected health information (PHI), such as credit card and bank account numbers, and personal identification information (PII), such as social security numbers, are data cybercriminals find particularly alluring. Selling this sensitive information on the dark web is a very profitable business.

Even just a small part of the healthcare technology spectrum may lead to the greatest cybersecurity gaps, allowing criminals to exploit vulnerabilities and gain access to sensitive data. The resulting cyber crimes directly impact organizational productivity and brand reputation.

Here are a few risks that are most detrimental to healthcare businesses’ bottom lines and reputations.

  • Ransomware: Healthcare services are notably vulnerable to ransomware attacks because they depend on technology to a significant extent, considering the nature of their day-to-day operations. Health records are highly rewarding for criminals because each patient, hospital, or confidential record can command a hefty price in the underground market.
  • Phishing: Phishing attacks are quite common in healthcare. Attackers target the most vulnerable link in the security chain, i.e., people, to make their jobs easier. Through social engineering, users click on malicious attachments or links, thereby infecting their systems and losing access. The repercussions can be disastrous and the losses unimaginable. For instance, a Georgia diagnostics laboratory recently discovered that an employee’s compromised email account led to a phishing attack, impacting 244,850 individuals. The attackers were able to acquire patient information and then attempted to divert invoice payments.
  • Cloud Storage Threats: Many healthcare providers are now switching to cloud-based storage solutions for better connectivity and convenience. Unfortunately, not every cloud-based solution is HIPAA-compliant, making them clear targets for intruders. Healthcare companies must implement access restrictions more carefully and encrypt data properly before transmitting. Additionally, complete visualization of the attack surface is necessary to prevent data breaches, data leaks, improper access management, and cloud storage misconfiguration.

How to Protect Expanding Healthcare Attack Surfaces

Attack surface analysis can help identify high-risk areas, offering an in-depth view of the entire system. This way, you can better recognize the parts that are more vulnerable to cyber threats and then review, test, and modify the security strategies in place as necessary.

Healthcare IT administrators must secure the network infrastructure using stringent policies and procedures like enforcing strong passwords, properly configuring firewalls, setting up user access permissions, and ensuring authorized access to assets and resources. They must also monitor and properly configure all the devices connected to the network — be it standard healthcare devices or personal devices of patients and workers. In addition, a strong encryption policy can help increase data security, making it difficult for cyber attackers to penetrate the system.

Conducting regular attack surface scans can also mitigate cyberattack risks. This helps ensure security control measures are adequate and that decision-makers have the data they need to make informed decisions regarding the organization’s cybersecurity strategy. Also, all types of software and related updates for medical devices must be tested prior to installation.

Secure Your Entire Healthcare Network with RedSeal

Healthcare organizations often hesitate to invest in cloud security solutions. But the average cost of a healthcare breach is $9.23 million, which is far more than the cost of professional cloud security solutions. Additionally, healthcare institutions deal with extremely sensitive information, and fines for data security noncompliance can be extremely costly. Healthcare security leaders must be able to effectively visualize their entire attack surface to bolster their cybersecurity defenses.

RedSeal offers award-winning cloud security solutions that provide comprehensive, dynamic visualization of all connected devices. We partner with leading network infrastructure suppliers to provide comprehensive network solutions and professional services. This way, you can see and secure your entire network environment.

Contact us to learn how we can help strengthen your network security.

Tales from the Trenches: Vol 7 — You Can’t Always Get What You Want

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series, Bill Burge, RedSeal Professional Services places customer questions in full network context and reveals an even better solution with RedSeal.

You Can’t Always Get What You Want

While working with a large customer with multiple, interconnected, environments, their greatest fear was that infection in one environment might cross over one environment into the others.

They had purchased a managed service, which meant I was the primary RedSeal Admin. They approached me with a request and it was obvious they were having a possible “incident”. It was obvious they didn’t want to provide TOO many details, but I’ve spent enough time on both sides of these topics that I was pretty sure what I was up against.

Their request was simple to say, but that doesn’t mean it was simple to perform. “Can you give us a report of all the firewall rules that control this particular subnet?” For RedSeal, I can perform some queries that will do a pretty poor job of that when you factor in the multiple ways to cover a block of addresses in a firewall policy, groups, large masks, even the use of “any”. All these would have to be detected, expanded, broken out and apart, etc. It’s largely a fool’s errand.

So I politely declined. I gave a brief explanation of the dynamics and the fact that firewall policies would also have to be weighed against, and in conjunction with, router ACLs, and even routing. I always say “the firewall rules are only the verb in the sentence of access”. I offered an alternative: “Tell me the IP address that has been compromised, and I’ll tell you all the subnets it might have accessed, and all the vulnerabilities it might have exploited in the process.”

The customer’s response was: “You can do THAT? THAT’S even better! Let’s do it!”

I explained that calculating access is the foundation of RedSeal. As Mick Jagger says “you can’t always get what you want, but you just might find — you get what you need”.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Purdue 2.0: Exploring a New Model for IT/OT Management

/by

Developed in 1992 by Theodore J. Williams and the Purdue University Consortium, the Purdue diagram — itself a part of the Purdue Enterprise Reference Architecture (PERA) — was one of the first models used to map data flows in computer-integrated manufacturing (CIM).

By defining six layers that contain both information technology (IT) and operational (OT) technology, along with a demilitarized zone (DMZ) separating them, the Purdue diagram made it easier for companies to understand the relationship between IT and OT technologies and establish effective access controls to limit total risk.

As OT technologies have evolved to include network-enabled functions and outward-facing connections, however, it’s time for companies to prioritize a Purdue update that puts security front and center.

The Problem with Purdue 1.0

A recent Forbes piece put it simply: “The Purdue model is dead. Long live, Purdue.”

This paradox is plausible, thanks to the ongoing applicability of Purdue models. Even if they don’t quite match the reality of IT and OT deployments, they provide a reliable point of reference for both IT and OT teams.

The problem with Purdue 1.0 stems from its approach to OT as devices that have MAC addresses but no IP addresses. Consider programmable logic controllers (PLCs). These PLCs typically appear on MAC addresses in Layer 2 of a Purdue diagram. This need for comprehensive visibility across OT and IT networks, however, has led to increased IP address assignment across PLCs, in turn making them network endpoints rather than discrete devices.

There’s also an ongoing disconnect between IT and OT approaches. Where IT teams have spent years looking for ways to bolster both internal and external network security, traditional OT engineers often see security as an IT-only problem. The result is IP address assignment to devices but no follow-up on who can access the devices and for what purpose. In practice, this limits OT infrastructure visibility while creating increased risk and security concerns, especially as companies are transitioning more OT management and monitoring to the cloud.

Adopting a New Approach to Purdue

As noted above, the Purdue diagram isn’t dead, but it does need an update. Standards such as ISA/IEC 62443 offer a solid starting point for computer-integrated manufacturing frameworks, with a risk-based approach that assumes any device can pose a critical security risk and that all classes of devices across all levels must be both monitored and protected. Finally, it takes the position that communication between devices and across layers is necessary for companies to ensure CIM performance.

This requires a new approach to the Purdue model that removes the distinction between IT and OT devices. Instead of viewing these devices as separate entities on a larger network, companies need to recognize that the addition of IP addresses in Layer 2 and even Layer 1 devices creates a situation where all devices are equally capable of creating network compromise or operational disruption.

In practice, the first step of Purdue 2.0 is complete network mapping and inventory. This means discovering all devices across all layers, whether they have a MAC address, IP address, or both. This is especially critical for OT devices because, unlike their IT counterparts, they rarely change. In some companies, ICS and SCADA systems have been in place for 5, 10, even 20 years or more, while IT devices are regularly replaced. As a result, once OT inventory is completed, minimal change is necessary. Without this inventory, however, businesses are flying blind.

Inventory assessment also offers the benefit of in-depth metric monitoring and management. By understanding how OT devices are performing and how this integrates into IT efforts, companies can streamline current processes to improve overall efficiency.

Purdue Diagram

 

Controlling for Potential Compromise

The core concept of evolving IT/OT systems is interconnectivity. Gone are the days of Level 1 and  2 devices capable only of internal interactions, while those on Levels 3, 4, and 5 connect with networks at large. Bolstered by the adoption of the Industrial Internet of Things (IIoT), continuous connectivity is par for the course.

The challenge? More devices create an expanding attack surface. If attackers can compromise databases or applications, they may be able to move vertically down network levels to attack connected OT devices. Even more worrisome is the fact that since these OT devices have historically been one step removed from internet-facing networks, businesses may not have the tools, technology, or manpower necessary to detect potential vulnerabilities that could pave the way for attacks.

It’s worth noting that these OT vulnerabilities aren’t new — they’ve always existed but were often ignored under the pretense of isolation. Given the lack of outside-facing network access, they often posed minimal risk, but as IIoT becomes standard practice, these vulnerabilities pose very real threats.

And these threats can have far-reaching consequences. Consider two cases: One IT attack and one OT compromise. If IT systems are down, staff can be sent home or assigned other tasks while problems are identified and issues are remediated, but production remains on pace. If OT systems fail, meanwhile, manufacturing operations come to standstill. Lacking visibility into OT inventories makes it more difficult for teams to both discover where compromise occurred and determine the best way to remediate the issue.

As a result, controlling for compromise is the second step of Purdue 2.0. RedSeal makes it possible to see what you’re missing. By pulling in data from hundreds of connected tools and sensors and then importing this data into scan engines — such as Tenable — RedSeal can both identify vulnerabilities and provide context for these weak points. Equipped with data about devices themselves, including manufacturing and vendor information, along with metrics that reflect current performance and behavior, companies are better able to discover vulnerabilities and close critical gaps before attackers can exploit OT operations.

Put simply? Companies can’t defend what they can’t see. This means that while the Purdue diagram remains a critical component of CIM success, after 30 years in business, it needs an update. RedSeal can help companies bring OT functions in line with IT frameworks by discovering all devices on the network, pinpointing potential vulnerabilities, and identifying ways to improve OT security.

When Moving to the Cloud, Don’t Overlook Resources On-Premises

/by

Today’s cloud infrastructure is complex and constantly evolving. In the cloud, security controls are implemented by developers and DevOps teams while on-premises controls are implemented by the firewall/network operations teams. These can create significant knowledge gaps, leading to unknown attack points.

Most security spending these days is focused on the cloud and treated as a silo, but you can’t afford to ignore your on-prem resources and how the two entities work together.

Challenges with Protecting Cloud and On-Premises Resources

With resources moving to the cloud, most of the attention moves to cloud security and protecting the cloud perimeter and resources. Yet on-prem resources also have connections and exposure. However, you need a comprehensive security strategy that protects both cloud and on-premises resources.

Many organizations and vendors struggle with getting this comprehensive picture. For example, in many companies, in-house teams are responsible for managing on-prem resources while other teams or third-party providers monitor the security of cloud resources. At the same time, you have DevOps teams that are constantly evolving the cloud environment.

Different Languages

The products and tools being used in the cloud and on-premises domains are often disconnected and speak different languages as do the teams using them.

The problem is not people, however. It’s often the tools being used, like having a separate doorman on the front door (cloud) and back door (on-prem), and they both speak different languages and often have competing goals. While security teams are focused on mitigating exposure, DevOps teams are looking for a faster way to bring products to market. Competing goals can only aggravate language barriers.

Even highly skilled teams may not understand how other teams work. The technology is different, the configurations are different, and some nuances require expert interpretation and experience. Few team members will be conversant in both on-prem and cloud resources.

Greater Complexity

More than 90 percent of large organizations already employ multi cloud strategies; 80 percent use hybrid clouds.

This creates an even greater complexity for security and management. For example, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud use different names for instances and virtual machines. Azure calls them virtual machines (VMs), while Amazon has Elastic Cloud Compute (EC2) and Google has the Google Cloud Compute Engine.

Even when the same term is used, it can mean different things. For example, a virtual private cloud (VPC) exists in both AWS and Google, but they are different and operate differently.

This only increases the language barrier that hinders a comprehensive approach to security.

Lack of Understanding of Shared Responsibility

Organizations also assume their cloud service provider (CSP) will protect assets in the cloud. While CSPs such as AWS, Azure, Google Cloud, Oracle Cloud, and others provide robust security for their networks, it’s still the customer’s responsibility to protect their data.

Gartner estimates that 99 percent of cloud security failures are the fault of the customer, not the CSP. The sheer volume of configuration settings and pathways to critical resources makes it difficult to manage security in the cloud. When you add in on-premises data centers or servers that are connected, the infrastructure becomes even more complex.

Constant monitoring and continuous compliance should be a shared responsibility between providers and organizations.

Not Monitoring Resource Misconfigurations

Most vendor security solutions are only as effective as how they’re configured. Yet few are monitoring that and telling you where these configurations are causing potential problems.

You need a comprehensive, end-to-end understanding of your cloud and on-prem infrastructure to analyze every configuration and security policy. While you may have cloud security tools for each environment, you need complete cloud network visibility to protect your infrastructure, look for exposure, and find security gaps.

Are You Seeing the Whole Picture?

Nearly every organization has at least some on-premises that are connected. The challenge often comes when it’s time to configure the right access for communication. You need to ensure that nobody on the cloud side can attack on-prem resources or vice versa. That’s why total visibility is essential.

If you’re not seeing the whole picture, it’s easy to miss attack points. Securing your infrastructure requires you to detail what you have, how it’s connected, and what’s at risk.

You need to:

  • Know what you have in your total infrastructure
  • Understand how everything is connected
  • Determine where your exposure is — all attack paths to cloud and on-premises
  • Uncover what policies or configurations created the exposure

Only then can you remediate problems and plug security gaps. You must understand how your cloud and on-prem resources are all interconnected to determine and mitigate your total risk.

Managing Cloud and On-Prem Resources

Some organizations turn to Cloud Native Application Protection Platforms (CNAPP) as a way to provide visibility amid the complexities and the constant evolution of hybrid resources. Yet all existing CNAPP solutions don’t understand on-Premises and are insufficient to identify access via all attack path and associated risk. Most tools call into the application programming interfaces of cloud service providers, looking for misconfigurations at the compute and container levels. However, they don’t fully understand end-to-end access.

CNAPP is an important weapon in the battle to secure the cloud, but most vendor solutions simply do not provide the total visibility you need across cloud and on-prem resources. RedSeal solves these problems.

RedSeal on-premises and RedSeal Stratus in the cloud provide a complete view of the entire infrastructure. They identify the gaps in your security by pinpointing attack points and any hidden pathways. This analysis also determines the underlying reason why these attack points exist and what needs to happen to remediate them.

RedSeal solutions also work across borders. They provide the platform to speak to DevOps and firewall/network operations teams in the right way, helping eliminate language barriers. This way, you get benefits across borders for cloud and on-prem, enabling you to identify security issues across the entire infrastructure by driving collaborations between the teams and building trust.

Protect Your Entire Infrastructure

On-premise and cloud resources cannot be protected in a silo. Working in tandem with a shared responsibility model, a hybrid solution with RedSeal provides continuous monitoring and compliance across both on-prem and cloud resources, identifies gaps, and helps you protect your entire infrastructure.

Tales from the Trenches: Vol 6 — Barely-Passive Aggressive

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Bill Burge, RedSeal Professional Services shows the network as configured, not necessarily as designed, with RedSeal.

Barely-Passive Aggressive

While working with a global reach chip manufacturer, a new member was added to those who helped manage RedSeal.

He had spent over a dozen years working his way up the Network Operations group to become one of their top network architects, and his knowledge of the network was determined to be of great value to the Security Architecture group.

As we were reviewing some of the RedSeal findings and giving him a tour of the capabilities of the deployment, it was pretty obvious he was neither impressed nor entertained. With his history of designing, building, and managing the network; he was almost offended that some product could tell him ANYTHING that he didn’t already know about his network.

Reviewing Model Issues, specifically Overlapping Subnets, I’m explaining how there can be multiple reasons why they might exist, but many times they are a simple typo in a netmask. We found such an example.

He proceeds to dig into the config with the intent of showing us how “RedSeal got it wrong”. (I’m preparing for this to spiral into a very bad scene.)
He finds the line, and he finds the typo.

The room gets REAL quiet and I’m holding my breath. Finally, he sits back in his chair and visibly deflates. He then offers “That’s probably been in there for over a DECADE!”
Then he starts laughing and says “I’m probably the person that put it in there!”

After that, he wanted to see “everything!”
He says “There’s 18 months worth of work to fix just the things I’ve seen today!”  His teammates point out to him: “Yes, but it’s not YOUR job anymore to fix it.” (Big smile.)

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

How to Navigate the Shifting Healthcare Cybersecurity Landscape

/by

Cyberattacks and data breaches in the healthcare sector are increasing at an alarming rate, especially during the pandemic when patient communications and records moved online.

Between March 2021 and February 2022, over 42,076,805 healthcare records were exposed. Businesses lose an average of $10.10 million per healthcare data breach, while lost or stolen protected health information (PHI) and personally identifiable information (PII) cost the U.S. healthcare industry billions of dollars annually.

Valuable data makes healthcare organizations a prime target for cybercriminals. Meanwhile, the fast-shifting technology landscape makes it more challenging than ever to keep up with the latest cybersecurity best practices.

Let’s look at the many factors causing today’s cybersecurity nightmare and how you can navigate the changing healthcare cybersecurity landscape with the right technology and processes.

The Healthcare Sector Faces Ongoing Cybersecurity Challenges

The healthcare industry is complex. Various factors have come together in recent years to create the perfect storm for bad actors to breach networks and steal data.

High-Value Target Data: PHI and medical records are sought after by criminals because they’re worth 10 to 20 times the value of credit card data on the dark web. Meanwhile, biomedical and pharmaceutical research and development data drive a $160-billion industry. Criminals can often use the stolen credential to breach multiple targeted systems, giving threat actors many ways to cause damage through lateral movements.

Fast Adoption of New Technologies: The healthcare industry has been implementing connected medical devices (medical IoT) at a rapid pace. The equipment often uses unregulated mobile applications for processing and transmitting PHI and PII. Additionally, many facilities don’t have the proper security protocols to support the proliferation of devices connected to their networks — creating a large attack surface cybercriminals can exploit.

Overworked and Undertrained Personnel: Employee training is key to preventing social engineering schemes, phishing scams, and ransomware attacks — after all, it takes only one staff member to open one malicious attachment to infect the entire system. However, many healthcare facilities fail to provide sufficient cybersecurity education to their employees. Even end users with the knowledge and best intention often let their guard down because of environmental factors, such as distraction and excessive workload.

Competing Operational Priorities: Operational needs, often urgent, require personnel to prioritize speed of information sharing over data security. Meanwhile, facilities must comply with large-scale data portability regulations that require them to make health records and other sensitive information available in digital and sharable formats. These processes can increase the risks of data breaches if providers don’t have the proper security measures in place.

Budgetary Constraints: Healthcare organizations have limited IT budgets, and their tech teams are often stretched thin. They spend most resources on acquiring and implementing new technology solutions to stay current and competitive, leaving few to secure and maintain their networks. Many organizations don’t have in-house security teams and often outsource the function without assigning any internal stakeholders to coordinate the activities or monitor the outcomes.

Inconsistent Cyber Hygiene: Many healthcare facilities are stuck with legacy systems that are no longer supported by the vendor and can’t be upgraded with the latest security features. As such, they introduce permanent vulnerabilities into the organizations’ networks. Additionally, integrating new and old technology solutions may create interoperability dependencies, network segmentation risks, and blind spots hackers can exploit.

The Pandemic Caused New Issues in Healthcare Cybersecurity

The healthcare industry played a front-and-center role during the COVID-19 pandemic, which necessitated the rapid adoption of digital technologies. While the accelerated digital transformation brought many benefits, it also created various cybersecurity concerns.

An Abrupt Shift to Remote Working: Many non-frontline functions moved to a remote working environment in response to lockdowns. Healthcare organizations lack the time and resources to provide adequate security training to remote workers, implement endpoint protection capabilities, and develop remote system backup and recovery plans to build business resiliency and protect themselves from the consequences of ransomware attacks and data loss.

Rapid Procurement and Implementation of Security Tools: The rapid transition to cloud-based platforms for the new hybrid work environment increased the likelihood of misconfigured security settings and mismanaged security tool deployments. Many organizations also lack plans to maintain and sustain the new platforms and technologies, leading to oversight and creating opportunities for threat actors to strike.

Duration and Scope of the Global Crisis: The pandemic created long-term uncertainty. It increases the stress on individuals and society, which, in turn, raises the population’s susceptibility to social engineering. Meanwhile, the need for coordinated responses from facilities across the nation and authorities around the world requires unconventional partnerships and data-sharing practices that caused chain reactions, increased risk factors, and exposed vulnerabilities.

Navigating the Cybersecurity Nightmare in Healthcare: Today’s complex cybersecurity landscape isn’t easy to navigate, especially in the high-stakes healthcare sector. The rise of remote work and telemedicine, plus the proliferation of connected medical devices, has increased the attack surface dramatically. Budget constraints, competing priorities, and lack of employee training leave a lot of opportunities for hackers to exploit. Also, healthcare providers must comply with increasingly stringent data privacy laws to avoid fines and lawsuits.

A Multi-Layer Approach to Cybersecurity: You need a multi-prong approach to address various challenges. The process starts with gaining visibility across all your network environments to understand who has access to what information. Then, prioritize vulnerabilities and resolve gaps in your scan coverage.

Don’t forget to address all your cloud platforms, especially if you have a hybrid environment that combines cloud applications with legacy software where the connections can become weak links and blind spots. Moreover, you must stay current with all relevant data privacy laws, adhere to the latest security configuration standards, and ensure that your vendors and partners are also compliant to protect your data from supply chain attacks.

RedSeal can help you build a solid foundation by creating in-depth visualizations of your security infrastructure. We then use the insights to prioritize your vulnerabilities and automate your compliance process. Get in touch to see how we can help you assess, remediate, and mitigate your security processes and infrastructure.