Watch as CBTS engineer Brennan Klensch describes his top three biggest takeaways from Aruba’s Digital Atmosphere event this year.
Today I sat down with Tim Linder, Director of Security Solutions at CBTS. Tim has been in the security industry for 17 years, so we thought it would be interesting to get his perspective on the changes in cybersecurity over those 17 years and on how he has grown the CBTS security practice.
I started my career in cyber security with a small information security consulting boutique in late 2003…before it was cool to be in the security world. I joined CBTS in 2006 with a vision of building a team that would be based on delivering value-added benefits to our customers. However, I was the entire team focusing on selling solutions and leveraging partner relationships to deliver services. Within the first year of our existence, we were able to develop trusted relationships with our customers and ended up with approximately $7MM in revenue. As years went by, we added more sales and technical resources as well as more vendor partners. We closed out 2019 with $45MM in revenue and 15 employees which is pretty amazing to me.
How did you get into information security?
Let’s just say it wasn’t planned, as IT and IT Security wasn’t anywhere on my radar. My career started off in telecom as a central office implementation engineer. I was in that role for a number of years learning as much as I could about telecom implementation eventually joining the Telecom Staffing business as a salesman. From 2000 to 2002 the telecom bubble hit terrible lows and I found myself needing a different career path. I took a job at a small security boutique in Cincinnati and began to learn about Check Point firewalls and antivirus. After being there for a short time I was sold on the industry, finding it exciting and rewarding all at once. After three years of learning the industry, I was afforded the opportunity to come to CBTS to develop a security practice.
What were the “top of mind” security topics when you first started at CBTS and how does that compare to what you currently hear from customers?
It’s interesting. We are still dealing with some of the same challenges that we faced in 2003 but with some notable differences. Back in the day, hackers were putting out viruses, worms, etc. for notoriety. They wanted everyone to know who was wreaking havoc in the technology world. In our current world, hackers need to remain anonymous because they’re building attacks to make money. Another major change is back in 2003, workers were in the office on their desktop computer. With the emergence of technologies, remote workers grew, devices changed, and security changed with the endpoint. Customers used to throw gear at a problem without thinking of risk. I think now you will find that everyone is most concerned about the risk associated with certain technical business decisions and therefore take a holistic approach with security.
What do you see as the main value your group offers customers?
I really look at our group as super consultative, which allows us to assist customers by understanding all the requirements of a project…meaning business, technical, and financial requirements. We don’t come into any situation or project with preconceived ideas of how we will tackle their issue. A huge positive about my team is that most of them have defended networks in their career. Whether it was with a large Fortune 5 or a small consulting firm, my team has spent time on the customer side which helps them empathize with our customers, making them more relatable. We also have a vast variety of skillsets on the team, and by working together, we bring a broad base of expertise to our customers.
Security professionals are difficult to find – how are you able to grow such a dedicated team?
You’re so right, good security professionals are so difficult to find but we’ve been blessed to have some of the best and brightest in the industry. Some of the folks on the team are folks that I’ve worked with since my career began, some are from when I first started at CBTS with contacts I made in the industry, colleagues of current engineers, or recommendations from our vendor partners. One of the things we focus on here on my team is integrity. Obviously they need the skillset and the desire to learn more. As for keeping them, I’ve really tried to provide a family atmosphere. What that means is that we are there for each other through thick and thin, helping each other with different tasks, issues, in both work and life. The other major reason we keep our talent and attract new is due to their ability to work such diverse projects whether it’s product related or focused on the consulting business. The vast amount of customers we support and diverse situations the customers put us in keeps the job interesting. The engineering crew eats that up for sure.
You’re responsible for vendor relationships. How do you choose which partners you go to market with?
I am responsible for our vendor partnerships which is now up to 70+ security partners, which can be a daunting task sometimes. There are multiple criteria that go into selecting a security partner here at CBTS. Is the company relevant in the industry, do they fit our strategy, is there demand in the industry, are they innovative, could we potentially offer managed services, and good support, to name just a portion of considerations. A number of our partnerships have spawned from relationships we’ve had for years due to the trust built by the sales and engineering folks. IT is a small enough industry but when you narrow it down even further, cyber security is even smaller. As a matter of fact, most trade shows I go to I refer to them as a family reunion because I see everyone I’ve worked with for the last 17 years.
I also look at the mindset of the company and its employees to see if they align with our same “Customer First, Customer Last” mindset. One of our vendors has this as their tagline and I’ve adopted it for our team as well as in selecting partners for CBTS. Our partner’s attitude needs to be one of helping our customers and not just selling product. The ones that do this are the most successful here.
With the new work environment, the corporate network edge has expanded. How has that changed security?
The edge really has expanded from data centers to cloud to remote workers. That has driven the need to be more secure than we ever have. We need to make sure that data in the cloud is just as secure as the data in our data center. We also have to make sure that we make that remote user feel as though he/she is sitting in the office from an experience and security perspective. Can we trust that cloud providers and users are doing enough to protect corporate data? I don’t think so, which means we need to continue to be vigilant in securing data without impacting productivity.
Learn how Tim and the other experts at CBTS can help improve your organization’s security posture.
As businesses across the globe scramble to adapt to the new conditions brought on by the COVID-19 pandemic, a robust and agile approach to information security plays a vital role in any organization’s readiness strategy.
To this end, cybersecurity experts representing CBTS and Cincinnati Bell recently hosted an information security panel to discuss the challenges facing enterprises across various industries, while also answering questions from attendees.
The panel was moderated by Hope Thackery, director of security programs for CBTS, and included Brandon Bowman, VP of strategic services for CBTS; Leo Cronin, VP and chief security officer for Cincinnati Bell; Justin Hall, director of security consulting for CBTS; Ryan Hamrick, principal information security consultant; and Mobeet Khan, national director of IT security practice for OnX Enterprise Solutions. In the interest of sharing valuable information, providing helpful perspectives, and encouraging collaborative communication in these difficult times, the panel experts shared their thoughts on the most pressing information security issues facing enterprises today.
Being prepared for potential security risks is a common tenet in the world of information technology. Still, few were able to predict the effect that COVID-19 could have on the economy, the telecom industry, and the concept of remote work access in general. However, effectively assessing risk ahead of time can help prepare a company for the unexpected, Cronin explained.
“We anticipated pandemic issues, but nothing on this scale whatsoever,” Cronin said. “But, I’d like to say that the framework we put into place has served us pretty well. It’s given us the ability to be flexible, adaptable, and separate out the operational response from what has to be done from the rest of the organization.”
The COVID-19 outbreak required many organizations to find ways to implement remote access capabilities for their employees without compromising information security. Cronin said that in these situations, businesses should lean on their security staff or consultants to help make these pivotal decisions.
Cronin added that basic principles such as agility, flexibility, and close cooperation between security and operations teams could help an organization better prepare and recover from disruptive incidents.
Although businesses are changing the way they operate day to day, phishing, hacking, and malware activities are still a clear and present danger. Even during an enterprise-wide shift toward remote accessibility, organization leaders should keep their guard up for familiar cyber threats, Cronin said.
“We’re concerned with increased phishing scams and malware activity across the environment,” he said. “We’re spending a lot more time monitoring the environment versus focusing on projects to move the security program forward, but haven’t really seen a major uptick in shenanigans out there, but we do anticipate, as this thing moves forward, we’re going to see some more activity that we’ll have to respond to.”
Even now, with meetings moving out of the conference room and into video chat rooms, threats to productivity and information security remain. Hamrick explained that serious intrusions like phishing and social engineering, as well as less impactful disruptions like intruders finding their way into public Zoom calls, are still risks to take seriously. “It’s important to also note that phishing scams are not just performed these days via e-mail. More and more phishing happens via mobile applications and messages,” Hamrick said. “You’ll get a lot of app notifications that would actually be a phishing notification from a somewhat malicious application you may have installed on your mobile device, so it’s important to control that from a mobile device management perspective, as an organization.”
Despite the difficult challenges brought on by the COVID-19 crisis, the global business community is finding an opportunity to learn valuable lessons and evolve standard security practices to fit the “new normal.” The panel shared several examples of what has been effective in their efforts to keep their networks safe during the pandemic.
Cronin recommended multi-factor authentication (MFA) certificates, which can help make a work-from-home transition smoother and more secure. Hall touted the importance of a proactive risk assessment. This means going beyond the baseline considerations of what external factors could cause damage to your organization and seeking input from other members of your industry. It’s crucial to start planning now and to not wait for catastrophe to happen, Hall added.
View the full webinar on COVID-19 information security best practices.
Learn how CBTS can help your organization on their security journey.
Chances are you have just been thrust into the throes of working from home (WFH). If you’re one of the millions in that boat, you may have also just learned the initialism for working from home. As the Coronavirus pandemic remains steadfast, more and more people are working from home and just as many companies are using videoconferencing services to keep the ship afloat. Videoconferencing software and their vulnerabilities are making headlines and bylines—so with all of this going on, I hope to give a quick rundown on some best practices to conduct a safe and secure videoconference for the new virtual workforce.
Attackers have every incentive right now to study the different videoconferencing solutions for vulnerabilities and exploit them to run their own code, gain unauthorized access to corporate infrastructure, and conduct further malicious activity from there.
So what can you do? How do you do it?
Here are some common features of videoconferencing software to use and be aware of to help protect you and your organization.
Be your own meeting bouncer: To prevent unwanted or accidental attendees from wandering into your virtual meeting, restrict access to the party using defined groups or e-mail addresses. Most platforms give users the option to allow only those attendees with a company issued e-mail address to join the meeting.
Double-check defaults: When creating a new meeting, make sure a password is required to join. Some applications generate one for you at random, and some let you create your own. Note: If you’re e-mailing a meeting invite, make sure the password is not embedded in the meeting link itself; a link that carries its own password admits anyone the invite is forwarded to. Put the password in the e-mail body (or send it by another channel) instead.
No cuts, no buts: Make use of a waiting queue and validate your attendees. Meeting hosts and administrators are often given the discretion to approve incoming connections to the meeting. If you find that managing this access by yourself becomes difficult, assigning and delegating this control to multiple trusted parties may help carry the burden.
Encrypt. Encrypt. Encrypt: With the mix of standalone workstation applications, web-based applications, and mobile applications in use, enforcing encrypted traffic across all of these clients is important. Protect the content of your virtual meetings the same way you protect your face-to-face meetings. Check what the vendor actually means by “encrypted”: encryption between each client and the vendor’s servers protects against snooping on the network, while end-to-end encryption also keeps the vendor itself from reading the meeting. In the same vein, stay up to date with patches. Once the techniques attackers are using become known, vendors push fixes to your machines, so install those security updates and keep the bad actors from snooping.
Protect your endpoints: Remember you no longer have your traditional e-mail/boundary defenses in place at home. Meeting hosts and administrators usually have the ability to allow certain file types and content to be uploaded to the chat. So restrict known suspicious file types (check your e-mail filtering rules) and move the file sharing to a more secure platform.
Triple check those tabs: And lastly, remember that the Internet is forever, and so are screenshots. When you are sharing your screen, ensure that you are only sharing the application that needs to be shared, that the content you are sharing does not contain any sensitive or private information, and that you close all other applications that are not needed.
Remember: None of these controls stands alone. They work in unison, each covering the gaps the others leave, to produce a secure result, an information security tenet known as “defense in depth.”
Remember, at the end of the day, you are not only helping protect the normal day-to-day operations that have moved from personal face-to-face meetings to involving more people with significantly more moving parts, you’re helping to boost and ensure the security posture of yourself, your colleagues, and your organization as a whole.
Learn how CBTS can help keep your organization safe.
Endpoint protection, or endpoint security, describes cybersecurity services for network endpoints, like laptops, desktops, smartphones, tablets, servers, and virtual environments. These services may include next-generation antivirus software, endpoint detection and response (EDR) for investigation and response, device management, web filtering and data loss prevention (DLP), and other considerations to face evolving threats.
Endpoint protection helps businesses keep critical systems, intellectual property, customer data, employees, and guests safe from ransomware, phishing, malware, and other attacks, including those that exploit zero-day vulnerabilities.
Criminals are constantly developing new ways to attack networks, take advantage of employee trust, and steal data. Smaller businesses may think they’re not a target, but that couldn’t be further from the truth. In fact, small businesses with 100 employees or fewer face the same risk of attack as a large enterprise.
No matter the size, businesses need reliable endpoint security that can stop modern attacks. And since most companies are subject to some form of compliance or privacy regulation, endpoint protection is essential to avoiding hefty fines and the reputational damage that follows a security breach.
Steps to secure endpoints in your organization:
Learn how CBTS can help protect your organization.
Virtual Private Network (VPN)
Transacting on an unsecured network means you could be exposing your private information. VPN services establish secure and encrypted connections to provide greater privacy than even a secured Wi-Fi hotspot. That’s why a virtual private network, better known as a VPN, should be a must for anyone concerned about their online security and privacy.
Think about all the times you’ve been on the go, reading emails while in line at the coffee shop, or checking your bank account while waiting at the doctor’s office. Unless that traffic was encrypted, whether by a trusted private network, by TLS on the sites you used, or by a VPN, any data transmitted during your online session could be read by strangers on the same network; and even with TLS, the network operator still sees which hosts you are talking to. Now think of your entire workforce accessing or exchanging private company information while away from the office. Many of us have a full-time remote workforce that does business from a hotel, a local coffee shop, or even from the car or a rest stop when traveling. More times than I can count I’ve had to “set up office” wherever I could find a spot that was somewhat private.
How a VPN protects your privacy
VPNs create an encrypted tunnel between your device (or your local network) and a VPN server, the exit node, in another location; to the sites you visit, your traffic appears to come from that exit node. This is what lets you access and exchange private information while on the go, over networks you do not control.
VPNs use encryption to scramble the data inside the tunnel so that it is unreadable in transit. Because the data is encrypted before it leaves your device, a VPN defeats most Man-in-the-Middle (MitM) attacks on the local network. This matters most on public Wi-Fi, hotspots, and open or unsecured networks, because it keeps everyone else on that network from seeing your activity. Even if you’re connected to an “evil twin” hotspot or your traffic is captured with a Wi-Fi packet sniffer, the attacker sees only encrypted packets addressed to the VPN server. Two caveats: the tunnel has to actually be up (a captive portal, or a VPN client that fails open, leaves traffic exposed until it is), and the provider’s exit node decrypts everything, so use a provider you trust with that data and keep using HTTPS inside the tunnel.
A VPN can help protect all of your devices: desktop computers, laptops, tablets, and smart phones. Your devices can be prime targets for cybercriminals. In short, a VPN helps protect the data you send and receive on these devices so hackers won’t be able to watch your every move.
NOTE: If your smartphone’s Wi-Fi stays enabled at all times, the device will silently rejoin any network whose name matches one it remembers, including an attacker’s evil twin, without you ever knowing it. Everyday activities like online shopping, banking, and browsing can then expose your information, so turn Wi-Fi off when you are not using it, or make sure your VPN connects automatically on untrusted networks.
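The following toy tunnel is an added illustration, not code from the original post or from CBTS, and not any real VPN protocol. It shows the boundary the paragraphs above describe: what an evil twin or sniffer on the hotspot can read (the outer header and packet size only), what the VPN exit node can read (everything inside), and that tampering with the tunnel is detected. The cipher is a stand-in (an HMAC-SHA256 keystream plus an HMAC tag) for the real ones such as AES-GCM or ChaCha20-Poly1305; the VPN server address, the tunnel key and the sample request are all made up.

```python
"""Constructed example: a toy encrypted tunnel showing what each party on the path can read.
Not a real VPN protocol; the cipher is a stand-in for AES-GCM/ChaCha20-Poly1305."""
import hashlib
import hmac
import os
import struct

VPN_SERVER = "198.51.100.7"      # assumption: address of the client's VPN exit node
TUNNEL_KEY = os.urandom(32)      # assumption: key agreed during the VPN handshake


def keystream(key, nonce, length):
    """Derive a keystream from HMAC(key, nonce || counter); stand-in for a real stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce so the receiver can detect modified packets."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet was tampered with (or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

# Client: the inner packet (real destination + payload) is sealed; the outer header stays
# in the clear because the hotspot has to route it to the VPN server.
def client_send(dst, payload):
    inner = dst.encode() + b"|" + payload
    return VPN_SERVER.encode() + b"|" + seal(TUNNEL_KEY, inner)

# Evil twin / packet sniffer on the Wi-Fi: it learns the outer destination and the size
# (and timing) of each packet, nothing about the inner destination or content.
def hotspot_view(outer):
    dst, blob = outer.split(b"|", 1)
    return {"destination": dst.decode(), "size": len(blob)}

def hotspot_can_read(outer, needle):
    """True if the given bytes appear anywhere in what the hotspot sees past the outer header."""
    return needle in outer.split(b"|", 1)[1]

# VPN provider's exit node: decrypts and forwards, so it sees the inner destination and the
# payload in the clear unless the payload is itself protected (for example by HTTPS).
def exit_node_view(outer):
    _, blob = outer.split(b"|", 1)
    dst, payload = unseal(TUNNEL_KEY, blob).split(b"|", 1)
    return {"destination": dst.decode(), "payload": payload}

if __name__ == "__main__":
    pkt = client_send("bank.example", b"GET /balance HTTP/1.1")   # constructed sample request
    print("hotspot sees  :", hotspot_view(pkt), "host leaked:", hotspot_can_read(pkt, b"bank.example"))
    print("exit node sees:", exit_node_view(pkt))
```

The exit node view is the point most VPN marketing leaves out: moving the trust boundary from the coffee shop to the VPN provider is a good trade on a hostile network, but it is a trade, not a removal, which is why application-layer encryption inside the tunnel still matters.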
Learn about how CBTS can help protect your information.
This crisis we are in is not over, and although we have been talking about pandemic response for as long as I have been around security and BCP teams, it is very hard to anticipate, plan for, and react to black swans. The responses to COVID-19 and the structural changes we are going to see in economies throughout the world will be based on good solid leadership, speed/adaptability, innovation, humility, charity, and sacrifice.
Security plays an additional role in a crisis like COVID-19 in protecting an organization’s ability to respond effectively, which sometimes means accepting more risk. Security has to be laser-focused on ensuring a physical or cyber crisis does not impede the organization’s response efforts. It also needs to be a part of the ongoing risk decision-making as the crisis unfolds. Given this, below are my recommendations for additional considerations to your current security and incident response efforts.
Revisit some risks now. A crisis can take you into uncomfortable territory from a controls and process perspective, so we need to spend time now reassessing some risks and anticipating others as part of crisis management. Revisit threats, likelihoods, and impacts in the context of the bigger picture, and help the organization avoid being unable to respond effectively to the current crisis and to return to the new normal.
Sharpen response to risks. Speed/adaptability and the other aspects of an effective response require a good command-and-control framework that relies on roles rather than specific people. The right people will always eventually rise to the occasion in a crisis. If not, you’re toast. There are plenty of history lessons where failed command-and-control results in chaos during stress and crisis, which is why it is one of the first things to be attacked by adversaries. Communication strategy is also essential, leveraging technology and agreed-upon protocols for cadence and messaging inside and outside the organization. Lastly, anticipate working outside the norms of your business during a crisis. Helping customers, or those who could become your customers, with their response usually turns out net positive through a crisis. Generosity and sacrifice often get rewarded.
After the smoke clears and we’re all allowed to go to bars again, organizations will be trying to answer a few questions. How well did we deal with this crisis? What have we learned? What changes for us the next time we have a similar crisis? Did what we just experience inform our approach to any other operational issues?
The security team has a particular responsibility in helping to answer these questions. The mission of a security team is to protect a business from risk. The risk of a pandemic eliminating supplies, services, and customers, as well as forcing employees to stay home, etc., probably was not on the radar of most businesses. It is now though.
Risk management forces the business to do three things about where we are, right now, in a heightened state of awareness:
Every business—even the critical ones that remained open during the quarantine—was impacted in some way by this pandemic. It’s a good time for every business to reexamine their risk management program and get it on track when leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.
Digital Transformation is defined as the process of exploiting digital technologies and supporting capabilities to create a robust new business model which is led by executive management or at the board level. With the onset of the Covid-19 pandemic, we have an opportunity to review cyber risk strategies and align to the desired business outcomes.
According to IDC (Source – Worldwide CISO Influence Survey 2018), business leaders and CISOs view information security as vital to competitiveness of products and services while protecting the interests of their customers.
When an organization promises to deliver the value of digital business to customers, it’s often the case that security is not at the table when critical decisions are being made. Without security representation at the right time, organizations are exposing themselves to business critical risks that could severely damage their brand.
As organizations continue to expand their digital footprint, an Enterprise Cyber Risk Program should be an integral part of the plan and should cover the following four areas:
Here are some questions to consider as you build your program:
If you would like to discuss in more detail, please email firstname.lastname@example.org.
The basis for Network Access Control
In the circumstances corporations now find themselves because of the Covid-19 pandemic, network segmentation deficiencies have been spotlighted as an alarmingly weak spot in modern network enterprises.
A recent example was an attacker who penetrated an IoT-based HVAC system and, from there, found a nearly unrestricted path all the way to the victim corporation’s Point of Sale systems.
While re-architecting many infrastructures to provide more granular and secure segmentation would be an enormous ask, the first part—of low-security IoT devices being able to provide a starting point for a path through the network—is an easier one to address.
Network Access Control, or NAC as it’s commonly referred to, is a process by which before network access is given, a user or a device (or both!) must first authenticate to the network.
What we’re NOT talking about: We’re not talking about logging on to a workstation when you first walk into your cubicle; in this instance your workstation is already connected to the network and you’re just providing your user credentials to log on to, for example, the Windows Domain.
What we ARE talking about: Rather, we’re talking about when you first connect your device—connect your laptop to the wired network, or connect your smartphone to a wireless network’s SSID, as examples—your device must first present some kind of credential, be it a MAC address or a certificate, and the network switch or wireless controller checks that MAC address or certificate against a centralized source. Keep in mind that a MAC address is an identifier, not a secret: anyone who can observe it on the wire can set it on their own device, so MAC-based authentication (MAC Authentication Bypass) is appropriate only for headless devices that cannot run a supplicant, and those devices should land in a tightly restricted VLAN rather than a trusted one.
Pass this authentication, and the device is allowed onto the network (for example, put into a certain VLAN) and further user authentication can take place from there.
Fail the authentication, and the device is either put into a guest VLAN for Internet-only access, or placed into an isolated VLAN with an explanatory page telling the user how to fix the situation by contacting a certain person or following a certain procedure to get the device properly registered, or else not allowed connection to the network at all.
Taking this concept further into the IoT realm, devices which do not have a user-facing GUI—headless devices like printers, security cameras, thermostats, HVAC systems, “smart-building” alarm sensors, etc.—are notoriously vulnerable via unpatched operating systems or known hardware security flaws, and need to be handled with care.
Devices like these should NEVER have an unrestricted pathway to secure/sensitive internal systems.
Network Access Control addresses this by automatically authenticating these types of devices and placing them into cordoned-off zones (VLANs), with access controls that allow only their “phone home” destination.
A common misconception is that Network Access Control is only applicable for wireless, or that “it’s that 802.1X thingy that never really caught on, so it’s an ‘old’ technology that is not applicable today.” That latter perception is particularly troubling, because 802.1X as a technology is painted as old/non-applicable because of the lack of quick-start guides and software wizards at the time.
Today’s NAC solutions are nothing like yesteryear’s NAC solutions, which required hands-on, command-line configuration of nearly every device involved.
Setting up a NAC policy in today’s NAC solutions is as easy as following a “Start Here” wizard that quite literally walks you through setting it up, with resulting configuration statements that you install with copy/paste into the end-user-facing switch, controller, etc.
Network Access Control solutions aren’t an “all or nothing” solution, either.
What a NAC solution is NOT: It’s not like an entire switch or controller is either under NAC control or it’s not, and if it is and the NAC solution isn’t working, the entire population of users connected to that switch or controller are locked out from the network.
What a NAC solution IS: Instead, NAC can be implemented on end-user-facing devices in a hybrid way, where only certain switch ports or certain SSIDs are under NAC control, and with a “fail-through” configuration where, if the NAC server doesn’t respond, the switch port or SSID allows a predefined “default” level of access. Be deliberate about what that default is: fail-through is fail-open, and whatever access it grants is exactly what an attacker gets by making the NAC server unreachable.
Naturally, a caution is warranted with a hybrid configuration like this (especially with the availability of the “fail-through” feature), as NAC’s security itself can be eaten away with production connectivity emergencies. One example of this is service ticket troubleshooting where, instead of troubleshooting the user’s reason to need to authenticate to that particular security domain, the “resolution” carves away some of NAC’s security policy and the ticket is closed out, leaving a weakened NAC policy in place.
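To make the authenticate-then-assign flow concrete, here is an added example, written for this page and not code from CBTS or any NAC vendor: the RADIUS exchange between an access switch and a NAC server when a headless device (one with no supplicant) is admitted by MAC Authentication Bypass. The switch sends an Access-Request carrying the MAC as user name and password; the server looks the MAC up and answers either Access-Accept with the RFC 2868 tunnel attributes that tell the switch which VLAN to put the port in, or Access-Reject, in which case the switch uses its auth-fail VLAN. The switch verifies the Response Authenticator, which is what stops a forged reply from an attacker who does not know the shared secret, and a `None` reply stands in for an unreachable server so the fail-closed versus fail-through choice is visible. The wire format follows RFC 2865/2868; the policy table, VLAN numbers and shared secret are made up for the example.

```python
"""Constructed example (not CBTS's or any vendor's code): the RADIUS exchange between an
access switch and a NAC server when a headless device is admitted by MAC Authentication
Bypass. Wire format follows RFC 2865/2868; policy table, VLANs and secret are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
SHARED_SECRET = b"example-only-secret"        # assumption: switch/server pre-shared key

# Hypothetical NAC policy: known headless devices land in a cordoned-off VLAN that only
# reaches their "phone home" destination; any other MAC is rejected.
KNOWN_DEVICES = {"00-11-22-33-44-55": "30",   # printer
                 "00-aa-bb-cc-dd-ee": "40"}   # HVAC controller


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def tunnel_attr(atype, value):
    return attr(atype, b"\x00" + value)        # RFC 2868: leading tag byte, 0 = untagged

def hide_password(password, request_auth, secret):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block). Obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

# Switch (NAS) side: no supplicant answered EAP, so fall back to MAB and send the MAC
# address as both user name and password.
def switch_mab_request(mac, ident=7):
    request_auth = os.urandom(16)
    username = mac.replace("-", "").lower().encode()
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(username, request_auth, SHARED_SECRET))
             + attr(CALLING_STATION_ID, mac.upper().encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

# NAC server side: check the request, look the MAC up, answer with VLAN attributes.
def server_respond(request):
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    mac = attrs[CALLING_STATION_ID].decode().lower()
    password_ok = reveal_password(attrs[USER_PASSWORD], request_auth, SHARED_SECRET) == attrs[USER_NAME]
    if password_ok and mac in KNOWN_DEVICES:
        code, resp_attrs = ACCESS_ACCEPT, (
            tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, KNOWN_DEVICES[mac].encode()))
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + SHARED_SECRET).digest()
    return header + resp_auth + resp_attrs

# Switch side again: verify the reply, then pick the VLAN for the port.
def switch_decide(request, response, auth_fail_vlan="901", server_dead_vlan=None):
    if response is None:                       # NAC server did not answer
        return server_dead_vlan                # None = fail closed; a VLAN = "fail-through"
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + SHARED_SECRET).digest()
    if ident != request[1] or response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    if code == ACCESS_ACCEPT:
        return parse_attrs(response[20:length])[TUNNEL_PRIVATE_GROUP_ID][1:].decode()
    return auth_fail_vlan

if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "de-ad-be-ef-00-01"):
        req = switch_mab_request(mac)
        print(mac, "->", switch_decide(req, server_respond(req)))       # 30, then 901
    print("server dead ->", switch_decide(req, None, server_dead_vlan="10"))
```

Two things worth noticing in the exchange. The only thing protecting the Access-Accept from forgery is the MD5-and-shared-secret Response Authenticator, which is why RADIUS between switches and the NAC server belongs on a management network (or inside RadSec/IPsec) and why the secret must not be a guessable default. And the whole MAB path keys on a MAC address the device broadcasts, so the VLAN it lands in should be treated as untrusted regardless of how the lookup went.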
Network Access Control also offers improved visibility into the devices connected to the network, because most NAC solutions will “profile” each device as it connects.
Profiling can be agentless—where the device’s own communication characteristics on the network are captured and leveraged—or agent-based, where an agent is installed on the device to determine the health before access is allowed.
This profile information is then used for policy determination before access to the network is given. This is how segmentation by device type, including IT devices versus OT (operational technology) devices, can be achieved without hardcoding switch ports, SSIDs, or the devices themselves.
News headlines of the latest hacks demonstrate not only the need for authenticated network access, but device-specific network segmentation as well.
Network Access Control is just one part of a more-encompassing IT security policy, of course, but an ever more crucial one. And today’s NAC solutions make it easy to implement, which is unusually low-hanging fruit in the information security realm.
The CBTS Security Solutions team has Network Access Control subject matter experts on staff to not only assist with the selection, testing, and implementation of a NAC solution, but also to help build that more-encompassing IT security policy.