Tag Archive for: RedSeal

Accidental Cloud Exposure – A Real Challenge

The recent disclosure that Toyota left customer data accidentally exposed for a decade is pretty startling, but it can serve as a wake-up call about how cloud problems can hide in plain sight.

It’s not news that humans make mistakes – security has always been bedeviled by users and the often foolish choices they make. Administrators are human too, of course, and so mistakes creep into our networks and applications. This too is a perennial problem. What’s different in the cloud is the way such problems are hard to see, and easy to live with until something bad happens. Cloud isn’t just “someone else’s computer”, as the old joke goes – it’s also all virtual infrastructure. If you’ve never seen how cloud infrastructure is really built and managed, you may not realize how inscrutable it all is – think of it like a computer in an old movie from the 1970s, all blinking lights and switches on the outside, but no way to see what is really happening inside. These days, we are used to visual computers and colorful phones, where we can see what we are doing. Cloud infrastructure is not like that – or at least, it is not if you just use the standard management interfaces, which are frustrating, opaque, and vendor-specific. Are there ways to escape the lock-in to your specific cloud vendor? Sure – inventions like Kubernetes free you up, but the price is even worse visibility, as you drive everything through shell scripts, CLI commands, and terminals. The 1970s computer has moved up to the 1980s green screen, but it’s a far cry from anything visual.

I don’t mean to just pick nits with the old-world interfaces of cloud – this isn’t a debate about style, it’s a problem with real world consequences, especially for security. You can’t see through a storm cloud in the sky, and similarly, you really can’t see what’s going on inside most cloud applications today, let alone ensure that everything is configured correctly. Sure, there are compliance checkers that can see how individual settings are configured, but trusting these is like saying a piece of music is enjoyable because every note was tuned exactly – that rather misses the big picture of what makes music good, or what makes a cloud application secure.

This is why you need to be able to separate security checking from the CI/CD pipelines used to set up and run cloud infrastructure. The much-hyped idea of DevSecOps has proven to be a myth – embedding security into DevOps teams is no more successful than embedding journalists with platoons of soldiers. The two tribes don’t see the world the same way, don’t have the same objectives, and largely just frustrate each other’s goals.

Central security has to be able to build the big picture, and needs to check the ultimate result of what the organization has set up. Ideas like “shift left” are good, but do not cover the whole picture, as the Toyota exposure makes clear. Every detail of the apps was working, and was quite likely passing all kinds of rigorous low level checks. But just like checking whether each note is tuned correctly, while not listening to the piece as a whole, Toyota lost track of the big picture, with all the embarrassment that goes with admitting a ten year pattern of unintended exposure.

Solving this is the motivating mission at RedSeal. We know what it takes to build a big picture view, and then assess exposure at a higher level, rather than getting stuck in implementation details. It’s the only way to make sure the song plays well, or the application is built out sensibly. This is why we build everything starting from a map – you can’t secure what you can’t see. This map is complete, end-to-end, covering what you have in the cloud and what you keep on your premises. We can then visually overlay exposure, so you get an immediate, clear picture of whether you have left open access to things that surprise you. We can give you a detailed, hop-by-hop explanation of how that exposure works, so that even people who are not cloud gurus can understand what has been left open. We can then prioritize vulnerabilities based on this exposure, and on lateral movement. And finally, we can boil it all up into a score that senior management can appreciate and track, without getting lost in the details. As Toyota found to their cost, there are an awful lot of details, and it’s all too easy to lose the big picture.

What Is a Cloud-Native Application Protection Platform (CNAPP), an Extension of CSPM?

Modern businesses are increasingly storing data in the cloud, and for good reason — to increase agility and cut costs.

But as more data and applications migrate to the cloud, the risk of data and systems being exposed increases. Conventional security methods aren’t equipped to manage containers and serverless environments, so gaps, silos, and overall security complexity increase.

This is where Cloud-Native Application Protection Platform (CNAPP), an extension of Cloud Security Posture Management (CSPM), excels. This new cloud platform combines the features of CSPM, Cloud Infrastructure Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPPs), CI/CD security, and other capabilities into a unified, end-to-end encrypted solution to secure cloud-native applications across the full application lifecycle.

Where CNAPP/CSPM Vendors Fall Short

It’s important to point out that many CNAPP vendors focus on providing security measures, such as CIS compliance checks or a basic “connectivity” view and segmentation to protect an organization’s applications and infrastructure in the cloud. These measures help prevent malicious actors from gaining unauthorized access to an organization’s resources, but they don’t necessarily provide visibility into potential exposures that may exist in an application’s design or configuration, thus providing a false sense of security.

Most vendors can correlate resources to compliance or identity violations, but the network context of these solutions is often limited, leading to a lack of visibility into the hidden attack surface. This results in insights that are often irrelevant and unactionable, causing security teams to chase false positives or negatives and reducing their overall effectiveness. Additionally, the shortcomings of these solutions can cause DevOps teams to lose trust in the security measures in place, hindering their confidence in the infrastructure.

The most critical gap is that CNAPP vendors lack the ability to calculate net effective reachability, which determines the network’s overall connectivity, including identification of potential points of failure or bottlenecks. In simple terms, they cannot accurately determine whether an organization’s critical resources are exposed to the Internet. Without this information, security teams are unable to identify the root cause of a problem or effectively prioritize potential threats. The result is inefficiency and delay in the security response process, leaving the company vulnerable to attacks and flagging false positives and negatives to the DevOps teams.

To identify exposures, organizations need to conduct assessments that look for end-to-end access from the internet, since such access drives up the risk from malicious activity exploiting weaknesses such as insufficient authentication or authorization, unvalidated input/output, SQL injection, cross-site scripting (XSS), insecure file uploads, and more.

What Is CNAPP?

CSPM is an automated set of security tools designed to identify security issues and compliance risks in cloud infrastructure.

CNAPPs consolidate the capabilities and functionalities offered by CSPM and CWPPs, providing centralized access to workload and configuration security capabilities. They help teams build, deploy, and run secure cloud-based apps in today’s highly dynamic public cloud environments.

A CNAPP solution comes with a single control panel with extensive security features such as automation, security orchestration, identity entitlement management, and API identification and protection. In most cases, these capabilities are used to secure Kubernetes workloads.

How Does CNAPP Work?

CNAPP uses a set of technologies, such as runtime protection, network segmentation, and behavioral analytics, to secure cloud-native applications and services. CNAPP provides a holistic view of the security of cloud applications by monitoring and implementing security protocols across the entire cloud application profile.

CNAPP works by identifying the different components that exist in a cloud-native application, such as containers and microservices, and then applying security controls to every component. To do this, it uses runtime protection to monitor the behavior of the application and its components in real time. It leverages methods such as instrumentation to identify vulnerabilities in the application.

Also, CNAPP uses network segmentation to separate different parts of the application and reduce communication between them, thus reducing the attack surface. In addition, CNAPP includes features such as incident response and compliance management to help businesses respond quickly to security incidents, as well as ensure that apps and services comply with industry standards and regulations.

Why Is CNAPP Important?

Cloud-native application environments are quite complex. Teams have to deal with app workloads that continuously move between clouds, both private and public, built from a mix of open-source and custom-developed code. This code keeps changing as release cycles accelerate, with more features rolled into production and old code replaced with new.

To deal with the challenges of ensuring the security of highly dynamic environments, IT teams often have to put together multiple types of cloud security tools. The problem is that these tools offer a siloed, limited view of the app risk, increasing the company’s exposure to threats. DevSecOps teams often find themselves having a hard time manually interpreting information from multiple, disjointed solutions and responding quickly to them.

CNAPPs help address these challenges by combining the capabilities of different security tools into one platform to provide end-to-end cloud-native protection, allowing security teams to take a holistic approach to mitigate risk and maintain security and compliance posture.

CNAPP with RedSeal

The challenge most enterprises face is that they cannot get clear visibility of their entire network. Most networks are hybrid, with both public and private cloud environments, along with a physical network framework. This results in siloed visibility, which raises security risks.

When CSPM, CWPPs, CIEM, and CI/CD security work together, companies can quickly get a glimpse of what is happening on their network, allowing IT teams to take immediate action.

RedSeal Cloud, a CNAPP solution, provides organizations with a view of their entire cloud framework to identify where key resources are located and a complete analysis of the system to identify where it’s exposed to attacks. RedSeal maps every path and checkpoint, and calculates the net effective reachability of all aspects of your cloud, enabling you to quickly pinpoint areas that require immediate action. Furthermore, it avoids false positives and negatives, and supports complex deployments with different cloud gateway and third-party firewall vendors.

The Right CNAPP Tool for Reliable Cloud Security Management

Ensuring the security of assets in the cloud has never been more important.

Companies can leverage CNAPP capabilities to secure and protect cloud-based applications, from deployment to integration, including regular maintenance and eventual end-of-life. That said, CNAPP solutions are not one-size-fits-all options but rather a combination of different vendor specialties under a single platform, providing single-pane-of-glass visibility to users.

Companies wanting to adopt CNAPPs should focus on how vendors interpret the underlying cloud networking infrastructure and the per-hop policies at every security policy point, including third-party devices, in order to identify any unintended exposure, and on how the solution interacts with other services, both on-premises and in the cloud.

In summary, every company should ask potential CNAPP vendors:

  • How do they uncover all attack paths to their critical resources and expose the hidden attack surface?
  • How do they calculate the net effective reachability to the critical resources on those paths?

RedSeal’s CNAPP solution, RedSeal Cloud, lets security teams know if critical cloud resources are exposed to risks, get a complete visualization of their cloud infrastructure, and obtain detailed reports about CIS compliance violations.

Want to know how you can stop unexpected exposure and bring all your cloud infrastructure into a single comprehensive visualization? Book a demo with our team to get started!

US Marshals Scramble to Shut Down Computer System

Audacy | May 1, 2023

Tune in to KCBS and hear Dr. Mike Lloyd, RedSeal’s CTO, share insights into double dip ransomware attacks, why segmentation matters, hardening your infrastructure and a quick perspective on the importance of Biden’s National Cyber Strategy.

The Hidden Attack Surface: What’s Missing in Your Cloud Security Strategy?

It happens all the time. A company has the right security policies in place but misconfigures the environment. They think they are protected. Everything looks fine. They locked the doors and boarded up the windows to the room where the crown jewels are kept, but nobody noticed that the safe that holds the jewels is no longer in that room. Accidentally, it was moved to another location, which is left wide open.

Here’s another common scenario. When working in the cloud, someone in your company can easily turn on a policy that allows anyone to gain access to your critical resources. Or, maybe you grant temporary access to a vendor for maintenance or troubleshooting but then forget to revoke the access. There may be legitimate reasons to grant access, but if that resource is compromised, your cloud can be infected.

Cloud Environments Are Constantly Evolving and Easy to Misconfigure

The challenge in today’s cloud environment is that things are never static. Things are spinning up constantly, new endpoints are being added, and new connections are being made. Cloud users can easily misconfigure or forget to revoke access to critical resources. So you lock the front door and think you’re safe when the back door might be open or someone is opening and closing new windows all the time.

Nearly seven in 10 organizations report dealing with cyberattacks from the exploitation of an unknown or unmanaged asset connected to the internet. With today’s complex cloud, multi-cloud, and hybrid cloud environments, uncovering the hidden attack surface is crucial to finding every resource that could be compromised.

What is the Hidden Attack Surface?

Uncovering the hidden attack surface involves discovering all the unknown resources in your cloud and finding all attack paths to those resources – not just the most likely paths, as most CNAPP/CSPM vendors do. Finding all attack paths requires deep intelligence to map the full cloud network and determine every potential exposure point.

Cybercriminals are constantly looking for pathways, or hidden attack paths, to get to your crown jewels. With today’s emphasis on cybersecurity, companies rarely leave the front door open to let hackers walk right in. But there may be vulnerabilities that do allow access and then a pathway to reach the jewels. It may be a twisted and convoluted path, but it gets hackers where they want to go.

An attack path analysis details every endpoint and connection to show how threat actors could enter your house and travel the path to find what they’re looking for. By highlighting every possible path and policy detail associated with these pathways, you gain comprehensive visibility into your network.

This information details the traffic that can enter or exit each hop on the attack path and which controls are allowing it, uncovering areas of unintended access to critical cloud resources.

Mapping the Entire Infrastructure

Other approaches are also inadequate for mapping the entire infrastructure.

Let’s say you have someone conducting penetration testing. Pen testing focuses on the major attack points but doesn’t identify every single way, inside and out, to connect to those resources. Think of it this way: You want to drive from San Jose to San Francisco. Nearly everyone making that drive will use the 101 or 280. But 880 can also connect, and there are thousands of side routes that you could use to make the ride. It may take a long time, but you’ll ultimately get to your destination.

Pen tests focus on the most typical routes. Plus, routes are constantly changing. They don’t take into account the new subdivision that didn’t exist last week and now allows through traffic. You may segment your data, but new pathways evolve that suddenly allow lateral movement. Without real-time attack path analysis, you may be secure one moment and insecure the next.

Not All Attack Path Analysis Vendors Work the Same Way

When looking to analyze attack paths, it’s crucial to choose the right vendor. Not everyone approaches attack path analysis the same way, and the wrong solution may give you a false sense of security.

Just like penetration testing, most CNAPP/CSPM companies focus on the same major pathways. For example, if you’re using AWS and want to know which resources may be exposed, most vendors will check AWS security groups, AWS network access control lists (NACLs), and AWS gateways. But are they also checking AWS Transit Gateways, third-party firewalls, load balancers, and all the other cloud networking resources on the path?

Effective security demands that you view everything end-to-end, including every endpoint, pathway, and policy. While you may start with the obvious paths, that’s not enough. Attackers know that the most obvious spots are usually protected, so they constantly probe for the path that’s not so obvious and less likely to be guarded. That less obvious path is the hidden attack surface, and it is what results in most cloud security breaches.
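As an added illustration of the net effective reachability idea raised here and in “Where CNAPP/CSPM Vendors Fall Short” above, the following Python sketch (not RedSeal’s code or any cloud vendor’s API; every name, address and rule is constructed) follows traffic from the Internet through a third-party edge firewall, subnet NACLs, an Internet-facing load balancer and an instance security group, and contrasts the end-to-end answer with what a security-group-only check would report: one false positive (SSH looks open but is blocked upstream) and one false negative (an “internal only” port is reachable via the load balancer).

```python
"""Net effective reachability: which TCP ports really reach a critical instance
from the Internet once every policy point on every path has been applied.

Constructed example; not RedSeal's code or any cloud vendor's API. It models
an AWS-style account with a third-party edge firewall, subnet NACLs, an
Internet-facing load balancer and an instance security group, and contrasts
a security-group-only check with the end-to-end answer.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")  # "any Internet source"

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: IPv4Network   # source prefix the rule covers
    ports: range       # TCP destination ports the rule covers

@dataclass(frozen=True)
class PolicyPoint:
    """A filtering hop: NACL or firewall (ordered, first match wins) or a
    security group (allow-only). Unmatched traffic is implicitly denied.
    Simplification: the source is a prefix, and a rule matches only when it
    covers that whole prefix."""
    name: str
    rules: tuple

    def allows(self, src: IPv4Network, port: int) -> bool:
        for r in self.rules:
            if port in r.ports and src.subnet_of(r.src):
                return r.action == "allow"
        return False

@dataclass(frozen=True)
class LoadBalancer:
    """Internet-facing load balancer: accepts `listener`, forwards to
    `target`, and the backend sees the LB's own subnet as the source."""
    name: str
    listener: int
    target: int
    subnet: IPv4Network

def trace(path, src: IPv4Network, port: int):
    """Follow one (src, port) hop by hop. Returns (port_at_instance, None)
    if it arrives, or (None, name_of_hop_that_dropped_it) if it does not."""
    for hop in path:
        if isinstance(hop, LoadBalancer):
            if port != hop.listener:
                return None, hop.name
            src, port = hop.subnet, hop.target   # NAT: new source, new port
        elif not hop.allows(src, port):
            return None, hop.name
    return port, None

def net_effective_reachability(paths, src=ANY, ports=range(1, 65536)):
    """Pairs (Internet-facing port, port on the instance) reachable end-to-end
    over any path. Scans the whole port space, not just observed traffic."""
    reach = set()
    for path in paths:
        for p in ports:
            arrived, _ = trace(path, src, p)
            if arrived is not None:
                reach.add((p, arrived))
    return reach

def security_group_only_view(sg, src=ANY, ports=range(1, 65536)):
    """What a check that reads only the security group would report."""
    return {p for p in ports if sg.allows(src, p)}

# --- constructed topology (hypothetical names and addresses) ---------------
EDGE_FW = PolicyPoint("edge-firewall", (
    Rule("deny", ANY, range(22, 23)),     # SSH is blocked at the edge
    Rule("allow", ANY, range(80, 81)),
    Rule("allow", ANY, range(443, 444)),
))
ALLOW_ALL = (Rule("allow", ANY, range(1, 65536)),)
LB_NACL = PolicyPoint("lb-subnet-nacl", ALLOW_ALL)
APP_NACL = PolicyPoint("app-subnet-nacl", ALLOW_ALL)
ALB = LoadBalancer("public-alb", listener=443, target=8080,
                   subnet=ip_network("10.0.1.0/24"))
APP_SG = PolicyPoint("app-sg", (
    Rule("allow", ANY, range(22, 23)),                            # looks exposed
    Rule("allow", ip_network("10.0.1.0/24"), range(8080, 8081)),  # looks internal
))

DIRECT_PATH = (EDGE_FW, APP_NACL, APP_SG)
LB_PATH = (EDGE_FW, LB_NACL, ALB, APP_NACL, APP_SG)
ALL_PATHS = (DIRECT_PATH, LB_PATH)

if __name__ == "__main__":
    # SG alone says "22 exposed, 8080 internal"; the full paths say the opposite.
    print("security-group-only view:", sorted(security_group_only_view(APP_SG)))
    print("net effective reachability:", sorted(net_effective_reachability(ALL_PATHS)))
    print("why SSH is not exposed:", trace(DIRECT_PATH, ANY, 22))
```

Adding a transit gateway or a second firewall is just another `PolicyPoint` in the path tuple; the point is that the exposure verdict comes from the intersection of every hop, never from one resource read alone.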

Comprehensive Attack Path Analysis with RedSeal

RedSeal uncovers the hidden attack surface by providing a comprehensive attack path analysis of every possible entry point and pathway within your infrastructure to determine what resources may be exposed. Besides end-to-end mapping, RedSeal also shows you how the exposure occurred and provides remediation guidance.

You get:

  • A list of all resources, subnets, and instances that are deemed critical, grouped by AWS accounts, Azure subscriptions, AWS VPCs, Azure VNETs, tags, and subnets
  • Specific ports, protocols, and services that are open and exposed — e.g., HTTPS (443), SSH/TCP (22), SMTP/TCP (25), RDP with exposure details
  • Full attack path analysis to critical resources, highlighting all possible paths and the security policy details associated with each path
  • Details about what and where traffic can enter, what controls are enabling entry, and the paths attackers can take once they gain entrance

You can complement your cloud service provider’s operational tools by getting a real-time evaluation of all affected resources across multiple cloud environments. Using an agent-less, API-based approach, RedSeal Stratus uncovers all resources deployed within your environment and lets you view them in a single pane of glass.

Not only do you get a comprehensive view of your cloud infrastructure and insight into potential exposure points, but you also get a roadmap for remediation. Stratus identifies and calculates every possible path, port, and protocol — not just active traffic — to help you prioritize your remediation efforts. Security teams can then perform root cause analysis and raise a remediation ticket for resource groups that may be impacted by security policies.

This ticket would include information about the affected resources, verification, remediation steps, and the potential risk if they are not mitigated.

RedSeal mitigates exposure with:

  • Out-of-the-box (OOTB) reporting
  • Simple, agent-less deployment
  • Continuous risk assessment
  • Drill-down capabilities with remediation guidance
  • Seamless integration with ticketing and remediation systems like Jira

RedSeal’s cloud security solutions bring all your multi-cloud environments into one comprehensive, dynamic visualization and let you know the unknowns. This allows you to protect your cloud, conform to best practices, and gain continuous monitoring for compliance.

Learn more by downloading our Solution Brief: Stop Unintended Exposure.

Tales from the Trenches: Vol 10 — You Don’t Know What You Don’t Know

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected, and what’s at risk, there is often an “Aha” moment when the true significance becomes clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series, Michael Wilson, Senior Network Security Engineer, explains how RedSeal empowers customers to verify that their contractors are following security best practices and have their organization’s best interest in mind.

You Don’t Know What You Don’t Know

In my customer’s environment, the network is segmented and managed by both the customer and several contracted partners. It is a difficult task to have visibility into an entire network that is distributed across several different contracted partners, let alone keep track of all of the devices and changes that can occur across a network. The adage of ‘you don’t know what you don’t know’ is very relevant in a situation like this. RedSeal has the ability to provide my customer with a single pane of glass to see all these network segments that are managed by different contracted partners.

The customer’s RedSeal deployment runs daily collection tasks, and the customer can see any changes that occur to their network from day to day. One morning, I logged into RedSeal and started my daily maintenance tasks, which include ensuring that data collections ran correctly and that analysis was performed successfully, and I noticed that there was an increase in device count. This was a cause for investigation, as new devices being brought into RedSeal without any new data collection tasks is a possible indicator of compromise.

I notified the customer, and I started to investigate. I noticed that these changes occurred in the customer’s SDWAN environments. This SDWAN environment uses clusters to manage edge devices, and the customer has devices spread around in many different locations. The environment is managed by one of the customer’s contracted organizations and, previously, the environment used 4 clusters to serve all the customer’s edge devices in this SDWAN environment. The additional devices that RedSeal discovered were an additional 20 clusters that upped the total from 4 to 24. Once I started to arrange the new clusters on the map, I started to see that these new clusters were connected in such a way that they were serving specific geographic regions of the customer’s environment. This indicated the contracted partner was making significant changes to the SDWAN environment and the new devices were likely not an indicator of compromise.

Once I determined that this was likely a planned network change, I asked the customer if they were aware that these changes were planned and being implemented to the network. They were not aware of any plans and changes being implemented. I asked the customer to immediately verify that the changes were planned, and the customer discovered that not only were these changes planned, but they had never been notified of these planned changes. This demonstrated a significant lack of communication between the customer and their contracted partners. I was able to use RedSeal not only to discover network changes that occurred on the network, but a fundamental operational flaw of the entire customer’s workflow surrounding network changes. It gave the customer the ability ‘to know what they didn’t know’.

The risks that the customer was unknowingly accepting (and, by default, unable to mitigate or remove) through this lack of communication were that the contracted partner was making changes to the customer’s network, which contains devices that have Payment Card Industry (PCI) data running through them. By making changes without consulting the customer, the contracted partner was potentially exposing the customer to a disastrous breach of customer financial information. The reason this could be the case is that the contracted partner does not control the entire customer network, and changes in their network segment may unknowingly lead to security holes in other parts of the network that are managed by either the customer directly or another contracted partner. To top it off, the customer would have had no idea of this risk because they were unaware of what was happening on their network. RedSeal was able to become the stopgap, identify that risk, and provide the information needed to make an informed and educated decision on what risks to accept, mitigate, or remove.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Top Reasons State and Local Governments Are Targeted in Cyberattacks

Ransomware attacks affected at least 948 U.S. government entities in 2019 and cost local and state governments over $18 billion in 2020. These agencies are prime targets for cyberattacks: their dispersed nature, the complexity of their networks, and the vast amounts of valuable personal data they process and store make them attractive, while their limited budgets prevent them from staying current with the latest best practices.

Strengthening your defense starts with understanding the top reasons why threat actors choose to target state and local governments. Then, implement the latest technologies and best practices to protect your organization from attacks.

Reason 1: The Vast Number of Local and State Government Agencies

There are 89,004 local governments in the U.S., plus numerous special districts and school districts. Add to that 2.85 million civilian federal employees and 18.83 million state and local government employees — each representing a potential target for threat actors.

Since it takes only one person to click on one malicious link or attachment to infect the entire system with ransomware, the large number of people who have access to sensitive data makes government entities prime targets for social engineering attacks.

Moreover, the dispersed nature of these networks makes it extremely challenging for government agencies to gain visibility of all the data and activities. When one agency suffers an attack, there are no procedures or methods to alert others, coordinate incident response plans, or prevent the same attack from happening to other entities.

Reason 2: These Agencies Process Valuable Personal Information

How much personal data have you shared with state and local government agencies? Somewhere in their dispersed systems reside your social security number, home addresses, phone numbers, driver’s license information, health records, etc. The information is attractive to cybercriminals because they can sell it on the dark web or use it for identity theft.

Many of these agencies also hire contractors and sub-contractors to handle their computer systems or process user data. The more people with access to the data, the larger the attack surface — creating more opportunities for supply chain attacks where criminals target less secure vendors to infiltrate their systems.

Without the know-how or resources to partition their data or implement access control, many government agencies leave their door wide open for criminals to access their entire database. All malicious actors have to do is target one of the many people who can access any part of their systems.

Reason 3: They Can’t Afford Security Experts and Advanced Tools

Almost 50 percent of local governments say their IT policies and procedures don’t align with industry best practices. One major hurdle is that they don’t have the budget to offer wages that can compete with the private sector and a workplace culture to attract and retain qualified IT and cybersecurity professionals.

Meanwhile, cybercriminals are evolving their attack methods at breakneck speed. Organizations must adopt cutting-edge cybersecurity software to monitor their systems and detect intrusions. Unfortunately, the cost of these advanced tools is out of reach for many government entities due to their limited budgets.

Moreover, political considerations and bureaucracy further hamstring these organizations. The slow speed of many governmental and funding approval processes makes preparing for and responding to fast-changing cybersecurity threats even more challenging.

Reason 4: IoT Adoption Complicates the Picture

From smart building technology and digital signage to trash collection and snow removal, Internet of Things (IoT) tools, mobile devices, and smart technologies play an increasingly vital role in the day-to-day operations of local governments.

While these technologies help promote cost-efficiency and sustainability, they also increase the attack surface and give hackers more opportunities to breach a local government’s systems and networks — if it fails to implement the appropriate security measures.

Unfortunately, many agencies jump into buying new technologies without implementing proper security protocols. Not all agencies require IoT devices to perform their functions. You should therefore balance the cost and benefits, along with the security implications, to make the right decisions.

How Government Agencies Can Protect Themselves Against Cyberattacks

An ounce of prevention is worth a pound of cure. The most cost-effective way to avoid the high costs of ransomware attacks and data breaches is to follow the latest cybersecurity best practices. Here’s what state and local governments should implement to stay safe:

  • Complete visibility into your entire IT infrastructure to provide a comprehensive view into all the possible hybrid network access points to understand what’s connected to your network and what data and files are most at risk. This way, you can prioritize your data security resources.
  • Intrusion detection and prevention systems (IDS and IPS) protect your wired and wireless networks by identifying and mitigating threats (e.g., malware, spyware, viruses, worms), suspicious activities, and policy violations.
  • A mobile device management (MDM) solution allows administrators to monitor and configure the security settings of all devices connected to your network. Admins can also manage the network from a centralized location to support remote working and the use of mobile and IoT devices.
  • Access control protocols support a zero-trust policy to ensure that only compliant devices and approved personnel can access network assets through consistent authentication and authorization, such as multi-factor authentication (MFA) and digital certificates.
  • Strong spam filters and email security solutions protect end users from phishing messages and authenticate all inbound emails to fence off social engineering scams.
  • Cybersecurity awareness training for all employees and contractors helps build a security-first culture and makes cybersecurity a shared responsibility, which is particularly critical for fending off social engineering and phishing attacks.
  • A backup and disaster recovery plan protects agencies against data loss and ransomware attacks by ensuring operations don’t grind to a halt even if you suffer an attack.

Final Thoughts: Managing the Many Moving Parts of Cybersecurity

Cybersecurity is an ongoing endeavor, and it starts with building a solid foundation and knowing what and who is in your systems.

You must map your networks, take inventory of every device, and know where all your data is (including the cloud) to gain a bird’s-eye view of what your security strategy must address. Next, assess your security posture, evaluate your network against your policies, and prioritize resources to address the highest-risk vulnerabilities. Also, you must continuously monitor network activities and potential attack paths to achieve constant visibility, prioritize your efforts, and meet compliance standards.

State and local governments worldwide trust RedSeal to help them build digital resilience. Request a demo to see how we can help you gain visibility of all network environments to jumpstart your cybersecurity journey.

Tales from the Trenches: Vol 9 — The Law of Unintended Consequences, OR Some Doors Swing Both Ways

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected, and what’s at risk, there is often an “Aha” moment when the true significance becomes clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Bill Burge, RedSeal Professional Services, explains how RedSeal can show you ALL the access from a network change, not just the one access you are expecting.

The Law of Unintended Consequences, OR Some Doors Swing Both Ways

“The law of unintended consequences” states that the more complex the system, the greater the chance that there is no such thing as a small change.

While working with a customer in the early days of my RedSeal Professional Services tenure, I looked for an opportunity to prove the capability of Zones & Policies. In an unfamiliar environment, the easy starting point is creating a policy that examines the access from “Internet to all internal subnets.”

It is easy to set up and easy to discuss the results, UNLESS the results say that most of the Internet can get to most of the internal network.

I thought “I MUST have done something wrong!” I got the impression that the customer felt the same thing, even though neither of us came right out and said it. So, I tore into it.

Using some ad hoc access queries and Detailed Path queries, we figured out the problem and why.

After looking into it, thinking something was amiss, it turned out that RedSeal was RIGHT. It seems there had been a pair of firewall rules for DNS requests:
SRC: inside, SRC PORT: any, DST: outside, DST PORT: 53, PROTOCOL: UDP
(and for the responses)
SRC: outside, SRC PORT: 53, DST: inside, DST PORT: any, PROTOCOL: UDP

At some point, because DNS resolutions got large enough that the responses did not fit in a single UDP packet, DNS needed to include TCP. So, someone simply made a small change and added TCP to each of these rules.

The unintended consequence was that you could reach just about any internal system from the Internet IF you initiated your request from port 53.

After this was verified by the firewall and networking teams, I might as well have gone home. Everybody disappeared into meetings to discuss how to fix it, whether it could be done immediately or later that night, etc.

A little time later, I ALMOST felt guilty to point out that they had done pretty much the same thing with NTP, on port 123. (Almost…)
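The DNS and NTP rule pairs above, modelled as a stateless access list, as an added example that is not RedSeal’s product logic or the customer’s real configuration. The audit function flags every inbound rule whose only constraint is its source port (it also catches the original UDP-only response rule, which has the same shape for UDP services), and the stateful variant shows the fix: replies come from the connection table, not from an allow rule. Zone names, the Rule layout and the probe flows are assumptions.

```python
"""Stateless ACL model of the DNS/NTP rule pair (added example, not RedSeal
code).  Zone names, the Rule layout and the probe flows are assumptions."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a port field

@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_port: Optional[int]
    dst_zone: str
    dst_port: Optional[int]
    proto: str  # "udp" or "tcp"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_port: int
    dst_zone: str
    dst_port: int
    proto: str

def matches(rule, flow):
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and rule.proto == flow.proto
            and rule.src_port in (ANY, flow.src_port)
            and rule.dst_port in (ANY, flow.dst_port))

def permitted(rules, flow):
    """Stateless evaluation: any matching allow rule permits the flow."""
    return any(matches(r, flow) for r in rules)

# The original pair from the story: DNS over UDP, with a stateless "response" rule.
ORIGINAL = [
    Rule("inside", ANY, "outside", 53, "udp"),
    Rule("outside", 53, "inside", ANY, "udp"),
]

# The "small change": TCP added to both rules, later repeated for NTP on 123.
CHANGED = ORIGINAL + [
    Rule("inside", ANY, "outside", 53, "tcp"),
    Rule("outside", 53, "inside", ANY, "tcp"),
    Rule("inside", ANY, "outside", 123, "udp"),
    Rule("outside", 123, "inside", ANY, "udp"),
    Rule("inside", ANY, "outside", 123, "tcp"),
    Rule("outside", 123, "inside", ANY, "tcp"),
]

def source_port_pivots(rules, untrusted="outside"):
    """Audit check: inbound rules constrained only by source port.  Each one
    lets a remote host reach every internal service by sending from that port."""
    return [r for r in rules
            if r.src_zone == untrusted and r.src_port is not ANY
            and r.dst_port is ANY]

def permitted_stateful(outbound, flow, table):
    """Corrected model: keep only the outbound rules; a reply from outside is
    allowed only when its reverse 5-tuple is in the firewall's connection table."""
    if flow.src_zone == "outside":
        reverse = Flow(flow.dst_zone, flow.dst_port,
                       flow.src_zone, flow.src_port, flow.proto)
        return reverse in table
    return permitted(outbound, flow)

OUTBOUND_ONLY = [r for r in CHANGED if r.src_zone == "inside"]

# Constructed probe: an Internet host sending from port 53 to SSH on an inside host.
SSH_FROM_53 = Flow("outside", 53, "inside", 22, "tcp")
```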

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.

Top 4 Cyber Challenges for Credit Unions

Credit unions continue to be the primary targets of cyberattacks like phishing, ransomware, and supply chain attacks. This is due to the highly confidential nature of the data they collect and store. If this data falls into the wrong hands, the outcome can negatively impact the institution’s reputation, as well as its legal and financial standing.

Cyberattacks aimed at credit unions come at a high cost. Financial loss can range from $190,000 for small credit unions to as high as $1.2 million for large credit unions.

As technology advances, so have the cyber threats targeting credit unions. The National Credit Union Administration (NCUA) has continuously encouraged credit unions to “strengthen their institution’s cyber vigilance and preparedness efforts” to protect themselves and their members.

Read on to learn how credit unions can mitigate cybersecurity risks. The key is to first understand the primary threats and then how to reduce their impact.

Cybersecurity Trends in the Finance Sector

Over the last decade, cybercriminals have found creative ways to target credit unions. Attacks have increased in volume and severity, with hacking and malware being deployed to cripple financial institutions. The first half of 2020 saw a 238 percent increase in cyberattacks targeting the finance sector.

Between March and June of 2020, ransomware attacks aimed at banks increased by 520 percent compared to the same period in 2019. A huge spike was also observed in 2021.

In June of this year, several credit unions in Canada discovered evidence of attempted access by unauthorized personnel. A 2020 survey by the National Credit Union Administration (NCUA) found that 46% of credit unions experienced a cybersecurity incident in the past year. Phishing attacks continue to be a major threat to credit unions, with the NCUA reporting that they accounted for over 50 percent of incidents in 2020.

According to a recent IBM report, the average cost of a data breach in 2022 was $4.35 million. The finance sector is a primary attack target, only second to healthcare organizations, with the average financial breach costing $5.97 million. Credit unions, as a result, are increasingly turning to technology to improve their cybersecurity posture.

Credit unions should also be aware of the risk employees or contractors with access to sensitive information pose to cybersecurity. They can potentially misconfigure servers, networks, and databases and become compromised by hackers. Combating this may involve implementing measures such as keeping an updated inventory of cloud resources, reviewing misconfiguration by identifying unintentionally exposed resources, and reviewing security policies.

With large amounts of money at risk, following cybersecurity best practices can help credit unions stay on top of cyber threats.

Common Cyber Challenges for Credit Unions

Credit unions and financial institutions face a wide range of cybersecurity dangers and challenges — from hackers looking to exploit loopholes to sophisticated cyber warfare/cyber espionage maneuvers of advanced persistent threat (APT) actors.

Learning about the potential risk factors can help credit unions mitigate these risks.

Here are the most common cybersecurity challenges credit unions should be aware of.

Sophisticated Cyberattacks and Ransomware

A ransomware attack, which involves encrypting files and locking users out of their systems, happens every 11 seconds. Criminals then demand a ransom to release the data. Credit unions must have strategies in place to ensure their systems are protected from such attacks.

Ransomware attacks not only cause credit unions to lose large amounts of money in ransom payments and fines; they also erode consumer trust. In most cases, ransomware attacks happen because employees fall for phishing scams that trick them into downloading suspicious attachments, clicking malicious links, or launching sketchy .exe files.

By regularly assessing and analyzing your entire system, you’re better able to spot any new vulnerabilities and emerging threats. It’s also important to educate employees and customers about cybersecurity best practices so they are equipped to handle various types of cyberattacks.

Supply Chain Interruptions via Third-Party Vendors

Credit unions typically use third-party partners to offer better features and functionalities to their members. Cybercriminals take advantage by attacking less secure software vendors. These vendors then inadvertently deliver malicious code in the form of compromised products or updates, enabling cybercriminals to access the credit institution’s network.

To minimize this risk, credit unions should thoroughly vet vendors before entering into a business partnership with them. They should also scrutinize their security practices and perform regular system updates and maintenance to ensure their existing infrastructure performs optimally for the longest time possible.

Emerging Threats Associated with the Internet of Things (IoT)

Hacking techniques are continuously becoming more sophisticated. IoT adoption is increasing exponentially, and hardware assets connected to the internet such as cameras, printers, sensors, and scanners are becoming a major target of exploitation by cybercriminals.

With over 50 percent of all IoT devices susceptible to severe cyberattacks, credit unions should focus on investing in cybersecurity solutions that make it easier to identify all IoT devices connected to their network. This way, they can easily monitor IoT devices for any security issues and take action before the risks become harder to mitigate.

Shortage of Cybersecurity Skills

The demand for cybersecurity experts, especially among credit unions, is outpacing the supply of qualified professionals. According to the 2022 (ISC)2 Cybersecurity Workforce Study, even with an estimated 4.7 million professionals, there’s still a global shortage of 3.4 million workers in this field. This will affect smaller credit unions, as they will find it difficult to hire experts well-versed in various cloud technologies.

Technical skills such as secure software development, intrusion detection, and attack mitigation are by far the most valuable skills in this field. Security teams in the credit union space must look for innovative solutions to optimize productivity. This includes identifying security tools and technologies that are easy to use and deploy, providing more opportunities for external training, and identifying solutions that streamline cybersecurity processes.

How Credit Unions Can Strengthen Their Cybersecurity

To ensure your credit union has optimal protection against potential cyberattacks, RedSeal recommends a proactive approach by performing regular cybersecurity assessments to identify any loopholes in your system and also ensure proper defenses are in place. These include having an up-to-date inventory, identifying unintended exposures, and setting a security baseline to meet current and future compliance requirements. It’s also important to establish security protocols that follow industry guidelines and continuously apply security patches and updates to the system.

Working with a prioritized set of risks allows security teams to better allocate resources to areas where they’re needed most.

Want to know more about how you can mitigate cyberattacks in your credit union? Check out this white paper on digital resilience and ransomware protection strategies.

National Cyber Strategy — What We Know So Far

I’ve run into several folks who wanted to ignore the Biden Administration’s recently announced National Cybersecurity Strategy – “isn’t that just for Federal agencies?”. That would be a dangerously flawed assumption! This is a major shift in strategy, and regardless of how small your organization is, it’s going to change how you get to a secure state, and how you show that you’re doing it.

The administration makes no secret of its goals, even if they are controversial. They openly describe a target of shifting the playing field, and as always, this creates winners and losers. You need to be agile to ensure you’re on the winning side of this equation! The tilted playing field is aiming for two effects. One goal is to change the economic risk/reward so that bad actors think twice. The other is a significant shift in the burden of defense, pushing it up from smaller mom-and-pop scale organizations and transferring it to larger, more capable companies.

Both of these sound great, but somebody somewhere has to pay for all this. There are new spending initiatives included in the strategy, but they are focused more on training of a new generation of cyber talent, not so much on the shifting playing field. To achieve the two goals, then, the strategy relies more on stick than carrot.

If you’re a defender of your organization, you don’t need to worry too much about the stick that will be applied to bad actors – you can just take some comfort in the idea that the government has a renewed emphasis on pursuit, hacking back, and on punishment. But that doesn’t mean you can rest. The strategy specifically calls for increased regulation, and even liability, of online businesses – and this means pressure.

We’ve heard plenty of talk about resilience over the last few years in this industry, but now we’re talking about a requirement for resilience. This means defenders have to do more than just achieve some reasonable level of security – they also have to be able to show they are effective. We don’t test the resilience of buildings by knocking them down every once in a while, just to see – instead, we inspect plans and demand that architects and builders can show how they know their buildings are safe. Expect this kind of thinking to come home to roost in cybersecurity – not just exhortations to do better, but real requirements to prove resilience.

OK, but if your job is securing an organization that is going to face this increased regulation and liability, what can you do? It’s no longer enough to just follow compliance check-lists and formalities – that can prove you’ve got a compliance program, but it won’t show resilience. A check-list attestation is the cybersecurity equivalent of being able to fog a mirror – hardly the same as being able to demonstrate fitness or health!

The new strategy requires resilience – both being resilient, and being able to show it. Resilience means, first and foremost, realizing that incidents will happen, but planning ahead to contain the damage. A resilient army is not one that avoids ever getting into combat – it’s an army that has the resources and planning to bounce back and continue to fight. Likewise, your network needs to be able to bounce back, if you’re to have any hope of meeting the requirements of the new national strategy.

This means you need to map out your whole environment – physical sites and across cloud networks. You need to understand what depends on what, and where attacks can spread. It’s going to require a complete inventory – a challenging objective in itself – but beyond that, some means to demonstrate that a failure in one part of your environment won’t bring it all down. This is the goal of the strategy – resilience, and ability to demonstrate resilience; for those who cannot, new fines, new regulations, and an uphill battle to compete with those organizations who have resilience plans baked right into their networks.

Fortunately, this shift doesn’t require super-human efforts and endless nights at the keyboard. The effort to map out your environment, and see where there are resilience gaps, is automatable. The new strategy presents a new opportunity to get funding and executive buy-in for better, more efficient resilience planning, as a competitive advantage instead of a burden.

RedSeal’s unique approach – mapping out your whole environment, including on premises and in the cloud, and then finding and prioritizing defensive weaknesses and resilience gaps – is an ideal fit into your response to the National Cybersecurity Strategy. And make no mistake – you will need a response, ready or not. New regulation is coming, new liabilities are coming. These are not designed to punish all market participants – rather, they are designed to shift the playing field in favor of those who can deliver resilience, leaving behind those who are stuck in the past.

Tales from the Trenches: Vol 8 — Is that what you are going to say to the Auditor?

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected, and what’s at risk, there is often an “Aha” moment when the true significance becomes clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series, Brad Schwab, Senior Security Solutions Consultant, addresses a tricky network scanning question and how to verify the answer with RedSeal.

Is that what you are going to say to the Auditor?

One of the biggest elephant-in-the-room questions for Security Operations groups that deal with vulnerability scanners is very simple to state, but very, very tricky to answer: “are you sure you are scanning the entire network?” It sounds like it should be a simple yes or no answer. However, with any network of scale, the answer can be almost impossible to verify.

I was in a high level meeting for a large Health Organization with the CTO, head of Network Operations (NetOps), the head of Security Operations (SecOps), along with other people that had different stakes in the performance and security of the network. Since the network was the main instrument supporting the “Money Engine” of the operation, all attendees were laser focused on answers to any questions.

At a certain point in the meeting, Wendy, the head of SecOps, was talking about the scanning program. More specifically, she was speaking about procedures created to scan the entire network. The entire network!? So, at this point, I had to ask the question, “how do you know you are scanning the entire network?” She pointed to Bill, the head of NetOps, and said, “Bill said I could…”. That is where I looked at Bill and said, “Is that what you are going to put on the audit, ‘Bill said I could’?” Now, Bill and I had a good working relationship, and he knew that I was having a bit of fun at his expense; however, others in the room weren’t going to gloss over the subject, and began to pepper both Bill and me with questions. I proceeded to line out where the difficulties were in answering, with the following questions:

  • Does the scanner have a complete list of all IP space on the network that needs to be scanned?
  • Are there any overlapping subnets? If so, the overlapped portion of a subnet is not visible to the scanner, creating a possible hiding place for a bad actor.
  • Is there any duplicate IP space in the network? Again, this creates blind spots for any scanner.
  • And finally, the hard part: does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture (Access Control Lists and routing) is blocking or not granting the access, then the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work.

Beyond the logical access issue, no one had thought of the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data (thus possibly not part of the IP list given to the scanner), overlapping subnets, and duplicate IP space. At the same time, I explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “with these features, you can have comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both NetOps and SecOps of additions and changes required by both teams to make their Vulnerability Program complete.
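The coverage questions in the list above, turned into checks over subnet data of the kind a routing table or inventory yields, as an added example that is not RedSeal’s code: the subnets, scanner target list and scan results are constructed sample data, and tagging each prefix with the device that advertises it is an assumption about how duplicate address space would surface. The logical-access question itself needs a reachability model; the last check only finds its symptom, target subnets that returned no results.

```python
"""Scanner-coverage audit for the four questions above (added example, not
RedSeal code).  All input data below is constructed; device tags are assumed."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed: subnets learned from routing/inventory, tagged by advertising device.
KNOWN_SUBNETS = [
    ("core-rtr1", "10.1.0.0/24"),
    ("core-rtr1", "10.1.1.0/24"),
    ("core-rtr1", "10.2.0.0/16"),
    ("lab-rtr", "10.2.5.0/24"),     # overlaps core-rtr1's 10.2.0.0/16
    ("site-b-rtr", "10.1.0.0/24"),  # same prefix as core-rtr1: duplicate IP space
    ("dmz-fw", "192.0.2.0/24"),
]

# Constructed: the target list handed to the vulnerability scanner.
SCANNER_TARGETS = ["10.1.0.0/24", "10.2.0.0/16", "192.0.2.0/24"]

# Constructed: hosts for which the scanner actually returned results.
SCAN_RESULTS = ["10.1.0.10", "10.1.0.11", "10.2.1.5", "192.0.2.20"]


def not_in_target_list(known, targets):
    """Question 1: known subnets that no scanner target covers."""
    tgts = [ip_network(t) for t in targets]
    return sorted({s for _, s in known
                   if not any(ip_network(s).subnet_of(t) for t in tgts)})


def overlapping(known):
    """Question 2: distinct prefixes where one contains part of the other."""
    nets = sorted({s for _, s in known})
    return [(a, b) for a, b in combinations(nets, 2)
            if ip_network(a).overlaps(ip_network(b))]


def duplicate_space(known):
    """Question 3: the same prefix advertised by more than one device."""
    seen = {}
    for dev, s in known:
        seen.setdefault(s, set()).add(dev)
    return sorted(s for s, devs in seen.items() if len(devs) > 1)


def no_scan_data(known, results):
    """Symptom of question 4: subnets with zero scan results.  Either they were
    never in the target list or the scanner could not reach them, and the
    scanner itself reports nothing either way."""
    hosts = [ip_address(h) for h in results]
    return sorted({s for _, s in known
                   if not any(h in ip_network(s) for h in hosts)})


if __name__ == "__main__":
    print("not in target list:", not_in_target_list(KNOWN_SUBNETS, SCANNER_TARGETS))
    print("overlapping:", overlapping(KNOWN_SUBNETS))
    print("duplicate space:", duplicate_space(KNOWN_SUBNETS))
    print("no scan data:", no_scan_data(KNOWN_SUBNETS, SCAN_RESULTS))
```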

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.