Many organisations have a desktop estate that could range from an SMB with a handful of desktops in a single site to an enterprise with several hundred (or thousand) workstations and laptops deployed across many sites. Take the example of an organisation with 500 Windows workstations. In our experience, many organisations will not have USB device control and the ports are free for anyone to access (or use) without further thought given to Data Loss Prevention (DLP). The data loss vector here is fairly obvious. A user can copy data to (or from) a removable device, potentially stealing data, accidentally disclosing data or introducing malware to your IT environment.
There are several ways of addressing the risks that come out of a risk assessment: you can avoid the risk entirely (withdraw), reduce or mitigate the risk, transfer the risk (e.g. insurance) or accept the risk.
If you consider a datacentre operator who houses a large amount of IT equipment, fire is a risk, whether that is due to an electrical malfunction or a fault with customer equipment.
Shadow IT is a term often used to describe a situation where IT systems (applications, software, devices, cloud services and similar solutions) are used within an enterprise without the knowledge or approval of the business. This presents a security and operational risk to the business because it bypasses the organisation’s standards, processes and procedures, including the enterprise’s configuration, licensing setup, security controls, documentation and implementation standards. More serious scenarios could jeopardise an organisation’s ability to comply with industry regulations such as data protection, PCI or even SOX. Imagine a serious breach relating to software the IT department wasn’t even aware of!
Security incidents are not new. Data theft, DDoS attacks and website defacements have been commonplace for many years. What stands out with the recent spate of attacks is the amount of time it can take an enterprise to realise it has been compromised. The attackers may have been inside for some time.
The recent UCLA breach is a prime example. They suspected something as early as October; the FBI identified the breach in May. Quite some time, but a reflection of how good the malware is at remaining undetected. I do not doubt UCLA had firewalls and antivirus and followed best practice; you have to assume they did.
Many commentators are quick to criticise the IT team or the lack of security investment, or they blame human error. There is no denying that human error and poorly developed software are common causes, but not always.
Advanced Persistent Threats
Nowadays, there is a new class of threat, the Advanced Persistent Threat (APT).
APTs are forcing many enterprises and organisations to rethink their security strategy and revisit their approach to identifying and safeguarding against threats.
I am not going to explain what an APT is, definitions vary by vendor – but in short, it is a new type of advanced threat that can go unnoticed, bypassing existing security controls and often moving throughout an organisation’s internal systems. Some describe it as custom malware. Vendors are quick to develop APT-beating solutions, analysts have a new market segment to discuss and businesses have something new to worry about!
The purpose of this brief article is to outline some of the technologies available to help safeguard your business against APTs.
(I am assuming your systems are already patched, hardened and you have a robust perimeter security policy – that is common sense.)
1) Control lateral movement with an Internal Segmentation Firewall
In the network world, your LAN-to-Internet traffic is described as North-to-South. The traffic flow between your users and servers is referred to as East-to-West. Traffic that moves East-to-West is also known as lateral movement.
Once you are infected by modern malware or an APT, it (or they!) will attempt to move laterally throughout your IT and network environment. Using network enumeration, privilege elevation and further exploitation, they will try to compromise other systems or home in on higher-value targets. This can be automated or controlled externally by an individual with malicious intent. The end game could be ransomware or data theft.
A common approach to prevent this lateral movement is to break up your network into zones or segments.
Think of your network as a big circle. Your network is on the inside, and the perimeter of the circle is your firewall. Outside of that firewall is the internet. Once someone is inside, they are free to move around your business. It is very similar to castle walls.
Segmentation takes a different approach. Your network still has that perimeter wall, but instead of a single circle it is also made up of several internal zones. Think of a honeycomb structure within the circle, where each department is a zone.
Traffic passing between these zones is subject to a network security policy, traffic flows are limited and scanned for malicious content or anomalous behaviour. A breach in one zone can (hopefully) be contained to that zone.
Most firewall vendors such as Fortinet, Palo Alto and Cisco have sold solutions like this for some time. It is only recently that the terms such as internal segmentation firewall and internal network firewall have grown in popularity. SANS has a paper about internal firewalls dating back to 2001, so it’s certainly not new!
In the absence of a firewall, most modern switching platforms also support some form of IP access list or network policy that can be applied to zones (typically L3 VLANs or SVIs). These can be used to inhibit or control lateral movement. They don’t solve the problem, but they can make things harder. That is the name of the game.
The network segmentation approach is relatively inexpensive, but for high-end environments it may not scale.
For your typical enterprise or large organisation, 1GE, 10GE and 40GE solutions are available. If you are trying to secure 100Gbps of traffic between blade chassis or Hadoop clusters, then things can and will get out of hand.
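To make the zone model concrete, here is an added example (not the article’s own tool or any vendor’s product) that audits flow records against a zone-to-zone policy of the kind an internal segmentation firewall or switch ACL would enforce. The zone ranges, the allowed-flow table and the flow records are all constructed for the example; a real deployment would take the flows from NetFlow or firewall logs.

```python
"""Zone-to-zone flow audit (added example, not the article's own tool).

Hosts are grouped into zones (one per department or role), only explicitly
allowed zone-to-zone flows pass, and every other cross-zone flow is reported
so attempted lateral movement can be spotted. All zone ranges, policy entries
and flow records below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones: each department/role is one cell of the "honeycomb".
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/24"),
    "finance":      ipaddress.ip_network("10.30.0.0/24"),
    "internet":     ipaddress.ip_network("0.0.0.0/0"),  # catch-all, least specific
}

# Allowed flows: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is denied by the internal segmentation policy.
POLICY = {
    ("workstations", "servers"):  {443, 445},   # web apps and file shares
    ("finance", "servers"):       {443},
    ("workstations", "internet"): {80, 443},
    ("servers", "internet"):      {443},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_allowed(flow: Flow) -> bool:
    """Apply the zone policy. Traffic that stays inside one zone is not seen by
    an inter-zone firewall, so it passes here; anything crossing zones must match."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return True
    return flow.dport in POLICY.get((sz, dz), set())


def audit(flows):
    """Return the flows the policy would deny, each with its source/destination zone."""
    return [(f, zone_of(f.src), zone_of(f.dst)) for f in flows if not is_allowed(f)]


# Constructed flow records, as a NetFlow export or switch log might show them.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.15", 445),     # workstation -> file server: allowed
    Flow("10.10.4.7", "10.30.0.9", 445),      # workstation -> finance SMB: denied
    Flow("10.10.4.7", "10.10.9.2", 3389),     # workstation -> workstation: intra-zone
    Flow("10.30.0.9", "10.20.0.15", 22),      # finance -> server SSH: denied
    Flow("10.20.0.15", "203.0.113.5", 443),   # server -> internet HTTPS: allowed
    Flow("10.20.0.15", "198.51.100.8", 8443), # server -> internet odd port: denied
]

if __name__ == "__main__":
    for f, sz, dz in audit(SAMPLE_FLOWS):
        print(f"DENY {sz}->{dz} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The third record (workstation to workstation RDP) is the case the article’s caveat is about: an inter-zone firewall never sees it, so intra-zone isolation has to come from the switch or the endpoint instead.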
Ultimately the cost will depend on your topology (e.g. the number of zones) and the volume of traffic.
Virtualisation presents another challenge. On a physical network, East-to-West traffic moves between devices where it can be inspected. With VMware and the like, this lateral movement takes place within the virtual environment. Fortunately, many vendors (including VMware) have virtual product equivalents and, to some extent, these are easier (and cheaper) to implement than dedicated appliances. If you run VMware or Citrix, you cannot overlook the virtual network.
2) Identify threats with DNS Intelligence and behavioural analysis
Every time one of your internal systems or servers wishes to access the internet, the DNS protocol will be used somewhere to resolve the domain name of the website or mail server they are trying to reach. When malware (or a hacker) tries to phone home, they too may use DNS to connect to their command and control (C2) servers.
A growing number of DNS and security providers are offering a new kind of DNS service. Essentially you re-point your DNS traffic towards one of these providers and they screen it.
DNS and its functionality continue as before. The key difference is that the provider checks each one of your DNS queries in an attempt to identify anomalous behaviour or attributes that may indicate ill intent. Using their intelligence networks, machine learning and the power of the crowd, they can make split-second judgements on the behaviour of your DNS traffic, based on known-knowns, inference or patterns.
This is an easy service to implement and rarely requires any kit or significant change to your infrastructure. It is more of a diagnostic tool than a fix: it can tell you something is going on, but it won’t necessarily prevent it. It is a starting point though!
DNS solutions are often priced on the number of users or on the volume of DNS queries originating from your network. This is often a simple inroad for an organisation, even if the solution is only used as a barometer to gauge whether something is going on.
It is worth mentioning that many firewalls support IP reputation analysis which performs a similar function. If your network assets are connecting to dodgy networks (and IP addresses), it alerts you and blocks said traffic.
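The kind of screening described above, reduced to its simplest form, as an added example (not the article’s code and not any provider’s product): three checks run over DNS query log lines, a known-bad domain list (the “known-knowns”), a label-shape test for machine-generated names, and a per-client count of distinct names resolved. The blocklist, thresholds, log format and log lines are constructed for the example; a real service has far richer intelligence behind each check.

```python
"""DNS query screening (added example; not a vendor product or the article's code).

Checks each query against a known-bad list, flags long high-entropy leftmost
labels (typical of DGA or exfiltration names) and reports clients that resolve
an unusual number of distinct names. Everything below is constructed.
"""
import math
import re
from collections import defaultdict

# Constructed threat-intelligence list (a real feed holds millions of entries).
KNOWN_BAD = {"bad-c2.example", "update-check.example"}

# Tunable thresholds (assumptions for the example).
ENTROPY_THRESHOLD = 3.5        # bits per character; dictionary words sit lower
MIN_LABEL_LEN = 12
DISTINCT_NAMES_PER_CLIENT = 5

# Constructed log format: "<timestamp> <client ip> <query name> <query type>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname: str) -> bool:
    """True for a long, high-entropy leftmost label (machine-generated looking)."""
    label = qname.rstrip(".").split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def screen(lines):
    """Return (client, qname, reason) findings for the given log lines."""
    findings = []
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, qname = m["client"], m["qname"].rstrip(".").lower()
        if registered_domain(qname) in KNOWN_BAD:
            findings.append((client, qname, "known-bad domain"))
        elif looks_generated(qname):
            findings.append((client, qname, "generated-looking name"))
        seen[client].add(qname)
    for client, names in seen.items():
        if len(names) >= DISTINCT_NAMES_PER_CLIENT:
            findings.append((client, "*", f"{len(names)} distinct names"))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2015-08-03T09:12:01 10.10.4.7 www.bbc.co.uk A",
    "2015-08-03T09:12:03 10.10.4.7 autodiscover.example.com A",
    "2015-08-03T09:12:07 10.10.4.7 beacon.bad-c2.example A",
    "2015-08-03T09:12:09 10.10.4.7 x7k2q9v4mz1pld8.example.org A",
    "2015-08-03T09:12:11 10.10.4.7 mail.example.com MX",
    "2015-08-03T09:12:15 10.10.9.2 www.bbc.co.uk A",
    "2015-08-03T09:12:16 10.10.9.2 intranet.corp.example A",
]

if __name__ == "__main__":
    for client, qname, reason in screen(SAMPLE_LOG):
        print(f"{client} {qname}: {reason}")
```

Note that “autodiscover” is a twelve-character label whose entropy falls just below the threshold, which is the point of combining length and entropy rather than using either alone; in practice thresholds are tuned against your own baseline traffic.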
3) Advanced Endpoint Threat Detection
Traditional antivirus has its limitations. It uses a database of known vulnerabilities and viruses. It attempts to identify known threats through signatures or basic behavioural observations, often using heuristics. Traditional AV has a place but in many respects it is being overtaken by more advanced solutions.
The concept of databases is like having a register of all the bank robbers in the world. Naturally, you wouldn’t want these in your bank, but at what point does a bank robber become a bank robber… After they’ve robbed a bank. Before they do, they are a civilian like any other. In a similar way, a virus is only a virus once someone says it is. Until then…
The latest generation of solutions that address the limitations of AV are known as Endpoint Threat Detection systems or Endpoint Behavioural Analysis platforms.
The intelligence in these solutions is typically a central appliance, a software solution or located in the Cloud (keeping the vendor’s intellectual property safely tucked away).
An agent installed on each endpoint observes behaviour, kernel system calls, privileged processes, network traffic and file access, all the while reporting its findings to a central brain. The brain has insight into your whole IT environment, so using its advanced intelligence, machine learning, pattern matching or crowd intelligence, it can make a judgement call.
Many of these agents work in harmony with additional devices or controls, providing containment alongside detection. When an attack or potential incident is detected, the solution can trigger events that force other solutions to take action, whether that be containment or alerting individuals.
To make this work effectively, you need an agent on each and every endpoint (workstation or server). This can be costly, but effective.
4) Sandboxing (Payload Analysis)
Sandboxing is a technology that effectively mimics your live environment. In an enterprise, traditionally if someone e-mails you an attachment, your mail filter would scan it for spam and viruses, perhaps the file-type (e.g. PDF) and if ok – pass it through.
Much like traditional AV, these solutions are unable to spot advanced threats.
Sandboxing takes a different approach. When someone e-mails you a file, the sandbox will open the attachment in a secure contained environment and observe its behaviour. Does it act maliciously? What does it do? What files does it access? It then makes a judgement call. This is also known as payload analysis. Rather than looking at the label on the packet, it opens the packet, pokes it, eats it, tests it and sees what happens.
The challenge with sandboxing is that malware is intelligent. Modern malware attempts to detect the presence of a sandbox, trying to evade detection.
Sandboxing solutions are clever too. They are aware of these evasion techniques so they employ their own anti-evasion techniques.
Crafted malware is intelligent too: it understands the evasion-detection techniques the sandboxes use, so it tries to avoid the anti-evasion techniques with more magic. You get the picture. It really is a constant battle.
Sandbox solutions are rated on the number of files or messages they can process per hour. There is typically a capex purchase with ongoing support and maintenance. Some sandboxing vendors are cloud solutions, so represent an ongoing opex.
With Cloud, you need to be careful from a regulatory compliance perspective (HIPAA, Data Protection, PCI-DSS), after all, you may be uploading your files to the sandbox provider who could be located in a country that falls foul of your obligations.
That was a quick run through some of the technologies available to help safeguard your organisation against APTs. It is by no means an exhaustive list, but it serves as a starting point in any discussion around network security.
Cyber-security is an increasingly board-level topic of discussion, and conversations about security should now happen at every level. If you are in IT, educate your board. If you are on the board, ask IT.
Now is a good time to consider the security controls your organisation employs to safeguard against these emerging threats.
If your IT budget is a challenge or if the business has other priorities, you may find your existing systems (albeit with some tweaks) are already capable of providing an additional level of security without a massive capex or the sudden onslaught of a security subscription.
— Technologist Joe Hughes is the CEO of Manx Technology Group, a company that provides a range of IT, network and security services to organisations of every size. Joe’s key areas of interest are cyber-security, FinTech, healthcare technology and the growing use of data throughout every aspect of business.
Fortinet’s FortiGuard Labs released an advisory relating to Flash earlier this month. Essentially a specially crafted SWF could allow an attacker to execute code on a user’s PC arbitrarily. The exploit actually uses a vulnerability patched in Flash 220.127.116.11. There are more details on their website here. Fortinet classified the vulnerability as SWF/SwfDlr.BC!tr?
If your organisation requires Flash, the obvious course of action is to ensure that Flash is up to date. The continued use of Flash is not really recommended unless you need it. With the widespread adoption of HTML5 for video and interactive web applications, there have been questions for some time regarding the longevity of Flash. With exploits appearing in the wild every so often, it is no wonder its demise is perhaps accelerating, with people turning to open standards such as HTML5.
We have talked about IPS (Intrusion Prevention Systems) in a number of articles and discussed how there is often a misconception that these are positioned around hosted applications or e-commerce. In the case of this particular vulnerability, this is exactly where an IPS excels.
FortiGuard’s own labs tested and identified this exploit. They have created a signature that is deployed to Fortinet firewalls and Web Application Firewalls (WAF) in real time. These devices could be protecting the perimeter or internal network segments. Once this signature is loaded, if any user in the organisation is tricked into connecting to a malicious website (or a legitimate but compromised website), the IPS engine will identify the attempted exploit and block it. In these scenarios, the IPS is in effect blocking intrusions that are to some extent initiated by the user.
The ability to inspect SSL-encrypted traffic is equally challenging, especially if the crafted exploit code is delivered via a website over HTTPS. Your common web filters or firewalls (if not configured to do SSL inspection) will simply not see it. The use of SSL inspection does need some careful consideration, given that as a business you can then look at all traffic, including potentially employee-confidential traffic. It is for this reason that your staff handbook, terms and security policy should make it clear what actions you are taking and why.
10GE (10 Gigabit Ethernet) networks are commonplace in service provider, cloud and datacentre environments. Whilst there is some adoption in the enterprise, many of the solutions can be cost-prohibitive or they tend to be all-or-nothing solutions. The purpose of this post is to highlight some ways you can increase network throughput within your organisation.
Windows 2003 officially went EOL (end of life) in July 2015; this is not exactly news. If your organisation still operates Windows 2003, then we would recommend you lock them up and enforce strict visitation rights.
Unified Communications is considered one of the top IT investments for European Healthcare Providers in 2015.
Unified Communications (UC) solutions are one of the most widespread communication technologies used in business today. UC platforms integrate voice, video, instant messaging, e-mail and voicemail into a seamless communications platform.
We are regularly engaged by clients who are looking to enhance or replace their perimeter security solution (e.g. firewalls).
When we embark on a project like this, we rarely approach the problem from a technical or network standpoint. To implement a solution that confidently protects a customer’s network and information assets, you first need to understand their business. What systems do they use? Where are their users located? How many sites? Do they permit remote access? Who and what should access the internet?
We have been busy recently upgrading a number of our customers to vSphere 6.0. Nearly every one of our customers uses virtualisation and VMware for their core IT infrastructure requirements. The benefits of virtualisation are well understood and the ease of DR is a key driver. VMware’s latest version improves on its predecessors, keeping pace with the latest trends in IT, storage and compute.
The key enhancements and changes are highlighted below:
- Scalability. Hosts now support 480 CPU cores, 12TB RAM and 1024 VMs per host.
- Support. The HCL has been extended to include a number of other chipsets, drivers, devices and OS.
- Graphics. Native NVIDIA GPU support provides hardware-accelerated graphics.
- Instant Clone. Technology that allows you to copy VMs up to 10x faster than before.
- Control/Traffic-Shaping. You can now provision per-VM bandwidth reservations to control bandwidth and apply limits.
- Multicast Snooping. For environments that use IGMP, snooping (and MLD for IPv6) provides greater performance and scale.
- vMotion IP Stack. vMotion now has its own IP stack/instance, enabling separate IP address and gateway management.
- vMotion. You can now vMotion guests between hosts even with 100 ms latency between sites. This allows inter-continental vMotion moves.
- Replication Assisted vMotion. Customers who use active:active replication can now leverage this to vMotion guests with up to 95% savings on efficiency.
- Fault-Tolerance. Now allows 4 x vCPU, a significant improvement.
- Content-Library. A central repository to store your templates, ISOs, scripts and VMs. This can be distributed using a publish/subscribe model.
- Cross-vCenter Clone/Migration. Copy and move guests between different vCenter servers.
- UI. Web client improvements.
If you would like to learn more about vSphere 6, speak to MTG or refer to the VMware website.