
Now, more than ever, network infrastructures need Network Access Control

The basis for Network Access Control

With the unfortunately-commonplace news highlighting the latest large-scale corporate entity network attack, penetration, and data theft (the instances we hear about, anyway), network segmentation deficiencies have been spotlighted as an alarmingly weak spot in modern network enterprises.

A recent example was provided by an attacker penetrating an IoT-based HVAC system that ultimately provided the attacker a nearly unrestricted path all the way to the victim corporation’s Point of Sale systems.

While re-architecting many infrastructures to provide more granular and secure segmentation would be an enormous ask, the first part—of low-security IoT devices being able to provide a starting point for a path through the network—is an easier one to address.

How Network Access Control works

Network Access Control, or NAC as it’s commonly referred to, is a process by which a user or a device (or both!) must first authenticate to the network before network access is given.

What we’re NOT talking about: We’re not talking about logging on to a workstation when you first walk into your cubicle; in this instance your workstation is already connected to the network and you’re just providing your user credentials to log on to, for example, the Windows Domain.

What we ARE talking about: Rather, we’re talking about when you first connect your device—connect your laptop to the wired network, or connect your smartphone to a wireless network’s SSID, as examples—your device must first provide some kind of authentication, be it a MAC address or a certificate, and the network switch or wireless controller authenticates that MAC address or certificate against a centralized source.

Pass this authentication, and the device is allowed onto the network (for example, put into a certain VLAN) and further user authentication can take place from there.

Fail the authentication, and the device is either put into a guest VLAN for Internet-only access, or placed into an isolated VLAN with an explanatory page telling the user how to fix the situation by contacting a certain person or following a certain procedure to get the device properly registered, or else not allowed connection to the network at all.

How NAC solves IoT device vulnerabilities

Taking this concept further into the IoT realm, devices which do not have a user-facing GUI—headless devices like printers, security cameras, thermostats, HVAC systems, “smart-building” alarm sensors, etc.—are notoriously vulnerable via unpatched operating systems or known hardware security flaws, and need to be handled with care.

Devices like these should NEVER have an unrestricted pathway to secure/sensitive internal systems.

Network Access Control solves this by automatically authenticating these types of devices and placing them into cordoned-off zones (VLANs) with access only to their “phone home” destination.

A common misconception about modern NAC solutions

A common misconception is that Network Access Control is only applicable for wireless, or that “it’s that 802.1X thingy that never really caught on, so it’s an ‘old’ technology that is not applicable today.” That latter perception is particularly troubling, because 802.1X is painted as old and non-applicable because quick-start guides and software wizards were lacking at the time.

Today’s NAC solutions are nothing like yesteryear’s NAC solutions, which required almost exclusively hands-on, command-line configuration of all devices involved.

Setting up a NAC policy in today’s NAC solutions is as easy as following a “Start Here” wizard that quite literally walks you through setting it up, with resulting configuration statements that you install with copy/paste into the end-user-facing switch, controller, etc.

NAC solutions have hybrid configuration capabilities

Network Access Control solutions aren’t an “all or nothing” solution, either.

What a NAC solution is NOT: It’s not like an entire switch or controller is either under NAC control or it’s not, and if it is and the NAC solution isn’t working, the entire population of users connected to that switch or controller are locked out from the network.

What a NAC solution IS: Instead, NAC can be implemented on end-user-facing devices in a hybrid way, where only certain switch ports or certain SSIDs are under NAC control. It can also be set up in a “fail-through” configuration in which, if the NAC doesn’t respond, the switch port or SSID allows a predefined “default” access.

Naturally, a caution is warranted with a hybrid configuration like this (especially with the availability of the “fail-through” feature), as NAC’s security itself can be eaten away with production connectivity emergencies. One example of this is service ticket troubleshooting where, instead of troubleshooting the user’s reason to need to authenticate to that particular security domain, the “resolution” carves away some of NAC’s security policy and the ticket is closed out, leaving a weakened NAC policy in place.
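The decision flow from “How Network Access Control works” and the fail-through caution above, modeled as an added example (not code from this article or from any NAC product). The VLAN numbers, port names, profiles and devices are constructed, and the registry lookup stands in for real certificate validation.

```python
"""Model of a NAC access decision. All VLAN IDs, port names, profiles and
devices below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

VLAN_CORPORATE, VLAN_POS = 10, 20
VLAN_IOT_HVAC, VLAN_IOT_CAMERA = 40, 41
VLAN_GUEST, VLAN_QUARANTINE = 90, 99
SENSITIVE_VLANS = {VLAN_CORPORATE, VLAN_POS}

# The "centralized source" the switch or controller authenticates against.
REGISTERED_CERTS = {"CN=laptop-0421": "corporate-laptop"}
REGISTERED_MACS = {
    "00:11:22:33:44:55": "hvac-controller",
    "00:11:22:33:44:66": "ip-camera",
}
# The profile decides the segment; headless IoT never maps to a sensitive VLAN.
PROFILE_VLAN = {
    "corporate-laptop": VLAN_CORPORATE,
    "hvac-controller": VLAN_IOT_HVAC,
    "ip-camera": VLAN_IOT_CAMERA,
}


@dataclass(frozen=True)
class Device:
    mac: str
    cert_subject: Optional[str] = None  # only certificate-capable devices


@dataclass(frozen=True)
class PortPolicy:
    nac_enforced: bool                       # hybrid: only some ports/SSIDs
    static_vlan: Optional[int] = None        # used when NAC is not enforced
    fail_through_vlan: Optional[int] = None  # "default" access; None = deny
    on_auth_failure: str = "deny"            # "guest", "quarantine" or "deny"


@dataclass(frozen=True)
class Decision:
    vlan: Optional[int]  # None means no network access at all
    reason: str


def normalize_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def authorize(device: Device, port: PortPolicy, nac_reachable: bool = True) -> Decision:
    """Return the VLAN a connecting device is placed in, and why."""
    if not port.nac_enforced:
        return Decision(port.static_vlan, "port not under NAC control")
    if not nac_reachable:
        # Fail-through: whoever plugs in gets the default, authenticated or not.
        if port.fail_through_vlan is None:
            return Decision(None, "NAC unreachable, access denied")
        return Decision(port.fail_through_vlan, "NAC unreachable, fail-through default")
    profile = None
    if device.cert_subject is not None:
        profile = REGISTERED_CERTS.get(device.cert_subject)
    if profile is None:
        profile = REGISTERED_MACS.get(normalize_mac(device.mac))
    if profile is not None:
        return Decision(PROFILE_VLAN[profile], f"authenticated as {profile}")
    failure_vlan = {"guest": VLAN_GUEST, "quarantine": VLAN_QUARANTINE, "deny": None}
    return Decision(failure_vlan[port.on_auth_failure],
                    f"authentication failed, {port.on_auth_failure}")


def audit(ports: dict) -> list:
    """Flag port policies that hand out sensitive VLANs without authentication."""
    findings = []
    for name, p in ports.items():
        if not p.nac_enforced and p.static_vlan in SENSITIVE_VLANS:
            findings.append(f"{name}: unauthenticated port in sensitive VLAN {p.static_vlan}")
        if p.nac_enforced and p.fail_through_vlan in SENSITIVE_VLANS:
            findings.append(f"{name}: fail-through grants sensitive VLAN {p.fail_through_vlan}")
    return findings


# Constructed port policies. sw1/0/2 is what a "resolved" ticket can leave behind.
PORTS = {
    "sw1/0/1": PortPolicy(nac_enforced=True, fail_through_vlan=VLAN_GUEST,
                          on_auth_failure="quarantine"),
    "sw1/0/2": PortPolicy(nac_enforced=True, fail_through_vlan=VLAN_CORPORATE,
                          on_auth_failure="guest"),
    "sw1/0/3": PortPolicy(nac_enforced=False, static_vlan=VLAN_IOT_HVAC),
}

if __name__ == "__main__":
    unknown = Device("aa:bb:cc:dd:ee:ff")
    print(authorize(Device("00-11-22-33-44-55"), PORTS["sw1/0/1"]))
    print(authorize(unknown, PORTS["sw1/0/1"]))
    print(authorize(unknown, PORTS["sw1/0/2"], nac_reachable=False))
    print(audit(PORTS))
```

On the weakened port, an unregistered device that would normally land in the guest VLAN receives the corporate VLAN whenever the NAC server is unreachable, which is the condition the audit reports.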

Figure 1a: Examples of some of the “Start Here” configuration wizards in a popular NAC product.
Figure 1b: More examples of some of the “Start Here” configuration wizards in a popular NAC product.

Granular device visibility and health determination through Network Access Control

Network Access Control also offers improved visibility into the devices connected to the network, because many (if not most) NAC solutions will “profile” each device as it connects to the network.

Profiling can be agentless—where the device’s own communication characteristics on the network are captured and leveraged—or agent-based, where an agent is installed on the device to determine the health before access is allowed.

This profile information is subsequently used for policy determination even before access to the network is given. This is how network segmentation by device type, including separating IT devices from OT (operational technology) devices, can be achieved without having to hardcode switchports, SSIDs, or the devices themselves.

Figure 2: Example of the endpoint profiler in a popular NAC solution, showing newly-connected and unknown IoT devices like doorbells and thermostats, with the ability to review a device’s authentication records (bottom-right corner of screen).

Summary

News headlines of the latest hacks demonstrate not only the need for authenticated network access, but device-specific network segmentation as well.

Network Access Control is just one part of a more-encompassing IT security policy, of course, but an ever more crucial one. And today’s NAC solutions make it easy to implement, which is unusually low-hanging fruit in the information security realm.

The CBTS Security Solutions team has Network Access Control subject matter experts on staff to not only assist with the selection, testing, and implementation of a NAC solution, but also to help build that more-encompassing IT security policy.

 


The spooky dangers of reusing passwords

How much of your personal and professional life is managed through online accounts? A lot, right?

If you’re like me, you like to spend time binge-watching shows on Netflix or Hulu, do online banking, online shopping, and stay in contact with distant friends and family through e-mail and maybe a social media account or two. With all these usernames and passwords to keep track of, it’s super convenient and easy to use one or two passwords across all your online accounts. But this practice is dangerous and could very well wind up being the end to your online privacy, individuality, and financial security.

In this short blog post, I will highlight some of the dangers of reusing your passwords across your accounts and what you can do to make yourself more secure in an increasingly spooky world.

Why reusing passwords across accounts is dangerous

Guessing passwords is easy

As a security consultant, my job is to assess the security processes and controls of computer networks inside organizations through vulnerability assessments and penetration tests. Part of my day-to-day is spent trying to gain authorized access to accounts and services, most often in the form of guessing passwords.

You may be surprised at how easy it is to guess passwords when considering the hometown of a user, their birth year, or their favorite sports team. The reality is, it’s simply not enough to change the numbers at the end, the season, your favorite four digit number, or substitute letters for special characters.
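Why those tweaks do not make a password different, shown as an added example (not from the original post): a small audit you could run over a list of your own account passwords. It strips the trailing numbers, season words and letter-for-symbol swaps described above and groups accounts that share what is left. The sample vault and the substitution table are constructed assumptions.

```python
"""Find accounts that share one memorised base password (illustrative audit)."""
import re
from collections import defaultdict

# Common letter-for-symbol substitutions (a small, assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def base_form(password: str) -> str:
    """Reduce a password to the part a person actually memorised."""
    p = password.lower()
    p = re.sub(r"[\d!?.#*_-]+$", "", p)  # trailing numbers/punctuation: "2019!"
    p = p.translate(LEET)                # undo substitutions: "b3ng@ls" -> "bengals"
    for season in SEASONS:               # heuristic: also trims "waterfall"
        p = p.replace(season, "")
    return re.sub(r"[^a-z]", "", p)      # drop any separators that remain


def find_reuse(vault: dict) -> list:
    """Return sorted (kind, accounts) pairs for every shared base password.

    kind is "exact" when the passwords are identical and "variant" when they
    differ only by the tweaks that base_form() removes.
    """
    groups = defaultdict(list)
    for account, password in vault.items():
        # All-digit passwords have no base left; compare them as-is.
        groups[base_form(password) or password].append(account)
    findings = []
    for accounts in groups.values():
        if len(accounts) > 1:
            distinct = {vault[a] for a in accounts}
            kind = "exact" if len(distinct) == 1 else "variant"
            findings.append((kind, sorted(accounts)))
    return sorted(findings)


# Constructed sample data, not real credentials.
SAMPLE_VAULT = {
    "bank": "Bengals2019!",
    "email": "B3ng@ls2020",
    "shopping": "bengalsFall19",
    "streaming": "Winter#Bengals1",
    "gym": "Tr0ub4dor",
    "news": "Tr0ub4dor",
    "social": "t7$Kq!vR2m#Xw9pL",  # generated, shares nothing with the rest
}

if __name__ == "__main__":
    for kind, accounts in find_reuse(SAMPLE_VAULT):
        print(f"{kind}: {', '.join(accounts)}")
```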

Your chances of a data breach exponentially increase

Reusing similar passwords across multiple accounts often results in data breaches and account takeovers. In the information security industry, the attack that takes advantage of this is known as credential stuffing.

Credential stuffing is an attack where computer hackers will scour data breaches for usernames, e-mail addresses, and passwords, and then use that breached data to gain unauthorized access to your accounts.

You need to do more, and I’m here to tell you what you can do.

How to make your passwords more secure

Identify password reuse attacks by monitoring your e-mail address against data breaching goblins

If you are feeling curious, visit haveibeenpwned.com (it’s safe, I promise) and enter your e-mail address. This website will let you know if your accounts have been exposed during a public data breach. This site also has a notify section that lets you monitor your e-mail address. If your e-mail address later turns up in a data breach down the road, you’ll be notified, and you should promptly generate another strong password.

Treat yourself to a password manager to knock the cobwebs off your passwords

To stop the dangers of password reuse, a nifty piece of software called a password manager can help.

Simply put, a password manager is exactly as it sounds, a manager for your passwords. The idea is to create a virtual vault where you store all of your passwords and sensitive data. Access to that vault is granted only by entering a very strong, unique, and memorable master password.

Now you might be wondering: isn’t using a password manager sort of like putting all your candy in one pillowcase? After all, like candy, passwords are precious. If you’re like me, I treat my passwords like I enjoy my candy bars, all to myself and each bite more delicious and unique than the last.

Here are two excellent reasons why using a password manager is much safer and helps protect your online accounts and digital life:

1. You only have to remember one really strong password. That’s it.

In popular password managers like LastPass, KeePass, or 1Password, incredibly strong and unique passwords are generated for you. This not only protects your accounts from hackers trying to guess your password, but also from data breaches.

Remember, hackers don’t always need to steal your passwords from you. They can locate or generate passwords themselves and use your password against you or somewhere else you’ve used it.

2. A password manager with two-factor authentication provides an additional layer of security.

“All your candy in one pillowcase” is actually a self-imposed fallacy! In addition to using a password manager, you should also use two-factor authentication (2FA) for sensitive accounts and services like your corporate passwords, online bank accounts, primary e-mail, and social media accounts. 2FA is a way to provide additional verification for devices and accounts you treasure.

For example, when I log into my online bank account, I enter my username and password, after which I receive a text message with a 6-digit PIN from my bank. I then use that PIN as my secondary password to get access to my bank account. So even if a hacker somehow gets access to your password, they would not have access to the second form of authentication! 2FA can take different forms too, such as a text message, a hardware security token, or a second password generated with secure software.

Wrapping it up: Trick the hackers by not reusing passwords and use a password manager instead

Just as you wouldn’t relinquish all your Reese’s Cups or Snickers bars to a single trick-or-treater, you shouldn’t reuse all your passwords on a single website or online account. Employing the time-tested and bellyache preventive measures of ensuring that each trick-or-treater is only allowed one candy bar per unique costume, a password manager ensures that you only employ one unique password per online account.

If I haven’t convinced you to stop reusing passwords, use a password manager instead, and enable 2FA where possible, the following articles may nudge you in the right direction:

 

Related Articles:

Is SMS-based Multi Factor Authentication Secure?

Understanding the “attacker mindset” in security

Create your data breach response plan

Cybertech Midwest 2019 Debrief

We just finished a few days with our friends at the Cybertech Midwest conference in Indianapolis. I try to visit as many information security conferences as I can each year—it’s one way my team keeps up with the latest research, learns about new attack scenarios, new tools, and understands the focal points of the community.

One of my favorite things about conferences like this is getting to hear from practitioners whose day-to-day work is notably different from my own. As a consultant, I spend more time in my clients’ worlds than my own, but that means I miss out on the experiences from industries and geographies where I don’t spend much time.

An area where this is especially true is state-level government here in the United States. We’ve spent time with city/county government, and other CBTS practices have done quite a bit at the state level, but our security practice doesn’t hang out there often, and as a result, I haven’t had a ton of exposure to the challenges and gaps that folks at the state level face.

So it was really exciting to hear from so many folks here that operate at that level – both CISOs and CIOs. What I heard was:

  • Traditional thinking and solutions aren’t effective enough anymore, and not just in terms of technology, but our thinking about solving security problems. Security folks end up very “siloed” as a function of being independent advisors . . . but we need to collaborate better with other teams in the business, for example folks with other areas of responsibility (legal, finance, HR, operations).
  • For some businesses, protecting data collected and used for analytics purposes can be as—or more—important than protecting financial or personal data, as it is the lifeblood of a lot of business operations. Make sure your data protection strategy covers that as well.
  • Business e-mail compromise (BEC) and fraud are still plaguing organizations large and small. At this point, if your business doesn’t operate using gift cards (which most do not), executives in the organization should pass the word to everyone: if you get a request to buy and provide pictures of gift cards to anyone with company money, it’s fake! Report it!

Going to a conference that doesn’t just focus on traditional enterprise security helps my team keep pace with the rest of the industry—and the rest of CBTS. We field every area of IT here, and clients of every stripe, and I best serve my clients and my colleagues when I can speak competently about their worlds as well as mine.

So let me ask you, the reader: where are you advancing your awareness of activities and trends in your field? You can read more about security services from CBTS.




Understanding “Data Breach Safe Harbor” law

Last year, Ohio’s General Assembly passed SB220, referred to as the Ohio Data Protection Act. This legislation takes an interesting approach to cybersecurity regulation. Instead of mandating that a specific set of security controls be implemented, this data breach safe harbor legislation offers an incentive for voluntary compliance with one of several industry-accepted standards.

In short, if your business has a documented formal security program that follows one of these standards, and if a lawsuit is brought against you for a breach of personal data, the data breach safe harbor law allows you to claim an affirmative defense.

A closer look at the data breach safe harbor law

If, like us, you’re not attorneys or legal scholars, some of that might have left you scratching your head. Our good friends at Dinsmore (they’re great lawyers) wrote up a great article on the subject. For the laymen among us, here’s what we think the data breach safe harbor legislation means:

  1. Acme Company has a security program based on the NIST Cybersecurity Framework. They’ve documented and can demonstrate their compliance to each of the approximately 100 requirements of this framework.
  2. Acme suffers a data breach – despite their strong defenses, an attacker is able to access and steal their customer database.
  3. Acme customers whose data is stolen participate in a lawsuit against Acme, claiming negligence on Acme’s part that contributed to the loss of data.
  4. Under the Data Protection Act, Acme can demonstrate compliance to the NIST CSF as a defense in the suit, and if they are successful, cannot be held completely liable.

Sounds pretty groovy, eh?

Law highlights industry-accepted standards

The idea of the data breach safe harbor legislation is to incentivize businesses to develop a security program, adopt a formal security standard as its base, and to actually follow it. The standards mentioned by name in the law’s language are the good ones, too:

And if you’re required to be compliant to PCI-DSS, the HIPAA Security rules, FISMA, HITECH, or GLBA, those count as well!

Effect of the law uncertain, but customers are intrigued

This is pretty appealing. Many companies have been targeted in lawsuits by the victims of their data breaches and have had to pay millions of dollars as a result.

Here’s the thing. This data breach safe harbor legislation is new and hasn’t been tested. We don’t know who decides how much compliance is sufficient to actually warrant an “affirmative defense,” or how much impact it will have on the final decisions in these kinds of cases. What we do know is that our customers are intrigued and have been asking for help in determining where the gaps are in their security program, and how to address them.

CBTS helps you navigate the always-shifting security landscape

CBTS has been advising customers on building strong security programs since 2005. We’re well versed in the standards included as a part of this data breach safe harbor legislation – we talk to customers about them every day. There’s never been a better time to invest in developing this practice in your business – contact us today!

NOTE: We are engineers, not lawyers. This blog post does not constitute legal advice and should not be used as such. If you require legal advice, you should consult a qualified lawyer in your jurisdiction.

Innovative security tools at 2019 RSA Conference

This year’s RSA Conference (RSAC) was bigger than ever – and I don’t mean that in the rote sense of “more exciting! Action packed! Full of more interesting things to see and learn!” I mean it literally – the physical space used by the conference that promises to showcase new innovative security tools covered more square mileage, and what was there was more densely packed. Good thing I brought my walking shoes.

So, does more equal better? Feedback from our customers and peers points towards the negative.

RSA reflects the crowded security solution market

Simply put, the security solution space is overcrowded. It makes sense – protecting your business, data, and assets from online threats is more of a concern now than it’s ever been. And certainly the market has reacted as one would expect, by growing exponentially. Standing shoulder to shoulder, vendors clamor for your attention, nearly every one guaranteeing they’ve got innovative security tools that will provide the assurance you’re seeking.

CBTS offers guidelines to help evaluate innovative security tools

Our team is uniquely positioned in this market. Our role is not to make empty promises to customers, standing between them and cybercriminals with a cape and tights. On the contrary, our customers depend on us to separate the wheat from the chaff, as it were. Customers expect us to point them to the practices and technologies that can materially improve the maturity of their security program. It requires a trained eye, to be sure, to identify these innovative security tools.

So what does CBTS look for in an enormous expo hall like RSAC’s? How do we pick our winners?

Guideline 1: Show me that your solution works; don’t just tell me

Execution is critical. More than what you say you can do, I want to hear success stories from your customers. What did their deployment look like? What other solutions did it displace or complement? What kind of staff does it take to admin and use? What kind of risk did it mitigate, and how? What threats did it stop or detect that couldn’t have been found otherwise?

Guideline 2: Innovative security tools must follow standards

Following standards is a personal big-ticket item for me. I was quite pleased to see how many vendors have adopted the MITRE ATT&CK Framework as a taxonomy to describe the kinds of threat tactics and techniques they can impact. If a vendor starts off the conversation by telling me the CIS Top 20 control category in which they fit, or the NIST 800-53 requirements they satisfy, I’ll be smiling ear to ear.

Guideline 3: Be wary of solutions that promise to solve all of your problems

The vendor that under-promises and over-delivers is valuable in my book. Claims that a product can solve all my security problems, or detect and stop every zero day exploit forever, will make me roll my eyes and move on. I want technology that solves very specific problems, tells me what it can do and what it cannot, and doesn’t try to boil the ocean. No product – no vendor alone, even – can satisfy every security need we have. Realism does the customer and the market a lot of good.

Guideline 4: It all comes down to innovation

Finally, innovation is at the top of my list. I look for technology used in truly new and interesting ways, and occasionally, I’ll find something new under the sun. Today anyone can cook up a fancy dashboard and an attractive, flashy UI. However, most of them are sitting atop the same approach as their conference floor neighbor. If I walk away from your booth and think, “huh, I’ve never seen anything like that before, and I think it could actually work!” that’s a healthy sign.

3 examples of innovative security tools

The SIEM space is a great example of a market segment where we’re starting to see more innovation. Here are three high-profile new offerings we saw announced around RSA:

  • Backstory, the new security analytics app from Chronicle, takes a new approach to log aggregation/correlation and incident investigation. Instead of presenting a simple table of log data from a structured query, analysts enter queries for common investigation-starting indicators – say, an IP address, username, or hostname. Backstory then provides a set of context-driven answers that give the analyst valuable insights immediately.
  • The demo of Azure Sentinel from Microsoft also caught my eye. While the investigation experience was much more reminiscent of a traditional SIEM, the UI presented an easy process to integrate event sources from Azure services, such as Azure SQL and Office 365, as well as sources from a variety of other network, server, and application platforms. An accessible, cloud-ready SIEM may be just what Azure customers are looking for.
  • Cisco’s Threat Response tool is similar – a “SIEM-like” interface that aggregates data from a variety of Cisco security products, such as Umbrella, AMP, and ThreatGrid. It also provides a really slick query/investigation interface to data from all of these tools.

Most interesting, though, were the licensing models for these three products:

  • Backstory is not priced based on log volume or events per second – common models from nearly every major SIEM player in the market – but instead based on number of employees. As a SaaS product hosted by Google, this means that storage is elastic and customers can maintain a virtually endless archive of data.
  • Cisco’s Threat Response may be even more appealing. It is free for use by Cisco customers that use AMP for Endpoints, Umbrella, next-gen firewalls, and ThreatGrid.
  • Microsoft’s Azure Sentinel, in its current preview program, is also free of charge to Office 365 customers.

CBTS wants to hear from you

So the next time you’re elbowing through a mass of people in a conference hall with the swag flying left and right, keep these criteria in mind.

And remember, CBTS has been helping customers leverage innovative security tools since 2005. Please contact us and let us know how we can help your organization.

Create your data breach response plan

Every so often, we get a panicked call from a client that is experiencing an information security breach. The client may have a rampant outbreak of ransomware, a defaced website, or worse … a complaint about lost or stolen data. The client needs to understand what to do next, and they don’t have time for a fancy sales pitch. This scenario is why we’re passionate about helping clients create a data breach response plan.

Resources to help you create a data breach response plan

CBTS consultants have stared down the business end of an information security breach. And when you come out the other side, there’s a lot of learning that needs to be done.

One of the first lessons: Prepare yourself before the next information security breach, and create a data breach response plan. Think carefully about the things you want to do before, during, and after an incident so that the information security breach does not become the end of your company.

CBTS has published a whitepaper based on our experiences with customers, as well as one of the best publications available on the subject: NIST’s Special Publication 800-61r2. The full document is worth a read.

We’ve combined the guts of their recommendations with our experiences to provide a brief, accessible guide for security and IT leaders and practitioners. This guide offers key insights on how to handle an information security breach, which will ultimately inform your data breach response plan. In our whitepaper you will find steps on how to:

  1. Properly and effectively prepare for an attack.
  2. Detect and analyze an intruder.
  3. Contain the attacker, eradicate their presence on your network, and recover the impacted assets.
  4. Assess your learnings.

CBTS is ready to serve as your trusted advisor

CBTS recommends partnering with a trusted incident response provider to assist in creating a data breach response plan, especially if your organization has no prior history of performing this function internally. A third party brings expertise and objectivity that are paramount to conducting a sound forensic investigation. We work with service providers in the space and can help gather your requirements and connect you with a provider that meets your needs.

CBTS Security experts can assist in all areas of maturing your incident response practice. Our consulting group can help assess your readiness to respond to a breach. And our product specialists can help collect your requirements and find best-of-breed solutions to complete your security strategy.

Retail networking solutions support security needs

Network security is a critical issue for retailers and their customers. CBTS offers retail networking solutions that include data protection services to ensure retailer data is neither lost nor compromised, and we partner with leading security and technology manufacturers to identify vulnerabilities in retail systems.

CBTS offers support 24x7x365

CBTS performs penetration, social engineering, and phishing tests, as well as environment, application, architectural infrastructure, wireless, and technology-specific assessments. These evaluations locate problem areas and recommend retail networking solutions to support your security.

Retailers also must have an extensive network security plan in place, complete with training on how to implement the plan in the event of an attack or breach. CBTS designs, builds, implements, documents, and tests disaster recovery preparedness programs to ensure retailers are covered 24x7x365. Our highly trained experts manage and monitor our retail networking solutions, and react immediately in the event of a threat.

Let CBTS help you address major network security issues

CBTS retail networking solutions address the major network security issues that today’s retailers face. With CBTS Network as a Service (NaaS), anti-malware and perimeter defense technologies protect your mission-critical systems against digital threats that could compromise business and customer data. CBTS NaaS also offers enterprise-grade firewall and security components to shield your network from malicious attacks.

Our NaaS solution works with current payment card industry (PCI) compliance solutions and adds state-of-the-art Intrusion Detection (IDS) and Intrusion Prevention (IPS) Systems. In addition, our Optical Sensor Cameras provide a continuous headcount of visitors while monitoring and recording their behaviors and patterns to provide enhanced visibility of your physical retail location’s security needs.

CBTS retail networking solutions help clients focus on customers

Customers will engage with retailers, and buy their products, if retailers can demonstrate customer data is protected. CBTS retail networking solutions facilitate network security for retailers, so that these businesses can focus on supporting customers.

At CBTS, your business is our priority. With a variety of solutions from data management to cloud services, we have what retailers need to increase sales in 2019 and beyond. Contact us today to see what CBTS can do for your retail environment.

Cloud helps schools secure data infrastructure

Today’s educational industry, both in the public and private sector, faces a number of unique challenges when it comes to provisioning and securing data infrastructure.

Educational institutions are continuously confronted with the same explosion of data and mounting demands for faster, more intuitive service offerings as other sectors of the economy. They are also operating with even tighter budgets and less in-house technical expertise. At the same time, regulatory burdens continue to highlight the conflict of maintaining privacy while fostering an open, equally distributed learning experience.

For most organizations, three critical data security issues arise when provisioning and securing data infrastructure:

1. Data value and use

Most modern educational programs rely on data to identify and promote effective teaching and learning strategies. But these programs are highly dependent upon secure infrastructure, both on the physical and virtual levels, to guard against breaches or misuse of data by legitimate users. At the same time, both educators and administrators require better training to ensure the integrity of systems and data, both of which are evolving at a rapid pace.

2. Data governance

Governance policies should encompass both privacy and transparency along the entire data lifecycle, from creation to collection, use, sharing, and archiving. This is the only viable way to build trust among students, parents, faculty, and other stakeholders that data is both accurate and protected, all while ensuring that it is being used to improve the educational experience.

3. Security and privacy

The enormous amount of data being generated these days is only part of the challenge. Equally important are the myriad systems that data traverses throughout the lifecycle. These can range from student information systems, enterprise resource solutions, learning management platforms, and library systems to a wide range of vendor-managed tools. These tools and systems must all be hardened against intrusion and monitored for misuse.

Securing data infrastructure the right way

Educational policymakers play a key role in resolving the educational industry’s challenge with provisioning and securing their data infrastructures. For one thing, they need to recognize the numerous support functions and systems that foster the twin goals of making data systems usable and secure. They also need to recognize that adequate funding is necessary, not just for the various systems and tools but for proper IT staffing and training for the entire knowledge workforce.

To accomplish these goals in an effective manner, it helps to concentrate on the following key elements:

  • A comprehensive implementation plan for effective data use and new systems. A project coordinator should be appointed to oversee execution of the plan throughout institutions and districts.
  • A regular maintenance and upgrade program. This is needed to confront the continuously evolving security environment.
  • A streamlined process for staff turnover. Role and permission setups, access to appropriate data systems, training on effective use, troubleshooting, and general technical support for data systems should be included.
  • Mechanisms to address constant changes in technology and regulatory compliance. Particular attention should be paid to the frequent upskilling of IT staff.

Cloud solutions offer multiple benefits

It should be noted that many of these issues can be addressed quickly and at less cost by converting legacy infrastructure to modern cloud resources and services. In the cloud, maintenance and upgrades are done by the provider, while security is often better than in most legacy deployments. At the same time, workloads can scale dynamically in the cloud, so you only pay for what you need. And with adequate mirroring and replication, backup data is better preserved even if primary systems are lost completely, as in a natural disaster.

Education is one of the most important social functions within a modern society, but it is also one of the most expensive and complicated. The cloud can ease much of this burden, allowing schools to concentrate more fully on what they do best: teaching.

Learn how CBTS partnered with a private university to create a comprehensive plan for upgrading wireless and wired network access in residence halls, setting the stage for campus-wide WiFi connectivity.

Learn more about the CBTS partnership with the Dayton Public School District here.

Discover more about how CBTS delivers state-of-the-art technology for today’s schools and universities to keep up with the ever-increasing demands of students, parents, faculty members, administrators, and community stakeholders.

Continuous Penetration Testing critical for security

The rise of sophisticated new hacking tools has presented the modern enterprise with unpredictable and unprecedented security risks. While major attacks from highly sophisticated and sometimes even state-sponsored actors and organized cyber criminals garner most of the headlines, equally disturbing is the prevalence of ready-made hacking code, which can be downloaded and launched against unsuspecting targets with little or no coding skills.

To counter this, today’s enterprise must remain ever-vigilant to emerging threats, which means not only deploying the latest security measures but constantly testing them against real-world conditions.

CBTS helps you defend critical infrastructure

CBTS Penetration Testing (Pen Testing) provides the enterprise with the first step in defending critical infrastructure against malicious attacks. Our top security experts carry out what is commonly referred to as “ethical hacking”; that is, they try to break your security framework through a series of simulated attacks to identify vulnerabilities.

These attacks target key elements, such as:

  • Network infrastructure: Plugging gaps here can prevent intrusions that may cascade throughout the entire IT environment.
  • Critical assets: Facilities, systems, and equipment that can cripple operations if brought down by a cyberattack.
  • Wireless networks: Wi-Fi can often be used as a back door to critical infrastructure.
  • Web applications: 90 percent of all vulnerabilities lie on the application layer.
  • Physical assets: Hardware, software, data, and even personnel are vulnerable to attacks that can do serious damage to operations.

In addition, we conduct research into public vulnerabilities, followed by a staged breach to gauge your response capabilities. Afterward, we provide a detailed vulnerability analysis that includes recommendations for strengthening your security posture.

All of this is designed to find the holes in your data environment and correct them before hackers go rogue within your vital IT infrastructure. Our goal is to test multiple attack pathways without creating unnecessary risk to your network environment. We also work with each client to conduct an expansive assessment of operational processes, documented policies, and existing security controls to create a highly refined security posture, right down to the needs of individual business units, based on the industry-leading NIST Cyber Security Framework.

Deploy cutting-edge solutions with CBTS

CBTS also has the expertise to deploy cutting-edge security solutions for every major business sector. We have established strategic partnerships with leading network and information security vendors to provide exceptional technology and technical support to our clients. Our engineers maintain the highest levels of certification, including CISSP, CISM, CCIE, and many others.

In this day and age, security is not something to be taken lightly. The distributed nature of modern IT infrastructure means that the enterprise can no longer wall itself off behind a firewall and hope for the best. Modern security requires a continuous, proactive approach that strives to keep you one step ahead of those who seek to compromise your IT infrastructure, whether it be to steal your data or shut your systems down.

After all, it is far easier to protect yourself ahead of time than it is to recover after the fact.

Learn more by reading our Penetration Testing infosheet.

 


2018’s Top 5 Enterprise Security Problems

It’s the most wonderful time of the year! No, we’re not breaking into song and dragging out the holiday lights … it’s National Cybersecurity Awareness Month, my favorite month-long holiday where I don’t have to buy gifts.

I hear from customers every day who are concerned about all of the ways attackers might get into their networks and onto their assets. Effectively protecting your organization certainly can feel like a moving target, and yet, when I consider the threat landscape from the past 20 years, some of the same weaknesses are still just as prevalent today as they were in 1998.

So what should keep security leaders and practitioners up at night today?

In assembling this list, my team and I considered the last few years of notable breaches. What are the bad guys grabbing from their toolbox when they start planning an attack? What’s most reliable for them? What can they count on finding when they evaluate a target’s environment?

I hope you’re ready for some acronyms and buzzwords as you read our thoughts on this set of questions:

5. Weak configuration on endpoint systems

We’ve grown a lot as an industry – and so when a modern enterprise operating system rolls out today, it’s had more effort put into ensuring a minimal attack surface than ever before. But your network probably still has legacy operating systems, network devices, and applications. And they’re often less hardened – running older protocols like SMBv1, allowing authentication using older suites like NTLMv1 or even LANMAN, or using services that send credentials, files, and session data in cleartext like SNMP or telnet.

I’ve seen customers embark on a ‘network modernization’ project to resolve some of these issues. They retire older applications and services; update their operational processes; and go through a hardening exercise using benchmarks from the platform vendor or from the Center for Internet Security.

4. Unrestricted cloud storage

In a rush to migrate applications and workloads to hosted infrastructure, we find many developers and architects overlooking basic access controls that restrict the public internet from downloading sensitive data. As a result, we’ve seen millions of records of PII exposed in the last few years.

Often, the culprit isn’t even the organization itself. Many times, a third-party marketing, analytics, or development group was given the data and left it out in the open. This oversight is most certainly what regulatory standards like GDPR are meant to address.

So, check the restrictions on your cloud storage – as well as the practices of the partners to whom you’re giving your data!

3. Unpatched software

Strong vulnerability management is still a challenge, and with more organizations allowing employees to use personal devices to handle company data, ensuring that all assets stay patched is a constant battle.

Patching effectively doesn’t happen by accident – it will take a concerted effort by security and operations staff to make sure patches are identified, tested, and distributed within 30 days of release, and that stragglers are identified and corrected through vulnerability assessments. Missing just one server can make all the difference!

Key to this effort: Know the assets that store and process sensitive data, and that run business-critical applications, and start your rigorous patching cycles there. Then expand to the entire environment in a phased approach. Or, have us do it for you.
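One way to run the 30-day check and the critical-assets-first ordering described above, as an added example that is not part of the original article. The host names, patch IDs, dates and the two-tier scheme are constructed assumptions; a host the assessment never reached is reported separately, since its patch state is unknown.

```python
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 30  # the article's window: patched within 30 days of release

@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str    # constructed placeholder, not a real advisory ID
    released: date   # vendor release date of the missing patch

# Constructed inventory: host -> tier (1 = sensitive data or business-critical).
INVENTORY = {"pos-db01": 1, "hr-app02": 1, "erp-app01": 1, "kiosk-17": 2, "print-03": 2}
# Hosts the last vulnerability assessment actually reached (constructed).
SCANNED = {"pos-db01", "hr-app02", "kiosk-17", "print-03"}
# Constructed findings from that assessment.
FINDINGS = [
    Finding("kiosk-17", "PATCH-A", date(2018, 8, 14)),
    Finding("pos-db01", "PATCH-B", date(2018, 9, 11)),
    Finding("hr-app02", "PATCH-C", date(2018, 10, 9)),
    Finding("pos-db01", "PATCH-A", date(2018, 8, 14)),
]

def overdue(findings, inventory, today, sla_days=PATCH_SLA_DAYS):
    """Findings older than the SLA as (tier, days_overdue, host, patch_id),
    tier 1 first and most overdue first within a tier."""
    rows = []
    for f in findings:
        days_over = (today - f.released).days - sla_days
        if days_over > 0:
            # A host missing from the inventory is treated as tier 1 until classified.
            rows.append((inventory.get(f.host, 1), days_over, f.host, f.patch_id))
    return sorted(rows, key=lambda r: (r[0], -r[1], r[2], r[3]))

def unassessed(inventory, scanned):
    """Inventory hosts the assessment never reached: their patch state is unknown."""
    return sorted(set(inventory) - set(scanned), key=lambda h: (inventory[h], h))

def report(today):
    """Print overdue findings, then unassessed hosts, in remediation order."""
    for tier, days, host, patch in overdue(FINDINGS, INVENTORY, today):
        print(f"tier {tier}  {host:<9} {patch}  {days} days past SLA")
    for host in unassessed(INVENTORY, SCANNED):
        print(f"tier {INVENTORY[host]}  {host:<9} not assessed, patch state unknown")

if __name__ == "__main__":
    report(date(2018, 10, 20))
```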

2. Weak passwords

Yes, we’re still talking about passwords, despite tech media calling for their death for at least a decade. Face it, we’re stuck with passwords for the time being, and that’s why we still see attackers stealing them, guessing them, and cracking them.

If you’re a security practitioner, you should worry that your employees’ AD passwords are the same as the one that they set on their LinkedIn account that was stolen years ago. Or, whether your network admins remembered to change the default password on the Cisco switch in the closet, or the Liebert power unit controlling the power in the datacenter.

Password reuse, easily guessable passwords, and unchanged vendor-default passwords are still juicy opportunities for attackers. Good vulnerability management means auditing enterprise passwords, setting a strong password policy, and for goodness’ sake, using multi-factor authentication for critical applications, privileged accounts, and remote access.

1. Phishing and Social Engineering

You have to try really hard to work in a modern office environment and not know that phishing is a problem. So why do users keep falling for the scams? Because it’s still trivial for the bad guys to recon their targets, cook up an extremely convincing pretext, and slip it past your defenses.

You’ve probably heard of at least one successful phishing attack that led to someone installing ransomware in their environment in the last year. Or, one successful e-mail scheme that had a hapless junior financial staffer wire-transferring emergency funds to someone they thought was the CFO.

A series of controls are required to effectively protect against these kinds of attacks. People must be trained regularly, and you should use a variety of methods to teach them how to spot an attack. Processes and policies must enforce good behavior and hygiene to ensure employees know the consequences of a breach. And technology must protect the business, its data, and customers from ourselves – restricting access to malicious websites and email, stopping malware, and detecting attacker movements inside the network.

Thanks for reading, and enjoy this lovely month of October!

To learn more about CBTS security strategies, read our Ebook on Why your backup solution is crucial to defending your organization from ransomware.

 
