Target Rich Environment
Corporations with valuable intellectual property, utilities with critical infrastructure, and government entities such as national intelligence are all irresistible targets to independent and state-funded computer hackers. Typical attacks start by attempting to compromise an Internet accessible device, such as a web or email server, or a remote user laptop.
Due to the nature of outdated network authentication protocols, the prevalence of static user passwords, and the de-prioritization of IT security spending, a motivated attacker is able to establish a beachhead by finding at least one account or computer with weak security at the target organization. From that beachhead, the attacker moves laterally through the network to other devices using a combination of stolen credentials and hijacked session information. This approach allows the attacker to systematically achieve his or her goal, whether it be theft of intellectual property or sabotage.
The good news is that the building blocks for a robust network defense are available commercially today. Based on our years of security consulting experience, JW Secure has made a significant research and development investment into a solution called StrongNet Secure Admin that provides robust defense against stolen credentials, remote and off-line attacks, and unauthorized lateral movement on the network. To learn more, read on.
Defense in Depth
The purpose of JW Secure StrongNet Secure Admin is to protect high-privilege accounts, such as system administrators and DevOps, against unauthorized use. We do that using a defense in depth approach that includes credential theft mitigation and hardening the computers where those high-privilege accounts are used.
The first line of defense is to protect the network from computers that are infected by rootkits. This is a critical step for a couple of reasons. First, a rootkit undermines the efficacy of any security policy implemented by the computer operating system. Second, rootkits are very difficult for even tech savvy users to detect and eliminate. Third, a rootkit renders the client device untrustworthy from the perspective of other devices on the network.
StrongNet protects the network from rootkits by enforcing UEFI Secure Boot, TPM measured boot, and remote platform attestation. Granular boot policy enforcement allows us to isolate devices with unrecognized components in their boot stack.
The second line of defense is to protect against offline attacks. This is important because, in addition to obvious examples of intellectual property such as documents and email, computers retain traces of user authentication information such as passwords and session state even after they’ve been shut down. Plus, a stolen device can have its hard drive removed, boot data modified, or be subjected to I/O port and DMA attacks.
StrongNet protects against offline attacks by enforcing BitLocker disk encryption and a boot PIN. As a result, data can’t be recovered from stolen drives, and I/O attacks can’t be initiated without knowledge of the PIN to boot the system.
The third line of defense is to protect against attacks on the running system. This is important because, even if the system started securely, the user will inevitably need to run a variety of applications, and access a variety of network locations, in order to be productive. StrongNet monitors antivirus and patching systems to ensure that the host stays protected and up to date. If the host falls out of compliance, StrongNet immediately flushes all cached credentials and authenticated session state.
As part of every StrongNet deployment, JW Secure works with the customer to define what applications are required by the high-privilege user. We create AppLocker policies to ensure that only those applications can be run. We also create web proxy, network policy, and browser settings in order to enable safe use of any must-have line of business web apps.
The fourth line of defense is to bind the user credential to all of the above policies in real-time. The user can authenticate only when the host device is compliant with security policy; there is no lag in enforcement. As soon as the device falls out of compliance, access to the authentication credential is lost.
StrongNet provides real-time enforcement of security policy using our proprietary Measurement Bound Keys. The key, a component of the Secure Admin computer credential, is encrypted (“sealed”) to a specific TPM security chip, on a specific device, in a specific state. The key cannot be exported or used from another device. And, whenever the device boot state changes, or when the device simply reboots, the device must be re-authorized by a trusted remote server before the key can be used again.
The fifth line of defense is ease of integration. Security technologies that are difficult to use end up getting disabled and ignored. StrongNet can protect any Active Directory or PKI aware application or service. This includes simultaneous enforcement of multifactor authentication both of the user and of the host device.
Build a Stronghold
The JW Secure Stronghold model calls for defense in depth by placing the most business-critical assets inside layers of security. The government intelligence community uses the same approach by compartmentalizing, both physically and logically, its most sensitive data. Consistent with the NIST BIOS Integrity Measurements guidelines and the NSA Mobility Program, StrongNet brings the highest level of enterprise network credential protection to the private sector.
To learn more, or to request a demonstration, please contact us at firstname.lastname@example.org.