The Best Ways to Secure Device Onboarding in The Enterprise

With digital transformation now prevalent in the enterprise, there is a clear need to balance IoT and BYOD security measures, which keep suspicious or malicious devices away from the enterprise’s assets and data centers, against productivity and easy onboarding of devices. Employees, guests and contractors bring all kinds of Wi-Fi-enabled devices into the enterprise environment, and they expect easy and quick network connectivity.

Onboarding is the process in which new devices gain access to the enterprise for the first time. Unfortunately IT departments can sometimes experience additional workloads while endeavoring to get all the devices on the network so as not to hinder business productivity. At the same time, if they are not handling the process with top security standards in mind, they could potentially place users, devices, enterprise data and the network itself at risk. The question arises: how should IT Security teams allow for BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation.

By automating the entire onboarding process enterprises can achieve the following benefits:

  • Reducing the costs that are typically associated with manual work (including configuration and support activities).
  • Enhancing productivity – getting team members, contractors and guests connected to work faster.
  • Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
  • Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked, or placed from the beginning on a network segment separate from the one where the key corporate assets (the “crown jewels” of the company) are stored.

Easy Onboarding

Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk-score. This way the enterprise can easily onboard BYOD devices belonging to employees that are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business such as flat screens, printers and IoT devices, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.

Reducing Risks on the Network

A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear set of onboarding policies will allow IT teams to have automated actions applied (see examples in the next section).

After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network.  This way, every device employs baseline security measures before being allowed to connect.  Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network connected devices with the ability to revoke access at any time.

Automated Device Onboarding and Network Authentication

Having an automated onboarding set of policies can allow for automated actions such as:

  • Immediately allowing Internet access
  • Blocking/disconnecting
  • Segmenting a device to a separate network section
  • Remediation actions

For example, IoT devices are considered to be easy to hack. Therefore, once connected to the enterprise network, these devices should be kept separate from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, if a visitor is being connected, the visitor should gain access to the Internet and not to company files, even when plugging the computer into the wired network.
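The automated actions above, sketched as an added example (not Portnox code and not part of the original post): a policy function that maps device class, risk score and posture to allow, Internet-only, segment, remediate or block, and to the RFC 3580 VLAN attributes a RADIUS server returns to an 802.1X switch or access point. The VLAN numbers, thresholds, 0-100 risk scale and all names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DeviceClass(Enum):
    MANAGED = "managed"   # company-owned
    BYOD = "byod"
    IOT = "iot"
    GUEST = "guest"       # visitors and contractors


class Action(Enum):
    ALLOW = "allow"
    INTERNET_ONLY = "internet-only"
    SEGMENT = "segment"
    REMEDIATE = "remediate"
    BLOCK = "block"


# Assumed VLAN plan and thresholds; replace with your own.
VLAN_CORP, VLAN_BYOD, VLAN_IOT, VLAN_GUEST, VLAN_REMEDIATION = 10, 20, 30, 40, 99
HIGH_RISK = 50    # at or above: credentials must be re-entered
BLOCK_RISK = 80   # at or above: no access at all


@dataclass(frozen=True)
class Device:
    mac: str
    device_class: DeviceClass
    risk_score: int          # 0 (clean) .. 100 (worst), assumed scale
    os_patched: bool = True
    av_current: bool = True
    reported_lost: bool = False


@dataclass(frozen=True)
class Decision:
    action: Action
    vlan: Optional[int]
    reauth_required: bool
    reason: str


def decide(dev: Device) -> Decision:
    """Apply the most restrictive rules first so a later rule cannot widen access."""
    if not 0 <= dev.risk_score <= 100:
        raise ValueError(f"risk score out of range for {dev.mac}")
    high = dev.risk_score >= HIGH_RISK
    if dev.reported_lost:
        return Decision(Action.BLOCK, None, True, "device reported lost")
    if dev.risk_score >= BLOCK_RISK:
        return Decision(Action.BLOCK, None, True, "risk score above block threshold")
    if dev.device_class is DeviceClass.GUEST:
        # Same outcome on Wi-Fi or a wired port: Internet, never company files.
        return Decision(Action.INTERNET_ONLY, VLAN_GUEST, high, "guest")
    if dev.device_class is DeviceClass.IOT:
        return Decision(Action.SEGMENT, VLAN_IOT, high, "IoT kept off the core segment")
    if high or not (dev.os_patched and dev.av_current):
        return Decision(Action.REMEDIATE, VLAN_REMEDIATION, high, "posture below baseline")
    vlan = VLAN_CORP if dev.device_class is DeviceClass.MANAGED else VLAN_BYOD
    return Decision(Action.ALLOW, vlan, False, "baseline met")


def radius_reply(decision: Decision) -> dict:
    """Translate a decision into the RADIUS reply the authenticator enforces."""
    if decision.action is Action.BLOCK or decision.vlan is None:
        return {"Code": "Access-Reject"}
    return {
        "Code": "Access-Accept",
        # RFC 3580 dynamic VLAN assignment attributes.
        "Tunnel-Type": 13,                              # VLAN
        "Tunnel-Medium-Type": 6,                        # IEEE-802
        "Tunnel-Private-Group-ID": str(decision.vlan),  # VLAN ID as a string
    }


# Constructed sample inventory (MAC addresses are made up).
SAMPLE = [
    Device("02:00:00:00:00:01", DeviceClass.MANAGED, 10),
    Device("02:00:00:00:00:02", DeviceClass.BYOD, 20, os_patched=False),
    Device("02:00:00:00:00:03", DeviceClass.IOT, 45),
    Device("02:00:00:00:00:04", DeviceClass.GUEST, 55),
    Device("02:00:00:00:00:05", DeviceClass.MANAGED, 5, reported_lost=True),
    Device("02:00:00:00:00:06", DeviceClass.IOT, 90),
]


def evaluate(devices):
    """Return (mac, decision, RADIUS reply) for each device."""
    return [(d.mac, decide(d), radius_reply(decide(d))) for d in devices]


if __name__ == "__main__":
    for mac, decision, reply in evaluate(SAMPLE):
        print(mac, decision.action.value, decision.vlan, decision.reason, reply["Code"])
```
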

Two important advanced guest network onboarding features are recommended to be included:

  • Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
  • Agentless access – once the IT administrators have set up the onboarding policy – contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.

Acquiring Advanced Onboarding Capabilities

One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; nowadays, however, wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and the Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX, and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of these can be achieved via NAC solutions. Network access security should be a priority for all companies moving forward.

Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t obstruct workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on the one hand improve end-user experience for BYOD, IoT, users and guests and on the other hand improve IT security as part of a layered protection strategy.

Looking to set IT security policies and automate your device onboarding?

Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.

Handling Network Complexities in Today’s Highly Decentralized Organizations Part 3: 5 Things Your Next 802.1X Authentication Solution Must Do

Implementation Issues Solved with 802.1X NAC Delivered from the Cloud

In parts 1 and 2 of this blog series we spoke about the idea that decentralized organizations, where mobility plays an important role in network security functionality and visibility, should seriously consider implementing NAC solutions delivered from the cloud, as-a-Service. With such a solution, endpoint risk assessment, as well as network visibility and control, can be obtained for all locations, with the flexibility to grow the coverage as the company grows.
With that in mind, today I will explain the five points that we believe are essential in choosing your next network security solution.

When deploying 802.1X NAC as-a-Service, complaints about lengthy deployments, implementation hassles and limited capabilities do not have to be prevalent any longer. In fact, IT security teams can now succeed where others have failed and be the superheroes of network security projects. NAC doesn’t have to be complicated. With NAC as-a-Service, there is no need for physical deployment or network hardware (unless it already exists, such as RADIUS or Active Directory servers), which significantly cuts the costs and deployment-time that were previously associated with the 802.1X authentication protocol.

Additionally, NAC as-a-Service allows for secure and remote access for the geo-distributed workforce, without the need for localized branch appliance deployments. It also enables business continuity, because if appliances go offline at one of the locations, the rest of the locations and endpoints can continue accessing the network without interruptions and regardless of which type of device is being used (corporate, BYOD, IoT, etc.).

As you can see, the NAC as-a-Service cloud delivery model is a different approach altogether for dot1X authentication in the enterprise, as it solves key security issues with the ease, agility and efficiency of a SaaS solution.

Here are the top 5 items you should look for in selecting your next 802.1X NAC solution.

I. SaaS delivery – With the shift to cloud-based solutions in businesses world-wide, many businesses no longer maintain their own data centers and have come to expect and rely on many solutions to be Software as-a-Service orientated. 802.1X NAC solutions provided from the cloud fit the bill and allow for easier and more cost-effective deployments and implementations.
II. Turn-key solutions with pay-as-you-go options – your next network security solution should have a low TCO – Total Cost of Ownership (both in terms of price and man-hours), without forcing you to have so many pieces of equipment, installations and cumbersome access controls. These are the traits of NAC solutions which are not a good fit for decentralized organizations. A simple, pay-as-you-go model will allow you to gradually implement your NAC solution, while maintaining the highest standards for network security. While TCO is a major driver for IT infrastructure management, there is no reason to compromise on a network security project, but rather choose a solution that will provide a full and mature solution from day one.
III. A scalable and adaptive multi-branch solution – with enterprise mobility and multi branch businesses that in some cases span across countries and continents (without always having an IT professional available), your NAC solution should be able to follow your company wherever it goes. Your solution should also be able to adapt to growth in the number of endpoints, locations and ports, no matter where they are and which layer of the network is being utilized (wired, wireless, VPN).
IV. A Holistic approach to cyber security – your 802.1X NAC solution should not be limited just to port security. It is advisable to have a system in place that can provide a full network security vulnerability assessment. Once your solution can provide full visibility of all network access layers as well as all types of devices that are currently connected on the network, your IT managers can maintain tighter controls and set up automated actions.
V. Automated policies and actions – automation is a must-have option, as there are so many challenges to deal with in keeping today’s organizational network secured. Having one simple and consolidated platform that handles all access layers and all potential port security dilemmas, will allow for easier automation, configuration and segmentation (as required) of the endpoints for a connection that is based on group permissions. dot1X port control allows for full end-to-end provisioning, automated deployment, management and troubleshooting tasks.

Taking these top 5 points into consideration before selecting an 802.1X solution will assure that decentralized organizations wind up with an easier deployment process in terms of time and budget, as well as a holistic solution that does not ignore any part of the network.

Portnox CLEAR is the recommended solution for simple 802.1X deployment, without compromising on security across the enterprise. By using RADIUS and repository servers from the cloud, dot1X port control is delivered as-a-Service, and admins can embrace the benefits of dot1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. Within weeks, it is easy to see and control every device connected to the network, and thanks to automated monitoring, risk assessments and automated actions, it isn’t necessary to be glued to the admin console ever again.

To find out how 802.1X authentication delivered from the cloud works, read more in the White Paper, “802.1X Authentication Is Simpler Than You Think”.

The IoT Security Revolution is Upon Us

It is a long-known fact that most IoT manufacturers neglect IoT security while designing their devices and machines. If you are still amongst those who do not hold this viewpoint, please join our webinar showing just how easy it is to brute-force IP security cameras by using hacking methods that are practically as old as those used in the 90’s. I also recommend catching up on the 2015 Jeep hack and the St. Jude Cardiac Devices hacks that started occurring in 2014. These hacks prove that even companies dedicated to life-saving technologies often neglect to produce the necessary security measures to go with them.

While attending BlackHat 2018, I saw a few jaw-dropping demonstrations. One of these demonstrations was on ATM break-ins. Typically, one might expect a machine containing money to have a more robust security system protecting the cash therein; and yet, the machines were broken into. Additionally, I attended demonstrations of hacks into crucial medical devices and medical networks that are instrumental in keeping people alive.

It was astonishing to find out that companies manufacturing medical devices such as implants, insulin therapy devices (radio-based devices) and pacemakers completely ignore current security research. One example of this research is the extraordinary work done by Billy Rios & Jonathan Butts (in their free time, I might add) in which they discovered many IoT vulnerabilities. This research will no doubt make our world a much safer place.

It was no less appalling to discover the deep contrasts existing between cloud security standards and IoT security standards; or rather, the lack thereof. Cloud-based enterprises are applying major security standards such as SOC2 to ensure the security of cloud infrastructure and turning certain working procedures into the standard requirement for all. Simultaneously, when it comes to IoT devices, we are living in the proverbial wild west. There are currently no official industry security standards for IoT. In the healthcare industry, physicians prescribing the use of these devices have no understanding of their lack of security, and I don’t believe that they should be required to have it. However, at this point in time, it is a life-preserving piece of information to know that these devices have feeble security mechanisms in place and are therefore targeted for hacks.

All of this is taking a positive turn, as Ijay Palansky, an attorney, stated in his presentation at BlackHat, with the first IoT-related lawsuit being launched against Jeep, following the vulnerability discovered back in 2015 that had allowed a remote attacker to control the car’s steering and brakes.

The impressive aspect of this lawsuit is that while no car was damaged or controlled by the attackers beyond the proof-of-concept, there is still a legal basis on which to build the case. Even if FCA US LLC (Jeep’s brand owner) were able to successfully defend itself as far as the damage caused, this case will cause tremendous damage to the company in reputation and in dollars lost.

This lawsuit should be viewed as a striking warning sign for companies manufacturing IoT devices while ignoring security vulnerabilities. This practice will no longer go unnoticed. Manufacturers will have to take responsibility for securing these devices or face the consequences. Hopefully, we are at the beginning of a new security revolution for IoT devices, leading eventually to a healthier and device-secured world.

Looking for better IoT visibility and control? Look no further.
Now, there is another way. Portnox CORE offers a solution that allows for simple implementation, without compromising on security across the enterprise, allowing for visibility, control and segmentation options for IoT devices via a simple network access control solution.

Handling Network Security in Today’s Highly Decentralized Organizations – Part 2: Adopting Cloud Solutions

The Business of Risk Assessment

Classical port security is not always understood. Originally it involved the equipment and particularly computers within the physical perimeter. At that point, NAC came into play if someone penetrated the network from a physical port, on-premise. This all changed in the last 15 years, when enterprise mobility and digital transformation took over. These required different levels of authentication to fit the different devices, including managed devices (company owned), unmanaged devices (where Bring Your Own Device – BYOD policies are at play) and IoT devices. The homogenous ways of the old made way for the heterogeneous reality of the new, turning device and port security into the business of risk assessment.

Risk assessment and full network visibility are the virtual doormen at the party who will allow the organization’s invitees to enter. Instead of naïvely allowing anyone to access the network, there should be a continuous and automated system performing risk-profiling and allowing full visibility of everything on the network. Where traditional, on premise NAC is limited to a few actions and parameters that do not reflect the complexities outlined above and in part 1 of this blog, a robust NAC solution should be able to scan all access layers and all endpoints for all users. Once this is achieved, continuous endpoint risk assessment becomes a reality, providing a wider solution that is required for today’s complex networks and decentralized organizations.

802.1X Network Security Projects

In today’s 24/7 hyper news cycle, we are constantly learning of new data breaches, costly malware attacks and the need to have solid network security solutions. 802.1X, the trusted authentication protocol used for Network Access Control (NAC) solutions, was initially considered a success when implemented on wired networks, within the framework of a traditional, on-premise solution. However, later on, as more companies became decentralized and shifted to wireless networks and VPNs, traditional on-premise 802.1X solutions no longer fit the bill.

Unfortunately, many companies were burnt by these on-prem 802.1X NAC projects. True, the protocol itself is extremely trustworthy; however, with most solutions there seems to be a never-ending patching and configuration job going on. That’s assuming they have completed the labor-intensive and expensive deployment that, in many cases, includes moving a lot of equipment around. If this is a decentralized organization, such as a multi-national company with many access points, each location will require a way to protect all endpoints and company assets. In some cases, this could become costly and create a lack of cohesiveness within the organization.

To solve these and many of the challenges discussed in part 1, lighter, adaptable and agile solutions have become necessary in the new reality. Organizations must transition into using easier NAC solutions such as NAC delivered from the cloud and Software-as-a-Service. Among other attributes, a SaaS delivery model will save time and money on deployment, training and implementation, while at the same time providing the agility, visibility and accuracy needed to handle today’s complex and multi component networks. Next-gen solutions offered as-a-Service are able to cope fully with today’s decentralized organizations and the on-prem 802.1X solutions can no longer suffice. Thankfully, there is such a solution. While it provides robust coverage, it is easy to implement in a few simple steps, the first of which is an easy software download.

NAC Solutions Delivered as-a-Service from the Cloud

Using a next-gen 802.1X cloud solution will allow organizations of any size and with any number of geo-locations to gain full visibility of all endpoints on the network, regardless of what the access layer is or which type of device is being used (company issued, BYOD, IoT, etc.). 802.1X is one of the most secure ways to authenticate devices connecting to the network because it is based on set protocols and a verified standard. While other authentication methods may simplify the implementation and management, as of now there are very few solutions that can match the security and strength of 802.1X authentication on all VPNs, wired and wireless networks.

For those concerned with the notion of having security provided from the cloud, it should be noted that according to Gartner’s research, “by 2023, 80% of enterprises will adopt two or more cloud-based security services”. As more companies become decentralized, we believe that more of them will adopt security services delivered from the cloud.

***Tune in next week for part 3: The 5 “must-haves” in your 802.1X NAC solution. ***

Looking for an easier NAC project?
Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.

Handling Network Security in Today’s Highly Decentralized Organizations – Part 1: The Challenges

The Perimeter is Dead

We know that our businesses are becoming more digital and connected every minute, of every hour, of every day. This is a global trend and the foundation for increased delivery speeds, efficiency and productivity in all organizations. Organizations these days are no longer limited to their physical office premises as they once were. In many cases, team members are allowed the flexibility of working remotely, telecommuting and working in different branches across different countries, sometimes working in shared co-work offices with other remote employees and business owners. That said, IT Security Officers have their work cut out for them, whether they are handling a large multi-national organization or a small-to-medium business. We all know and feel the incredible threats looming on our networks and the constant care that must be taken to assure the security and integrity of our organization’s assets, whether they are physical or intellectual. In this first post of a series of three, we’ll review a few challenges with network security and then consider some solutions in parts 2 and 3 of this blog.

We Adore Our Mobility

There is a lot of satisfaction that comes with the increased productivity, flexibility and mobility offered by digital transformation. Is there anyone out there who would like to trade their smartphone back to a flip phone? Their laptop for a desktop? The answer is clear: obviously – no. We all adore our mobility and digital advancements. So much so, that IDC predicts that within the next two years there will be close to 200 billion Internet connected devices.

If you are reading this article, there is an excellent chance that you use 5-6 connected devices, including your smartphone, a wearable of some sort, a laptop or two and a tablet or two. Perhaps you have a few IP cameras monitoring your home and office while you are away. And that’s just you. Now think of all the people bringing their own devices to the enterprise these days.

Next, let’s think of the IoT (Internet of Things) devices that are increasing their presence everywhere. According to IDC, there will be 80 billion connected IoT devices by 2025, heightening a security concern stemming from the fact that IoT devices are almost invisible on many enterprise networks. Additionally, employees are accessing any kind of application under the sun (or fluorescent light), on their own devices and via the Internet on their company-managed computer. These applications and websites are used for both personal and work-related purposes, placing the organizations’ assets at risk.

Network Complexity

In today’s decentralized enterprises there are multiple access layers at play, including the use of wired, wireless and VPN connections. This is one of the core security issues with complex networks in decentralized organizations with locations in different states and countries. Multinational organizations suffer from increased risk due to their IT security loopholes and the abundance of access ports and end-users. It is no wonder then that many IT departments have settled for half-promises of asset security and network controls. They must work within the constant cyber threats that seem to be spreading faster and everywhere these days. Unfortunately, one of these half-promises leads to uncompleted NAC implementations (Network Access Control) and to lengthy and unsuccessful projects.

Security Vendor Fragmentation

Vendor fragmentation is an incredible headache that must be handled. It seems like there is a solution for every inch on the network, as long as you are willing to work with five different vendors.  Implementation is labor intensive and expensive. Moreover, IT leadership struggles when selecting vendor software because the solutions are diverse with no single vendor able to meet all requirements and use cases, especially with decentralized organizations.

Safely On-boarding All Devices

On-boarding devices onto the network in a distributed organization is not hassle-free, often slowing productivity down. Additionally, compliance must be enforced across the organizational network, no matter which location around the world or which device is being used. At the same time, if one of your team members lost their computer, there should be a clear path to prevent that device from on-boarding the network.

Cybersecurity Posture

Many CIOs and CISOs have the constant burden of dealing with and maintaining the organization’s cybersecurity posture while potentially being targeted for cyber-attacks. With cyber-attacks being on the rise and in the news every week, it is no longer a question of if, but rather a question of when one’s organization will be under attack. And so the question arises – are we as prepared as we could and should be?

The network complexities outlined here may be preventing many from establishing optimal solutions and procedures for their organization, especially those that allow full visibility and risk management, not even imagining how serious the threats are till it is too late. Is it really going to take a complete data breach before we do anything about it? Can’t we just learn from other organizations’ mistakes and misfortunes? (Note the 2017 WannaCry attacks for example). Still, once IT departments have been burnt by unsuccessful NAC projects, they might be slow and cautious before initiating the implementation of a new and ideally – better – technology.

Looking for an easier NAC project?

Now, there is another way. Portnox CLEAR offers a solution that allows for simple deployment, without compromising on security across the enterprise.

Organizational Security Starts with the Network

Ransomware and malware, malicious cyber threats that demand ransom payments from the organization being attacked to retrieve stolen and encrypted data, have become the most prevalent cybersecurity threats. In the last few years, such attacks have increased in frequency and severity, and typically the large-scale cyber-attacks reach the headlines as seen in the 2017 WannaCry and NotPetya attacks that affected close to 300,000 computers globally.

Faced with the increasing threat of ransomware attacks, many organizations are now actively engaging in updating their cybersecurity defenses and authentication procedures to avoid the attention of cyber offenders. This can be a difficult process because many companies lack visibility of their network in terms of which points of connection are vulnerable to threats – such as Internet of Things (IoT) and personal devices (Bring Your Own Device, BYOD). Therefore, Portnox recommends implementing a layered ransomware defense, response and remediation plan on the enterprise network. This plan would integrate full visibility of the network with all connected and managed/unmanaged endpoints (including IoT and BYOD); control over access to files, resources and data; and remote remediation capabilities. Furthermore, the plan should include the possibility of quarantining or blocking infected devices to control lateral attacks.

Ideally, an effective plan for defeating cyber extortion would include defense tools, such as anti-virus and anti-ransomware software that provide behavior-based detection, prevent access to files and file modifications, recover files, and vaccinate against the ransomware strain. All of these together create a comprehensive ransomware response and remediation solution. Portnox’s solution addresses all phases of the ransomware kill chain – reconnaissance, exploitation and remediation, and together with its technology partners and integrations, offers a holistic ransomware solution. Notwithstanding the ability to mine data from other sources, Portnox’s solution is known for its seamless deployment, even across the most complex networks and security architectures.

Phase 1 – Reconnaissance:
During this phase, the attacker collects information on the target through research of publicly available information or social engineering. At this phase Portnox’s solutions provide a real-time picture of all network elements, so that organizations can understand the level of risk and identify vulnerabilities early-on. Endpoints that are deemed to have a high risk value (fail to uphold the network security policies, are missing the latest antivirus and OS patches, or have certain technical specifications that have been deemed vulnerable), will be blocked from accessing the network or quarantined until security updates are made. Additionally, Portnox offers the ability to see into the weakest areas of the corporate network, i.e. Internet of Things (IoT) devices. CISOs, network administrators and IT teams can discover where IoT devices are located on the organizational network and detain them in a separate VLAN network with limited access.

Phase 2 – Delivery & Exploitation:
At this point hackers use the information attained in reconnaissance to carry out attacks on vulnerable endpoints, users and different areas of the network. Portnox software receives information from third-party security vendors to actively identify anomalies. There is full communication between Portnox and these vendors, so that their assessments are seamlessly integrated. The system can carry out on-going sandboxing of endpoints according to defined characteristics (including for IoT devices), and it can filter endpoints according to patch, anti-virus, operating system and active applications as well as quarantining them if one or more of these aspects has been deemed vulnerable. Portnox shares information when an endpoint’s posture assessment changes, helping network administrators identify attempts at social engineering in the early stages of a breach. The admin can then bring that device into compliance with security policies, or quarantine it until remedial security measures are taken.

Phase 3 – Command & Control Actions and Extraction:
At times, despite having all the right solutions in place, ransomware still gets through. Once this phase is reached, the ransomware is installed and the hacker can take full control of the organization’s system and do with it as he or she pleases. The hacker could freeze the organization’s data and demand ransom to give the access back (“Cryptolocker attacks”) as in some of the major ransomware attacks in the last few years. A new era of “CryptoWorms” is expected to surface as malware writers become more sophisticated, and now, more than ever, is the time to have the right technologies in place to defend the organization’s assets, accessibility and private customer data.

Remediation:
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of the attack; it will allow business continuity. Portnox uses the following:
• Automated Patch Updates Across the Network – Enforces necessary patch, anti-virus, operating system and application updates across managed and unmanaged endpoints, located both on and off premise.
• Immediate Incident Response – Contains ransomware events by remotely disconnecting endpoints from the network (no manual touch required). The program drills down to the level of specification: device type, operating system, anti-virus software version, switch location, and more. Finally, it performs automated actions on every device, in all locations, instantly.
• Armed Incident Response Teams – Portnox arms IT professionals and network admins with the ability to remotely take actions on employees’ devices. In addition, with Portnox’s solution, IT professionals can create an effective incident response plan for any device based on network specifications.

In conclusion, ransomware and malware are considered to be the top cyber-security threats of our time. Therefore, it is imperative to significantly increase organizational security so as to be prepared, with the right response and remediation software, for such frequent and wide-reaching attacks. Portnox offers network access control solutions that allow organizations to maintain the upper hand in network security, allowing business continuity, securing company assets and avoiding prohibitive financial losses.

Using Blockchain to Solve IoT Security – PART #2

By | IoT | No Comments

In his recent thought-provoking lecture at InfoSec Europe 2018 and in his recent article, Ofer Amitai explained that in the future blockchain technology could play a significant role in achieving increased security for IoT (Internet of Things) devices and machines due to its decentralized ledger and peer to peer communications that suit IoT machines communicating amongst themselves without human intervention. He outlined a few futuristic scenarios which he believes will become a part of our normal life routine within 5-10 years, and stressed that it will be crucial to have outstanding and solid trust protocols in place so that this future can operate seamlessly and securely. The recent lecture and article have brought up a few questions that were posed to Mr. Amitai, and in part 1 of our conversation Ofer discussed the benefits of the centralized ledger for IoT device security and privacy, as well as other forms of machine to machine communications that will be at play in the near future.

Q: Some peer to peer communications is already happening today, correct?

Amitai: “The best example at the present is Space X landings that are happening via communications between machines – the rocket returning to earth communicates directly with the raft it needs to land on, whether at sea or on land, and it happens without human intervention.
Peer to peer communications is available also within the field of consumer services. For example, I can request Alexa to play a song on Spotify. If I tell Alexa to call my phone there are two electronic components communicating.

The more we fill our spaces with physical IoT devices and machines we will see more peer to peer communications. Still, at the end of the day it is always a person who consumes a service of some sort. IoT and all of these things are designed to serve a human requirement, even if in a remote or roundabout way.”

Q: When speaking about eliminating the ‘men in the middle’, there arises a concern that along with AI these technologies could, at some point in the future, supersede humans making the decisions as far as policy making. Most people would prefer that humans be setting policy. How can we make sure that AI/IoT remain technologies in our service and not the other way around?

Amitai: “That issue is more prevalent with AI, but IoT decision-making would have moral issues as with AIs. There is a philosophical and moral dilemma there related to decision making. For example: if there is an autonomous car that is about to be in an accident, and the computer sees someone is crossing the street but that around the corner, if it avoids one person it would hit the other – the machine needs to calculate what to do, who should it hit?
With autonomous IoT we could have moral dilemmas such as who makes these decisions? Whose life is worth more? Will they calculate age?

The challenge exists also with issues that are not life and death. An autonomous car could decide to fill up on its electricity charge before picking me up from work for example, calculating that it is more important so that I don’t have to wait in the car while it is happening, but then picking me up later from work.

The potential future complaint with IoT might be that machines could eliminate jobs that are currently filled by people. So if I have a chlorine meter in municipal pools in the city, then it could eliminate a job that in the past was filled by a person who went from pool to pool and measured acidity levels.
I believe that the issue in general will be the anticipated reduction in the number of available jobs, the question is – can we create new jobs in their place? Or perhaps humanity’s future is to enjoy all the good and have machines do the work.”

Q: You speak of having a “trust score” that would allow IoT devices and machines to assert if they should allow transactions. Who would be the people or organizations to create this trust score? Would it operate on a country-wide scale? On a global scale? What currency should be used?

Amitai: “Generally speaking, I believe that cryptocurrencies and normal credit cards could be used – each country will have its own cryptocurrency – like a crypto-dollar, a digital dollar, and the future will go to cryptographic coins – country currency will allow countries to continue regulating what goes on in their country, allowing everybody to do transactions without ‘men in the middle’. That is the greatness of the blockchain and the advantage of cryptocurrencies in general, the country would still control and regulate for governance purposes.
We can imagine many government applications with blockchain technology but I believe that most of the applications for government will be half-centralized – as there will still be central governance; for example a ledger for land – when people agree that the data should be kept on a decentralized ledger – someone needs to manage the protocols and write the program – just as Bitcoin manages its protocols and writing the programs – these parts I believe will remain centralized- the government will be responsible for writing the program, and setting the rules of the game; and the good part here is that I do not require a government office to handle the back and forth transactions and communications, as with credit cards, approvals, bank personal identification numbers, authorization points, etc.”

Q: Will there be any connection between what you do at Portnox and Blockchain-of-things technology in the future?

Amitai: “Probably not. Our interest is at the level of thought-leadership and we do actually provide network security for IoT devices. While Portnox does have solutions for monitoring and managing network security for IoT devices, I doubt that we will be researching blockchain solutions at the moment.

At the end of the day, as IoT devices and machines become more integrated in our day-to-day lives and are incorporated in our working environments, there is an increasing risk that individuals and organizations would try to take over those devices and machines and we need to be prepared. There is a fear there that could potentially hold back technological advancements, and that’s not the answer either. Solutions must be found to work through the challenges. That’s what we do. There are always solutions. For example, some people are concerned about being seen involuntarily through their webcam in their laptop, so there is a small plastic cover for that, it looks like a little window. Soon, this window will be a built-in component in laptops as part of their manufacturing process. This is a real concern that consumers have, and there will be creative solutions that will be embedded into all technologies.”

Using Blockchain to Solve IoT Security – PART #1

By | Cloud Security, IoT | No Comments

In his recent thought-provoking lecture at InfoSec Europe 2018 and in his recent article, Ofer Amitai, CEO and co-founder of Portnox Security, explained that in the future blockchain technology could play a significant role in achieving increased security for IoT (Internet of Things) devices and machines due to its decentralized ledger and peer to peer communications that suit IoT machines communicating amongst themselves without human intervention. He outlined a few futuristic scenarios which he believes will become a part of our normal life routine within 5-10 years, and stressed that it will be crucial to have outstanding and solid trust protocols in place so that this future can operate seamlessly and securely. The recent lecture and article have brought up a few questions that have been posed to Mr. Amitai, and in his answers he continues to outline notions regarding our global technological future.

Q: Regarding blockchain tech being “tamper-evident” – If the goal is to use an IoT device to start a DDoS attack, criminal theft, etc., couldn’t the cyber offenders still get away with what they wanted to do?

Amitai: “I believe hackers could check which devices do not have the latest software and security updates, according to the ledger and those potentially might be a target via the identity of the device. In a situation where an IoT machine has verification of the latest update, then it is less likely to be hacked.

The blockchain will create a new data base of IoT devices: it doesn’t mean that you can locate the device, but just by looking at the ledger you can map the devices that are not updated, and hackers could potentially use that for their advantage, knowing which machines don’t have the latest security patches, updates, etc. Then again, if the IoT security programmers are using that ledger to create a trust score, then it wouldn’t help hackers because those devices would have a low trust score and ideally, they wouldn’t be able to transact with most other machines. There would be a race here between the IoT devices to become updated, and cyber offenders wishing to hack and get into the devices.

The Identity on the ledger should uniquely identify the machine, but still keep it safe and anonymous on the ledger – so you wouldn’t know how to communicate with that device just by looking at the blockchain, or be able to pin point it physically, so they have some level of anonymity. You won’t be able to use it like Shodan to hack IoT devices and machines.”

Q: In your lecture at InfoSec Europe you mentioned that within 5-10 years IoT connected devices and machines will be performing transactions on our behalf. Where else do you see this happening? In which industries? Where in the world?

Amitai: “I believe we will see it in the area of virtual assistants, so you’ll have a lot of machine to man transactions, and also machine to machine, such as ‘please book a hotel for me online’; ‘get me a taxi please’, and the taxi is an autonomous car, and so the virtual assistant communicating with the autonomous taxi would be machine to machine communications; tourism and booking trips; transportation; hospitality. Did you see the new Google virtual assistant launch? Well in the future the conversations will be between machines.

IoT household machines for example – the fridge in your home orders items from the grocery store that will deliver everything, without humans being involved. And it will be interesting to see logistically how those deliveries take place, what types of physical infrastructure will have to be in place for that to happen.

Predictive maintenance is where a machine will order components like a battery that will arrive there, in order for the machine to fix itself! In other words, machines will notice when their battery isn’t going to recharge anymore and take actions to order a new one. So machines will be able to fix themselves.

Pizza delivery – if I have a lot of connective points with IoT cars and smart city traffic lights I know how fast the pizza will arrive – the more data points I have, the more I can predict how fast the deliveries will reach any point in the city.

It is interesting to see what happens with big shipping like ZIM containers in the future. Companies are already working on autonomous ships. Typically, you have a whole crew of people manning supply ships. It’s a big operation and those ships and crews are in danger of being kidnapped… then ransom is demanded, and if ships are working autonomously, then sure, people could still try to steal them or goods from them, but then you don’t have to worry about human lives, you can hookup security cameras all over the ships, and if someone comes to steal anything you could deploy law enforcement but at least human beings wouldn’t be in harm’s way. So potentially this type of piracy would disappear from the world.

Think about parking lots. In the future, your car could drop you off at work, and then go find a parking space on its own. If the car has a good trust score it will be granted access without an issue. Then it could come back to pick you up at the end of your work day.

In the end we want to have automation of processes and have less interaction as humans with machines, especially in supply chain and manufacturing, where there are areas of friction with humans. The less people are involved – the smoother it will be.”

We will continue our exciting conversation with Ofer Amitai in part 2, in which Ofer will discuss examples of machine to machine communications that are already in use today; policy setting and the need to be prepared for the new security risks of tomorrow.

Why is It So Easy to Hack an IP Security Camera and Any IoT Device?

By | IoT | One Comment

A home or office that has connected IoT (Internet of Things) devices or machines is actually full of possible weak spots for hackers, and, ironic as it may be, security cameras are often at the top of that list. It is up to us, the end-users, to reduce the threat. While cameras are storing security video to prevent crime or corporate espionage, hackers are quietly able to brute-force their way into many devices and turn them into an army of attack soldiers, as was the case in the October 2016 massive Dyn Cyberattacks that affected large chunks of the United States and Europe.

Security cameras are connected to the Internet so as to allow users remote access, along with anyone else they need to let in. This feature lets users check in on security cameras when no one is at home or at the business, and allows manufacturers to update device software without having to make house calls. The convenience and brilliant simplicity notwithstanding, this very feature that is the essence of all IoT devices is actually a cyber-bug. IoT devices are easy to connect to remotely by just about anyone, and unfortunately, not just by the people one would wish to share access with.

Yes, it really is that easy.

All Internet connected devices have IP addresses and therefore can easily be found on search engines such as Google and Shodan (a searchable registry of IP addresses with information about connected devices). Hackers can find thousands of hackable devices such as cameras just by entering a few search terms, and armed with this information they move to the actual breaking in.

Additionally, IoT devices typically come with default passwords, and many users, even after the 2016 Dyn Cyberattacks, stay with the default settings and do not bother to set a unique username and password. Hackers can find lists of vulnerable devices and try out default passwords. If those have never been changed – they are in. Even if the passwords have been changed, hackers can use SSH and telnet services that unfortunately allow hackers to force their way into devices, since changing a device’s web app password typically does not guarantee that the password coded into the device has been updated.

According to Flashpoint (a cybersecurity company), in the 2016 Dyn attacks, hackers inserted Mirai, malware that allowed the use of at least 100,000 IoT devices as soldiers in a botnet (zombie army), including printers, IP cameras, residential gateways and baby monitors. This botnet was used to send thousands of junk requests to Dyn, a company that manages web traffic for many prominent websites such as Twitter, Amazon, Netflix, and Reddit, which were knocked offline by the attack. Dyn couldn’t separate the legitimate requests from the junk, and consequently internet users in the US were cut off from these websites, which is the definition of a DDoS attack (Distributed Denial of Service). This example, though extreme, shows the potential vulnerabilities that unknown and unmanaged IoT devices can introduce to a network.

Securing IoT devices in two steps:

Step 1: Visibility

With the number of IoT devices entering the enterprise network, it is challenging to keep track of them. Without network visibility, it is impossible to see, manage, control and secure the network, and the risk for breaches increases. Clearly the first step in securing IoT devices is making sure that they are seen and acknowledged as existing on the network. IoT devices in the enterprise could include time-attendance clocks, smart TVs, temperature gauges, coffee makers and the above mentioned IP cameras. To minimize the risks, once identified on the network, there should be a centralized control mechanism that would enforce updates of the latest patches in security software.

Step 2: Network Segmentation

Once an organization has established complete visibility and centralized management across the network, it is crucial to segment all valuable enterprise data and establish controls to protect the expanding IoT surface. IoT devices should be on a separate network segment from the organization’s mission critical systems or data, including segmentation from devices such as laptops, PCs, tablets and smartphones containing enterprise data. Segmenting into secured network zones should be automated and then firewalls must be deployed between these segments to prevent IoT devices from reaching enterprise assets. With intelligent and automated segmentation, the enterprise increases ROI from its existing detection technology, making it more accurate and effective. Thus, even if IoT devices are breached, it shouldn’t expose enterprise assets along with them.
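
The two steps above can be checked mechanically. The following Python audit is an added example, not Portnox code: it maps a constructed device inventory onto planned segments, then evaluates an ordered firewall rule list to see whether the IoT zone can still reach protected zones. The subnets, zone names, device names and first-match rule semantics are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment plan (assumption): one zone per subnet.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "datacenter": ipaddress.ip_network("10.1.0.0/24"),
}
# Device classes the article lists as enterprise IoT.
IOT_TYPES = {"ip_camera", "smart_tv", "time_clock", "temperature_gauge", "coffee_maker"}
PROTECTED_ZONES = {"corporate", "datacenter"}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    dev_type: str


@dataclass(frozen=True)
class Rule:
    src_zone: str  # zone name or "any"
    dst_zone: str  # zone name or "any"
    action: str    # "allow" or "deny"


def zone_of(ip):
    """Step 1 (visibility): map an address to its planned segment, or None."""
    addr = ipaddress.ip_address(ip)
    for zone, net in SEGMENTS.items():
        if addr in net:
            return zone
    return None


def verdict(rules, src, dst, default_action="deny"):
    """First-match evaluation of an ordered rule list (assumed semantics)."""
    for rule in rules:
        if rule.src_zone in (src, "any") and rule.dst_zone in (dst, "any"):
            return rule.action
    return default_action


def audit(devices, rules):
    """Step 2 (segmentation): return (subject, finding) pairs that need attention."""
    findings = []
    for dev in devices:
        zone = zone_of(dev.ip)
        if zone is None:
            findings.append((dev.name, "unknown-segment"))
        elif dev.dev_type in IOT_TYPES and zone != "iot":
            findings.append((dev.name, f"iot-device-in-{zone}"))
    for dst in sorted(PROTECTED_ZONES):
        if verdict(rules, "iot", dst) == "allow":
            findings.append((f"iot->{dst}", "firewall-allows"))
    return findings


# Constructed inventory and rule list for illustration.
DEVICES = [
    Device("lobby-cam-01", "10.20.0.11", "ip_camera"),
    Device("hr-smart-tv", "10.10.0.57", "smart_tv"),
    Device("finance-laptop-07", "10.10.0.23", "laptop"),
    Device("badge-clock-02", "192.168.1.40", "time_clock"),
]
RULES = [
    Rule("iot", "datacenter", "deny"),
    Rule("any", "corporate", "allow"),  # broad allow placed too early
    Rule("iot", "corporate", "deny"),   # shadowed: never reached
]

if __name__ == "__main__":
    for subject, finding in audit(DEVICES, RULES):
        print(f"{subject}: {finding}")
```

Moving the specific deny above the broad allow clears the firewall finding; the smart TV on the corporate subnet and the time clock outside the plan still have to be relocated.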

Conclusion – Using Intelligent Network Access Controls (NAC)

For the foreseeable future, it appears that cyber offenders will continue to take advantage of IoT vulnerabilities, but there is no reason for today’s enterprise to sit back and do nothing. All of the steps mentioned above and more can be achieved by using Portnox NAC solutions. Having full network visibility to identify devices on the network, followed by a layered and automated approach will allow the enterprise to secure these devices and respond to any potential breach, keeping important assets protected.

Want to see just how easy it is to hack an IP camera?
There are just a few steps required to perform a live hack of an IoT device, and without proper network segmentation, the consequences could be disastrous.
Once you have seen just how easy it is, check out more information on integrating connected devices into your network in the optimal way for security as well as ease of use purposes.

Stop Tossing Money Out of the Window and Start Investing in NAC as-a-Service from the Cloud

By | Our Technology | No Comments

Tired of bleeding waterfalls of money with your old on-premises NAC solution (Network Access Control)? At the end of the quarter, it is hard to ignore that the indirect and hidden fees that some companies charge make up a big chunk of change in the expenditure associated with old legacy solutions.

When was the last time you bought an on-prem (on-premises) application for your organization? Most CIOs and CISOs have seen their share of large-scale on-prem technology implementations, maintenance and software upgrades with (typically) a high overhead for the enterprise. Most will testify that the strategy of using technologies delivered from the Cloud has had significant cost-savings and operational efficiencies. So now that you have decided that your company should apply a NAC solution ASAP (always a responsible idea), you should consider the cost savings with NAC delivered from the Cloud and as-a-Service Vs. the higher expenses with most older on-prem NACs.

When reviewing the total cost of ownership required for on-prem NAC technologies (based on published methods of calculating them), one finds that with on-prem NAC there are typically large capital outlays to:

  • Purchase servers
  • Data-centers
  • Hardware
  • Software
  • Appliances
  • Implementation fees
  • Training fees
  • Labor (you need an IT staff to be able to manage an on-prem solution)
  • Customer support
  • Software updates and upgrades

This unfortunately places a strain on company finances and cash-flow, as well as taking away from other more mission critical initiatives. In a Cloud environment the cost is typically an OPEX (Operating Expense) amount paid and expensed monthly. This category of business expense is easier on the company’s pocket book and allows cash reserves to be used for more critical business initiatives and investments, while at the same time there is not a long term commitment required to get started.

Using a NAC as-a-Service Cloud solution eliminates many CAPEX costs (Capital Expenditures) as well as substantially reducing the monthly operational costs. The NAC as-a-Service option will also shorten the lead-time required to roll out the technology, providing yet another avenue of cost savings as your time and your team’s time is worth money. Additionally, your team members will be focused on more value-added projects thus increasing the company’s efficiency and bottom line profits. Altogether avoidance of the costs attributed to the hardware, the floor space, heating and cooling, the equipment and the staff required to support and maintain on-prem NAC could be enough right there to decide to use NAC as-a-Service from the Cloud.

And the best part? Your CIO and/or CISO does not have to spend a lot of time and effort on due diligence or planning a strategy. He/she can pick a small pilot and go. There is nothing to lose and everything to gain. Did we mention that the company can cancel and walk away at any time?

Don’t take anybody’s word for it – check the cost-savings out for yourself via this easy to use cost-savings calculator. The benefits are tremendous, and in the end, your easy step forward into NAC as-a-Service from the Cloud will be well worth it.