Palo Alto Networks 2015 Predictions: Healthcare

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)

2015 will be a year of transition for security in healthcare where providers and organizations in the ecosystem catch up with other industries regarding the state of their cybersecurity.

In many ways, healthcare is in technology and information overload, with no clear standardization on architecture, delivery or design. When evaluating healthcare security, it’s also important to look at the entire ecosystem, small to large hospitals, healthcare insurers, healthcare application providers, medical equipment manufacturers and to some extent pharmaceutical and bio companies. Why? They all carry information related to patient medical data, and intellectual property tied to healthcare innovation.

With that in mind, here are some 2015 trends to track:

1. Going Back to Basics

You will see healthcare organizations place greater emphasis on visibility and network segmentation, in terms of:

  • Knowing what’s on the network at all times
  • Making informed decisions on where to invest in security first
  • Identifying rapidly the areas that are high risk
  • Methodically and logically starting to remove traffic that does not belong to the business of healthcare
  • Implementing a better and more systematic approach to patching

2. Driving Better Awareness

We’re starting to see an evolution in the employee culture and decision-making power within healthcare organizations. Security’s awareness among key stakeholder groups – administrative employees, medical staff, patients and visitors and others – will continue to grow.

Culturally speaking, healthcare organizations will hopefully adopt more of a prevention mindset and foster greater collaboration within the broader ecosystem of healthcare providers, payers, pharmaceutical companies and medical device companies.

3. Security Automation

Security automation will become table stakes for security in healthcare because of the high volume of information and the flow of data.


Speaking of healthcare security, Palo Alto Networks will be at the Healthcare Cyber Security Summit next week, December 3 and 4, in San Francisco, and I will be participating in a Breakfast Panel from 8:00-9:00 am PT on December 4, “Even More Future-Proofing: Continuing the Conversation on Healthcare Security Solutions.” Register today with the code HCPA20 and get a 20% discount.

Security in healthcare is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

 [Palo Alto Networks Blog]


Seven Ways to Tighten The Security of Passwords

Passwords can actually represent one of the greatest security risks to an organization due to the combination of constant attacks and human weaknesses. In addition, as IT has become universally accessible, more users are adept at circumventing this basic security tool. Here are 7 tips to help organizations manage their password policy and reduce security risk.


1. Know the attacks

Methods of attack on passwords can be categorized into 5 types:

  • Dictionary attack uses a dictionary file and compares the candidate password against every word in that file.
  • Brute force attack tests every combination of characters until the password is found.
  • Hybrid attack works like a dictionary attack but appends numbers and special characters to each word.
  • Syllable attack combines brute force and dictionary attacks.
  • Social engineering attack uses deception to convince people to reveal their password.

2. Define the purpose

Before developing a password security policy, its life cycle should be defined and used as a baseline to identify needs. The password’s life cycle should comprise all phases from creation until the end of life and take into account the critical level of the resource it is assigned to protect. Phases of management may include, but are not limited to, create, send, store, utilize, recover (locked account), renew and dispose.

3. Understand vulnerabilities at all levels

According to the type of account used to access resources, passwords can be classified into four types:

  • User
  • Administrator
  • System
  • Service

Even though each password associated with a different type of account has its own level of importance according to its rights and the resource it protects, the level of security risk is the same, because privilege escalation attacks can be used by attackers to gain more rights on the same resource or on a more sensitive resource (e.g., admin rights).

4. Ensure password management strategy exists

Strategy for password management should be defined by 2 key factors:

  • Size of the information system in terms of resources to access and users who access it. The greater the number of resources, the more complex the management is.
  • Ability of organization to implement this strategy in terms of infrastructure and skills.

Generally, there are two strategies for managing passwords: Centralized vs. Decentralized, each of which has advantages and disadvantages. Once management strategy is adopted, access to resources should be well compartmentalized according to good security practices (e.g., least privilege, segregation of duties, need to know, and continuing user education on security risks related to passwords).

5. Do not make it easy

When talking about password complexity, people think only of its length. But length is not the only element. Other aspects such as character types, guessing probability and ease of memorization also affect complexity. Character types include lowercase and uppercase letters, non-alphanumeric characters, and base 10 digits (0-9). The more complex the password is, the harder it is to remember. As a result, users tend to write their passwords down. Users must be educated and trained on how to create and use stronger passwords.

6. Test the security

Password testing checks whether existing passwords comply with the security policy. While it is advisable to reject weak passwords at creation, regularly testing the strength of existing passwords is crucial. Several tools exist for online or offline tests.
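As an added example (not from the ISACA article), the following Python script applies items 5 and 6 together: it checks a password against a length and character-class policy, and then reduces it to a dictionary base so that a word padded with digits or written with common substitutions (the hybrid-style passwords from item 1) is still caught. The wordlist, policy values and test batch are constructed placeholders; a real offline test would load the organization's dictionary file and never print the passwords themselves.

```python
import math
import re

# Constructed sample wordlist standing in for a real dictionary file (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "hospital", "summer", "qwerty", "admin"}

# Hypothetical policy values; tune to your organization's standard.
POLICY = {"min_length": 12, "min_classes": 3}

# The character types named in the article: lower, upper, digits, non-alphanumeric.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Substitutions a hybrid attack would try; undone here so "P@ssw0rd" maps to "password".
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}


def character_classes(pw):
    """Return the set of character classes present in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(pw)}


def dictionary_base(pw):
    """Strip leading/trailing digits and symbols and undo leet substitutions,
    so a hybrid-style password such as 'Hospital2015!' reduces to 'hospital'."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)    # drop trailing digits/symbols
    core = re.sub(r"^[^A-Za-z]+", "", core)  # drop leading digits/symbols
    core = core.lower()
    for char, letter in LEET.items():
        core = core.replace(char, letter)
    return core


def estimate_bits(pw):
    """Crude brute-force work estimate: len * log2(alphabet) over the classes used.
    A dictionary-based password is far weaker than this figure suggests."""
    alphabet = sum(ALPHABET_SIZE[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, policy=POLICY, words=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    findings = []
    if len(pw) < policy["min_length"]:
        findings.append(f"too short: {len(pw)} < {policy['min_length']}")
    classes = character_classes(pw)
    if len(classes) < policy["min_classes"]:
        findings.append(f"only {len(classes)} character classes, need {policy['min_classes']}")
    base = dictionary_base(pw)
    if base in words:
        findings.append(f"dictionary word '{base}' with trivial padding or substitution")
    return findings


def audit(credentials, policy=POLICY, words=COMMON_WORDS):
    """Offline policy test over (account, password) pairs; returns only the
    accounts that fail and why, never the passwords themselves."""
    result = {}
    for account, pw in credentials:
        problems = check_password(pw, policy, words)
        if problems:
            result[account] = problems
    return result


if __name__ == "__main__":
    # Constructed test batch (assumption)
    sample = [("nurse1", "Hospital2015!"), ("admin", "P@ssw0rd"),
              ("dr_smith", "correct-horse-battery-42Xq")]
    for account, problems in audit(sample).items():
        print(account, "->", "; ".join(problems))
```

The entropy estimate is deliberately reported separately from the policy verdict: a password like "Hospital2015!" scores well on length and character classes yet falls to a hybrid dictionary attack in seconds, which is exactly why the article treats length as only one element of complexity.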

7. Protect the password

Regardless of the type of password, once it is created, it can be transmitted, stored, or recovered. For each of these operations, it is essential to protect its confidentiality and integrity by making sure it is always encrypted using approved security mechanisms. Honey Encryption is one method to add a level of protection to passwords.

Passwords must not be stored or transmitted in plain text because an attacker could use a sniffing tool to capture them. During the password recovery or reset procedure (manual or automatic), care must be taken to preserve the security of the password.

Elie Mabo, CISA, CISSP, CEH, CCNA Sec, Security+, Information Security Consultant at CGI in Canada.

[ISACA]

When Panic Leads to Poor Decisions

We’ve all been there before. Something unforeseen happens that triggers a panic response. More often than not we look back at that response and wish we could have done things differently.

What we’ve all learned along the way is that panic triggers a response that often leads to potentially catastrophic mistakes. Those mistakes come as we grasp for short-term fixes that give us a stronger sense of control, but don’t take long term consequences into account.

On October 14th, Microsoft’s “Patch Tuesday” took on a new sense of urgency as we learned of three new vulnerabilities that were actively being exploited in targeted attack campaigns. Microsoft released 24 patches in total. Oracle also released patches for 154 new vulnerabilities that were discovered. Adobe issued security updates for Flash and ColdFusion. For many this triggered an immediate response to begin the tedious process of upgrading security patches and signatures. Some simply don’t have the resources and will get to the upgrades as soon as they possibly can.

Assuming you weren’t one of the unlucky attack targets, the upgrades should resolve any concerns…this time around. But how many security alerts are you dealing with on a weekly, monthly basis?

For many, patch management has become a sore topic as it’s virtually impossible to stay on top of. But security efficacy takes on many shapes and sizes across the organization and, despite its pain, patching remains a crucial process in any security operation. Or does it?

If you examine the recent exploits that utilized either an unknown zero-day based vulnerability or a vulnerability that was known but had not yet been patched, you’ll see these exploits share a common set of traits. In order to execute they must follow a very well defined and finite set of exploit techniques in order to compromise the system. In fact at latest count there are only 24 techniques at an attacker’s disposal. And in most cases attackers have to employ three to four of these techniques in succession to exploit a system.

So conventional wisdom says, “If I can figure out a way to disrupt or prevent just one of those steps from being used, the attack itself could be blocked.” And a couple of innovative companies are now bringing this approach to market not only for exploits but also for malware-driven attacks.

With the news of a fresh round of breaches at Dairy Queen and Kmart, on top of a busy week of security patches, many organizations are falling into the dangerous path of making potentially catastrophic strategy shifts. This is partly due to pressure from an industry that’s pushing a very clear agenda around detection and remediation. Backed by alarming statistics on attack dwell times and the increasing cost of breaches, that industry is painting a picture in which prevention is futile and organizations should shift resources to a new fall-back position. Ridiculous!

I’m certainly not going to stand here and say detection isn’t important. But shifting valuable resources away from prevention so that you can more quickly detect and remediate the attack that’s most likely already achieved its objectives is an ill-conceived response that will ultimately lead to catastrophic results.

Prevention isn’t futile; remediation is. Because those companies who come in and charge $20,000 a day over an average of 31 days to clean up and remediate your systems do nothing to get back what was stolen. There’s no Navy SEAL team who infiltrates the Russian organized crime team to re-take your stolen credit cards, medical records, or design documents. That’s remediation. Hold your line. Know that prevention isn’t futile.

Take this opportunity to rethink your overall security architecture. Are you utilizing the next-generation security platforms that now exist, ones that combine network, cloud and endpoint security? The technology exists to truly prevent these attacks from ever achieving their objectives.

Step back; don’t panic. Take the time to architect a top down approach that reduces your attack surface by safely enabling your applications, users and devices. Implement automation to protect against both known and unknown threats, eliminating the ‘man-in-the-middle’. The capability exists; it’s just a matter of taking a breath and collecting the courage to drive real change across your organization.

Scott Gainey is the VP of Product Marketing and Programs at Palo Alto Networks. He is responsible for formulating the vision, definition and delivery of programs aimed at driving Palo Alto Network’s growth in security, and cultivating opportunities in new and existing markets. Gainey has over 18 years of experience in security, cloud computing, storage systems, and enterprise networking. Prior to joining Palo Alto Networks Scott held leadership positions at Cisco, Xsigo Systems (bought by Oracle), NetApp, VERITAS Software (bought by Symantec), and Sun Microsystems.

[SecurityWeek]

Palo Alto Networks 2015 Predictions: Securing Industrial Control Systems

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.) 

Recent years have made Industrial Control Systems (ICS) cybersecurity a very dynamic area, and 2014 was no different. While much progress is left to be made, some milestones like the announcement of the release of version 1.0 of the NIST Framework, show the encouraging progress industry has made in making critical infrastructure protection top of mind.

Other milestones, such as the new and sophisticated APT campaigns targeting ICS, remind us that the bad guys are constantly expanding their capabilities in going after critical infrastructure assets.  We have also seen more IT-OT integration around mobility and virtualization, technologies that in the past were typically considered too unproven for OT environments.

With the year almost behind us, it is interesting to peer into 2015 to anticipate if and how some of the trends will persist and evolve. Hopefully organizations will consider what kind of security capabilities might be needed to improve control systems security posture as well as operational efficiency.  Here then are three predictions I think end users will want to pay attention to in 2015:

1. Projects to Virtualize OT Datacenters Pick Up Steam

Up until early 2014, most OT information systems managers I informally surveyed knew of plans to virtualize the corporate datacenter, but had no plans of their own to do the same for operational data centers.  In fact, most organizations were vehement in their position to never virtualize these environments, which house critical applications such as MES, EMS, Historians, SCADA Masters and similar automation servers.

There was quite a bit of nervousness around the stability and performance of applications sitting on multiple virtual machines sharing a hypervisor and hardware resources. But starting in the early part of 2014 I started to hear a different view where virtualization became something organizations were “looking at” and for which they even had pilot programs in the works. To be sure, there are already organizations that have virtualized servers in the automation environment. Manufacturing, for example, where the cost pressures are very extreme, has already begun the transformation and started to reap cost and efficiency advantages. But in 2015, I expect more use of this technology even in critical infrastructure environments such as utilities and transportation.

Many organizations segment their operational datacenters off from other networks/zones within the control center or PCN. With virtualized environments security architects need to now also consider the traffic between virtual machines — the so-called east-west traffic.  Maintaining security for virtualized environments could also be quite a burden and organizations need to find solutions that reduce the administrative effort around securing VMs particularly in the effort to ensure that security implementations maintain their integrity as virtual machines get moved around. What’s more, the solution for the virtualized environment should also follow the same framework and management platform as devices for securing the non-virtualized assets.

2. Growing Use of Mobility for HMI and Big-data Applications

Earlier in November, I saw a really cool demo from a vendor of solutions for “Digital Oilfields.”  The demo involved the use of augmented reality glasses and a tablet device by onsite field personnel to identify assets in the oil field, monitor processes and adjust the control systems, e.g. tuning set points on PLCs. The immediate access to information and the process was very compelling. It made workers more efficient and reduced the risk of errors.

Besides Oil and Gas, mobility solutions are also appearing in other industries such as manufacturing and utilities.  Some service providers are also increasing their push of mobility solutions. While there are some valid security risks, the benefits of mobility in terms of providing on-demand access to important information and the ability to apply controls while on the go are just so compelling that it is only a matter of time before these technologies become widely used.

With mobile technologies on hand several new security considerations come to the surface.  Are these mobile devices configured properly and are they being used only in business-related ways?  Can threats, even zero day threats, introduced via mobile devices be detected and stopped? These are just a couple of considerations when organizations introduce mobility to the automation environment.  A solution must be able to not only extend the fixed-environment security to the mobile environment but also be able to secure the new risk vectors that come with a mobile use model.

3. The Emergence of General Purpose ICS Exploit Kits with Programming Capabilities

Stuxnet already showed that ICS components, e.g. centrifuges, can be damaged via cyberattacks, but that was a very targeted campaign tailored for a specific environment.

But consider the trajectory of a couple of 2014 APTs targeting ICS, including Energetic Bear which used trojanized malware and common ICS protocols, and even Black Energy which used exploits specific to HMI software, and I believe 2015 will bring availability of a general-purpose and commercially-available ICS exploit kit that can be used to control processes, essentially lowering the hurdle for cyberphysical attacks. This will result in some headlines; such a kit would no doubt be used by actors to successfully manipulate an industrial process.  As usual, the attack will rely on social engineering techniques and a zero day exploit or two to be successful. With that in place it will then enumerate, monitor and control ICS assets using ICS protocols.

I won’t feel bad if that prediction doesn’t come to fruition — I certainly hope I’m wrong. The main message here is the bad guys are getting more sophisticated and organizations need to up their game when it comes to defending industrial control systems against these advanced threats. Many operators I talk to still have nothing in place to combat advanced threats and are just not aware of the options. Asset owners really need to revisit their posture to not only detect but also prevent advanced attacks.

Securing ICS in 2015 and Beyond with a Platform

As organizations look to revamp their cybersecurity programs for the new year and beyond, an important question is what kind of capabilities are required to better secure ICS and why? We’ve touched on several requirements already, but there are other important ones not covered. In speaking with Mario Chiock, former CISO of Schlumberger and current executive advisor for next-generation security and technology, we felt this question to be so important that we decided to collaborate on a white paper titled “Defining the 21st Century Cybersecurity Platform for ICS”. You can access the whitepaper here today. Here we take a look at several important topics including:

  • The drivers for improving security in ICS including the nature of advanced threats
  • The definition of a platform including the 9 key capabilities of a 21st century ICS security platform
  • Why these capabilities are important as they pertain to improving security and operational efficiency and key things to look for when selecting a platform
  • How a 21st century security platform helps with implementing the NIST Cybersecurity Framework
  • A self-assessment checklist for decision makers to review as they plan their next generation ICS security architecture.

I hope you have a chance to check it out.

With that, I’ll leave you with one last thought which is a quote from Mario Chiock who says, “It is impossible to stop advanced threats with legacy security.  You need a 21st Century Security Platform to Defend against 21st Century Threats.”

Have a happy, prosperous and secure 2015!


Securing Industrial Control Systems is among many focus topics at Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]

Protecting Users from iOS App Provisioning Profile Abuse

Recently, we announced the discovery of WireLurker, a new family of malware that abuses app provisioning profiles to install potentially malicious apps on any iOS device, regardless of whether it is jailbroken. Shortly after, FireEye highlighted the Masque Attack, which also relies on malware apps signed by provisioning profiles and had previously been disclosed by Stefan Esser. Both attacks highlight the importance of provisioning profile management in Mobile Device Management (MDM) solutions. In this post, we explain how to protect users from iOS app provisioning profile abuse attacks with the Palo Alto Networks GlobalProtect Mobile Security Manager product.

Provisioning Profiles on iOS

As stated in the iPhone Developer Program:

“A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing. A Development Provisioning Profile must be installed on each device on which you wish to run your application code. Each Development Provisioning Profile will contain a set of iPhone Development Certificates, Unique Device Identifiers and an App ID. Devices specified within the provisioning profile can be used for testing only by those individuals whose iPhone Development Certificates are included in the profile. A single device can contain multiple provisioning profiles.” – iPhone Developer Program

Before we continue, we want to highlight several important facts about the provisioning profiles on iOS devices.

First, provisioning profiles are only intended to be used for internal purposes, either testing or enterprise deployment. If a user only installs apps from the Apple App Store, no provisioning profile needs to be installed on their iOS devices.

Second, if a user installs an app from outside the Apple App Store that is signed by a provisioning profile, that profile is installed on the iOS device and can be logged by an installed MDM app.

Third, in an enterprise environment, if there is an app signed by a provisioning profile on a managed iOS device, this provisioning profile should be under the control of the company’s IT department. Again, Apple’s policy requires that these profiles only be used internally.

Therefore, if the IT admin observes iOS devices with provisioning profiles not under his/her management, this should be enough to trigger an alarm and initiate response actions.

MDM on iOS

The MDM interface on iOS is very restricted. From the MDM server, an IT admin can only view a brief summary of the apps installed on every device, along with provisioning profiles. FireEye’s Masque Attack blog states:

The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.

We agree that with such limited information the MDM server cannot build a correlation between the apps and the provisioning profiles. Without correlation, an IT admin cannot distinguish whether an app is malware or legitimate. However, the provisioning profiles themselves can be used to determine whether malware or unauthorized apps have been installed on the device.

Proposed Approach with MDM on iOS

To detect these attacks, we recommend that IT admins maintain a whitelist and blacklist of provisioning profiles.

Under this model, the whitelist contains the provisioning profiles under the company’s management. An example includes a provisioning profile used for internal app development and testing. Managed iOS devices would be allowed to install apps with those provisioning profiles.

The blacklist contains publicly known bad/abused provisioning profiles. We also suggest including any expired or revoked provisioning profiles from previous internal use.

As noted above, an IT admin can use MDM solutions to build a mapping between the provisioning profiles installed and the associated devices. For example, this mapping could be built using the GlobalProtect Host Information Profile (HIP) reports collected from managed iOS devices. If the IT admin observes any provisioning profile not in the whitelist or one that is on the blacklist, that profile would trigger an alarm. Considering the severe risks outlined in the WireLurker and Masque Attack reports, it would be both reasonable and responsible for an IT admin to initiate action on a device with unwanted provisioning profiles.
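The whitelist/blacklist model above reduces to a small check over the per-device profile inventory that MDM already reports. The Python below is an added illustration, not Palo Alto Networks’ GitHub tool and not GlobalProtect HIP output: the report structure, profile UUIDs, names and expiry dates are constructed placeholders. It builds the profile-to-device mapping the post describes and then raises an alert for any profile that is blacklisted, expired (which the post suggests treating as blacklisted), or simply not on the whitelist of profiles under IT’s management.

```python
from datetime import date

# Constructed sample in the shape of a per-device inventory export; the real
# GlobalProtect HIP report format is not shown in the post (assumption).
REPORTS = [
    {"device": "ipad-nurse-01", "profiles": [
        {"uuid": "AAAA-1111", "name": "Clinic Pilot App", "expires": "2015-06-30"}]},
    {"device": "iphone-dr-07", "profiles": [
        {"uuid": "AAAA-1111", "name": "Clinic Pilot App", "expires": "2015-06-30"},
        {"uuid": "DEAD-BEEF", "name": "Free Games Pack", "expires": "2015-12-31"}]},
    {"device": "iphone-admin-02", "profiles": [
        {"uuid": "BBBB-2222", "name": "Old Build 2013", "expires": "2014-01-01"}]},
]

# Whitelist: profiles under the company's management. Blacklist: publicly known
# bad/abused profiles plus retired internal ones. Both are constructed placeholders.
WHITELIST = {"AAAA-1111"}
BLACKLIST = {"DEAD-BEEF"}


def map_profiles_to_devices(reports):
    """Invert the per-device reports into profile UUID -> set of devices carrying it."""
    mapping = {}
    for report in reports:
        for profile in report["profiles"]:
            mapping.setdefault(profile["uuid"], set()).add(report["device"])
    return mapping


def classify_profile(profile, whitelist, blacklist, today):
    """Return None for an acceptable profile, otherwise the reason it needs attention.
    Expired profiles are flagged even when whitelisted, matching the advice to
    treat expired or revoked internal profiles as blacklisted."""
    if profile["uuid"] in blacklist:
        return "blacklisted"
    if date.fromisoformat(profile["expires"]) < today:
        return "expired"
    if profile["uuid"] not in whitelist:
        return "not under management"
    return None


def find_alerts(reports, whitelist=WHITELIST, blacklist=BLACKLIST, today=None):
    """Walk every device's profiles and collect (device, uuid, name, reason) tuples.
    `today` may be a date or an ISO string; defaults to the current date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    alerts = []
    for report in reports:
        for profile in report["profiles"]:
            reason = classify_profile(profile, whitelist, blacklist, today)
            if reason:
                alerts.append((report["device"], profile["uuid"], profile["name"], reason))
    return alerts


if __name__ == "__main__":
    for uuid, devices in sorted(map_profiles_to_devices(REPORTS).items()):
        print(f"{uuid}: {', '.join(sorted(devices))}")
    for device, uuid, name, reason in find_alerts(REPORTS, today="2014-11-25"):
        print(f"ALERT {device}: profile {uuid} ({name}) is {reason}")
```

Because the check keys on the profile rather than on the app’s bundle identifier, it does not depend on the MDM API being able to distinguish a repackaged app from the original, which is the limitation the FireEye quote describes.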

To help our users to discover potentially malicious profiles, we’ve developed a tool that interacts with the GlobalProtect Mobile Security Manager command line interface to locate unwanted provisioning profiles.  This tool allows administrators to identify all profiles deployed on devices they control, blacklist and whitelist specific profiles and display a list of profiles that require additional attention. The tool is available on GitHub here, and includes a full readme with information on prerequisites and usage instructions.

We would like to thank Marc Benoit, Kevin Steves, Rohan Davuluri, Wayne Fiori, Jen Miller-Osborn, Joby Menon and Siu-wang Leung of Palo Alto Networks for their help and efforts in creating this solution and producing this blog.


[Palo Alto Networks Blog]
