Category

Threat Detection & Response

The Truth About MAC Spoofing

By | BYOD Security, Cloud Security, Network Access Control, Network Security, Threat Detection & Response | No Comments

The threat behind MAC spoofing

When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.

One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.

Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.

Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?

But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.

Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.

The threat landscape

Here are some of the most common adversaries when it comes to MAC spoofing:

  • The employee – a disgruntled current or former employee
  • The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
  • The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization

And here are the most common attack surfaces:

  • Wifi
  • Wired, ethernet switches

One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus does not support certificate-based authentication (or credentials based), it is easy to setup an isolated segment and significantly lower the risk of attack.

As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.

Adversaries in-depth

Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.

With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.

The employee

Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.

Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop he/she from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants.

At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason being is that the potential damage done is not necessarily related to network connection. The first line of defense against a disgruntled current of former employees is physical barriers – i.e. locked doors and other physical security.

The guest

A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk all together. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.

The hacker

A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.

This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same going for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.

For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.

In conclusion

For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.

You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by putting potential individuals of risk in a specific “narrow” segment.

The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.

Royal London Bolsters Network Security & Gains Visibility & Access Control with Portnox

By | Network Access Control, Network Security, Portnox Technology, Threat Detection & Response | No Comments

Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.

In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – including the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we know that the financial sector has already experienced a number of significant attacks already this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.

Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend, prepare and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, few apply the top recommended CIS controls or prepare employees on how to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.

Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.

CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.

From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.

Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.

Fill out this form to immediately receive the full case study:



Organizational Security Starts with the Network

By | Network Access Control, Network Security, Ransomware, Threat Detection & Response | No Comments

Ransomware and malware, malicious cyber threats that demand ransom payments from the organization being attacked to retrieve stolen and encrypted data, have become the most prevalent cybersecurity threats. In the last few years, such attacks have increased in frequency and severity, and typically the large-scale cyber-attacks reach the headlines as seen in the 2017 WannaCry and NotPetya attacks that affected close to 300,000 computers globally.

Faced with the increasing threat of ransomware attacks, many organizations are now actively engaging in updating their cybersecurity defenses and authentication procedures to avoid the attention of cyber offenders. This can be a difficult process because many companies lack visibility of their network in terms of which points of connection are vulnerable to threats – such as Internet of Things (IoT) and personal devices (Bring-Your-Own device -BYOD). Therefore, Portnox recommends implementing a layered ransomware defense, response and remediation plan on the enterprise network. This plan would integrate full visibility of the network with all connected and managed/ unmanaged endpoints (including IoT and BYOD); control over access to files, resources and data, and remote remediation capabilities. Furthermore, the plan should include the possibility of quarantining or blocking infected devices to control lateral attacks.

Request a DEMO

Ideally, an effective plan for defeating cyber extortion would include defense tools, such as anti-virus and anti-ransomware software that provide behavior-based detection, prevent access to files and file modifications, recover files, and vaccinate against the ransomware strain. All of these together create a comprehensive ransomware response and remediation solution. Portnox’s solution addresses all phases of the ransomware kill chain – reconnaissance, exploitation and remediation, and together with its technology partners and integrations, offers a holistic ransomware solution. Notwithstanding the ability to mine data from other sources, Portnox’s solution is known for its seamless deployment, even across the most complex networks and security architectures.

Phase 1 – Reconnaissance:
During this phase, the attacker collects information on the target through research of publicly available information or social engineering. At this phase Portnox’s solutions provide a real-time picture of all network elements, so that organizations can understand the level of risk and identify vulnerabilities early-on. Endpoints that are deemed to have a high risk value (fail to uphold the network security policies, are missing the latest antivirus and OS patches, or have certain technical specifications that have been deemed vulnerable), will be blocked from accessing the network or quarantined until security updates are made. Additionally, Portnox offers the ability to see into the weakest areas of the corporate network, i.e. Internet of Things (IoT) devices. CISOs, network administrators and IT teams can discover where IoT devices are located on the organizational network and detain them in a separate VLAN network with limited access.

Phase 2 – Delivery & Exploitation:
At this point hackers use the information attained in reconnaissance to carry out attacks on vulnerable endpoints, users and different areas of the network. Portnox software receives information from third-party security vendors to actively identify anomalies. There is full communication between Portnox and these vendors, so that their assessments are seamlessly integrated. The system can carry out on-going sandboxing of endpoints according to defined characteristics (including for IoT devices), and it can filter endpoints according to patch, anti-virus, operating system and active applications as well as quarantining them if one or more of these aspects has been deemed vulnerable. Portnox shares information when an endpoint’s posture assessment changes, helping network administrators identify attempts at social engineering in the early stages of a breach. The admin can then bring that device into compliance with security policies, or quarantine it until remedial security measures are taken.

Phase 3 – Command & Control Actions and Extraction:
At times, despite having all the right solutions in place, ransomware still gets through. Once this phase is reached, the ransomware is installed and the hacker can take full control of the organization’s system and do with it as he or she pleases. The hacker could freeze the organization’s data and demand ransom to give the access back (“Cryptolocker attacks”) as in some of the major ransomware attacks in the last few years. A new era of “CryptoWorms” is expected to surface as malware writers become more sophisticated and now, more than ever is time to have the right technologies in place to defend the organization’s assets, accessibility and private customer data.

Remediation:
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of the attack; it will allow business continuity. Portnox uses the following:
• Automated Patch Updates Across the Network – Enforces necessary patch, anti-virus, operating system and application updates across managed and unmanaged endpoints, located both on and off premise.
• Immediate Incident Response – Contains ransomware events by remotely disconnecting endpoints from the network (no manual touch required). The program drills down to the level of specification: device type, operating system, anti-virus software version, switch location, and more. Finally, it performs automated actions on every device, in all locations, instantly.
• Armed Incident Response Teams – Portnox arms IT professionals and network admins with the ability to remotely take actions on employees’ devices. In addition, with Portnox’s solution, IT professionals can create an effective incident response plan for any device based on network specifications.

In conclusion, ransomware and malware are considered to be the top cyber-security threats of our time. Therefore, it is imperative to significantly increase organizational security so as to be prepared, with the right response and remediation software to such frequent and wide-reaching attacks. Portnox offers network access control solutions that allow organizations to maintain the upper hand in network security, allowing business continuity, securing company assets and avoiding prohibitive financial losses.

Request a DEMO

Tips to Find the Right Risk Management Tools for Your Organization

By | news, Portnox Technology, Threat Detection & Response | No Comments

When choosing which specific risk management tools to use, there are a few key factors to address. Portnox’s CEO and Co-Founder, Ofer Amitai, shares a few tips to follow.

“It is extremely difficult to protect against threats that are not recognized by your risk management tools and not assessed as potential threats,” said Amitai. “Once detection is possible, protection is a viable option.”

Published in IT Business Edge.

Read the full article here.

Network Security Audit

Conducting Network Security Audits in a Few Simple Steps

By | Network Security, Threat Detection & Response | One Comment

What are the steps necessary to defend your organization’s assets in an optimal framework, while cutting costs at the same time?

If you have spent five minutes on our website or blog, you are probably well-versed on the notion that conducting automated and continuous security assessments of your network is the way to go, where pro-active and preventative security measures are concerned, so as to protect any company’s assets. Still, when new clients get started with one of the Portnox solutions, it is advantageous to kick things off with a simple, yet crucial, security audit. When undertaking an initial security audit, it is important to use the most up-to-date compliance requirements to uphold security protocols. This clearly defines what CISOs should be looking at, and helps in shaping and setting up the future of your automated security monitoring and assessments.

 

Step 1: The Scope of the Security Perimeter

The first step in the auditing process is to clearly define the scope of the audit. For most companies and organizations this will include both managed and unmanaged devices and machines. Managed devices will encompass a list of computers, machines, devices and data bases that belong to the company directly, which contain sensitive company and customer data. Additionally, in a world that includes BYOD policies and IoT connected devices and machines, as well as contractors and visiting guests, the unmanaged segment of the audit should be positioned to continuously update visibility of all connected endpoints. Without clear visibility, it is impossible to create segmentation and remediation procedures. Thirdly, the security perimeter must include definitions relating to software that is allowed and not allowed so as to define a software perimeter as well. Finally, the scope should include all access layers: wired, wireless and VPN connections. In this manner, the scope of the audit will ultimately include all software and devices, in all locations, so as to ultimately define the security perimeter for the company.

 

Step 2: Defining the Threats

The next step is to list potential threats to the security perimeter. Common threats to include in this step would be:

  • Malware – worms, Trojan horses, spyware and ransomware – the most popular form of threats to any organization in the last few years.
  • Employee exposure – making sure that employees in all locations change their passwords periodically and use a certain level of sophistication; (especially with sensitive company accounts) as well as protection against phishing attacks and scams.
  • Malicious Insiders – once onboarding has taken place- employees, contractors and guests – there is the risk of theft or misuse of sensitive information.
  • DDoS Attacks – Distributed Denial of Service attacks happen when multiple systems flood a targeted system such as a web server, overload it and destroy its functionality.
  • BYOD, IoT – these devices tend to be somewhat easier to hack and therefore must be completely visible on the network.
  • Physical breaches, natural disasters – less common but extremely harmful when they occur.

 

Step 3: Prioritizing and Risk Scoring

There are many factors that go into creating the priorities and risk scoring.

  • Cyber security trends – working with a network access control system in place that factors in the most common and current threats along with the less frequent, could save you and your CISOs a lot of time and cut costs, while at the same time defending the organization in an optimal framework.
  • Compliance – includes the kind of data that is to be handled, whether the company stores/transmits sensitive financial or personal information, who specifically has access to which systems.
  • Organization history – If the organization has experienced a data breach or cyber-attack in the past.
  • Industry trends – understanding the types of breeches, hacks and attacks within your specific industry should be factored in when creating your scoring system.

 

Step 4: Assessing the Current Security Posture

At this point you should start to have an initial security posture available for each item included in your initial scope definition. Ideally, with the right access control systems in place, no internal biases affect your initial audit or any continuous risk assessments performed automatically later on. Additionally, making sure that all connected devices have the latest security patches, firewall and malware protection will assure more accuracy in your ongoing assessments.

 

Step 5: Formulating Automated Responses and Remediation Action

Establishing a corresponding set of processes designed to eliminate the risks discussed in step 2 includes a few solutions that should be included in this step:

  • Network monitoring – establishing continuous automated monitoring and creating automated risk assessments will lead to improved risk management. Cyber offenders are typically working to gain access to networks. Activating software that automatically takes notice of new devices, software updates/changes, security patches, firewall installments and malware protection is the best way for any organization to protect itself. Ideally your CISOs should be alerted to any questionable device, software, activity, unknown access attempts, and more, so as to be a step ahead of any harmful activity whether it is maliciously done or not. Network Access Controls such as the solutions offered by Portnox offer 24/7 risk control and risk management and use machine learning to identify cyber offenders, while at the same time cutting costs oIoT Ip Cameran employee hours and replacing expensive systems with cloud distributed software, pay-as-you-go and scalable options.
  • Software Updates – Making sure that everyone on the network has the latest software updates and patches, firewalls etc. It is highly recommended to take advantage of this built-in feature in Network Access Control Software that alerts you when those are required.
  • Data backups and data segmentation – relatively simple but crucial steps, because obviously consistent and frequent data back-ups along with segmentation will ensure minimal damage should your organization ever fall to malware or physical cyber-attacks.
  • Employee education and awareness – training for new employees and continuous security updates for all employees to make sure best practices are implemented company-wide, such as how to spot phishing campaigns, increasing password complexity, two-factor authentication and more.

 

Conclusion

If you have completed these simple but crucial steps, you have finished your first internal security audit! Now you can proceed to establishing your ongoing automated risk assessment, management and controls to secure your company’s assets for the short, medium and long terms. Your first security audit, when done properly will serve you well as a touchstone for future risk assessments and self-audits. Monitoring all devices and machines as well as software over time is the best way to control the risks within your device and software security perimeter. The continuous fine-tuning of your controls and processes will maintain ongoing visibility as well as the ability to properly assess your overall preparedness for cyber-threats along with the ability to manage risks and remediate attacks.

Due to the proliferation of wireless networks and mobile devices, through BYOD and IoT, the workplace has become, on the one hand, a more agile and flexible environment, increasing productivity and employee satisfaction, and on the other, a breeding ground for vulnerabilities and cyber risk. As NAC solutions address the needed steps to audit your organization’s security while also providing intelligence into network behavior through various integrations and methods for achieving compliance, they are well suited to help meet and address these risks. For these reasons, NAC, today, is a must-have part of a robust self-auditing security mechanism. By controlling access to the network with a NAC solution, organizations control their exposure to a wide array of emerging digital business risks, keeping their organizational network healthy and secure.

Now that you have completed your initial network security audit, you can focus your attention on keeping your network safe.
A core factor in achieving that is to have full visibility and control of all devices connecting to the network in real time.

Implementing Network Access Control solutions addresses top security concerns and therefore is a crucial step in preparing your network for security audits.
Find out more here:
The Importance of a NAC Solution White Paper

2018 Top Cybersecurity Events Not to Be Missed!

By | Cloud Security, IoT Security, Network Access Control, Network Security, Portnox Technology, Threat Detection & Response | No Comments

You want to stay ahead of the game? The following list of cybersecurity events will help … and they are fun too!

Whether you are a security professional, software developer, security administrator, or any other role in the IT security fields, attending a conference is a great way to network with other professionals and learn about the hottest market trends, new developments, improvements, innovation and information.

Plenty of great cybersecurity conferences are coming up in the months ahead and the Portnox team will attend several of these. We’ve identified these top cybersecurity events that should be on your list. Check them out and update your calendar!

Cybertech Israel

January 29- 31, 2018
Tel Aviv, Israel

The event is positioned as a global meeting place, featuring representatives from organizations of all sizes, from multinational corporations to emerging startups. There will be a special pavilion for startups, as well as a competition in which entrepreneurs will present their ideas to a panel of international judges. Topics under discussion during the conference include the Internet of Things (IoT), big data and Finsec New in 2018 is a sister conference and exhibition, AutoTech, focusing on the future of smart mobility and the automotive.

Oracle CloudWorld

February 16, 2018
New York City, USA

Oracle Cloud World brings together forward-looking professionals responsible for finance, operations, supply chain, human resource, sales, marketing, customer service and IT. Learn how leading companies are leveraging the cloud for competitive advantage. Experience what works, what doesn’t, and identify solutions and approaches to accelerate your innovation.

Gartner Identity & Access Management Summit

March 5- 6, 2018
London, UK

The Gartner Identity and Access Management (IAM) Summit will focus on some of the hottest topics for the coming year, including the role of identity management in securing cloud and mobile apps, the IoT and the importance of privileged access management. For those preparing for the General Data Protection Regulation (GDPR), there is also a focus on the role of IAM as it applies to the privacy regulation.

Infosec World 2018

March 19 -21, 2018
Florida, USA

InfoSec World 2018 Conference & Expo is bringing together CISOs, CIOs, CTOs and other security practitioners who will share hands-on and practical advice on a wide range of security topics. From understanding your adversary to learning about the 0-day exploit market to bridging the gap between the technical and business aspects of security, InfoSec World 2018 will offer a chance for security professionals to learn something new and analyze ideas with peers.

Cloud Security Expo

March 21 -22, 2018
London, UK

Cloud Security Expo is the fastest growing section of the Cloud Expo Europe event series attracting a record-breaking 19,926 Enterprise IT & Security Buyers and Specialists in March this year! Cloud Expo Europe Keynote Theatre hosts foremost international technology leaders, including internationally acclaimed and top-rated visionaries, senior industry speakers and executives driving a global transformative shift towards cloud computing and other disruptive technologies. Speakers will deliver their outlook on the future, plus leading CIOs and senior IT professionals will be sharing their roadmaps to digital transformation, where cloud lives in the heart of the engine room. Cloud Security Expo provides the tools, training & techniques to ensure companies are compliant and secure as they transition their business assets to the cloud.

To register for the event, click here.

RSA
April 16-20, 2018
San Francisco, CA, USA

The largest cybersecurity event in the world today. The RSA Conference USA 2018 is dedicated to information security topics including data breaches, Cyber threats, compliance, social engineering, cloud security, risk management, application security, mobile security, governance, data security, legislation and policy, law, cryptography and identity management. It brings together information security professionals from across the globe working in industries such as Computer Software Development Finance, Banking, Healthcare, Government, Pharmaceuticals, and Manufacturing. Hear from world-class speakers on topics such as “The Most Dangerous New Attack Techniques, and What’s Coming Next”.

Interop ITX
April 30 – May 4, 2018
Las Vegas, NV, USA

Interop ITX combines a trusted Conference program with a vendor-neutral Business Hall and lots of networking events. The event is entering its 32nd year serving the IT community and it is an opportunity to learn about technologies and solutionsץ You may not realize how much the show has evolved during that time, growing from a plugfest ensuring network interoperability to an industry-oriented trade show to its current model: a week-long event centered around its conference program, including educational sessions, long-form tutorials, mainstage keynotes, sponsored content and a business hall showcasing technology.

Our CEO is Speaking! Sign up for his hands-on IoT workshop here.

Gartner Security & Risk Management Summit
June 4- 7, 2018
National Harbor, MD, USA

The Gartner Security & Risk Management Summit 2018 will focus on practices and strategies that will provide cost-effective security and risk programs in order to support digital business and drive the success of your business or organization.

Among the exhibiting companies are IBM, Thales, Cylance, Varonis, Symantec, HP enterprise, Verizon, Sentinel, AT&T.

InfoSec Europe
June 5-7, 2018
London, UK

Infosecurity Europe (Infosec) is the region’s number one information security event featuring Europe’s largest and most comprehensive conference programme and over 400 exhibitors showcasing the most relevant information security solutions and products to over 19,500 information security professionals. Each year this conference features many sessions on NAC. Watch this space!

BlackHat USA
August 4 – 9, 2018
Las Vegas, NV, USA

Black Hat is the most technical and relevant global information security event series in the world. For more than 18 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and training are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.

Contact us to schedule private product demos (Portnox CORE for on-Premise NAC and Portnox CLEAR for cloud-based NAC) at one of these shows. We look forward to seeing you there and beginning a conversation with you around network security!

 

Portnox’s Predictions for Cybersecurity Trends in 2018

By | Cloud Security, IoT Security, Network Access Control, Network Security, Portnox Technology, Threat Detection & Response | No Comments

2017 was a very busy year for Portnox, yet throughout we aimed to address cybersecurity trends through our product offerings – Portnox CORE and Portnox CLEAR. With the highest number of ransomware attacks on record in 2017, we introduced a Rapid Ransomware Response and Control feature to our on-premise NAC solution, Portnox CORE, as well as the ability to see and control Internet of Things (IoT) devices through the IoT Visibility Radar. Portnox CLEAR, our cloud solution for network access control and risk management, was introduced to the market, and with its features for ensuring business continuity and securing the mobile workforce. The ability of our products to adequately address 2017 received commendation in the form of various industry awards and recognitions from leading publications and security experts.
Looking forward to 2018, the security landscape will shift and focus more heavily on IoT security, blockchain trends, automation and workforce mobility.

Here are some of our insights on what the 2018 cybersecurity landscape will look like:

  1. Extension of Automation: Together with AI and machine intelligence trends, automation will likely take center stage in 2018 as the leading security trend. Microsoft recently announced that it will begin automated anti-virus updates through its Windows Defender, which means that users and organizations will no longer have a choice when it comes to patching endpoints and software. This is good news, because it ensures that more actors have adequate security postures, and it makes sense for modular devices (like IoT) that present difficulties when it comes to firmware upgrades. Yet automation also creates challenges, namely for industries dependent on older versions of software, firmware and operating systems, such as healthcare and finance. Automated security updates could put the business continuity of these organizations at risk, and with potentially life-threatening and economically risky consequences. In addition, automated security updates across the board could actually make it easier for hackers to carry out large-scale attacks that will affect a larger number of endpoints.
  2. Blockchain and the Hacking of Applications: While many believe that the blockchain is “unhackable”, in the last year we have seen an increase in the number of attacks against blockchain-based applications. The vulnerabilities do not arise from the blockchain itself, but rather the applications that run on the blockchain. Social engineering will be used to extract private keys. Another possible blockchain hack, which has already been proven possible, is through other blockchain technologies such as Ethereum, which is an organization that’s committed to being open source for third-party applications. This creates a vulnerability because almost all applications have bugs can be manipulated by hackers as an attack surface.
  3. DDoS Ransomware: Creating a new and more pungent form of blackmail, DDoS and ransomware are joining forces to topple enterprise progress in digital transformation, while reaping monetary benefits. These attacks are made possible by using botnets, or large groups of “zombie” devices – which often happen to be Internet of Things devices, such as webcams – to funnel traffic to a malware-infected web address that, in turn, extract data from the accessing endpoint and demand ransoms for the return of that encrypted data. These attacks are often called “sinkhole” attacks because the DDoS traffic is being directed to sites that contain dangerous malware. With the wide adoption of Internet of Things devices in the enterprise, and the rise in ransomware demands, it’s likely that we’ll be seeing more of these attacks in the next year.
  4. Growing Regulation of IoT Security: Regulations governing IoT security features are beginning to be drafted, but there is still not enough demand from the consumer side to warrant manufacturer investment in security features. This begs a major question in 2018 of whether governments, in similar fashion to the US and EU, will begin issuing security regulations on IoT device manufacturers that protect consumers and companies from digital risk. Together with GDPR and other compliance regulations, we are likely to see more governments and industry authorities stepping up to enforce privacy, safety and security regulations on IoT manufacturers.
  5. Mobility of the Workforce: With more employees working remotely, organizations are enjoying a significant drop in their capital expenditures (many have even given up on the physical office space), while directing operational expenditures at digital transformation trends such as cloud and BYOD. Workforce mobility is a good thing for companies’ balance sheets, but the technological flexibility it affords results in more areas of cybersecurity vulnerability for the enterprise network. Companies that are set on accommodating mobile workforce trends will be investing in more endpoint, network and cloud security solutions that protect access and assets across a variety of locations and in various connected environments.

At Portnox, we will continue innovating our access control offerings to provide solutions to 2018 security trends and challenges, providing our customers with valuable, holistic solutions to protect their networks.
Here’s to a great 2018!

What KRACK Means For Your Wireless Networks

By | Threat Detection & Response | No Comments

Last week, news surfaced of a serious vulnerability with the Wi-Fi Protected Access II (WPA2) protocol that is used to secure the majority, if not most, protected Wi-Fi networks. According to the research, published by Mathy Vanhoef of the University of Leuven, the vulnerability lies in the 4-way handshake that is part of the WPA2 protocol, which can be manipulated to carry out man-in-the-middle attacks on network users, forcing them to reinstall the encryption key. Furthermore, Android and Linux devices can be tricked into reinstalling an all-zero encryption key, making it possible for the hacker to intercept and manipulate traffic from these devices when they are connected to the WPA2 network.

The implications of discovering such a vulnerability are huge as most modern networks are protected through the WPA2 encryption protocol, but there are a few caveats. For instance, in order to carry out a KRACK (Key Reinstallation Attacks), the hacker needs to be in close logical proximity to the Wi-Fi range. In addition, browsing over HTTPS may protect some traffic from interception, as it is protected with an additional level of encryption. Yet, at the moment, it appears that most devices that support Wi-Fi are affected, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and more.

So what are the implications of the discovery of KRACK for the enterprise network?

By manipulating the KRACK vulnerabilities, hackers (or even employees, guests and contractors) within close vicinity of the Wi-Fi network can eavesdrop and alter information being transmitted over the network. While the location caveat does have its benefits for smaller and tighter organizations, for larger organizations with far-reaching networks, it provides little solace.

Though little is still known about how the KRACK vulnerability will be addressed (or when a new secure wireless encryption protocol will be issued), there are a number of steps that enterprise IT departments can take to secure their data.

  1. Install the latest security patches and updates: This is a given, following any vulnerability, and should become standard practice throughout the enterprise. If possible, use a network access control solution to alert IT administrators and employees, when their devices are in need of updates, and enforce those updates by quarantining or blocking non-compliant devices until their security posture is updated. Also, regularly check for firmware updates that address WPA2 vulnerabilities across all connected devices and appliances.
  2. Look out for IoT devices: Direct attention to all connected devices – not just managed and BYOD devices – namely IoT devices that present a challenge as many of them cannot be patched or updated with the most recent firmware. Consider sandboxing IoT devices into a separate part of the network until a larger solution for the WPA2 vulnerabilities is reached. Currently, those organizations that depend on the data processing capabilities of IoT devices should be concerned and take all possible measures to protect and manage the security of these devices.
  3. Maintain consistent visibility into connected endpoints: One of the best ways to identify vulnerabilities is to maintain consistent visibility into connected endpoints. That way, if there is suspicious activity being carried out on the network, or if device specifications have been changed (good indications of a KRACK breach), IT administrators can take actions to control access for the device in question. Consistent visibility makes it easier to establish regular patterns of network behavior, providing important context when it comes to identifying and preventing cyber attacks.
  4. Consider wired networks: While these may seem like a thing of the past, in most organizations, wired internet connections still exist in some form. Encourage employees to connect their managed and professional devices over wired networks where possible, at least until firmware updates are installed and a remediation policy is put in place. For mobile devices and BYOD, ask employees to refrain from engaging in work-related activities over the enterprise Wi-Fi connection until the vulnerability is effectively addressed.
  5. Use WPA2 AES-CCMP as opposed to WEP, WPA/WPA2 TKIP and GCMP: The researchers identified that with WPA-TKIP or GCMP, hackers can not only decrypt encryption keys, but forge and inject new encryption packets. Therefore, it’s better to use a different encryption method until a more concrete solution for secure WPA encryption is reached.

The most important thing to remember about WPA is that there is no use in panicking. Most connected devices and enterprise networks are affected at this point. Mathy Vanhoef and his team at the University of Leuven have done us all a favor by informing us of the vulnerability, giving IT departments and security experts an opportunity to shore up their Wi-Fi security and take measures to prevent data loss.

Ransomware and Internet of Things: Partners in Crime

By | Ransomware, Threat Detection & Response | No Comments

If you’ve been reading cybersecurity publications lately, you’re probably aware that ransomware  and Internet of Things (IoT) are now some of the biggest concerns within the cybersecurity community. Besides all of the relevant scenarios and security products that are presented to prepare for or attempt to prevent ransomware attacks or an IoT breach, there is one scenario that isn’t being talked about – ransomware attacks on IoT devices. This blog will attempt to shed some light on how these factors can work together to put your organization, and even human lives, at risk, as well as suggest ways that such an event can be prevented.

At the recent Black Hat conference in Las Vegas, two cybersecurity researchers, Billy Rios and Jonathan Butts demonstrated how the mechanical arm of an automated car washing machine could be hacked to cause damage to a vehicle, and potentially threaten human life. This is not the first time that Rios and Butts have put a connected device to the test; the team has successfully hacked a pacemaker and a smart car to highlight life-threatening vulnerabilities. They are probably not the only team that has made a point of demonstrating the dangers of IoT malware and ransomware, yet still, manufacturers, organizations and consumers continue to produce, purchase and deploy these inherently vulnerable devices. What makes IoT ransomware a grave security flaw?

Let’s start by stating that all connected devices (not just IoT devices) are potential victims of ransomware attacks because they are connected to the Internet. Ransomware attempts to gain access to mission-critical data on the network, then encrypting that data until the organization or individual pays the ransom (usually in a cryptocurrency), at which point they are provided the encryption key to recover the data. While ransomware is well understood when it comes to more “traditional” devices such as computers, phones, and servers, IoT devices are rarely considered as a point-of-entry, and if they are, there’s no way to patch, protect or install anti-virus software. Really, your best hope with an IoT device is that the manufacturer installed firmware and that there are available upgrades that somehow address ransomware risks. In the majority of cases, these firmware updates simply do not exist.

Then there’s the issue of visibility. When organizations and individuals connect IoT devices to their network, the excitement of deploying a new technology resulting in greater efficiency tends to overshadow precautionary measures to ensure the device is secure. There are a number cases in which organizations were attacked via IoT devices that they didn’t have knowledge of. In addition, many of these devices have default passwords that can be easily discovered through the Shodan search engine, Hydra or other IoT search tools and password generators. In most cases, the username is ‘admin’ and well, the password is the same. Oversight of IoT devices on the network greats a gaping hole for hackers to plant ransomware that, while not directly targeting the IoT device, can reach the mission-critical data they are after by gaining access to the network.

Finally, there is the physical aspect of IoT devices. Usually, these devices are deployed to control temperatures in the HVAC room, or as a smart coffee machine, smart TVs and in industry as part of the movement to connect machinery to the Internet (Industry 4.0). That means that unlike most computers and other “traditional” devices, IoT devices are tied to a physical function that could have real, and potentially dangerous consequences. The demonstration of the car wash hack is a good example, but what about IoT door locks that could trap people in a building or prevent entry, or a smart TV that allows for espionage. At the moment, the majority of these are hypothetical scenarios, but as the Mirai botnet incident demonstrated (what’s known as a pivoting attack), the hacking of IoT devices presents a real threat that should be addressed now, rather than later.

At the moment, IoT manufacturers aren’t doing much to make sure these devices are secure, so what should organizations eager to implement IoT devices do to make sure that they aren’t putting their network at risk?

The first thing that should be done is to find out if the IoT devices you’ve deployed have firmware, and if they do, if that firmware can be upgraded. But, as mentioned, not all IoT devices have firmware, which is why the next step should be to secure the IoT network with firewalls or create a network perimeter. With the devices quarantined in a “safe” part of the network, pivot attacks and access to mission-critical data on other devices are (largely) out of the question. Visibility is key for knowing where hidden threats lie on the network, which is why a solution that discovers IoT devices, their location and characteristics should be an essential part of any security stack. If possible, deploy a network access control solution that will allow for authentication of IoT devices to ensure that vulnerable devices can’t enter the network and gain access. Finally, and as previously mentioned, consistently update the default passwords and manage the security certificate lifecycle (if any).

While we haven’t heard of too many IoT ransomware attacks yet, you can bet that they will be in the news soon enough. Beat the black hats to the chase and shore up your network with IoT visibility, discovery and control tools that will protect against malicious exploits, including malware and ransomware.

Find out more about Portnox’s Rapid Ransomware Control & Response Solutions.

How to Avoid the True Cost of Ransomware

By | Ransomware, Threat Detection & Response | No Comments

Recently, ransomware attacks on enterprise were all over the news. From the massive WannaCry attack in May 2017, which affected 300,000 devices worldwide (if not more), and the Petya (also known as NotPetya) attack in June 2017, it seems that there is no rest for the ransomware wicked. More than ever, businesses are aware that they need to have a ransomware game plan, and fast, because if not, they might find themselves in the headlines, having to take on the enormous costs of the attack aftershock, or worse – losing business due to system downtime and outages.

The wide-reaching effects of ransomware attacks on large corporations such as FedEx, Merck, HBO and Maersk are living examples of why it is important to avoid paying the true cost of ransomware remediation. The US pharmaceutical giant Merck was attacked by the Petya strain in June, yet still the organization is struggling to recover all its information and to account for the damages. The attack cost the organization billions in downtime, not to mention the significant funds required to staff around-the-clock IT experts, lawyers and PR reps to get business back on track. Global entertainment giant HBO was presented with a multi-million dollar ransomware demand this August, wasting billions in ad revenues for the company. These are just two examples that highlight the need for a review of remediation procedures, as well as ways to avoid paying the true cost of ransomware.

One of the easiest ways to avoid paying the true cost of dealing with a ransomware attack is simply not to pay the ransom. This may seem to go against organizational, or even your moral principles, but it has been established that paying the ransom seldom pays off. That’s because it’s unlikely that the hackers will release back all the information, upping the PR costs of dealing with potential media backlash, and, despite paying the ransom, showing a willingness to pay might brand your company as an easy target in the hacker community. But more than that, paying the ransom won’t prevent future attacks, because, in most cases, ransomware is distributed at random to any of the non-patched or vulnerable devices that particular strain is targeting. That’s why it’s a better idea to use the money that would go toward paying the ransom to shore up your cyber defenses, authentication tools and network firewalls.

Then there’s the issue of backups. Many organizations create a ransomware response plan that involves storing critical data on a secure server so that they can quickly bounce back from an attack. Yet while it is a good idea to back-up critical data, it’s possible that the back-up won’t recover all the information that’s in hackers’ hands. This presents threats to the stability and safety of your organization, and creates the possibility of a PR mishap (see the HBO example). In addition, the most recent ransomware attacks are targeting network-connected computers that have access to these back-ups, which means that attempts to fully restore systems are largely futile. So while back-ups are a good practice that should remain part of remediation plans, they shouldn’t be too heavily depended upon to get you back on your feet.

The bottom line: You need a multi-pronged approach to remediation.  If there’s one thing that can be said about ransomware, it’s that it doesn’t discriminate, which is why, more than ever, companies need to have the right remediation plan in place to avoid paying the true cost of ransomware attacks. A good place to start is integrating a solution that will allow IT professionals to remotely disconnect corporate devices from the network. This will help prevent the lateral spread of the attack throughout the organization, on both patched and unpatched devices (because the latest NotPetya strain targeted both). In addition, it’s important to have constant awareness of network areas at risk. This can be done by deploying a network access control solution that provides full visibility into devices, assess their level of digital risk to your business, and controls which devices are allowed on the network, and which aren’t.

To avoid paying the true cost of a ransomware attack, i.e. system and employee downtime, PR brand name damage as well as brand equity loss, and legal efforts and recovering data losses, your organization should consider a multi-faceted remediation approach that integrates a network authentication and endpoint control solution, allowing for business continuity with customers and partners.

Find out more about Portnox’s Rapid Ransomware Control & Response Solutions.