Computer security can be a scary thing. If you just have a quick question, feel free to drop Dan a line.
Many thanks to the organizers of the Cloud Developers Summit and Expo 2014 last month in Austin. The conference was enjoyable and educational. And it’s always a huge bonus when conference content is made availability electronically for posterity.
To that end, the full archive is here. I’m looking forward to the next CDSE!
There are three principles to securing online payment transactions:
The next sections summarize considerations for addressing each principle.
Magnetic stripe cards aren’t cutting it from a security perspective: see the recent incidents involving Target, Home Depot, and PF Chang’s. It’s time to move to chip cards (also known as smart cards). Phones can act like a chip card, as Apple Pay has recently reminded us.
However, using a static password to protect your phone account, or accounts with PayPal or AliPay, is no better security than handing your mag-stripe credit card over to every merchant you encounter. Strong authentication is the only way. (See SmartUtil.)
The larger the electronic transaction, the more important it is to ensure that the computer is acting on behalf of the user, and has not been compromised with the root kit, pass the hash, or other advanced persistent threat. This is especially true for B2B (business to business) transactions, where the B2C (business to consumer) PCI (Payment Card Industry) and government loss limits don’t apply.
It’s in the interest of the account holder to lockdown the client computing environment in order to limit theft. By enforcing device security and compliance from the hardware up through the browser, we prevent the computer from pulling a HAL and initiating transactions unauthorized by the user. (See StrongNet.)
Detecting fraud is as much about protecting the business from malicious trusted insiders as it is about protection from external fraudsters. It is straightforward to model the computer audit of an activity that is expected from a given data center environment under “normal” conditions. The model consists of such detail as: what objects – computers, users, security groups – are expected to show up. (See StrongInsight.)
For additional protection, also model when certain activities are expected, with what frequency, and in what combinations. Then, any deviation from that model must be flagged for follow-up. For each such incident there are three possible outcomes:
One of the bigger network security defense methodology trends over the past couple of years, Lockheed Martin’s Cyber Kill Chain model is useful for analyzing and mitigating Advanced Persistent Threat (APT) attacks in the enterprise. The sequential nature of the chain model expresses how the attack itself is vulnerable to disruption, and hence provides avenues for thwarting the attacker, even when "zero day" exploits are used:
We have developed network security best practices and solutions that complement the cyber kill chain model. For example, employing The Four Pillars of Endpoint Security,
as well as The Four Tenets of Security,
disrupting the kill chain is straightforward.
By hardening network endpoints, we make attack Delivery more difficult, thereby breaking the chain and disrupting the attack. Enforcing user multifactor authentication (MFA) helps in that area as well.
Likewise, enforcing device MFA makes Reconnaissance difficult by blocking unauthorized connections at the network layer. Marrying high-integrity credentials, network security protocol such as IPSEC, and authenticated outbound proxies help disrupt the attack at Command and Control (and earlier in the cyber kill chain as well).
As an aside, Pass the Hash (PTH) is a well-known APT attack building block. Many of the cyber defense mechanisms recommended for PTH, including those implemented by the JW Secure StrongNet solution, apply across the board as best practice mitigations for breaking the APT cyber kill chain.
For more information about assessing and securing your network, please contact JW Secure.
Pass the Hash (PTH) is one of the most potent exploits in the hacker arsenal for gaining system administrator privilege and compromising an entire enterprise network. Why? Because PTH can be successful simply by compromising a single machine.
PTH works by extracting credential information from the computer’s memory. Any credential present on the computer is vulnerable to the attack. Once the attacker locates a credential with sufficiently high privilege on the network, he uses it to hop from system to system, installing root kits and backdoors, compromising additional accounts, and exporting sensitive business data such as trade secrets, pricing, etc.
In this way, the enterprise network environment is only as strong as its weakest link. Consider an unpatched system. Has a user ever logged on from that system to SharePoint or to the network file server? Then that system makes a juicy target. Even juicier is if a network administrator ever logged onto that system, for example, to install a previous patch or to set up the computer in the first place. Thereafter, by default, that administrator credential (password hash) is sitting on that unpatched system waiting for a hacker to come get it.
The good news is that it is possible to mitigate the risk of PTH. How? By hardening your environment.
First, require multifactor authentication (MFA) for all users, particularly system administrators (such as the various Active Directory administrator roles). Unfortunately, MFA is not a panacea, since for compatibility reasons MFA solutions can result in short-term credential information that is still exportable. However, static passwords are totally insecure in any context, and MFA does raise the bar, especially when deployed in tandem with the rest of these mitigations.
Second, for protecting network administrator account specifically, consider using one of the commercial privileged account management solutions. These solutions help mitigate PTH risk by randomizing the administrator account password each time it’s used. That way, a stolen hash is only useful for a short period of time. Don’t forget to enforce MFA for access to the privileged account management solution. Otherwise, it’s doing you no good.
Third, further lock down your administrative environment by disallowing network admin logons wherever possible. For example, domain administrators should only be logging into Domain Controllers (DCs), and only for administrative scenarios that require that level of access. Also, users should not have local administrator access to their computers.
Fourth, lock down your endpoints. For mobile devices, use JW Secure StrongNet to keep out rootkits, enforce disk encryption, and keep unknown devices off the network. For all computers, including servers and workstations, define their workloads and use Security Compliance Manager to create and deploy security baselines. Also, see Patch Management on Business-Critical Servers for our research on how to increase security and decrease server downtime.
Finally, conduct regular threat assessments of your network infrastructure and security posture. This should be done yearly since business needs and software configurations change over time.
Additional references:
Due to the BYOD and cloud computing trends, as well as to the presence of insider threats and sophisticated overseas adversaries, the enterprise network perimeter is a myth. That is, you can’t depend on an internet firewall to protect the critical data that defines a business.
What can you do? Effective data protection requires layers (like an onion, or an ogre). Just like a medieval castle has an outer wall, an inner wall, and a keep, high-value enterprise assets require multiple layers of defense.
Learn more in Keep High-Value Assets in a Stronghold in the JW Secure Informer newsletter.
Big thank you to CARTES America 2014 for hosting my presentation, Using NSA Tradecraft to Protect Data on Mobile Devices. And who doesn’t love visiting Las Vegas before it gets really hot?
All of the slide decks from CARTES America 2014 are available here.
Network security requires both top-down and bottom-up thinking. Read more about securing network endpoints in the 25th edition of the JW Secure Informer.
Reminder to those attending RSA in San Francisco this week: the below session is this morning and is free to Expo pass holders. In addition to the 10am panel, we’ll also be demonstrating the JW Secure StrongNet solution interoperating with a Continuous Monitoring agent from Microsoft Trustworthy Computing.
Consistent with the theme of the TCG sessions this morning, our demo combines several open security standards, including:
Today’s session abstract:
Get Proactive with Security: A Session on Using Trusted Computing to Free Security Resources for the Day-to-Day Fires
Let’s face it. Security is not easy. Every day brings a new wave of announcements for various tools…right alongside a slew of new malware, vicious attacks and holes in existing apps and software. But IT and security teams can implement a number of technologies available in products to provide ongoing, baseline security that will then free them up to fight the daily fires. One of these is the hardware root of trust. Another is transparent data encryption. A third is security automation and endpoint compliance.
Here at RSA, security experts around the industry will talk about these and other widely vetted, open standards can be applied to solve these problems now. Attendees will learn tools and tips – while myth-busting some of these key security options. Following the session, see hands-on demos for real-world implementations of key baseline Trusted Computing technologies including network security, authentication, virtualized systems, cloud security, BYOD and mobile security.
Coming to RSA in San Francisco this year? The conference organizers would like to remind you that there is compelling content on the first day of conference, Monday, February 24, 2014. And an expo pass is enough to get you into these… any you get a free lunch!
I’ll be participating in the following moderated panel session, taking place at 10am in Moscone West, room 2018 (the official title of the session is the subject of this post, above):
“Let’s face it. Security is not easy. Every day brings a new wave of announcements for various tools…right alongside a slew of new malware, vicious attacks and holes in existing apps and software. But IT and security teams can implement a number of technologies available in products to provide ongoing, baseline security that will then free them up to fight the daily fires. One of these is the hardware root of trust. Another is transparent data encryption. A third is security automation and endpoint compliance.
Here at RSA, security experts around the industry will talk about these and other widely vetted, open standards can be applied to solve these problems now. Attendees will learn tools and tips – while myth-busting some of these key security options. Following the session, see hands-on demos for real-world implementations of key baseline Trusted Computing technologies including network security, authentication, virtualized systems, cloud security, BYOD and mobile security.”
After the session, I’ll be demonstrating the JW Secure StrongNet solution, in partnership with Microsoft, in that same room. Anybody who stops by to see the demo gets a free copy of my book, The Four Pillars of Endpoint Security: Safeguarding Your Network in the Age of Cloud Computing and the Bring-Your-Own-Device Trend.
The secret to protecting big data isn’t to put it under a big tarp. Or to guard it with a big dog. No! The secret to protecting big data is encryption. And you don’t even need big encryption. Just regular encryption will do it.
Information security is all about the basics: access control, authorization, confidentiality. And the basics are all you need in order to keep your cloud- and datacenter-stored data secure. Learn more about Storage Appliances and Data Security in the January 2014 edition of the JW Secure Informer.
The Four Pillars of Endpoint Security
Cloud Security and Control
