VLAN Insertion: Become Secure and Compliant with Network Segmentation

In the past when I was architecting/implementing for ICS ecosystems I found out very early that one of the major steps to securing an ICS/SCADA, or any other network, is segmentation. During my efforts to secure these ecosystems, I learned that with network segmentation in place and a little forethought, it is possible not only to secure these environments but also build a scalable and compliant network that is future-proof. Segmentation, in my opinion, could be the single most important thing that a network practitioner can do to protect not only ICS environments but all network components from attacks and/or cross-contamination. Segmentation takes us back to a point where, if needed, a cable can be pulled and a device or network in jeopardy can be completely isolated from the rest of the world until the time and resources are available to correct the situation.

On the IT side of the company, segmentation is a known and accepted best practice and has been for some time. Operating Systems manufacturers have been aware of the need for years and have built tools into their products to help manage these processes. For the enterprise, in many cases, the task of segmenting a network (re-IPing and VLAN creation/assignment) can be done quickly and easily because of the many off-the-shelf solutions available to handle this task. More importantly, enterprise systems are not deterministic like ICS/PCN/DCS, so the possible consequences of changing these systems are not as impactful. Lose an email server and no one is happy; lose your controlling HMI and being unhappy is the least of your worries.

On the OT side of the company, the re-IPing and segmenting of control systems networks is a costly endeavor in both time and resources; and, if done incorrectly or a key system is missed or misconfigured, it can affect production for an extended period of time, resulting in the loss of product and/or revenue and, in worst-case scenarios, life and/or property. It is for these reasons that control systems networks are left as is by many operators. The risk associated with fixing the lack of separation between the enterprise and controls is not worth the possible cost. Instead many opt for solutions that only mask the problems.

The good news is the Palo Alto Networks security platform offers a method to allow operators to segment and separate their critical control systems networks from the enterprise with minimal impact to the control systems network.

The technology is native to the next-generation firewall and is available in every model from the PA-200 to the PA-7080. The technique is called VLAN Insertion. It allows one device to be logically inserted between two other devices without physically re-cabling the original devices or introducing additional switches, providing a method to segment a control systems network without the need to re-IP.

Examples of how this technology can be leveraged in a SCADA environment include separating HMIs from business machines that have been placed on the same network segment, or an incident response scenario in which a possibly breached or contaminated machine has been found within the SCADA ecosystem but is still required to control the system/process. VLAN insertion is a quick and safe method of separating or isolating these systems. However, the best part of this technology is that you can use it to meet compliance mandates.

Besides becoming compliant and secure, the additional gains of using this technique are:

  • High visibility into the network.
  • Converting from stateful firewalls to application-based firewall technology and positive enforcement.
  • Protection of these critical assets with AV/IPS/Malware/URL detection.
  • Ability to scale up or down as needed.
  • Ability to safely migrate to a new IP address structure as time permits.
  • Becoming compliant with internal and government mandates.
  • Access control over these assets, using AD, LDAP, TACACS+, etc.
  • Granular control over at-risk protocols and their function codes, such as Modbus and DNP3.
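The following Python simulation is an added example, not code from the Palo Alto Networks post or the PAN-OS product. It models what VLAN insertion achieves: the protected PLCs are moved from VLAN 10 into a new VLAN 110 on the switch, and a transparent (layer-2) enforcement point bridges the two, so every host keeps its existing 10.1.1.0/24 address while traffic crossing the boundary is subjected to policy, down to the Modbus function code. The topology, host addresses, rule names and the minimal Modbus/TCP (MBAP) parser are this example's own constructed choices.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
READ_ONLY_FUNCS = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}        # write single/multiple coils and registers

# Constructed topology: PLCs were re-tagged from VLAN 10 into VLAN 110 on the
# switch; the enforcement point bridges the pair, so no host is re-IPed.
BRIDGE = {10: 110, 110: 10}

@dataclass(frozen=True)
class Frame:
    vlan: int            # 802.1Q VLAN the frame arrived on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""  # TCP payload; a Modbus/TCP ADU on port 502

@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset     # permitted source IPs (hypothetical hosts)
    dst_port: int
    functions: frozenset   # permitted Modbus function codes

POLICY = (
    Rule("hmi-modbus-read-write", frozenset({"10.1.1.10"}), MODBUS_TCP_PORT,
         frozenset(READ_ONLY_FUNCS | WRITE_FUNCS)),
    Rule("historian-modbus-read-only", frozenset({"10.1.1.20"}), MODBUS_TCP_PORT,
         frozenset(READ_ONLY_FUNCS)),
)

def modbus_adu(func, unit=1, data=b"\x00\x00\x00\x01"):
    """Build a Modbus/TCP ADU: MBAP header (txn id, protocol 0, length, unit id) + PDU.
    The PDU data is a placeholder; the example only inspects the function code."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

def mbap_function_code(payload):
    """Return the function code of a Modbus/TCP ADU, or None if it is malformed."""
    if len(payload) < 8:
        return None
    _txn, proto, length, _unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        return None
    return func

class TransparentFirewall:
    """Layer-2 policy point: frames are bridged unchanged, never routed or NATed."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # (client_ip, client_port, server_ip, server_port)

    def evaluate(self, frame):
        """Return (action, reason, out_vlan); out_vlan is None when dropped."""
        out_vlan = BRIDGE[frame.vlan]
        # Replies on a session that was admitted by policy are allowed back.
        if (frame.dst_ip, frame.dst_port, frame.src_ip, frame.src_port) in self.sessions:
            return "allow", "established", out_vlan
        for rule in self.policy:
            if frame.src_ip in rule.sources and frame.dst_port == rule.dst_port:
                func = mbap_function_code(frame.payload)
                if func is None:
                    return "deny", f"{rule.name}: malformed Modbus/TCP", None
                if func not in rule.functions:
                    return "deny", f"{rule.name}: function code {func} not permitted", None
                self.sessions.add((frame.src_ip, frame.src_port, frame.dst_ip, frame.dst_port))
                return "allow", rule.name, out_vlan
        return "deny", "no matching rule (default deny)", None

def demo():
    """Four constructed frames: HMI write, historian write, business host read, PLC reply."""
    fw = TransparentFirewall(POLICY)
    frames = [
        Frame(10, "10.1.1.10", "10.1.1.100", 40001, 502, modbus_adu(16)),   # HMI writes
        Frame(10, "10.1.1.20", "10.1.1.100", 40002, 502, modbus_adu(6)),    # historian writes
        Frame(10, "10.1.1.50", "10.1.1.100", 40003, 502, modbus_adu(3)),    # business PC reads
        Frame(110, "10.1.1.100", "10.1.1.10", 502, 40001, modbus_adu(16)),  # PLC replies to HMI
    ]
    return [fw.evaluate(f) for f in frames]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Every request is matched against the rule base, not only the first packet of a session, which is what makes per-function-code control possible: the historian keeps its read access while any write it attempts is dropped, and the business machine that shares the subnet is cut off from the PLC without anyone changing an address.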

What I found, and what I think all network/security practitioners and security architects would agree with, is that this is a crucial tool to have in one’s toolbox.

Watch the How to Architect “Zero Trust” Network Segmentation in Industrial Control Systems webcast to learn more about how to use this powerful tool and the ways it can be leveraged in ICS.

[Palo Alto Networks Blog]

A Student’s Experience at the CSX North America Conference

As a student working to complete a master’s degree in IT Management and working to advance in my career path, I found many advantages to attending CSX 2015 North America. Exchanging ideas and opportunities, networking with professionals in the cybersecurity field, learning more about the industry, and increasing awareness of new trends are some of the greatest benefits of this professional conference.

I had the pleasure and the honor of being among the 50 students who were awarded ISACA’s CSX 2015 North America Student Scholarship to attend day two of this conference at the Marriott Wardman Park in Washington DC. My essay titled “Risk Assessment and Mitigation in Mobile Application Development” offered me the opportunity to address threats to critical infrastructure and set out recommendations for companies for future actions. I was also given the opportunity to attend day one and day three with the help and support of Affinity Plus Federal Credit Union, where I am currently employed as a Technical Analyst.

I was very happy and fortunate to attend ISACA’s CSX conference because, as anyone working in the field can attest, cyberattacks are fast becoming recognized in the US and globally as a top threat. I really enjoyed the keynote speakers, especially Mike Rogers, John Sileo and Robert Herjavec, and found their presentations to be extremely valuable in both my professional and academic work. The highlight at the opening session was the keynote address by Former US Congressman and CNN National Security Commentator Mike Rogers, who covered the subject of how defending US security is no longer about securing physical borders and increasingly about cyberspace. His words left a deep impression in my mind, most notably the statement “Data breach mitigation plan discussion should be a top priority in every company.”

Keynote speaker John Sileo covered his personal experience of being a victim of social engineering, which resonated strongly with me. I learned a lot of techniques for engaging people in security awareness so that we can better protect our enterprises and our personally identifiable information, and build effective fraud-fighting techniques against the “bad guys.” Each session I attended was informative and engaging, providing insights that are already benefitting me in my day-to-day work.

As a student scholarship recipient, I was welcomed to attend some great presentations such as the Personal Branding workshop covered by William Arruda. William took us through his proven three-step personal branding process “DITCH, DARE, DO” in order to stand out from the myriad others with similar career ambitions, attract the attention of hiring managers, ace the interview, and land our ideal jobs. I learned so much from this personal branding seminar; I was able to align who I am with what I do and where my ambitions are leading in the future. This was an important session for everyone, but especially students, because Arruda taught about how to market yourself and stand out in a labor market that has never been more competitive.

I also enjoyed observing the live CyberLympics World Finals. Congratulations to the “Hack.ERS” from The Netherlands for winning first place in the highly competitive ethical hacking computer network defense game. Being in the room and watching live as these teams from around the world were hacking the network, I knew immediately that this was an event not to be missed.

Lastly, in the exhibit hall I was able to experience the latest cybersecurity technologies, tools and services from the top companies in the IT audit, cybersecurity and governance industries. From a professional standpoint, the expo hall was the place to discover and learn more about the great tools and technologies a company might be looking for to address their cybersecurity challenges.

The three-day trip to Washington, DC was meaningful for me, as it was my first time there—not only experiencing the city, but also attending a cybersecurity conference of such size and depth. The knowledge, connections and perspective I found at this conference continue to inform my thoughts and my work as a cyber defender. It was wonderful to meet and network with new people promoting new ideas, vendors selling new products and experts teaching new cyber defense methods, and I am proud of being part of ISACA, which is such a great organization. The experience of attending this conference will be an invaluable, treasured memory, and the knowledge I have taken away will be useful throughout my career. For those seeking career advice and professional development in cybersecurity, CSX is the conference to attend. I look forward to meeting you in Las Vegas next year!

Yaro Sadek Tahirou
Technical Analyst, Affinity Plus Federal Credit Union

Registration is now open for CSX 2016 North America in Las Vegas. Visit www.isaca.org/cyber-con and click the CSX 2016 tab to reserve your space.

[ISACA Now Blog]

Some Clarifications and Commentary on Network Security and Covert Channels

This week, a security researcher posted a blog about the security implications of how next-generation firewalls handle TCP session setups. SC Magazine also published an article that included similar technical claims provided by the security researcher. We’d like to take the opportunity to clarify the content of these articles for our customers and the industry, because both of these writings included some inaccurate claims that may sound concerning.

One claim from the researcher is that next-generation firewalls “…are designed to permit full TCP handshake regardless of the packet destination … bypassing the firewall to any destination on the Internet, regardless of firewall rules and client restrictions” (emphasis in the original).

This claim, as written in the blog and SC Magazine article, is false. Firewall policy is never violated. Before even a SYN is allowed through, the firewall rule base is evaluated to check if a TCP setup should be allowed at all.

After some conversation with the researcher, it appears the actual concern is that if an administrator creates a typical web browsing policy on a next-generation firewall, this allows a SYN (and in fact a complete 3-way handshake) from allowed web clients out to the internet on the standard HTTP service (tcp/80). This is true of any firewall, and anything that does otherwise is a proxy—and only if that proxy happens to already know the host is malicious.

To put this in context, it is helpful to remember that this technique is not new. Information hiding in TCP/IP is nearly as old as the stack itself (see references). This is essentially a covert channel, and as with any covert channel, it requires the adversary to already have control over both ends of the connection. This is simply one example, and in general, covert channels are limited only by the creativity and patience of the adversary. For example, data can simply be carried over normal HTTP payloads to a recently compromised WordPress site (this actually happens every day). That is far simpler and more efficient, involves no TCP trickery—and nothing about the act of proxying does anything to stop it.
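As an added illustration of the defensive side of this discussion (example code, not from Palo Alto Networks or the researcher), the script below runs a detection heuristic over a constructed session log: since a policy that allows web browsing will, on any firewall, admit a complete handshake to an allowed port, a covert channel that signals only during TCP setup shows up as a burst of completed sessions that carry no application payload to the same external peer. The log format, field names, addresses and thresholds are all this example's own assumptions, not any product's log schema.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed session records (not real firewall output). app_bytes_* count
# application payload only, so a session that ended after the 3-way
# handshake without data shows 0 in both directions.
SESSION_LOG = """\
end_ts,src,dst,dport,app_bytes_c2s,app_bytes_s2c,end_reason
100,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
102,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
104,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
106,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
108,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
110,10.0.0.5,203.0.113.9,80,0,0,tcp-rst-from-client
103,10.0.0.7,198.51.100.4,80,412,15230,tcp-fin
105,10.0.0.7,198.51.100.4,80,0,0,tcp-fin
107,10.0.0.7,198.51.100.4,80,388,9021,tcp-fin
109,10.0.0.5,198.51.100.4,443,1020,44100,tcp-fin
"""

def parse_sessions(text):
    """Parse the CSV session log into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "end_ts": int(row["end_ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "c2s": int(row["app_bytes_c2s"]),
            "s2c": int(row["app_bytes_s2c"]),
            "end_reason": row["end_reason"],
        })
    return rows

def is_handshake_only(session):
    """True for a session that completed setup but carried no application payload."""
    return session["c2s"] == 0 and session["s2c"] == 0

def find_handshake_only_bursts(sessions, min_sessions=5, window_seconds=60, min_ratio=0.8):
    """Return [(src, dst, dport, count)] for peer pairs where at least
    `min_sessions` handshake-only sessions fall inside one `window_seconds`
    window and such sessions make up at least `min_ratio` of the pair's total.
    The ratio guard keeps an occasional empty connection to a busy site from
    being reported on its own."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s["src"], s["dst"], s["dport"])].append(s)

    findings = []
    for key, group in by_pair.items():
        empties = sorted(s["end_ts"] for s in group if is_handshake_only(s))
        if len(empties) < min_sessions or len(empties) / len(group) < min_ratio:
            continue
        # Sliding window over the timestamps of the empty sessions.
        lo, best = 0, 0
        for hi in range(len(empties)):
            while empties[hi] - empties[lo] > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_sessions:
            findings.append((*key, best))
    return findings

if __name__ == "__main__":
    for src, dst, dport, n in find_handshake_only_bursts(parse_sessions(SESSION_LOG)):
        print(f"{src} -> {dst}:{dport}: {n} handshake-only sessions in window")
```

Expect some tuning in a real deployment: health checks, connectivity probes and clients that open and abandon connections also produce empty sessions, which is why the heuristic insists on both a burst and a high proportion rather than any single empty handshake. It also only covers destinations the policy already allows; as the post notes, a SYN to a destination the rule base does not permit never leaves the firewall in the first place.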

That is why it is important to focus on prevention, a key tenet of the Palo Alto Networks next-generation security platform. The layers of security provided by App-ID, Content-ID, WildFire, Traps, and the complete combination of Palo Alto Networks platform security capabilities are important in denying the adversary access to the network and endpoints at every stage in the attack lifecycle. The game of endless incident response, covert signaling, steganography, and inventorying data lost after a breach is unwinnable.

Palo Alto Networks customers are encouraged to reach out to customer support for any additional questions about this topic or any product security matter.

— Palo Alto Networks product security team

*****

The original researcher blog post is available at: http://www.bugsec.com/news/firestorm/

The SC Magazine article is available at: http://www.scmagazine.com/firestorm-vulnerability-in-firewalls-let-attackers-extract-data-from-cc-servers/article/458817/

T. Handel and M. Sandford, “Hiding data in the OSI network model,” First International Workshop on Information Hiding, Cambridge, U.K., May–June 1996. Retrieved from: http://chemistry47.com/PDFs/OSI%20Model/Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf

[Palo Alto Networks Blog]

Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Microsoft Edge

Palo Alto Networks researchers Bo Qu and Hui Gao were credited with the discovery of three new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 and Microsoft Edge. These vulnerabilities are covered in Microsoft’s December 2015 Security Bulletin and documented in Microsoft Security Bulletins MS15-125 and MS15-124.

In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclosure of new vulnerabilities and creation of protections from security vendors.

Palo Alto Networks is a regular contributor to vulnerability research and has discovered 80 critical Microsoft vulnerabilities over the past 18 months. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.

[Palo Alto Networks Blog]

Living With the Paradox of PCI DSS

With the next generation of customers embracing the use of new technologies, the use of “dirty money” is becoming less popular. In its place, people are increasingly choosing to use payment cards.

Problem:
This makes for some difficult decisions and consequences for merchants. If they choose not to embrace taking payments by payment card, they likely miss out on customer revenues. If they opt to take payments via payment cards, they have a duty to their acquiring banks, and even more importantly to their customers, to ensure that these payments are as secure as they can be.

However, the experience of trying to ensure that level of security is frequently perceived as extremely complex, difficult to achieve, time consuming, extremely expensive and nearly impossible to maintain. Given that the supporting environments are extremely dynamic, it is a “war of attrition” trying to defend against ever-changing attacker tactics and involving multitudes of varying factors (technology, people and processes).

Cause:
The increasing preference for paying for goods and services via a piece of plastic or technology makes for a greater attraction to the criminal underworld, whether from organised crime or the opportunist hacker. If a business has not identified a vulnerability in its payment card business operations, it is very likely that a hostile entity soon will.

Securing the payment card data life cycle becomes increasingly difficult when you consider the potential attack and vulnerability vectors:

Front-end operations:

  • eCommerce web pages
  • Mail order, telephone orders (MOTO)
  • Point of sale (POS) systems
    • PIN transaction security (PTS) devices
    • Contactless
    • Mobile
  • Automated teller machines (ATMs)
  • Receipts
  • Found payment cards

Back-end operations:

  • Networks
  • Systems
  • Storage
    • Databases
    • Files
    • Paper
      • Receipts
      • Chargebacks
    • CCTV
    • Call recordings
    • Backups
  • Transmissions
  • Vulnerability management
  • Change control
  • Software development
  • Access control
  • Data centers
  • Monitoring systems use
  • Security testing

Kinetic (external) attack vectors:

  • Organized crime
  • Opportunist hackers
  • Foreign intelligence services
  • Cyber terrorism
  • Industrial espionage

Non-kinetic (internal) attack vectors:

  • Insider Threats
    • Deliberate actions by authorized persons
    • Negligent actions by authorized persons
    • Accidental actions by authorized persons

When you start adding all these together, plus all the connecting infrastructures of a business’s payment card operations, it becomes instantly apparent just how difficult securing these operations can be. The figure below shows a simplistic overview of how a typical business’s payment card operations might look. However, in reality this is often far more complex.

Actions
To help businesses improve their payment card operations, the card brands and the PCI Security Standards Council have produced a suite of controls that provides a baseline upon which a foundation of secure operations may be forged.

In truth, without prior specialist knowledge and skills, this can be extremely difficult to achieve. It is like handing someone all the tools and materials needed to build a house (sand, cement, water, bricks, tools, etc.) and expecting them to build one; in reality, such a scenario often leads to expensive underpinning, or even to demolishing the building and starting again.

Consequently, before commencing any sort of improvements to any existing payment card operations, it is essential that businesses familiarize themselves with the latest version of the Payment Card Industry Data Security Standard (PCI DSS) and engage with a reputable and experienced PCI DSS professional (PCI Qualified Security Assessor [QSA]).

Additionally, ISACA has just produced an extremely informative PCI DSS guide, A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS), which gives a comprehensive overview of PCI DSS and some of its associated complexities. It provides valuable support for anyone involved in delivering secure card payment operations and meeting the high standards required for PCI DSS compliance.

Net Benefits
It goes without saying that PCI DSS compliance is essential for the protection of a business’s payment card operations and to help safeguard customers’ payment card details. The popularity of paying for products and services via a payment card is only going to increase. Consequently, having a well-planned and implemented compliance framework is critical to the success or failure of any such projects.

Having access to ISACA’s useful reference guide and the continued support from a trusted and knowledgeable QSA will help ensure, amongst others, the following benefits:

  • Improved security
  • Improved understanding
  • Informed decision making
  • Better alignment with business strategy
  • Efficiency
  • Timely progress
  • Cost-savings
  • Clarity
  • Success
  • Fines avoidance

James Seaman, CISM, CRISC
Senior Security Consultant, Nettitude Inc.

[ISACA Now Blog]
