Win Big by Securing DNS: How to Secure the Cloud

Adoption of cloud-based technology and the proliferation of remote working are driving a new approach to security: one that is omnipresent, providing the highest practical level of cyber security for the user, the network and the data.

We have reviewed some of the features needed for this new security approach and the risks and challenges it must address. Security analysts such as Gartner and IDC have coined a term for this emerging security environment: the Secure Internet Gateway. The principal function of the Secure Internet Gateway is to secure the cloud environment in the same way that we secure the on-premises environment.

Implementing a security platform in the cloud breaks the limitations and constraints of centralised solutions. The security must be flexible in line with user access, virtualised so that it can be delivered wherever it is needed, and extend beyond securing only web protocols such as HTTP and HTTPS. Most security vendors now offer cloud-based security solutions, and in many instances they have simply taken a conventional security component such as anti-virus or a web proxy service and deployed it in the cloud. While this may be a good start, a range of other technologies also need to be included in the security stack deployed to protect users and data.

When users connect to the web they must immediately undergo inspection and policy enforcement to ensure their connection is made in a secure manner. These measures include, but are not limited to:

  • Visibility and enforcement of policy on or off VPN
  • Security against threats from all ports and protocols
  • Inspection of web traffic and file inspection including behavioural sandboxing
  • Live threat intelligence from global internet activity with near-real-time updates
  • Visibility and control of SaaS applications

Clearly no single solution can provide all of these components, but a correctly specified Secure Internet Gateway could go a long way towards providing many of them. Secure DNS must be a major component of the Secure Internet Gateway's functionality because of its ability to stop a large swathe of attacks before they reach the user or the data.

We have outlined in previous blogs the pivotal role that DNS plays in almost all web-based communications, yet DNS is not understood by most users. DNS is involved, though not necessarily exploited, in 92% of cyber attacks, so a secured DNS service can be used to block most attacks. For example, 100% of organisations interact with known malware sites; if those sites are known to the DNS servers, access to them can be blocked with no impact on the user or on performance.

Once a device is infected with ransomware it needs to make a command-and-control call to fetch the key used to encrypt the data. Secure DNS can prevent this connection and so stop the attack in its tracks: until the key is downloaded, the data cannot be encrypted. Deploying a cloud security solution that includes secure DNS is a quick way of effectively managing the risk of ransomware and stopping the execution of malware once a device is infected.

In our next episode we will provide more details about how secure DNS works and how some of the other Secure Internet Gateway features can be implemented and employed.

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it?

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what have you got to lose?

Click here to start your trial! 

See how easy Umbrella is to install: watch this video

Covering the Cloud: How to Secure the Cloud

We have discussed the changing IT landscape as the age of digitisation gains traction and growth in connectivity continues apace. The cyber attack surface is increasing, and so are the scale and sophistication of attacks, as identified by Cisco in its latest annual cyber security report.

Security breaches will continue to happen because there is too much going on in organisations' systems to provide complete protection, especially with the growing sophistication of threats. The approach to security needs to provide not only for known but also for unknown threats, and it needs to address cyber security before, during and after a cyber attack.

Some of the key features that need to be addressed by this new cyber security approach include:

Visibility and control

Users will try to use whatever they can to get the job done. Organisations need visibility and control of which applications are being used in the cloud and remotely, especially with the growth of new SaaS applications. Visibility enables an understanding of what is being used in line with policy, what is out of policy and what is a threat. Visibility is the first step to controlling and securing the organisation's environment based on which services should be provided.

Securing Cloud applications

As SaaS applications are increasingly being deployed in public clouds such as Amazon Web Services and Azure, it is vital to ensure that the cloud platform is secure. Even though the cloud providers will deploy their own security solutions, organisations also need to implement independent security systems to secure the user and the data as this is not the responsibility of the cloud provider.

Extend protection to the edge

As remote connectivity and branch networking trends increase in popularity, the security solution should be adaptable to extend the necessary features such as firewalling, threat management and anti-malware capabilities to the edge of the network as opposed to the current centralised deployment.

Virtualise the security architecture

The need for security is now pervasive at the client, the branch, the HQ as well as public and private clouds where SaaS applications are located. This necessitates the capability for a virtualised security architecture where the panoply of security functionality can be deployed easily at any location.

Threat intelligence

Most organisations deploy security components from multiple vendors. An intelligent approach to securing information and systems in the emerging environment must make use of threat intelligence: the ability to take intelligence feeds from other sources, such as other security vendors' feeds, and make context-based threat assessments relating to your organisation and what they mean for you. This assessment can naturally feed into automated protection mechanisms.

This roundup of security requirements and features summarises what we need to look for in our security approach as we hurtle towards digitisation and a predominantly cloud-based environment. In our next instalment we will discuss some practical solutions and explain what is now being termed the Secure Internet Gateway.

Change is the new norm: How to Secure the Cloud

As we consider how best to address cloud security, it is important to understand some further context around our changing IT landscape and its implications for effective cyber security protection.

In its most recent annual cyber security report, Cisco identified that the scale and sophistication of cyber attacks have increased over the past year. You may recall attacks such as Nyetya and WannaCry, which were global in scale and almost brought the NHS to a standstill. The scale and pace of cyber attacks are likely to increase because the growing appetite for all things to be connected is accepted in many quarters as a business imperative. The facts, as well as analysts' predictions, bear this out. Smartphones have now surpassed computers as the predominant type of device used to access the Internet. The Internet of Things is a reality, with expectations that 10 billion devices will be connected to the Internet by the end of this year.

In our previous blog we discussed the proliferation of remote working alongside the growth in cloud adoption. The net result of these trends is that the target area, or attack surface, for cyber attacks is getting bigger. If the traditional methods of protection are adopted, the chances of a successful attack increase. It is not as simple as upscaling or upgrading the cyber security defences. Leading law enforcement agencies such as the FBI state that cyber attacks will be a reality for all organisations: it is not a case of if, but when.

We are working in a new age, the age of digitisation, where change, transformation and business process upheaval are the norm. Underpinning this business transformation and acting as the agent of change is technology. To support the change, technology needs to be agile, scalable and resilient, and in many instances information needs to be instantly accessible to stakeholders and, most importantly, customers. The security needed to support digitisation must therefore itself be agile, adaptable to a changing threat landscape, omnipresent at all touch points of interaction, and insightful.

Cyber security defence is not just about protecting against known threats but also about the unknowns, to coin a phrase from former US Defense Secretary Donald Rumsfeld. Our approach to cyber security defence also needs to address the threats we have no knowledge of today. It needs the intelligence to understand normal behaviour for an organisation's IT and to distinguish abnormal behaviour, so that defensive action and alerting can be taken.

A simple example: if a hosted application normally has low data volumes and those volumes suddenly start to spike, that is a good indicator that the unusual behaviour is a potential cyber attack, and our automated defence should respond to it. Another big challenge is skilled personnel: there is an estimated global shortage of more than 1 million cyber security professionals.

As we continue our blog in the coming days we will review some practical approaches and solutions to address the challenges outlined above.

Insightful Video

Anatomy of an IoT Attack

Connected devices are increasingly being used for cyber attacks.

They often lack critical device protections, and organizations fail to segment their networks in order to reduce the attack surface.

This three-minute video explores how simple it can be for hackers to attack connected devices. Watch the video here.

How To Secure The Cloud – The Here and Now

In our series exploring the changing IT security landscape, we look at the drivers behind cloud adoption and some of the challenges it presents.

Cloud adoption has gathered pace to become the dominant form of user access, with Software as a Service (SaaS) applications becoming the norm. This growing trend means that direct branch access to the Internet is more common, as organisations try to reduce barriers to a good user experience and increased efficiency. In many instances organisations also seek to save money by replacing expensive WAN circuits with direct Internet access.

Another trend that is shaking up the provision of IT services, and is a major benefit of cloud proliferation, is the adoption of remote working. The flexibility that anytime, anywhere access provides for both staff and business is well understood. Remote working does, however, pose its own significant security challenges. Surveys have indicated that over 80% of remote workers disable their VPN client in order to surf the web without the restrictions of corporate policy. There is also the threat of people using compromised USB devices or connecting via unsecured public Wi-Fi.

There is a natural assumption that cloud application providers have secured their applications and therefore that no additional security is necessary as organisations migrate applications to the cloud. The reality is that there will always be the potential for cloud services and applications to be breached. Cloud applications run on platforms and operating systems similar to those on premises, so many of the same vulnerabilities still apply in the cloud environment.

Businesses need to approach cloud security with the same level of diligence that should be applied to corporate on-premises IT services. The same type of protection for users and their devices is necessary wherever they are working.

What is different about a cloud environment is that organisations are moving away from an HQ-centric model, where protection was centralised around perimeter security such as firewalls, anti-malware protection and perhaps web or email security. The new cloud-centric model is decentralised and virtualised, which means our traditional approach is no longer valid.

In the next part of this blog we will discuss some of the other factors that need to be considered as we look ahead at how we address security in the new cloud environment.

Want a Quick Win? Secure your DNS

Ransomware is currently the number one form of cyber attack due to its profitability and simplicity of execution. It is now evolving into a business model where any ‘Joe Bloggs’ can buy ransomware code for a monthly fee: ransomware as a service. Ransomware thrives partly because of bitcoin and the associated anonymity of attackers, who get paid via an untraceable cryptocurrency transaction. The stages of a typical ransomware attack include:

  • Stage 1 – Infection: ransomware always starts with a host being infected with malware, via a phishing attack or a website hosting malware.
  • Stage 2 – Command and control setup: this stage handles the key exchange needed to encrypt the files on the infected host.
  • Stage 3 – Extortion: payment of the ransom and then ‘hopefully’ receiving the key to decrypt the encrypted files.

Ransomware is constantly evolving, and not having been breached yet is no guarantee that it won't happen in the future.

Many organisations are using hope and anonymity as a risk mitigation strategy against ransomware, assuming that they are small and have not been attacked yet. The fact is that the supply chain is now an increasing focus of malware attacks, as a means of accessing valuable data through the back door of larger enterprises.

Anti-Ransomware Best Practices

As with every effective security approach, you need a policy and a risk assessment of the threats, so this is a given before we get into the type of approach and solutions that need to be in place. Please see some of our previous blogs or check out the NCSC website for some invaluable resources.

Phishing can be very sophisticated, making it hard to tell whether a link is bad or not. Effective protection cannot rely solely on end users; it must be engineered into the system, with the right protection mechanisms correctly configured.

To start with, you need good anti-spam, anti-phishing and web controls to control Internet traffic; these could be incorporated into a good endpoint protection solution. Use an email and malware analysis gateway to inspect executables for malware. The gateway should be configured to block a file if there is any doubt about its authenticity. It is better to stop or delay web downloads so that they can be inspected and properly classified than to run the risk of infection.

78% of attacks exploit phishing, so it is worthwhile correlating known exploits with the vulnerabilities in your organisation and prioritising patching based on those known exploits.

Use network analysis and visibility tools to analyse traffic on the network so that you can see what is changing and be alerted to abnormal behaviour.
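
The abnormal-behaviour alerting recommended here, and the volume-spike scenario from the "Change is the new norm" post (a hosted application with low data volumes that suddenly climb), as an added Python example that is not part of the original post: each hourly sample is compared with a robust rolling baseline and an alert is raised when it is far outside it. The hourly values, window size and thresholds are constructed assumptions.

```python
"""Added example: alert on data-volume spikes against a rolling baseline.

Models the scenario in the post: a hosted application normally moves little
data, then its volume suddenly climbs. Each new sample is compared with a
robust baseline (median and median absolute deviation, MAD) of the preceding
window, so a single earlier spike does not drag the baseline up and mask the
next one. Sample values and thresholds are constructed for this example.
"""
from statistics import median

# Constructed hourly outbound volume (MiB) for one hosted application.
# Sixteen quiet hours, then three hours climbing far above the usual level.
HOURLY_MIB = [12, 14, 11, 13, 15, 12, 14, 13, 12, 16, 13, 14,
              12, 15, 13, 14, 210, 640, 975]


def robust_baseline(values):
    """Median and MAD of a window; MAD is floored so a flat series has some width."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(mad, 1.0)


def detect_spikes(samples, window=12, threshold=6.0, min_ratio=3.0):
    """Return one alert per sample that is abnormally high for its baseline.

    A sample fires only if it is both `threshold` MADs above the median of
    the previous `window` samples (a jump relative to normal noise) and at
    least `min_ratio` times that median (so a tiny change on a very flat
    series is ignored).
    """
    alerts = []
    for i in range(window, len(samples)):
        med, mad = robust_baseline(samples[i - window:i])
        value = samples[i]
        score = (value - med) / mad
        if score > threshold and value > min_ratio * med:
            alerts.append({"index": i, "value": value,
                           "baseline": med, "score": round(score, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(HOURLY_MIB):
        print(f"hour {a['index']:2}: {a['value']:5} MiB vs baseline "
              f"{a['baseline']} MiB (score {a['score']})")
```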

 

In case you do get infected, have effective backup and disaster recovery (DR) policies and processes, and ensure that the recovery procedure has been tested and works.

DNS Security is the Quick Win

92% of cyber attacks make use of DNS at some stage during the execution of the attack. DNS is therefore the greatest opportunity to secure your network while having an immediate impact.

What if your systems knew that the URL a client is trying to reach via DNS resolution belongs to a bad site hosting malware? You could simply block it and prevent any interaction with the malware in the first place. This form of protection is immediate, with no impact on client or application performance.

A web-based infection is usually a two-step process. The first step redirects your web browser to another domain created using an exploit kit, which finds a vulnerability in, say, Flash or Silverlight. The malware then makes a command-and-control (CnC) callback, using DNS resolution, to get an encryption key. Until the CnC connection happens, no damage is done.

Analysis has shown that most ransomware performs a DNS callback, and ransomware payment notification also uses DNS. The ability to block a malware connection via DNS security at one step or another of the malware execution process can therefore prove to be the most effective way to implement malware protection.

An effective DNS security control can also identify the endpoints attempting the malware connection and therefore feed into the clean-up and mitigation plan.

An important additional service is the ability to query domains and file hashes against a central intelligence platform that has up-to-the-minute data on bad domains, so that your security incident response team can conduct intelligent investigations independently of any infection. For instance, if you keep seeing DNS queries for a site in Russia and you have no business relationship in Russia, that is something you should investigate.

Another challenge is the decentralised nature of organisations due to remote working and the increasing importance of branch offices. Mobile devices such as laptops are the primary devices on which user changes could compromise security. Around 80% of remote workers disable their VPNs when they browse the web. A DNS-based security mechanism can help to maintain the security posture, since these remote workers still benefit from this form of protection even when they disable their VPNs. DNS security can protect any device, including IoT, guest devices and roaming clients.

Correct implementation of DNS security makes it the first line of defence, acting even before a connection is established by checking the DNS request and blocking bad sites. This helps IT teams by freeing them from the large number of alerts that would be generated if the malware had been downloaded.
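
The check this section describes, written out as an added Python example (not code from the original post, and not Cisco Umbrella's own logic): every name in a constructed resolver log is matched against a constructed blocklist of known-bad zones before a connection is made, the exploit-kit redirect, CnC callback and ransom-payment lookups from the ransomware stages above are refused, and the clients that attempted them are summarised for the clean-up plan. All domains, categories, IP addresses and log lines are constructed for illustration.

```python
"""Added example: a DNS-layer block check over constructed resolver query logs.

Every query is tested against a blocklist of known-bad zones before any
connection is made, and the clients that attempted blocked lookups are
summarised for clean-up. Domains, categories and log lines are constructed.
"""
from collections import defaultdict

# Constructed blocklist: listed zone -> category, as a threat feed might label it.
# Matching is by label suffix, so any subdomain of a listed zone is blocked too.
BLOCKLIST = {
    "exploit-kit.example": "exploit-kit",
    "cnc-beacon.example": "command-and-control",
    "pay-ransom.example": "ransom-payment",
}

# Constructed resolver log lines: "<ISO time> <client IP> <qname> <qtype>".
# Client 10.1.4.22 follows the two-step web infection described in the post:
# a redirect to an exploit-kit domain, then a CnC lookup for the key exchange.
SAMPLE_LOG = """\
2017-10-05T09:12:01 10.1.4.22 www.intranet.example A
2017-10-05T09:12:03 10.1.4.22 landing.exploit-kit.example A
2017-10-05T09:12:09 10.1.4.22 a7f3.cnc-beacon.example A
2017-10-05T09:13:44 10.1.7.8 mail.intranet.example MX
2017-10-05T09:14:02 10.1.7.8 pay-ransom.example A
2017-10-05T09:15:17 10.1.9.3 updates.vendor.example A
"""


def normalise(qname: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return qname.lower().rstrip(".")


def lookup_block(qname: str, blocklist=BLOCKLIST):
    """Return (listed_zone, category) if qname or any parent zone is listed, else None."""
    labels = normalise(qname).split(".")
    # Walk from the full name up through its parents: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def evaluate_log(log_text: str, blocklist=BLOCKLIST):
    """Decide allow/block per query and summarise blocked clients.

    Returns (decisions, summary):
      decisions: list of (client, qname, verdict, category)
      summary:   client IP -> sorted categories it tried to reach; this is
                 the list of endpoints that need clean-up.
    """
    decisions = []
    summary = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        hit = lookup_block(q["qname"], blocklist)
        if hit is None:
            decisions.append((q["client"], q["qname"], "allow", None))
        else:
            decisions.append((q["client"], q["qname"], "block", hit[1]))
            summary[q["client"]].add(hit[1])
    return decisions, {c: sorted(v) for c, v in summary.items()}


def blocked_count(log_text: str = SAMPLE_LOG) -> int:
    """Number of queries the resolver would refuse for the given log."""
    return sum(1 for d in evaluate_log(log_text)[0] if d[2] == "block")


if __name__ == "__main__":
    decisions, summary = evaluate_log(SAMPLE_LOG)
    for client, qname, verdict, category in decisions:
        tag = f"  [{category}]" if category else ""
        print(f"{verdict:5} {client:10} {qname}{tag}")
    print("\nClients needing clean-up:")
    for client, cats in summary.items():
        print(f"  {client}: {', '.join(cats)}")
```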

Cyber Security Awareness Month

For the EU, the U.S., and many countries around the world, October is Cyber Security Awareness Month, a time to broaden awareness and expand the conversation on staying safe and secure online. This time of year presents an opportunity to reflect on the state of cybersecurity.

The Era of Exponential Connectivity

We live in an ultra-connected digital world where people, processes, data, and things are connected in ever more imaginative ways. The digital age has spawned an era where 30 million new devices are connected to the Internet every week. IoT devices create almost 300 times the data that people create, and that number will increase exponentially as we connect more devices. Mobility, cloud computing, smart devices, and our ability to connect globally in real time are so pervasive today that we already take them for granted.

Recent Cisco research forecasts that there will be at least 50 billion connected devices by 2020. By 2018, 78 percent of all computing will be done in the cloud. By 2025, 1 million new devices are projected to be connected to the Internet every hour. Global mobile data traffic will reach 11 exabytes (EB) per month by year’s end, and 49 EB per month by 2021. To put that in perspective: 1 EB is equivalent to 1 billion gigabytes; 5 EB equals all the words ever spoken by human beings.

Who could have anticipated this level of connectivity and growth even a decade ago?

Preparing for Tomorrow

So how can we prepare today for tomorrow's threats? To be successful in the age of digital disruption, we need to commit to cybersecurity as a critical, enabling foundation. To capture the benefits of this digital age, cybersecurity must be sewn tightly into the fabric of every business and its processes. It has to be a mindset that permeates governments, businesses, education, and our lives.

According to the National Association of Corporate Directors’ Handbook on Cyber-Risk Oversight, “some estimates predict that between $9 and $21 trillion of global economic value creation could be at risk if companies and governments are unable to successfully combat cyber threats.”

Cyber and financial controls need to be on a par; businesses must ensure the protection of their customers' information as well as their own.

With the imminent enforcement of GDPR across the EU, and its global reach, businesses' obligations now exceed protection against a breach. They extend to disclosing the risks companies face from cyberattacks and revealing more readily and quickly when a breach occurs.

Businesses need to approach cybersecurity as a strategic business imperative, not a defensive necessity. Cybersecurity needs to be a cornerstone of our digital strategy and the business strategy.

Skills Gap is a Big Challenge

Looking to the future, one of the greatest hindrances to executing a comprehensive security strategy is a growing skills gap. With more than 1 million cybersecurity jobs unfilled globally, there is an urgent need for diverse thinking, diverse candidates, and a diverse workforce to fill these roles.

While globally women hold about half of the nontechnical positions, they account for only 25 percent of computing-related jobs, and 11 percent of the information security workforce. We can’t possibly meet the needs of the Digital Age if only one in four STEM professionals are women, and less than half of them are focusing on security.

Building a culture of cybersecurity is critical for any organization, as is creating advocates in functions beyond the security team. Industry and government can help by partnering with learning institutions to raise awareness and promote available opportunities to train IT and security professionals, as well as the general public. Educators must continuously develop creative new training approaches that will prepare the next-generation workforce for the cybersecurity needs of the future.

The Future is Still Bright, Despite These Challenges

Every individual with an online presence must get involved. Stay informed, apply the appropriate security controls, share what's working and work on what needs to improve. Help one another to be cyber resilient and raise our collective security posture. Safe web, email, and social media habits, patching and updating systems, and better password management are actions we can all take today.

October is a time to lean in and engage. Learn new techniques and share your insights with your colleagues, family, friends, and us. The European Cyber Security Month, as well as other cybersecurity advocacy programs around the globe, offer tremendous resources.

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Ransomware 101 – How To Combat It

Ransomware has grown to become the most popular cyber attack method on the Internet today, growing at a rate that will see it become a $1 trillion industry within a few years.

It is imperative that every business develops and executes a comprehensive ransomware defense strategy to ensure its survival. An invaluable tool to help with this plan is provided by Cisco in the form of a flipbook aimed at combating ransomware.

The flipbook includes:

  • An overview of Ransomware
  • Infection methods
  • How to prevent infections
  • Detecting and containing infections
  • Learning lessons after an attack
  • Elements of a multi-layered defense

We know you will find this resource highly valuable and well worth investing a little of your time.

Click to view the Flipbook

5 Top Tips to Secure Your Business from Cyber Attacks

Security is a topic that could fill many volumes, so treat the list below as just a quick-fire snapshot summary. Nothing will substitute for doing the hard work necessary to put together a comprehensive security policy and the operational procedures to underpin it.

  1. Have a security strategy with executive level backing

It is a fundamental requirement for executives to define what the valuable assets are, and hence what needs to be secured above everything else. The strategy will then underpin the protection of these assets via policies, procedures and governance.

  2. Design your systems with security at the core

Security has traditionally been tacked on to business systems as an afterthought. As security threats are pervasive, so must security mitigation be. Hence security design needs to be incorporated into all elements of a business: clients, networks, services, applications and people. Some basic design techniques are listed below.

  • Segment your network into logical system based zones so you can segregate critical systems and apply network security controls to them.
  • Protect your Internet Edge but also internal traffic (east-west), cover the most used vectors of attack (email, web).
  • Pay special attention to wireless connectivity – use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access.
  • Plan home and remote user access carefully – they should have the same security controls as users on the office network.
  • Have a central point for system monitoring (SIEM) that is integrated within your environment and provides a single point that holds all relevant logs and events for your systems.
  • Design for secure management and physical access to your IT assets.

  3. Protect your endpoints/servers

Once endpoints are compromised they can be used to propagate threats throughout the business. It is therefore critical to protect endpoints constantly and to isolate them quickly if they become compromised. Endpoint protection tips include:

  • Create and maintain a policy for patching and updates – keep up to date with patches and security updates
  • Create and maintain a hardware and software inventory – know what you have in your network
  • Limit users' rights to make changes to endpoints
  • Access sensitive information in a secure manner, with data encrypted in transit and at rest
  • Use endpoint protection mechanisms (anti-virus, anti-spyware, software firewalls) which support centralised management and can be integrated with your network security controls and monitoring tools
  • Regularly back up important data in a safe manner (encrypt and secure data at rest and in motion) – this mitigates the effects of ransomware attacks

  4. Train your personnel

Security is only as good as its weakest link, which is often the people working in the business.

Users should be made aware of the importance of the security measures in place, what threats are out there and the triggers that should raise their suspicion – simple things like:

  • unsolicited emails with strange hidden links – think before you click
  • file attachments with generic but plausible-sounding names

Users should be given social engineering training and be aware of the techniques used. The training and education of personnel should be an ongoing process, not a one-time thing.

  5. Test, test and test!

The only way to really know your security level is to regularly test it!

Security tests should cover all parts of your environment and should be performed on procedures and processes, network equipment, endpoint systems and personnel. The range of tests should include:

  • Formal security audits that look at procedures and whether they are being followed and enforced
  • Automated vulnerability assessments – usually performed every 2-3 months and done internally
  • Penetration tests – external annual security tests that usually give the most accurate picture of the company's security posture and the effectiveness of all security measures deployed
  • Social engineering tests on personnel – attempts to get employees to disclose sensitive information to non-authorised people, either by phone or in person, or to get physical access to restricted company areas

Cyber Report – Detection time reducing to 4 hrs

Once malware breaches a business, it goes about whatever activity it has been programmed to undertake, be that CnC, file encryption or just general reconnaissance and infection of other devices and networks. The longer the malware remains undetected, the more potential damage it can do.

Since its inception, the Cisco Security Report has tracked the time to detection of malware. Time to detection, or TTD, is the window of time between a compromise and the detection of a threat. The industry average for 20 known malware types was a staggering 100 days, and while it has fallen this year, it still means that for those 20 known malware types cyber attackers have, on average, a vast amount of time to probe and create maximum damage. Cisco research, based on telemetry from its globally deployed devices, has seen its own detection time steadily reduce to 3.5 hours as of April 2017.

Increases in the median TTD indicate times when cyber attackers introduce new threats. Decreases show periods where defenders are identifying known threats quickly. Since the summer of 2016, the ongoing tug-of-war between attackers and defenders has been less dramatic, with the latter taking back ground quickly after each attempt by adversaries to gain—and maintain—the upper hand.

Developments in the cyber threat landscape, especially within the past six months, show that cyber criminals are under even more pressure to evolve their threats to evade detection and devise new techniques.

The figure below shows the median TTD for the top 20 malware families by percentage of detections that researchers observed from November 2016 to April 2017. Many of the families that Cisco products are detecting within their median TTD of 3.5 hours are industrialized threats that move fast and are widespread. Old and prevalent threats are also typically detected below the median TTD.

Many malware families can still take a long time for defenders to identify even though they are known to the security community. That is because the attackers behind these threats use various obfuscation techniques to keep their malware active and profitable. Some of these malware families, including Fareit (a remote access Trojan, or RAT), Kryptik (a RAT), Nemucod (a downloader Trojan) and Ramnit (a banking Trojan), use specific strategies to stay ahead of defenders.

Their methods are effective: as the figure above shows, all these families were outside the Cisco median TTD window of 3.5 hours, Kryptik significantly so. Even Nemucod, the most frequently detected among the top families shown, takes longer to identify because it evolves so rapidly.

In many instances businesses are using outdated modes of protection against these threats and may typically fall within the industry average, which is measured in days, not hours. Many businesses are still dependent on anti-virus software and firewall rules as their principal means of protection.

Given the evolved nature of threats and their ability to easily evade traditional methods of detection, the traditional approach is akin to using a colander to catch water.

A more sophisticated approach to cyber threat defences involving a combination of adaptive, integrated detection techniques with automated protection is necessary for business today.