
Why Businesses Need Endpoint Protection

Endpoint protection platforms (EPP):

Endpoint protection, or endpoint security, describes cybersecurity services for network endpoints, like laptops, desktops, smartphones, tablets, servers, and virtual environments. These services may include next-generation antivirus software, endpoint detection and response (EDR) for investigation and response, device management, web filtering and data loss prevention (DLP), and other controls that keep pace with evolving threats.

Endpoint protection helps businesses keep critical systems, intellectual property, customer data, employees, and guests safe from ransomware, phishing, malware, and other attacks, including those that exploit zero-day vulnerabilities for which no patch yet exists.

Why businesses need endpoint protection:

Criminals are constantly developing new ways to attack networks, take advantage of employee trust, and steal data. Smaller businesses may think they’re not a target, but that couldn’t be further from the truth. Small businesses with 100 employees or fewer face the same attacks as a large enterprise; commodity phishing and ransomware campaigns are not sized to the victim.

No matter the size, businesses need reliable endpoint security that can stop modern attacks. And since most companies are subject to some form of compliance or privacy regulation, protecting endpoints is a baseline requirement for avoiding the fines and reputational damage that follow a breach.

Steps to secure endpoints in your organization:

  1. Outfit employee endpoints with anti-virus software, multi-factor authentication, and automated client management that keeps the operating system and applications patched. These basic protections go a long way toward securing client data.
  2. Delete unnecessary customer and employee data from endpoint devices. Routine data minimization is not only an industry best practice; it also limits what an attacker can take from a lost or compromised device.
  3. Consider implementing an endpoint detection and response (EDR) solution so that incident responders can see and contain active threats quickly.
  4. Keep your technology and its configuration current. Ensure endpoints receive routine patches, that software and licenses are still supported by the vendor, and that your controls reflect the latest compliance and regulatory requirements.
  5. Update your security and recovery plans to reflect the latest additions or changes to your network infrastructure. This is imperative if you have added new mobile, IoT, or on-premises resources.
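A quick way to verify that steps 1 and 4 above actually hold on a given Windows 10/11 endpoint. This is an added example, not code from the original post or from CBTS; it uses only the built-in Defender, NetSecurity and BitLocker cmdlets, and the thresholds (7-day signature age, 45-day patch age) and the function name `Test-EndpointPosture` are assumptions to adjust to your own policy. Multi-factor authentication is enforced at the identity provider, not on the device, so it cannot be checked here.

```powershell
# Added example (not from the original post): local posture check for a Windows endpoint.
# Run from an elevated session; Get-BitLockerVolume needs admin rights and the BitLocker
# module, which ships with Pro/Enterprise editions. Thresholds are assumptions.
function Test-EndpointPosture {
    param(
        [int]$MaxSignatureAgeDays = 7,    # assumption: signatures older than a week are stale
        [int]$MaxPatchAgeDays     = 45    # assumption: no hotfix in 45 days means patching is broken
    )

    $mp = Get-MpComputerStatus                                   # Microsoft Defender state
    $fw = Get-NetFirewallProfile                                 # Domain / Private / Public
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive       # OS volume encryption
    $lastPatch = (Get-HotFix |
                  Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1).InstalledOn

    # Each boolean below is one control from the checklist; anything False is a finding.
    $findings = [ordered]@{
        AntivirusEnabled      = [bool]$mp.AntivirusEnabled
        RealTimeProtection    = [bool]$mp.RealTimeProtectionEnabled
        SignaturesCurrent     = $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
        FirewallAllProfilesOn = -not ($fw | Where-Object { "$($_.Enabled)" -ne 'True' })
        SystemDriveEncrypted  = "$($bl.ProtectionStatus)" -eq 'On'
        PatchedRecently       = [bool]$lastPatch -and ((Get-Date) - $lastPatch).Days -le $MaxPatchAgeDays
    }

    # Overall verdict: compliant only when every boolean control passed.
    $failed = @($findings.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value })
    $findings.FailedControls = ($failed | ForEach-Object { $_.Key }) -join ','
    $findings.LastPatchInstalled = $lastPatch
    $findings.Compliant = ($failed.Count -eq 0)

    [pscustomobject]$findings
}

# Example run; non-compliant hosts can be fed into a ticket queue or your EDR console.
Test-EndpointPosture | Format-List
```

The script only reads state and can be run repeatedly from a management tool; a host that reports `Compliant = False` with `FailedControls` listing `PatchedRecently` or `SignaturesCurrent` is usually one whose update channel is broken rather than one that was deliberately misconfigured.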

Learn how CBTS can help protect your organization.

How a VPN protects your privacy

What a Virtual Private Network (VPN) is

Transacting on an unsecured network means you could be exposing your private information. VPN services establish an encrypted connection from your device to a VPN server, protecting your traffic beyond the single wireless hop that even a password-protected Wi-Fi hotspot secures. That’s why a virtual private network, better known as a VPN, should be a must for anyone concerned about their online security and privacy.

Think about all the times you’ve been on the go, reading emails while in line at the coffee shop, or checking your bank account while waiting at the doctor’s office. Unless the network was protected with WPA2 or WPA3 and a passphrase you trusted, anything your applications sent without their own encryption could be read by strangers on the same network. Now think of your entire workforce accessing or exchanging private company information while away from the office. Many of us have a full-time remote workforce that does business from a hotel, a local coffee shop, or even from the car or while at a rest stop when traveling. More times than I can count I’ve had to “set up office” wherever I could find a spot that was somewhat private.

How a VPN protects your privacy

VPNs create an encrypted tunnel between your device and an exit node in another location, so to the sites you visit your traffic appears to originate from that node. This lets you access and exchange private information while on the go without exposing it to whatever network you happen to be connected to.

VPNs use encryption to scramble data so it is unreadable in transit. Because your data is encrypted before it leaves your device, a VPN defeats many forms of Man in the Middle (MitM) attacks on the local network. This matters most on public Wi-Fi, hotspots, and open/unsecured networks, because it prevents anyone else on that network from seeing your activity. Even if you’re connected to an “evil twin” hotspot or your traffic is captured with a Wi-Fi packet sniffer, the attacker sees only ciphertext, because the data is encrypted before it enters the evil twin’s data channel. Two caveats apply: the protection ends at the VPN exit node, so the VPN operator and everything beyond it are covered only by the application’s own encryption (such as HTTPS), and the VPN client must be configured to verify the identity of the server it connects to and to block traffic, rather than fall back to the open network, if the tunnel drops.

A VPN can help protect all of your devices: desktop computers, laptops, tablets, and smart phones. Your devices can be prime targets for cybercriminals. In short, a VPN helps protect the data you send and receive on these devices so hackers won’t be able to watch your every move.

NOTE: If your smartphone’s Wi-Fi is enabled at all times, it may automatically join open networks or network names it has seen before, so you could be on an untrusted network without ever knowing it. Everyday activities like online shopping, banking and browsing can then expose your information, making you vulnerable to cyber crime.

Learn about how CBTS can help protect your information.

Our current state: A perspective from our CSO during the COVID-19 crisis

This crisis we are in is not over, and although we have been talking about pandemic response for as long as I have been around security and BCP teams, it is very hard to anticipate, plan for, and react to black swans. The responses to COVID-19 and the structural changes we are going to see in economies throughout the world will be based on good solid leadership, speed/adaptability, innovation, humility, charity, and sacrifice.

Security plays an additional role in a crisis like COVID-19 in protecting an organization’s ability to respond effectively, which sometimes means accepting more risk. Security has to be laser-focused on ensuring a physical or cyber crisis does not impede the organization’s response efforts. It also needs to be a part of the ongoing risk decision-making as the crisis unfolds. Given this, below are my recommendations for additional considerations to your current security and incident response efforts. 

Revisit some risks now. A crisis can take you into uncomfortable territory from a controls and process perspective, so we need to spend time now reassessing some risks and anticipating others as part of crisis management. Revisit threats, likelihoods, and impacts in the context of the bigger picture and help the organization steer clear of the inability to respond effectively to the current crisis and return to the new normal.

Sharpen response to risks. Speed/adaptability and the other aspects of an effective response require a good command-and-control framework that relies on roles rather than specific people. The right people will always eventually rise to the occasion in a crisis. If not, you’re toast. There are plenty of history lessons where failed command-and-control results in chaos during stress and crisis, which is why it is one of the first things to be attacked by adversaries. Communication strategy is also essential, leveraging technology and agreed-upon protocols for cadence and messaging inside and outside the organization. Lastly, anticipate working outside the norms of your business during a crisis. Helping customers or those who could become your customers with their response usually turns out net positive through a crisis. Generosity and sacrifice often get rewarded.

Request to speak to an expert


After the Smoke Clears – What we can learn about risk management

After the smoke clears and we’re all allowed to go to bars again, organizations will be trying to answer a few questions. How well did we deal with this crisis? What have we learned? What changes for us the next time we have a similar crisis? Did what we just experience inform our approach to any other operational issues?

The security team has a particular responsibility in helping to answer these questions. The mission of a security team is to protect a business from risk. The risk of a pandemic eliminating supplies, services, and customers, as well as forcing employees to stay home, etc., probably was not on the radar of most businesses. It is now though.

Risk management forces the business to do three things, and a heightened state of awareness like the one we are in right now is the time to do them:

  • Anticipate risks. What things could impact our business’ operations? We can brainstorm, we can look at history, we can look at what’s happening to other businesses in our industry or region, we can look at our operations and list the conditions that would be detrimental to their success. All of these activities should be inputs to our risk management effort. We won’t anticipate everything, but we should do our best to be holistic.
  • Prioritize risks. We need to answer the question, what risks would be the most impactful to our operations? We make decisions about these, stack rank them using a variety of criteria, and allow that to drive our efforts to deploy countermeasures. Businesses that had a pandemic on their list of risks may not have had it as a high priority before this year. Circumstances will change our view of these things, which is why we also need to…
  • Learn. After something adverse happens we examine it and adjust our risk inventory and priorities. We add things that weren’t there before, we knock things off the list or adjust priorities, we update our list of controls when we know something’s very effective—or less effective—than we expected. We’re constantly re-examining our risk and making sure we’re tracking and preparing for the right things.

Every business—even the critical ones that remained open during the quarantine—was impacted in some way by this pandemic. It’s a good time for every business to reexamine their risk management program and get it on track when leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.



In response to Covid-19 now is the time to build a Cyber Risk Program – Here’s How

Digital Transformation is defined as the process of exploiting digital technologies and supporting capabilities to create a robust new business model which is led by executive management or at the board level. With the onset of the Covid-19 pandemic, we have an opportunity to review cyber risk strategies and align to the desired business outcomes. 

According to IDC (Source – Worldwide CISO Influence Survey 2018), business leaders and CISOs view information security as vital to competitiveness of products and services while protecting the interests of their customers.

Areas an Enterprise Cyber Risk Program should cover

When an organization promises to deliver the value of digital business to customers, it’s often the case that security is not at the table when critical decisions are being made. Without security representation at the right time, organizations are exposing themselves to business critical risks that could severely damage their brand.

As organizations continue to expand their digital footprint, an Enterprise Cyber Risk Program should be an integral part of the plan and should cover the following four areas:

  • Understanding and protecting your data.
  • Securing your applications.
  • Ensuring appropriate access.
  • Identifying and responding to incidents.

Questions to consider when building an Enterprise Cyber Risk Program

Here are some questions to consider as you build your program:

  1. What is your most critical and sensitive data? Where does it reside and how should you classify and protect it?
  2. With 90% of exploits being attributed to code defects in applications, how are you securing what has become the main entry point to your environment?
  3. How do you assure that the right people and things have the right access to the right data at the right time?
  4. It’s easy to monitor for security incidents that you are looking for, but how do you detect the ones that you have missed and drive them back into your automated detection and response processes?

CBTS can help you

If you would like to discuss in more detail, please email security@cbts.com.

 

Related Articles:

The key to strong security programs

Create your data breach response plan

Three steps to enhancing security solutions



Now, more than ever, network infrastructures need Network Access Control

The basis for Network Access Control

In the circumstances corporations now find themselves because of the Covid-19 pandemic, network segmentation deficiencies have been spotlighted as an alarmingly weak spot in modern network enterprises.

A recent example was provided by an attacker penetrating an IoT-based HVAC system that ultimately provided the attacker a nearly unrestricted path all the way to the victim corporation’s Point of Sale systems.

While re-architecting many infrastructures to provide more granular and secure segmentation would be an enormous ask, the first part—of low-security IoT devices being able to provide a starting point for a path through the network—is an easier one to address.

How Network Access Control works

Network Access Control, or NAC as it’s commonly referred to, is a process by which a user or a device (or both!) must first authenticate to the network before network access is given.

What we’re NOT talking about: We’re not talking about logging on to a workstation when you first walk into your cubicle; in this instance your workstation is already connected to the network and you’re just providing your user credentials to log on to, for example, the Windows Domain.

What we ARE talking about: Rather, we’re talking about when you first connect your device—connect your laptop to the wired network, or connect your smartphone to a wireless network’s SSID, as examples—your device must first provide some kind of authentication, be it a MAC address or a certificate, and the network switch or wireless controller authenticates that MAC address or certificate against a centralized source, typically a RADIUS server, with 802.1X carrying the exchange. One caveat: a MAC address is identification rather than proof of identity. It is sent in the clear and is trivially spoofed, so MAC-based admission should be reserved for devices that cannot do 802.1X, and a certificate issued to the device is the stronger option whenever the device supports it.

Pass this authentication, and the device is allowed onto the network (for example, put into a certain VLAN) and further user authentication can take place from there.

Fail the authentication, and the device is either put into a guest VLAN for Internet-only access, or placed into an isolated VLAN with an explanatory page telling the user how to fix the situation by contacting a certain person or following a certain procedure to get the device properly registered, or else not allowed connection to the network at all.

How NAC solves IoT device vulnerabilities

Taking this concept further into the IoT realm, devices which do not have a user-facing GUI—headless devices like printers, security cameras, thermostats, HVAC systems, “smart-building” alarm sensors, etc.—are notoriously vulnerable via unpatched operating systems or known hardware security flaws, and need to be handled with care.

Devices like these should NEVER have an unrestricted pathway to secure/sensitive internal systems.

Network Access Control solves this by automatically authenticating these types of devices and placing them into cordoned-off zones (VLANs) whose access lists or firewall rules permit traffic only to their “phone home” destination. The VLAN assignment by itself is not the control; the filtering applied to that VLAN is.

A common misconception about modern NAC solutions

A common misconception is that Network Access Control is only applicable for wireless, or that “it’s that 802.1X thingy that never really caught on, so it’s an ‘old’ technology that is not applicable today.” That latter perception is particularly troubling, because 802.1X gets painted as old and non-applicable not for any weakness in the protocol, but because when it first appeared there were no quick-start guides or software wizards to make deploying it easy.

Today’s NAC solutions are nothing like yesteryear’s NAC solutions, the latter of which required almost exclusive hands-on to the command-line configuration of all devices involved.

Setting up a NAC policy in today’s NAC solutions is as easy as following a “Start Here” wizard that quite literally walks you through setting it up, with resulting configuration statements that you install with copy/paste into the end-user-facing switch, controller, etc.

NAC solutions have hybrid configuration capabilities

Network Access Control solutions aren’t an “all or nothing” solution, either.

What a NAC solution is NOT: It’s not like an entire switch or controller is either under NAC control or it’s not, and if it is and the NAC solution isn’t working, the entire population of users connected to that switch or controller are locked out from the network.

What a NAC solution IS: Instead, NAC can be implemented on end-user-facing devices in a hybrid way, where only certain switch ports or certain SSIDs are under NAC control, and with a “fail-open” configuration (sometimes called “fail-through”) where, if the NAC server doesn’t respond, the switch port or SSID grants a predefined “default” level of access.

Naturally, a caution is warranted with a hybrid configuration like this (especially with the fail-open feature), as NAC’s security can be eaten away by production connectivity emergencies. One example is service-ticket troubleshooting where, instead of working out why the user needs to authenticate to that particular security domain, the “resolution” carves away some of NAC’s security policy and the ticket is closed out, leaving a weakened policy in place. Keep the fail-open default as restrictive as the business can tolerate (a remediation VLAN rather than full access), and give every exception made under pressure an owner and an expiry date.

Figure 1a: Examples of some of the “Start Here” configuration wizards in a popular NAC product.
Figure 1b: More examples of some of the “Start Here” configuration wizards in a popular NAC product.

Granular device visibility and health determination through Network Access Control

Network Access Control also offers improved visibility into the devices connected to the network, via the fact that many/most of them will “profile” the device as it connects to the network.

Profiling can be agentless—where the device’s own communication characteristics on the network are captured and leveraged—or agent-based, where an agent is installed on the device to determine the health before access is allowed.

This profile information is subsequently used for policy determination even before access to the network is given. This is how network segmentation by device type—and the separation of IT devices from OT (operational technology) devices—can be achieved without having to hardcode switch ports, SSIDs, or the devices themselves.

Figure 2: Example of the endpoint profiler in a popular NAC solution, showing newly-connected and unknown IoT devices like doorbells and thermostats, with the ability to review a device’s authentication records (bottom-right corner of screen).

Summary

News headlines of the latest hacks demonstrate not only the need for authenticated network access, but device-specific network segmentation as well.

Network Access Control is just one part of a more-encompassing IT security policy, of course, but an ever more crucial one. And today’s NAC solutions make it easy to implement, which is unusually low-hanging fruit in the information security realm.

The CBTS Security Solutions team has Network Access Control subject matter experts on staff to not only assist with the selection, testing, and implementation of a NAC solution, but also to help build that more-encompassing IT security policy.

 

Related Articles:

Continuous Penetration Testing critical for security

Three steps to enhancing security solutions

Create your data breach response plan



The Effects of the Coronavirus on Cybersecurity

While we’re all struggling to deal with the new reality imposed on us by those mean little viral microbes, the world carries on around us. There are a few ways we at CBTS have noticed the Coronavirus impact cybersecurity. Specifically:

Attackers are capitalizing on our fear

Cybercriminals and malware authors always try to find the most effective way to trick users into making poor, risky choices. Fear is an extremely effective mechanism, so in the last weeks we’ve seen this happen with the pandemic. Phishing attacks that purport to carry news about quarantines and lockdowns, infections, vaccines, and “did you see which celebrity tested positive” are on the rise. Mobile apps that claim to help you track the spread of the virus actually introduce malware onto your mobile device. We’ll see more of these in the coming months, and then when the proverbial smoke clears, there will be another round warning people about another crisis that’s even worse.

Company networks are under strain

As the workforce moves from offices to homes, businesses are forced to adopt remote worker practices, often with no experience with this model. This usually means a greater reliance on VPN technology. Of course, if your business isn’t used to monitoring a suddenly packed VPN appliance, your security monitoring effort might miss unauthorized VPN access from stolen accounts. Make sure you’re using multi-factor authentication for your VPN solution, and baseline who logs in from where so that a new account, a new country, or an odd hour stands out.

Other businesses might give up and expose internal applications to the internet to facilitate greater remote access, but without properly protecting those applications. The right way to make these applications public involves strong authentication, filtering traffic and requests to the app (using intrusion prevention and web application firewall tools), and ensuring sensitive data exposed by the application cannot be accessed by unauthorized users or assets. Make sure your servers and network infrastructure are getting patched, too.

Finally, more company assets might be attached to more untrusted networks than a few weeks ago, mostly home networks. While we’d like to think they’re just as clean and safe as the company network, there might be exposure to a compromised or infected machine. You need a strategy to patch, enforce policy, and update controls and defenses on your workstations wherever they are.

Cloud solutions, a blessing and a curse

We’ve got plenty of customers that have migrated many of their essential applications to the cloud and so find themselves in a good spot. The apps are already broadly accessible from the internet, no need to have folks in the office anyway!

However, we also see plenty of these workloads operating without proper governance. Now might be a good time to look at how data is protected in these workloads, how servers and applications are hardened, and if the security controls in place are actually addressing the business’ risk, or if they’re just a placeholder.

Is that enough to worry about? Our goal isn’t to add to your anxiety, but to relate, and to offer help. Talk to our experts for assistance in dealing with any of these challenges. And stay healthy!

Visit CBTS.com to learn more.



A critical Windows flaw with no patch…now what?

Just as the planet’s medical practitioners are battling an epidemic, security practitioners also find themselves struggling to prevent the spread of harmful viruses. (How’s that for a timely analogy? Too soon?)

Businesses that run Windows—so, pretty much every company around the world—may be faced with such a situation soon. This morning, Microsoft published a bulletin about a vulnerability (tracked as CVE-2020-0796) that some researchers have nicknamed “EternalDarkness,” besmirching the name of the excellent 2002 psychological thriller video game for the Nintendo GameCube.

Sorry, back to the vulnerability. The issue is present in Windows services that use the SMBv3 protocol to exchange files and perform administrative functions. If you have a Windows machine, it’s really hard to operate without this service running and available to your local network segment.

An unprecedented vulnerability

This vulnerability is startling for a few reasons. One, there’s currently no patch available, although I’m sure Microsoft is working to develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. You can attack Windows machines both by simply sending unauthenticated exploit code to a listening service, and by convincing a user (or a process on their machine) to connect to a malicious SMB server you control, an unusual way of attacking this service.

Three, we just got done telling everyone that SMBv1 and SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date there’s no SMBv4, sadly). Microsoft has published a workaround in their advisory: disabling compression on SMBv3, which mitigates the server-side issue but won’t address the client-side issue. Note that every Windows machine—workstation or server—runs both the client and server.

We cannot overstate the severity of this issue. While no public exploit code exists yet, it will soon. Once it does, it will be widely distributed and then used by ransomware authors, cyber criminals, and nation-state attackers.

What do we do when there’s no patch?

So what do we do as practitioners when there’s a vulnerability with no patch? We mitigate with compensating controls:

  • If you have endpoint protection solutions on your Windows workstations and servers, and they are capable of performing host-based intrusion prevention (for example, filtering malicious network traffic to the machine), ask the vendor to develop a signature to stop this exploit. Once it’s available, immediately distribute the signature to your entire environment.
  • Monitor for suspicious traffic at your perimeter.
  • Block unnecessary traffic between your network segments.
  • Use a host-based firewall to filter SMB traffic (port 445/TCP) between machines that don’t need to talk to each other, like other workstations. Better still, only allow 445/TCP traffic from workstations to necessary servers (such as domain controllers and file servers), and from servers to other necessary servers (application servers that require the protocol to talk to each other).
  • Most importantly, patch! Slam that F5 key on the Microsoft advisory website until you see a patch, and then distribute immediately to your environment.
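The compensating controls from the list above, applied to a single Windows host from an elevated PowerShell session. This is an added example, not code from the original post or from Microsoft’s advisory: the registry change is the server-side workaround Microsoft published, while the firewall layout, the addresses in `$SmbPeers`, and the use of the Windows firewall’s `Internet` address keyword to approximate “off the corporate network” are our own assumptions to adapt to your environment.

```powershell
# Added example (not Microsoft's advisory or the original post). Run elevated on a
# Windows 10 / Server 2019 host. Addresses below are placeholders.

# 1. Server side: Microsoft's documented workaround, disabling SMBv3 compression.
#    Takes effect without a reboot. It does NOT protect the SMB client.
$srvParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $srvParams -Name DisableCompression -Type DWORD -Value 1 -Force
Get-ItemProperty -Path $srvParams -Name DisableCompression | Select-Object DisableCompression

# 2. Host firewall, inbound: a workstation rarely needs to accept SMB at all.
#    Disable the built-in rules that open 445/TCP broadly, then allow it only from
#    the hosts that genuinely must reach this machine over SMB.
$SmbPeers = @('10.0.10.5', '10.0.10.6')   # assumption: endpoint-management / backup servers
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB-In from approved servers only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $SmbPeers -Action Allow -Profile Domain,Private
# With the default inbound action set to Block on every profile, 445/TCP from any
# other peer (including other workstations) is now dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Host firewall, outbound: the client-side vector needs the victim to connect to
#    an attacker's SMB server. Blocking 445/TCP to addresses Windows classifies as
#    'Internet' stops a user being lured to a share outside the network, while
#    internal file servers and domain controllers keep working.
New-NetFirewallRule -DisplayName 'SMB-Out to Internet blocked' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block

# 4. Verify the resulting rule set for port 445 before pushing it fleet-wide.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 445 -or $_.RemotePort -eq 445 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```

Roll this out through Group Policy or your endpoint-management tool rather than by hand, and reverse step 1 once the patch is deployed; the firewall rules are worth keeping, since restricting 445/TCP to the servers that need it also blunts the next SMB bug and the lateral movement that follows most ransomware footholds.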

For more information on how CBTS can help keep your business secure, visit: https://www.cbts.com/infrastructure/security/

Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!

Balancing security risks with business needs for online collaboration tools

While an increasing number of CIOs recognize the benefits of implementing standardized, corporate-wide collaboration tools, the top priority for most companies continues to be security.

Yet, the collaboration tools used extensively every day by employees contain some of your company’s most sensitive information, from customer data to logon credentials to details about a proprietary process or an innovation driving a new product offering.

In an environment where mobility is not only valued but mandatory, IT is still responsible for complying with mounting regulatory requirements, including safeguarding all information shared across collaboration platforms.

Collaboration suite vulnerability threats

Threats most often identified as arising from collaboration suite vulnerabilities include:

  • Users accessing collaboration tools from the public Internet versus a secure VPN, opening up threats from web-based opportunists.
  • Unauthorized individuals breaching logon credentials, allowing them to gather details for accessing proprietary company data, customer information, and even financial records.
  • When limited encryption gives hackers an opening, making the organization vulnerable to considerable compliance risks.
  • When code-related issues accidentally expose confidential data.
  • Third-party integrations into collaboration tools.

To keep security risks to a minimum, enterprises must begin to rein in and consolidate the numerous collaboration tools used by different teams throughout the organization. CIOs can initiate the process by engaging stakeholders to determine functionality crucial to the lines of business, while carefully considering the diverse needs of corporate headquarters, branch, and remote users.

Give teams secure collaboration anytime, anywhere

Today, more than 63% of companies globally employ remote workers and over 48% regularly hire independent contractors.
 

Focus on security makes Cisco Webex a trusted collaboration tool

Cisco Webex® is a proven suite of applications enabling today’s global employees, virtual teams, and remote employees to work side-by-side to achieve objectives, as if in the same room. The security features built into Cisco Webex applications make it a trusted solution for corporations, institutions, and government agencies worldwide.

Get more done with Cisco Webex. Learn how.

CBTS, a Cisco Webex Master Service Provider

Why hire a technology partner to manage implementation, ongoing support, and maintenance of your collaboration tools? Because in-house teams working diligently to meet business goals for encouraging innovation through digital collaboration shouldn’t be burdened with ever-changing security and compliance responsibilities.

With CBTS as your technology partner, IT leaders can integrate new collaboration functionality into the corporate environment while continually addressing security concerns, no matter the location of distributed team members.

Schedule a collaboration security assessment today.

6 security trends to keep an eye on in 2020

Happy 2020! As a practitioner and consultant I’m excited to see what the year brings in terms of new technology, research, and clever Twitter and blog posts from the security community. To get the ball rolling, here are six security trends to keep your eye on as we start the new year.

Two security trends for home users and consumers:

1. Attacks against smart home products will increase

We will see more discovered vulnerabilities in, and attacks against, so-called “smart home” products, such as smart speakers, security systems, and cameras. Any time we see widespread deployment of technology that is, relatively speaking, in the early stages of maturity, we expect that attackers will pay attention and work to discover ways to circumvent security functions of these devices. In the last few months we’ve seen lasers used to surreptitiously command smart speakers, attackers remotely compromise smart home devices, and the inadvertent disclosure of PII from smart camera owners by the camera’s vendor. Expect attackers to look for, find, and exploit ways to control, obtain sensitive data from, and disrupt these devices.

What you can do today:

Make sure you’ve hardened your smart home devices. Change factory passwords after you install them, restrict the activities they can perform without identity validation, and regularly review the “connected apps” they use.

2. An influx of noise on social media

Because of the 2020 presidential election, we expect that social influence operations will substantially escalate from foreign states that have an interest in our country’s politics. This will include social media “news” posts, activity programmatically generated by computer-controlled (or “bot”) accounts, and an uptick in spam e-mail and robocalls to your phone. There’s also the possibility that attackers will target our voting machines. Stanford University’s Cyber Policy Center published an excellent paper on the risks and some countermeasures and controls to ensure our elections are conducted with integrity and security.

What you can do today:

Be cautious with blindly trusting any material you read from your browser or smartphone. Make sure you’re getting your news from vetted sources that are known to publish content of substance based on careful investigation and thorough research. Contact your state and local boards of elections and tell them you expect the voting process to be secure, transparent, and free from any interference, and ask what is being done to ensure this happens.

Four security trends for enterprises:

1. Ransomware incidents will continue to shift from opportunistic to targeted attacks.

Opportunistic attacks—those that aren’t focused on a specific individual or organization, but instead sent broadly to the public Internet—are certainly still going to happen, but we are seeing more and more ransomware incidents that are deliberate in nature, with a focused effort on a specific organization (say, the City of Baltimore or New Orleans). Attackers will build phishing and social engineering campaigns designed to exploit human weaknesses, as well as find exposed infrastructure with technical weaknesses and misconfiguration that will allow them a presence on the network. They will use this presence to install ransomware on key systems, attempting to impact the organization’s operations sufficiently to encourage payment.

2. Business e-mail compromise attacks will continue

We also expect to see “business e-mail compromise” attacks continue, as attackers conduct similar focused campaigns to obtain access to trusted e-mail accounts, and use that access to trick employees into providing cash, gift cards, funds transfers, or financial information. It is by far the most common successful “cyber” attack we see in our customer environments, one that’s trivial for an attacker to perform with commoditized tools and methodologies, and susceptible users at nearly every business.

What you can do today:

Begin a comprehensive security awareness training effort, intended to teach users to spot and report these attacks. Inform every employee that their managers and leadership aren’t going to ask them to take pictures of gift cards and text them back, so those requests can be safely ignored! Review your security controls posture to ensure you have sufficient defense against these threats.

3. Improvements in attacker capability

Attackers will focus research efforts on credential theft, bypass of so-called “next generation” endpoint protection solutions, and defeating multi-factor authentication. We can expect to see new standalone tools, shared code, and malware kits that leverage these advances.

What you can do today:

Ensure your risk management efforts include staying current with modern threats, including those that compromise the effectiveness of the controls you’ve deployed. Continue to monitor the threat landscape, the output from vendors that provide these solutions, and at least annually review your control set to ensure it aligns with the risks you’ve identified.

4. The California Consumer Privacy Act went into effect on January 1.

That means if you do business with California residents and (a) have more than $25M in annual revenue, (b) handle personal data for 50,000 or more consumers, households, or devices, or (c) derive more than 50% of your revenue from selling personal data, you are subject to the law. You’re required to tell customers what data you’re collecting about them, provide this data to them when requested, delete it when requested, and let them opt out of its sale. The EU’s General Data Protection Regulation (GDPR) made this practice more common in 2018, but we anticipate a greater number of US businesses will be looking to add it in 2020.

What you can do today:

Read the CCPA to see if you’re subject to the law, and if so, get ready to field requests from customers or face penalties.

 

Related Articles:

Is SMS-based Multi Factor Authentication Secure?

Understanding “Data Breach Safe Harbor” law

Create your data breach response plan