jwsecure_blog_imagery_endtoend
23 Sep

Whitepaper: End-to-End Enforcement of Hardware-Based Data Protection

By Dan In Security Strategy, TPM /   No Comments

After decades of hacking, cyberattacks, malware, ransomware, and other data security threats, we still do not have data protection managed by policy and applicable to all devices—from smartphones to servers.

The Trusted Platform Module (TPM) is an example of the kind of hardware-backed data security building block we would like to see. However, TPM has not experienced the uptake necessary to realize this vision. Nevertheless, the typical enterprise server and PC client refresh cycle is finally likely to encounter the option of a TPM-enabled backplane. Plus, while no mass market smartphones expose TPM-like capabilities to third-party app developers, improvements in data loss prevention can be realized by implementing storage and lifecycle policies in software on these platforms, and complementing those protections with other defense-in-depth measures.

In End-to-End Enforcement of Hardware-Based Data Protection, we describe an enforceable system for better data security, including new technology that binds hardware-protected cryptographic keys to environmental measurements such as time and the behavior of the user.

Read More
blogpic_crownjewels
18 Nov

Systematically protecting the crown jewels of enterprise data

By Dan In Security, Security Strategy /   No Comments

The most successful organizations are built on a combination of great people and efficient processes. Information technology teams are no exception: the most effective are those that combine talent and technology in order to become a strategic asset to the business.

IT security is frequently seen as a tax on the business, even by the IT team itself. That attitude presents an opportunity for more competitive organizations. The more timely and seamless access that authorized users have to data, the more effective their decisions can be, and the faster the business can move. The more that the business invests in achieving the right balance of unobtrusive and manageable data loss prevention, the better that data can be utilized in innovative applications and collaboration scenarios.

The most competitive businesses systematically manage critical security controls in order to confidently expose new capabilities to business decision makers. The challenge is that the current internet threat landscape is such that the line between confidence and naiveté is narrow and winding. Nevertheless, there is a body of best practice documentation about how to be both thorough and efficient in securing digital assets. Please see our Practical Guide to Critical Security Controls for more information.

Read More
27 Jan

Security as a Business Enabler: StrongNet Secure Admin

By Dan In BYOD, Cloud Computing, Compliance, Security Strategy, StrongNet, TPM /   No Comments

This post describes how the JW Secure StrongNet Secure Admin solution enables your business by protecting high-privilege network accounts, even on unmanaged mobile computers.

IT Security is a Business Enabler

The bring your own device trend

The “bring your own device” trend allows employees to work when they want, how they want, and where they want. This flexibility increases the speed and quality of business decision making by making data more available. That in turn makes you more competitive and increases employee satisfaction. StrongNet supports BYOD by ensuring that user-managed devices are held to the same high-security standard as IT-managed devices.

Similarly, although a porous network perimeter makes IT security people nervous, the increased accessibility of enterprise computing assets has served to increase demand for those services and to decrease the cost of providing them. StrongNet blocks next-generation threats both on premise and in the cloud.

Finally, DevOps, or the combining of the roles of “software developer” and “IT operations,” has further increased the ability of IT to serve the business. By deploying new services to the cloud at a fraction of the time and cost, line of business software developers are increasing their strategic value. StrongNet is operations- and developer-friendly and stays in the background until a critical threat is detected.

As a revenue enabler, it is incumbent upon IT to protect the business against internal and external threats. Even in ideal circumstances, IT security has become a tough job in the face of well-funded, sophisticated adversaries. However, industry-wide underinvestment in defensive computer security technologies has made the problem harder than it should be. By relying on old standards such as static passwords and traditional antivirus, you are putting your business at risk.

StrongNet Changes the Game

The good news is that the IT security industry is responding to customers that want to protect their business data and revenue streams. There’s now a window of opportunity to jump ahead of the competition – the good guys as well as the bad guys – by protecting your high-value data assets using underutilized hardware security features present in most enterprise-class mobile devices.

StrongNet Diagram

StrongNet integrates secure remote attestation into your existing identity and access systems. This allows you to enforce high-assurance data protection and high-integrity mobile computing, even for sensitive accounts such as system administrators. Enable secure mobile computing by covering the bases:

  1. Continuously enforce security policy in hardware, firmware, and software
  2. Ensure that sensitive data is always encrypted, everywhere
  3. Enable strong authentication of users and computers

In short, StrongNet brings government-class, high-assurance endpoint security to the private sector.

Secret Sauce: Measurement Bound Keys

StrongNet Secure Admin uses patented Measurement Bound Keys to ensure that user and computer credentials are non-exportable and are only valid while the host is compliant with security policy. If the host’s defensive posture changes, then access to existing credentials is immediately lost.

Measurement Bound Keys

Thus, StrongNet protects your IT assets against sophisticated attacks such as Pass the Hash, rootkits, and other advanced persistent threats.StrongNet even ensures that sensitive data and credentials residing on mobile devices stay protected while the device is disconnected or offline.

Interoperability with a range of identity standards, security protocols, and partner solutions ensures that StrongNet deploys seamlessly and has low total cost of ownership.

Information Technology is Strategic

StrongNet greenlight key image

Don’t forget that IT is a strategic asset. Your competitors know this, and well-funded adversaries such as nation-states know it, too, just as they know the value of enterprise data. Use StrongNet to protect the technology resources that make your business competitive.

 

Learn More about Next-Generation Data Protection

To learn more about StrongNet, please reach us at sales@jwsecure.com, or find us at www.jwsecure.com.

Read More
24 Nov

Enterprise security is all about people

By Dan In Newsletter, Security Strategy /   No Comments

When it comes to planning and executing projects to improve enterprise security, I find that IT security practitioners are frequently focusing on the wrong things.

First, don’t focus on computers and network routers when you should be focused on the data that traverses them. For example, are you putting the same amount of effort into protecting sensitive files downloaded on smartphones as you are into securing the backend file storage? It’s easy to be distracted by the latest technology “new toy” and to forget that any component, big or small, may or may not be your weakest security link.

By focusing on data flows and classification, you’re more likely to notice soft spots in your IT security defenses. The bad guys are doing the same thing: identify the valuable data that they want, look at every place that data is accessible, and go for the weakest one. Focus on the data.

Second, don’t focus on data when you should be focused on people. Personnel vetting, onboarding (welcome to the project) and offboarding (good bye) procedures, proper training – these things can all make or break enterprise security , and yet we routinely underinvest in them. Why is that? Well, they’re tough to quantify, and people don’t want to feel like their own organization is lacking trust.

The key is to remember that the whole purpose of file servers and data protection measures is to allow people to do their jobs efficiently and securely. People create and consume the data and are the reason the business has value. User-facing data loss prevention technologies can be implemented efficiently, professionally, and sensitively, given a moderate investment of planning and care.

By the same token that people are the critical asset for a competitive business, they are also the critical asset for enabling secure IT services. Learn more in the JW Secure article, Protect Your Business by Building a Security A-Team.

Read More
15 Jul

Mitigating the Pass the Hash Exploit on Windows

By Dan In BitLocker, Microsoft, Security, Security Strategy, StrongNet /   No Comments

Pass the Hash (PTH) is one of the most potent exploits in the hacker arsenal for gaining system administrator privilege and compromising an entire enterprise network. Why? Because PTH can be successful simply by compromising a single machine.

PTH works by extracting credential information from the computer’s memory. Any credential present on the computer is vulnerable to the attack. Once the attacker locates a credential with sufficiently high privilege on the network, he uses it to hop from system to system, installing root kits and backdoors, compromising additional accounts, and exporting sensitive business data such as trade secrets, pricing, etc.

In this way, the enterprise network environment is only as strong as its weakest link. Consider an unpatched system. Has a user ever logged on from that system to SharePoint or to the network file server? Then that system makes a juicy target. Even juicier is if a network administrator ever logged onto that system, for example, to install a previous patch or to set up the computer in the first place. Thereafter, by default, that administrator credential (password hash) is sitting on that unpatched system waiting for a hacker to come get it.

The good news is that it is possible to mitigate the risk of PTH. How? By hardening your environment.

First, require multifactor authentication (MFA) for all users, particularly system administrators (such as the various Active Directory administrator roles). Unfortunately, MFA is not a panacea, since for compatibility reasons MFA solutions can result in short-term credential information that is still exportable. However, static passwords are totally insecure in any context, and MFA does raise the bar, especially when deployed in tandem with the rest of these mitigations.

Second, for protecting network administrator account specifically, consider using one of the commercial privileged account management solutions. These solutions help mitigate PTH risk by randomizing the administrator account password each time it’s used. That way, a stolen hash is only useful for a short period of time. Don’t forget to enforce MFA for access to the privileged account management solution. Otherwise, it’s doing you no good.

Third, further lock down your administrative environment by disallowing network admin logons wherever possible. For example, domain administrators should only be logging into Domain Controllers (DCs), and only for administrative scenarios that require that level of access. Also, users should not have local administrator access to their computers.

Fourth, lock down your endpoints. For mobile devices, use JW Secure StrongNet to keep out rootkits, enforce disk encryption, and keep unknown devices off the network. For all computers, including servers and workstations, define their workloads and use Security Compliance Manager to create and deploy security baselines. Also, see Patch Management on Business-Critical Servers for our research on how to increase security and decrease server downtime.

Finally, conduct regular threat assessments of your network infrastructure and security posture. This should be done yearly since business needs and software configurations change over time.

Additional references:

Read More
27 Jun

Business Value Proposition for Cloud Identity Management

By Dan In ADFS, Azure, Cloud Computing, Security Strategy /   No Comments

As businesses expand their mobile and cloud services, the increased complexity of identity management represents both development costs and security risks. Each new service costs developer time and requires secure management of that application’s identity concepts. Redundantly implementing identity management strategies also requires excessive maintenance, and each instance potentially introduces flaws which lead to security failures. By adopting patterns which eliminate redundancy and consolidate responsibility for identity management, IT security can decrease exposure to attack and reduce cost of ownership. This presents IT security with the opportunity to increase access while reducing development costs, security flaws and exposure to attack.

For each application server accessing enterprise data, user identities are established when the server has sufficient authenticating information. Not all of this information must be directly exchanged between user and application. Anyone may make claims, or statements about identity whose trustworthiness can be accepted or rejected, about a user or other entity. These claims are packaged into tokens by a Security Token Server (STS) which exchanges this information with other trusted participants.

Having trusted third parties available to make identity claims simplifies the responsibility of establishing identity. Designing applications which accept identity claims from other providers allows applications to rely on unified identities understood by multiple parties, known as federated identities. By using claim data provided by trusted parties, one can centralize the design of authentication methods and increase the flexibility of claims.

Identity management solutions simplify authentication further by assigning a trusted intermediary to establish and interpret user identity information. For this illustration, let’s assume our use case is an employee accessing a cloud service via the web, using identity information stored in an enterprise directory service. An intermediary which translates between web authentication and enterprise domain services is doubly desirable; it acts as both an added security layer for the enterprise and a valuable interpreter of enterprise-specific identity information.

For this use case, an enterprise might use Active Directory Federation Services (ADFS) as an intermediary which accepts authentication requests on behalf of Active Directory and returns usable identity information, which in turn enables access to Windows Azure services. By taking a look at how ADFS and Windows Azure authenticate users and validate claims, we can learn how to create secure multi-user authentication services by assigning the components of identity management to trusted delegates. While AD FS and Windows Azure represent a specific solution, the underlying model can be applied generally to businesses using their enterprise identities to remotely access applications and services.

For a more technical discussion of Windows Azure and ADFS, click here.

JW Secure specializes in strong authentication and federated identity management. Contact us for a free consultation.

Read More
26 Apr

Helping DARPA stay ahead on Cyber Security

By Dan In Defense Tech, JW Secure, Security Strategy /   No Comments

Here’s a short and sweet blog post about DARPA’s need to stay ahead in cyber-security emerging technology. DARPA is the US Defense Advanced Research Projects Agency.

JW Secure is proud contributor to DARPA’s mission to quickly deliver the latest cyber security technologies into the hands of users: our BIOS Integrity Measurements Heuristics Tool for DARPA Cyber Fast Track is now a component of our StrongNet device authorization solution.

Read More
13 Sep

Endpoint Security in an age of BYOD

By Dan In Mobile Computing, Security, Security Strategy /   No Comments

Introduction

The proliferation of smart phones and tablets has created a population of users that have come to expect that they can have immediate access to any data anywhere that they might be. The popularity of smart phones lead to their sales exceeding all PC’s in 2011 and that was before the impact of tablet computing had really taken off. Every public location that encourages users to linger provides WiFi access, otherwise customers look elsewhere for a coffee and a connection.

In the enterprise, the pressure to enable fully mobile access to corporate resources is significant. Enterprise IT needs to get out in front of this trend in order to support mobile access in an orderly and secure manner, since users are inevitably pushing for quicker adoption than can be safely deployed for certain key applications. And we are talking about support across the full spectrum of applications: today’s pressure to enable email and sharing will morph into tomorrow’s demand for mobile access to systems used for SCADA and national defense.

Mobile devices all have limitations that require fundamental rethinking of IT requirements. This post describes the Four Pillars of Endpoint Security as an enablement tool for mobile devices in the enterprise, followed by a list of specific steps that you can take today to be prepared for the pressure to deliver tomorrow.

What kind of mobile devices will IT support?

The US Dept. of Defense found that the mobile communications of their warfighters in the Middle East was badly outclassed by the insurgents using cell phone for both intelligence and triggering bombs. Enterprise IT departments are facing a similar gap between their services and public experience with consumer on-line service. While the consumer driven approach championed by Apple and Android is dominant today, look for enterprise-class security features to be come increasingly important in the coming device generations.

The Four Pillars of Endpoint Security

Every enterprise has compliance criteria that have been imposed by internal or external regulations. The deployment of a new device technology does not free IT from compliance requirements. New devices must be adapted to the existing requirements. Over time we have developed the Four Pillars of Endpoint Security strategy to focus on the best practices for applying controls and achieving compliance.

  • Endpoint Hardening
  • Endpoint Reliability
  • Network Prioritization
  • Network Reliability

For more information on the Four Pillars strategy for BYOD, please see our upcoming September edition of the JW Secure Informer newsletter.

Read More
07 May

Real security is different from compliance

By Dan In Security Strategy /   No Comments

Couldn’t resist doing a post on this table, which makes some excellent points:

clip_image002

However, the axis that’s missing here is customer demand. After all, how “real” can security be if nobody’s buying? Not that customers aren’t buying from both columns – they are. But why should there be this dichotomy, perceived or otherwise, between Compliance versus Real Security? Customers as well as technology vendors (not to mention government) share responsibility for that perception. The industry is better served by products that blur those lines.

Read More