Archive

Archive for the ‘Security’ Category

Cybersecurity: Safety and Cost Equilibrium

October 21, 2019 Leave a comment

by Dean Chester

Cybersecurity has been a hot topic for quite a while and it’s not likely to change any time soon.

Equilibrium

“Equilibrium” by Guido Sorarù is licensed under CC BY 2.0

Every new day brings more data breaches and more online scams. No single entity is completely safe, it seems: hackers target both private individuals and companies. The size of an organization doesn’t matter either because the security of even the largest of them such as Yahoo and eBay can become compromised.

Not all cybercriminals are ambitious enough to go after corporate giants. Sadly, some also have smaller businesses covered. And when the security of those gets breached, the losses may look negligible to companies that deal with billions of dollars. For a small, family-run enterprise, such losses often become insurmountable and lead to it going out of business.

One of the main reasons why small companies are such an attractive target for hackers lies exactly in their size. Because of it, these businesses can’t afford to spend a lot of money on their Internet security. They can’t afford large teams of security specialists that – for all the owners know – may never actually prove useful. Obviously, such an idea is wrong, but as long as there are no apparent breaches (which situation can very well be a result of the said specialists’ work), it’s hard for some people to see value in supporting such a team.

It’s possible, of course, to find free or low-cost solutions and to save on one’s cybersecurity. But is it a responsible thing to do?

It’s been said time and again that when something is free, it’s because you are the product. Money spent on providing that free solution must come from somewhere, after all.

There are a few ways in which money can be made off of customers who use free cybersecurity software:

  • They can be shown ads coming from third-party vendors. The frequency of it can vary from “relatively unobtrusive” to “all the time”.
  • Speaking of advertisers, the customers’ private info can be sold to them to expand their bases of people to target. This is especially true for shadier providers of free services such as virtual private networks and the like, that is, services that have access to the users’ Internet activity. The information gathered by such a “free” service can be then used to better understand what ads to show to their client base.
  • As a more extreme example of the above, free users’ Internet bandwidth is known to have been sold to a third party that used it for its own purposes, and those purposes weren’t benign. In fact, they included creating a botnet and conducting DDoS attacks on certain websites.
  • Pestering free users with ads has another purpose as well: it’s easy to get tired of such an inconvenience so much that getting a paid version of the same service will seem like a cheaper option.
  • Related to the last one, free versions of antivirus and other computer security software most often do not have all the features that the paid ones do, making their users consider investing money into them.

Besides that, there are definite concerns about the levels of security and protection that those free solutions can provide. As they are free, it’s somewhat unreasonable to expect them to have the best technology available.

If it’s a private individual we’re talking about, it’s obviously up to them to decide if they want to skimp on their security or not. However, as far as companies are concerned, things are more complicated.

If a business becomes a target of a data breach, it doesn’t only endanger that business. Its clients’ personal data may also be obtained by the perpetrator, and that’s bad news for both the clients and the company’s reputation.

That’s why I don’t think it’s the best decision for a business to rely exclusively on free cybersecurity software. It may be enough to protect it but the chances are not terribly high.

However, the question of money still stands. Yes, in the case of a breach the company is going to lose even more, but it doesn’t make the wherewithal to get professional security tools just magically appear. So what can be done?

  • Reinforcing the weakest link of cybersecurity: to make sure employees won’t click any suspicious links or tell anyone their passwords is supremely important. It can be done by anyone with a good grasp of IT security, really, but ideally, it should be entrusted to professionals.
  • System penetration testing: while it should be performed regularly, it doesn’t require having permanent staff and can be done\by a security company.
  • Getting cybersecurity tools at a discount: almost all major software manufacturers hold a sale from time to time, allowing small businesses to save quite a lot if they’re buying many copies at once.
  • Getting a data breach insurance: if a breach does happen, this can help with covering the losses and subsequent expenses, including those inflicted by reputation damage.

Although finding the balance between security and keeping costs neutral is not an easy task for smaller businesses, it is necessary to take care of it. In the long run, the potential price of negligence is going to be much higher than spending on protection.

Dean Chester is a cybersecurity expert and author. He is absorbed in online security and takes all measures to ensure that non-tech-savvy users can be protected on the Internet.

What the Juniper Revelation Means To You

December 23, 2015 Comments off

The Sixth FlagPete Kofod, December 22, 2015

Juniper Networks, a leading networking equipment vendor, announced on December 17, 2015 that they had discovered “unauthorized code” in their ScreenOS software.

ScreenOS is the operating system used to run their widely deployed firewall and VPN equipment.   The software appears to have been surreptitiously inserted, granting attackers full access to the firewall and the ability to read encrypted traffic.

To make matters worse, it appears this intentional “back door” has been a part of the ScreenOS since 2012.  Given how much sensitive traffic is protected by Juniper equipment, the consequences will likely prove to be disastrous.

Juniper is the firewall vendor of choice for the Unites States Department of Defense as well as for the banking sector.    Consequently, this vulnerability impacts virtually every government agency, Fortune 100 Company as well as the broad technology sector including social media firms and their customers.  In other words, everybody is impacted.

While Juniper and their customers go about analyzing the extent of condition and remediation, we should also consider this to be a teaching moment and an opportunity to review our assumptions about how we secure systems.

Defense In Depth is Not Enough

Most IT professionals, and certainly all security professionals, are familiar with the concept of Defense In Depth.  The principle states that security functions should be layered, forcing adversaries to successfully compromise multiple layers before successfully reaching a network’s “inner sanctum.”

Security LayersWhile this is certainly a worthy security guideline, there are good reasons to believe it may not fully meet its intended mark.  Defense in Depth historically is a network as opposed to application concept.  Simply, it is classic network security involving access lists on border routers, packet inspection by firewalls and restrictive routing policies inside the perimeter.

Unfortunately we have seen that many applications do not include detailed, multi-layered application security, choosing instead to rely on external resources (“the security team”) to save them, except the point and mandate of Defense in Depth is that each layer should include relevant and effective security.

This trend has only become more pronounced as application development has converged around web services.  Vulnerability exploitation has followed the trend and moved “up the stack.” This makes the security engineer’s responsibility far more challenging as applications, including exploits and attacks, are moving communications to HTTPS.

Defensive technologies such as Web Application Firewalls have stepped into the gap in an attempt to mitigate such attacks, but clearly they are not always successful and should not be considered the sole or even primary remedy.  Security is everybody’s responsibility, especially application developers and owners.   In addition to Defense in Depth, technologists should consider adopting cell structure approach to security.

Importance of the Cell Structure approach to Security

Cell Structure Security is the idea that the impact of system compromise can be sufficiently mitigated regardless of which system is affected.

The term traces back to how clandestine resistance groups organize themselves.  In a resistance movement organized in a cell structure if a member of a cell is captured and compelled to spill the beans, the compromise does not go beyond the individual or, at worse, the members of the cell.

To be clear, Cell Structure Security does not ask the question of whether a system can be compromised, it assumes compromise can and will occur at any level and therefore focuses on limiting the damage post-failure.

In a world of directory services and central authentication, this may seem like a tall order but analyzing the feasibility of implementing such an architecture is a worthwhile exercise nonetheless.

In the context of the current mess, it is all but certain that organizations have seen elevated credentials traverse their Juniper VPN connections completely unprotected.  The extent of condition for Juniper’s customers is still largely unknown but it should be assumed that the impact reaches far beyond just patching the Juniper systems.  In fact, the skunk may  well still be inside the walls as internal systems are likely to have been targeted based on the attackers’ reconnaissance of compromised VPN traffic.  The collapse of a single system has compromised the entire enterprise.

Premise is NOT inherently more secure than public cloud

Security remains a persistent concern for organizations considering the public cloud as a software and infrastructure platform.  Whether restricted by cultural or regulatory considerations, events like the Juniper incident should force technology managers to assess whether premise-based systems offer more effective security.

Public Hybrid PrivateWorries have understandably been fueled by well-publicized security breaches of cloud application vendors, but even a cursory review shows lax software and system design were more often than not to blame as opposed to inherent structural flaws of the cloud.

The truth is that the public cloud, in the hands of a responsible and security conscious team should be seen as an asset that can strengthen, as opposed to weaken, system security.  Top cloud service providers offer rich security functionality, but it is up to the software vendor and client to avail themselves of it.

An interesting exercise for technology leaders to undertake is to consider the architectural differences between premise and cloud-based systems.  Odds are that if they are both well-designed, the differences are not going to be significant and the public cloud may in fact offer security features such as 2-factor authentication and web application firewalls at a fraction of the cost of premise-based solutions.

Technology teams should also challenge themselves to answer the following question:  “If we were to move all systems to the public cloud, how would we do it in a manner that is consistent with our security objectives?”  After doing that, the team should compare the move with maintaining their existing premise-based architecture.

If the team finds itself implementing security measures in the cloud, which have not been currently implemented on premise, the team should ask why that is the case.

Conclusion

While the full impact of Juniper’s security lapse will not be known for some time, it should serve as an urgent opportunity for technology teams to question fundamental security assumptions, not just vendor selection.  What happened to Juniper can happen to anybody, vendor and customer alike.  IT leaders need to spend more time guiding their teams in evaluating consequences of security failures.

While vendors tend to define problem narratives in terms of known solutions, customers should not confine themselves to following that path.

About Pete Kofod

Pete Kofod has over twenty years of technical and leadership experience in Information Technology, including the development of secure hosted services for the transportation industry as well as designing and managing networks in the utility and defense sectors. Pete is Principal of Raleigh-based Datasages Consulting Group LLC, a firm he founded in 2008 that is dedicated to providing enterprise management services to industrial and transportation customers. Pete is often called upon to lend expertise to large-scale transportation projects. He has been a material contributor to the implementation of Positive Train Control in the United States, particularly as it applies to security and availability in a hosted environment.  Pete is also cofounder of The Sixth Flag, Inc. He can be reached at pete@thesixthflag.com

Experimental Film Fest

A refuge for art house, avant-garde, experimental, exploratory, and silent cinematic creations

False Pretense Films

Films with a Twist

I'm Just Trying to Help

Helpful Hints, Tips, Tricks, and Info

5K a Day 2017

Our 2017 fitness goal

The securityNOW Podcast Show

Cybersecurity News and Interviews

LoneStarFreedomPress

Phoenix Republic - The Lone Star Gambit / Sovereign's Journey

%d bloggers like this: