When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.
One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.
Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.
Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?
But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.
Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
The employee – a disgruntled current or former employee
The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
Wired, ethernet switches
One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus do not support certificate-based (or credential-based) authentication, it is easy to set up an isolated segment and significantly lower the risk of attack.
As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.
With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.
Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop him/her from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants.
At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason is that the potential damage done is not necessarily related to the network connection. The first line of defense against disgruntled current or former employees is physical barriers – i.e. locked doors and other physical security.
A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk altogether. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.
This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same goes for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.
For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.
You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by placing potentially risky individuals in a specific “narrow” segment.
The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.
Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.
In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – including the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we know that the financial sector has already experienced a number of significant attacks this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.
Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend, prepare and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, few apply the top recommended CIS controls or prepare employees on how to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.
Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.
CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.
From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.
Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.
Network Access Control (NAC) sits within the larger field of cybersecurity, and more specifically network security. It is a technology that enables organizations to enact their own unique policy for how and when endpoints (desktops, laptops, smartphones, etc.) can connect to their corporate networks. NAC solutions are typically designed to allow IT security teams to gain visibility of each device trying to access their network, and specifically the type of device and access layer being used (i.e. wifi, wired ports, or VPN).
Today, NAC provides a number of powerful features on top of what it was originally designed for nearly 15 years ago. These include security posture assessments for endpoints, which pinpoint any associated endpoint risks, allowing network security administrators to control network access based on their organization’s risk tolerance threshold.
With the rise of cloud computing, remote workforces, bring-your-own-device (BYOD) policies, and the internet of things (IoT), network access control has become a much more critical part of the larger cybersecurity technology stack at most companies. The technology itself has also evolved quite drastically in response to these emerging trends and their impact on networking and ensuring network security.
The use cases for NAC today are constantly expanding. Network security professionals leverage NAC solutions for network visibility, the discovery of endpoints, security profiling, compliance enforcement, remediation…the list goes on. In general, NAC is designed to do two core tasks: 1) authenticate the endpoint trying to connect to the network, and 2) authorize access based on authentication and posture assessment.
Throughout this piece, we will examine how NAC is being used out in the real world, things to consider when defining your NAC policies, the best way to invest in NAC, and more.
Network access control delivers a host of benefits to the organizations that deploy it. Generally speaking, the value unlocked by NAC can be broken into three distinct areas of focus: 1) operational need, 2) security best practices, and 3) regulatory compliance.
One of the most interesting aspects of NAC is the fact that unlike many other areas of network security, it brings more than just the value of security to the table. In particular, NAC delivers three core operational values:
Device Onboarding – Properly connecting and removing new non-managed devices to/from the network.
Guest / Contractor Access – Securely granting limited access for third-parties connecting to the network, either for short or long periods of time.
Asset Profiling – Identifying which devices exist in your organization and where they are connecting from.
Security Best Practice
The importance of network security goes without saying. Network access control, however, checks the boxes for a variety of IT security best practices, including:
WiFi Security – Nearly 20% of SMBs experience a data breach by a former employee who still has WiFi access…make sure you can control all WiFi connections.
Visibility – See all devices on your network – no matter device type, location, or access layer used to connect.
Containment – The ability to quarantine, block, or provide limited (guest) access to endpoints that do not meet your internal risk policies.
Asset Profiling – see above.
Highly regulated industries like banking, financial services, and healthcare require strict compliance policies when it comes to their networks. NAC helps to deliver this and more through:
Posture Assessment – Continually assess the risk posture of connecting devices across the network, no matter location or access layer.
Port / Wired Security – Ensuring no un-trusted device can physically connect to the network via wired ports in the office.
Segmentation – Properly directing employees into their respective departmental VLANs, or pushing visitors to the guest network.
WiFi Security – see above.
Individual Use Cases for Network Access Control
Within each of the three primary areas of value of NAC are a variety of different use cases for NAC. These include…
NAC is frequently used for device onboarding, which is the process of providing new devices with access to the corporate network for the first time. It sounds simple, but it’s anything but. Business units and even departments (think Finance & Accounting, for example) often have their own VLANs since they’re dealing with very sensitive, confidential data.
The task of setting up such VLANs and onboarding new devices is just one of dozens of tasks overseen by frequently overburdened IT teams. So, if not done correctly at first, it can open the door to potential network vulnerabilities, such as a person gaining access to a part of the network he/she should not have the privileges for.
At a small scale, managing access manually is often sufficient. For larger organizations, however, this just isn’t sustainable. As a result, many large organizations that don’t have a secure onboarding process will often compromise on network security hygiene.
At some point in the workday, most companies will have non-employees visiting their offices for meetings and business dealings. These guests are typically on-site for brief periods of time but may need wifi access during the course of their stay.
Typically, each organization defines the level of authentication and monitoring they want for their visitors. Common policies include:
Disclaimer Only – Notifying guests of the rules they must abide by while using the company network.
Pre-Generated Username & Password – Simple authentication for better control over who is connecting to the network.
Sponsorship – Authentication based on an individual working for the organization. Usually, the sponsor will receive an email to approve the connected guest.
Many organizations offer a guest network, where day-to-day visitors are directed. This approach effectively eliminates the most common threat – someone that is just looking to be connected to the internet. The most common way to implement network access for guests is through the use of a captive portal.
Additionally, many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. NAC is used to dictate and enforce the level of access these types of individuals receive based on internal policies.
In recent years, remote work has soared due to a greater demand for mobility and flexibility. This has given rise to the adoption of bring your own device (BYOD) policies within many organizations. Now, while this approach makes operational (and even financial) sense, it does come with a caveat. By allowing employees, contractors, and guests alike to use their own devices to connect to the network, you’re immediately faced with issues like data leakage, malware infections, the mixing of corporate and personal data, and more.
With BYOD, a network access control solution can effectively secure such a fragmented network through multiple methods of authentication, and by making sure device risk posture is valid and continuously remediating any security issues in real-time. First, network security administrators can use a dedicated SSID for employee device authentication – no matter if it’s managed or personal. They can then create a separate SSID for guests and contractors to authenticate those individuals to the guest wifi.
The other option available for authentication is through the use of directory credentials. Integrating tools like Okta or Active Directory with your NAC can allow you to authenticate managed corporate devices through certificates, and personal devices (BYOD) through user credentials.
Captive portal is a web page for authenticating users and verifying their device type and posture state. While this method is sufficient for visitors, it is an insufficient solution for employees or permanent visitors on your network. The most common use cases for captive portal are:
Self-service portal for BYOD / IoT on-boarding
It’s important to note that this is an interactive method to access the network, so when non-interactive devices, such as IoT, are “pushed” to a captive portal, they cannot react and thus cannot gain access to the network. In order to use IoT onboarding with a captive portal, the end-user should either register the IoT device in the self-service portal or download some form of credentials to be inserted into the IoT device (such as a digital certificate).
For fully remote employees or contractors, companies have traditionally relied on VPNs to establish secure encrypted connections for remote access to the corporate network. A VPN does not stop an endpoint from accessing the network, however – it’s only a way of providing remote network connectivity. By itself, a VPN is missing the ability to assess the connecting device – it cannot prevent “unhealthy” devices from connecting to the network.
In the instance of remote access, NAC can be layered over the top of a VPN, VDI or other remote access methods, such as a Meraki Z3 Teleworker Gateway, to provide effective authentication and access control, as well as endpoint risk profiling – just like any other access layer (i.e. wifi or wired port).
Device Risk Posture Assessment
Your corporate network is only as strong as its weakest security link. This means continuous risk posture assessment is paramount. By continually monitoring the network, your network and security teams can stay ahead of cyberattacks with the ability to identify new risks in real-time, react to these risks, and take action. In a world with ever-expanding boundaries and an exponential increase in types of endpoints, continuous risk posture assessment must function no matter the location, device type, or type of data being transferred.
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of attacks but also allow for business continuity. Effective endpoint remediation consists of:
Automated Patch Updates Across the Network – Enforce necessary patch, anti-virus, operating system, and application updates across managed and unmanaged endpoints.
Immediate Incident Response – Contain ransomware events by remotely disconnecting endpoints from the network without the need for manual intervention.
Armed Incident Response Teams – Arm IT professionals and network admins with the ability to remotely take actions on employees’ devices.
The proliferation of IoT devices over the last decade has prompted a growing number of network security concerns. With all of these devices – printers, CCTV cameras, ATMs, MRI machines, etc. – now connected to their respective networks, it’s exponentially expanding corporate threat surfaces.
To combat the many risks posed by these new endpoints, companies are turning to NAC to gain visibility, knowledge, and control over IoT devices – much the same as traditional PCs and VoIP phones based in the office. There is a huge variety of IoT devices, and in general, there’s a serious lack of centralized management with regards to their security posture. Many of these IoT devices still rely on IT security technology from the 1980s, with no password brute force controls and no available patches.
It’s not a question of if vulnerabilities exist on IoT devices; this is a given. Today, it’s a matter of ensuring these devices can be properly controlled so they can’t compromise the network. Currently, the only line of defense is segmenting them out of the network and making sure only authorized users and devices can access them – this is exactly what NAC solutions do automatically.
Industries like banking, financial services, and healthcare are typically subject to a plethora of compliance regulations, such as SOX, HIPAA, PCI-DSS, GLBA, and now GDPR. Embedded in many of these regulations are certain network security parameters that necessitate access control so that sensitive personal and confidential information is not compromised.
Once a company has defined its internal network security compliance policies, it needs to implement a network access control solution to put them into effect and to continually assess its compliance standing.
NAC is used to enforce regulatory policies and maintain compliance across the organization. In practice, this typically means:
Understanding how mobile, BYOD, and IoT devices will affect and transform not only the organization but the industry, and implementing the right processes and tools to control them.
Tracking any network related device or program in real-time via a centrally secured platform providing full and actionable visibility.
Controlling access to the network and to cloud applications, even based on the geographical locations of users.
Ensuring that the business is in compliance with governmental regulations like SOX, PCI DSS, HIPAA, FINRA, FISMA, GLBA among others. Strict compliance will provide legitimacy with clients and partners.
Common Network Access Control Policies
Access Control Policies
Network security teams define and activate access control policies to control device access to the corporate network, which is ultimately based on the device authorization state. Once a device is authorized for network access, a network access policy determines which specific virtual LAN (VLAN) that device or user is directed to. On top of that, the policy also defines, for each type of authorization violation, whether to deny entry or whether to quarantine the device by assigning it to a specific VLAN or apply an ACL.
Risk Assessment Policies
In addition to defining an access control policy, network administrators will typically define a risk assessment policy, which assigns a risk score to each device. This score will indicate the level of risk posed by the device. Depending on the NAC solution in use, these risk scoring systems may differ. A risk assessment policy defines, for each device attribute (such as OS, security posture, geo-location, and more), the risk rating to apply if the device violates the current policy in use. At the end of the day, the risk score is used to determine whether to allow, block, or quarantine the device from accessing the network. This is the backbone of NAC.
In some instances, the network security team may define a series of remediation policies. Essentially, a remediation policy consists of unattended corrective and preventive actions (CAPA), automatically applied to devices upon every transmission or on a recurring basis. A remediation policy can be used to reduce devices’ risk scores and increase compliance levels for network access.
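The three policies just described (access control, risk assessment, remediation) can be modelled as a small decision engine. The following is an added example written for this page, not Portnox code; the VLAN names, attribute names, risk weights and thresholds are assumptions. It also illustrates the segmentation point made earlier in the MAC spoofing discussion: a MAC-authenticated device is authorised only into its narrow segment, and a profiling mismatch raises its risk score.

```python
"""Illustrative NAC decision engine (added example, not a product's code).

Models a risk assessment policy that scores device attributes and an access
control policy that maps the authentication method plus risk score to a VLAN,
a quarantine (with remediation actions) or a block. Everything below is an
assumption for illustration.
"""
from dataclasses import dataclass, field

# Assumed VLAN plan: each authentication method is authorised only into the
# narrowest segment it justifies. MAB (MAC-based) devices never reach employee
# VLANs, so even a spoofed printer MAC yields no more than the IoT segment.
VLAN_BY_AUTH = {
    "eap-tls": "employee",       # certificate-based 802.1X, managed device
    "eap-peap": "byod",          # directory credentials on a personal device
    "mab": "iot",                # MAC authentication bypass, agentless devices
    "captive-portal": "guest",
}
QUARANTINE_VLAN = "quarantine"

# Assumed risk assessment policy: points added per violated attribute.
RISK_WEIGHTS = {
    "av_outdated": 30,
    "os_unpatched": 30,
    "firewall_disabled": 20,
    "untrusted_geo": 40,
    # Passive profiling (e.g. DHCP/OS fingerprint) disagrees with the device
    # class the MAC address was registered as: the usual remedy for spoofing.
    "profile_mismatch": 100,
}
QUARANTINE_THRESHOLD = 50   # score >= this: quarantine and remediate
BLOCK_THRESHOLD = 100       # score >= this: block outright


@dataclass
class Device:
    mac: str
    auth_method: str             # a VLAN_BY_AUTH key, or "failed"
    registered_class: str        # class recorded at onboarding, e.g. "printer"
    observed_class: str          # class inferred by passive profiling
    posture: dict = field(default_factory=dict)  # attribute -> True if violated
    geo_trusted: bool = True


def assess_risk(dev):
    """Risk assessment policy: sum the weights of every violated attribute."""
    violations = [a for a, bad in dev.posture.items() if bad and a in RISK_WEIGHTS]
    if not dev.geo_trusted:
        violations.append("untrusted_geo")
    if dev.registered_class != dev.observed_class:
        violations.append("profile_mismatch")
    return sum(RISK_WEIGHTS[v] for v in violations), violations


def decide_access(dev):
    """Access control policy: authenticate first, then authorise by risk score."""
    if dev.auth_method not in VLAN_BY_AUTH:
        return {"action": "block", "vlan": None, "score": 0, "reasons": ["auth_failed"]}
    score, reasons = assess_risk(dev)
    if score >= BLOCK_THRESHOLD:
        return {"action": "block", "vlan": None, "score": score, "reasons": reasons}
    if score >= QUARANTINE_THRESHOLD:
        # Remediation policy: the violated attributes become the corrective
        # actions (patch, update AV, ...) to push before re-evaluation.
        return {"action": "quarantine", "vlan": QUARANTINE_VLAN, "score": score,
                "reasons": reasons, "remediate": list(reasons)}
    return {"action": "allow", "vlan": VLAN_BY_AUTH[dev.auth_method],
            "score": score, "reasons": reasons}


# Constructed sample devices (MAC addresses are made up).
SAMPLES = [
    Device("aa:bb:cc:00:00:01", "eap-tls", "workstation", "workstation",
           {"av_outdated": False, "os_unpatched": False, "firewall_disabled": False}),
    Device("aa:bb:cc:00:00:02", "mab", "printer", "printer"),
    # Registered as a printer, but profiling sees a general-purpose OS.
    Device("aa:bb:cc:00:00:03", "mab", "printer", "workstation"),
    Device("aa:bb:cc:00:00:04", "eap-peap", "workstation", "workstation",
           {"av_outdated": True, "os_unpatched": True}),
    Device("aa:bb:cc:00:00:05", "failed", "unknown", "unknown"),
]


def evaluate_all(devices=SAMPLES):
    """Return the access decision for each device, keyed by MAC address."""
    return {d.mac: decide_access(d) for d in devices}


if __name__ == "__main__":
    for mac, decision in evaluate_all().items():
        print(mac, decision["action"], decision["vlan"], decision["reasons"])
```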
Common Network Access Control Concepts
Post-Connect vs. Pre-Connect
Within the world of network access control, “post-connect” refers to a device being allowed to connect to the network and immediately being checked for authentication. If a device does not meet the organizational criteria for authentication, it will be blocked from having access to the network (or access will be limited).
In contrast, “pre-connect” means that authentication decisions are being made before a device is allowed on the network. Only once the device is authenticated will it be granted access to the network based on the policy. 802.1X is a traditional pre-connect method.
In general, a pre-connect approach is more secure since the device is granted access to the network only after identified as an organizationally trusted device. Post-connect is more operational for end-users, as they are granted access to the network before a decision is made.
Agent-Based vs. Agentless
Today, most NAC solutions can perform authentication and authorization without the need of an agent. Agents are typically employed for the following reasons:
Risk Posture Assessment – This is mainly the case for companies with BYOD policies.
Remediation – In order to know if a firewall or anti-virus is out-of-date, you must have an agent.
On-Boarding of Unmanaged Devices – Again this mainly applies to BYOD.
In some cases, the agent does not need to live within the network access control solution. Rather, third-party agents such as mobile app management software (MAM/MDM) and services can be leveraged to execute the above functions.
Cloud NAC vs. On-Prem NAC
As we go into further detail below, if you can move NAC to the cloud, you should. There is a myriad of benefits to doing so. At a high-level, these include operational time savings thanks to easier deployment and less on-going maintenance, better accessibility (especially for distributed enterprises), more flexibility as your business needs change, etc. In general, enterprises are increasingly adopting purpose-built cloud technologies for different operational needs, and NAC is no exception.
Not every organization has the ability to deploy a cloud NAC solution, however. One of the main hindrances is a lack of openness to, or internal expertise for, cloud services. There still remain dwindling concerns, misconceptions and unrealistic expectations over the potential benefits and overall security of public cloud services, which has caused some industries such as government agencies, healthcare, and education – to name a few – to be slow in adopting new enterprise cloud technologies.
Passive Profiling vs. Active Profiling
A core function of NAC is the profiling of network traffic and connected devices. In general, there are two approaches to profiling: 1) passive profiling and 2) active profiling.
Passive profiling means that a company’s NAC solution has been allowed to see all traffic across the network, and uses this intelligence to observe and analyze traffic to develop a passive profile of each device. On the other hand, active profiling means that a company’s NAC solution has been configured to initiate requests to the endpoints so that each device can have a profile created for it.
Must-Have Network Access Control Solution Capabilities
Full Access Layer Coverage
As today’s networks explode in size and scope, particularly with remote workforces on the rise, it’s imperative that your NAC solution can manage access control across all existing access layers. This includes the obvious – wired ports and WiFi. It also must be able to manage the various remote access methods used within your organization. These may include VPN, virtual desktop infrastructure (VDI), Meraki Z-Series Teleworker Gateways, and beyond.
Nearly every primary management and productivity tool used by businesses has shifted to the cloud. Network access control is no exception. The inherent productivity, operational, economic, and accessibility benefits have driven this trend in the last fifteen years.
When it comes to NAC, however, there is a big difference between cloud-based and cloud-delivered. Some NAC providers offer an accessible cloud-based platform from which to manage network access, but this typically still requires on-site hardware to be installed. With a cloud-delivered approach, everything from the RADIUS server that provides centralized authentication and authorization up to the certificate authority is stood up in the cloud. This saves a significant amount of time and means that even large distributed organizations can implement NAC across their many locations in a fraction of the time required by traditional on-premises network access control solutions.
Today, 802.1X is the standard protocol for network access control. When searching for a NAC solution, the ability of the system to deliver 802.1X authentication is of the utmost importance. With access control based on 802.1X, network administrators can confidently block rogue devices, quarantine noncompliant endpoints, limit access to specified resources – whatever your internal policy calls for. 802.1X remains one of the best ways to authenticate devices because of its continuous and direct communication, in contrast to post-scanners, or other less secure authentication solutions that expose the network to vulnerabilities.
Zero-Trust for Endpoints
While “zero-trust” has become another overused buzzword in the world of network security, it is, in fact, an effective approach to sealing your network off from rogue devices. With zero-trust, an organization inherently does not trust any endpoint inside or outside its perimeters. A zero-trust network access control solution can eliminate the need for extensive endpoint scanning since the status of a device is already known. This doesn’t eliminate all of the attack surfaces, but it does help in protecting both endpoints and your network.
Endpoint Risk Assessment
The ability to continuously assess the risk of devices connected to or trying to connect to your network is paramount. Understanding the risk posture of devices – on-site or remote – and proactively taking action based on endpoint risk – such as allowing, quarantining, or denying access across access layers – is the best way to ensure network threats are kept at bay.
The world is changing – the threat surface is expanding, and companies are increasingly turning to purpose-built enterprise cloud applications to streamline business processes. Today, it’s not enough to just protect what’s on-premises – you need to know the risk posture of every device that connects to corporate resources, no matter its location.
Continuous Device Remediation
Awareness is only a piece of the puzzle, however. When considering a NAC solution, it’s important to understand if it can easily remediate devices that sit outside of internal risk policies and restore those devices to the proper posture to eventually grant network access. Put simply, ensuring devices are healthy reduces security risk. That means network administrators can sleep a bit more soundly at night.
As we covered earlier, real-time device remediation has a major operational benefit as well – it saves time! By eliminating the need for network or security administrators to fix devices manually, you’re freeing them up for more important tasks.
Corrective & Preventative Action (CAPA)
Risky technology behavior like inserting an untrusted USB drive, or failing to update a firewall or anti-virus, is prevalent. We’re almost all guilty of it. The ability to prevent this risky behavior is thus important, not just for the sake of lowering exposure time, but also for saving the organization valuable time by fixing the issue automatically and preventing a potential breach.
Multi-Factor Authentication (MFA)
Leveraging MFA for NAC that looks at a user’s credentials and an enrolled device is critical to ensuring access control across today’s expanding networks. MFA should be integrated within your NAC, especially on remote access. This approach ensures that security is offered on two levels: protection of the user identity, and authorization of the device – making sure only managed and secure devices are allowed to gain access. With MFA, compromised user credentials are effectively useless on their own, and if the device being used is not enrolled with the NAC, the user cannot access the VPN, VDI, or cloud applications.
The Future of Network Access Control
NAC and the Rise of SD-WAN
The adoption of Software-as-a-Service (SaaS) and cloud services has decentralized data traffic flows, making Multiprotocol Label Switching (MPLS) inefficient for wide area network (WAN) transport. This has given rise to SD-WAN for the implementation of software-defined branch (SD-branch), now allowing IT environments to be extended to branches outside of the headquarters that need high-quality network connectivity.
Traditionally, in order for NAC to operate effectively, it has needed a direct connection to headquarters and appliances deployed on-site at individual branches. This is a costly, time-consuming endeavor, and has historically limited the use of SD-WAN and SD-branch. NAC has adapted by moving to the cloud, eliminating the need for on-site appliances and on-going maintenance. Now, all that is needed to implement it is an internet connection.
The Impact of Secure Access Service Edge (SASE) on NAC
In 2019, Gartner introduced SASE as a new enterprise networking technology category. In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses.
The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and on-going maintenance. Now, all that’s needed to control network access at branches and the headquarters alike, is an internet connection.
Ransomware and malware, malicious cyber threats in which attackers demand ransom payments from the organization being attacked to return stolen or encrypted data, have become the most prevalent cybersecurity threats. In the last few years, such attacks have increased in frequency and severity, and the large-scale attacks typically reach the headlines, as seen in the 2017 WannaCry and NotPetya attacks that affected close to 300,000 computers globally.
Faced with the increasing threat of ransomware attacks, many organizations are now actively engaging in updating their cybersecurity defenses and authentication procedures to avoid the attention of cyber offenders. This can be a difficult process because many companies lack visibility into which points of connection on their network are vulnerable to threats, such as Internet of Things (IoT) and personal devices (bring your own device, BYOD). Therefore, Portnox recommends implementing a layered ransomware defense, response and remediation plan on the enterprise network. This plan would integrate full visibility of the network with all connected and managed/unmanaged endpoints (including IoT and BYOD); control over access to files, resources and data; and remote remediation capabilities. Furthermore, the plan should include the possibility of quarantining or blocking infected devices to contain lateral movement.
Ideally, an effective plan for defeating cyber extortion would include defense tools, such as anti-virus and anti-ransomware software, that provide behavior-based detection, prevent unauthorized file access and modification, recover files, and vaccinate against the ransomware strain. Together, these create a comprehensive ransomware response and remediation solution. Portnox’s solution addresses all phases of the ransomware kill chain (reconnaissance, exploitation and remediation) and, together with its technology partners and integrations, offers a holistic ransomware solution. Beyond its ability to draw data from other sources, Portnox’s solution is known for its seamless deployment, even across the most complex networks and security architectures.
Phase 1 – Reconnaissance:
During this phase, the attacker collects information on the target through research of publicly available information or social engineering. In this phase, Portnox’s solutions provide a real-time picture of all network elements, so that organizations can understand the level of risk and identify vulnerabilities early on. Endpoints that are deemed to have a high risk value (those that fail to uphold the network security policies, are missing the latest antivirus and OS patches, or have technical specifications that have been deemed vulnerable) will be blocked from accessing the network or quarantined until security updates are made. Additionally, Portnox offers the ability to see into the weakest areas of the corporate network, i.e. Internet of Things (IoT) devices. CISOs, network administrators and IT teams can discover where IoT devices are located on the organizational network and confine them to a separate VLAN with limited access.
Phase 2 – Delivery & Exploitation:
At this point, hackers use the information obtained in reconnaissance to carry out attacks on vulnerable endpoints, users and different areas of the network. Portnox software receives information from third-party security vendors to actively identify anomalies. There is full communication between Portnox and these vendors, so that their assessments are seamlessly integrated. The system can carry out on-going sandboxing of endpoints according to defined characteristics (including for IoT devices), filter endpoints according to patch level, anti-virus, operating system and active applications, and quarantine them if one or more of these aspects has been deemed vulnerable. Portnox shares information when an endpoint’s posture assessment changes, helping network administrators identify attempts at social engineering in the early stages of a breach. The admin can then bring that device into compliance with security policies, or quarantine it until remedial security measures are taken.
Phase 3 – Command & Control Actions and Extraction:
At times, despite having all the right solutions in place, ransomware still gets through. Once this phase is reached, the ransomware is installed and the hacker can take full control of the organization’s system and do with it as he or she pleases. The hacker could freeze the organization’s data and demand ransom to give the access back (“Cryptolocker attacks”), as in some of the major ransomware attacks in the last few years. A new era of “CryptoWorms” is expected to surface as malware writers become more sophisticated, and now, more than ever, is the time to have the right technologies in place to defend the organization’s assets, accessibility and private customer data.
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of the attack; it will allow business continuity. Portnox uses the following:
• Automated Patch Updates Across the Network – Enforces necessary patch, anti-virus, operating system and application updates across managed and unmanaged endpoints, located both on and off premise.
• Immediate Incident Response – Contains ransomware events by remotely disconnecting endpoints from the network (no manual touch required). The program drills down to the level of specification: device type, operating system, anti-virus software version, switch location, and more. Finally, it performs automated actions on every device, in all locations, instantly.
• Armed Incident Response Teams – Portnox arms IT professionals and network admins with the ability to remotely take actions on employees’ devices. In addition, with Portnox’s solution, IT professionals can create an effective incident response plan for any device based on network specifications.
In conclusion, ransomware and malware are considered to be the top cyber-security threats of our time. Therefore, it is imperative to significantly increase organizational security so as to be prepared, with the right response and remediation software, for such frequent and wide-reaching attacks. Portnox offers network access control solutions that allow organizations to maintain the upper hand in network security, ensuring business continuity, securing company assets and avoiding prohibitive financial losses.
What are the steps necessary to defend your organization’s assets in an optimal framework, while cutting costs at the same time?
If you have spent five minutes on our website or blog, you are probably well-versed on the notion that conducting automated and continuous security assessments of your network is the way to go, where pro-active and preventative security measures are concerned, so as to protect any company’s assets. Still, when new clients get started with one of the Portnox solutions, it is advantageous to kick things off with a simple, yet crucial, security audit. When undertaking an initial security audit, it is important to use the most up-to-date compliance requirements to uphold security protocols. This clearly defines what CISOs should be looking at, and helps in shaping and setting up the future of your automated security monitoring and assessments.
Step 1: The Scope of the Security Perimeter
The first step in the auditing process is to clearly define the scope of the audit. For most companies and organizations this will include both managed and unmanaged devices and machines. Managed devices will encompass a list of computers, machines, devices and databases that belong to the company directly and contain sensitive company and customer data. Additionally, in a world that includes BYOD policies and IoT-connected devices and machines, as well as contractors and visiting guests, the unmanaged segment of the audit should be positioned to continuously update visibility of all connected endpoints. Without clear visibility, it is impossible to create segmentation and remediation procedures. Third, the security perimeter must include definitions of which software is allowed and not allowed, so as to define a software perimeter as well. Finally, the scope should include all access layers: wired, wireless and VPN connections. In this manner, the scope of the audit will include all software and devices, in all locations, and so define the security perimeter for the company.
Step 2: Defining the Threats
The next step is to list potential threats to the security perimeter. Common threats to include in this step would be:
Malware – worms, Trojan horses, spyware and ransomware – the most popular form of threats to any organization in the last few years.
Employee exposure – making sure that employees in all locations change their passwords periodically and use a certain level of sophistication (especially with sensitive company accounts), as well as protection against phishing attacks and scams.
Malicious Insiders – once onboarding has taken place, employees, contractors and guests pose a risk of theft or misuse of sensitive information.
DDoS Attacks – Distributed Denial of Service attacks happen when multiple systems flood a targeted system, such as a web server, overloading it until it stops functioning.
BYOD, IoT – these devices tend to be somewhat easier to hack and therefore must be completely visible on the network.
Physical breaches, natural disasters – less common but extremely harmful when they occur.
Step 3: Prioritizing and Risk Scoring
There are many factors that go into creating the priorities and risk scoring.
Cyber security trends – working with a network access control system that factors in the most common and current threats, along with the less frequent ones, could save you and your CISOs a lot of time and cut costs, while at the same time defending the organization in an optimal framework.
Compliance – includes the kind of data that is to be handled, whether the company stores/transmits sensitive financial or personal information, who specifically has access to which systems.
Organization history – If the organization has experienced a data breach or cyber-attack in the past.
Industry trends – understanding the types of breaches, hacks and attacks within your specific industry should be factored in when creating your scoring system.
Step 4: Assessing the Current Security Posture
At this point you should start to have an initial security posture available for each item included in your initial scope definition. Ideally, with the right access control systems in place, no internal biases affect your initial audit or any continuous risk assessments performed automatically later on. Additionally, making sure that all connected devices have the latest security patches, firewall and malware protection will assure more accuracy in your ongoing assessments.
Step 5: Formulating Automated Responses and Remediation Action
Establishing a corresponding set of processes designed to eliminate the risks discussed in step 2 involves a few solutions that should be included in this step:
Network monitoring – establishing continuous automated monitoring and creating automated risk assessments will lead to improved risk management. Cyber offenders are typically working to gain access to networks. Activating software that automatically takes notice of new devices, software updates/changes, security patches, firewall installations and malware protection is the best way for any organization to protect itself. Ideally your CISOs should be alerted to any questionable device, software, activity, unknown access attempts, and more, so as to be a step ahead of any harmful activity, whether it is malicious or not. Network Access Control solutions such as those offered by Portnox provide 24/7 risk control and risk management and use machine learning to identify cyber offenders, while at the same time cutting costs on employee hours and replacing expensive systems with cloud-distributed, pay-as-you-go and scalable software.
Software Updates – making sure that everyone on the network has the latest software updates, patches, firewalls, etc. It is highly recommended to take advantage of the built-in feature of Network Access Control software that alerts you when these are required.
Data backups and data segmentation – relatively simple but crucial steps, because consistent and frequent data back-ups, along with segmentation, will ensure minimal damage should your organization ever fall victim to malware or a physical attack.
Employee education and awareness – training for new employees and continuous security updates for all employees to make sure best practices are implemented company-wide, such as how to spot phishing campaigns, increasing password complexity, two-factor authentication and more.
If you have completed these simple but crucial steps, you have finished your first internal security audit! Now you can proceed to establishing your ongoing automated risk assessment, management and controls to secure your company’s assets for the short, medium and long terms. Your first security audit, when done properly, will serve you well as a touchstone for future risk assessments and self-audits. Monitoring all devices and machines as well as software over time is the best way to control the risks within your device and software security perimeter. The continuous fine-tuning of your controls and processes will maintain ongoing visibility as well as the ability to properly assess your overall preparedness for cyber-threats, along with the ability to manage risks and remediate attacks.
Due to the proliferation of wireless networks and mobile devices, through BYOD and IoT, the workplace has become, on the one hand, a more agile and flexible environment, increasing productivity and employee satisfaction, and on the other, a breeding ground for vulnerabilities and cyber risk. As NAC solutions address the needed steps to audit your organization’s security while also providing intelligence into network behavior through various integrations and methods for achieving compliance, they are well suited to help meet and address these risks. For these reasons, NAC, today, is a must-have part of a robust self-auditing security mechanism. By controlling access to the network with a NAC solution, organizations control their exposure to a wide array of emerging digital business risks, keeping their organizational network healthy and secure.
Now that you have completed your initial network security audit, you can focus your attention on keeping your network safe.
A core factor in achieving that is to have full visibility and control of all devices connecting to the network in real time.
Implementing Network Access Control solutions addresses top security concerns and therefore is a crucial step in preparing your network for security audits.
Find out more here: The Importance of a NAC Solution White Paper
You want to stay ahead of the game? The following list of cybersecurity events will help … and they are fun too!
Whether you are a security professional, software developer, security administrator, or any other role in the IT security fields, attending a conference is a great way to network with other professionals and learn about the hottest market trends, new developments, improvements, innovation and information.
Plenty of great cybersecurity conferences are coming up in the months ahead and the Portnox team will attend several of these. We’ve identified these top cybersecurity events that should be on your list. Check them out and update your calendar!
The event is positioned as a global meeting place, featuring representatives from organizations of all sizes, from multinational corporations to emerging startups. There will be a special pavilion for startups, as well as a competition in which entrepreneurs will present their ideas to a panel of international judges. Topics under discussion during the conference include the Internet of Things (IoT), big data and Finsec. New in 2018 is a sister conference and exhibition, AutoTech, focusing on the future of smart mobility and the automotive industry.
Oracle Cloud World brings together forward-looking professionals responsible for finance, operations, supply chain, human resource, sales, marketing, customer service and IT. Learn how leading companies are leveraging the cloud for competitive advantage. Experience what works, what doesn’t, and identify solutions and approaches to accelerate your innovation.
The Gartner Identity and Access Management (IAM) Summit will focus on some of the hottest topics for the coming year, including the role of identity management in securing cloud and mobile apps, the IoT and the importance of privileged access management. For those preparing for the General Data Protection Regulation (GDPR), there is also a focus on the role of IAM as it applies to the privacy regulation.
InfoSec World 2018 Conference & Expo is bringing together CISOs, CIOs, CTOs and other security practitioners who will share hands-on and practical advice on a wide range of security topics. From understanding your adversary to learning about the 0-day exploit market to bridging the gap between the technical and business aspects of security, InfoSec World 2018 will offer a chance for security professionals to learn something new and analyze ideas with peers.
Cloud Security Expo is the fastest growing section of the Cloud Expo Europe event series attracting a record-breaking 19,926 Enterprise IT & Security Buyers and Specialists in March this year! Cloud Expo Europe Keynote Theatre hosts foremost international technology leaders, including internationally acclaimed and top-rated visionaries, senior industry speakers and executives driving a global transformative shift towards cloud computing and other disruptive technologies. Speakers will deliver their outlook on the future, plus leading CIOs and senior IT professionals will be sharing their roadmaps to digital transformation, where cloud lives in the heart of the engine room. Cloud Security Expo provides the tools, training & techniques to ensure companies are compliant and secure as they transition their business assets to the cloud.
The largest cybersecurity event in the world today, the RSA Conference USA 2018 is dedicated to information security topics including data breaches, cyber threats, compliance, social engineering, cloud security, risk management, application security, mobile security, governance, data security, legislation and policy, law, cryptography and identity management. It brings together information security professionals from across the globe working in industries such as computer software development, finance, banking, healthcare, government, pharmaceuticals and manufacturing. Hear from world-class speakers on topics such as “The Most Dangerous New Attack Techniques, and What’s Coming Next”.
Interop ITX combines a trusted Conference program with a vendor-neutral Business Hall and lots of networking events. The event is entering its 32nd year serving the IT community and it is an opportunity to learn about technologies and solutions. You may not realize how much the show has evolved during that time, growing from a plugfest ensuring network interoperability to an industry-oriented trade show to its current model: a week-long event centered around its conference program, including educational sessions, long-form tutorials, mainstage keynotes, sponsored content and a business hall showcasing technology.
Our CEO is Speaking! Sign up for his hands-on IoT workshop here.
The Gartner Security & Risk Management Summit 2018 will focus on practices and strategies that will provide cost-effective security and risk programs in order to support digital business and drive the success of your business or organization.
Among the exhibiting companies are IBM, Thales, Cylance, Varonis, Symantec, HP enterprise, Verizon, Sentinel, AT&T.
Infosecurity Europe (Infosec) is the region’s number one information security event featuring Europe’s largest and most comprehensive conference programme and over 400 exhibitors showcasing the most relevant information security solutions and products to over 19,500 information security professionals. Each year this conference features many sessions on NAC. Watch this space!
Black Hat is the most technical and relevant global information security event series in the world. For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and training are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
Contact us to schedule private product demos (Portnox CORE for on-Premise NAC and Portnox CLEAR for cloud-based NAC) at one of these shows. We look forward to seeing you there and beginning a conversation with you around network security!
2017 was a very busy year for Portnox, yet throughout we aimed to address cybersecurity trends through our product offerings, Portnox CORE and Portnox CLEAR. With the highest number of ransomware attacks on record in 2017, we introduced a Rapid Ransomware Response and Control feature to our on-premise NAC solution, Portnox CORE, as well as the ability to see and control Internet of Things (IoT) devices through the IoT Visibility Radar. Portnox CLEAR, our cloud solution for network access control and risk management, was introduced to the market with features for ensuring business continuity and securing the mobile workforce. The ability of our products to adequately address the threats of 2017 received commendation in the form of various industry awards and recognitions from leading publications and security experts.
Looking forward to 2018, the security landscape will shift and focus more heavily on IoT security, blockchain trends, automation and workforce mobility.
Here are some of our insights on what the 2018 cybersecurity landscape will look like:
Extension of Automation: Together with AI and machine intelligence trends, automation will likely take center stage in 2018 as the leading security trend. Microsoft recently announced that it will begin automated anti-virus updates through its Windows Defender, which means that users and organizations will no longer have a choice when it comes to patching endpoints and software. This is good news, because it ensures that more actors have adequate security postures, and it makes sense for modular devices (like IoT) that present difficulties when it comes to firmware upgrades. Yet automation also creates challenges, namely for industries dependent on older versions of software, firmware and operating systems, such as healthcare and finance. Automated security updates could put the business continuity of these organizations at risk, and with potentially life-threatening and economically risky consequences. In addition, automated security updates across the board could actually make it easier for hackers to carry out large-scale attacks that will affect a larger number of endpoints.
Blockchain and the Hacking of Applications: While many believe that the blockchain is “unhackable”, in the last year we have seen an increase in the number of attacks against blockchain-based applications. The vulnerabilities do not arise from the blockchain itself, but rather from the applications that run on the blockchain. Social engineering will be used to extract private keys. Another possible blockchain hack, which has already been proven possible, is through other blockchain technologies such as Ethereum, an organization that is committed to being open source for third-party applications. This creates a vulnerability because almost all applications have bugs that can be exploited by hackers as an attack surface.
DDoS Ransomware: Creating a new and more potent form of blackmail, DDoS and ransomware are joining forces to topple enterprise progress in digital transformation, while reaping monetary benefits. These attacks are made possible by using botnets, large groups of “zombie” devices (which often happen to be Internet of Things devices, such as webcams), to funnel traffic to a malware-infected web address that, in turn, extracts data from the accessing endpoint and demands a ransom for the return of that encrypted data. These attacks are often called “sinkhole” attacks because the DDoS traffic is directed to sites that contain dangerous malware. With the wide adoption of Internet of Things devices in the enterprise, and the rise in ransomware demands, it’s likely that we’ll be seeing more of these attacks in the next year.
Growing Regulation of IoT Security: Regulations governing IoT security features are beginning to be drafted, but there is still not enough demand from the consumer side to warrant manufacturer investment in security features. This begs a major question in 2018 of whether governments, in similar fashion to the US and EU, will begin issuing security regulations on IoT device manufacturers that protect consumers and companies from digital risk. Together with GDPR and other compliance regulations, we are likely to see more governments and industry authorities stepping up to enforce privacy, safety and security regulations on IoT manufacturers.
Mobility of the Workforce: With more employees working remotely, organizations are enjoying a significant drop in their capital expenditures (many have even given up on the physical office space), while directing operational expenditures at digital transformation trends such as cloud and BYOD. Workforce mobility is a good thing for companies’ balance sheets, but the technological flexibility it affords results in more areas of cybersecurity vulnerability for the enterprise network. Companies that are set on accommodating mobile workforce trends will be investing in more endpoint, network and cloud security solutions that protect access and assets across a variety of locations and in various connected environments.
At Portnox, we will continue innovating our access control offerings to provide solutions to 2018 security trends and challenges, providing our customers with valuable, holistic solutions to protect their networks.
Here’s to a great 2018!
Last week, news surfaced of a serious vulnerability in the Wi-Fi Protected Access II (WPA2) protocol that is used to secure the majority of protected Wi-Fi networks. According to the research, published by Mathy Vanhoef of the University of Leuven, the vulnerability lies in the 4-way handshake that is part of the WPA2 protocol, which can be manipulated to carry out man-in-the-middle attacks on network users, forcing them to reinstall the encryption key. Furthermore, Android and Linux devices can be tricked into reinstalling an all-zero encryption key, making it possible for the attacker to intercept and manipulate traffic from these devices when they are connected to the WPA2 network.
The implications of such a vulnerability are huge, as most modern networks are protected through the WPA2 protocol, but there are a few caveats. For instance, in order to carry out a KRACK (Key Reinstallation Attack), the attacker needs to be within range of the Wi-Fi network. In addition, browsing over HTTPS may protect some traffic from interception, as it is protected with an additional layer of encryption. Yet, at the moment, it appears that most devices that support Wi-Fi are affected, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and more.
So what are the implications of the discovery of KRACK for the enterprise network?
By manipulating the KRACK vulnerabilities, hackers (or even employees, guests and contractors) within close vicinity of the Wi-Fi network can eavesdrop and alter information being transmitted over the network. While the location caveat does have its benefits for smaller and tighter organizations, for larger organizations with far-reaching networks, it provides little solace.
Though little is still known about how the KRACK vulnerability will be addressed (or when a new secure wireless encryption protocol will be issued), there are a number of steps that enterprise IT departments can take to secure their data.
Install the latest security patches and updates: This is a given following any vulnerability, and should become standard practice throughout the enterprise. If possible, use a network access control solution to alert IT administrators and employees when their devices are in need of updates, and enforce those updates by quarantining or blocking non-compliant devices until their security posture is updated. Also, regularly check for firmware updates that address WPA2 vulnerabilities across all connected devices and appliances.
Look out for IoT devices: Direct attention to all connected devices – not just managed and BYOD devices – namely IoT devices that present a challenge as many of them cannot be patched or updated with the most recent firmware. Consider sandboxing IoT devices into a separate part of the network until a larger solution for the WPA2 vulnerabilities is reached. Currently, those organizations that depend on the data processing capabilities of IoT devices should be concerned and take all possible measures to protect and manage the security of these devices.
Maintain consistent visibility into connected endpoints: One of the best ways to identify vulnerabilities is to maintain consistent visibility into connected endpoints. That way, if there is suspicious activity being carried out on the network, or if device specifications have been changed (good indications of a KRACK breach), IT administrators can take actions to control access for the device in question. Consistent visibility makes it easier to establish regular patterns of network behavior, providing important context when it comes to identifying and preventing cyber attacks.
Consider wired networks: While these may seem like a thing of the past, in most organizations, wired internet connections still exist in some form. Encourage employees to connect their managed and professional devices over wired networks where possible, at least until firmware updates are installed and a remediation policy is put in place. For mobile devices and BYOD, ask employees to refrain from engaging in work-related activities over the enterprise Wi-Fi connection until the vulnerability is effectively addressed.
Use WPA2 AES-CCMP as opposed to WEP, WPA/WPA2 TKIP and GCMP: The researchers identified that with WPA-TKIP or GCMP, hackers can not only decrypt encryption keys but also forge and inject new encrypted packets. Therefore, it's better to use a different encryption method until a more concrete solution for secure WPA encryption is reached.
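The last item in the list is a concrete configuration check, so here is an added example (not code from the original post or from any vendor) that audits a hostapd-style access-point configuration for the cipher choices the list warns against and reports the CCMP-only setting to use instead. The option names (wpa, wpa_pairwise, rsn_pairwise, wep_*) are real hostapd keys; the two sample configurations are constructed for illustration and do not describe any real deployment.

```python
"""Audit a hostapd-style AP configuration for WEP, TKIP and GCMP, the cipher
choices the KRACK guidance above says to move away from, and report the
CCMP-only replacement.  Added example; sample configs are constructed."""

# hostapd selects the pairwise cipher with these two keys: wpa_pairwise applies
# to WPA (v1) associations, rsn_pairwise to WPA2/RSN associations.
CIPHER_KEYS = ("wpa_pairwise", "rsn_pairwise")
WEAK_CIPHERS = {"TKIP", "GCMP", "GCMP-256"}

# Constructed sample: a legacy config that still allows WPA1, TKIP and GCMP.
WEAK_CONFIG = """\
interface=wlan0
ssid=corp-legacy
# wpa=3 enables both WPA and WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP GCMP
"""

# Constructed sample: WPA2 only, AES-CCMP only.
HARDENED_CONFIG = """\
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_config(text):
    """Parse hostapd key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    findings = []
    # Any wep_* key means the AP can still serve WEP clients.
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys configured: remove all wep_* settings")
    mode = cfg.get("wpa", "0")  # hostapd bitfield: 1 = WPA, 2 = WPA2, 3 = both
    if mode != "2":
        findings.append(f"wpa={mode}: permits open or WPA1/TKIP; set wpa=2")
    for key in CIPHER_KEYS:
        weak = set(cfg.get(key, "").split()) & WEAK_CIPHERS
        if weak:
            findings.append(
                f"{key} allows {' '.join(sorted(weak))}: set {key}=CCMP")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or ["OK: WPA2 AES-CCMP only"])
```

Run against the legacy sample it reports three findings (WPA1 enabled, TKIP on the WPA side, TKIP and GCMP on the RSN side); the hardened sample passes clean. The same parse-and-audit shape works for any other key=value AP configuration once the key names are adjusted.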
The most important thing to remember about WPA is that there is no use in panicking. Most connected devices and enterprise networks are affected at this point. Mathy Vanhoef and his team at the University of Leuven have done us all a favor by informing us of the vulnerability, giving IT departments and security experts an opportunity to shore up their Wi-Fi security and take measures to prevent data loss.
If you’ve been reading cybersecurity publications lately, you’re probably aware that ransomware and Internet of Things (IoT) are now some of the biggest concerns within the cybersecurity community. Besides all of the relevant scenarios and security products that are presented to prepare for or attempt to prevent ransomware attacks or an IoT breach, there is one scenario that isn’t being talked about – ransomware attacks on IoT devices. This blog will attempt to shed some light on how these factors can work together to put your organization, and even human lives, at risk, as well as suggest ways that such an event can be prevented.
At the recent Black Hat conference in Las Vegas, two cybersecurity researchers, Billy Rios and Jonathan Butts, demonstrated how the mechanical arm of an automated car washing machine could be hacked to cause damage to a vehicle, and potentially threaten human life. This is not the first time that Rios and Butts have put a connected device to the test; the team has successfully hacked a pacemaker and a smart car to highlight life-threatening vulnerabilities. They are probably not the only team that has made a point of demonstrating the dangers of IoT malware and ransomware, yet still, manufacturers, organizations and consumers continue to produce, purchase and deploy these inherently vulnerable devices. What makes IoT ransomware a grave security flaw?
Let's start by stating that all connected devices (not just IoT devices) are potential victims of ransomware attacks because they are connected to the Internet. Ransomware attempts to gain access to mission-critical data on the network, then encrypts that data until the organization or individual pays the ransom (usually in a cryptocurrency), at which point they are provided the key needed to recover the data. While ransomware is well understood when it comes to more "traditional" devices such as computers, phones and servers, IoT devices are rarely considered as a point of entry, and if they are, there's no way to patch or protect them, or to install anti-virus software. Really, your best hope with an IoT device is that the manufacturer installed firmware and that there are available upgrades that somehow address ransomware risks. In the majority of cases, these firmware updates simply do not exist.
Then there's the issue of visibility. When organizations and individuals connect IoT devices to their network, the excitement of deploying a new technology resulting in greater efficiency tends to overshadow precautionary measures to ensure the device is secure. There are a number of cases in which organizations were attacked via IoT devices that they didn't have knowledge of. In addition, many of these devices have default passwords that can be easily discovered through the Shodan search engine, Hydra or other IoT search tools and password generators. In most cases, the username is 'admin' and, well, the password is the same. Oversight of IoT devices on the network creates a gaping hole for hackers to plant ransomware that, while not directly targeting the IoT device, can reach the mission-critical data they are after by gaining access to the network.
Finally, there is the physical aspect of IoT devices. Usually, these devices are deployed to control temperatures in the HVAC room, as smart coffee machines or smart TVs, and in industry as part of the movement to connect machinery to the Internet (Industry 4.0). That means that unlike most computers and other "traditional" devices, IoT devices are tied to a physical function that could have real, and potentially dangerous, consequences. The demonstration of the car wash hack is a good example, but what about IoT door locks that could trap people in a building or prevent entry, or a smart TV that allows for espionage? At the moment, the majority of these are hypothetical scenarios, but as the Mirai botnet incident demonstrated (what's known as a pivoting attack), the hacking of IoT devices presents a real threat that should be addressed now, rather than later.
At the moment, IoT manufacturers aren’t doing much to make sure these devices are secure, so what should organizations eager to implement IoT devices do to make sure that they aren’t putting their network at risk?
The first thing that should be done is to find out if the IoT devices you’ve deployed have firmware, and if they do, if that firmware can be upgraded. But, as mentioned, not all IoT devices have firmware, which is why the next step should be to secure the IoT network with firewalls or create a network perimeter. With the devices quarantined in a “safe” part of the network, pivot attacks and access to mission-critical data on other devices are (largely) out of the question. Visibility is key for knowing where hidden threats lie on the network, which is why a solution that discovers IoT devices, their location and characteristics should be an essential part of any security stack. If possible, deploy a network access control solution that will allow for authentication of IoT devices to ensure that vulnerable devices can’t enter the network and gain access. Finally, and as previously mentioned, consistently update the default passwords and manage the security certificate lifecycle (if any).
While we haven’t heard of too many IoT ransomware attacks yet, you can bet that they will be in the news soon enough. Beat the black hats to the chase and shore up your network with IoT visibility, discovery and control tools that will protect against malicious exploits, including malware and ransomware.
Recently, ransomware attacks on enterprises were all over the news. From the massive WannaCry attack in May 2017, which affected 300,000 devices worldwide (if not more), to the Petya (also known as NotPetya) attack in June 2017, it seems that there is no rest for the ransomware wicked. More than ever, businesses are aware that they need to have a ransomware game plan, and fast, because if not, they might find themselves in the headlines, having to take on the enormous costs of the attack aftershock, or worse – losing business due to system downtime and outages.
The wide-reaching effects of ransomware attacks on large corporations such as FedEx, Merck, HBO and Maersk are living examples of why it is important to avoid paying the true cost of ransomware remediation. The US pharmaceutical giant Merck was attacked by the Petya strain in June, yet still the organization is struggling to recover all its information and to account for the damages. The attack cost the organization billions in downtime, not to mention the significant funds required to staff around-the-clock IT experts, lawyers and PR reps to get business back on track. Global entertainment giant HBO was presented with a multi-million dollar ransomware demand this August, wasting billions in ad revenues for the company. These are just two examples that highlight the need for a review of remediation procedures, as well as ways to avoid paying the true cost of ransomware.
One of the easiest ways to avoid paying the true cost of dealing with a ransomware attack is simply not to pay the ransom. This may seem to go against organizational, or even your moral, principles, but it has been established that paying the ransom seldom pays off. That's because it's unlikely that the hackers will return all the information, upping the PR costs of dealing with potential media backlash, and, despite paying the ransom, showing a willingness to pay might brand your company as an easy target in the hacker community. But more than that, paying the ransom won't prevent future attacks, because, in most cases, ransomware is distributed at random to any of the non-patched or vulnerable devices that particular strain is targeting. That's why it's a better idea to use the money that would go toward paying the ransom to shore up your cyber defenses, authentication tools and network firewalls.
Then there's the issue of backups. Many organizations create a ransomware response plan that involves storing critical data on a secure server so that they can quickly bounce back from an attack. Yet while it is a good idea to back up critical data, it's possible that the backup won't recover all the information that's in hackers' hands. This presents threats to the stability and safety of your organization, and creates the possibility of a PR mishap (see the HBO example). In addition, the most recent ransomware attacks are targeting network-connected computers that have access to these backups, which means that attempts to fully restore systems are largely futile. So while backups are a good practice that should remain part of remediation plans, they shouldn't be too heavily depended upon to get you back on your feet.
The bottom line: You need a multi-pronged approach to remediation. If there's one thing that can be said about ransomware, it's that it doesn't discriminate, which is why, more than ever, companies need to have the right remediation plan in place to avoid paying the true cost of ransomware attacks. A good place to start is integrating a solution that will allow IT professionals to remotely disconnect corporate devices from the network. This will help prevent the lateral spread of the attack throughout the organization, on both patched and unpatched devices (because the latest NotPetya strain targeted both). In addition, it's important to have constant awareness of network areas at risk. This can be done by deploying a network access control solution that provides full visibility into devices, assesses their level of digital risk to your business, and controls which devices are allowed on the network and which aren't.
To avoid paying the true cost of a ransomware attack, i.e. system and employee downtime, brand-name and brand-equity damage, legal efforts and data recovery, your organization should consider a multi-faceted remediation approach that integrates a network authentication and endpoint control solution, allowing for business continuity with customers and partners.
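The "remotely disconnect to stop lateral spread" step above only works if something decides, quickly, which device to disconnect. The following is an added example (not code from the original post or from any NAC product) of the detection half of that loop: it scans flow records for a single source contacting many distinct internal hosts on TCP 445 in a short window, the SMB fan-out pattern that both WannaCry and NotPetya produced while propagating, and turns each hit into the quarantine action a NAC integration would carry out. The flow-record format, the thresholds, the allowlist and the action format are all assumptions, and the sample flows are constructed.

```python
"""Worm-style lateral-movement detector over flow records, as an added example.
A source that opens SMB (TCP 445) sessions to many distinct peers within a
short window is flagged and mapped to a NAC quarantine action.  Record format,
thresholds and the action shape are assumptions; the sample flows are made up."""

from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO time> <src> <dst> <dport> <proto>".
# 10.1.4.17 sweeps ten neighbours on 445 in nine seconds (worm behaviour);
# 10.1.4.50 is an ordinary client talking to one file server and one web host.
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.1.4.17 10.1.4.20 445 tcp
2017-06-27T10:00:02 10.1.4.17 10.1.4.21 445 tcp
2017-06-27T10:00:02 10.1.4.17 10.1.4.22 445 tcp
2017-06-27T10:00:03 10.1.4.17 10.1.4.23 445 tcp
2017-06-27T10:00:03 10.1.4.50 10.1.4.20 445 tcp
2017-06-27T10:00:04 10.1.4.17 10.1.4.24 445 tcp
2017-06-27T10:00:04 10.1.4.17 10.1.4.25 445 tcp
2017-06-27T10:00:05 10.1.4.17 10.1.4.26 445 tcp
2017-06-27T10:00:05 10.1.4.50 10.1.9.9 443 tcp
2017-06-27T10:00:06 10.1.4.17 10.1.4.27 445 tcp
2017-06-27T10:00:07 10.1.4.17 10.1.4.28 445 tcp
2017-06-27T10:00:08 10.1.4.17 10.1.4.29 445 tcp
2017-06-27T10:00:09 10.1.4.17 10.1.4.20 445 tcp
"""

SMB_PORT = 445
WINDOW_SECONDS = 60      # assumed sliding window
FANOUT_THRESHOLD = 8     # assumed: distinct SMB peers per source in the window


def parse_flows(text):
    """Parse the constructed record format into (time, src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def detect_smb_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD,
                      allowlist=frozenset()):
    """Return {src: sorted peers} for every source (not on the allowlist, e.g.
    a patch or backup server that legitimately reaches many hosts over SMB)
    whose distinct SMB peer count within any `window` seconds reaches
    `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == SMB_PORT and src not in allowlist:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event and count distinct peers in it.
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:]
                     if (ts - start).total_seconds() <= window}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts


def quarantine_actions(alerts):
    """Map alerts to the remote-disconnect step described above (hypothetical
    action format a NAC integration would consume)."""
    return [{"action": "quarantine", "endpoint": src,
             "reason": f"SMB fan-out to {len(peers)} hosts"}
            for src, peers in sorted(alerts.items())]


if __name__ == "__main__":
    for action in quarantine_actions(detect_smb_fanout(parse_flows(SAMPLE_FLOWS))):
        print(action)
```

On the sample data only 10.1.4.17 is flagged; the client that touched a single file server is not. The allowlist matters in practice: a patch-management or backup server that legitimately reaches many hosts over SMB will otherwise be quarantined the first time it runs a job, which is exactly the kind of false positive that makes teams switch automated containment off.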