All Posts By

Juda Thitron

Palo Alto Networks and Portnox Join Forces On Cloud-Delivered Threat-Response Solution

Palo Alto Networks and Portnox Join Forces On Cloud-Delivered Threat-Response Solution

By | Cloud Security | No Comments

In recent months, Portnox and Palo Alto Networks joined forces to better deal with the current cyber security threat-landscape. Network security teams in the enterprise must cope with several challenges that impact their traditional network infrastructure. Here are some of those challenges.

Lateral Movement.

A significant challenge to network and data security is the lateral movement of cyber security hazards such as malware (or even ransomware) from one compromised endpoint to others.
In recent years, cyber offenders have carried out large-scale attacks targeting organizations by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya and Bad Rabbit are malware attacks that used lateral movement to spread in large-scale campaigns during 2017. Using a single entry-point, typically the most vulnerable endpoint detected by the hackers; proliferation via lateral movement can influence an entire organization. In this way, unpatched or unprotected systems can be taken down in no time, leaving an entire organization paralyzed while the offenders achieve their goals.

IoT, BYOD & Unmanaged Endpoints

According to cyber security experts, the majority of harmful attacks exploit well-known vulnerabilities and security gaps on endpoints. Most organizations are unaware of a significant percentage of the endpoints on their network as these are Bring Your Own Device (BYOD), Internet of Things (IoT), guest and other unmanaged endpoints. Additionally, many IoT devices are found to be placed in network segments that are being used by other company devices and IoT endpoints are particularly vulnerable to being breached. These endpoints aren’t transient and typically go undetected by periodic scans. As such, security teams remain unaware of the attack surface on these devices.

Geo-Distribution.

The growing decentralization and de-perimeterisation of worldwide organizations is a crucial factor as well. Once a threat has been identified inside or outside the enterprise perimeter, security teams must be able to handle and contain the threats at HQ and at branch offices anywhere in the world; as well as to be able to secure the devices being used by traveling or telecommuting team members.

Threat Detection.

Today’s threats are evolving rapidly. The current velocity and evasiveness of targeted and sophisticated attacks has never been seen before. These attacks rely on stealth, perseverance and the ability to overcome many cyber security defenses. Oftentimes these attacks use multiple vectors of attack and focus on acquiring crucial personal data, company intellectual property or other insider information. Unfortunately, compromised devices and data breaches can often remain undetected for weeks or months. Detecting advanced threats and infected endpoints will require new and adaptive security controls.

Visibility.

Once a threat is detected, how can one see what kind of device has been compromised? Is it a laptop? A phone? An IoT device? Who is the user behind it? Where is it located on the network?

Threat Investigation.

Today’s security analysts are spending too much time trying to pinpoint the compromised endpoint and figuring out who else in the organization has been affected, especially when lateral movement is such a big risk. Oftentimes data breaches remain undetected for extended periods of time (with more than 80% of breaches undetected, Gartner 2017*). Even when detected, if a threat moved laterally before being shut down, there is a lack of information regarding which other endpoints have been compromised; on or off premise.

Response & Control.

Actions must be taken. Stopping lateral movement and other endpoints from being infected is crucial. Compromised devices must be quarantined or blocked from accessing the network, regardless of how they are connected to the network (wired, wireless, VPN, cloud).

Future Risk Mitigation.

Blocking the current threat and preventing it from infecting other endpoints is a great start, but not enough to maintain optimal network hygiene. Continuously analyzing the security posture of all organizational devices is crucial. This includes the ongoing review of existing threats and Indicators of Compromise (IOC) to determine which endpoints are granted access to the network each time.

With so many challenges to factor-in and the all-time record of the number of vendors offering solutions in the cyber security space, all seemingly overlapping, it is no surprise that security teams have a difficult time sorting through many vendor claims till they finally select the services or products that will best match their security and budget requirements.

The CLEAR App Solution.

In mid-October 2018, the Portnox CLEAR App went live on the Palo Alto Networks Application Framework. This joint solution, between Portnox CLEAR’s cloud-delivered network access control and the Palo Alto Networks firewall, allows security teams to set enforcement policies based on threats detected by the Firewall. The App prevents the lateral spread of malware throughout the organization and effectively isolates the compromised endpoints in real time. The Palo Alto Application Framework is designed from the cloud and therefore this cloud to cloud solution will allow organizations to provide remote branches the same security as at HQ, allowing for a much better handling of threats in and outside of the perimeter.

Security teams can rapidly enable the App without worrying about adding any infrastructure or appliances. Additionally, organizations can create customized policy via CLEAR with the flexibility to assign the right impact on the endpoint’s continuous risk assessment and security posture. This is done by correlating advanced threat categories from the Palo Alto Networks firewall with the organization’s access and risk assessment policies for devices. In essence this will allow the organization to leverage the Palo Alto Network advanced threat detection to better secure the access of all endpoints, including BYOD and IoT devices.

Accelerating the Response to Threats.

The joint solution will accelerate the response to threats by identifying all compromised devices that share the same threat using CLEAR’s unique visibility and data discovery capabilities.

Palo Alto Networks next-gen firewalls identify evasive and sophisticated threats and automatically thwart them through multiple means. The technologies use analysis of all allowed traffic, using multiple advanced threat-detection and prevention technologies.

Continuous Risk Mitigation.

Based on the advanced threat detection data received from the Palo Alto Networks firewall (i.e. detecting malware that is new or has no signature), CLEAR enables the discovery of other endpoints with the same threat. Moreover, CLEAR will provide the user ID, office location, switch location, etc., regarding the compromised endpoints. Once the advanced threat detection alerts are received in the Palo Alto Networks Application Framework, CLEAR quarantines or blocks these compromised endpoints. Automated response actions are customized and tailored by the organization’s requirements. IOCs and vulnerabilities indicated by the Palo Alto Networks firewall are correlated with the risk-score of each endpoint and the appropriate response is issued by CLEAR.

CLEAR continuously monitors and evaluates each endpoint on the network, establishing a risk-score for it over and over again, whether the device is connected on or off premise. This knowledge is used to define access policies and continuous risk-monitoring takes place. Security admins can determine, customize and tailor the access policy based on the organization’s security requirements. If the risk-score is high, CLEAR will not allow access or will allow limited access by quarantining the endpoints to a certain VLAN. If the risk-score is low – CLEAR continues to monitor the endpoint.

The day-to-day operation of the application will enable customers to monitor a network or endpoint threat-indications from the Palo Alto Networks Application Framework, to update the risk score of devices, and to identify all devices that share the same threat.

Cloud Strengths.

The fact that CLEAR is delivered from the cloud as a SaaS solution, has many positive ramifications from every aspect: security, operations, cost efficiency and more. For example, CLEAR is always running the latest version, with seamless upgrades, delivering the most up to date technology advancements to the subscriber. This can save a lot of time and needless worry for the administrators and assures the usage of the best security. Additionally, using a cloud-delivered solution allows for scalability and is geo-distributed across the world, making it a must-have for decentralized and growing enterprises. All of these, contribute greatly to a substantial reduction in the Total Cost to Ownership (TCO).

Additionally, cloud-delivered security solutions allow that managing risks and threats will no longer depend on an IT security team administrator being physically present within the perimeter of the enterprise location. Changes can be made from where the security admin is located at the time, from a central account, allowing for faster hands-on solutions as required. In our ever evolving work spaces, this is a crucial mode of operation.

Conclusion.

With the Portnox CLEAR application on the Palo Alto Networks Application Framework, companies can continuously monitor endpoints on the network and scan for a wide variety of IOCs, for the rapid pinpointing of compromised endpoints, stopping lateral movement and completely avoiding costly data breaches.

Handling Network Complexities in Today’s Highly Decentralized Organizations Part 3: 5 Things Your Next 802.1X Authentication Solution Must Do

By | Cloud Security | No Comments

Implementation Issues Solved with 802.1X NAC Delivered from the Cloud

In parts 1 and 2 of this blog series we spoke about the idea that decentralized organizations, where mobility plays an important role in network security functionality and visibility; should seriously consider implementing NAC solutions delivered from the cloud, as-a-Service, due to the fact that endpoint risk assessment, as well as network visibility and control can be obtained for all locations and provide flexibility in terms of growing the coverage as the company grows.
With that in mind, today I will explain the five points that we believe are essential in choosing your next network security solution.

When deploying 802.1X NAC as-a-Service, complaints about lengthy deployments, implementation hassles and limited capabilities do not have to be prevalent any longer. In fact, IT security teams can now succeed where others have failed and be the superheroes of network security projects. NAC doesn’t have to be complicated. With NAC as-a-Service, there is no need for physical deployment or network hardware (unless it already exists, such as RADIUS or Active Directory servers), which significantly cuts the costs and deployment-time that were previously associated with the 802.1X authentication protocol.

Additionally, NAC as-a-Service allows for secure and remote access for the geo-distributed workforce, without the need for localized branch appliance deployments. It also enables business continuity, because if appliances go offline at one of the locations, the rest of the locations and endpoints can continue accessing the network without interruptions and regardless of which type of device is being used (corporate, BYOD, IoT, etc.).

As you can see, the NAC as-a-Service cloud delivery model is a different approach altogether for dot1X authentication in the enterprise, as it solves key security issues with the ease, agility and efficiency of a SaaS solution.

Here are the top 5 items you should look for in selecting your next 802.1X NAC solution.

I. SaaS delivery – With the shift to cloud-based solutions in businesses world-wide, many businesses no longer maintain their own data centers and have come to expect and rely on many solutions to be Software as-a-Service orientated. 802.1X NAC solutions provided from the cloud fit the bill and allow for easier and more cost-effective deployments and implementations.
II. Turn-key solutions with pay-as-you-go options – your next network security solution should have a low TCO – Total Cost to Ownership (both in terms of price and man hours), without forcing you to have so many pieces of equipment, installations and cumbersome access controls. These are the traits of NAC solutions which are not a good fit for decentralized organizations. A simple, pay-as-you-go model will allow you to gradually implement your NAC solution, while maintaining the highest standards for network security. While TCO is a major driver for IT infrastructure management, there is no reason to compromise on a network security project, but rather choose a solution that will provide a full and mature solution from day one.
III. A scalable and adaptive multi-branch solution – with enterprise mobility and multi branch businesses that in some cases span across countries and continents (without always having an IT professional available), your NAC solution should be able to follow your company wherever it goes. Your solution should also be able to adapt to growth in the number of endpoints, locations and ports, no matter where they are and which layer of the network is being utilized (wired, wireless, VPN).
IV. A Holistic approach to cyber security – your 802.1X NAC solution should not be limited just to port security. It is advisable to have a system in place that can provide a full network security vulnerability assessment. Once your solution can provide full visibility of all network access layers as well as all types of devices that are currently connected on the network, your IT managers can maintain tighter controls and set up automated actions.
V. Automated policies and actions – automation is a must-have option, as there are so many challenges to deal with in keeping today’s organizational network secured. Having one simple and consolidated platform that handles all access layers and all potential port security dilemmas, will allow for easier automation, configuration and segmentation (as required) of the endpoints for a connection that is based on group permissions. dot1X port control allows for full end-to-end provisioning, automated deployment, management and troubleshooting tasks.

Taking these top 5 points into consideration before selecting an 802.1X solution will assure that decentralized organizations wind up with an easier deployment process in terms of time and budget, as well as a holistic solution that does not ignore any part of the network.

Portnox CLEAR is the recommended solution for simple 802.1X deployment. Without compromising on security across the enterprise. By using a RADIUS and repository servers from the cloud, dot1X port control is delivered as-a-Service, and admins can embrace the benefits of dot1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. Within weeks, it is easy to see and control every device connected to the network and thanks to automated monitoring, risk assessments and automated actions it isn’t necessary to be glued to the admin console ever again.

To find out how 802.1X authentication delivered from the cloud works, read more in the White Paper, “802.1X Authentication Is Simpler Than You Think“.

Sign Up for Your CLEAR 30 Day Trial Now

Handling Network Security in Today’s Highly Decentralized Organizations – Part 2: Adopting Cloud Solutions

By | Cloud Security | No Comments

The Business of Risk Assessment

Classical port security is not always understood. Originally it involved the equipment and particularly computers within the physical perimeter. At that point, NAC came into play if someone penetrated the network from a physical port, on-premise. This all changed in the last 15 years, when enterprise mobility and digital transformation took over. These required different levels of authentication to fit the different devices, including managed devices (company owned), unmanaged devices (where Bring Your Own Device – BYOD policies are at play) and IoT devices. The homogenous ways of the old made way for the heterogeneous reality of the new, turning device and port security into the business of risk assessment.

Register for the Decentralization Webinar

Risk assessment and full network visibility are the virtual doormen at the party who will allow the organization’s invitees to enter. Instead of naïvely allowing anyone to access the network, there should be a continuous and automated system performing risk-profiling and allowing full visibility of everything on the network. Where traditional, on premise NAC is limited to a few actions and parameters that do not reflect the complexities outlined above and in part 1 of this blog, a robust NAC solution should be able to scan all access layers and all endpoints for all users. Once this is achieved, continuous endpoint risk assessment becomes a reality, providing a wider solution that is required for today’s complex networks and decentralized organizations.

802.1X Network Security Projects

In today’s 24/7 hyper news cycle, we are constantly learning of new data breaches, costly malware attacks and the need to have solid network security solutions. 802.1X, the trusted authentication protocol used for Network Access Control (NAC) solutions, was initially considered a success when implemented on wired networks, within the framework of a traditional, on-premise solution. However, later on, as more companies became decentralized and shifted to wireless networks and VPNs, traditional on-premise 802.1X solutions no longer fit the bill.

Unfortunately , many companies were burnt by these on-prem 802.1X NAC projects. True, the protocol itself is extremely trustworthy, however, with most solutions there seems to be a never-ending patching and configuration job going on. That’s assuming they have completed the labor intensive and expensive deployment that in many cases, includes moving a lot of equipment around. If this is a decentralized organization, such as a multi-national company with many access points, each location will require a way to protect all endpoints and company assets. In some cases, this could become costly and create a lack of cohesiveness within the organization.

To solve these and many of the challenges discussed in part 1, lighter, adaptable and agile solutions have become necessary in the new reality. Organizations must transition into using easier NAC solutions such as NAC delivered from the cloud and Software-as-a-Service. Among other attributes, a SaaS delivery model will save time and money on deployment, training and implementation, while at the same time providing the agility, visibility and accuracy needed to handle today’s complex and multi component networks. Next-gen solutions offered as-a-Service are able to cope fully with today’s decentralized organizations and the on-prem 802.1X solutions can no longer suffice. Thankfully, there is such a solution. While it provides robust coverage, it is easy to implement in a few simple steps, the first of which is an easy software download.

NAC Solutions Delivered as-a-Service from the Cloud

Using a next-gen 802.1X cloud solution will allow organizations of any size and with any number of geo-locations to gain full visibility of all endpoints on the network, regardless of what the access layer is or which type of device is being used (company issued, BYOD, IoT, etc.). 802.1X is one of the most secure ways to authenticate devices connecting to the network because it is based on set protocols and a verified standard. While other authentication methods may simplify the implementation and management, as of now there are very few solutions that can match the security and strength of 802.1X authentication on all VPNs, wired and wireless networks.

For those concerned with the notion of having security provided from the cloud, it should be noted that according to Gartner’s research, “by 2023, 80% of enterprises will adopt two or more cloud-based security services”. As more companies become decentralized, we believe that more of them will adopt security services delivered from the cloud.

***Tune in next week for part 3: The 5 “must-haves” in your 802.1X NAC solution. ***

Looking for an easier NAC project?
Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.

Sign Up for Your CLEAR 30 Day Trial Now

Handling Network Security in Today’s Highly Decentralized Organizations – Part 1: The Challenges

By | Cloud Security | No Comments

The Perimeter is Dead

We know that our businesses are becoming more digital and connected every minute, of every hour, of every day. This is a global trend and the foundation for increased delivery speeds, efficiency and productivity in all organizations. Organizations these days are no longer limited to their physical office premises as they once were. In many cases, team members are allowed the flexibility of working remotely, telecommuting and working in different branches across different countries, sometimes working in shared co-work offices with other remote employees and business owners. That said, IT Security Officers have their work cut out for them, whether they are handling a large multi-national organization or a small-to-medium business. We all know and feel the incredible threats looming on our networks and the constant care that must be taken to assure the security and integrity of our organization’s assets, whether they are physical or intellectual. In this, first post of a series of three, we’ll review a few challenges with network security and then consider some solutions in parts 2 and 3 of this blog.

Register for the Decentralization Webinar

We Adore Our Mobility

There is a lot of satisfaction that comes with the increased productivity, flexibility and mobility offered by digital transformation. Is there anyone out there who would like to trade their smartphone back to a flip phone? Their laptop for a desktop? The answer is clear: obviously – no. We all adore our mobility and digital advancements. So much so, that IDC predicts that within the next two years there will be close to 200 billion Internet connected devices.

If you are reading this article, there is an excellent chance that you use 5-6 connected devices, including your smartphone, a wearable of some sort, a laptop or two and a tablet or two. Perhaps you have a few IP cameras monitoring your home and office while you are away. And that’s just you. Now think of all the people bringing their own devices to the enterprise these days.

Next, let’s think of the IoT (Internet of Things) devices that are increasing their presence everywhere, according to IDC, there will be 80 billion connected IoT devices by 2025, enhancing a security concern stemming from the fact that IoT devices are almost invisible on many enterprise networks. Additionally, employees are accessing any kind of application under the sun (or florescent light), on their own devices and via the Internet on their company managed computer. These applications and websites are used for both personal and work-related purposes, placing the organizations’ assets at risk.

Network Complexity

In today’s decentralized enterprises there are multiple access layers at play, including the use of wired, wireless and VPN connections. This is one of the core security issues with complex networks in decentralized organizations with locations in different states and countries. Multinational organizations suffer from increased risk due to their IT security loopholes and the abundance of access ports and end-users. It is no wonder then that many IT departments have settled for half-promises of asset security and network controls. They must work within the constant cyber threats that seem to be spreading faster and everywhere these days. Unfortunately, one of these half-promises leads to uncompleted NAC implementations (Network Access Control) and to lengthy and unsuccessful projects.

Security Vendor Fragmentation

Vendor fragmentation is an incredible headache that must be handled. It seems like there is a solution for every inch on the network, as long as you are willing to work with five different vendors.  Implementation is labor intensive and expensive. Moreover, IT leadership struggles when selecting vendor software because the solutions are diverse with no single vendor able to meet all requirements and use cases, especially with decentralized organizations.

Safely On-boarding All Devices

On-boarding devices onto the network in a distributed organization is not hassle-free, often slowing productivity down. Additionally, compliance must be enforced across the organizational network, no matter which location around the world or which device is being used. At the same time, if one of your team members lost their computer, there should be a clear path to prevent that device from on-boarding the network.

Cybersecurity Posture

Many CIOs and CISOs have the constant burden of dealing with and maintaining the organization’s cybersecurity posture while potentially being targeted for cyber-attacks. With cyber-attacks being on the rise and in the news every week, it is no longer a question of if, but rather a question of when one’s organization will be under attack. And so the question arises – are we as prepared as we could and should be?

The network complexities outlined here may be preventing many from establishing optimal solutions and procedures for their organization, especially those that allow full visibility and risk management, not even imagining how serious the threats are till it is too late. Is it really going to take a complete data breach before we do anything about it? Can’t we just learn from other organizations’ mistakes and misfortunes? (Note the 2017 WannaCry attacks for example). Still, once IT departments have been burnt by unsuccessful NAC projects, they might be slow and cautious before initiating the implementation of a new and ideally – better – technology.

Looking for an easier NAC project?

Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.

Sign up for your FREE 30 DAY TRIAL with PORTNOX CLEAR NOW.

Easy 802.1X

By | Cloud Security | No Comments

The IEEE standard for port-based authentication, 802.1X, has been around since the early 2000’s, but in recent years has been met with frustration from network administrations and architectural experts. While 802.1X is well suited to the needs of the wired, desktop-dependent enterprise, with the shift to wireless networks, together with an upsurge of BYOD and Internet of Things (IoT) devices, deployment of 802.1X has become more of headache than a help.

Much of the criticism for 802.1X centers around the difficulty of deployment, namely that certain hardware infrastructure, such as RADIUS authentication and user repository servers, are required. In addition, with an increase of mobile devices in the enterprise, 802.1X is not able to provide enough contextual information on devices to allow for effective security controls. Finally, the difficulty of deployment involves the allocation of agents, which must be carefully managed on endpoints and could become a nuisance for employees if they are constantly required to enter their access credentials.

So Why Reconsider 802.1X?

Despite these technical difficulties, 802.1X has proven to be the strongest method for authenticating devices on the corporate network due to its continuous and direct communication with authenticating servers as opposed to pre/post scanners or the use of logs. The benefits for centralized management and enhanced security should not be deserted based on the sheer complexity of 802.1X deployments.

802.1X Delivered as a Cloud Service

Now, there is another way. With the growth of cloud computing technologies, Portnox CLEAR offers a solution that allows for simple deployment of 802.1X authentication , without compromising on security across the enterprise. By deploying RADIUS and user repository servers from the cloud, and delivering 802.1X as a software-defined cloud service, admins can embrace the benefits of 802.1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. In a matter of minutes, admins can see and control every device connecting to their network and issue agents to monitor and control those devices with one swift action.

To find out how 802.1X authentication from the cloud works, read more in our White Paper, “802.1X Authentication Is Simpler Than You Think“, or TRY PORTNOX CLEAR NOW!

A New IoT Botnet Is Upon Us – What You Need To Know

By | IoT | No Comments

As if we all haven’t gotten over the Mirai botnet attack that happened last year, there’s news of a new IoT botnet in town. “IoTroop” or “Reaper” as it is being called by security researchers at Check Point and Qihoo 365 that discovered the attack, is said to affect millions of devices, but it’s still early days with information still being compiled on the full list of vulnerabilities.

So far, 9 exploitable vulnerabilities have been identified in Wireless IP security cameras from manufacturers such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology, and others. Check Point and Qihoo report that they identified recurring security vulnerabilities in the IoT devices beginning from the end of September, but report that the recruitment phase of the botnet attack is still underway, with up to 10,000 new devices compromised each day.

IoTrooper/Reaper appears to use some vestiges of code from the Mirai attack, but as opposed to the Mirai attack that recruited IoT devices with factory default or missing telnet credentials, this botnet attack dives deeper into inherent IoT hardware and software vulnerabilities. This makes the potential for recruitment much greater in this current attack, garnering the potential to take down the entire internet, according to experts. These “thingbots”, as they are called,  carry out distributed denial of service (DDoS) attacks to the similar effect of Mirai, or create the possibility of an anonymity network, which allows for anonymous surfing of the internet and preventing network surveillance.

Before panic over the potential damage ensues, know that there are ways to secure IoT devices and prevent them from being recruited as thingbots. The first step is to check if there are available firmware updates for network-connected IoT devices (particularly those from manufacturers listed above), and to verify if your security solutions have picked up on one of the 9 published vulnerabilities being targeted.

Next, a rule of thumb with all IoT devices is to disable the peer-to-peer (P2P) communication mechanism that’s available on many security cameras and DVRs. With P2P enabled, hackers can remotely locate and gain access to vulnerable devices that may not be connected to the internet. In addition, consult with security professionals regarding your IoT security stack – if you aren’t using an IoT visibility and detection solution, now is the time to consider the investment. With IoT botnet attacks proliferating, organizations should do everything in their power to understand and protect their enterprise IoT environment.

Finally, and most importantly, don’t panic. At the moment, we know very little about the intentions, scope and warpath of the IoTroop/Reaper attack, so don’t jump to any conclusions just yet and do not abruptly disconnect connected devices; if those devices are infected, they could cause significant network-wide damage once disconnected, not to mention data loss.

If we thought that Mirai was as bad as IoT botnet attacks could get, it appears that IoTroop/Reaper is here to prove otherwise.

Find out about Portnox’s IoT Security Solutions and start protecting your network from botnet attacks today.

Portnox integrates with Check Point’s ThreatCloud solution to provide complete control and strong security for enterprise network IoT.

What KRACK Means For Your Wireless Networks

By | Threat Detection and Response | No Comments

Last week, news surfaced of a serious vulnerability with the Wi-Fi Protected Access II (WPA2) protocol that is used to secure the majority, if not most, protected Wi-Fi networks. According to the research, published by Mathy Vanhoef of the University of Leuven, the vulnerability lies in the 4-way handshake that is part of the WPA2 protocol, which can be manipulated to carry out man-in-the-middle attacks on network users, forcing them to reinstall the encryption key. Furthermore, Android and Linux devices can be tricked into reinstalling an all-zero encryption key, making it possible for the hacker to intercept and manipulate traffic from these devices when they are connected to the WPA2 network.

The implications of discovering such a vulnerability are huge as most modern networks are protected through the WPA2 encryption protocol, but there are a few caveats. For instance, in order to carry out a KRACK (Key Reinstallation Attacks), the hacker needs to be in close logical proximity to the Wi-Fi range. In addition, browsing over HTTPS may protect some traffic from interception, as it is protected with an additional level of encryption. Yet, at the moment, it appears that most devices that support Wi-Fi are affected, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and more.

So what are the implications of the discovery of KRACK for the enterprise network?

By manipulating the KRACK vulnerabilities, hackers (or even employees, guests and contractors) within close vicinity of the Wi-Fi network can eavesdrop and alter information being transmitted over the network. While the location caveat does have its benefits for smaller and tighter organizations, for larger organizations with far-reaching networks, it provides little solace.

Though little is still known about how the KRACK vulnerability will be addressed (or when a new secure wireless encryption protocol will be issued), there are a number of steps that enterprise IT departments can take to secure their data.

  1. Install the latest security patches and updates: This is a given, following any vulnerability, and should become standard practice throughout the enterprise. If possible, use a network access control solution to alert IT administrators and employees, when their devices are in need of updates, and enforce those updates by quarantining or blocking non-compliant devices until their security posture is updated. Also, regularly check for firmware updates that address WPA2 vulnerabilities across all connected devices and appliances.
  2. Look out for IoT devices: Direct attention to all connected devices – not just managed and BYOD devices – namely IoT devices that present a challenge as many of them cannot be patched or updated with the most recent firmware. Consider sandboxing IoT devices into a separate part of the network until a larger solution for the WPA2 vulnerabilities is reached. Currently, those organizations that depend on the data processing capabilities of IoT devices should be concerned and take all possible measures to protect and manage the security of these devices.
  3. Maintain consistent visibility into connected endpoints: One of the best ways to identify vulnerabilities is to maintain consistent visibility into connected endpoints. That way, if there is suspicious activity being carried out on the network, or if device specifications have been changed (good indications of a KRACK breach), IT administrators can take actions to control access for the device in question. Consistent visibility makes it easier to establish regular patterns of network behavior, providing important context when it comes to identifying and preventing cyber attacks.
  4. Consider wired networks: While these may seem like a thing of the past, in most organizations, wired internet connections still exist in some form. Encourage employees to connect their managed and professional devices over wired networks where possible, at least until firmware updates are installed and a remediation policy is put in place. For mobile devices and BYOD, ask employees to refrain from engaging in work-related activities over the enterprise Wi-Fi connection until the vulnerability is effectively addressed.
  5. Use WPA2 AES-CCMP as opposed to WEP, WPA/WPA2 TKIP and GCMP: The researchers identified that with WPA-TKIP or GCMP, hackers can not only decrypt encryption keys, but forge and inject new encryption packets. Therefore, it’s better to use a different encryption method until a more concrete solution for secure WPA encryption is reached.

The most important thing to remember about WPA is that there is no use in panicking. Most connected devices and enterprise networks are affected at this point. Mathy Vanhoef and his team at the University of Leuven have done us all a favor by informing us of the vulnerability, giving IT departments and security experts an opportunity to shore up their Wi-Fi security and take measures to prevent data loss.

How to Discover and Control a Vulnerable Device

By | Our Technology | No Comments

With BYOD, IoT and the growth of the mobile workforce, CISOs and system administrators are faced with mounting challenges in discovering and controlling all of the devices on their network. The proliferation of these technologies makes it easier for hackers to gain access to the network, by gaining control over and access to rogue and vulnerable devices, although they have obvious benefits for business. In this environment, a cloud-based network access control solution like Portnox CLEAR can go a long way in identifying and automatically controlling access for endpoints on the corporate network, both on and off premise.

Watch the following video to find out how easy it is to discover and control vulnerable devices with Portnox CLEAR.

Don’t Let your Network Become Hostage to WannaCry

By | Threat Detection and Response | No Comments

The WannaCry cyber attack has reached 150 countries (and still counting), which will leave its mark for months and years to come. As the damage is still being sorted out, one story is most prominent –  the story of unpatched devices being connected and having access to the corporate networks.

To think that with one simple action of patching a well-known “Eternal Blue” vulnerability by Hot-Fix released by Microsoft two months ago, organizations were able to delay dramatically the spread of the malware and to a degree even stop the ransomware worm from end-point to end-point.

It’s such a shame that even today, after so many cyber-attacks have hit organizations, they still fail to adopt a very simple but powerful approach to control the risk of devices connecting to the corporate network and especially via remote, VPN access.  Not making intelligent, threat and risk oriented access decisions leads to finding a huge exploit in the backyard of organizations. One simple decision, based on one click, that defines access policy – “do not let in unpatched devices” will make the difference between being cyber-breached and humiliated and being safe and undisrupted.

How can organizations address these critical steps of devices entering the network? One example of a solution that can make the difference without additional configurations, rules or signatures, is Portnox CLEAR. CLEAR is a cloud-based, Security-as-a-Service, which allows organizations to monitor, detect and manage device risks and vulnerabilities along with managing end-point access to corporate networks by remote or local access.

Powered by machine learning, CLEAR constantly analyzes hundreds of different endpoint parameters, including the state of patches for the operating system and for multiple applications installed on a device. In the case of detecting an unpatched system, “Eternal Blue” missing patch, as an example, CLEAR will immediately, in real-time, notify the security officer or IT manager about the high level of risk. If needed, it will even block access for such a device to the network. This will be done in default, no changes to the configuration, and without any additional cost (CLEAR is a SaaS system) to the organization. With Portnox CLEAR, there is an immediate benefit of detecting and removing from the network vulnerable devices that could make your organization potential ransomware victims.

It is clear that ransomware is a complex problem with many different aspects of cyber defense, which requires a wide coalition of multiple products and technologies to fight a kill chain of a cyber-attack. End-point risk and access management should be the center and front of this cyber defense effort.

Take these steps now to remain safe and not allow attacks such as WannaCry to get to your network!

 

 

Don’t trust that TV in your boardroom

By | IoT | No Comments

With the recent hacking developments, we are constantly reminded how dangerous IoT devices can be in a corporate environment. No IoT device is off the table for hackers, considering the massive set of DDoS attacks that utilized compromised surveillance IP cameras to generate a huge amount of traffic that crippled many websites and the recent WikiLeaks news, threatening that your Samsung TV could be spying on you.

The leaked documents from WikiLeaks reveal that the CIA developed an exploit that perhaps utilize some unknown, “zero-day” vulnerability to breach and take control of TVs. This malware puts the TV on a “dissipation mode” which misleads the owner to believe the device is turned off, when in fact the TV is still on and recording conversations.
Is it possible to protect your business from being yet another victim of an IoT-based breach? If so, what can we do?
In order to keep your network secure and compliant, organizations should follow best practices for IoT security. This includes rapidly adopting software systems to help implement and enforce threat prevention and security management of IoT devices.

These best practices include 4 major areas:

1. “Lock-Down” – Implement a device lock-down, hardening policy, or procedure. Vendors of IoT devices don’t always provide the best security configuration and correct security posture. Instead, adopt systems and processes that automatically reconfigure the IoT system and constantly institute a lock-down policy with respect to best practices, known vulnerabilities and threat intelligences. Minimal complexity of passwords, open ports, running unused services and always-on peripheral devices such as microphones are all part of a wide attack surface that must be reduced by fully-automated hardening of IoT devices. Automated hardening solutions provide the ability to restrict device features and services, allowed control of incoming and outgoing traffic, and even force patch updates for device software.

2. “Micro-visibility and Risk Monitoring” – Adopt systems that provide pervasive inside monitoring on all aspects of IoT devices on your network, from running processes to firmware changes and more. These systems discover and deeply understand the nature of any IoT device on corporate networks, and consciously monitor and present all possible risk factors introduced by a device. Such a security system must collect and analyze hundreds of different parameters from IoT devices. The system then can analyze and correlate collected data against known vulnerabilities and threats, and detect behavioral anomalies or post-breach activities on the device.

3. “Untrusted by Default” – Do not allow unauthorized devices to plug into your network. Implement secure access and governance flow of how to on-board new devices. Each device that is connected to your network, whether wired or wirelessly, must be authenticated, authorized, and assessed. Determine each device’s risk level prior to entering the corporate environment.

4. “Discover the invisible” – Adopt network-wide actionable visibility on all devices connected to the corporate network, and constantly discover new and unknown IoT devices. Act on each device that has been discovered by such network visibility systems to ensure the device is known, authorized and properly configured.
Protecting against IoT attacks begins with visibility, followed by detection and then reaction.
Portnox CORE provides an additional layer of device visibility and offers full capabilities for device discovery, authentication, and compliance enforcement. It provides a cutting-edge approach to network security that allows you to see any device on the corporate network, manage its risk and react upon automatically and in real time.

Use these best practices listed above to ensure your network is secure, and then nobody will be able to record your meeting discussions without consent via that TV in the boardroom.

Contact us to learn more about how Portnox CORE can help your organization secure its network.