Here Are 5 Common Pitfalls in ICS Security – And What to Do About Them

As cyberthreats increase in both volume and sophistication, securing industrial control systems (ICS) becomes that much more challenging. Despite the varied nature of critical infrastructure, however, most weaknesses in current ICS security fall into one or more of five categories.

Let’s look at these ICS security pitfalls and how to address them.

  1. Weak passwords

Where possible you should establish and implement policies that require the use of strong passwords. This could include account lockout policies to reduce the chance of someone succeeding with a brute-force attack, though lockout is not ideal in an ICS environment; it is better suited to a system that has to be internet facing.

If strong password enforcement is not something that can be done without risking safety, look at placing some other compensating control in front of the system, such as a firewall or terminal server, that can enforce strong passwords without impacting the ICS system itself.

  2. Poor patch management

As we’ve previously discussed, patch management is a tricky endeavor at best. If machines in an ICS infrastructure are properly implemented, all necessary ports and protocols have been identified to allow for proper software functions. In that case, frequent patching usually isn’t necessary because those systems are, for the most part, static in nature.

But that doesn’t mean you can ignore a patch management policy. Your ICS environment requires a plan and process by which to apply patches as needed and when possible, to help mitigate known vulnerabilities that constitute a threat to your environment. Keep in mind that not all vulnerabilities are a threat to your systems. For example, if you do not run web services on your system, it’s not necessary to patch web services – by doing so, you just increase the risk of damage to your system.
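The "patch only what is actually exposed" reasoning above can be made into a repeatable triage step. The following is an added example, not code from the original article or from Palo Alto Networks: it decides which advisories apply to a static ICS host by comparing each advisory's affected component, fixed version and required network exposure against what the host really runs and listens on, so that a fix for a disabled service is recorded as not applicable rather than installed. The asset inventory, advisory ids and version numbers are constructed placeholders.

```python
"""Patch applicability triage for a static ICS host (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    name: str
    installed: Dict[str, str]      # component -> installed version
    services: Set[str]             # services actually enabled on the host
    listening_ports: Set[int]      # TCP ports actually open after hardening


@dataclass
class Advisory:
    advisory_id: str               # placeholder ids, not real advisories
    component: str
    fixed_in: str                  # first version that contains the fix
    requires_service: Optional[str] = None   # service that must run for exposure
    requires_port: Optional[int] = None      # port that must listen for exposure


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def applies(asset: Asset, adv: Advisory) -> Tuple[bool, str]:
    """An advisory applies only when the vulnerable component is installed
    below the fixed version AND the service/port it needs is really present."""
    installed = asset.installed.get(adv.component)
    if installed is None:
        return False, f"{adv.component} not installed"
    if version_tuple(installed) >= version_tuple(adv.fixed_in):
        return False, f"{adv.component} {installed} already at or after {adv.fixed_in}"
    if adv.requires_service and adv.requires_service not in asset.services:
        return False, f"service {adv.requires_service} disabled; not exposed"
    if adv.requires_port and adv.requires_port not in asset.listening_ports:
        return False, f"port {adv.requires_port} not listening; not exposed"
    return True, f"{adv.component} {installed} < {adv.fixed_in} and reachable"


def triage(asset: Asset, advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Split advisories into 'patch' (schedule in the next window) and
    'defer' (record as not applicable, keeping the reason for the audit trail)."""
    result: Dict[str, List[str]] = {"patch": [], "defer": []}
    for adv in advisories:
        ok, reason = applies(asset, adv)
        result["patch" if ok else "defer"].append(f"{adv.advisory_id}: {reason}")
    return result


# Constructed inventory: an HMI host whose bundled web server is switched off.
HMI = Asset(
    name="hmi-01",
    installed={"hmi-runtime": "4.2.1", "web-server": "2.0.3", "opc-ua-server": "1.3.0"},
    services={"hmi-runtime", "opc-ua-server"},
    listening_ports={4840},        # only OPC UA is reachable
)

# Constructed advisories with placeholder ids.
ADVISORIES = [
    Advisory("ADV-0001", "web-server", "2.1.0", requires_service="web-server", requires_port=80),
    Advisory("ADV-0002", "opc-ua-server", "1.4.0", requires_service="opc-ua-server", requires_port=4840),
    Advisory("ADV-0003", "hmi-runtime", "4.2.0"),
    Advisory("ADV-0004", "ftp-server", "3.0.0", requires_service="ftp-server", requires_port=21),
]

if __name__ == "__main__":
    for bucket, items in triage(HMI, ADVISORIES).items():
        print(bucket.upper())
        for item in items:
            print("   ", item)
```

Only the OPC UA advisory ends up in the patch bucket; the web-server fix is deferred because the service is disabled, and the deferral reason is kept so the decision can be justified later.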

  3. Flat network design and/or unnecessary exposure to corporate resources and the Internet

Looking back, PCN, ICS, SCADA and other control-type networks were designed at a time when network connectivity was not a concern. These systems had true air gaps, and it was not until recently that the increased need for data from them required IT/OT to start looking at providing network connectivity to the enterprise.

One important step is to introduce network segmentation along the lines of ISA/IEC 62443 to your environment as soon as possible. This alone makes isolating your critical assets easy and provides a clearly defined line of demarcation.

Another best practice is, where possible, to keep these systems from facing the Internet. You can minimize the network exposure of control systems by placing them behind firewalls and isolating them from all unnecessary business network services.

If your systems require remote access, look at employing secure methods that allow more granular control over access and provide a record or log of entry into the system.
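To make the segmentation and demarcation advice above concrete, here is an added example (not code from the original article or from Palo Alto Networks) in the zone-and-conduit style of ISA/IEC 62443: addresses are assigned to zones, traffic may cross a zone boundary only through an explicit conduit list, everything else is denied, and remote-access conduits are marked as logged. It also reports which flows a flat, fully routed network would have carried that the segmented design blocks. The zones, addresses, ports and conduits are constructed for illustration.

```python
"""Zone-and-conduit policy check (added example, constructed data)."""
import ipaddress
from typing import List, NamedTuple, Tuple


class Conduit(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    logged: bool = True            # remote-access conduits must leave a record


# Constructed zones (private and documentation ranges only). Anything that
# does not fall inside a listed network is treated as "internet".
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),      # historian, jump host
    "control":   ipaddress.ip_network("192.168.100.0/24"),  # PLCs, HMIs, OPC UA server
}

# The only permitted cross-zone traffic. No matching conduit means deny.
CONDUITS = [
    Conduit("corporate", "dmz", "tcp", 443),     # users read historian data over HTTPS
    Conduit("dmz", "control", "tcp", 4840),      # historian polls the OPC UA server
    Conduit("corporate", "dmz", "tcp", 22),      # engineers reach the jump host, logged
    Conduit("dmz", "control", "tcp", 22),        # jump host to engineering workstation, logged
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return ("allow" or "deny", reason) for one flow under the segmented design."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow", f"intra-zone ({src})"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.port) == (src, dst, proto, port):
            note = " (logged)" if c.logged else ""
            return "allow", f"conduit {src}->{dst}/{proto}/{port}{note}"
    return "deny", f"no conduit {src}->{dst}/{proto}/{port}; default deny"


def blocked_by_segmentation(flows: List[Tuple[str, str, str, int]]) -> List[str]:
    """Flows a flat, fully routed network would carry but the zone design denies."""
    return [f"{s}->{d} {p}/{port}: {evaluate(s, d, p, port)[1]}"
            for s, d, p, port in flows if evaluate(s, d, p, port)[0] == "deny"]


# Constructed candidate flows.
FLOWS = [
    ("10.10.5.23", "192.168.100.10", "tcp", 502),   # corporate workstation straight to a PLC
    ("203.0.113.7", "192.168.100.10", "tcp", 502),  # internet host to the same PLC
    ("10.10.5.23", "10.20.0.5", "tcp", 443),        # corporate to historian
    ("10.20.0.5", "192.168.100.10", "tcp", 4840),   # historian to OPC UA server
    ("10.10.5.23", "10.20.0.9", "tcp", 22),         # engineer to jump host
]

if __name__ == "__main__":
    for line in blocked_by_segmentation(FLOWS):
        print("BLOCKED", line)
```

The two direct paths into the control zone (from the corporate LAN and from the Internet) are the ones denied; legitimate data flows still work, but only via the DMZ, and the SSH conduits used for remote access are the ones flagged as logged.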

  4. No authentication to resources

If you isolate ICS behind a firewall you are able to enforce a higher level of access control. If firewalling the system is not an option, you should look at placing some other form of remediating system or device that requires login access.

  5. Default user accounts with default passwords

Last but definitely not least, when and where possible disable and/or change the default user ID and password in your environment. It is understood that in the controls world safety is paramount, that when things go wrong you don’t want to have to look through a long list of passwords, and that you may have 50 of these units that aren’t centrally managed.

Sure, you’re saying: “It will take forever to change all the passwords on the units.” But you should come up with a password for those 50 and change them all, especially on intra/internet-facing assets. The time and energy it takes to make the change in the beginning is a lot less effort than tracking down and dealing with a break, let alone reporting up to C-level why the environment was compromised because of a password issue.
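The strong-password policy from pitfall 1 and the "change all 50 units" advice here can be handled together. The following is an added example, not code from the original article or from Palo Alto Networks: a policy check that rejects short or low-variety passwords, vendor defaults and passwords containing the unit's own name, plus a rotation planner that orders a fleet by exposure (internet-facing first), generates a unique policy-compliant secret per unit that is still on a default credential, and returns the plan in the form you would load into a password vault. The default-credential list and the 50-unit fleet are constructed placeholders.

```python
"""Password policy and fleet-wide default-credential rotation (added example)."""
import secrets
import string
from typing import Dict, List, Tuple

MIN_LENGTH = 16
# Constructed placeholder list; a real deployment would use the vendor's documented defaults.
KNOWN_DEFAULTS = {"admin", "password", "1234", "default", "changeme"}


def check_password(candidate: str, unit_name: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known vendor default")
    if unit_name.lower() in candidate.lower():
        problems.append("contains the unit name")
    return problems


def generate_password(unit_name: str, length: int = 20) -> str:
    """Draw from a CSPRNG until the result satisfies check_password."""
    alphabet = string.ascii_letters + string.digits + "!@#%^*-_=+"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, unit_name):
            return pw


# Rotate the most exposed units first.
PRIORITY = {"internet": 0, "intranet": 1, "isolated": 2}


def rotation_plan(fleet: List[Dict]) -> List[Tuple[str, str, str]]:
    """Order units by exposure, then name, and produce (unit, exposure, new_password)
    for every unit still running a default credential."""
    todo = [u for u in fleet if u["uses_default"]]
    todo.sort(key=lambda u: (PRIORITY[u["exposure"]], u["name"]))
    return [(u["name"], u["exposure"], generate_password(u["name"])) for u in todo]


# Constructed fleet of 50 units: internet-facing when the number is divisible by 5,
# otherwise isolated when divisible by 3, otherwise intranet; every fourth unit
# has already been changed from its default.
FLEET = []
for i in range(1, 51):
    exposure = "internet" if i % 5 == 0 else ("isolated" if i % 3 == 0 else "intranet")
    FLEET.append({"name": f"rtu-{i:02d}", "exposure": exposure, "uses_default": i % 4 != 0})

if __name__ == "__main__":
    for unit, exposure, _secret in rotation_plan(FLEET):
        print(f"{unit}  {exposure:9s}  rotate")   # secrets go to the vault, not the console
```

The plan lists 38 units, with the 8 internet-facing ones at the top; every generated password passes the same policy that would be enforced on a terminal server or firewall placed in front of the units.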

For more on Palo Alto Networks solutions for ICS, head here.

[Palo Alto Networks Blog]

Customer Spotlight: How Entsorgung Recycling Zurich Improved Security and Reduced Admin Burdens

Entsorgung Recycling Zurich (ERZ) recycles waste for the city of Zurich, Switzerland, to the tune of 30,000 bags of trash each day, plus cleaning public spaces and wastewater. Responsible for providing critical basic infrastructure services 24/7, ERZ turned to Palo Alto Networks for advanced endpoint security that didn’t require additional resources.

“We’re always looking for new solutions that can automate work and threat prevention, which were taking us a half day of work to manage,” says Julio Lorenzo, Leader, Group Field Infrastructure for ERZ. That meant no recycled solutions: ERZ chose Palo Alto Networks Traps for endpoint security because “we don’t have to babysit and update Traps constantly, and it would still prevent unknown attacks.”

Combined with WildFire to proactively identify and block unknown malware, Zero-Day exploits, and Advanced Persistent Threats, ERZ has both improved overall security and reduced IT administrative burdens. According to Lorenzo, ERZ now has far fewer administrative expenses and a “new level of protection and prevention against unknown and known threats.”

I invite you to read the ERZ case study (in English or German) to learn how ERZ improved security, reduced IT management burdens, and lowered CPU utilization with Palo Alto Networks.

[Palo Alto Networks Blog]

Customized Malware—The Game Changer

“How secure is our network from unauthorized access?”

If you are an information security or risk management professional, you have undoubtedly become accustomed to having this question asked of you, likely with increased frequency. Those posing this question, whether a senior manager or an individual serving on your board of directors, are acutely aware of the dramatic increase in cyber attacks and the consequences associated with the unauthorized access of customer information, proprietary corporate data or intellectual property. Given your respective role, it is, therefore, logical that individuals turn to you for reassurance that the organization’s confidential information is adequately protected from the rapidly evolving array of external threats.

The next time that you are asked this question, I urge you to reflect on this article. Before you launch into your practiced response of describing the myriad technical controls you have deployed to secure your network perimeter, a best-in-class firewall, robust anti-virus software and a data loss prevention solution, it is advisable to remember this indisputable fact: customized malware has rendered these technologies increasingly ineffective. If you are performing an information security or risk role, you must recognize that a new generation of prolific hackers is routinely deploying customized malware to successfully penetrate the networks of sophisticated, multinational corporations. Therefore, the traditional approach of combating this threat through a technology-centric strategy is obsolete.

Organizations that fail to acknowledge this dynamic, and adjust their approach accordingly, will remain at the imminent risk of a data breach and be exposed to the consequences that accompany these events. This article will discuss and define the evolving threat posed by customized malware and provide a multifaceted approach to mitigate this risk.

Customized malware is malicious software that has been modified, reengineered or altered to evade the detection capabilities of traditional security technologies. Customized malware may be presented as any of the commonly known forms of malicious software, including viruses, worms, Trojan horses, rootkits and ransomware. The most common customized malware delivery method is inbound email, normally by a phishing or spear phishing attack. Given that anti-virus products provide “signature-based detection,” only malware variants whose algorithms have been previously identified are prevented from compromising the intended victim. Whenever a new malware variant is identified, a “patch” that addresses this specific threat is created, distributed and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed immediately upon receiving the update from their anti-virus provider. Unfortunately, the period that elapses between identification, analysis and distribution of a security patch is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.
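The gap the paragraph describes, a signature matching only variants already analysed, can be shown in a few lines. This is an added example, not code from the original article or its author: a toy signature store that recognises samples by SHA-256, next to a rule that looks for a structural indicator inside the sample. Changing a single irrelevant byte defeats the hash match but not the indicator, which is why the layered approach argued for later in the article matters. The sample is a constructed plain-text stand-in (not malware), and the `callback=` marker is a constructed placeholder indicator, not a real detection rule.

```python
"""Why a hash-only signature misses a 'customized' variant (added example)."""
import hashlib
from typing import Dict, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a previously identified sample (plain text, inert).
KNOWN_SAMPLE = b"build=1001\ncallback=control.example.invalid\nsleep=300\n"

# Signature database: exact hashes of the variants analysed so far.
SIGNATURE_DB = {sha256(KNOWN_SAMPLE)}

# Indicator rule (constructed placeholder): the sample declares a callback
# host at all, whatever the rest of its bytes look like.
CALLBACK_MARKER = b"callback="


def hash_detect(sample: bytes) -> bool:
    """Signature-based check: only exact, previously seen bytes match."""
    return sha256(sample) in SIGNATURE_DB


def indicator_detect(sample: bytes) -> bool:
    """Structure-based check: matches on what the sample contains, not on its hash."""
    return CALLBACK_MARKER in sample


def customize(sample: bytes) -> bytes:
    """Model the trivial modification the article calls 'customized' malware:
    bump an irrelevant build number so the file hash changes."""
    return sample.replace(b"build=1001", b"build=1002")


def detection_matrix() -> Dict[str, Tuple[bool, bool]]:
    """(hash_detect, indicator_detect) for the known sample and its variant."""
    variant = customize(KNOWN_SAMPLE)
    return {
        "known": (hash_detect(KNOWN_SAMPLE), indicator_detect(KNOWN_SAMPLE)),
        "variant": (hash_detect(variant), indicator_detect(variant)),
    }


if __name__ == "__main__":
    for name, (by_hash, by_indicator) in detection_matrix().items():
        print(f"{name:8s} hash={by_hash} indicator={by_indicator}")
```

The known sample is caught both ways; the variant is caught only by the indicator rule, and it would stay invisible to the hash store until its own hash is analysed and distributed, the 30-to-90-day window the article refers to.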

Although this form of undetectable threat has been active for several years, the widely publicized attack on Target provided the public with unprecedented clarity regarding how customized malware is used. In the Target breach, the malware that was installed within the company’s network permitted a group of hackers to perform extensive system reconnaissance and, ultimately, the theft of more than 40 million credit and debit card numbers. In addition to the cardholder data, 70 million customer email addresses, home addresses and telephone numbers were stolen. Finally, in mid-December 2013, an external party informed Target management that the retailer had been hacked and the attack eventually was disrupted.

Upon analysis of the malware used against the retailer, it was determined that this variant had a zero percent anti-virus detection rate. Simply put, this form of malware was undetectable.

Although I use the Target breach to demonstrate the characteristics, capabilities and availability of customized malware, similar attacks are commonplace throughout all sectors and industries. If your executive management team was aware that your current security approach would, at best, prevent only one in 20 attempts to penetrate your network, I suspect that you would be reevaluating your system defense strategy.

The persistent and evasive nature of customized malware requires the implementation of a multi-layered approach to data protection and network security. Given the irrefutable evidence that anti-virus products have become increasingly ineffective in preventing this form of malware from compromising global networks, enterprises can no longer rely solely on security technologies. An approach that combines employee education, threat containment and network monitoring will reduce the risk of a customized malware penetration.

I’ll be discussing this issue, including the mitigation strategy we use with our clients, during the session I am presenting at CSX 2015 in Washington DC, 19-21 October titled, “Customized Malware—Address This Threat.” I hope to see you there.

John Moynihan, CGEIT, CRISC
President and Founder of Minuteman Governance

[ISACA Now Blog]

Extending the Next-Gen Security Platform to SaaS

Today we are very excited to announce the availability of Aperture, a new SaaS security offering based on technology we acquired from CirroSecure in May 2015. As the latest enhancement to the Palo Alto Networks Next-Generation Security Platform, Aperture helps organizations safely enable sanctioned SaaS applications, such as Box, Dropbox, Google Drive, and Salesforce.com.

Data residing within enterprise-enabled SaaS applications is not visible to an organization’s network perimeter. Aperture can connect directly to sanctioned SaaS applications to provide data classification, sharing/permission visibility, and threat detection within the application. This provides unparalleled visibility into these applications, allowing organizations to inspect content for data risk violations, and control access to shared data via a contextual policy.

Aperture builds upon the existing SaaS visibility and granular control capabilities of the Next-Generation Security Platform provided through App-ID™ with detailed SaaS-based reporting and granular control of SaaS access. Adding visibility and control within the SaaS applications using Aperture provides a full end-to-end security solution without any additional hardware, software, or network changes required. Thanks to complete visibility across all user, folder and file activity, you’re no longer speculating about what’s happening with these applications. You know exactly what’s happening.

Key features of Aperture include:

  • Complete visibility across all user, folder and file activity – Helps organizations transition from a position of speculation to one of knowing what is happening at any given point in time.
  • Retroactive analysis and control of data and threat exposure – Enforcement dating back to the creation of the SaaS account itself.
  • Deep content inspection and usage analytics – Quickly classify data and determine if there are any data risks or compliance-related policy violations.
  • Granular, context-aware policy control – Drive the enforcement and quarantine of folders and data as soon as a violation occurs.
  • Advanced threat protection – Block known malware, and identify and block unknown malware.

Take the time to learn more about Aperture and see how it can secure your SaaS applications.

[Palo Alto Networks Blog]

How to Battle Hackers on an Even Plane

In the movie The Untouchables, a hit man pulls a knife to stab Sean Connery, then Connery pulls a shotgun on the hit man. The lesson from this scene is do not bring a knife to a gunfight.

A lot of corporate IT security staff must not have seen this movie. They are bringing knives to the data security fight while hackers bring guns, cannons, tanks and jet fighters.

With increasingly clever malware and phishing tactics, hackers are snagging users’ login credentials at a frightening pace and gaining access to networks. It can be as easy as exploiting a security hole in a web browser while the user is surfing the web to seize credentials and access privileged services.

While hackers poke, prod and probe networks every hour of the day looking for weaknesses, most corporate IT staff only review access privileges semiannually, quarterly or, if they are particularly diligent, monthly. The reviews are often perfunctory affairs that do not offer much in the way of detection or prevention.

That is not even bringing a knife to a gun fight; that is like remaining at the scene of the crime until the police arrive. Hackers have little fear of getting caught. The hacker who infiltrated Anthem’s customer database was not caught at all; Anthem did not detect the theft until 7 months later.

All of this responsibility does not necessarily have to fall to the corporate IT function. They are doing the best they can with what they have. If IT had to constantly examine and recertify user access with their current access management systems, they would not have time to do anything else. Their systems are typically a patchwork of manual or minimally automated security functions native to individual applications and databases. They do not exist in an integrated data security framework that enables IT to monitor usage of all key resources.

IT does not stand a chance of preventing more Anthem-level data losses until companies automate and analyze. Automating data extraction and cleansing provides a constant stream of user data. Analytical applications spot orphan accounts and irregular usage as they occur, not 7 or more months later. Arming IT with this kind of access management system means they are not going into the gunfight with a knife. It means they are ending the fight because the other side knows it cannot win.
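The "automate and analyze" step described above comes down to joining identity data with application accounts and then reading the access log continuously. The following is an added example, not code from the original post or the ISACA Journal article it points to: it flags orphan accounts (owner terminated, or no owner in the roster at all) and then scans access-log lines for activity on those accounts, logins outside business hours, and bulk exports. The HR roster, account list, log lines and thresholds are all constructed.

```python
"""Orphan-account and irregular-usage detection over constructed data (added example)."""
from datetime import datetime
from typing import Dict, List, Tuple

ROSTER: Dict[str, Tuple[str, str]] = {   # constructed HR export: user -> (status, department)
    "alice": ("active", "finance"),
    "bob":   ("terminated", "finance"),
    "carol": ("active", "engineering"),
}
ACCOUNTS = ["alice", "bob", "carol", "svc_report", "dmiller"]   # accounts present on the app

LOG_LINES = [   # constructed access log: ISO timestamp, user, action, row count
    "2015-09-01T09:12:03 alice  query   rows=120",
    "2015-09-01T21:47:10 bob    query   rows=50000",
    "2015-09-01T10:05:44 carol  query   rows=80",
    "2015-09-02T03:15:09 dmiller export  rows=250000",
    "2015-09-02T11:30:00 alice  export  rows=3000",
]

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal for this application
BULK_THRESHOLD = 10000          # more rows than this in one action is flagged


def orphan_accounts(roster: Dict[str, Tuple[str, str]], accounts: List[str]) -> List[str]:
    """Accounts with no active owner: terminated users, or no roster entry at all."""
    return sorted(a for a in accounts if roster.get(a, ("missing", ""))[0] != "active")


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    ts, user, action, rows = line.split()
    return datetime.fromisoformat(ts), user, action, int(rows.split("=")[1])


def irregular_usage(lines: List[str], roster: Dict[str, Tuple[str, str]],
                    accounts: List[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; one log line can raise several findings."""
    findings = []
    orphans = set(orphan_accounts(roster, accounts))
    for line in lines:
        ts, user, action, rows = parse_line(line)
        if user in orphans:
            findings.append((user, "activity on orphan account"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, f"{action} at {ts:%H:%M} outside business hours"))
        if rows > BULK_THRESHOLD:
            findings.append((user, f"bulk {action} of {rows} rows"))
    return findings


if __name__ == "__main__":
    print("orphans:", orphan_accounts(ROSTER, ACCOUNTS))
    for user, finding in irregular_usage(LOG_LINES, ROSTER, ACCOUNTS):
        print(f"{user:10s} {finding}")
```

Run against the constructed data, the three orphan accounts surface immediately from the join alone, and every finding in the log scan belongs to one of them: a terminated user querying 50,000 rows at night and an unknown account exporting 250,000 rows at 03:15. The point is the cadence, not the thresholds: run continuously, this finds the problem on the day it happens rather than at the next semiannual review.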

Read Chris Sullivan’s recent ISACA Journal article:
“Accelerating Access Management to the Speed of Hacks,” ISACA Journal, volume 5, 2015.

[ISACA Journal Blog]
