Tag Archive for: Network Defense

The Eyes Have It: Six Commonly Overlooked Cybersecurity Threats

It’s been a banner year for cybersecurity threats. According to the Identity Theft Resource Center (ITRC), the number of breaches reported as of September 30th, 2021, already exceeds the total number of breaches in 2020. And while rapid shifts to remote and hybrid work are partly responsible for this increase, attackers are also taking this opportunity to expand their efforts and find new ways to confuse security tools, confound infosec defenders and compromise critical services.

The result? Even with a focus on security, businesses often overlook cybersecurity threats that could cause substantial harm. Here’s a look at six commonly overlooked concerns and what companies can do to mitigate the risk.

The State of Cybersecurity in 2021

In many respects, 2021 has marked a return to form for attackers — threats such as phishing and ransomware are on the rise, as are the use of advanced persistent threats (APTs) to conduct reconnaissance and collect data. The result is a familiar landscape for information security professionals: Teams need to establish and maintain defensive systems capable of detecting, identifying, and removing common threats.

But there’s also an evolution of attacker efforts. Not only are they broadening their horizons, but they’re also selecting new targets: Small and midsize businesses now account for more than 70 percent of all attacks. With many of these businesses now storing valuable personal and financial data but often lacking specialized IT teams and robust infrastructure, attackers are more likely to get in — and get out — without being noticed.

The result is a changing security landscape that requires both active observation and robust response from IT teams. Unfortunately, continual monitoring for common threats often shifts the focus to the growing forest of technology threats — and leaves companies struggling to see the trees.

Six Overlooked Security Threats

Despite best efforts, it’s easy for teams to overlook cybersecurity vulnerabilities. Six of the most commonly neglected threats include:

1. Ineffective Encryption

Encryption remains a front-line defense against both familiar and overlooked security threats. If attackers can’t use data they steal, its value to them is significantly reduced. The challenge? Many businesses still rely on outdated encryption models that are easily circumvented or fail to consider the continuous movement of data across internal networks and external connections.

2. Open Source Solutions

Open source tools and application programming interfaces (APIs) are great ways for companies to reduce the work required to build new apps and services. But there is a caveat. These open solutions may contain critical vulnerabilities that could be exploited to compromise critical data.

3. Phishing 2.0

While phishing efforts remain popular, attackers now realize the need for innovation as businesses become more security-savvy. As a result, the quality of phishing emails has increased substantially over the past few years. Gone are the obvious grammar and spelling mistakes. Instead, they’ve been replaced with socially-engineered data and details designed to fool even experienced team members.

4. IoT Interconnection

The Internet of Things (IoT) offers a way to connect mobile devices, sensors, and monitoring to help streamline operations. But this same interconnection creates an increased attack surface that provides malicious actors multiple points of compromise.

5. Malvertisements

Malvertising — the process of using online ads to spread malware — is once again on the rise. By injecting malicious ads into legitimate ad networks, attackers can compromise even well-defended networks to capture user behavior and log keystrokes.

6. Invisible Assets

What you don’t see can hurt you. This is especially problematic as companies expand into multiple cloud networks. More devices and apps mean less visibility, which in turn increases the chance of a successful attack.

Potential Harms of Unseen Threats

The potential harms of unseen threats vary with the nature and depth of each threat, and they scale accordingly. In general, however, businesses face three broad harms if attacks are successful.

Operational Impacts

First up are operational impacts. Consider the SolarWinds attack reported in late 2020. Attackers actually compromised the company’s system much earlier last year, allowing them to conduct significant data collection and eventually exploit SolarWinds’ IT management platform, which more than 33,000 companies use. As a result, more than 18,000 companies were rendered vulnerable to cybersecurity attacks and had to interrupt operations temporarily to get systems back on track.

Compromised Compliance

The next potential harm of unseen threats is compromised compliance. If companies don’t have processes and procedures to detect and mitigate attacks ASAP, they may fail to meet security due diligence obligations as outlined in compliance regulations. Sanctions or fines can result.

Reputation Damage

Finally, unseen threats can lead to severe reputation damage. While customers are now willing to share their personal and financial data if businesses can offer increased personalization and improved service, they also have no patience for companies that lose or misuse this information. If attacks go undetected and consumer data is compromised, your business reputation may be irreparably damaged.

Four Steps to Mitigate Risk

While it’s impossible to predict every potential threat to your network — or account for the evolution of attack vectors — there are four steps companies can take to mitigate cybersecurity risk.

1. Discover your assets. What services and software are on your network? How do these solutions connect and interact with other operations? Locally? At scale? Complete asset analysis helps you discover what you have so you can protect what matters.

2. Conduct a vulnerability assessment. Next, you need to determine where your assets are vulnerable with an in-depth scan of all interconnected resources. This provides both increased visibility of detected assets and can also help uncover “blind spots” that need attention.

3. Triage your findings. Prioritization is the third step in this risk mitigation process. By considering potential severity and asset value along with upstream and downstream access requirements, your teams can prioritize defensive efforts.

4. Remediate your issues. Finally, you need a plan to remediate and mitigate overlooked issues. In practice, this includes the identification of precise access paths and devices that require updating or adjustment to isolate, contain and eliminate potential threats.

Keeping Your Eyes on the Prize

The goal of any infosec effort? To defend networks, services, and people from harm. Unfortunately, traditional tools can’t keep up with the volume and variety of cyberattacks in today’s environment. To maximize protection and stay ahead of potential threats, organizations need to boost visibility with vulnerability best practices that help teams zero in on overlooked cybersecurity threats.

See more to secure more: Learn more about Network Vulnerability Best Practices with RedSeal.

3 Ways Social Distancing Can Strengthen your Network

Dark Reading | July 31, 2020

Security teams can learn a lot from the current pandemic to make modern hybrid business networks stronger and more resilient. Here’s how.

We all know the role social distancing plays in combating COVID-19. Most people also understand why this is our primary line of defense; it’s about slowing down the progress of the disease to prevent our healthcare defenders from being overwhelmed. Today’s network security teams live in a similar shifting landscape and need to apply these same ideas to avoid getting overwhelmed. Here are three tactics to help “social distance” your network.

Tactic 1: Focus on Flare-ups

Keep Up with the Basics


I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold. What are these magazines supposed to do? Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”

The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again. The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.

The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.

And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.

So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated. For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly. We should listen to their advice.

Closing (and bolting) the back door in ScreenOS

by Dr. Mike Lloyd, CTO RedSeal

The recently disclosed back door in Juniper’s ScreenOS software for NetScreen firewalls is an excellent reminder that in security, the first and foremost need is to do the basics well. The details of the vulnerability are complex and interesting (who implanted this, how, and what exactly is involved?), but that is not what matters for defenders. What matters is knowing whether or not you have basic network segmentation in place. This may sound counterintuitive – how can something as routine as segmentation solve a sophisticated problem like this? But this is a textbook example of the benefits of defense in layers – if you think too much about only one method of protection, then complex things at that layer have to be dealt with in complex ways, but if you have layers of defense, you can often solve very complex problems at one layer with very simple controls at another.

The vulnerability in this instance involves a burned-in “skeleton key” password – a password capable of giving anyone who can use it potentially catastrophic levels of control of the firewall. To compromise your defenses when you have this particular version of software installed, an attacker needs only two things – 1) the magic password string itself, which is widely available, and 2) the ability to talk to your firewall. For point 1, the cat (saber-toothed in this instance) is long since out of the bag, but point 2 remains. If someone can talk to your firewall and present a credential, they can present the magic one, and in they go, with full privilege to do whatever they want (for example, disabling all the protections you bought the firewall for in the first place). No amount of configuration hardening can prevent this, since the issue is burned into the OS itself. But what if the attacker cannot talk to the firewall at all? Then the magic password does no good – they cannot present a credential if they cannot talk to the firewall in the first place.

So note that someone who relies on strong password policies has a real problem here. If you think “it’s OK to allow basic access to my firewalls, nobody can get in unless I give them a credential”, well, that’s clearly not true. Unfortunately, many network defenses are set up in this way. If you think about this problem at the password or credential layer, the situation is a disaster. But if you think about multiple layers, something more obvious and more basic emerges – why do you need to allow anyone, coming from anywhere, to talk to your firewalls at all? You should only ever need to administer your infrastructure from a well-defined command and control location (using “C&C” in the positive sense used by the military), and you can lock down access so that only people in this special zone can say anything AT ALL to your firewalls and the rest of your infrastructure – you effectively reduce the attack surface, directly mitigating the huge risk of this kind of vulnerability. Thinking in layers moves the question from “how do I prevent someone using the magic password?” (Answer: if you have the vulnerable software, you can’t), over to the easier and better question, “How do I limit access to the management plane of the firewall, to only the zone I run management from?”

Cyber Concerns Dominate 2015 AFCEA TechNet Asia Pacific

by Derek Heese, RedSeal’s director, Department of Defense

I recently returned from Hawaii where I attended the AFCEA TechNet Asia Pacific trade show for the fifth time in a row. It’s always a good opportunity to hit a couple of birds with one stone: meet with some customers, develop relationships with new prospects and hear which issues and initiatives are getting the highest attention.

It wasn’t a surprise given the events of the past few years, but I was pleased to hear the deputy commander of the Pacific fleet, Rear Admiral Phillip G. Sawyer say, “If you’re not resilient in communications, you’re not relevant.” Of course, this applies to the traditional communications infrastructure as well as to cyber security.

As another speaker, Maj. Gen. Dave Bryan, USA (Ret.), pointed out, “We’re at war in cyberspace, and this has been a hard lesson to learn.” He added that the threat lies not to network access or to the network itself, but to the data. “It’s the database, stupid,” he said. “Look for the technologies coming out that protect the database.”

Adm. Dick Macke, USN (Ret.), former commander, U.S. Pacific Command, offered deductive reasoning to set a high priority for cyberspace. “Cyber equals C2 [command and control], C2 equals victory. Therefore, victory needs cyber,” he stated. Adm. Macke called for the ability to beat the enemy at its own game. “We’re going to be attacked, and we are going to lose some part of our C2,” he warned. “I’m a warfighter, and I want rules of engagement that allow me to attack [cyber] before I have to defend.”

Needless to say, we had a steady stream of visitors drop by our booth, mostly new prospects, asking how RedSeal could provide solutions to their various problems. Network mapping. Vulnerability identification. Automating security controls. As one Navy officer said, “If you have to do it more than twice, automate it.”

I agreed. And we scheduled a demo of RedSeal for his team this week.

US & UK Joint Wargames – let’s not wait for Pearl Harbor

The idea of the US and UK working together on war-games is a good one. It recognizes that we are in a war, and that we are losing. We need to improve our defensive game. Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.

The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense. War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance. Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations. This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities. The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all. War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first. Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.

Security’s Nightmare: Negative Unemployment

Unemployment is bad, so negative unemployment must be good, right? Um, no. (I’ll steal a line from Douglas Adams: “It’s unpleasantly like being drunk” … “What’s so unpleasant about being drunk?” … “Well, ask a glass of water.”) Security as an industry is short-staffed – critically so, and it’s getting worse.

This came into sharp focus with the recent suit between MasterCard and Nike. I’ve no comment on the specifics of the case, but the general lesson is clear: security geeks are in desperately short supply. When I think of where this industry was just a few years ago, it would have been preposterous to imagine two household name, world class companies unleashing lawyers over such a fracas.

This is why security automation is such a big deal. Security teams everywhere are drowning in unaddressed, basic problems. We know plenty about what we need to do, but we just can’t get it all done – there aren’t enough fingers on the keyboards. (Anyone remember “The 5,000 Fingers of Dr T”?) We need machines to prioritize all the signal overload; there’s no other way to make headway.

Identify and Close Before the Bad Actor Exploits

It happened again yesterday. I was taking a break on my back porch and listening to the Colorado summer rain when an alert hit my phone: news of another breach. They seem to be coming with a disturbingly increasing regularity and with ever more serious consequences. For example, one company, Code Spaces, was completely destroyed when they refused to pay an attacker who then destroyed their customers’ data. The Energetic Bear group accessed utilities’ networks and could have launched attacks against them. In all likelihood, the number, extent, and severity of these attacks will simply continue to expand.

So what do you do? The good news is that the steps are well known and understood: place security controls into your network to isolate a set of subnetworks (typically called “zones”) and both set and monitor the potential access paths between the zones. This is the first set of defenses against attacks, and one which many organizations do not fully deploy.

It is common for me to see organizations that partially deploy zones – but do not monitor their implementation. This is akin to the multi-petabyte database that contains one incorrect byte of information: you can trust none of the information as a result.

So, the first step is to create clear and concise zones in your network and to analyze all potential access paths through your network to be sure that your zone rules are respected network-wide.
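The zone access-path check described here and the management-plane restriction argued for in the ScreenOS post above are the same verification problem, so one added example (not RedSeal’s code, and not from either post) covers both: a Python script that evaluates an ordered, first-match rule list for every pair of zones and reports any permitted flow that the intended policy does not allow. The zone addresses, rules and policy are constructed, and using one representative host per zone is an assumption that simplifies the path analysis.

```python
import ipaddress

# Constructed sample zones: name -> one representative host (assumption: a
# single host stands in for the whole zone, which simplifies the analysis).
ZONES = {
    "mgmt": "10.0.0.10",         # the zone administration is run from
    "corp": "10.1.4.20",
    "internet": "198.51.100.7",
    "firewall": "203.0.113.1",   # the firewall's own management interface
}

# Intended policy: the only (src zone, dst zone, port) flows that may exist.
POLICY = {("mgmt", "firewall", 22), ("mgmt", "corp", 22), ("corp", "internet", 443)}
CHECKED_PORTS = (22, 443)

def first_match(rules, src_ip, dst_ip, port):
    """Ordered rule list, first match wins; no match means implicit deny.
    A rule is (src CIDR, dst CIDR, port or 0 for any, 'permit'|'deny')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule_src, rule_dst, rule_port, action in rules:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and rule_port in (0, port)):
            return action == "permit"
    return False

def reachability(rules):
    """Every zone-to-zone flow the rules permit between the representatives."""
    flows = set()
    for src_zone, src_ip in ZONES.items():
        for dst_zone, dst_ip in ZONES.items():
            for port in CHECKED_PORTS:
                if src_zone != dst_zone and first_match(rules, src_ip, dst_ip, port):
                    flows.add((src_zone, dst_zone, port))
    return flows

def violations(rules, policy=POLICY):
    """Permitted flows the policy does not allow, sorted for stable output."""
    return sorted(reachability(rules) - policy)

# Weak rule set: the firewall's management port is open to any source (the
# exposure the ScreenOS post describes) and corporate egress goes "anywhere".
WEAK_RULES = [
    ("0.0.0.0/0", "203.0.113.1/32", 22, "permit"),
    ("10.1.0.0/16", "0.0.0.0/0", 443, "permit"),
]
# Hardened rule set: management-plane access only from the mgmt zone, with
# explicit denies shielding the firewall and the mgmt zone from everyone else.
HARDENED_RULES = [
    ("10.0.0.0/24", "203.0.113.1/32", 22, "permit"),
    ("10.0.0.0/24", "10.1.0.0/16", 22, "permit"),
    ("0.0.0.0/0", "203.0.113.1/32", 0, "deny"),
    ("0.0.0.0/0", "10.0.0.0/24", 0, "deny"),
    ("10.1.0.0/16", "0.0.0.0/0", 443, "permit"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "violations:", violations(rules) or "none")
```

The weak set is flagged not only for the world-reachable management port but also for the over-broad corporate egress rule, which is exactly the kind of unmonitored zone leak the post warns about.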

Do you do this? If so, what’s your approach?