Tag Archives: RSA

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE

Illustration by Kekai Kotaki

Problem

Cisco Systems, in its Cyber Security Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Many of these tools seem to be deployed mainly to satisfy a checkbox on an auditor’s compliance form. Security professionals know that these tools, although very important, alone do not provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

As the centerpiece of Cisco’s TrustSec solution, Cisco ISE creates a secure ecosystem that treats security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center in the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. Federal IT budgets are being cut back in 2013; to the casual onlooker, however, spending on cyber security appears to be increasing.

Cisco Systems, in its Cyber Threat Defense white paper, discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even gauge whether they are being attacked or whether a threat poses a clear and present danger (yes, that was a Harrison Ford shout-out)?

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goals of the program should be to (1) provide a framework that can be built using products, technologies, and methodologies available today, (2) provide real-time visibility into network health and status, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration

Lancope StealthWatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because it highlights changes in baseline behavior. Did traffic spike 100%? Did outbound traffic suddenly increase? Are more requests being sent to a new domain on the Internet? All of these occurrences can indicate an attack. Network visibility shows network security professionals exactly how today’s traffic patterns differ from what normal traffic looks like.
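As an added illustration of the baseline comparison described above (example code written for this page, not part of Lancope’s or Cisco’s products), the script below rolls a constructed week of flow summaries into a per-day baseline and flags the three signals the paragraph names: a total-traffic spike, an outbound spike, and traffic to a destination never seen during the baseline. The domains, byte counts and the 2x (100%) spike threshold are all assumed sample values.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample flow summaries: (day, direction, destination, bytes).
# Days 0-6 form the baseline week; day 7 is "today". Every value is made up.
SAMPLE_FLOWS = [
    *[(d, "in", "cdn.example.com", 600_000) for d in range(7)],
    *[(d, "in", "mail.example.com", 400_000) for d in range(7)],
    *[(d, "out", "mail.example.com", 150_000) for d in range(7)],
    *[(d, "out", "cdn.example.com", 50_000) for d in range(7)],
    # Today: inbound looks normal, but outbound more than triples and part of
    # it goes to a destination never seen during the baseline week.
    (7, "in", "cdn.example.com", 600_000),
    (7, "in", "mail.example.com", 400_000),
    (7, "out", "mail.example.com", 150_000),
    (7, "out", "cdn.example.com", 50_000),
    (7, "out", "files.never-seen.example", 450_000),
]


def summarize_by_day(flows):
    """Roll raw flows up into per-day totals, outbound totals and destinations seen."""
    days = defaultdict(lambda: {"total": 0, "out": 0, "dests": Counter()})
    for day, direction, dest, nbytes in flows:
        rec = days[day]
        rec["total"] += nbytes
        if direction == "out":
            rec["out"] += nbytes
        rec["dests"][dest] += nbytes
    return days


def build_baseline(days, baseline_days):
    """Average the baseline days and record every destination seen in them."""
    recs = [days[d] for d in baseline_days if d in days]
    known = set()
    for rec in recs:
        known.update(rec["dests"])
    return {
        "total": mean(rec["total"] for rec in recs),
        "out": mean(rec["out"] for rec in recs),
        "known_dests": known,
    }


def detect_deviations(flows, today, baseline_days, spike_ratio=2.0):
    """Compare today's traffic against the baseline and return a list of findings.

    spike_ratio=2.0 means "100% more than the baseline average" counts as a spike.
    """
    days = summarize_by_day(flows)
    base = build_baseline(days, baseline_days)
    now = days[today]
    findings = []
    # Volume checks: total traffic and outbound traffic against the baseline mean.
    for key, label in (("total", "total traffic"), ("out", "outbound traffic")):
        ratio = now[key] / base[key] if base[key] else float("inf")
        if ratio >= spike_ratio:
            findings.append({"kind": f"{label} spike", "ratio": round(ratio, 2)})
    # Destination check: anything not seen during the baseline week is new.
    for dest, nbytes in now["dests"].items():
        if dest not in base["known_dests"]:
            findings.append({"kind": "new destination", "dest": dest, "bytes": nbytes})
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(SAMPLE_FLOWS, today=7, baseline_days=range(7)):
        print(finding)
```

Note that total traffic on day 7 is only 1.375x the baseline and is not flagged; it is the outbound share and the new destination that stand out, which is the point of looking at direction and destination rather than volume alone.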


Filed under Security Management & Analysis

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography

Is There More To This Image?

How we communicate has become extremely easy in today’s digital society. Most mobile devices offer software that integrates with social networks, business applications and e-mail. People share anything from where they are eating to what they are about to eat in near real-time (personally I find it annoying). This convenience makes securing communication more difficult, since most digital messages leave a digital fingerprint and are usually transmitted over insecure channels. My team has demonstrated how hackers can steal data in transit using man-in-the-middle attacks with tools like the WiFi Pineapple (more HERE) and BeEF (more HERE), and by compromising mobile devices to pull up old text messages and e-mails.

How can you protect your communication? Best practice is investing in multifactor authentication to trusted systems, VPN technology for communication outside of a secure network, data loss prevention to monitor what data is permitted to leave a secure network, internal network security products, and host-based security to stop key loggers and other threats. Communication solutions should offer a mix of confidentiality (protecting the information), integrity (the message can’t be modified), availability, authenticity (the message is genuine) and non-repudiation (proof that the message was sent and received).

Meeting best practice typically requires investments in multiple technologies; however, what about the average user looking to send a sensitive message? There are methods to send messages securely using free tools. One option is using a secure e-mail solution. Hushmail offers free PGP-encrypted e-mail and file storage. If you look at the image below, you will see the checkbox for encrypting the outgoing message as well as how Hushmail enforces a strong passphrase, promoting secure e-mail standards. The downside of Hushmail is that it doesn’t offer some of the flashy features other e-mail services include, such as chat or customizable backgrounds.

Setting up a Hushmail account

Sending Encrypted E-mails


Filed under Data Loss Prevention, General Security

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most security solutions leverage a combination of signature- and behavior-based technology (more HERE). This worked in the past, but today these solutions are not good enough, even if you layer multiple products built on similar scanning methods. There are many ways to bypass point security products, such as throttling behavior and masking the known fingerprint of the attack code. One example of a technique used to hide malware from popular anti-virus packages is dynamic obfuscation software.

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining functionality. There are commercial obfuscation software packages available for programmers looking to hide their source code, and these are equally obtainable by malware developers. This is bad for anti-virus vendors responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for anti-virus vendors by adding dynamic elements that randomize malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants, making it almost impossible for signature-based security to identify the threat.

There are dozens of examples of commercial Java obfuscator packages. Some common packages are Zelix KlassMaster, DashO, ProGuard, Smokescreen, Thicket and Allatori. Popular penetration toolsets such as Metasploit also include malware-obfuscating modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE.

Examples of Java Obfuscation Software


Filed under General Security, Internet Defense, Penetration / Hacking, Security Management & Analysis

Building an Active Identity HID Global Two-Factor Card Authentication Lab: ActivID CMS Overview

Many of our customers are investing in multi-factor authentication solutions. The multi-factor industry offers a range of options such as physical cards, certificates and tokens that represent “something you have”, mixed with a PIN, password or security phrase that is “something you know”. An upcoming multi-factor technology is biometrics, representing “something you are”; however, it’s not as common as having and knowing something. DoD has standardized on Common Access Cards (CAC), while civilian agencies tend to use Personal Identity Verification (PIV) cards for accessing systems and secured areas. Both card solutions use similar smart card technology; however, things like the Certificate Authority and what is printed on the cards differ between organizations.

Customers request my team to provide security demonstrations and often ask if the solution being showcased is CAC / PIV / smart card capable. There are a few players in the CAC / PIV / smart card market. One we like is Active Identity (now part of HID Global). Active Identity offers many multi-factor authentication solutions, including CAC / PIV and smart card packages that range from the HID reader to the card management system. Active Identity’s flagship card management solution is ActivID CMS, a web-based application using Apache Tomcat and IIS. Active Identity does not provide a Certificate Authority (CA) for generating certificates or a Hardware Security Module (HSM) for storing master keys; however, a lab can work without these.

For those who want to build a CAC / PIV / smart card lab, go to Active Identity’s demo download page found HERE and download the latest ActivID CMS. I’m running ActivID CMS in my lab using VMware Workstation on a standard Windows laptop. There are a lot of steps in the install guide, so make sure to download that as well. To summarize the installation steps, you will need to do the following:


Filed under Physical Security

RSA NetWitness: An Anatomy Of An Attack

Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.

RSA NetWitness

RSA NetWitness is a unique solution that captures, stores and analyzes network data traffic. This gives you the ability to see exactly what comes in and goes out of the network in real time. In simple terms, RSA offers you a network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.

RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises, enabling extraordinarily broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.

Why is it important?

NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.

More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.

Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.

Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.

Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.

Anatomy of an attack

Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.

Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.

A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the user’s system. From that point on, it was trivial for them to exploit other systems on the user’s network.

Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes, mostly by redirecting anti-virus updates to the 127.0.0.1 IP address.

Since NetWitness recorded all network traffic, it recorded which systems were compromised, communications with systems in China, and what was being transferred. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.

NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.
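As an added example that is not part of Aamir’s post or of any NetWitness product, the script below shows the host-side check a responder would pair with the network capture described above: it parses a hosts file and flags every name mapped to 127.0.0.1, 0.0.0.0 or ::1, the trick the post describes Zeus using to cut off anti-virus updates. The hosts content, the .test names and the watch list of update servers are constructed placeholders, not real vendor domains.

```python
import ipaddress

# Constructed hosts-file content. Names under .test are placeholders, not real
# vendor domains; the layout mirrors a typical Windows hosts file.
SAMPLE_HOSTS = """\
# Local name resolution
127.0.0.1       localhost
::1             localhost
# Entries of the kind the post describes Zeus adding to cut off AV updates
127.0.0.1       update.example-av.test  liveupdate.example-av.test  # added
0.0.0.0         download.example-av.test
127.0.0.1       news.example-site.test
# Legitimate internal override
10.0.0.5        intranet.corp.test
"""

# Assumed watch list: names a responder considers critical (update servers).
WATCHED_UPDATE_NAMES = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "download.example-av.test",
}

# Names that legitimately point at loopback and must not be flagged.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than crash on a tampered file
        for name in fields[1:]:  # one line may alias several names to one address
            yield ip, name.lower()


def find_sinkholed_names(text, watched_names=WATCHED_UPDATE_NAMES):
    """Return every non-localhost name mapped to a loopback or unspecified address.

    Watched names (update servers) are rated 'high'; any other name pointed at
    such an address is 'medium', since it is still unusual for a hosts file.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        if name in LOCALHOST_NAMES:
            continue
        severity = "high" if name in watched_names else "medium"
        findings.append({"name": name, "ip": str(ip), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_sinkholed_names(SAMPLE_HOSTS):
        print(f"[{f['severity']}] {f['name']} -> {f['ip']}")
```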


Filed under Security Management & Analysis

Defending Against Distributed Denial Of Services DDoS Attacks

If you are Internet facing, you are vulnerable to Distributed Denial of Service (DDoS) attacks. Attacking network services is on the rise as the price of computing power decreases and people become more dependent on technology. Studies from leading service providers show DDoS attacks have grown from 9 to 500 Gbps in the last five years. Botnets are becoming an underground commodity that can be rented for as little as 10 dollars an hour to launch strategic DDoS attacks. Governments are investing in military strategies based on the ability to interrupt enemy computer services through targeted DDoS attacks. These attacks are indeed a weapon of mass disruption.

Most customers who survive a DDoS attack will experience serious downtime and lost revenue. Older DDoS attacks primarily involved saturating bandwidth and network services with bogus traffic. The latest DDoS attacks target applications, which are harder to detect and require less computing power to execute. Some DDoS attacks focus on security tools (for example, overloading TCP state tables) so the security defenses become bottlenecks and eventually the source of network failure. Other DDoS attacks target key infrastructure such as DNS or other critical services. The area of risk for DDoS is pretty much your entire network.

Companies tend to point blame at their service provider for external DDoS attacks. Service providers offer limited protection due to regulations and are unable to deal with data once it leaves their control. There are companies such as Neustar, Prolexic and VeriSign that provide 24/7 DDoS monitoring services and help leading service providers battle DDoS attacks. While monitoring services are a good option, the best approach is to invest in your own DDoS defenses against insider threats, external flooding and targeted application attacks.

Advanced insider threats are difficult to identify. Standard security solutions leverage signature- and behavior-based technologies; however, most attackers have knowledge of these defenses. To bypass these solutions, attackers develop zero-day targeted threats that throttle their activity to stay under the radar. One way to catch this behavior is leveraging NetFlow using tools like Lancope (more found HERE). Another way is monitoring packets on the wire using tools like NetWitness (more found HERE). Security Information and Event Management (SIEM) tools are a popular way to view events from multiple security solutions so administrators can quickly identify an attack (more found HERE). Best practice is monitoring the wire along with a management system that aggregates events from all internal security devices.

External threats such as targeted DDoS attacks are tougher to deal with. Large vendors like Juniper and Cisco have partnered with the leader in this space, Arbor Networks, to address the DDoS landscape (for example, Cisco and Arbor released “Clean Pipes”, explained HERE). Arbor offers perimeter- and cloud-based solutions that address flooding and application attacks. They also offer correlation between their products, cloud updates from their security center and reputation scoring from their large client base. Their flagship solution is Pravail (see screenshots). Pravail makes it easy to understand traffic patterns, identify threats and react to attacks by switching from low to high interrogation of traffic for specific protection groups. Check out their website for more information on their solutions.

MAIN DASHBOARD

Viewing Protection Groups

Viewing Top Talkers

DDoS is a serious threat vector since standard security solutions focus on integrity and confidentiality but not availability. My expectation is that there will be a lot more DDoS attacks in the news. Hopefully it’s not your organization on the front page.


Filed under Internet Defense, Security Management & Analysis

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network policy requirements can change based on device type, time of day and user role. It is key that network policy be enforced automatically rather than left as something end-users choose to abide by, which will most likely fail when it is most needed.

Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in an email) or users bringing in devices infected with malware, most likely obtained while surfing websites that violate network policy. It’s also common to see users violate security controls if the controls impact their workflow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to a lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.

Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.

The problem with these solutions is scalability. Most content filters require either user devices to be configured inline (hardcoding proxy settings) or traffic to be routed to the device (for example, WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not corporate assets, such as mobile devices.

(Cisco’s Web-Security Portfolio)

A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (for example, Cisco AnyConnect with IronPort or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (for example, Citrix). Sandboxes work well; however, they may encourage the wrong user behavior, such as emailing information to a Gmail account to bypass the sandbox. One solution I like is Cisco’s OEAP, which extends the internal network (including corporate SSIDs) to my home office.

Agent- and cloud-based technology can enforce network policy for laptops and desktops but fails for most mobile device types such as Android and Apple devices. The reason is that most mobile device manufacturers give power to the end-user, meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by an MDM provider but fails when the MDM agent is not present. The only protection that can be applied to mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the approach of MDM enforced by access control technology.

Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.


Filed under General Security, Host And Mobile Device Security

Addressing Bring Your Own Device (BYOD): How to manage and secure mobile endpoints

The majority of today’s workforce uses multiple devices such as laptops, tablets and smartphones (i.e., they bring their own device, or BYOD). Leadership in most industries is being asked to permit these devices on the network in some limited or full fashion. Common BYOD questions are “how do I support growth for users with multiple devices?”, “what type of access should guests and employees use for mobile devices?”, “how do I provision corporate mobile devices?”, and “what security vulnerabilities am I exposed to by permitting mobile devices?”. All are good questions and can be addressed by focusing on three core BYOD concepts: infrastructure, access control and device management.

The first thing to consider for BYOD is whether your wireless network can support growing from one device per user to potentially 2-4 devices. The best way to find out is by performing a wireless assessment to verify capabilities and potential risks caused by obstacles and nearby rogue networks (e.g., a Starbucks using a similar RF channel). Security features such as wireless intrusion detection and prevention (WIDS/WIPS), as well as controlling the number of permitted associated devices per user, should be considered for BYOD to guarantee scalability and service.

Another common area of concern for BYOD is provisioning access to employees and guests. The first BYOD question typically asked is “should all mobile devices be handled by a separate network, or should employee-owned mobile devices share the same core network while guest devices use another network?”. However you plan to permit mobile devices, best practice for BYOD is to automate the process based on multiple factors such as device type, user authentication and risk status. Policies permitting employee access using personal devices should have a process to register and track those devices (e.g., a web registration page like those in hotels) rather than an “employee wireless password” that could get compromised and is not associated with a device. Many solutions such as Cisco Identity Services Engine (ISE) offer self-registration to eliminate the need for employee or guest users to deal with an IT member to gain network access. Solutions that leverage profiling technologies can automatically assign specific access types based on operating system, device type and other details (e.g., provide different access for iPhones and Androids) so you know who and what is on your network. “Knowing is half the battle”, GI Joe.


The final piece of the BYOD puzzle is device management. Most mobile hardware vendors give power to device owners, meaning Apple, Android, etc. device users can take themselves out of compliance at any time (BlackBerry is the only exception). Solutions such as MobileIron and AirWatch provide methods to assess devices for high-risk factors such as jailbreaking or using unapproved applications, which is crucial for BYOD. Application-based endpoint management solutions verify devices and either permit or deny corporate services such as email based on policy status (e.g., no email service while Angry Birds is installed). Common BYOD policies are enforcing the use of passwords, remotely locking devices, denying hacked devices, provisioning specific applications and having the ability to remotely wipe only corporate data. The mobile security market leaders offer a breadth of operating system and hardware options as well as easy methods to communicate when end users fall out of compliance.

Industry leaders in security are focusing on BYOD by developing solutions for mobile devices. RSA and Symantec recently released data loss prevention (DLP) for mobile devices to prevent sensitive information such as social security numbers from moving to or from mobile devices. Network vendors such as Cisco are partnering with mobile manufacturers to address BYOD by offering VPN technology that encrypts traffic from mobile devices while off the corporate network. There are many options for endpoint security when looking at BYOD, and the investment in mobile security should match that for protecting laptops and desktops, regardless of whether the employee owns the asset.

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Network Admission Control

Test The Strength Of Your Security

Many agencies spend millions on security each year. Security investments range from firewalls to contractors, and spending is typically based on weighing the risk of loss against the cost to protect. Sometimes it’s difficult to evaluate the return on investment for security, since the desired end result is not being compromised rather than a particular outcome that can be measured. Studies show that regardless of the level of spending on security, the majority of IT management doesn’t know how effective their defenses are against today’s threat landscape. Here are some ways to evaluate the strength of your security.

Secure all access points to your network

* Security is as strong as your weakest link. Make sure all access points are secured or you will eventually be compromised. The common access points are Email, Web, LAN, Wireless, VPN, Data Center, Endpoint (laptops, desktops, etc.) and Mobile Devices.

Scan desktops and servers for vulnerabilities

* Tools are available for penetration testing such as SAINT, Tenable, Core Impact and Rapid7. The concept is simple: test for the same vulnerabilities hackers use to access your network. Penetration tools look for open ports, unpatched servers and other means hackers could use to compromise your equipment. The industry leaders typically can test all network nodes and include recommendations for remediation.

Evaluate network traffic for malicious intent

* Network forensic tools are available for capturing and categorizing network traffic (example HERE). You will not know you are compromised if none of your security devices are triggered. Looking at traffic at the packet level can identify unknown communication through unrecognized ports, traffic with foreign entities or other red flags that indicate you have been compromised. Typically, forensic skill sets are required to identify threats; however, vendors like NetWitness offer great tools for simplifying packet-level analytics.

Include failsafe security solutions that rate your existing toolsets

* Best practice is to test the effectiveness of your existing security toolsets. The most popular method is placing honeypots on your network with the goal of luring hackers who bypass your security into highly monitored systems. Other toolsets are available for testing your signature and behavior based tools such as Spectrum by NetWitness that can flag if specific threats could bypass your security. Another interesting tool is by FireEye that runs threats in a virtualized honeypot to identify malicious behavior.

Standardize and monitor your network device configurations

* Enforce a baseline template for all network devices to avoid vulnerable configurations and software. Network management tools by SolarWinds, Cisco, EMC, etc. can enforce standardized code and configurations as well as monitor whether changes are made. I personally like 360GRC’s ConfigScan for evaluating configurations against vulnerabilities specified by industry standards.

Profile all devices on the network.

* Use a profiling tool such as Cisco ISE or Greatbay to identify what types of devices are on your network based on how they communicate. You may be surprised to find a few Xboxes hidden in a corner office.

Categorize Sensitive Data.

* Data Loss Prevention (DLP) leaders such as RSA and Symantec offer various tools that locate and categorize sensitive data. Make sure sensitive data is controlled and protected.

Test your staff with social engineering attacks.

* People will always be your weakest link. The only way to improve this is through training. I’ve seen customers use social engineering attacks on their users and show the results as a means of training. There are many online forums that can assist with developing your social engineering training strategy.

Periodically audit your network.

* Use unbiased consultants to help you understand how vulnerable you are.


Filed under General Security, Security Management & Analysis