Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.
In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – a year that included the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we already know that the financial sector has experienced a number of significant attacks this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.
Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend against, prepare for and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, and few apply the top recommended CIS controls or prepare employees to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.
Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.
CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.
From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.
Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.
When examining WiFi security, the first layer of defense is the method being used to authenticate to the network. The most widely used methods of authentication are Open authentication, WPA2-PSK (Pre-Shared Key) and WPA2-Enterprise (read more about WPA protocols below).
As the name implies, an open authentication network allows access to all, and users are not required to authenticate at the association level. It is important to know that open networks are not encrypted, so everything transmitted can be seen by anyone within radio range.
The best security practice is to avoid connecting to open networks altogether. If there is an immediate need to connect, it is best not to allow devices to connect automatically but rather to select the network manually in the device settings. Open networks are easily forged, and hacking tools such as the WiFi Pineapple exploit the fact that mobile devices are constantly searching for, and automatically connecting to, open networks they have seen before. These tools perform man-in-the-middle attacks to steal data such as passwords, credit card numbers, etc.
WPA / WPA2 / WPA3
WPA stands for WiFi Protected Access. This authentication method uses encryption algorithms to protect traffic over the air. Therefore, this type of network cannot be forged as easily as an open network, and users get privacy. Today, WPA2 is probably the most commonly used method to secure WiFi networks.
Sadly, the WPA and WPA2 protocols have been hacked and are considered to be less secure. Performing a WPA2 hack requires a lot of time and is somewhat theoretical. Slowly, we are noticing a move to the WPA3 method, but for that to happen, different infrastructure is needed to support the protocol.
WPA2-PSK (and WPA3-PSK) is WiFi Protected Access (WPA) with a Pre-Shared Key. In simple terms, it is a shared password to access the WiFi network. This method is commonly used for home and small office WiFi networks. Even in a small office setting, using this method is problematic, because each time an employee leaves the company, the password must be replaced; otherwise, the former employee could still connect to the company WiFi.
Furthermore, employees tend to share the password with guests, visitors and contractors in the building, and you shouldn’t have the whole building connecting to the internet at your expense, risking the security of your data and assets in the process.
WPA2-Enterprise, also referred to as WPA-802.1X mode, authenticates to WiFi using individual identities instead of a single shared password. An identity can be a set of credentials (user + password) or a digital certificate.
This authentication method is better suited for enterprise networks and provides much better security for wireless networks. It typically requires a RADIUS authentication server, as well as configuration against the organization’s identity repositories (directories), enabling the organization to authenticate different types of endpoints.
The underlying protocols that secure the authentication vary between Extensible Authentication Protocol (EAP) methods such as EAP-TLS, EAP-TTLS and PEAP, each representing a different type of authentication method and level of security.
With WPA2-Enterprise one can use advanced features such as assigning each endpoint, after authentication, to a specific VLAN or applying ACLs (Access Control Lists) to specific network segments. Additionally, enterprises can audit each connection with additional details, since every session is tied to an identity. These features are important as they allow enterprises to properly secure their wireless networks and to make sure that they are compliant with security best practices.
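As an added illustration, not part of the original post and not Portnox’s own configuration, here is a hostapd access-point configuration in its weak pre-shared-key form beside the WPA2-Enterprise (802.1X + RADIUS) form described above, together with the VLAN map and FreeRADIUS users-file entries that place an authenticated identity on its own VLAN. The SSID, the 192.0.2.10 RADIUS address, the VLAN numbers, the user names and the shared secrets are placeholders.

```ini
# ---- hostapd.conf, WEAK form: WPA2-PSK (one shared password for everyone) ----
interface=wlan0
driver=nl80211
# placeholder SSID
ssid=CorpWiFi
hw_mode=g
channel=6
# wpa=2 selects WPA2 (RSN) only; WPA-PSK means a single shared secret
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ChangeMeOfficeWiFi
rsn_pairwise=CCMP
# Consequences: no per-user identity, revoking one person means rotating the
# secret for everybody, and every client lands on the same network segment.

# ---- hostapd.conf, CORRECTED form: WPA2-Enterprise (802.1X + RADIUS) ----
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
# WPA-EAP: each client authenticates with its own credentials or certificate
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server that validates the EAP exchange (address and secret are placeholders)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
# RADIUS accounting makes every session attributable to an identity (audit trail)
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
# Honour the Tunnel-Private-Group-Id attribute from the RADIUS Access-Accept
# and move the client onto that VLAN
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan

# ---- /etc/hostapd/hostapd.vlan: VLAN id -> virtual interface (placeholder) ----
# In the wildcard entry, "#" is replaced by the VLAN id from the RADIUS reply
* wlan0.#

# ---- FreeRADIUS "users" file: identity -> VLAN reply attributes ----
# Staff identity; the password check item is for PEAP/EAP-TTLS illustration only,
# with EAP-TLS the client certificate is the credential and no password is stored
alice   Cleartext-Password := "placeholder-only"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# IoT device identity (e.g. an IP camera) kept on an isolated VLAN
camera-lobby    Cleartext-Password := "placeholder-only"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"
```

Removing one identity on the RADIUS side revokes that person’s or device’s WiFi access without touching anyone else, which the PSK form cannot do.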
CLEAR is a SaaS, cloud-delivered, WiFi access control solution that allows you to secure your WiFi based on WPA2/3-Enterprise, using personal identities or digital certificates. CLEAR supports a wide range of authentication providers, from on-premises AD through cloud providers such as GSuite and Azure AD. CLEAR comes with a cloud RADIUS, so there is no overhead: there is no equipment to install or maintain. It requires no training or skilled personnel to deploy and operate. In less than 10 minutes, large and small companies are deploying CLEAR’s enterprise-grade Wi-Fi security.
Are you using a pre-shared passkey to allow access to the organization’s WiFi?
Securing WiFi access in businesses has been historically weak. Oftentimes, companies protect their Wi-Fi access with a pre-shared password, sometimes posting it on whiteboards within the company or placing it for all to use at the reception desk to enable easy access. This is primarily for modern convenience purposes, as businesses would like to enable productivity and collaboration with contractors and guests, as well as allow for staff mobility within the premises of the enterprise.
What’s the problem? And why should I care?
The problem with this practice is that it is a “home style” level of security that places the company’s data and assets (whether intellectual or physical) at risk of being damaged or stolen. If an outsider successfully connects to the company’s WiFi, they bypass the firewall and all the traditional cyber security mechanisms applied by most companies today. Once inside, they could damage the organization’s reputation by accessing illegal web sites, or access company data, whether it resides on premises or in the cloud. Accessing these items is easy, and there are many automated network tools that enable “non-techies” to do the work. Additionally, this type of hack could easily be achieved via simple social engineering.
Another reason to be worried about the use of passkeys is that WiFi hacks and damage do not require being physically present at the organization. These simple actions could be taken from a nearby public space such as the parking lot and would leave no trace. Trying to track who accessed the enterprise WiFi using a shared password is almost impossible.
Internal players – disgruntled and former employees
One of the scariest scenarios is the hack performed by a disgruntled employee who uses their remaining access to perform nefarious activities, including damaging, sabotaging or stealing company data, resources and assets. Roughly one out of five organizations has experienced a data breach by a former employee. The Gartner analysis of criminal insiders found that 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.
Attacks by disgruntled employees who commit deliberate sabotage or intellectual property theft are considered to be among the costliest risks to an organization. For example, one of our customers, a food manufacturer in the United States, fired an employee. The disgruntled employee decided to get even. Using the organization’s Wi-Fi password, he connected to the network from the parking lot and changed the temperature setting for the refrigerators. The result was the destruction of food inventory to the tune of hundreds of thousands of dollars.
Bottom line? Former employees, even those who left amicably, should no longer have access to any part of the network.
Removing employees’ access to all accounts immediately after leaving the company is the best practice to use; however, typically it is not possible to revoke all access due to shared passwords for certain systems and services. In some cases, these systems do not require a password at all, such as printers and Point of Sale devices. For certain organizations, such as law firms and medical facilities, these represent the crown jewels in terms of company data and therefore should be highly secured.
Do I have important assets on the network that I should be protecting?
With the growing number of Wi-Fi connected IoT devices (IP cameras, printers, etc.) in the enterprise, each network has a lot of devices that could be compromised, thereby causing data leaks, denial of service attacks or severe damage to the organization. Therefore, ensuring that IoT endpoints are segmented into separate sections of the network and cannot be reached by outsiders is crucial.
What is the alternative to PSK?
Using enterprise-grade authentication & access services is a good idea.
The best security practice would be to have digital certificates, but at the very least, it is recommended to establish a personal identity-based authentication solution. It would enforce network access via unique user credentials, thereby dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Traditionally, this was difficult, as setting up such services required high levels of technological knowledge, as well as extensive maintenance and long and complicated deployments.
This is exactly where Portnox CLEAR can help.
CLEAR is a cloud-delivered, WiFi access control solution that, among other benefits, provides a cloud RADIUS, therefore requiring no training or skilled personnel to deploy and operate. There is no overhead, as there is no equipment to install or maintain, and the service is inexpensive and priced on the number of devices in the enterprise. Additionally, there is no need to manage a WiFi password, as authentication is based on user accounts or digital certificates (customer’s choice), and therefore all credentials are unique. In less than 10 minutes, companies are deploying CLEAR’s enterprise-grade Wi-Fi security, providing the highest level of security to any enterprise, large or small.
To help organizations select and implement a set of cyber defense best practices that will protect against today’s most pervasive and dangerous threats, the Center for Internet Security (CIS) devised a list of 20 controls. A principal benefit of the CIS Controls is their ability to prioritize and focus on a smaller number of actions with high pay-off results.
Published in itspmagazine.com
In this new article Ofer Amitai, CEO & co-founder of Portnox, outlines the seven most important capabilities that agencies should focus on when choosing a NAC solution.
After all, we live today in the world of devices. In almost every enterprise, devices outnumber employees. Everything is connected these days — IP phones, the conference room smart TV, the AC systems, the lighting infrastructure and coffee machines. IP addresses rule.
The people in charge of network security must now plan for a new set of threats. For each organization that plan looks a bit different, but it should always surround the “crown jewels” with the appropriate security techniques. For government agencies, these jewels would include personally identifiable information on citizens and employees, national security-related information, financial data and mission-critical systems. IT managers must make sure that IoT, bring-your-own and managed devices are not posing a risk to the agency’s assets.
Published in GCN.com.
“Easy NAC”… Easier said than done?
As you know, the enterprise network no longer sits within the traditional, secured walls of an office. Enterprise intellectual property, databases, workflows and communications have been moving in a perimeter-less environment for a while now, extending to any place where employees and data travel. Mobility, digitization and IoT have changed the way we live and work, resulting in ever-expanding networks and increasing complexity in resource management and disparate security solutions.
The fact that organizations are decentralizing has made it more important than ever to have solid network security and controls for every endpoint, no matter which access layer is used to connect to the network. For this reason, centralized, software-based network access control (NAC) is more important than ever. No matter where your employees are connecting from and through which devices, and no matter which contractors or guests are requesting access, IT security teams can now offer smooth continuity of workflows and productivity while maintaining full visibility and enforcing security controls on any endpoint accessing the enterprise network.
Over here at Portnox, we must take all of the latest changes to the network into consideration as we continue to innovate and craft our solutions. It helps that the main focus point at Portnox has always been to deliver a simple experience to the end-user as well as the IT administrator. Portnox solutions simplify onboarding, operations and maintenance by offering simplified architecture in a centralized, software-based solution for easy deployment and management. Our team does not deal with physical appliances but rather delivers software solutions – whether using the on-prem or cloud options. All solutions function across all access layers, providing 100% coverage and visibility of the network and continuous risk-monitoring.
For these reasons, among the main NAC vendors, Portnox has been named the leader for network access control products in the category of midsize to large organizations with a 22% market share by global research firm Frost & Sullivan. In the new report, analyst Tony Massimini said: “Portnox’s simplified architecture, which supports both 802.1X authentication and SNMP based control, sets it apart from competitors.” A full copy of the report is available here.
The Frost & Sullivan report highlighted several Portnox innovations, including:
- Agentless architecture (but includes optional agent) for specific use cases, including continuous risk monitoring for roaming devices, remote access and cloud access.
- Vendor agnostic design that connects directly to network infrastructure equipment via native protocols
- Support for both 802.1X and non-802.1X devices
- Powerful RESTful API which enables customers to automate threat response workflows
- Unique profiling (fingerprinting) technology
Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
Oftentimes, SMB-to-large organizations turn to Managed Service Providers and Managed Security Service Providers (MSP/MSSPs) to handle their cyber security protective services.
In reviewing the key factors for growth in the NAC market in 2018, the report cited, among other things, the severe shortage of skilled security professionals that challenges all organizations, but the SMB-to-large segments more so than large enterprises. Next-generation NAC provides tools to offload many of these functions and automate workflows, thereby helping these organizations overcome the shortage of skilled IT security professionals. At the same time, NAC brings great relief to the many overworked and busy IT teams that handle network security and administration responsibilities.
This same automation and ease is extended to the management of customers by MSP/MSSPs. Portnox offers convenient and scalable NAC as-a-Service that allows MSP/MSSPs to serve their customers quickly, to keep track of what they are using and to handle growing organizations efficiently.
No matter the circumstances of the organization, Portnox is proud to offer a solution that is flexible and simple enough for anybody:
- On-premises vs. cloud-delivered network security platforms
- 802.1X protocols vs. non-802.1X systems
- Agentless vs. agent-based (depending on use case)
Read all about it in the full report available here
Here’s to a secure, productive and prosperous 2019!
When choosing which specific risk management tools to use, there are a few key factors to address. Portnox’s CEO and Co-Founder, Ofer Amitai, shares a few tips to follow.
“It is extremely difficult to protect against threats that are not recognized by your risk management tools and not assessed as potential threats,” said Amitai. “Once detection is possible, protection is a viable option.”
Published in IT Business Edge.
Read the full article here.
Tired of bleeding waterfalls of money with your old on-premises NAC solution (Network Access Control)? At the end of the quarter, it is hard to ignore that the indirect and hidden fees that some companies charge make up a big chunk of change in the expenditure associated with old legacy solutions.
When was the last time you bought an on-prem (on-premises) application for your organization? Most CIOs and CISOs have seen their share of large-scale on-prem technology implementations, maintenance and software upgrades with (typically) a high overhead for the enterprise. Most will testify that the strategy of using technologies delivered from the Cloud has brought significant cost savings and operational efficiencies. So now that you have decided that your company should apply a NAC solution ASAP (always a responsible idea), you should consider the cost savings of NAC delivered from the Cloud and as-a-Service vs. the higher expenses of most older on-prem NACs.
When reviewing the total cost of ownership required for on-prem NAC technologies (based on published methods of calculating it), one finds that on-prem NAC typically involves large capital outlays for:
- Server purchases
- Implementation fees
- Training fees
- Labor (you need an IT staff to be able to manage an on-prem solution)
- Customer support
- Software updates and upgrades
This unfortunately places a strain on company finances and cash flow, as well as taking away from other, more mission-critical initiatives. In a Cloud environment the cost is typically an OPEX (Operating Expense) amount paid and expensed monthly. This category of business expense is easier on the company’s pocketbook and allows cash reserves to be used for more critical business initiatives and investments, while at the same time no long-term commitment is required to get started.
Using a NAC as-a-Service Cloud solution eliminates many CAPEX costs (Capital Expenditures) as well as substantially reducing the monthly operational costs. The NAC as-a-Service option will also shorten the lead time required to roll out the technology, providing yet another avenue of cost savings, as your time and your team’s time is worth money. Additionally, your team members will be focused on more value-added projects, thus increasing the company’s efficiency and bottom-line profits. Altogether, avoiding the costs attributed to the hardware, the floor space, heating and cooling, the equipment and the staff required to support and maintain on-prem NAC could be reason enough to use NAC as-a-Service from the Cloud.
And the best part? Your CIO and/or CISO does not have to spend a lot of time and effort on due diligence or planning a strategy. He/she can pick a small pilot and go. There is nothing to lose and everything to gain. Did we mention that the company can cancel and walk away at any time?
Don’t take anybody’s word for it – check the cost savings out for yourself via this easy-to-use cost-savings calculator. The benefits are tremendous, and in the end, your easy step forward into NAC as-a-Service from the Cloud will be well worth it.
Every enterprise has a different pain point when it comes to security, whether it employs a large remote workforce or operates at a global scale. According to a survey by Gallup, 37% of U.S. workers have worked from home, up from 9% in 1995. This trend toward an agile employee base allows companies to compete with one another when hiring talent, but it also leaves back doors open and heightens the risks to your network. With the right technology, companies can control access to their networks in any region and from any device.
Here are two use cases where NAC as-a-Service helps organizations control their network security. You can read more in the NAC-as-a-Service eBook.
Enterprises with Remote Workforces
As companies adopt work from home policies, it is raising security concerns for IT departments. Remote workers and co-working spaces aren’t just for startup entrepreneurs anymore. In fact, Fortune 500 companies like GM, GE, IBM and Microsoft all rent office spaces from WeWork. According to Gallup, the average U.S. employee works remotely at least two days a month. 9% of those polled work from a remote location for at least ten days a month, whether that is from their home office or a more public location.
Remote employees often connect to wireless networks that are also being accessed by other individuals whether the employee is at a coffee shop or traveling using their hotel’s guest Wi-Fi. Many companies require remote employees to authenticate their devices via a virtual private network, but enforcing VPN policies can be difficult. Using these connections may leave back doors open for hackers into the enterprise’s network.
With NAC-as-a-Service, IT departments gain visibility into their network endpoints from the cloud, giving network administrators the contextual knowledge to be confident their data and networks are secure. With strong authentication credentials, NAC as-a-Service prevents unauthorized access.
Global Companies Looking to Minimize Risk
With the growth of BYOD, IoT and companies scaling their business globally, the need to control network endpoints and streamline security practices for the network is higher than ever. Managing global networks with multiple regional offices can be daunting. With global corporations like GE, IBM and Microsoft encouraging co-working spaces, more IT departments are sitting down to minimize the potential risks to their network. If a vulnerable device attempts to join the network at a regional office or a shared office space like WeWork, it may put the entire global network at risk. Many traditional NAC solutions are on-premises, and some regional offices may differ in their security policies. Streamlining these policies is crucial, and with a cloud NAC solution there is no requirement for any hardware or complex installation, so policies can be streamlined across a global network from the cloud.
Whether you are managing regional offices or your IT department is authenticating your work-at-home employees, with NAC-as-a-Service small businesses and large enterprises can monitor their risks and secure entire networks with ease. Portnox CLEAR works to put IT departments’ minds at ease with NAC via the cloud, whether your company works at a global scale or retains a large remote workforce.
Interested in reading more about the next generation of NAC? Read our NAC-as-a-Service eBook.