
Cybertech Midwest 2019 Debrief

We just finished a few days with our friends at the Cybertech Midwest conference in Indianapolis. I try to visit as many information security conferences as I can each year—it’s one way my team keeps up with the latest research, learns about new attack scenarios, new tools, and understands the focal points of the community.

One of my favorite things about conferences like this is getting to hear from practitioners whose day-to-day work is notably different from my own. As a consultant, I spend more time in my clients’ worlds than my own, but that means I miss out on the experiences from industries and geographies where I don’t spend much time.

An area where this is especially true is state-level government here in the United States. We’ve spent time with city/county government, and other CBTS practices have done quite a bit at the state level, but our security practice doesn’t hang out there often, and as a result, I haven’t had a ton of exposure to the challenges and gaps that folks at the state level face.

So it was really exciting to hear from so many folks here that operate at that level – both CISOs and CIOs. What I heard was:

  • Traditional thinking and solutions aren’t effective enough anymore, and not just in terms of technology, but our thinking about solving security problems. Security folks end up very “siloed” as a function of being independent advisors . . . but we need to collaborate better with other teams in the business, for example folks with other areas of responsibility (legal, finance, HR, operations).
  • For some businesses, protecting data collected and used for analytics purposes can be as—or more—important than protecting financial or personal data, as it is the lifeblood of a lot of business operations. Make sure your data protection strategy covers that as well.
  • Business e-mail compromise (BEC) and fraud are still plaguing organizations large and small. At this point, if your business doesn’t operate using gift cards (which most do not), executives in the organization should pass the word to everyone: if you get a request to buy and provide pictures of gift cards to anyone with company money, it’s fake! Report it!

Going to a conference that doesn’t just focus on traditional enterprise security helps my team keep pace with the rest of the industry—and the rest of CBTS. We field every area of IT here, and clients of every stripe, and I best serve my clients and my colleagues when I can speak competently about their worlds as well as mine.

So let me ask you, the reader: where are you advancing your awareness of activities and trends in your field? You can read more about security services from CBTS.

Read more: Justin breaks down Ohio’s Data Protection Act

Understanding “Data Breach Safe Harbor” law

Last year, Ohio’s General Assembly passed SB220, referred to as the Ohio Data Protection Act. This legislation takes an interesting approach to cybersecurity regulation. Instead of mandating that a specific set of security controls be implemented, this data breach safe harbor legislation offers an incentive for voluntary compliance with one of several industry-accepted standards.

In short, if your business has a documented formal security program that follows one of these standards, and if a lawsuit is brought against you for a breach of personal data, the data breach safe harbor law allows you to claim an affirmative defense.

A closer look at the data breach safe harbor law

If, like us, you’re not attorneys or legal scholars, some of that might have left you scratching your head. Our good friends at Dinsmore (they’re great lawyers) wrote up a great article on the subject. For the laymen among us, here’s what we think the data breach safe harbor legislation means:

  1. Acme Company has a security program based on the NIST Cybersecurity Framework. They’ve documented and can demonstrate their compliance to each of the approximately 100 requirements of this framework.
  2. Acme suffers a data breach – despite their strong defenses, an attacker is able to access and steal their customer database.
  3. Acme customers whose data is stolen participate in a lawsuit against Acme, claiming negligence on Acme’s part that contributed to the loss of data.
  4. Under the Data Protection Act, Acme can demonstrate compliance to the NIST CSF as a defense in the suit, and if they are successful, cannot be held completely liable.

Sounds pretty groovy, eh?

Law highlights industry-accepted standards

The idea of the data breach safe harbor legislation is to incentivize businesses to develop a security program, adopt a formal security standard as its base, and to actually follow it. The standards mentioned by name in the law’s language are the good ones, too:

And if you’re required to be compliant to PCI-DSS, the HIPAA Security rules, FISMA, HITECH, or GLBA, those count as well!

Effect of the law uncertain, but customers are intrigued

This is pretty appealing. Many companies have been targeted in lawsuits by the victims of their data breaches and have had to pay millions of dollars as a result.

Here’s the thing. This data breach safe harbor legislation is new and hasn’t been tested. We don’t know who decides how much compliance is sufficient to actually warrant an “affirmative defense,” or how much impact it will have on the final decisions in these kinds of cases. What we do know is that our customers are intrigued and have been asking for help in determining where the gaps are in their security program, and how to address them.

CBTS helps you navigate the always-shifting security landscape

CBTS has been advising customers on building strong security programs since 2005. We’re well versed in the standards included as a part of this data breach safe harbor legislation – we talk to customers about them every day. There’s never been a better time to invest in developing this practice in your business – contact us today!

NOTE: We are engineers, not lawyers. This blog post does not constitute legal advice and should not be used as such. If you require legal advice, you should consult a qualified lawyer in your jurisdiction.

Innovative security tools at 2019 RSA Conference

This year’s RSA Conference (RSAC) was bigger than ever – and I don’t mean that in the rote sense of “more exciting! Action packed! Full of more interesting things to see and learn!” I mean it literally – the physical space used by the conference that promises to showcase new innovative security tools covered more square mileage, and what was there was more densely packed. Good thing I brought my walking shoes.

So, does more equal better? Feedback from our customers and peers points towards the negative.

RSA reflects the crowded security solution market

Simply put, the security solution space is overcrowded. It makes sense – protecting your business, data, and assets from online threats is more of a concern now than it’s ever been. And certainly the market has reacted as one would expect, by growing exponentially. Standing shoulder to shoulder, vendors clamor for your attention, nearly every one guaranteeing they’ve got innovative security tools that will provide the assurance you’re seeking.

CBTS offers guidelines to help evaluate innovative security tools

Our team is uniquely positioned in this market. Our role is not to make empty promises to customers, standing between them and cybercriminals with a cape and tights. On the contrary, our customers depend on us to separate the wheat from the chaff, as it were. Customers expect us to point them to the practices and technologies that can materially improve the maturity of their security program. It requires a trained eye, to be sure, to identify these innovative security tools.

So what does CBTS look for in an enormous expo hall like RSAC’s? How do we pick our winners?

Guideline 1: Show me that your solution works; don’t just tell me

Execution is critical. More than what you say you can do, I want to hear success stories from your customers. What did their deployment look like? What other solutions did it displace or complement? What kind of staff does it take to admin and use? What kind of risk did it mitigate, and how? What threats did it stop or detect that couldn’t have been found otherwise?

Guideline 2: Innovative security tools must follow standards

Following standards is a personal big-ticket item for me. I was quite pleased to see how many vendors have adopted the MITRE ATT&CK Framework as a taxonomy to describe the kinds of threat tactics and techniques they can impact. If a vendor starts off the conversation by telling me the CIS Top 20 control category in which they fit, or the NIST 800-53 requirements they satisfy, I’ll be smiling ear to ear.

Guideline 3: Be wary of solutions that promise to solve all of your problems

The vendor that under-promises and over-delivers is valuable in my book. Claims that a product can solve all my security problems, or detect and stop every zero day exploit forever, will make me roll my eyes and move on. I want technology that solves very specific problems, tells me what it can do and what it cannot, and doesn’t try to boil the ocean. No product – no vendor alone, even – can satisfy every security need we have. Realism does the customer and the market a lot of good.

Guideline 4: It all comes down to innovation

Finally, innovation is at the top of my list. I look for technology used in truly new and interesting ways, and occasionally, I’ll find something new under the sun. Today anyone can cook up a fancy dashboard and an attractive, flashy UI. However, most of them are sitting atop the same approach as their conference floor neighbor. If I walk away from your booth and think, “huh, I’ve never seen anything like that before, and I think it could actually work!” that’s a healthy sign.

3 examples of innovative security tools

The SIEM space is a great example of a market segment where we’re starting to see more innovation. Here are three high-profile new offerings we saw announced around RSA:

  • Backstory, the new security analytics app from Chronicle, takes a new approach to log aggregation/correlation and incident investigation. Instead of presenting a simple table of log data from a structured query, analysts enter queries for common investigation-starting indicators – say, an IP address, username, or hostname. Backstory then provides a set of context-driven answers that give the analyst valuable insights immediately.
  • The demo of Azure Sentinel from Microsoft also caught my eye. While the investigation experience was much more reminiscent of a traditional SIEM, the UI presented an easy process to integrate event sources from Azure services, such as Azure SQL and Office 365, as well as sources from a variety of other network, server, and application platforms. An accessible, cloud-ready SIEM may be just what Azure customers are looking for.
  • Cisco’s Threat Response tool is similar – a “SIEM-like” interface that aggregates data from a variety of Cisco security products, such as Umbrella, AMP, and ThreatGrid. It also provides a really slick query/investigation interface to data from all of these tools.

Most interesting, though, were the licensing models for these three products:

  • Backstory is not priced based on log volume or events per second – common models from nearly every major SIEM player in the market – but instead based on number of employees. As a SaaS product hosted by Google, this means that storage is elastic and customers can maintain a virtually endless archive of data.
  • Cisco’s Threat Response may be even more appealing. It is free for use by Cisco customers that use AMP for Endpoints, Umbrella, next-gen firewalls, and ThreatGrid.
  • Microsoft’s Azure Sentinel, in its current preview program, is also free of charge to Office 365 customers.

CBTS wants to hear from you

So the next time you’re elbowing through a mass of people in a conference hall with the swag flying left and right, keep these criteria in mind.

And remember, CBTS has been helping customers leverage innovative security tools since 2005. Please contact us and let us know how we can help your organization.

Create your data breach response plan

Every so often, we get a panicked call from a client that is experiencing an information security breach. The client may have a rampant outbreak of ransomware, a defaced website, or worse … a complaint about lost or stolen data. The client needs to understand what to do next, and they don’t have time for a fancy sales pitch. This scenario is why we’re passionate about helping clients create a data breach response plan.

Resources to help you create a data breach response plan

CBTS consultants have stared down the business end of an information security breach. And when you come out the other side, there’s a lot of learning that needs to be done.

One of the first lessons: Prepare yourself before the next information security breach, and create a data breach response plan. Think carefully about the things you want to do before, during, and after an incident so that the information security breach does not become the end of your company.

CBTS has published a whitepaper based on our experiences with customers, as well as one of the best publications available on the subject: NIST’s Special Publication 800-61r2. The full document is worth a read.

We’ve combined the guts of their recommendations with our experiences to provide a brief, accessible guide for security and IT leaders and practitioners. This guide offers key insights on how to handle an information security breach, which will ultimately inform your data breach response plan. In our whitepaper you will find steps on how to:

  1. Properly and effectively prepare for an attack.
  2. Detect and analyze an intruder.
  3. Contain the attacker, eradicate their presence on your network, and recover the impacted assets
  4. Assess your learnings.

CBTS is ready to serve as your trusted advisor

CBTS recommends partnering with a trusted incident response provider to assist in creating a data breach response plan, especially if your organization has no prior history of performing this function internally. A third party brings expertise and objectivity that are paramount to conducting a sound forensic investigation. We work with service providers in the space and can help gather your requirements and connect you with a provider that meets your needs.

CBTS Security experts can assist in all areas of maturing your incident response practice. Our consulting group can help assess your readiness to respond to a breach. And our product specialists can help collect your requirements and find best-of-breed solutions to complete your security strategy.

Retail networking solutions support security needs

Network security is a critical issue for retailers and their customers. CBTS offers retail networking solutions that include data protection services to ensure retailer data is neither lost nor compromised, and we partner with leading security and technology manufacturers to identify vulnerabilities in retail systems.

CBTS offers support 24x7x365

CBTS performs penetration, social engineering, and phishing tests, as well as environment, application, architectural infrastructure, wireless, and technology-specific assessments. These evaluations locate problem areas and recommend retail networking solutions to support your security.

Retailers also must have an extensive network security plan in place, complete with training on how to implement the plan in the event of an attack or breach. CBTS designs, builds, implements, documents, and tests disaster recovery preparedness programs to ensure retailers are covered 24x7x365. Our highly trained experts manage and monitor our retail networking solutions, and react immediately in the event of a threat.

Let CBTS help you address major network security issues

CBTS retail networking solutions address the major network security issues that today’s retailers face. With CBTS Network as a Service (NaaS), anti-malware and perimeter defense technologies protect your mission-critical systems against digital threats that could compromise business and customer data. CBTS NaaS also offers enterprise-grade firewall and security components to shield your network from malicious attacks.

Our NaaS solution works with current payment card industry (PCI) compliance solutions and adds state-of-the-art Intrusion Detection (IDS) and Intrusion Prevention (IPS) Systems. In addition, our Optical Sensor Cameras provide a continuous headcount of visitors while monitoring and recording their behaviors and patterns to provide enhanced visibility of your physical retail location’s security needs.

CBTS retail networking solutions help clients focus on customers

Customers will engage with retailers, and buy their products, if retailers can demonstrate customer data is protected. CBTS retail networking solutions facilitate network security for retailers, so that these businesses can focus on supporting customers.

At CBTS, your business is our priority. With a variety of solutions from data management to cloud services, we have what retailers need to increase sales in 2019 and beyond. Contact us today to see what CBTS can do for your retail environment.

Cloud helps schools secure data infrastructure

Today’s educational industry, in both the public and private sector, faces a number of unique challenges when it comes to provisioning and securing data infrastructure.

Educational institutions are continuously confronted with the same explosion of data and mounting demands for faster, more intuitive service offerings as other sectors of the economy. They are also operating with even tighter budgets and less in-house technical expertise. At the same time, regulatory burdens continue to highlight the conflict of maintaining privacy while fostering an open, equally distributed learning experience.

For most organizations, three critical data security issues arise when provisioning and securing data infrastructure:

1. Data value and use

Most modern educational programs rely on data to identify and promote effective teaching and learning strategies. But these programs are highly dependent upon secure infrastructure, both on the physical and virtual levels, to guard against breaches or misuse of data by legitimate users. At the same time, both educators and administrators require better training to ensure the integrity of systems and data, both of which are evolving at a rapid pace.

2. Data governance

Governance policies should encompass both privacy and transparency along the entire data lifecycle, from creation to collection, use, sharing, and archiving. This is the only viable way to build trust among students, parents, faculty, and other stakeholders that data is both accurate and protected, all while ensuring that it is being used to improve the educational experience.

3. Security and privacy

The enormous amount of data being generated these days is only part of the challenge. Equally important are the myriad systems that data traverses throughout the lifecycle. These can range from student information systems, enterprise resource solutions, learning management platforms, library systems, and a wide range of vendor-managed tools. These tools and systems must all be hardened against intrusion and monitored for misuse.

Securing data infrastructure the right way

Educational policymakers play a key role in resolving the educational industry’s challenge with provisioning and securing their data infrastructures. For one thing, they need to recognize the numerous support functions and systems that foster the twin goals of making data systems usable and secure. They also need to recognize that adequate funding is necessary, not just for the various systems and tools but for proper IT staffing and training for the entire knowledge workforce.

To accomplish these goals in an effective manner, it helps to concentrate on the following key elements:

  • A comprehensive implementation plan for effective data use and new systems. A project coordinator should be appointed to oversee execution of the plan throughout institutions and districts.
  • A regular maintenance and upgrade program to confront the continuously evolving security environment.
  • A streamlined process for staff turnover. Role and permission setups, access to appropriate data systems, training on effective use, troubleshooting, and general technical support for data systems should be included.
  • Mechanisms to address constant changes in technology and regulatory compliance. Particular attention should be paid to the frequent upskilling of IT staff.

Cloud solutions offer multiple benefits

It should be noted that many of these issues can be addressed quickly and at less cost by converting legacy infrastructure to modern cloud resources and services. In the cloud, maintenance and upgrades are done by the provider, while security is often better than in most legacy deployments. At the same time, workloads can scale dynamically in the cloud, so you only pay for what you need. And with adequate mirroring and replication, backup data is better preserved even if primary systems are lost completely, as in a natural disaster.

Education is one of the most important social functions within a modern society, but it is also one of the most expensive and complicated. The cloud can ease much of this burden, allowing schools to concentrate more fully on what they do best: teaching.

Learn how CBTS partnered with a private university to create a comprehensive plan for upgrading wireless and wired network access in residence halls, setting the stage for campus-wide WiFi connectivity.

Learn more about the CBTS partnership with the Dayton Public School District here.

Discover more about how CBTS delivers state-of-the-art technology for today’s schools and universities to keep up with the ever-increasing demands of students, parents, faculty members, administrators, and community stakeholders.

Continuous Penetration Testing critical for security

The rise of sophisticated new hacking tools has presented the modern enterprise with unpredictable and unprecedented security risks. While major attacks from highly sophisticated and sometimes even state-sponsored actors and organized cyber criminals garner most of the headlines, equally disturbing is the prevalence of ready-made hacking code, which can be downloaded and launched against unsuspecting targets with little or no coding skills.

To counter this, today’s enterprise must remain ever-vigilant to emerging threats, which means not only deploying the latest security measures but constantly testing them against real-world conditions.

CBTS helps you defend critical infrastructure

CBTS Penetration Testing (Pen Testing) provides the enterprise with the first step in defending critical infrastructure against malicious attacks. Our top security experts carry out what is commonly referred to as “ethical hacking”; that is, they try to break your security framework through a series of simulated attacks to identify vulnerabilities.

These attacks target key elements, such as:

  • Network infrastructure: Plugging gaps here can prevent intrusions that may cascade throughout the entire IT environment.
  • Critical assets: Facilities, systems, and equipment that can cripple operations if brought down by a cyberattack.
  • Wireless networks: Wi-Fi can often be used as a back door to critical infrastructure.
  • Web applications: 90 percent of all vulnerabilities lie on the application layer.
  • Physical assets: Hardware, software, data, and even personnel are vulnerable to attacks that can do serious damage to operations.

In addition, we conduct research into public vulnerabilities, followed by a staged breach to gauge your response capabilities. Afterward, we provide a detailed vulnerability analysis that includes recommendations for strengthening your security posture.

All of this is designed to find the holes in your data environment and correct them before hackers go rogue within your vital IT infrastructure. Our goal is to test multiple attack pathways without creating unnecessary risk to your network environment. We also work with each client to conduct an expansive assessment of operational processes, documented policies, and existing security controls to create a highly refined security posture, right down to the needs of individual business units, based on the industry-leading NIST Cyber Security Framework.

Deploy cutting-edge solutions with CBTS

CBTS also has the expertise to deploy cutting-edge security solutions for every major business sector. We have established strategic partnerships with leading network and information security vendors to provide exceptional technology and technical support to our clients. Our engineers maintain the highest levels of certification, including CISSP, CISM, CCIE, and many others.

In this day and age, security is not something to be taken lightly. The distributed nature of modern IT infrastructure means that the enterprise can no longer wall itself off behind a firewall and hope for the best. Modern security requires a continuous, proactive approach that strives to keep you one step ahead of those who seek to compromise your IT infrastructure, whether it be to steal your data or shut your systems down.

After all, it is far easier to protect yourself ahead of time than it is to recover after the fact.

Learn more by reading our Penetration Testing infosheet.

2018’s Top 5 Enterprise Security Problems

It’s the most wonderful time of the year! No, we’re not breaking into song and dragging out the holiday lights … it’s National Cybersecurity Awareness Month, my favorite month-long holiday where I don’t have to buy gifts.

I hear from customers every day who are concerned about all of the ways attackers might get into their networks and onto their assets. Effectively protecting your organization certainly can feel like a moving target, and yet, when I consider the threat landscape from the past 20 years, some of the same weaknesses are still just as prevalent today as they were in 1998.

So what should keep security leaders and practitioners up at night today?

In assembling this list, my team and I considered the last few years of notable breaches. What are the bad guys grabbing from their toolbox when they start planning an attack? What’s most reliable for them? What can they count on finding when they evaluate a target’s environment?

I hope you’re ready for some acronyms and buzzwords as you read our thoughts on this set of questions:

5. Weak configuration on endpoint systems

We’ve grown a lot as an industry – and so when a modern enterprise operating system rolls out today, it’s had more effort put into ensuring a minimal attack surface than ever before. But your network probably still has legacy operating systems, network devices, and applications. And they’re often less hardened – running older protocols like SMBv1, allowing authentication using older suites like NTLMv1 or even LANMAN, or using services that send credentials, files, and session data in cleartext like SNMP or telnet.

I’ve seen customers embark on a ‘network modernization’ project to resolve some of these issues. They retire older applications and services; update their operational processes; and go through a hardening exercise using benchmarks from the platform vendor or from the Center for Internet Security.

4. Unrestricted cloud storage

In a rush to migrate applications and workloads to hosted infrastructure, we find many developers and architects overlooking basic access controls that restrict the public internet from downloading sensitive data. As a result, we’ve seen millions of records of PII exposed in the last few years.

Often, the culprit isn’t even the organization itself. Many times, a third-party marketing, analytics, or development group was given the data and left it out in the open. This oversight is most certainly what regulatory standards like GDPR are meant to address.

So, check the restrictions on your cloud storage – as well as the practices of the partners to whom you’re giving your data!
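To make “check the restrictions on your cloud storage” concrete, here is an added example (not CBTS’s code or tooling) that triages an AWS S3 bucket policy for statements that any anonymous caller on the internet could use. It assumes the standard bucket-policy JSON layout; the allow-list of restricting condition keys, the account and bucket names, and both sample policies are constructed for the example.

```python
import json

# Condition keys that tie a "*" principal to a known network, VPC endpoint or
# account. Constructed allow-list for this example; extend it for your estate.
# AWS condition keys are case-insensitive, so they are stored lower-cased.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalaccount",
}


def _principal_is_public(principal):
    """True when the statement's Principal is the wildcard (anyone on the internet)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _statement_is_restricted(statement):
    """True when a Condition block narrows the wildcard principal to a known source."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def find_public_grants(policy_json):
    """Return [(Sid, [actions])] for Allow statements any unauthenticated caller can use."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without a list
        statements = [statements]
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow" or not _principal_is_public(s.get("Principal")):
            continue
        if _statement_is_restricted(s):
            continue
        actions = s.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((s.get("Sid", "<no Sid>"), sorted(actions)))
    return findings


# Constructed sample policies (placeholder account id and bucket names, not real).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::analytics-export-EXAMPLE",
                      "arn:aws:s3:::analytics-export-EXAMPLE/*"]},
        {"Sid": "PartnerRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/partner-EXAMPLE"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::analytics-export-EXAMPLE/*"},
    ],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::analytics-export-EXAMPLE/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})

if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, find_public_grants(policy))
```

The check looks at each Allow statement in isolation: a Deny elsewhere in the policy, the account’s Block Public Access settings and legacy bucket ACLs are not evaluated, so treat a hit as a lead to confirm rather than a verdict. The same review applies to the partners holding your data: ask for the policy, not just the assurance.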

3. Unpatched software

Strong vulnerability management is still a challenge, and with more organizations allowing employees to use personal devices to handle company data, ensuring that all assets stay patched is a constant battle.

Patching effectively doesn’t happen by accident – it will take a concerted effort by security and operations staff to make sure patches are identified, tested, and distributed within 30 days of release, and that stragglers are identified and corrected through vulnerability assessments. Missing just one server can make all the difference!

Key to this effort: Know the assets that store and process sensitive data, and that run business-critical applications, and start your rigorous patching cycles there. Then expand to the entire environment in a phased approach. Or, have us do it for you.

2. Weak passwords

Yes, we’re still talking about passwords, despite tech media calling for their death for at least a decade. Face it, we’re stuck with passwords for the time being, and that’s why we still see attackers stealing them, guessing them, and cracking them.

If you’re a security practitioner, you should worry that your employees’ AD passwords are the same as the one they set on the LinkedIn account that was stolen years ago. Or, whether your network admins remembered to change the default password on the Cisco switch in the closet, or on the Liebert power unit controlling the power in the datacenter.

Password reuse, easily guessable passwords, and unchanged vendor-default passwords are still juicy opportunities for attackers. Good vulnerability management means auditing enterprise passwords, setting a strong password policy, and for goodness’ sake, using multi-factor authentication for critical applications, privileged accounts, and remote access.
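As an added example of the password auditing this paragraph calls for (not CBTS’s own tooling), the check below applies three tests at password-set time: the policy minimum length, a list of vendor-default credentials, and a breach-corpus lookup that compares hashes by prefix so the full hash never has to leave the host. The breach set, the default list and the 12-character minimum are all constructed assumptions for the example.

```python
import hashlib

MIN_LENGTH = 12  # assumed policy minimum for this example

# Constructed sample data (not real breach data): SHA-1 digests of a few
# passwords standing in for a corpus of credentials leaked in past breaches.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2016!", "Welcome1", "password", "P@ssw0rd")
}

# Constructed sample list of credentials that ship as factory defaults on gear.
VENDOR_DEFAULTS = {"admin", "password", "changeme"}


def sha1_upper(password):
    """Upper-case hex SHA-1, the form most breach corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def in_breach_corpus(password, corpus=BREACHED_SHA1):
    """Range-style lookup: select candidates by the first five hex digits of the
    hash, then match the remaining 35 locally. Offline here, it mirrors the
    k-anonymity shape of public breach-check APIs, where only the prefix is
    ever sent and the comparison happens on the caller's side."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def audit_password(password):
    """Return the policy findings for a candidate password (empty list = acceptable)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than policy minimum")
    if password.lower() in VENDOR_DEFAULTS:
        findings.append("vendor default credential")
    if in_breach_corpus(password):
        findings.append("present in breach corpus")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Summer2016!", "correct horse battery staple 2018"):
        print(repr(candidate), audit_password(candidate) or "ok")
```

Wired into the password-change path (a domain password filter, or the identity provider’s policy hook) a check like this stops a breached or default password before it lands in the directory; the default list doubles as a build-checklist item for the switch in the closet and the power unit in the datacenter.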

1. Phishing and Social Engineering

You have to try really hard to work in a modern office environment and not know that phishing is a problem. So why do users keep falling for the scams? Because it’s still trivial for the bad guys to recon their targets, cook up an extremely convincing pretext, and slip it past your defenses.

You’ve probably heard of at least one successful phishing attack that led to someone installing ransomware in their environment in the last year. Or, one successful e-mail scheme that had a hapless junior financial staffer wire-transferring emergency funds to someone they thought was the CFO.

A series of controls is required to effectively protect against these kinds of attacks. People must be trained regularly, and you should use a variety of methods to teach them how to spot an attack. Processes and policies must enforce good behavior and hygiene to ensure employees know the consequences of a breach. And technology must protect the business, its data, and customers from ourselves – restricting access to malicious websites and email, stopping malware, and detecting attacker movements inside the network.
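The gift-card and fake-CFO schemes described here (and in the Cybertech debrief above) leave signals a mail gateway can score before a message reaches the junior staffer. As an added example, not part of the original post, the detector below flags an executive’s display name paired with an address that is not the directory entry, a lookalike sender domain, a Reply-To pointing somewhere other than the sender’s domain, and payment or gift-card language. The corporate domain, executive directory, phrase list and all three sample messages are constructed assumptions.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed directory of executives attackers like to impersonate.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed phrase list; tune it to the requests your finance team actually sees.
PAYMENT_TERMS = ("gift card", "wire transfer", "urgent", "pay immediately")


def _levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(msg):
    """msg: dict with 'from', 'reply_to', 'subject', 'body'. Returns indicator names."""
    flags = []
    name, addr = parseaddr(msg.get("from", ""))
    from_dom = _domain(addr)

    # 1. Executive's name on the envelope, but not the executive's address.
    directory_addr = EXECUTIVES.get(name.strip().lower())
    if directory_addr and addr.lower() != directory_addr:
        flags.append("executive display name with non-directory address")

    # 2. Sender domain within two edits of ours (examp1e.com, exampel.com, ...).
    if from_dom and from_dom != CORP_DOMAIN and _levenshtein(from_dom, CORP_DOMAIN) <= 2:
        flags.append("lookalike sender domain")

    # 3. Replies silently routed to a different domain than the one shown.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and _domain(reply) != from_dom:
        flags.append("reply-to domain differs from sender domain")

    # 4. The ask itself: money or gift cards, usually with urgency.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment or gift-card request language")
    return flags


# Constructed sample messages (no real senders or addresses).
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@examp1e.com>", "reply_to": "",
     "subject": "Quick favor",
     "body": "Are you at your desk? I need you to buy gift cards for a client, it's urgent."},
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
     "subject": "Q3 agenda",
     "body": "Please review the attached agenda before Thursday."},
    {"from": "Accounts <billing@vendor-invoices.net>",
     "reply_to": "ceo-office@mail-drop.example.org",
     "subject": "Updated bank details",
     "body": "Please process the wire transfer to the new account today."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", bec_indicators(m) or "clean")
```

Any single indicator is weak on its own (executives do write “urgent”), so in practice the gateway scores the combination and routes two or more hits to quarantine or a banner, while the finance process still requires an out-of-band callback for any change to payment details regardless of what the filter says.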

Thanks for reading, and enjoy this lovely month of October!

To learn more about CBTS security strategies, read our Ebook on Why your backup solution is crucial to defending your organization from ransomware.

Three steps to enhancing security solutions

For enterprise organizations, security transcends the day-to-day defenses against attacks.

Large companies often have to simplify, unify, and modernize security systems and security solutions that have grown complex and ineffective. In a merger, corporate security teams must reconcile a range of competing hardware and software configurations. At some point, most enterprises bring in security consultants to help make sense of their challenges and manage the most complex security tasks.

CBTS recently helped a global corporation grapple with these challenges. Here’s a look at three things we had to accomplish so that our client can manage the security threats coming at them from all directions.

1. Streamline your security solution.

Our client has factories, offices, and other facilities in the United States and overseas. Over the years, individual business units acquired a vast array of security technologies that became increasingly difficult to manage.

When the company merged with another global enterprise, it faced a major challenge in hardware and software complexity, which left the company vulnerable. Meanwhile, persistent intrusions and malware attacks exposed weaknesses in the client’s ability to identify intruders and neutralize them before they reached sensitive data.

The company contacted CBTS to help them bring all of their security solutions under the umbrella of a unified security platform. We partnered with a top Silicon Valley security technology provider to implement next-generation firewall hardware and intrusion-detection software.

These new tools allow security experts to sandbox malware code, fend off zero-day attacks, and detect evidence of advanced persistent threats.

2. Centralize security management.

A company with locations around the world needs a central platform for all of its security operations. The Panorama platform from Palo Alto Networks helped us ensure every site views their security status through a single pane of glass that provides in-depth insights on network activity and security threats.

Panorama helps IT admins:

  • Manage multiple devices and data sources through a common interface.
  • Create a common rule base for firewalls, IPS, URL filtering, and other functions.
  • Set group hierarchies to separate devices into subgroups that match the company’s organizational structure.
  • Create templates to automate security configurations.

The result is much better visibility of the entire network system and all the security tools within it.

3. Partner with an IT security solutions expert.

Our global manufacturer needed a partner with two kinds of expertise:

  • Direct internet security experience, knowledge, and training across a wide variety of industries and markets.
  • Managed services capabilities in on-premises, hybrid, and public cloud infrastructures.

The company needed an IT security provider with extensive experience. CBTS security experts have comprehensive training and deep expertise in highly sensitive security environments.

We also have a managed-services division specializing in security. This service delivers 24x7x365 monitoring, intrusion detection, and advanced perimeter defense.

Find out more in our free case study

Our combination of deep expertise and partnerships with world-class enterprise security vendors ensures we can match clients with the provider that best solves the client’s unique IT challenges.

Our global manufacturing client now has a robust security apparatus—racks of firewall hardware supported by the most advanced cyber defense software on the market.

Download our free case study to see how we did it.


Is SMS-based Multi Factor Authentication Secure?

The latest “religious war” brewing in the information security community seems to center around whether or not SMS text messages should be used to deliver one-time passwords (OTPs) as a method of multi-factor authentication. Oh, for the days of emacs and vi!

Two recent news stories have contributed to the increased chatter around this issue. Google claims that they’ve seen no successful phishing attacks against their 85,000 employees since early 2017 when they migrated away from OTPs as a second authentication factor and switched to physical security keys. And, forum website Reddit recently discovered a breach and claims that the attacker was able to steal administrative credentials by intercepting the administrator’s OTP that was sent via SMS.

Opponents of SMS-based MFA believe that this act – obtaining OTPs sent via SMS – is trivial in 2018. Let’s examine some of the methods that attackers can employ to accomplish this.

How Attackers Steal SMS-Based OTPs

The most common method of attack is called “SIM jacking”. An attacker can contact the target’s cell provider, claiming to be the target, and convince the provider to switch the target’s phone number to a new SIM card, one that’s loaded in a phone the attacker possesses. They are then able to receive the target’s text messages and phone calls. Similarly, a “porting” attack involves contacting a different cell provider than is used by the target, and asking the provider to port the target’s number to that service.

A more complex attack can be conducted against the Signaling System 7 (SS7) infrastructure used by different telcos to interact with each other. An attacker with access to this infrastructure – not an easy feat by any stretch – could intercept text messages and record phone calls.

Finally, malware loaded on a mobile device that can intercept SMS messages, and deliver them to the malware’s operator, has been around for years. Often it is distributed as a part of a legitimate-looking application, as was the case with the Perkele and Pincert malware families.

Should You Be Using SMS For OTPs?

If you’re an individual concerned about protecting access to your accounts, should you be worried?

Somewhat. Certainly, there are ways to intercept SMS messages. Most require concerted effort by a human attacker, though, and while this obviously occurs, it’s far from as likely as the opportunistic attacks that we see most individual home users dealing with. Put simply, most people won’t find themselves targeted specifically for this type of attack, unless there’s a cybercriminal or nation-state dedicated to gaining access to their data and systems.

(For my own personal security, I trust SMS-based OTPs for some websites and applications that don’t handle my financial information or any personal information beyond my email address. For all others, I use stronger controls, such as physical keys and authenticator apps that generate OTPs only I can see.)

How SMS-Based OTPs Affect Enterprise Security

Enterprises, though, have a different set of use cases than individuals. Tasked with protecting access to business-critical applications, sensitive data sources, and privileged accounts, enterprises must make different risk calculations than home users. Deploying MFA in the enterprise requires the rollout and administration of authentication applications, management of keys for individual users, and integration with existing directories and user-facing services such as the helpdesk.

Security teams in these circumstances may consider a mix of tools and products. One of our guiding principles in designing security architecture is that the complexity of a given security control is likely to grow in proportion with the criticality of the asset being protected, or the severity of the risk in question (or both). Applied here, the simplicity of using SMS 2FA may not outweigh the risk of a targeted attack that would expose SMS-based OTPs, and therefore would not be sufficient to protect access to critical applications or elevated privileges. While managing hardware keys adds overhead and complexity, it does reduce the risk of compromise of credentials by guaranteeing a more effective second factor.

A variety of solutions beyond SMS-based OTPs and hardware keys exist, though. CBTS partners with vendors like Duo Security, Microsoft, and RSA to help sort out the right approach for enabling MFA in an enterprise. We’d love to help you figure out the most effective path forward.
