
Three transformative ways zero trust will benefit your enterprise

What is zero trust?

The term zero trust is becoming more commonplace, with virtually every vendor claiming their products support a zero trust architecture (ZTA) or zero trust network architecture (ZTNA).

Much of the buzz is driven by Executive Order 14028, which tasks the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies with boosting cybersecurity across industries and protecting software supply chains.

This undertaking involves defining ZTA and demonstrating to security experts that adopting zero trust principles benefits enterprises by significantly reducing the risk and impact of data breaches.

The zero trust philosophy is driven by the need to replace the historical perimeter with defense in depth and a more granular model appropriate for today’s hyper-connected world. In other words, rather than the previous “castle-and-moat” model, where cybersecurity is “hard on the outside, but soft on the inside,” the ZTA model raises internal security to the same level as external protection. The benefits of investing in a zero trust framework are transformational for enterprises.

In a zero trust world, all actions require explicit authentication and authorization. You are not granted access just because you are on the corporate network or connected to the corporate VPN. In the virtual data center, mutual TLS is used extensively, all data is encrypted (at rest and in transit), and network access is both segmented and controlled.

Access authorizations are dynamic and based on continuous policy evaluation or risk assessment using contextual information, such as (but not limited to):

  • End-user device type.
  • Health of the device.
  • Data sensitivity.
  • The individual.
  • Location.
  • The current threat environment.

Learn more: Build a strong cybersecurity plan that includes zero trust

The benefits of zero trust

Organizations benefit from adopting zero trust architecture in three broad ways:

  1. Reduced risk

    The risk of compromise is greatly reduced by imposing more granular access controls and improving protection and detection capabilities for applications, data, devices, and networks.

    In this model, identity is the new boundary, compared to the historical model of network access controls providing the exterior perimeter. This strategy decreases risk and improves business continuity planning when designed correctly.

  2. Improved user experience

    By making applications Internet-accessible, companies can simplify the corporate network architecture and reduce operational expenses.

    Many organizations embark on this change as part of a strategy to leave the corporate data center and move to the Cloud. Just as users can access Gmail, Outlook, or Facebook in a web browser, this “Software-as-a-Service model” lets employees access mission-critical applications online. As an added benefit, employees may work remotely and securely from anywhere in the world with a reliable Internet connection.

  3. Increased compliance

    Government regulations are changing, requiring increased security controls that effectively require ZTA for all federal agencies and their subcontractors.

The CBTS ZTNA experience

CBTS operates across domains such as security, enterprise architecture, and product architecture to create a zero trust roadmap for your business. This roadmap is a cohesive strategy that reduces risk and outlines each step in implementing your zero trust framework to achieve maximum benefits.

To achieve this, we have several core offerings that can be tailored to your individual needs. This process guides customers through a phased approach, as described below.

Architecture and planning

This professional service engagement takes the CISA zero trust architecture model and maps its functions to resources and vendor products. This phase is tailored to maximize the enterprise’s existing investments in IT systems, services, and processes. Additionally, CBTS can include budgetary cost forecasts for all or part of the roadmap implementation.

Implementation services

Our team of professional services engineers and security architects can provide a turnkey implementation or augment your own architects and engineers to guide and assist in the implementation process.

Managed services

Our cloud and security operations teams can support a subset of the vendor offerings required to run a ZTNA delivery model. This includes our managed detection and response (MDR) capabilities, which are often used by smaller clients who cannot afford or do not want to establish a 24x7x365 security operations capability.

Read more: CBTS’ commitment to outstanding IT service delivery drives success

Begin your journey to zero trust with CBTS

At CBTS, we know all enterprises will benefit from a move toward a zero trust architectural and delivery model. The strategic investment reduces cyber risk, improves the end-user experience, and reduces cost and network and infrastructure complexity.

CBTS has over 30 years of experience guiding customers through every aspect of digital strategy. From communications to cloud migration and application modernization to cybersecurity, the experts at CBTS have you covered.

Get in touch to start your journey to zero trust architecture.

Build a strong cybersecurity plan that includes zero trust

Every business has a mission statement, at least every business I have been involved with over the last 30 years. At CBTS, for example, our mission statement is “To deliver unparalleled products, services and experiences to customers, where they work and live.” And to deliver on that mission with the commitment to “Make it simple, do it fast, and do it together.” Delivering on this mission and commitment is ultimately what makes us a profitable and thriving business.

Building a strong cybersecurity program should include a zero trust network

But guess what? Business departments and divisions each have their own mission statements too! And when security and IT departments are tasked with creating a cybersecurity plan that limits and minimizes the risk to the entire organization, commitments to do things “simple, fast and together” don’t sound very secure. So how do you deliver on your mission, whatever it is, and keep the organization and its most valuable assets secure? In business today, security is top of mind for executive leadership. Security threats have advanced and evolved, and attacks by criminals and threat actors have negative implications on the financial strength and brand trust of every company. Even with these threats, we still HAVE to deliver on the mission, whether that mission leads to selling more widgets, saving lives, building more products, providing financial services, or delivering the best entertainment.

What is essential to a strong cybersecurity plan?

Many computer security architectures have evolved to meet these threats. An example of this evolution is zero trust network access (ZTNA), which allows you to design your cybersecurity plan with an architecture that is customized to your business. Each industry and every business in each industry is unique in how they create, sell, and deliver their products, services, and solutions. In turn, the security architecture you design and build for an organization must be customized to fit into the unique structure and culture that makes that particular business successful and secure.

Zero trust security architectures—at the highest level—change the focus from initially trusting anyone and any device to requiring users, and the devices they use, to prove that they are who they say they are. Sometimes this is thought of as “trust no one” on both the internal network and the external network. It is a new mindset, or a framework, where an organization grants employees access, based on authentication policies, only to the company data and resources needed to do their job.

Read up on the fundamentals of a cybersecurity plan for the supply chain: Enhanced supply chain security and optimization through cloud computing

What are the benefits of ZTNA?

There are many use cases where zero trust allows you to balance your business objectives and execute your cybersecurity plan.

The first and most common use case regards remote workers or remote offices. These employees are not directly on the HQ network but still require access to company data and information.

Certainly, customer/client access to company data or systems is becoming a requirement for many businesses as a way to differentiate from the competition. In many cases this information can be sensitive or confidential data that must be secure.

Similarly, giving third parties—like business partners and contractors—access to your network is very common in today’s dynamic business environment. With unemployment at an all-time low, companies are relying on business partners and contractors like never before to provide support and augment staff. How do you make sure that you have provided these trusted third parties the minimum access required to help your business? Using a zero trust framework, you can implement a network that provides access to third parties in a safe and secure manner.

Another common zero trust use case is multi-cloud instances. Increasingly businesses have applications and data across multiple clouds. Implementing zero trust gives users the ability to access resources securely across multiple clouds while providing the organization visibility into their cloud security. Read more about the risks and benefits of moving to the Cloud.

CBTS has the know-how to create a ZTNA-fortified cybersecurity plan

To help you create your cybersecurity plan using a zero trust architecture, CBTS needs to clearly understand specific criteria about your business and confirm fundamental questions about who requires access to information in order for them to contribute to the business. We would need to know what devices are being used to access your company data, like laptops, tablets and smart phones, as well as the network devices utilized, like the routers and switches that enable access. Once we know the business workflows and processes, we can design and implement a zero trust network with the policies for the users and devices to make your organization securely successful.

In today’s active business environment, a cybersecurity plan with a zero trust network is critical to keeping your organization and data secure. Think of the many ways employees, vendors, partners, and clients access information right now. Your customers and partners want to access your data and services whenever and wherever they are. Building a zero trust architecture will help keep your data and information secure. FOCUSING on your business while building a zero trust architecture will secure your assets AND allow you to complete your mission.

Contact our team today to get started on your cybersecurity plan.

Focusing on security in digital transformation

When your company starts to think about a digital transformation, they must consider how they will secure the data that is critical to the business. The strategic benefits of a digital transformation can quickly be lost if the data you are storing in the Cloud or on mobile devices is lost, stolen, or compromised.

Just as the move from mainframes to minis to PCs transformed how businesses operated in the 80s and 90s, the opportunity to enhance and upgrade your business using the best technology platform can transform your business and prepare it for exponential growth. At the same time, using the best security technology during a digital transformation ensures that you can focus on that growth and not persistent threats to your data and systems.

What does it mean to go through a digital transformation?

For most companies, digital transformation has three main components—resiliency, scale, and speed to market—and involves re-writing, re-architecting, and re-platforming legacy and traditional applications into cloud-native modern apps. These new applications allow for a mobile-first design that pushes data and security out to the edge device.

A sample of transformative steps a company can take are:

  • Transform and move back-office processes to a cloud-hosted solution.
  • Shift to a mobile-first philosophy and leverage IoT devices.
  • Allow your products or services to be consumed on a subscription basis.
  • Move to an agile software development process focused on the customer.
  • Permit staff to work from anywhere, on any device.

To ensure success of these steps and the value they can bring, information security must be part of the discussion as key strategic decisions are made. Furthermore, knowing the exact location of the data on which these systems rely can help protect your company’s data and long-term health of the organization.

Digital transformation security will require a culture change

As companies compete with innovative ideas and first-to-market tools, the security team supporting these advances also must adapt and change. However, a sticking point for innovation is the ongoing support of legacy applications. A report by Deloitte in 2020 noted that the average IT department devoted 50% of their budget to maintenance and only 19% to innovation. A 2020 survey conducted by the Ponemon Institute reported that 82% of the respondents believe their organization experienced a data breach because of the company’s digital transformation. Clearly, innovation and security must happen simultaneously.

CIOs investing in a digital transformation strategy know that integrating a new culture of security at the beginning of the digital transformation will create a sound foundation for a transformed company. No single security tool or policy or procedure can protect all the data. What will protect the data is a mindset that says, “I am as responsible for security as much as the CISO is.”

Ultimately, it is all about the data

Before a digital transformation, information security teams could expect to have firewalls at the edge to protect the internal network. All work was conducted on company-owned hardware connecting to the internal network where centralized data centers protected the crown jewels of your data 24×7.

As legacy systems are transformed and updated, however, new security tools and controls are needed to protect the data and to monitor who can access it and what they can do with it. Accordingly, security tooling needs to move up the stack: legacy tools focused on the network and the host give way to controls at the application layer that focus on the data. The goal is to protect the data, not the device or the network.

The four must-have modern security areas for your digital transformation security plan

Zero Trust Network Access

Zero Trust Network Access is not a product or an SKU you can buy, but a mindset that starts with the expectation that no device is trusted, and no user is trusted. Instead, trust must be demonstrated and verified before access is granted to an object or system or service. Read more about ZTNA here: https://www.cbts.com/blog/zero-trust-networks/

Third-party risk management

When you move applications to a cloud-hosted solution, you are trusting your data and systems to a third party. You now need to manage the risk that exists with that third party on a regular basis and confirm that the provider you are using has the same, or better, security posture as your own. Learn more about ZTNA: https://www.cbts.com/blog/how-do-you-ensure-the-security-of-your-supply-chain/

IoT device management

During a digital transformation, a myriad of devices will interact with your systems and data. While your transformation will initially focus on mobile devices with people making the requests, you also want to design for IoT devices—like Alexa or Siri—and how they can interact with your cloud-hosted applications, and what security concerns arise. See how IoT impacts the medical field: https://www.cbts.com/blog/digital-transformation-in-healthcare-begins-in-the-cloud/

Cloud security controls

As your new cloud-native applications are brought into production, your security team will need to use cloud security controls, like CASB, CSPM, and CWPP. Cloud access security brokers (CASB) are cloud-native security tools that ensure users in your environment can access only the cloud services that they are allowed to access. Cloud security posture management (CSPM) monitors your cloud environment and alerts you when security permissions are not set correctly for a system or data. Cloud Workload Protection Platform (CWPP) is a security tool that makes sure that the applications running in your cloud environment are protected from malware and viruses. Read more about these controls: https://www.cbts.com/blog/cloud-security-controls-mitigate-risk/

In conclusion

Plainly, security must be part of the conversation as you plan your digital transformation. Whatever plan you make, security is at least as important as the reasons your company pursues its transformation. If you have questions about how to integrate security into your plan, contact our security team.

Enhanced supply chain security and optimization through cloud computing

The need for supply chain security

Managing supply chains has never been more complicated. There are numerous threats to fragile supply chains. Cyber attacks and malware are growing in number and complexity, seemingly daily. Supply chains are an attractive target because they offer a backdoor into the systems of the dozens or hundreds of companies that are part of the chain. To prepare for these events and bolster supply chain security, Disaster Recovery as a Service (DRaaS) furnishes backups of mission-critical data.

Beyond the external threats are the internal ones: aging infrastructure, poorly optimized data, lack of flexibility and scaling, and no backup plan. These variables limit business agility, and modern supply chains demand that companies be able to pivot on a dime with little notice. Cloud technology has risen to meet the challenges of maintaining fluid supply chains. AI and machine learning tools grant insights into existing data streams while best-in-class security systems actively monitor and seek out evolving malware threats. This blog will examine how cloud computing provides supply chain security and optimization solutions.

Supply chain optimization

Optimizing a supply chain entails getting the most out of your data flows and securing said data through backups and security measures. Cloud-native predictive AI tools can help you analyze trends and stay ahead of supply chain disruptions. IoT devices and monitoring tech such as RFID tags track products during each step of the journey from manufacturing to purchasing to fulfillment. The Cloud allows for greater visibility and security across the supply chain.

Cloud systems also offer more opportunities for automation and simplification of supply chain management. APIs can simplify integrations across platforms and are valuable tools for creating complex automation workflows. Automatic backups are one of the core advantages of utilizing the Cloud.

Advanced security is another advantage of using the Cloud in supply chains. Public clouds, such as Google Drive and Microsoft OneDrive, have some of the best minds in security working around the clock to stay ahead of cyber criminals. However, many supply chains implement a multi-cloud environment. Smaller cloud providers may not have as robust security as industry leaders and may leave backdoors open to hackers. Multiply this by the number of companies and systems linked via a supply chain, and the potential for vulnerabilities explodes.

Data must be secured in all locations — onsite, in the Cloud, on third-party systems, and via a separate DRaaS solution.

Supply chain security fundamentals

Creating a secure supply chain is a two-fold strategy that involves identifying vulnerabilities and creating an automated backup system with disaster recovery as a critical component.

Identifying vulnerabilities includes:

  • Deploying AI-driven security tools to seek out and destroy ransomware before it becomes a threat.
  • Creating an inventory of potential system security weak points.
  • Incorporating password best practices company-wide.

Creating a robust data protection program involves:

  • Automating backups to the Cloud.
  • Enacting cloud security best practices, which include solutions such as Zero Trust Networks.
  • Utilizing an encrypted unified data storage solution such as a data lake.
  • Using a DRaaS solution to allow for a speedy recovery from a cyber attack or natural disaster.

Learn more: How do you ensure the security of your supply chain?

Scaling and flexibility

Maintaining national or global supply chains comes with a great degree of uncertainty. Responding to shortages, overstock, or even crises is vital to modern supply chains so corporations must scale and pivot as needed.

A cloud environment is an ideal resource for scaling in near real time. You pay for storage or services as needed. With the mass adoption of serverless computing and microservices, you can drill down and develop the exact tools you need when you need them and deploy them across platforms. Additionally, AI keeps you agile by flagging potential issues. Your data works harder by providing invaluable business intelligence that translates into informed strategic decisions.

Data protection and recovery

DRaaS experts are vital to your supply chain because malware is always evolving and may eventually be able to target cloud backups.

How malware works now

While familiar tactics like phishing or spear phishing are still around, dangerous new ploys threaten supply chain security. For example, malware can now be implanted directly in documents and images. Another approach is to lock the disk drive itself rather than individual files. One particularly insidious assault uses malware with a timer that may remain dormant for months or even years. Hackers know to target older systems that may have more vulnerabilities.

Protection through DRaaS

Increasingly, companies must contend with climate change-fueled disasters that may damage business locations and devastate vital systems. Properly setting up DRaaS is a safeguard against both malware and catastrophic events. A DRaaS system should be a secondary, offsite cloud backup system; even though cloud vulnerabilities exist, expert setup can make a DRaaS environment inaccessible to hackers and bad actors.

Maintaining supply chain security now and into the future

Managing and securing supply chains remains one of the most significant business challenges. CBTS can help you optimize and secure your supply chain. Our experts craft custom solutions to address security, backups, and supply chain data insights through cloud-based solutions.

With decades of experience under our belts, CBTS helps our clients make sense of supply chain management. We partner with industry-leading technology providers, and our thousands of certified engineers and project managers make navigating evolving technology a breeze.

Get in touch today to learn how to optimize and secure your supply chains with cloud technology.

Overcoming a weakness in MFA with Duo Verified Push and RBA

For many organizations, multi-factor authentication—or MFA—is the first line of defense against the chance that an employee’s credentials have been compromised. If one of those credentials is compromised, the unauthorized user will fail subsequent tests and be blocked from spaces both physical and digital. Organizations do not usually create this system and instead rely on products like Cisco Duo to manage MFA for them.

Remember that multi-factor authentication is based on the factors of authentication: something you know (your password), something you have (your cell phone or mobile device), and/or something you are (like your fingerprint or other biometric). Ideally, if you can’t provide or authenticate through one of these as required, your access request is denied. At the same time, a single one of these items that is stolen or compromised should not permit unauthorized entry into company systems.

MFA is a critical piece of other security measures, like zero trust networks. Read more: Zero Trust Networks (ZTN): what are they and how do I implement one?

Attackers take advantage of human weakness to create MFA fatigue

Flaws can emerge in any good process. In this case, the weakness is MFA fatigue, which can be a real problem for companies trying to improve their cybersecurity programs. Several corporate breaches have occurred due to an employee approving an MFA request despite the fact that they are not actively authenticating into an application or computer system. The threat actor or criminal attacker can attempt to bypass MFA by first repeatedly sending SMS text messages or Authenticator push requests to a compromised account where the attacker knows the username and password.

Duo, probably the most popular MFA vendor, has provided Duo Push for years as a secure method for authentication. Attackers exploit Duo Push from a social engineering perspective, repeatedly sending requests that eventually coerce the end user into approving an illegitimate request. The attacker is counting on the fact that the end user will approve one of the authentication requests to make the requests stop. This attack exploits a weakness of human nature—giving in when fatigued—to bypass the MFA security control. In response, MFA vendors have come up with some very interesting approaches to counteract this weakness in MFA.

Duo Push requires equal effort for the end user to approve or deny the transaction. If you are faced with a dozen or more push requests and denying each one keeps presenting another push challenge, eventually the end user—who is becoming irritated seeing this over and over—is going to press “approve” to see if they get a different outcome. After all, one of the definitions of insanity is doing the same thing over and over again but expecting a different outcome.

How did Duo strengthen its MFA offering?

To combat this, Duo has released the Verified Push feature, which is currently in public preview and will be available to all license levels of Duo. This is a helpful feature and one I think any Duo customer should consider testing, if not deploying.

Instead of just allowing the single-tap “approve” or “deny” response characteristic of MFA, Duo Verified Push requires the end user to enter a three-digit code that pops up on their phone screen as part of a push notification in order to approve the authentication request. The end user must take an action and actively participate in the approval process by entering the three-digit code. Incidentally, you can increase the code from three to up to six digits.

I think this approach will work because we are all being trained to be more suspicious. Imagine the attacker sends multiple MFA requests hoping to fatigue an end user who is configured for and expecting verified pushes. The legitimate user must enter the three-digit code on one of those requests in order to approve it. What’s more, it takes less effort for the legitimate end user to deny the fraudulent requests if they know they are not currently trying to access an application. If you are being harassed with pushes, why would you make the extra effort to enter the code? Your security team can also follow up with training that under no circumstances should an end user enter the code unless they are actively authenticating to an application, device, or operating system. That can actually be laid out in the acceptable use policy for your organization along with the threat of termination for violation.

Read up on other critical security training your organization needs now: The value of phishing simulation in a strong security program.

Duo takes a big step toward overcoming weakness in MFA

One step up from Verified Push is Risk-Based Authentication (RBA) from Duo, another new feature in public preview right now that is part of their arsenal to address MFA fatigue and continuous trusted access. Unlike Verified Push, the RBA feature will not be available in all Duo offerings; Duo has three feature license tiers: MFA, Access, and Beyond. You’ll find the RBA feature only in the higher-level Access and Beyond license tiers.

RBA takes a different approach to MFA fatigue. RBA changes the acceptable authentication methods based on the perceived risk at that point in time for that account. For example, RBA can step up the MFA requirement to a Duo Verified Push if multiple standard Duo Pushes are being denied, which indicates that an attacker is trying to fatigue an end user into supplying an approval.

RBA also now leverages enhancements in Remembered Devices to determine changes in risk. For instance, if a user turns on their corporate-issued device while within the office walls, the Remembered Devices policy in Duo would generate a secure device token that allows that user seamless access in that office environment. If the user then accesses those same resources remotely, Duo would detect the location change and require the device to re-authenticate. Subsequently, if that location has never been seen before, Duo could force a Duo Verified Push and over time learn the user’s pattern of successful logins. RBA then eliminates the need to use more aggressive verification methods until the next high-risk authentication request is received.
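As an added illustration (not Duo’s code or API), the following Python models the two countermeasures the post describes: a number-matching verified push whose code must be typed rather than tapped, and a risk-based step-up from plain push to verified push after repeated denials or from a location the account has never used before. The denial threshold, the learning count, the `office`/`home` locations and the class names are constructed assumptions.

```python
"""Toy model of the MFA-fatigue countermeasures discussed above.

Constructed example: the thresholds, class names and scenarios are
assumptions for illustration, not Duo's implementation.
"""
import secrets
from collections import deque
from dataclasses import dataclass, field

DENIAL_THRESHOLD = 3   # assumed: denials that trigger a step-up
LEARN_AFTER = 2        # assumed: approvals before a location is trusted


@dataclass
class VerifiedPush:
    """Number-matching push: the code is shown on the login screen and
    must be typed into the phone, so a reflexive tap cannot approve it."""
    code: str

    @classmethod
    def issue(cls, digits: int = 3) -> "VerifiedPush":
        # the post says the code can be raised from three to six digits
        if not 3 <= digits <= 6:
            raise ValueError("code length must be 3-6 digits")
        # secrets.randbelow gives an unpredictable code; zero-pad to width
        return cls(f"{secrets.randbelow(10 ** digits):0{digits}d}")

    def approve(self, entered: str) -> bool:
        # constant-time compare; an empty or wrong entry is a denial
        return secrets.compare_digest(self.code, entered)


@dataclass
class RiskEngine:
    """Per-account state that picks the authentication method."""
    recent: deque = field(default_factory=lambda: deque(maxlen=10))
    trusted_locations: dict = field(default_factory=dict)  # loc -> approvals

    def method_for(self, location: str) -> str:
        """Return 'push' or 'verified_push' for the next request."""
        denials = sum(1 for outcome in self.recent if outcome == "deny")
        if denials >= DENIAL_THRESHOLD:
            return "verified_push"      # repeated denials: fatigue pattern
        if self.trusted_locations.get(location, 0) < LEARN_AFTER:
            return "verified_push"      # location not yet learned
        return "push"                   # low risk: plain push is acceptable

    def record(self, location: str, outcome: str) -> None:
        """Record the result of one push; approvals teach the location."""
        self.recent.append(outcome)
        if outcome == "approve":
            count = self.trusted_locations.get(location, 0)
            self.trusted_locations[location] = count + 1
            self.recent.clear()         # a real login ends the denial streak


def _engine_trusting(location: str) -> RiskEngine:
    """Helper: an account that has logged in from `location` enough times."""
    engine = RiskEngine()
    for _ in range(LEARN_AFTER):
        engine.record(location, "approve")
    return engine


def fatigue_scenario() -> list:
    """Pushes from a trusted location are all denied by the user.
    Returns the method chosen for each request so the step-up is visible."""
    engine = _engine_trusting("office")
    chosen = []
    for _ in range(4):
        chosen.append(engine.method_for("office"))
        engine.record("office", "deny")
    return chosen


def remote_location_scenario() -> list:
    """A trusted office user starts working from home and approves each
    request; the engine steps up until the new location is learned."""
    engine = _engine_trusting("office")
    chosen = []
    for _ in range(3):
        chosen.append(engine.method_for("home"))
        engine.record("home", "approve")
    return chosen


if __name__ == "__main__":
    challenge = VerifiedPush.issue(3)
    print("tap without code approved:", challenge.approve(""))
    print("correct code approved:", challenge.approve(challenge.code))
    print("fatigue:", fatigue_scenario())
    print("remote:", remote_location_scenario())
```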

RBA strengthens a system of authentication types

Duo supports a large number of authentication types. Secure authentication types available in RBA include Duo Verified Push, WebAuthn security key, a platform authenticator such as Touch ID, or an OTP (one-time password). RBA allows you to determine which authentication methods are acceptable once Duo has identified a specific MFA request with more associated risk than a standard MFA login, overcoming weakness in human nature with a process that attackers can’t plan for. RBA is a welcome addition to balance more aggressive authentication method requirements with end user ease of authenticating. It only steps up the requirements when a risk is perceived, which addresses potential pushback from the user community if more aggressive methods were standard authentication mechanisms.

Get more information on RBA, including RBA’s enhanced Remembered Devices functionality: https://duo.com/docs/risk-based-auth

If you are a Duo customer, the CBTS security team would be happy to consult with you how to best implement these Duo features and fight the MFA fatigue that is likely growing among your users. If you are looking for an MFA solution, then you definitely need to consider Duo. CBTS would love the opportunity to show you how it works and recommend other managed security services.

Information privacy is not the same thing as information security

When talking about information privacy, some people think it’s the same thing as information security, but for security professionals, they are not the same thing.

If you talk about privacy, you are really talking about confidentiality.

When talking about keeping information—or data—secure, information security professionals focus on three key things: confidentiality, integrity, and availability, also known as the CIA triad, which is the foundation of any organization’s security program. If you think about it visually, it would look like this:

Venn diagram describing Privacy vs. Security

Privacy focuses on how personal data is used and controlled. The graphic puts privacy in that circle of how companies collect personal information, how they use that personal information in an authorized manner, and how they ensure the information is accurate.

Security focuses on keeping the data safe from unauthorized access and use, making sure the data is reliable and accurate, and ensuring the data is available for use when needed.

Let’s look at examples to show the difference between information privacy and security

We’ll start with Amazon, an entity that touches almost everyone’s information in some way, shape, or form.

Amazon and privacy

If you buy products online from a vendor like Amazon, you expect that they will keep the information you share with them confidential. This information includes things like where you live (shipping information), how you are paying for your purchases (credit card or debit card), what you buy (shampoo, jewelry, clothing, personal items), and how often you buy things (once a week, once a month, etc.). All of this data that Amazon stores about you is information you would most likely want to keep private.

Note that none of your order information is personally identifiable information (PII), except for your method of payment.

In this example, you shared personal information with Amazon with certain expectations: first, that Amazon will keep that information private and not disclose it to just anyone; and second, that only authorized people at Amazon can see your personal information.

Despite all the questions this suggests, today we won’t go into how Amazon makes money from selling your information to various companies. The terms of use of your information are set out in the privacy terms between you and Amazon.

Amazon and security

From Amazon’s point of view, the focus is the CIA triad and ensuring that:

1. The information they are storing about you stays confidential (e.g., it’s not stolen by a competitor or criminal gang).

2. This data maintains its integrity, that is, it is not changed in some way by someone (e.g., your order is changed from 1 pair of socks to 10, or the price is changed from $10 to $1); and  

3. The data is available, so that you can see your order anytime, day or night, from anywhere on any device.

Equally important to Amazon is that this data is available to them when they want it so they can pick the right quantities, ship it to the right address, charge the right credit card, etc.

In this example, Amazon keeps the information you share confidential and available, and at the same time ensures that it hasn’t been modified and has maintained its integrity. For more on privacy, review how SD-WAN answers the challenge of remote workforce networking.

How do financial institutions treat information privacy and security?

As a consumer, one of your primary concerns is the trustworthiness of the business that takes care of your hard-earned money.

Your bank and privacy

Your bank or credit union has a lot of sensitive information about you, much of which is personally identifiable information, or PII. They know your name, address, age, social security number, and bank account numbers; the balances of your credit card, mortgage, savings and checking accounts; and the amount of your paycheck and how frequently you are paid. You most definitely want this data to remain private and confidential.

Not surprisingly, your bank also wants to keep your information private, particularly according to Federal regulations regarding PII and PCI (credit card). At the same time, your bank wants you to feel like you can trust them with this very private, very personal information.

Incidentally, banks also sell your information based on the privacy agreements that you agreed to when you opened the account, but this is a topic we also won’t address in this blog post.

Read up on how CBTS UCaaS services are PCI compliant.

Your bank and security

Banks also want to keep your information secure, and they, too, follow the CIA triad. They make sure your information is kept confidential, so that only the appropriate people can see your PII and other bank-specific information.

To prevent your account balances from being manipulated in some way, the integrity and accuracy of your account information is essential to your bank or credit union. Your bank also makes your account information (your data) available so that you can check your balances and access your money any time, from anywhere. Like Amazon, the bank works to keep your information confidential and available and maintains the integrity of the data so that it is used appropriately and according to the privacy terms you agreed to when you opened the account (see the privacy terms for US Bank).

Are you all clear on information privacy and security now?

Hopefully these examples help clarify the difference between privacy—keeping your sensitive data private—and security—which ensures that your data is kept confidential and available in a way that maintains its integrity.

If you want to limit what any business—like Amazon or your bank—knows about you, find and review the data sharing policies with the companies you use. Also, some companies provide options for limiting how your personal information is shared with other companies. Those details are in the company privacy policies which you can typically and easily find online. Security doesn’t just happen. Learn why you should do information security awareness and training.

Software bill of materials (SBOM): what is it good for?

Absolutely EVERYTHING!

A software bill of materials lists the components used to build an application.

As an attack vector, the computer supply chain is an attractive one, and attacks on it continue to rise. Most people view a supply chain attack as something that affects only hardware. A typical scenario would involve a malicious actor working in a factory who installs chips into the hardware that allow some kind of remote access once the system is booted or, alternatively, pre-installs malware on a hard drive before the computer ships. But these days the supply chain also includes a “software” supply chain.

The hardware world has long had a complete list of components shipped as part of a system delivery known as a “Bill of Materials.” This BOM provides the customer with a detailed inventory of all the parts and pieces of a box, usually down to the types of memory installed, the processor model, everything. On rare occasions, this would include at least a starting firmware/software version, whatever the OEM put into the system itself.

A software bill of materials (SBOM) is the software equivalent of the hardware version: a list of all the components used to build an application, including any open-source or commercial components in addition to whatever code is original to the vendor. SBOMs, though, have not been quite as standard as their hardware counterparts.

Read more: How do you ensure the security of your supply chain?

Why is a software bill of materials important?

Not surprisingly, the information in a bill of materials can help determine how to fix something on whatever system the BOM refers to. On the hardware side, serial numbers, component specifics, and overall product identification numbers are essential when replacing a hard drive, motherboard, memory module, or any other hardware item.

Think of a software bill of materials (SBOM) in the same context. Wouldn’t it be simpler to fix a software bug if you had a list of all the additional software components in an application? Wouldn’t you sleep better at night knowing that your application consumes a specific Python library for input and output? What about your logging components? And—I’m just spitballing here—wouldn’t it be great to know for sure that you didn’t have a vulnerable version of a logging component for some, oh, I don’t know, web server like Apache?

Yeah, I know: it seems so far-fetched that something like that would ever be a threat, right?

Not only is it important to know where your software comes from, it’s also important to know what software components and shared libraries you have running on your devices or inside your applications. That’s where the concept of a software bill of materials comes into play.

With an inventory of all the software components used in an application or on a deployed device, your organization can finally figure out if you use Open Source Software library A, or custom software library B, and then which asset has which version!

Certainly, that would make those late-night calls over winter vacation much easier to take, as the solution to the question “do we run this?” would be right at your fingertips!

More on avoiding late-night, vacation-time emergencies: Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Aren’t software bills of materials already standard procedure?

Unfortunately, no.

The good news is that the National Telecommunications and Information Administration (NTIA) has been thinking about this concept since 2018! They’ve put together a site for practitioners to use and learn about SBOMs, and have written up some FAQs and consumable documents that help guide anyone new to this concept. Additionally, the Cybersecurity and Infrastructure Agency (CISA) has created weekly workstream meetings to share information with anyone interested, based on different topics. You can find the workstream events listed here.

What to do in the meantime

Ultimately, either generating your own software bills of materials or asking your vendors to supply them will substantially increase your ability as an organization to answer those age-old questions:

  1. Are we vulnerable to this new zero-day vulnerability?
  2. Where exactly are we vulnerable to it?
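The two questions above, and the earlier point about knowing which asset runs which version of library A, are exactly what a per-asset SBOM inventory answers. The following is an added example, not code from this post or from NTIA/CISA: the SBOM documents are constructed in the CycloneDX JSON shape (bomFormat, specVersion, components), and the component name example-logger, the host names, and the affected-version range are hypothetical placeholders. The version parser is deliberately simplified; the generalization beyond the post is that the same lookup works for any component once every asset has an SBOM.

```python
"""Answer "do we run this component, and where?" from per-asset SBOMs.

Added example, not code from the post or from NTIA/CISA. The SBOM documents
are constructed in the CycloneDX JSON shape (bomFormat/specVersion/components);
"example-logger", the host names and the affected range are hypothetical.
"""
import json
from typing import Dict, Iterator, Tuple

# Constructed inventories: one CycloneDX-style SBOM per deployed asset.
SBOMS: Dict[str, str] = {
    "web-01": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-logger", "version": "2.14.1"},
            {"type": "library", "name": "example-http", "version": "4.5.13"},
        ],
    }),
    "web-02": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-logger", "version": "2.15.0"},
        ],
    }),
    "batch-07": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-logger", "version": "2.3.1-rc1"},
            {"type": "library", "name": "example-json", "version": "1.0"},
        ],
    }),
    "app-09": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-json", "version": "1.1"},
        ],
    }),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Simplified on purpose: a trailing tag such as '-rc1' is dropped, so
    '2.3.1-rc1' sorts as 2.3.1. Real ecosystems (SemVer, PEP 440, Maven)
    have richer rules; use their own libraries in production.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def components(sbom_json: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for each component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    for comp in doc.get("components", []):
        yield comp["name"], comp.get("version", "")


def where_used(sboms: Dict[str, str], name: str) -> Dict[str, str]:
    """Question 1, 'do we run this?': asset -> version for every asset listing `name`."""
    return {asset: ver for asset, doc in sboms.items()
            for cname, ver in components(doc) if cname == name}


def affected_assets(sboms: Dict[str, str], name: str,
                    introduced: str, fixed_in: str) -> Dict[str, str]:
    """Question 2, 'where exactly?': assets whose version of `name` falls in
    the half-open range [introduced, fixed_in) given by an advisory."""
    lo, hi = parse_version(introduced), parse_version(fixed_in)
    return {asset: ver for asset, ver in where_used(sboms, name).items()
            if lo <= parse_version(ver) < hi}


if __name__ == "__main__":
    # Hypothetical advisory: example-logger from 2.0.0 up to (not including) 2.15.0.
    print(affected_assets(SBOMS, "example-logger", "2.0.0", "2.15.0"))
```

The half-open range mirrors how advisories are usually phrased ("affected from X, fixed in Y"), so web-02 at exactly the fixed version is correctly left out while the release-candidate build on batch-07 is still flagged.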

If you find yourself needing to create the SBOM yourself, be sure to visit that NTIA site, which also offers guides to creating SBOMs, evaluating the many online resources to help you out, and dispelling misconceptions about SBOMs (for example, they are not really a roadmap for hackers; the benefits to you are far greater than to a hacker who has so many other exploits available).

Taking time and care to catalog your software components correctly (and update that catalog frequently!) will help you and your leadership sleep better at night. For the most part.

Sleep even better with help from our security team! Contact us today with your security needs.

Read up on things you can do right now to strengthen your security posture:

Why should you do information security awareness and training?

Car parts and cybersecurity: what is Google dorking?

The value of phishing simulation in a strong security program

Improve your cybersecurity defense with centralized logging

Why should you do information security awareness and training?

I am a shameless promoter of information security awareness and training (A&T).

Information security and awareness training can decrease the number of incidents that your company or organization experiences in a given year.

If I could get people to take three or four minutes of training on information security every week, I would do it.

I want everyone to be able to detect phishing emails and fake text messages quickly and easily.

I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”

I strongly disagree.

I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.

I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.

The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.

Without a doubt, the potential consequences of that click, call, or answer are exactly why information and security awareness belongs on your list of infosec priorities.

Read more: Essential security practices to protect your business

So who needs information and security awareness training?

Everyone!

Absolutely everyone in your company or organization needs regular A&T: from the CEO, CFO, and CIO to the admin at the front desk, everyone, all the way down the line. A&T that starts at the top is the most effective: if the CEO believes that A&T is valuable and worth doing, the program will be significantly more effective.

Ok, tell me more about this training 

First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.

There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.

Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.

Alright then, when and where do you do this training? 

All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.

Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.

Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.

A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”

As for where to do the training, do it wherever people will take it. You might do monthly lunch-and-learns, either face to face or online, or computer-based training designed for mobile devices or PCs. We are far enough into this decade that you can find companies that offer computer-based training or other kinds of training that will fit your budget and needs.

The benefits of information security awareness training 

Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:

  • Help lower your cyber insurance premium.
  • Help you meet regulatory compliance requirements.
  • Help better protect your employees on the job and at home.

What’s more, what you spend on a good A&T program can be offset when you factor in the benefit of recovering from fewer incidents and lower cyber insurance premiums. It is money well spent. What do you do for ISAT? Please feel free to e-mail me with comments or questions.

Read more from John Bruggeman:

Why test patches before deploying to production?

Cloud security controls that help mitigate risk

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

2023 Strategic Roadmap: The Future of SD-WAN

The future (and arguably the present) of networking belongs to the Cloud. Legacy WAN networks deployed on aging MPLS systems can no longer handle the sheer amount of data, processing power, and security needed to keep businesses competitive. The resources required to maintain legacy networks are becoming increasingly untenable. More and more, we find on-prem data centers reaching the end of their lifespan, requiring migrations to a cloud-based network. Software-defined wide area network (SD-WAN) is a robust methodology that shifts the burden of data flow from hard-line MPLS networks to the cloud.


SD-WAN deployment benefits include increased network speed, less downtime, and increased efficiency across the board. Additionally, it expands data real estate. Companies need real-time access to their applications, mobile data, at-home devices, and data from IoT devices. As a result, the number of points of presence (PoP) for many companies, especially those in the healthcare field, has grown exponentially. Because of this, the number of potential vulnerabilities for cyberattacks has grown to match. As such, the future of SD-WAN will hinge on current and cutting-edge security tools such as SASE, ENI, and specific deployments of machine learning (ML) and AI.

What is SD-WAN?

In a nutshell, SD-WAN architecture shifts the control of a wide area network for a company and its branches from an onsite data center and hardware to cloud-based software. This software controls connectivity, data management, and the flow of information from headquarters to company branches and remote workers. SD-WAN connection endpoints—branches, data centers, cloud platforms, or corporate offices—are referred to as the SD-WAN edge. As we’ll discuss in more detail later in the post, securing the edge network is a core issue vital to the future of SD-WAN.

According to a study conducted by Gartner with CBTS, the drivers of SD-WAN adoption are the need to:

  • Improve networking speed and agility.
  • Minimize or eliminate downtime.
  • Reduce costs and make predictable capital expenditures.
  • Optimize performance for end users and administrators.

Key benefits of SD-WAN

Switching to a cloud-based network has many company-wide benefits. Some of these include:

  • Dependable connectivity.
  • Faster network speeds.
  • Deployment over existing MPLS infrastructure.
  • Greater control of IT policy and permissions across the enterprise.
  • Easy monitoring of network performance.
  • Enabling managed services.
  • Enhanced security and early warning monitoring of potential threats.
  • Deployment of automation across the business-wide network.
  • Orchestration services such as Unified Communications as a Service (UCaaS).
  • Support for a range of cloud and multi-cloud platforms, including Microsoft Azure and Amazon AWS.

Also read: Key SD-WAN advantages your hybrid work-from-home model needs

The future of SD-WAN

Cyberattacks continue to grow in volume and complexity. In 2021, an attack with an instance of 17 million requests was recorded from a botnet three times larger than any previously registered attack. The rate and escalation of cyberattacks are not slowing down. A second attack later that year—an attack of 22 million requests per second—dwarfed the first attack. Experts predict that another attack will take place soon that surpasses 30 million requests per second. Fortunately, cybersecurity measures continue to evolve as preventing cybercrime becomes a focus for enterprises and government agencies.

SASE

Secure Access Service Edge (SASE, pronounced “sassy”) is an architecture that utilizes SD-WAN via an encompassing cloud-native framework. First defined in 2019 by Gartner, SASE is a philosophical approach to cloud security instead of a set of tools or a specific technology. The SASE model merges networking and security to reduce hardware, simplify operations, and minimize security risks.

SASE engages with five core technologies:

  • Integrated SD-WAN
  • Cloud access security
  • Firewall as a Service (FWaaS)
  • Secure web gateways
  • Zero trust network access (ZTNA)

SASE is a borderless approach to networking, meaning it can support globally distributed teams and customers. Global environments allow employers to embrace a modern, work-from-anywhere mentality. Migrating to SASE PoPs optimizes where data lands in the network by combining software apps and data storage. Additionally, the integration of FWaaS refines and maximizes security measures for data centers. SASE reduces latency and results in a higher performing network by adding PoPs globally, so data doesn’t have to travel as far. These gateways provide the functionality, reliability, and access that teams and customers need.

ENI

Edge network intelligence (ENI) gives enterprises visibility into their end-user and IoT devices. ENI creates a complete view of the data plane for each user (wired and wireless), allowing IT teams to home in on issues such as latency via automatically generated issue tickets. ENI also proactively self-heals the network after problems have been identified. Another feature of ENI is integration with AI-empowered Network as a Service (NaaS) offerings such as Cisco Meraki or Juniper Mist.

Learn more: Thinking big on future of networking

AI/ML

ENI uses machine learning algorithms to detect, monitor, and interact with end-user devices across a client’s data estate. SASE providers also deploy AI to scan for threats and block attacks proactively.

But in terms of potential, AI and ML are just beginning to scratch the surface. AI/ML will be integral to the future of SD-WAN.

Other innovations

Beyond security advancements offered by SASE, ENI, and other AI solutions, other innovations will continue to trend as SD-WAN moves into the future. Those innovations revolve around:

  1. Operational simplicity.
  2. Automation.
  3. Reliability.
  4. Scalability.
  5. Solutions with flexible business models.

Given the movement of most industries, it also seems highly likely that future iterations of SD-WAN technology will work well with multi-cloud platforms and help to streamline those environments.

Strategic roadmap for the future of SD-WAN

Legacy MPLS architecture is nearing the end of its lifespan in many cases. Compounded with the surge of data streams from mobile, at-home, and IoT devices, networks are primed to falter in the immediate future without SD-WAN solutions. Replacing traditional networks in favor of SD-WAN will allow for greater agility, simplicity, and performance on every level of business operations.

CBTS is at the forefront of SD-WAN conversion for our clients. The flexibility of SD-WAN means that delivery is potentially borderless, with service in over 60 countries. Often, we can utilize existing MPLS networks to deploy SD-WAN quickly and efficiently. Our suite of managed services—including networking—is best-in-class and a valuable way to offload burden from IT teams.

Get in touch to learn more about future-proofing your business with our managed SD-WAN, networking, or security services.

Car parts and cybersecurity: what is Google dorking?

What do the search for old car parts and cyber reconnaissance have in common? Google dorking. Before you head off this page to check out life hack videos, let me explain.

What do old car parts and Google dorking have in common?

I have been using Google search, Google cache, and the Internet archive for years now to help me find parts and information to support my classic car habit. It just so happens that many of the techniques I use are extremely effective in doing reconnaissance on your enterprise. What’s more, they are free and—while not well known by most—they are certainly used by attackers. Since I began this blog talking about car parts, clearly I own a couple of classic cars. Anyone who has ever owned a classic car knows that you spend as much time looking for parts and repairing classic cars as you do driving them. (Sure, I can get replica parts more easily, but they are not always available and are often outrageously expensive. Besides, I would miss out on the thrill of the hunt.) Google dorking is what allows me to spend a little more time driving, just as it could give bad actors a little more time and information to attack your network.

Ok, so what is Google dorking, besides something that sounds super-nerdy?

Basically, Google dorking is taking advantage of advanced search techniques to ferret out information and uncover vulnerabilities that you wouldn’t otherwise find with a typical search.

There are a number of basic search operators you can use with Google. Many people know about the Boolean operators or the quotation-mark (“ ”) operator for exact phrases, but there are several more that can be quite interesting to use. For example, the site: operator: if you start your Google query with site:www.yourenterprise.com, Google will return only results from pages at www.yourenterprise.com. Very handy. You can extract everything you might want to know about a specific site without having to wade through all the other non-relevant results. For instance, I use this operator to extract all the data about a specific car part out of an entire forum.

The more search terms you use, the fewer results from that specific site. Let me show you how I use that to my advantage.  Let’s say I search all the Craigslist sites across the country using the following syntax: site:*.craigslist.org post id: Datsun 14″ rims. Evidently, I am looking for Datsun 14” rims. The “post id:” is specific to only allow results where someone is selling something rather than returning a listing of offers from each of the Craigslist sites. As you probably guessed, the * is a wild card and will return results for all Craigslist sites across the country. How does this affect my enterprise security?

Now that you know you don’t need anything special to take advantage of Google dorking, you likely won’t be surprised that the site: technique described above could be used to query every server in yourenterprise.com for literally anything. Another useful syntax along the same lines is intitle:index.of name size, which will return directory file listings that have been left accessible to the public on the Internet. Combining this with site:*.yourenterprise.com would list all the Internet-facing directory listings on every server in the yourenterprise.com domain—with a single query.
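The intitle:index.of query works because web servers that have directory listings enabled emit a recognisable page: a title of the form “Index of /path” plus a “Parent Directory” link. A defender can check for that same fingerprint on their own hosts before a search engine indexes it. The following is an added example, not code from this post: the responses are constructed to mimic what Apache’s mod_autoindex produces, the host names under yourenterprise.com are placeholders, and fetching the pages (for instance with urllib) is left to the caller so the check runs offline.

```python
"""Flag directory-listing pages among responses fetched from your own web servers.

Added example, not code from the post. The responses below are constructed to
mimic Apache mod_autoindex output; the host names are placeholders.
"""
from __future__ import annotations

import re

# Constructed responses keyed by the URL that was fetched (hypothetical hosts).
SAMPLE_PAGES: dict[str, str] = {
    "https://www.yourenterprise.com/": (
        "<html><head><title>Your Enterprise - Home</title></head>"
        '<body><a href="/about/">About</a></body></html>'
    ),
    "https://files.yourenterprise.com/backups/": (
        "<html><head><title>Index of /backups</title></head><body>"
        "<h1>Index of /backups</h1><table>"
        '<tr><th><a href="?C=N;O=D">Name</a></th>'
        '<th><a href="?C=M;O=A">Last modified</a></th></tr>'
        '<tr><td><a href="/">Parent Directory</a></td></tr>'
        '<tr><td><a href="db-2023-01.sql.gz">db-2023-01.sql.gz</a></td></tr>'
        '<tr><td><a href="config.bak">config.bak</a></td></tr>'
        "</table></body></html>"
    ),
    # A normal page whose title merely starts with "Index of": must not be flagged.
    "https://www.yourenterprise.com/blog/index-of-articles/": (
        "<html><head><title>Index of articles we published</title></head>"
        '<body><a href="/blog/1">One</a></body></html>'
    ),
}

# Autoindex titles are "Index of /<path>"; the slash separates them from prose titles.
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s+href="([^"]+)"\s*>([^<]*)</a>', re.IGNORECASE)


def is_directory_listing(body: str) -> bool:
    """True when both autoindex fingerprints are present:
    an 'Index of /<path>' title and a 'Parent Directory' link."""
    if not TITLE_RE.search(body):
        return False
    return any(text.strip() == "Parent Directory" for _, text in LINK_RE.findall(body))


def listed_entries(body: str) -> list[str]:
    """Names a listing page reveals, ignoring the column-sort links (?C=...)
    and the parent-directory link."""
    return [href for href, text in LINK_RE.findall(body)
            if not href.startswith("?") and text.strip() != "Parent Directory"]


def find_exposed(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL that serves a directory listing to the names it exposes."""
    return {url: listed_entries(body) for url, body in pages.items()
            if is_directory_listing(body)}


if __name__ == "__main__":
    for url, names in find_exposed(SAMPLE_PAGES).items():
        print(f"{url} lists {len(names)} entries: {', '.join(names)}")
```

Any URL this reports is one the intitle:index.of query could surface. The fix is on the server, not in search: in Apache remove Indexes from the directory’s Options line (Options -Indexes), and in nginx keep autoindex off (its default), so a directory without an index file returns 403 instead of an inventory of its contents.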

Read more: Essential security practices to protect your business

Syntax is not the only way to do what Google dorking does

Two other similar tools make reconnaissance even easier. The first is Google Cache, which keeps a cached copy of web pages that are no longer available for about 90 days. The second is the archive.org Wayback Machine, which stores copies indefinitely. I mention both because companies believe they can remove what they deem sensitive information from their websites so it can’t be uncovered for reconnaissance. If the information was ever publicly accessible, there is a reasonable chance that it never goes away, thanks to the Wayback Machine. I use the Wayback Machine to look up web pages from 20 years ago that detail how to modify a particular part so it can be used today. With the Wayback Machine, you can follow those orphaned links in forums that go nowhere and access the content they pointed to 10 or 20 years ago. Similarly, bad actors can access old web pages that companies believed they had made inaccessible, scrape potentially sensitive information, and create problems you never anticipated.

Read more: Cybersecurity guidance from the top

Google dorking is anything but dorky

In conclusion, these are by no means the only Google dorking techniques or tools available for gathering reconnaissance data about your organization. They do, however, show how easy it is for an outsider to learn far more about your organization than they should be able to. True, it is one more thing to learn in order to improve your security posture, but it will pay to become alert to, and familiar with, what can be done with Google dorking.

If you need any help addressing questions about your enterprise security, please feel free to reach out to the CBTS Security Team.


Continue reading: Software bill of materials (SBOMs): what is it good for?