Posts

Are you Prepared for a Rise in Nation State Attacks and Ransomware in 2020?

Once you know what you’re up against, keeping your business safe might be easier than you think. In this blog, we’re going to look at two kinds of cyber threats: nation state cyber attacks and ransomware. Neither is a new concern, but both are increasing in sophistication and prevalence. Many businesses feel powerless to protect against these events, and yet a list of relatively simple steps could keep you protected in the event of an attack.

Staying Vigilant Against Nation State Actors

According to the 2019 Verizon Data Breach study, nation state attacks have increased from 12 percent of attacks in 2017 to 23 percent in 2018.

One of the most important things to recognize about nation state attacks is that it is getting harder to ascertain where these attacks are coming from. Attackers learn to cleverly obfuscate their attacks through mimicking other state actor behavior, tools, and coding and through layers of hijacked, compromised networks. In some cases, they work through proxy actors. This makes the process of attribution very difficult. One good example is the 2018 Olympics in Pyongyang, where attackers launched the malware Olympic Destroyer. This took down the Olympic network’s wireless access points, servers, ticketing system, and even reporters Internet access for 12 hours, immediately prior to the start of the games. While at first, metadata in the malware was thought to attribute the attack to North Korea, this was actually down to manipulations of the code. Much later, researchers realized it was of Russian origin.

These ‘false flag’ attacks have a number of benefits for the perpetrators. Firstly, the real source of the threat may never be discovered. Secondly, even if the correct attribution is eventually found, the news cycle has died down, the exposure is less, and many people may not believe the new evidence.

This has contributed to nation state actors feeling confident to launch larger and more aggressive attacks, such as Russian attacks on Ukrainian power grids and communications, or the Iranian cyber-attack APT 33, that recently took down more than 30,000 Saudi oil production laptops and servers.

Ransomware often Attacks the Vulnerable, including Local Government and Hospitals

State sponsored attacks have the clout to do damage where it hurts the most, as seen by the two largest ransomware attacks ever experienced, WannaCry and NotPetya. These were created using what was allegedly a stolen US NSA tool kit called EternalBlue, as well as a French password stealer called Mimikatz.

This strength, combined with the tight budgets and flat networks of local governments and healthcare systems, is a recipe for catastrophe. Hospitals in particular are known for having flat networks and medical devices based on legacy and end-of-life operating systems. According to some estimates, hospitals are the targets of up to 70% of all ransomware incidents. The sensitive nature of PII and health records and the direct impact on safety and human life makes the healthcare industry a lucrative target for hackers looking to get their ransom paid by attacking national infrastructure.

As attackers become increasingly brazen, and go after organizations that are weak-placed to stand up to the threat, it’s more important than ever that national infrastructure thinks about security, and takes steps to handle these glaring gaps.

Shoring Up Your Defenses is Easier Than You Think

The party line often seems to be that attackers are getting smarter and more insidious, and data centers are too complex to handle this threat. It’s true that today’s networks are more dynamic and interconnected, and that new attack vectors and methods to hide these risks are cropping up all the time. However, what businesses miss, is the handful of very achievable and even simple steps that can help to limit the impact of an attack, and perhaps even prevent the damage occurring in the first place.

Here’s what enterprises can do:

  • Create an Incident Response Plan: Make sure that anyone can understand what to do in case of an incident, not just security professionals. Think about the average person on your executive board, or even your end users. You need to assume that a breach or a ransomware attack will happen, you just don’t know when. With this mindset, you’ll be more likely to create a thorough plan for incident response, including drills and practice runs.
  • Protect your Credentials: This starts with utilizing strong passwords and two-factor authentication, improving the posture around credentials in general. On top of this, the days of administrative rights are over. Every user should have only the access they need, and no further. This stops bad actors from escalating privileges and moving laterally within your data center, taking control of your devices.
  • Think Smart on Security Hygiene: Exploits based on the Eternal Blue tool kit – the Microsoft SMB v1 vulnerability, were able to cause damage because of a patch that had been released by Microsoft by May 2017. Software vulnerabilities can be avoided through patching, vulnerability testing, and certification.
  • Software-Defined Segmentation: If we continue the mindset that an attack will occur, it’s important to be set up to limit the blast radius of your breach. Software-defined segmentation is the smartest way to do this. Without any need to make infrastructure changes, you can isolate and protect your critical applications. This also works to protect legacy or end-of-life systems that are business critical but cannot be secured with existing modern solutions, a common problem in the healthcare industry. Also unlike VLANs and cloud security groups these take no physical infrastructure changes and take hours not months to implement.

Following this Advice for Critical Infrastructure

This advice is a smart starting point for national infrastructure as well as enterprises, but it needs more planning and forethought. When it comes to critical infrastructure, your visibility is essential, especially as you are likely to have multiple platforms and geographies. The last thing you want is to try to make one cohesive picture out of multiple platform-specific disparate solutions.

It’s also important to think about modern day threat vectors. Today, attacks can come through IP connected IoT devices or networks, and so your teams need to be able to detect non-traditional server compute nodes.

Incident response planning is much harder on a governmental or national level, and therefore needs to be taken up a notch in preparation. You may well need local, state, and national participation and buy-in for your drills, including law enforcement and emergency relief in case of panic or disruption. How are you going to communicate and share information on both a local and international scale, and who will have responsibility for what areas of your incident response plan?

Learning from the 2018 Olympics

Attacks against local government, critical infrastructure and national systems such as healthcare are inevitable in today’s threat landscape. The defenses in place, and the immediate response capabilities will be the difference between disaster and quick mitigation.

The 2018 Olympics can serve as proof. Despite Russia’s best attempts, the attack was thwarted within 12 hours. A strong incident response plan was put into place to find the malware and come up with signatures and remediation scripts within one hour. 4G access points had been put in place to provide networking capabilities, and the machines at the venue were reimaged from backups.

We can only hope that Qatar 2022 is already rehearsing as strong an incident response plan for its upcoming Olympics, especially with radical ‘semi-state actors’ in the region such as the Cyber Caliphate Army and the Syrian Electronic Army who could act as a proxy for a devastating state actor attack.

We Can Be Just as Skilled as the Attackers

The attitude that ‘there’s nothing we can do’ to protect against the growth in nation state attacks and ransomware threats is not just unhelpful, it’s also untrue. We have strong security tools and procedures at our disposal, we just need to make sure that we put these into place. These steps are not complicated, and they don’t take years or even months to implement. Staying ahead of the attackers is a simple matter of taking these steps seriously, and using our vigilance to limit the impact of an attack when it happens.

Want to understand more about how software defined segmentation can make a real difference in the event of a cyber attack? Check out this webinar.

4 Insights about the Salesforce Outage

On May 17th, Salesforce announced a significant outage to its service, resulting in customers losing access to one of the most critical applications being used daily. The issue was acknowledged by Parker Harris, Salesforce’s chief technology officer and a co-founder, while the company worked together to try to resolve the critical outage as soon as possible.

At the center of the disaster was a faulty database script that was deployed in the production environment. Salesforce announced that “a database script deployment inadvertently gave users broader data access than intended.” This affected Salesforce customers who use Salesforce Pardot, a b2b marketing CRM, as well as any customers who have used Pardot in the past. The inadvertent access allowed users to both read and write permissions to restricted data.

Salesforce took initial steps to mitigate the problem by blocking access to all instances that contained impacted customers, and by shutting down other Salesforce services. This heat map below shows the extent of the blackout for Salesforce customers.

Salesforce outage map

The essential nature of the Salesforce application is self-evident, so these outages were extremely significant. Users who need Salesforce on a daily basis as part of their job found themselves idle, forcing many businesses to simply send them home.

As a data center company, focused on protecting the most critical applications, here are our essential four insights following the crisis:

  1. Think Further than Cyber-Attacks
    Always remember that cyber-attacks are not the only threats on your data center. When evaluating your data-center risks, it is important to take into account internal “threats” and implement the right controls that will protect your “digital crown jewels” – the most critical business applications and processes. For example, separating your production and development environments is foundational for strong security, ensuring that testing scripts cannot run in your production environment, even in the case of human error.
  2. Always Consider the Cloud
    Companies are increasing their presence on the cloud, for reasons such as a positive impact on cost, maintenance efforts, and flexibility. However, security needs to be considered from the outset of your cloud strategy. Some companies are unaware that cloud apps have a greater exposure to different threats due to lack of visibility and the difficulty to introduce policy and controls. On the cloud, your business is at greater risk in the case of a breach or an outage.
  3. Zero Trust
    You cannot trust your single point of configuration to control and isolate your environment. Best practice is to criticize your controls and simulate the situation of failures. Zero Trust, the approach of “never trust, always verify,” can be focused on lateral movement and breach detection attempts in internal vs. external networks. However, it can also be relevant for any security controls that are being used or updated. In many cases, your business is in danger from internal threats, misconfigurations, and innocent mistakes, all of which can be as catastrophic as a malicious cyber-attack. The zero trust approach helps to limit the damage.
  4. Be Ready for a Crisis
    Distributed controls are your strongest weapon to ensure that you are prepared for any eventuality. These will allow you to act quickly against the unexpected, especially in hybrid cloud environments where you need to manage multiple clusters and control planes. Make sure that you have the visibility and control of your entire environment that allows you to instantly isolate any affected environments. This will give you time to put your incident response plan into place, and protect your critical assets until a solution has been found.

The Salesforce outage shows that mistakes can happen to anyone, and the best protection is always going to be preparation. Start by separating your environments, limiting the exposed surface, and then move on to using the zero trust model to keep your most critical assets safe from harm, even in a hybrid-cloud infrastructure. Remember that without adequate segmentation, you are exposing your applications to internal threats as well as external ones. With strong data center security, you are one step ahead at all times.

Want to learn more about micro-segmentation in the cloud? Read our white paper on how to secure today’s modern data centers.

Download now

Are you Protected against These Common Types of Cyber Attacks?

The types of cyber-security attacks that businesses need to protect themselves from are continually growing and evolving. Keeping your company secure means having insight into the most common threats, and the categories of cyber attacks that might go unnoticed. From how to use the principle of least privilege to which connections you need to be monitoring, we look at the top types of network attacks and how to level up your security for 2019.

Watering Hole Attacks

A watering hole attack is an infected website, where vulnerabilities in software or design can be leveraged to embed malicious code. One well-known example is MageCart, the consumer website malware campaign. There are at least half a dozen criminal groups using this toolkit, notably in a payment-card information skimming exploit that has used JavaScript code on the checkout pages of major retailers to steal credentials.

Last year, Guardicore Labs discovered Operation Prowli, a campaign that compromised more than 40,000 machines around the world, using attack techniques such as brute-force, exploits, and the leveraging of weak configurations. This was achieved by targeting CMS servers hosting popular websites, backup servers running HP Data Protector, DSL modems and IoT devices among other infrastructure. Consumers were tricked and diverted from legitimate websites to fake ones, and the attackers then spread malware and malicious code to over 9,000 companies through scam services and browser extensions. This kind of attack puts a whole organization in jeopardy.

More effective watering hole attacks can be achieved if an attacker homes in on the websites that you and your employees use regularly. On top of this, always make sure that your software is up to date so that attackers cannot leverage vulnerabilities to complete these types of cyber attacks. Lastly, ensure you have a method in place to closely watch network traffic and prevent intrusions.

Third-Party Service Vulnerabilities

Today’s surge in connectivity means that enterprises are increasingly relying on third party services for backup, storage, scale, or MSSP’s, to name a few examples. Attackers are increasingly managing to infiltrate your network through your connection with other businesses who have access to your data center or systems. According to the Ponemon Institute, more than half of businesses have suffered a breach due to access through a third-party vendor, one example being the devastating Home Depot breach where attackers used a third-party vendors credentials to steal more than 56 million customer credit and debit card details.

As well as current suppliers, businesses need to be aware of previous suppliers who might not have removed your information from their systems, and breach of confidentiality where third-parties have sold or shared your data with another unknown party. As such, your company needs visibility into all your communication flows, including those with third-party vendors, suppliers, or cloud services, as well as in-depth incident response to handle these kinds of attacks.

Web Application Attacks

When it comes to categories of cyber attacks that use web applications, SQL injection is one of the most common. An attacker simply inserts additional SQL commands into a application database query, allowing them to access data from the database, modify or delete the data, and sometimes even execute operations or issue commands to the operating system itself. This can be done in a number of ways, often through client-server web forms, by modifying cookies, or by using server variables such as HTTP headers.

Another example of a web application attack is managed through deserialization vulnerabilities. There are inherent design flaws in many serialization and deserialization specifications that means that systems will convert any serialized stream, into an object without validating its content. At an application level, companies need to be sure that deserialization end points are only accessible by trusted users.
Giving web applications the minimum privilege necessary is one way to limit these types of cyber-security attacks from breaching your network. Ensuring you have full visibility of connections and flows to your database server is also essential, with alerts set up for any suspicious activity.

What Can Attackers Do Once They Have Access to Your Network?

Ransomware: Attackers can use all types of network attacks to withhold access to your data and operations, usually through encryption, in the hope of a pay-out.
Data destruction/theft: Once attackers have breached your perimeter, without controls they can access critical assets such as customer data. This can be destroyed or stolen causing untold brand damage and legal consequences.
Crypto-jacking: These types of cyber attacks are usually initiated when a user downloads malicious crypto-mining code onto their machine, or by brute-force using SSH credentials, like the ‘Butter’ attacks monitored by Guardicore labs over the past few years.
Pivot to attack other internal applications: If a hacker breaches one area, they can leverage user credentials to escalate their privileges or make lateral moves to another more sensitive area. This is why it’s so important to isolate critical assets as well as take advantage of easy and early wins like separating the production arm of your company from development.

The Most Common Types of Cyber-Security Attacks are Always Evolving

With so many types of cyber attacks risking your network, and subtle changes turning even known quantities into new threats, visibility of your whole ecosystem is foundational for a well-protected IT environment.

As well as using micro-segmentation to separate environments, you can create policy that secures end points and servers with application segmentation. This helps to stop a breach from escalating, with strong segmentation policies that secure your communication flows with the principle of least privilege.

On top of this, complementary controls that include breach detection and incident response with visibility at their core ensures that nothing sinister can fly underneath your radar.

A Deep Dive into Point of Sale Security

Many businesses think of their Point of Sale (POS) systems as an extension of a cashier behind a sales desk. But with multiple risk factors to consider, such as network connectivity, open ports, internet access and communication with the most sensitive data a company handles, POS solutions are more accurately an extension of a company’s data center, a remote branch of their critical applications. This being considered, they should be seen as a high-threat environment, which means that they need a targeted security strategy.

Understanding a Unique Attack Surface

Distributed geographically, POS systems can be found in varied locations at multiple branches, making it difficult to keep track of each device individually and to monitor their connections as a group. They cover in-store terminals, as well as public kiosks and self-service stations in places like shopping malls, airports, and hospitals. Multiple factors, from a lack of resources to logistical difficulties, can make it near impossible to secure these devices at the source or react quickly enough in case of a vulnerability or a breach. Remote IT teams will often have a lack of visibility when it comes to being able to accurately see data and communication flows. This creates blind spots which prevent a full understanding of the open risks across a spread-out network. Threats are exacerbated further by the vulnerabilities of old operating systems used by many POS solutions.

Underestimating the extent of this risk could be a devastating oversight. POS solutions are connected to many of a business’s main assets, from customer databases to credit card information and internal payment systems, to name a few. The devices themselves are very exposed, as they are accessible to anyone, from a waiter in a restaurant to a passer-by in a department store. This makes them high-risk for physical attacks such as downloading a malicious application through USB, as well as remote attacks like exploiting the terminal through exposed interfaces, Recently, innate vulnerabilities have been found in mobile POS solutions from vendors that include PayPal, Square and iZettle, because of their use of Bluetooth and third-party mobile apps. According to the security researchers who uncovered the vulnerabilities, these “could allow unscrupulous merchants to raid the accounts of customers or attackers to steal credit card data.”

In order to allow system administrators remote access for support and maintenance, POS are often connected to the internet, leaving them exposed to remote attacks, too. In fact, 62% of attacks on POS environments are completed through remote access. For business decision makers, ensuring that staff are comfortable using the system needs to be a priority, which can make security a balancing act. A straightforward on-boarding process, a simple UI, and flexibility for non-technical staff are all important factors, yet can often open up new attack vectors while leaving security considerations behind.

One example of a remote attack is the POSeidon malware which includes a memory scraper and keylogger, so that credit card details and other credentials can be gathered on the infected machine and sent to the hackers. POSeidon gains access through third party remote support tools such as LogMeIn. From this easy access point, attackers then have room to move across a business network by escalating user privileges or making lateral moves.

High risk yet hard to secure, for many businesses POS are a serious security blind spot.

Safeguarding this Complex Environment and Getting Ahead of the Threat Landscape

Firstly, assume your POS environment is compromised. You need to ensure that your data is safe, and the attacker is unable to make movements across your network to access critical assets and core servers. At the top of your list should be preventing an attacker from gaining access to your payment systems, protecting customer cardholder information and sensitive data.

The first step is visibility. While some businesses will wait for operational slowdown or clear evidence of a breach before they look for any anomalies, a complex environment needs full contextual visibility of the ecosystem and all application communication within. Security teams will then be able to accurately identify suspicious activity and where it’s taking place, such as which executables are communicating with the internet where they shouldn’t be. A system that generates reports on high severity incidents can show you what needs to be analyzed further.

Now that you have detail on the communication among the critical applications, you can identify the expected behavior and create tight segmentation policy. Block rules,with application process context, can be used to contain any potential threat, ensuring that any future attackers in the data center would be completely isolated without disrupting business process or having any effect on performance.

The risk goes in both directions. Next, let’s imagine your POS is secure, but it’s your data center that is under attack. Your POS is an obvious target, with links to sensitive data and customer information. Micro-segmentation can protect this valuable environment, and stop an attack getting any further once it’s already in progress, without limiting the communication that your payment system needs to keep business running as usual.

With visibility and clarity, you can create and enforce the right policies, crafted around the strict boundaries that your POS application needs to communicate, and no further. Some examples of policy include:

    • Limiting outgoing internet connections to only the relevant servers and applications
    • Limiting incoming internet connections to only specific machines or labels
    • Building default block rules for ports that are not in use
    • Creating block rules that detail known malicious processes for network connectivity
    • Whitelisting rules to prevent unauthorized apps from running on the POS
    • Create strict allow rules to enable only the processes that should communicate, and block all other potential traffic

Tight policy means that your business can detect any attempt to connect to other services or communicate with an external application, reducing risk and potential damage. With a flexible policy engine, these policies will be automatically copied to any new terminal that is deployed within the network, allowing you to adapt and scale automatically, with no manual moves, changes, or adds slowing down business processes.

Don’t Risk Leaving this Essential Touchpoint Unsecured

Point of Sale solutions are a high-risk open door for attackers to access some of your most critical infrastructure and assets. Without adequate protection, a breach could grind your business to a halt and cost you dearly in both financial damage and brand reputation.

Intelligent micro-segmentation policy can isolate an attacker quickly to stop them doing any further damage, and set up strong rules that keep your network proactively safe against any potential risk. Combined with integrated breach detection capabilities, this technology allows for quick response and isolation of an attacker before the threat is able to spread and create more damage.

Want to learn more about how micro-segmentation can protect your endpoints while hardening the overall security for your data center?

Read More