Planning for Network Security In 2014

As we approach the end of the calendar year, a variety of predictions on information security and network security trends for 2014 will take place. While there may be some interesting trends being proposed, what may be more helpful as you prepare for 2014 are the practical ways to plan for network security, particularly network security best practices associated with strategic IT initiatives, how to balance security risks with benefits to the business, and determining the right requirements to look for in vendors.

Let’s start with the IT initiatives that are important for 2014…

Network Segmentation

Planning for network segmentation used to be easy. The bad guys– attackers and hackers– were on the outside of the network. The good guys were on the inside, i.e internal employees connecting to the network and accessing data center applications on managed devices (access was primarily via wired Ethernet connections on IBM PCs remember? Macs weren’t even allowed).

Segmentation in the network generally focused around compliance. For example, ensuring only a subset of employees was allowed to access confidential information such as credit card holder information (PCI). Network segmentation methods included network isolation methods like VLANs and switch ACLs, along with a pair of stateful firewalls that would provide the checklist for the firewalling requirement in PCI-DSS or equivalent. Simple enough, right?

Globalization changed all this by transforming the way we fundamentally do business. It created interdependencies on global supply chains and multinational partners, expanded global economic interactions with many “countries of interest”, and enabled the movement of people, goods and information. Users now consist of mobile employees, partners or contractors on a variety of different devices, doing business with technology and manufacturing partners, collaborating with new acquisitions, and accessing applications that are virtualized in global data centers.

What happens to network segmentation then? The Zero Trust network segmentation architecture– one that inspects and logs all traffic all the time, strictly enforces access control based on a need-to-know basis and ensures all resources are accessed in a secure manner– is the right model. Planning in 2014 will need to focus on how to create distributed boundaries of Zero Trust in a manner that minimizes the impact to the network, but provides the most visibility and protection against next-generation threats.

Cloud and Software Defined “Anything”

I’ve lumped cloud computing and software defined “anything” in the same category, because in many cases the implementation of software defined data centers or software defined networks is intended to deliver dynamic, programmable and more automated networks for application delivery.

In 2014, your cloud computing choices have expanded. The announcement for the general availability of the Google Compute Engine cloud provides additional options for Infrastructure-as-a-Service. However, the Snowden wiki leaks about NSA spying on Google, Yahoo and Facebook servers by tapping into fiber optics lines have dampened public cloud enthusiasm. According to various reports, there is growing reluctance to engage cloud service providers due to Snowden’s leaks about the integrity of U.S.-based data center infrastructures.

The alternative then is to augment public cloud deployments with a robust private cloud, or move towards a private cloud only model. Numerous technologies from VMware and Cisco are available to build private clouds, for example, a software defined data center utilizing VMware NSX network virtualization technologies or a more hardware-centric SDN architecture approach with Cisco’s Application Centric Infrastructure (ACI).

For security-conscious organizations, a hybrid model is possible– where certain applications and services are offloaded to public clouds, but critical services such as internal research and development, financial data and customer data are only allowed to reside within private cloud boundaries.

In 2014, you will need to plan for and evaluate these new approaches to networking and data center design. What are the security features integrated into these architectures? Is it possible to implement a consistent network security framework across private and public clouds?

Mobility and BYOD

Mobility and BYOD continue to be one of the biggest challenges for security organizations worldwide, and increasingly so in 2014. Mobile device use cases are so vast, and the conditions for securing devices on a user or enterprise basis can be so diverse that designing the right enterprise mobile security solution can be very challenging. For the longest time, enterprise mobile security architectures have focused on a range of options –extending legacy technologies like VPN to mobile devices, using technologies like VDI or containers to compartmentalize application and data access, or using technologies like MDM that focus more on managing mobile devices.

In 2014, planning will be focused on architecting a comprehensive, integrated solution that can deliver all the pieces necessary to secure a variety of mobile devices, managed and unmanaged—managing the device, protecting the device and controlling the data. The solution must deliver the balance between what the user wants and what the business needs. It should be balanced towards the applications the user accesses, the data they need, and the user’s acceptance on the levels of security required to access confidential data/applications.

Summary

In a series of articles that follow this overview, I will address each of the strategic IT initiatives outlined above and provide the network security framework for each of them. Did I miss any you believe is important? Send me a tweet @danelleau before my next@SecurityWeek column.

Danelle Au manages data center and service provider solutions atPalo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-­founder of a high-­speed networking chipset startup. She is co-­author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.

[Source: SecurityWeek]

Risk Management: A Look Back at 2013 and Ahead to 2014

According to Yo Delmar, vice president of MetricStream, 2013 has been witness to extraordinary change. We are living and doing business in an increasingly global, mobile, social and Big Data world, fraught with new risks and complex regulations. As such, individuals and organizations are struggling to keep pace.

In response to greater uncertainty, complexity and volatility throughout 2013, we’ve seen increased convergence and alignment amongst internal teams, including IT, security and the business. As a result, organizations are better poised to provide the context for communicating risks. We’ve also seen the business ecosystem evolve to include geographically diverse vendors and third parties, and as a result, organizations must continue to view these entities as part of the organization itself, and manage them in a more tightly and integrated way.

Organizations have also moved away from doing IT and security operations on an ad-hoc basis, taking on a formal and structured approach that is more aligned with business priorities. Lastly, 2013 saw the continued emergence of new and innovative online, wireless and mobile technologies, requiring organizations and IT departments to get ahead of the bring-your-own-device (BYOD) trend, especially as employees continue to move away from corporate devices with some personal usage, to personal devices with significant corporate usage.

It is important that we reflect on some of these key trends in 2013, especially as we look ahead to 2014. The year ahead will require even stronger risk management, with an increased focus on leveraging social media to drive situational awareness. Organizations will need to focus more of their efforts on continuous monitoring, also leveraging security and risk analytics based on IT and security Big Data.

Organizations that focus their efforts in a thoughtful, methodical and analytical way will be poised to keep pace, and stay ahead of change and complexity in order to drive strong business performance and sustainable value to the organization and its key stakeholders.

Growing convergence among IT, security and the business: The landscape of risk and compliance continues to evolve, as organizations are asked to manage their IT risk and compliance activities far beyond that of basic audit and compliance requirements of the past. As new technologies bring their own set of unique risks, there is a growing disconnect among internal audit, security, compliance and the business on what it means to build, manage and lead a truly safe, secure and successful business.

As a result, we are seeing more focused efforts when it comes to getting these groups on the same page by building a common risk language, as well as a discussion framework to enable cross-functional collaboration. Doing so can set the context for communicating risks in a way that drives more effective governance and decision-making across the board of directors, executive management team and each respective business function.

Focus on managing third-party IT and security risks: Organizations have become even more hyper-extended, and are relying more extensively on third parties, including cloud-based service providers, which form part of their business eco-system, hold sensitive or regulated information, and run critical business processes. Today, organizations can’t afford to ignore these third parties. Lack of strong oversight can result in a security breach or service disruption that can have significant business and reputational impacts on the organization. In 2013, we saw organizations become more proactive in managing their third-party risks, and ensuring that all of their third-party managed data and operations are available, compliant and secure.

Movement toward risk-based security operations management: 2013 saw an increased shift from doing IT and security operations (secops) on an ad-hoc basis, to a more structured approach that is becoming more truly aligned with business priorities. This level of risk-based security management (RBSM) allows secops teams to effectively communicate the context of security risks to senior management, as well as enable a risk-based prioritization of security initiatives to make the most effective and efficient use of resources.

Bring your own device (BYOD) and mobile device risk management: More and more critical businesses and operations are supported by online, wireless and mobile technologies. We are seeing employees moving away from corporate devices with some personal usage, to personal devices with significant corporate usage. The threats that come with this trend include possible corporate data leaks, device thefts and misuse.

Corporate IT departments have begun to understand, plan and build strategies around mitigating and managing these risks so that the benefits of BYOD can be realized. This requires more robust corporate policies, tighter controls in the context of controlling applications and data, and defining user behavior. While many organizations have secured the data on the device, they have not secured the physical device itself. Lingering questions surrounding personal privacy infringement have yet to be answered.

Focus on continuous monitoring in risk management: Security and IT teams understand that near real-time monitoring of threats, vulnerabilities and potential exposures is becoming table-stakes for effective risk management. Many regulations and standards, such as PCI DSS 3.0, ISO 27001, ISO 22301, NERC CIP 5 and NIST CSF have and will continue to be updated with more effective approaches to risk management, based on continuous monitoring. Security and compliance teams need to be prepared for these updates, not only with technologies, but also by driving processes and people skills to another level of maturity in order to effectively implement these new lines of defense.

Security and risk analytics based on IT and security Big Data: Security analytics and metrics are as important to the business as any other key performance indicator such as liquidity, cash flow, or growth in sales or revenue. In 2014, boards of directors and executive leadership teams will demand that key security analytics and metrics be included in the operational risk portfolio. This will put the onus on security teams to provide the analysis and insights that give management the risk intelligence they need to drive better performance.

Leveraging social media to drive situational awareness: Security and business continuity management teams will continue to tap into the power of social media to learn from, and respond more effectively to, unfavorable incidents. Technology solutions can provide the capabilities to mine social media feeds, and to provide crisis updates from a variety of sources such as Google Crisis Maps, Twitter, Facebook and more. This social media intelligence can be further correlated with organizational assets and risks to determine the impact of a crisis on the business. Pre-designed workflows can be triggered based on this analysis in a way that best manages the financial, operational and reputational impact of the incident.

[Source: ITBusinessEdge]

Tip of the Week: Explaining Safe Application Enablement

Key to the Palo Alto Networks story is that our products safely enable network traffic based on applications, users and content. In many of my meetings with customers, I’m asked to explain the difference between safe application enablement and more antiquated security solutions that either let too much in or keep too much out. So, let’s review that difference.

Many legacy security products continue to rely on the same network techniques first introduced nearly two decades ago. In many cases, they are only capable of allowing or blocking entire ports as opposed to individual applications. That means that IT administrators are left with two less-than-desirable choices: they can either say “yes” and allow undesirable applications to operate alongside essential ones, or they can say “no” and block entire classes of applications, many of which might be beneficial to business.

Even products that bolt-on the ability to distinguish individual applications still rely on those old techniques to initially classify traffic — a needlessly complex process with a high potential for configuration errors and performance degradation.

Palo Alto Networks’ approach is a security platform that classifies all applications regardless of the network channel they use, or any bypass techniques they might employ. That information becomes the basis for all policies and inspections that are performed, and because we can identify users, content and data associated with each session, we can also identify “gray-area” applications that might be good or bad depending on circumstance.

Here’s an example: you can write network security policies to allow a group of software engineers in R&D to use specialized development tools to share and collaborate on product specifications and source code amongst themselves. In addition, you can have granular control over which functions of that application your business partners might have access to such types of files that can be exchanges, read-only vs. read write access and more. You can also completely block users from other departments. The beauty of our approach is that you can adjust these policies to be as granular as you want, down to the level of individual functions of an application, a user or a group of users if needed.

What results is the ability to confidently say “yes” to those applications needed to support business processes, without the concern of undue risk, policy management complexity or performance problems.

The biggest malware, security threats in 2013

Summary: According to Malwarebytes’ 2013 Threat report, “assumed guilt” ransomware tactics, mobile device cyberattacks and Mac-based threats are all gifts we had to cope with this year.

Ransomware, mobile device attacks, exploit kits and phone scammers who pose as technology giants — times have moved on from SMS scams and phishing emails telling you you’ve won the Spanish lottery. Sadly, there’s more to come — and we have to educate ourselves about modern digital threats, or run the risk of losing valuable data and our money.

To summarize the year in threats, Malwarebytes has released the2013 threat report, documenting the increasing popularity of malware, kits and scams aimed at fooling the average consumer. As we more often now have an online life filled with our data, financial transactions and the use of the Web as a communication link between companies we associate with, each of these branches are potentially ways for cybercriminals to tap into our lives — and take what they want from us.

But what were the biggest threats we faced this year?

1. Ransomware

Ransomware is a type of malware that locks computer systems and demands either money or, more recently, Bitcoins in order to unlock the system. These software programs often pose as government agencies, such as the FBI, and accuse computer users of committing a number of crimes — and the pressure comes from the belief that they may have done something wrong by accident.

This type of malware is usually spread through exploit kits that can be purchased online.

2. Phone scams

In the same manner as fake antivirus notices that tell a user they have malware which needs to be cleaned up — and you have to pay for software as a result — the next generation of phone scams appears to be rising. In 2013, the research firm has seen criminals pose as Microsoft, law enforcement and BT, and also pretend they can remove Mac-based malware or are an antivirus firm offering services.

3. Android malware

Credit: Malwarebytes

As mobile device use rose, malware to exploit the technology emerged. A large portion of this specific type of malware consists of SMS trojans — malicious software that sends premium cost text messages or makes phone calls without the user’s permission.

Another threat which has appeared is the Perkle crimeware kit. Posing as an authentication measure for a bank, it requires the scan of a QR code which then downloads malware on to the mobile device. The mobile malware then waits for confirmation texts sent by the bank, intercepts the codes and sends them back to the desktop to gain access to the victim’s bank account.

4. The Blackhole Exploit Kit

In 2012 and 2013, the BlackHole Exploit Kit was a popular method of malware delivery looking to set up drive-by cyberattacks. It hosts an assortment of malware including the Zeus Trojan, ZeroAccess Rootkit and Reveton Ransomware. The kit users define which payload was to be loaded (the malware) and what exploit to use, before hosting the file on a compromised site. Visitors then run the risk of finding themselves downloading malware. The exploit kit is often rented to criminals for a fee.

However, after the alleged creator of the kit, “Paunch,” was arrested in October, use of the kit has decreased due to the lack of updates.

5. DDoS attacks against banks

In 2013, a number of baks worldwide were targeted through digital means. The main example that comes to mind took place in August, where a number of U.S. banks were hit with distributed-denial-of-service (DDoS) attacks, in some cases preventing standard service to customers. This also allowed hackers to infiltrate the banking systems and make off with stolen funds.

6. PUPs

PUPs — otherwise known as ‘potentially unwanted programs’ — are usually the less harmful cousins of malware. PUPs may include toolbars and search agents; installing software on your system that you don’t want or need, and consuming high levels of resources. While usually more of an irritant than harmful, a recent PUP toolbar was found to include a Bitcoin miner.

But what about next year? The security firm believes while ransomware begun to make an appearance in past years, in 2014, the true extent of the damage the malware can cause will become apparent. Ransomware is expected to evolve further, going beyond simple psychological games to tapping into the fear of being accused of crimes and creating times in order to apply pressure for us to separate from our money. Malwarebytes said:

“We will see ransomware making more of a presence on previously less targeted platforms, such as OS X and mobile devices.

However, unlike the end of 2012 and early 2013, we will see fewer cyber gangs using ransomware tactics. For example, there were numerous families in the wild, spreading very similar ransomware but different enough and originating from different sources, while 2014 will most likely have fewer sources but more advanced, and therefore dangerous, malware.”

In addition, the company believes that more malicious software and scams will target your smartphones and tablets next year. As mobile devices are now so often used to access the Web, this user trend is unlikely to go into decline. While SMS-based scams are more virulent in countries such as Russia, in the West, we are likely to see a surge in malware that could add your device to botnets for DDoS attacks, or types which save store credentials to purchase apps you do not want.

“In addition, it is not farfetched to think that mobile devices are the next big target for remote access trojans, allowing your phone to become a surveillance camera, microphone and in the case of Bluetooth, a transmission device,” the firm says.

Mac operating systems are also expected to become the targets of more cyberattacks.

However, it is not all doom and gloom. Malwarebytes also predicts that due to the leaks released about the National Security Agency (NSA) and their ability to collect, intercept and decrypt all kinds of electronic communication, this is likely to spur the development of new privacy technologies.

About 

London-based medical anthropologist Charlie Osborne is a journalist, freelance photographer and former teacher.

[Source: ZDNet]

2014 Predictions: Cybersecurity Trends

No longer is cybersecurity only the province of IT and security staff; these days, it has become a topic with implications for every major line of business and market segment. From where we sit at Palo Alto Networks, here are three cybersecurity trends we think will be big in 2014.

1. Cybersecurity will be more than ever a business topic.

I spend a lot of time talking to customers and what I’m hearing in every industry, from healthcare and education to energy, oil and gas and transportation, is that companies need to do a better job evaluating the costs and risks related to cybersecurity threats.

Some companies do this well; over the past year, we’ve seen a more than 100 percent increase in mentions of cybersecurity as risk factors in public company filings, which at least tells you it’s on their list of priorities. Other companies don’t seem to have a clue. A lot of the planning that has to happen depends on the value of a company’s assets and how vulnerable those assets are.

Every business must manage and protect its unique set of industry-specific systems and data, and that’s why we’ll see greater network segmentation and even isolation. With the proliferation of digital assets and connected devices, the topology of any enterprise network has become exponentially complex.

We believe that to regain full visibility and control over the state of their network security and ensure the highest level of security to their most valuable assets, businesses will need to more systematically apply network segmentation techniques across their network to segregate sensitive data and functions from generally accessible information. This is now commonly discussed in healthcare for medical equipment and devices or in critical infrastructure with ICS and SCADA networks.

2. A heightened need for better intelligence and sharing on cyberthreats.

On one hand, this is a perennial need. But the volume of traffic on networks is more or less doubling every year, and that means that the problem of network security is increasing drastically.

As we see it, the new era of network security is based on automated processes and building as much intelligence as possible into network security software. This especially becomes important in industries such as government, education, healthcare and public services, in which staffing shortages are real and not expected to ease. Limited staff need maximum resources – security tools that give them the most visibility into their network traffic and don’t sacrifice business productivity.

3.  Security will meet reliability as attacks target control systems

Companies may be able to apply tight network security to data centers and the information they manage. But if they’re not doing the same for certain data center support systems such as HVAC, cooling and other automated systems that help power, clean and maintain a data center, they’re leaving the whole data center vulnerable.

Data centers are required to meet the highest levels of reliability which cannot be achieved unless all of its components, from uplinks and storage to chillers and HVAC systems, are fully fault tolerant and protected from vulnerability and cyberattacks. Remember what happened in Australia earlier this year when attackers hacked local Google data centers using the building control system. We expect these types of attacks – in which smart hackers target the weakest parts of a data center support infrastructure – to continue.

English
Exit mobile version