For enterprise organizations, security transcends the day-to-day defenses against attacks.

Large companies often have to simplify, unify, and modernize security systems and security solutions that have grown complex and ineffective. In a merger, corporate security teams must reconcile a range of competing hardware and software configurations. At some point, most enterprises bring in security consultants to help make sense of their challenges and manage the most complex security tasks.

CBTS recently helped a global corporation grapple with these challenges. Here’s a look at three things we had to accomplish so that our client can manage the security threats coming at them from all directions.

1. Streamline your security solution.

Our client has factories, offices, and other facilities in the United States and overseas. Over the years, individual business units acquired a vast array of security technologies that became increasingly difficult to manage.

When the company merged with another global enterprise, it faced a major challenge in hardware and software complexity, which left the company vulnerable. Meanwhile, persistent intrusions and malware attacks exposed weaknesses in the client’s ability to identify intruders and neutralize them before they reached sensitive data.

The company contacted CBTS to help them bring all of their security solutions under the umbrella of a unified security platform. We partnered with a top Silicon Valley security technology provider to implement next-generation firewall hardware and intrusion-detection software.

These new tools allow security experts to sandbox malware code, fend off zero-day attacks, and detect evidence of advanced persistent threats.

2. Centralize security management.

A company with locations around the world needs a central platform for all of its security operations. The Panorama platform from Palo Alto Networks helped us ensure every site views their security status through a single pane of glass that provides in-depth insights on network activity and security threats.

Panorama helps IT admins:

• Manage multiple devices and data sources through a common interface.
• Create a common rule base for firewalls, IPS, URL filtering, and other functions.
• Set group hierarchies to separate devices into subgroups that match the company’s organizational structure.
• Create templates to automate security configurations.

The result is much better visibility of the entire network system and all the security tools within it.

3.  Partner with an IT security solutions expert.

Our global manufacturer needed a partner with two kinds of expertise:

• Direct internet security experience, knowledge, and training across a wide variety of industries and markets.
• Managed services capabilities in on-premise, hybrid, and public cloud infrastructures.

The company needed an IT security provider with extensive experience. CBTS security experts have comprehensive training and deep expertise in highly sensitive security environments.

We also have a managed-services division specializing in security. This service delivers 24x7x365 monitoring, intrusion detection, and advanced perimeter defense.

Find out more in our free case study

Our combination of deep expertise and partnerships with world-class enterprise security vendors ensures we can match clients with the provider that best solves the client’s unique IT challenges.

Our global manufacturing client now has a robust security apparatus—racks of firewall hardware supported by the most advanced cyber defense software on the market.

Download our free case study to see how we did it.

Related Articles:

Security experts leverage offensive, defensive tools

Understanding the “attacker mindset” in security

2018’s Top 5 Enterprise Security Problems

The latest “religious war” brewing in the information security community seems to center around whether or not SMS text messages should be used to deliver one-time passwords (OTPs) as a method of multi-factor authentication. Oh, for the days of emacs and vi!

Two recent news stories have contributed to the increased chatter around this issue. Google claims that they’ve seen no successful phishing attacks against their 85,000 employees since early 2017 when they migrated away from OTPs as a second authentication factor and switched to physical security keys. And, forum website Reddit recently discovered a breach and claims that the attacker was able to steal administrative credentials by intercepting the administrator’s OTP that was sent via SMS.

Opponents of SMS-based MFA believe that this act – obtaining OTPs sent via SMS – is trivial in 2018. Let’s examine some of the methods that attackers can employ to accomplish this.

How Attackers Steal SMS-Based OTPs

The most common method of attack is called “SIM jacking”. An attacker can contact the target’s cell provider, claiming to be the target, and convince the provider to switch the target’s phone number to a new SIM card, one that’s loaded in a phone the attacker possesses. They are then able to receive the target’s text messages and phone calls. Similarly, a “porting” attack involves contacting a different cell provider than is used by the target, and asking the provider to port the target’s number to that service.

A more complex attack can be conducted against the Signaling System 7 (SS7) infrastructure used by different telcos to interact with each other. An attacker with access to this infrastructure – not an easy feat by any stretch – could intercept text messages and record phone calls.

Finally, malware loaded on a mobile device that can intercept SMS messages, and deliver them to the malware’s operator, has been around for years. Often it is distributed as a part of a legitimate-looking application, as was the case with the Perkele and Pincert malware families.

Should You Be Using SMS For OTPs?

If you’re an individual concerned about protecting access to your accounts, should you be worried?

Somewhat. Certainly, there are ways to intercept SMS messages. Most require concerted effort by a human attacker, though, and while this obviously occurs, it’s far from as likely as the opportunistic attacks that we see most individual home users dealing with. Put simply, most people won’t find themselves targeted specifically for this type of attack, unless there’s a cybercriminal or nation-state dedicated to gaining access to their data and systems.

(For my own personal security, I trust SMS-based OTPs for some websites and applications that don’t handle my financial information or any personal information beyond my email address. For all others, I use stronger controls, such as physical keys and authenticator apps that generate OTPs only I can see.)

How SMS-Based OTPs Affect Enterprise Security

Enterprises have a different set of use cases, though, than individuals. Tasked with protecting access to business-critical applications, sensitive data sources, and privileged accounts, enterprises must make different risk calculations than home users. Deploying MFA in the enterprise requires the rollout and administration of authentication applications, management of keys for individual users, and integration with existing directories and user-facing services like the helpdesk.

Security teams in these circumstances may consider a mix of tools and products. One of our guiding principles in designing security architecture is that the complexity of a given security control is likely to grow in proportion with the criticality of the asset being protected, or the severity of the risk in question (or both). Applied here, the simplicity of using SMS 2FA may not outweigh the risk of a targeted attack that would expose SMS-based OTPs, and therefore would not be sufficient to protect access to critical applications or elevated privileges. While managing hardware keys adds overhead and complexity, it does reduce the risk of compromise of credentials by guaranteeing a more effective second factor.

A variety of solutions beyond SMS-based OTPs and hardware keys exist, though. CBTS partners with vendors like Duo Security, Microsoft, and RSA to help sort out the right approach for enabling MFA in an enterprise. We’d love to help you figure out the most effective path forward.

Related Articles

The Ten KRACK Commandments

The key to strong security programs

Hurricanes impact everyone from Houston to Miami to Manhattan—especially people running IT operations often times without a disaster recovery as a service (DRaaS) solution.

The push for digital transformation presses this point home during hurricane season which starts in June and runs through November. Organizations depend on constant access to data, networks, sensors, and servers like never before.

There’s plenty to worry about in Hurricane Alley and population-dense areas of the Eastern Seaboard. High winds knock out power lines in the storm’s path. Heavy rains flood cities and towns hundreds of miles inland for days after a hurricane makes landfall. Evacuations clog highways and separate people from their homes, offices, and workplaces.

The hazards became all too evident in 2017. Hurricane Harvey hovered off the coast of Houston in late August, delivering pounding rains that swamped vast swaths of the city and inflicted $125 billion in damages, the worst since Hurricane Katrina. In the days and weeks to come, Hurricane Irma menaced South Florida and Hurricane Maria devastated Puerto Rico.

Moreover, few IT professionals can forget the impact of Hurricane Sandy in 2012, when high winds and flooding punished organizations that lost their data centers and their backups. If your organization requires always-on IT access, you can’t afford to ignore even remote risks of hurricane-related outages.

How DRaaS reduces hurricane risk

One way to mitigate hurricane hazards is to partner with experts in DRaaS, which has four core advantages:

• Distance: IT operations can be hosted in data centers beyond the reach of powerful storms.
• Real-time failover: Replication and virtualization technologies allow your DRaaS provider to create a redundant version of your critical systems, holding downtime to a minimum and protecting your business reputation.
• Cost: You don’t have to invest millions designing, configuring, and managing a redundant data center that goes unused for months or years at a time. Your DRaaS provider takes care of everything. You pay a predictable monthly fee based on usage.
• Expertise: Replicating all your IT services is an incredibly complex prospect, requiring deft design, careful implementation, precise documentation, and thorough testing. Typically, it’s more efficient to hire experts than it is to spend months learning all the facets of disaster recovery yourself.

At CBTS, we have extensive experience with data centers, replication technologies, and system design. Our DRaaS experts have set up these kinds of systems for a broad range of industries and marketplace requirements. Our expertise arrived just in time for a South Florida company in 2017.

Case study: Wittock CPA

CBTS helped an accounting firm keep its operations online during Hurricane Irma in 2017. Wittock CPA was working with a large volume of data related damage claims from the 2010 Blackwater Horizon oil spill. The company required a 15-fold jump in staff to handle the claims and could not afford the prospect of days or weeks of downtime from a hurricane.

CBTS implemented a cloud-hosted environment with high-availability data centers hosted in the Midwest, far from the hazards of storm-related downtime. When Hurricane Irma made landfall, employees had access to their data, and all critical systems remained online. CBTS support staff helped resolve employees’ questions as they came up.

“I’ve had a long career in the IT industry and know what it takes to protect a rapidly growing firm like Wittock CPA from simple incidents to much larger threats like a hurricane. Irma would put any organization to the test, but because we took the preemptive steps to implement business continuity and cloud hosting with CBTS, it was business as usual from an IT perspective.”

– Craig Turner, Director of IT and Continuity, Wittock CPA

To find out more about how CBTS helped this company dodge a disaster, download our free case study.

Related Articles

Azure creates a powerful DRaaS environment

CBTS: We have you cloud covered

Justin Hall is Director – Security Services for CBTS. In the last post of this 3-part series, Justin discusses ways to learn the tools used by security practitioners. In Part 1, Justin discussed the process of developing a background in enterprise IT. Part 2 focused on how to better understand the “attacker mindset.”  

An understanding of the purpose and operation of commonly used security tools not only gives you practical capabilities, but helps to shape that mindset we discussed last time – the attacker’s goals and how they plan to technically accomplish them.

It’s a common theme in security to cut the industry in half and call one side “offense” and one side “defense.” Offense is the practice of compromising a network, while defense is about protecting a network against those efforts.

Every time I speak to a group of students looking to get into the security industry and I ask what excites them about the field, invariably a few of the students respond: “We wanna hack things for a living!” I can’t say I blame them. It’s certainly been one of the more entertaining elements of my career. In that vein, many folks assume that learning the tools used by security practitioners means only the offensive tools.

Offensive tools in security

Learning offensive tools is rewarding on many levels: Gaining practical experience, solving problems when the tools don’t work as expected, and exposing your brain to the approaches taken by an attacker. Probably the most common path is to grab a collection of tools in a package like Kali Linux (built around penetration testing) or SamuraiWTF (built around web application testing) … but then what next? We recommend trying some “capture the flag” (CTF) exercises where you can actually attempt common goal-based attacks in a safe environment. You can also participate in live CTF competitions at security conferences. You might also play around with purpose-built virtual machines and applications that are built solely to practice offensive techniques.

Defensive tools in security

Defensive tools might not be as exciting, but are equally valuable from a learning and career preparation perspective. As they’re typically commercially sold products, we recommend grabbing free versions of some of the more popular tools, such as:

• Splunk, the log management platform. Splunk also offers a great add-on module (a “Splunk app”) called Security Essentials that’s meant solely for learning how to build, run, and use the product as a security monitoring and incident response tool.
• OpenDNS, the DNS/web security product. I use this on my home network to filter malicious and adult traffic, and it’s a great, low-impact project to deploy and maintain a fairly simple but incredibly effective security control.
• Immunet, an endpoint security product. If you use Windows, you can certainly learn a bit about endpoint protection by messing with the configuration of the built-in Defender antivirus product, but Immunet goes a step beyond by leveraging threat intelligence gathered automatically from infections caught by other deployed Immunet clients.
• Nessus, a vulnerability scanner. Use this to scan your home or lab network for vulnerabilities, and then read up on what it discovered, and fix them. Nessus is free for use in the home for up to 16 hosts.

Understanding common IT applications

Security practitioners don’t just use tools that are designed for security work. It is just as important to learn the role played by common applications that IT professionals sit with every day. Some examples:

• Active Directory and Group Policy. In a Windows environment, these applications control system configuration, authentication, role-based access, service interoperability … and yet many security practitioners have no fundamental understanding of how these tools work and are used.
• I love Chris Campbell’s description of Powershell as Microsoft’s post-exploitation language – most security folks think of this tool solely as a mechanism to attack a target system and not get caught, while IT ops folks think of it as a powerful scripting platform that can automate a ton of functions. Either way you see it, if you’re in IT or security in 2018, it’s worth the effort to gain fluency.
• Prefer Linux? Get to know the shell you use (probably bash) and common GNU command line tools like grep, sed, and awk. The Command Line Kung-Fu blog is an excellent resource. Learn regular expressions and bpf while you’re at it.

I’ll put down the firehose for now and encourage you to start anywhere in this list of topics – any and all of them will be helpful to get you moving in your journey to a security career, and build off the other components as well as your existing knowledge. We’re looking forward to having you. Good luck!

Read more about Security offerings from CBTS.  And read this case study to learn how CBTS helped an enterprise client form  a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.

Justin Hall is Director – Security Services for CBTS. In Part 2 of this 3-part series, Justin discusses how to better understand the “attacker mindset.”  In Part 1, Justin discussed the process of developing a background in enterprise IT.

Practitioners in the security industry are charged with protecting organizations and their assets – their computing environment, data, employees, and customers. Understanding the threats against which you are defending is critical to this protection effort. What are they after? How do they achieve their goals? What can you expect when you face them? What countermeasures and strategies are effective to employ?

The best defenders of a network are used to thinking like an attacker. So how does one develop this mindset?

Plenty of folks in our industry started as so-called “black hats” – those who attack, disrupt, or compromise computer systems for financial gain, to back a political or social cause, or to cause havoc. While this is certainly an effective approach, it’s usually not legal.

I’ve found that listening to industry veterans and seasoned practitioners, as well as former black hats, is a much better option. In that vein, try attending security conferences and events where you can listen to these folks speak and provide formal training. There’s also a good opportunity to learn about the ever-changing threat landscape, new attack techniques, and new tools.

Hundreds of security conferences take place all across the United States and other countries – look at a list and find one in your area. A way to meet local practitioners, especially ones that might be interested in providing you guidance and mentoring, is to find a Security BSides conference, which are assembled and executed by volunteers. And if you can’t make it to a security conference, most nowadays are recorded and posted online.

We can also learn to stop attackers by looking at the best practices agreed upon by experts from the security community, regulatory bodies, and technology vendors. Dozens of these standards have been used by practitioners for years and make excellent reading material if you’re looking to get ready for the industry:

• The NIST Cyber Security Framework. As mentioned in a previous post, the CSF is a guide to developing a formal security program. Their publication 800-53r4 is also the “gold standard,” as it were, for security controls – the fundamental people, processes, and technologies you need to have in place to protect your organization.
• The Center for Internet Security’s Top 20 Critical Security Controls. If NIST 800-53r4 is too wordy, the Top 20 is a consolidated and far more approachable standard. It’s also much more frequently updated and is shaped by feedback from the security community at large (and not just NIST).
• The MITRE ATT&CK Framework. MITRE’s goal with this resource is to document common attacker actions and tactics, along with methods of detection on a variety of popular computing platforms.
• The Open Web Application Security Project. A group that oversees many community-based application security standards-development projects. One of their most popular is the Top 10 Common Web Application Security Risks, an often-referenced list of the issues in web applications that developers need to consider when writing secure code.

Lots to read and watch! Come on back soon for part 3.

Read more about Security offerings from CBTS.  And read this case study to learn how CBTS helped an enterprise client form  a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.

Justin Hall is Director – Security Services for CBTS. In Part 1 of this 3-part series, Justin discusses how  a core knowledge of enterprise IT is critical in order to effectively protect networks.

For several years I’ve been going back to my alma mater, the University of Cincinnati, to speak to groups of undergrad and graduate students about the information security industry. My goal is to demystify security and inspire them to consider a career in one of a dozen security disciplines.

Invariably during these talks I am asked a very common question: “How do I get a job in the security industry?” In response, I’ll share my own 20-year story, starting in PC repair and sales, moving to tech support, systems administration, and running an IT department, before jumping into a security career – first as an engineer, architect, and consultant, and then running a security team.

I’ll also share three essentials to successfully landing a security job, which I’m going to cover in this blog series. There’s no single path to the industry, to be sure. In order to develop a foundation that can land an entry-level job and provide an arc to a long-term career, it’s worth looking into these fundamentals.

Core knowledge of enterprise IT

Today, we’ll cover number one: a core knowledge of enterprise IT. This is perhaps a bit obvious – certainly someone needs to be technical and understand how a computer works to survive in security, right?

The depth required goes beyond CPU, RAM, and a hard disk. To effectively protect any company network, one needs to recognize the critical components – servers, workstations, network devices, applications, and security defenses. How do they interact? In what network segments do they typically sit? What products or solutions are commonly used in each of these categories? At a high level, what are the essential configuration best practices for each?

For example: Imagine a network used by a physician’s office. Think about the variety of computing devices in use there: Beyond traditional workstations, multi-function printers, and laptops, you might see connected medical devices, credit-card processing machines, and surveillance cameras. Servers would run authentication systems, file management, accounting and finance, ERP, messaging, and electronic medical record apps. Some may be running from local servers, and some may sit in the cloud. Network devices will include switches, routers, wireless access points, and firewalls.

Now imagine a software company. What types of assets would be the same as the physician’s office? What would be different? How would their IT needs be similar/different? What about a retailer or bank? What happens when you add multiple sites/locations? Imagine scaling up to the size of a multinational conglomerate. Think about the pieces and parts that need to change, duplicate, or scale.

Enterprise IT involves depth and breadth

This scope of understanding is what I mean by “knowing enterprise IT.” There’s a level of depth in addition to the breadth, though. Defending an environment with Windows workstations and servers, for example, means understanding the fundamentals of what makes Windows tick – the filesystem, registry, Group Policy, configuration, and the like.

How does one acquire this knowledge?

• Build it yourself! A home lab is a great place to get hands-on experience with enterprise IT. You could grab an old PC and install free versions of VMware’s vSphere or Microsoft’s HyperV, and deploy eval copies of Windows Server and workstation OS’s, Linux, or a variety of prebuilt VM appliances. Tons of great tutorials exist – I like this one from Paul Braren on building a VMware ESX lab.
• You could also use free or inexpensive tiers of service offered by IaaS providers like AWS, Azure, or DigitalOcean to build VMs quickly, install and configure applications, and build virtual networks.
• If you’re serious about improving your enterprise IT knowledge, and want to invest your time and money, find a local university or online school that offers IT courses or degree programs.
• Finally, take the plunge and find a systems or network administration job. Without a formal education in security, it’s rare to be able to jump right in without doing the so-called “grunt work” needed to acquire real-world experience. A few years building, breaking, and fixing some enterprise networks is sure to cement your ability to operate with comfort in the industry.

Thanks for reading! Stay tuned for part two.

Read more about Security offerings from CBTS.  And read this case study to learn how CBTS helped an enterprise client form  a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.

Congrats are in order for the folks over at the National Institute of Standards and Technology! A few weeks ago, a new version of their Framework for Improving Critical Infrastructure Cybersecurity (which we call the Cyber Security Framework, or CSF) was released.

The CSF, as with most other NIST Special Publications around security, receives regular updates to keep pace with the changes in the threat landscape, the security product market, and new regulatory compliance requirements in a variety of industries. I talk often to customers who are facing the challenge of protecting their data and systems, but find it hard to adjust as those factors change year to year, and they feel there isn’t sufficient organizational focus on practicing good security.

What is a security program?

You may have heard the term “security program” before – you’d certainly hear me mention it in these conversations with customers. Maybe it’s why you clicked on this article. What is a security program? What’s so magical about it that I need it in my organization?

When I describe a security program, I’m talking about the collection of individuals, teams, and their efforts to protect their organization from a variety of threats. I’m talking about the policies, standards, and guidelines they enact to formally document roles, responsibilities, actions, and behaviors of employees, users, third-parties, and anyone else that might have a role in this protection effort. I’m talking about the management efforts to advance the maturity of the organization’s protection effort, and to mitigate risks to the business.

It’s a team, led by a leader or group of leaders, much like many other teams in your organization. Yours will look similar to other teams … and also very different. There’s no one right way to build a security program (but certainly plenty of wrong ways). What helps is a guide – and the NIST CSF is a fantastic, free guide built just for that purpose.

It defines five Functions for which the security program is responsible: Identify, Protect, Detect, Respond, and Recover. It details how to build a security program, and grow it over time, to achieve this goal. And it provides a way to measure your capability and the success of the program and how to tell if it is meeting its goals.

JD Rogers, the CISO of Great American Insurance, did a fantastic talk last year on how he and his team used the CSF to develop a strategy to grow and measure the success of their security program.

CBTS will help you with security

If your organization doesn’t have a security program today, and you might be a person considered responsible for security in that organization, the NIST CSF is absolutely worth a read. It may seem daunting, but Rome (and its security program) wasn’t built in a day. You may be able to look back a few years later, after beginning these efforts, and see real change that’s been affected because of this practice. You might even sleep better at night!

If you’re interested in seeing how you stack up to the NIST CSF, or if you’d like help with those critical first steps of building your security program, come and talk to us. We’ve helped many businesses in many industries with this process and we’d love to help you.

Read more about Security offerings from CBTS. 

The impending enforcement of the European Union’s General Data Protection Regulation (GDPR) will lead to challenges for nearly any business that operates on the internet. The sweeping privacy reforms demand a new standard in handling personal information.

There’s a good chance it leads to improved protection of personal information for everybody – simply because the technical requirements to only implement the regulations for EU citizens may outweigh just developing the capability for all of a company’s customers or users. 

What should I know about the GDPR?

If you’re unfamiliar with the GDPR, I suggest spending a few minutes watching this excellent primer from Habitu8. In short: 

• The GDPR redefines personal information broadly, including any data that can uniquely identify an individual or the computer they’re using.  
• If you collect, store, or “process” this kind of information about EU citizens, you’ll be required to outline the ways you do so, and obtain the explicit consent for these actions from your EU users. 
• If you pass this information to another organization – say, someone who processes it for you – you must obtain consent from EU users, as well as develop an agreement with the other organization outlining exactly how the data must be stored, used, and destroyed. 
• EU users have the right to request a copy of the personal data you have on file for them, and it must be provided in a format that’s portable. EU users can also request that you stop using their data and destroy your copy. 
• Most organizations operating in the EU will need to appoint a Data Protection Officer (DPO). This individual will oversee the handling of personal data in the organization, ensure compliance with the GDPR, and field any complaints or issues that arise from EU users. 
• If you experience a data breach, you have 72 hours from the time of discovery to report it to the supervisory authority. 

The GDPR takes a firm stance on privacy by default – you must obtain consent for any collection, storage, or use of a user’s personal data – instead of assuming you can use it in any manner you like without asking. 

How do I know if the GDPR affects my business?

Perhaps you’re a small business that doesn’t operate in the EU. Why bother with the GDPR at all? Well: 

Do you operate on the internet? Allow users to sign up for an account? Unless you’re explicitly restricting access from certain geographic locations, if an EU user creates an account with you, you’re required to abide by these regulations as it pertains to their personal information – including name, address, username, email address, and yes, even the IP address you log for their session with your servers, or the cookie you issue to their web browser. 

If you don’t do business in the EU now, but you plan on expanding across the Atlantic in the future, this will end up impacting you, and you may be asked to build the processes required before you start work in that locale. It might be better to start considering implementation sooner rather than later. 

Finally, you might start seeing pressure from third parties to conform to these kinds of regulations even if the third party isn’t in the EU. Companies and consumers are all looking for ways to better protect their personal information and you might be asked to start providing similar protection or risk losing some business. 

Where can I learn more about the GDPR?

The European Data Protection Supervisor’s website has some great practical resources for starting down the path of implementation. Their legal notice on handling of personal data could be useful to duplicate for your own website, for example. They also publish the details of their own DPO’s roles and responsibilities which may act as a guide for the creation of the role inside your organization. 

If your hands are a little more damp now than when you started reading this post, that’s understandable! Let us know if we can be of assistance in navigating your GDPR challenges.

You may have heard some buzz about a vulnerability in the Wi-Fi protocol WPA2. Of course, it’s got a cute, marketable name (Key Reinstallation AttaCK, or KRACK). It’s fairly serious, despite the clever title – the researchers that discovered and published the details of the vulnerability say in their paper:

“An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.”

The security community is alarmed, and rightfully so: every wireless access point and client device, including laptops, phones, tablets, and so-called smart devices, is vulnerable to this attack, if they support WPA2. The details of the attack vector are heavily technical and require an understanding of how wireless cryptography works. Briefly, an attacker uses a previously unknown weakness in the WPA2 protocol to force a Wi-Fi client to reinstall a key used to encrypt its wireless network traffic. In the process of doing this, some of the cryptographic data used to calculate the key are reset to a value that’s known by the attacker. The attacker can then decrypt the client’s wireless session data going forward, exposing the contents of the session to the attacker.

While we haven’t seen attacks demonstrated against every client or network device platform yet, we feel the attack is fundamentally sound and is likely to be exploited widely in the years to come.

The CBTS security team has been in the game for years. We’ve got recommendations to ensure your wireless communications are safe going forward – a step-by-step booklet, as it were.

1. Patch your workstations. Ensure Windows, Mac, Linux, and ChromeOS machines are updated as soon as the operating system vendors issue security updates, and keep them up to date regularly.
2. Patch your smartphones and tablets – any device with iOS, Android, or Windows / Blackberry. Watch out for Android, especially, as the WPA2 implementation in some Android versions (specifically Android 6.0) have been shown to allow not just traffic decryption, but actual crafting of traffic from the attacker.
3. Patch your access points. This one’s a little tougher; you will need to log into your access points / routers regularly to see if there are updates from the vendor and apply them, which will likely require you to reboot the device.
4. Use caution connecting to suspicious wireless networks. If your client warns you when you connect to a network you’ve never used – or one that you typically do not have any problems connecting to – make sure you ask the owner of the network if everything’s kosher.
5. Beware of devices that might not get updates for this vulnerability, such as so-called “smart devices” or “internet of things/IOT” devices. More and more devices are shipping with “connected” capabilities, and while these features are sometimes useful, some devices may eventually be abandoned by their manufacturer. That may mean that they aren’t updated when serious issues like this come up, and they become unsafe to use.
6. Always VPN if you can. Even if your Wi-Fi session – between your device and the wireless access point – becomes compromised, if you send your traffic in a VPN session over top of the wireless connection, you will continue to protect some of your data. Use your company VPN if you’re logging on using a company asset.
7. Don’t conduct sensitive business over public Wi-Fi. This means online banking, shopping, stock trading, etc. If you or your company do not own or operate the wireless network, stick to the unimportant stuff. Never let no one know how much dough you hold!
8. Report any funny business. Getting strange errors using your company wireless network? Abnormally slow traffic? Warnings going to websites that are typically fine? Let your IT department know.
9. For IT Teams: Look for rogue wireless access points. Set up a wireless IDS to identify access points that are using the same MAC address/BSSID as yours, possibly trying to spoof your APs.
10. For IT Teams: Force clients to use only trusted WLANs. You can configure most client OS’s to only allow connections to WLANs and SSIDs you trust, in case your users are apt to hop onto whatever open public wireless networks are around them.

Follow these rules and… you’ll be much safer surfing on Wi-Fi. Good luck, and spread love, it’s the Brooklyn way!

Related Articles

Is SMS-based Multi Factor Authentication Secure?

The key to strong security programs

Security starts with enterprise IT knowledge