Your Not-So-Typical Cybersecurity Awareness Tips

“We tend to focus on the shiny technology when, in fact, actually, humans are the weak link in cybersecurity.”
— Michael Daniel, cybersecurity coordinator, Executive Office of the President

As a nation, the US will be recognizing cybersecurity awareness throughout the month of October. The Department of Homeland Security and likely every vendor that sells cybersecurity products or services will be sounding the ‘awareness alarm’, offering tips and tricks for users in an effort to promote safer online practices and better cyber hygiene.

But for those of us in the cybersecurity profession, awareness should not stop at educating users. As leaders in our field, the term must invoke a determination to address a workforce in crisis.

No one can truly understand what we are facing as a profession unless they are actually in the profession. Security managers are struggling to find qualified staff to run the security operations center; system administrators are bustling to keep pace with patching demands; incident responders are trying to catch a breath in between back-to-back breach timelines.

In recent years, it has been said that we are suffering from a ‘human capital crisis,’ a term recognized by both lawmakers and leaders in the public and private sectors. The very core of this crisis is a widening gap between supply and demand for workers. The (ISC)² 2015 Global Information Security Workforce Study (GISWS) forecasts that this workforce gap will only continue to widen, reaching 1.5 million professionals worldwide by 2020 because the pool of qualified candidates is insufficient.

Among U.S. federal government GISWS survey respondents, 60% said that they do not have enough personnel to meet the demands of their mission, and that this is one of the key factors working against them. While both public and private sectors have dedicated significant resources to programs in an effort to fix this problem, we have found no silver bullets. As it goes, practitioners in this field are working in an environment with the odds stacked against them – and with very little relief in sight.

During the month of October, I would like to challenge those in our field to promote a different type of awareness. My challenge is for us to pull together and inspire whomever we come in contact with to consider a career in cybersecurity.

The impact of growing the cybersecurity workforce with trained and skilled personnel will be far reaching, and will ultimately benefit the users at the central focus of this month’s National Cyber Security Awareness Month activities.

How can we promote such awareness? I, for one, intend to promote careers in cybersecurity whenever I get the chance to address students and their parents such as later this month when speaking to MITRE employees as part of (ISC)2 Foundation’s Safe and Secure Online program. Here are some suggestions for my cybersecurity colleagues and others as you go about your day-to-day activities during the month of October:

  • Look for opportunities to speak with children about cybersecurity. Check out your neighborhood school’s calendar of events to identify career days and rally your colleagues to get involved.
  • Educate yourself on the many scholarship opportunities for those seeking careers in this field and encourage students entering college to apply.
  • Know a veteran who is transitioning to civilian life? Provide him/her with information about the many programs that assist with cybersecurity career training and support.
  • Your friends who are either unhappy in their current role or temporarily out of a job might see cybersecurity as a chance to transition to a rewarding career path. Not sure how to get them started? Find an (ISC)2 member or contact us directly.
  • Are you a member of (ISC)²? If so, you can volunteer to teach parents, children, teachers and seniors about online safety through the (ISC)2 Foundation’s Safe and Secure Online program, which also offers an opportunity to pique student interest in a cybersecurity career at a young age.
  • Feed a student’s interest in cybersecurity by guiding them to one of the many cyber camps, challenges and competitions within our community.

Certainly, the goal of cybersecurity awareness is to inspire users to maintain a daily regimen of sound cyber practices. Let’s not stop at ‘shiny technology’. Instead, let’s get the message out that fortifying the workforce is essential in establishing and maintaining a safe and secure cyber world.

Dan Waddell, CISSP, CAP, PMP, (ISC)2 managing director, North America Region and director of U.S. Government Affairs, was lead author of this peer-reviewed post.

[InfoSecurity Magazine]

The Channel Scoop – October 16

Welcome to the Channel Scoop, a new weekly blog highlighting the key items you need to know to maximize your channel partnership with Palo Alto Networks. We’ll be publishing a new blog every Friday moving forward. For now, just sit back, relax and let us give you the channel scoop.

  • Next week is Breach Prevention Week (Oct. 19-23). The lineup of speakers is impressive and the topics are relevant. The best part? You don’t have to travel anywhere to participate. This webinar series is unrivaled in the industry, and our kickoff webcast (Oct. 19) will feature Palo Alto Networks CEO Mark McLaughlin. Click here to see the full lineup of webinars and to register.
  • Looking for a way to strengthen your trusted security advisor status with your customers? The new Security Lifecycle Review is your answer. Rebuilt from the ground up, the Security Lifecycle Review allows you to show your customers what applications, SaaS-based applications, URL traffic, content types, and known and unknown threats are currently traversing their network, and specifically highlight where potential risks exist. And the best part: you can now customize the Review with your company logo and information. Click here to log in to the Partner Portal and learn more about the Security Lifecycle Review.
  • It’s back! The Customer Care Upgrade Program was a successful incentive program we ran roughly a year ago to help fuel the conversion of our customer install base. The program provides customers with financial incentives in the form of hardware discounts and subscription/support credits to move from a PA-4000 Series to a PA-5000 Series or from a PA-2000 Series to a PA-3000 Series. The program will run until March 31, 2016. Click here to learn more and to access all the necessary materials from our Partner Portal.
  • Did you miss it? In Q1 we hosted our first NextWave Huddle, a quarterly webcast for our global partner community. This webcast is part of Ron Myers’ FY16 commitment to deliver more clear and consistent communications to you, our partners. Click here to listen to the replay.
  • On Sept. 15, Palo Alto Networks extended its proven history of safely enabling applications to SaaS applications with the launch of Aperture, a new security-as-a-service offering to help organizations safely enable and strengthen security for sanctioned SaaS applications, such as Box, Dropbox, Google Drive, and Salesforce. Click here to learn more about Aperture.

What topics would you like the scoop on next? Let us know by commenting on this post.

Finally, make sure you are following us on Twitter @NextWavePartner for real-time channel news and information.

[Palo Alto Networks Blog]

Connecting the Dots in Cyber Threat Campaigns, Part 1: Domain Name WHOIS Information

There tends to be some mystery around how to properly analyze infrastructure used in cyber attacks. It is a bit of an art, often involving educated guesses to tie components together. However, it is important to note the use of the term “educated guesses,” as they are bound by solid data. An educated guess is defined as “a guess based on knowledge and experience and therefore likely to be correct.” Intelligence analysis is akin to taking a bunch of puzzle pieces and figuring out where each belongs. The pieces of different puzzles are often jumbled together, so part of the analysis is determining which piece belongs to which puzzle and then where in that puzzle. From there an analyst has to establish what the whole puzzle most likely looks like, as analysts never have all of the pieces for any given puzzle.

If it sounds difficult, it often is. These missing pieces are often the most challenging part for threat analysts, but thorough research, analysis, and experience can often fill in the gaps. This series of blogs is intended to explain how analysts tie together attacker infrastructure. We’ll start with what is often the first step – domain name WHOIS information.

One of the easiest correlations to make is the information used to register a domain. Each name in the domain name system is registered, usually through a registrar, with the registry that operates its top-level domain (TLD). What information is required, and how far it is validated, varies from TLD to TLD, but a record typically contains at least the registrant’s name, e-mail address and other contact data. The WHOIS protocol lets anyone look up this registration data for a given domain. The same data is mirrored by various websites, but a direct WHOIS query should return the most recent information available.

When attackers want to set up a domain for a command and control server, they normally have to supply some identifying information to their registrar. Some actors re-use all or part of this information across the multiple domains they register. When a domain passes from one owner to the next (through a sale or a lapse in registration), the WHOIS record is updated with the new owner’s information.

When inspecting WHOIS information, analysts must be sure to check all of the historical WHOIS records for the domain, paying particular attention to the record that was in effect when the domain was used maliciously. The WHOIS protocol only returns the current registration information for a domain; historical WHOIS records are available from companies such as DomainTools.

It’s important to know that the registrant information does not have to be legitimate. Registrants are free to forge much of the information included – it isn’t uncommon for the only legitimate component to be the email address, as that’s required so the actor can control the domain.

The reason analysts must correlate WHOIS information with the time of malicious use is that the information can change for a number of reasons. A malicious domain can be taken from its registrant after complaints are filed with the registrar, or it can expire and be re-registered by someone else. Some campaigns buy domains on the aftermarket after someone else has registered them and update the registrant information before use. Others register through privacy or proxy services (“Domain Privacy”), where the WHOIS record shows the service rather than the end user; in that case the WHOIS data is of little use to an analyst. Future blogs will cover other data points analysts can explore to get around this limitation.

Below is an example of WHOIS information.

Registrant Name: Bad Guy
Registrant Organization:  We Hack Stuff
Registrant Street: 1 Bad Guy Way
Registrant City: St. Arkham
Registrant State/Province:
Registrant Postal Code: 66386
Registrant Country: DE
Registrant Phone: +86.68949396951
Registrant Phone Ext.:
Registrant Fax: +86.68949396851
Registrant Fax Ext.:
Registrant Email: badguy@bad.net

An analyst can and should search on each component in this listing:

  • Does the person’s name appear real? The company? The physical address? The email address?
  • Did searching on any of them return interesting hits?
  • Did those validate this as legitimate information or invalidate it? How so?
  • Does it look like the same information was used to register other domains? How many?
  • Does searching on the new domains return any hits on other malicious activity (whether open source or within databases with limited access)?
  • Does it appear to be related to the original activity?

By answering these, an analyst starts to piece together the puzzle. In some cases this allows analysts to spider out from the first figure below to the second.

Figure 1. Where the analyst started.

Figure 2. New data the analyst was able to uncover.

Another overlap visible in the figures is the re-use of a theme across domain names. It is rather common for malicious actors to follow a theme in the domains they use. The themes vary, but they can help analysts identify additional malicious infrastructure, as a theme is another pattern they can trace.
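The following Python script is an added example, not code from the original post or a Palo Alto Networks tool. It works through the checklist above on a small constructed set of historical WHOIS records: it parses “Key: Value” records of the kind WHOIS servers and history providers return, picks the record that was in effect when the domain was observed in malicious use (the timing caveat discussed earlier), pivots on registrant e-mail, phone and name to find other domains registered with the same values, and refuses to pivot through privacy-protected records, whose fields identify the proxy service rather than the actor. The .example domains, names, numbers, dates and the list of privacy-service markers are all assumptions made for the example; the marker list in particular is a heuristic an analyst would tune to the registrars they see.

```python
import re
from datetime import date

# Constructed sample WHOIS history for this example: invented .example domains,
# people, numbers and dates; nothing refers to real infrastructure. A blank line
# separates records; two records for one domain are that domain's history.
SAMPLE_WHOIS = """\
Domain Name: evil-update.example
Updated Date: 2015-03-01
Registrant Name: Bad Guy
Registrant Organization: We Hack Stuff
Registrant Phone: +86.68949396951
Registrant Email: badguy@bad.net

Domain Name: evil-update.example
Updated Date: 2015-09-15
Registrant Name: Domain Administrator
Registrant Organization: Privacy Protect LLC
Registrant Phone: +1.5555550100
Registrant Email: evil-update.example@privacyprotect.example

Domain Name: patch-server.example
Updated Date: 2015-02-10
Registrant Name: B. Guy
Registrant Organization: WHS
Registrant Phone: +86.68949396951
Registrant Email: badguy@bad.net

Domain Name: update-mirror.example
Updated Date: 2015-04-02
Registrant Name: Bad Guy
Registrant Organization: We Hack Stuff
Registrant Phone: +86 (689) 4939-6951
Registrant Email: support@whs.example
"""

PRIVACY_MARKERS = ("privacy", "protect", "proxy", "whoisguard", "redacted")  # heuristic
PIVOT_KEYS = ("registrant email", "registrant phone", "registrant name")


def parse_whois(text):
    """Parse blank-line-separated 'Key: Value' records into dicts (keys lower-cased)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip().lower()] = value.strip()
        if "domain name" in rec:
            rec["domain name"] = rec["domain name"].lower()
            rec["updated"] = date.fromisoformat(rec.get("updated date", "1970-01-01"))
            records.append(rec)
    return records


def is_privacy_protected(rec):
    """True when name/organization/email name a proxy service rather than a person."""
    text = " ".join(rec.get(k, "") for k in
                    ("registrant name", "registrant organization", "registrant email"))
    return any(m in text.lower() for m in PRIVACY_MARKERS)


def normalize(key, value):
    """Lower-case; phones reduced to digits so '+86.689...' matches '+86 (689) ...'."""
    value = value.lower().strip()
    return re.sub(r"\D", "", value) if key == "registrant phone" else value


def record_in_effect(records, domain, when):
    """Latest record for `domain` dated on or before `when` (date or ISO string),
    i.e. the registrant data that applied while the domain was seen in use."""
    when = date.fromisoformat(when) if isinstance(when, str) else when
    hits = [r for r in records if r["domain name"] == domain.lower() and r["updated"] <= when]
    return max(hits, key=lambda r: r["updated"], default=None)


def pivot(records, seed, keys=PIVOT_KEYS):
    """Map 'field=value' -> other domains registered with the same value.
    Privacy-protected records are skipped on both sides: their fields identify
    the proxy service and would tie unrelated customers together."""
    links = {}
    if is_privacy_protected(seed):
        return links
    for key in keys:
        seed_value = normalize(key, seed.get(key, ""))
        if not seed_value:
            continue
        for rec in records:
            if rec["domain name"] == seed["domain name"] or is_privacy_protected(rec):
                continue
            if normalize(key, rec.get(key, "")) == seed_value:
                links.setdefault(f"{key}={seed_value}", set()).add(rec["domain name"])
    return links


def related_domains(records, domain, observed_malicious):
    """Domains sharing registrant data with `domain` as registered at the time of
    observed malicious use; empty if that record was privacy-protected."""
    seed = record_in_effect(records, domain, observed_malicious)
    return set().union(*pivot(records, seed).values()) if seed else set()
```

With the sample data, `related_domains(parse_whois(SAMPLE_WHOIS), "evil-update.example", "2015-04-20")` returns patch-server.example (same e-mail and phone) and update-mirror.example (same phone once formatting is stripped, and same registrant name). Asking the same question for 2015-10-01, after the domain moved behind a privacy service, returns nothing: that is the point at which the analyst has to fall back on other data points such as the passive DNS pivots covered in Part 2.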

There is a caveat to researching these data points: the approach is usually more effective against APT campaigns than against crimeware or other high-volume malicious activity. APT campaign infrastructure tends to involve a lot of human interaction, and humans are creatures of habit. Crimeware and other very large malicious campaigns often use tools to auto-generate domains that are used only for very brief periods, creating such a high volume with such rapid turnover that the methods just described are rarely worth applying. However, researchers at Palo Alto Networks have published research on automated methods that can often predict those domains at a rate where blocking them is useful.

I hope this blog has helped explain how analysts research and connect malicious domains via WHOIS registrant information. In Part 2 we’ll explore passive DNS: analyzing the IP addresses that malicious domains have resolved to in order to identify new domains.

[Palo Alto Networks Blog]

AWS re:Invent Recap: WAFs Protect Web Applications, We Protect Networks

Palo Alto Networks was on the scene at re:Invent, the annual gathering of Amazon Web Services (AWS) users and experts, and the energy felt from the 19,000 or so attendees was palpable. Rightfully so, given that AWS is operating at roughly a $7 billion run rate, as stated in the keynote by Andy Jassy, SVP, Amazon Web Services.

We participated as a sponsor, demonstrating our VM-Series for AWS to many customers and new contacts alike. What was great to see was the number of current customers who came by to say “hello” and give us an update on where they are, relative to public cloud. Many are just getting started; however, several were fully deployed, using both our hardware appliances on their network and the VM-Series in the public cloud. Here are some of the comments we heard:

  • A financial services customer: “We have an IPSec VPN set up between the data center and our AWS presence. Within AWS we have multiple VPCs with IPSec VPNs in between them.”
  • A data analysis customer: “The VM-Series for AWS solved numerous problems for us. It works like a charm.”
  • A financial services customer: “We love your hardware firewalls and will use you in AWS as well.”

As with any exhibit, there was a commonly asked question. In the early days of doing these events, it was, “Are you in Palo Alto?” At re:Invent, it was “Are you a WAF?” Or, “How are you different from a WAF?” These questions arose because of the AWS WAF announcement made by Amazon. The answer is that no, we are not a web application firewall (WAF). In fact, we are very different from one.

We protect networks

Sometimes, the easiest way to highlight the differences is to keep it simple. Our CMO, René Bonvanie, can be credited with the best summary of the differences: we are designed to protect your network as a firewall, using positive security rules to allow the applications you want to allow (regardless of type or port) and deny all else; then, apply threat prevention to the allowed applications, blocking known and unknown threats.

They protect web applications

A WAF is focused solely on protecting HTTP or HTTPS applications, typically public-facing ones, and ignores any other traffic. Each WAF implementation will be customized for the application it is protecting. Not all enterprises will need a WAF, whereas all enterprises need a network firewall – be it physical or virtualized. To learn more about the differences between our next-generation firewall and a web application firewall, check out this one pager.

To learn more about the VM-Series for AWS, take our one-hour test drive.

[Palo Alto Networks Blog]

Managing Shadow IT

“Shadow IT,” or solutions not specified or deployed by the IT department, now account for 35 percent of enterprise applications. Research shows an increase in IT shadow spend with numbers projected to grow another 20 percent by the end of 2015.

Experts agree that shadow IT is here to stay, particularly the growing tendency to use cloud services for collaboration, storage and customer relationship management.

Enterprise organizations can’t afford to bypass the productivity and profitability that comes with a happy and enabled mobile workforce. However, the utilization of SaaS that IT has not vetted and approved may expose regulated or protected personal data, which a business is responsible for remediating.

California leads the way in the privacy arena with the Security Breach Notification Law and Online Privacy Protection Act. The Federal Trade Commission is the primary U.S. enforcer of national privacy laws, with other national and state agencies authorized to enforce additional privacy laws in vertical industries such as banking and health care.

Sanctions and remedies for non-compliance with FTC data protection laws include penalties of up to US $16,000 for each offense. The FTC can also obtain an injunction, restitution to consumers, and repayment of investigation and prosecution costs. Criminal penalties include imprisonment for up to ten years. In 2006, a data broker agreed to pay US $15 million to settle charges filed by the FTC for failing to adequately protect the data of millions of consumers. Settlements with government agencies can also include onerous reporting requirements, audits and monitoring by third parties. A major retailer that settled charges of failing to adequately protect customers’ credit card numbers agreed to allow comprehensive audits of its data security system for 20 years.

So, what is the answer? How do you start to get a handle on shadow IT?

Ask.
Ask employees which cloud services they are using. You might also need to utilize a combination of automated and manual discovery tools to get a complete picture of what programs employees are using and what data is hosted and shared in provider clouds. These “cloud consumption” dashboards can monitor and assess cloud usage and detect encryption tools at each host.

Protect your data.
Implement automatic backup of all endpoint data in the enterprise to capture a real-time view of where employee data lives, when and where it moves and who has touched it—even as it moves to and from non-approved clouds.

Act fast when the inevitable happens.
The reality is a breach may be inevitable, but you can recover. With continuous and automatic endpoint backup, IT can quickly evaluate the content of files believed to have been breached and act in good faith to lessen the impact. Additionally, understanding what was stolen allows a company to make an accurate disclosure and manage consumer confidence issues.

For CIOs and IT staff accustomed to maintaining complete control over their digital ecosystems, relinquishing even a bit of this control can be terrifying—even in the name of productivity. And yet, with a security strategy that focuses on complete data visibility, they can empower mobile workers while minimizing the risks associated with the dark side of shadow IT.

Rachel Holdgrafer, Business Content Editor, Code42

[Cloud Security Alliance Blog]
