How the New PAN-OS 7.1 Release Empowers Industrial Control and SCADA Systems

As an ever-vigilant security practitioner for ICS and SCADA, you’ve probably noticed that we recently announced the release of our newest operating system, PAN-OS 7.1. For ICS and SCADA customers, I want to share some ideas about how this new platform could be leveraged in the plant production environment.

Deploy Two-Factor Authentication with GlobalProtect

The need for real-time data to remain competitive is a major element that has ushered in the need for connectivity between ICS environments and the enterprise. This need for connectivity, if not done correctly, could truly come at a premium. Even though most ICS environments have little or no access to the Internet, the established connectivity back to the enterprise places these systems at extreme risk. Oftentimes, lacking segmentation, the systems are easily seen and easily accessible by those who have no reason to access them. Due to the age and nature of these systems, access control is difficult to implement and sustain; therefore, special care and consideration must be taken to ensure access for the mobile workforces that support them. By using the Palo Alto Networks Next-Generation Security Platform and leveraging the extensibility we can provide to end-user devices, we can help ensure that the only people accessing the systems are the ones who need to. Most importantly, we can ensure that their systems are free of infections that could compromise them.

With the release of PAN-OS 7.1, we can secure access to remote plants and field devices that have simple or weak passwords and non-existent authentication capabilities with GlobalProtect™, which can enforce two-factor authentication for the zone where those devices are located.

As security practitioners, we know that Active Directory (AD) usernames and passwords alone are not sufficient for allowing remote access to these devices, as they can be compromised by phishing attacks. We also know attackers can use stolen credentials to gain access to these resources and put the control systems at risk. Most organizations mandate two-factor authentication, or 2FA, for VPN authentication to safeguard against stolen credentials, and the same should apply to the ICS and SCADA process control network (PCN).

Common and acceptable options for 2FA are a unique client certificate per client device in addition to the AD credentials, or a one-time password (OTP) such as RSA SecurID.

In PAN-OS 7.1, the GlobalProtect portal can now interface with the enterprise public key infrastructure as a Simple Certificate Enrollment Protocol, or SCEP, client and facilitate secure distribution of unique client certificates. GlobalProtect now has enhancements to cache the result of a successful OTP authentication for subsequent authentications. This will significantly reduce the number of times a user must input the OTP to stay connected to GlobalProtect.

And don’t worry too much about that automation tech who lost their ruggedized device. To mitigate the risk of lost or stolen equipment, just revoke the client certificate or the cached cookie.
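The certificate-plus-OTP flow described above, with the OTP result cached in a cookie and revocation of either the certificate or the cookie, as an added example in Python. This is not GlobalProtect code: the TOTP routine (RFC 6238), the cookie format, the 8-hour cache lifetime and the fingerprint strings are assumptions made for the example.

```python
# Added example, not Palo Alto Networks / GlobalProtect code.  Models the flow in
# the text: a per-device client certificate (here just its fingerprint string),
# a TOTP one-time password (RFC 6238) as the second factor, a signed cookie that
# caches a successful OTP check, and revocation of either cert or cookie.
import base64, binascii, hashlib, hmac, secrets, struct, time

OTP_CACHE_SECONDS = 8 * 3600   # assumption: lifetime of a cached OTP success

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP over floor(now/step), HMAC-SHA1."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Gateway:
    """Portal/gateway state: enrolled devices plus two revocation lists."""
    def __init__(self, cookie_key: bytes):
        self.cookie_key = cookie_key
        self.enrolled = {}            # cert fingerprint -> (username, OTP seed)
        self.revoked_certs = set()    # fingerprints of lost/stolen devices
        self.revoked_cookies = set()  # cached-OTP cookies pulled early

    def enroll(self, fingerprint: str, username: str, seed: bytes) -> None:
        self.enrolled[fingerprint] = (username, seed)

    def _mint_cookie(self, fingerprint: str, now: int) -> str:
        # Cookie = payload || HMAC-SHA256(payload); the payload binds it to the
        # cert fingerprint and an expiry, so it cannot be replayed from another
        # device or after the cache window closes.
        payload = f"{fingerprint}|{now + OTP_CACHE_SECONDS}|{secrets.token_hex(8)}".encode()
        tag = hmac.new(self.cookie_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def cookie_valid(self, cookie: str, fingerprint: str, now: int) -> bool:
        if cookie in self.revoked_cookies:
            return False
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except (binascii.Error, ValueError):
            return False
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.cookie_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        fp, expiry, _nonce = payload.decode().split("|")
        return fp == fingerprint and now < int(expiry)

    def login(self, fingerprint: str, otp: str = None, cookie: str = None,
              now: int = None):
        """Return (allowed, cookie). The certificate is checked first; a valid
        cached cookie then stands in for the OTP, otherwise the OTP must match."""
        now = int(time.time()) if now is None else now
        if fingerprint in self.revoked_certs or fingerprint not in self.enrolled:
            return False, None
        _username, seed = self.enrolled[fingerprint]
        if cookie and self.cookie_valid(cookie, fingerprint, now):
            return True, cookie
        if otp is not None and hmac.compare_digest(otp, totp(seed, now)):
            return True, self._mint_cookie(fingerprint, now)
        return False, None

    def revoke_cert(self, fingerprint: str) -> None:
        self.revoked_certs.add(fingerprint)

    def revoke_cookie(self, cookie: str) -> None:
        self.revoked_cookies.add(cookie)
```

Because the certificate is checked before the cookie, revoking a lost device's certificate also neutralises any cached cookie it carried.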

Bootstrapping Device Deployment

For owners and/or operators of ICS and SCADA systems in remote locations where no personnel have the skill set needed to configure and deploy equipment, or where a third-party provider is needed for the physical deployment of equipment, the new bootstrapping capability of Palo Alto Networks next-generation firewalls will simplify the process of configuration and deployment.

In remote environments, physical firewalls generally require trained personnel to perform a sequence of manual configuration steps before the firewall is ready for operation. At the very least, a field technician with a wireless modem connected to a laptop is needed. The laptop must be configured to allow a remote desktop session so that someone at a corporate office can work through that machine. Our new bootstrapping feature helps simplify and automate the process of deployment, whether it’s to replace or upgrade an existing unit or to undertake a completely new installation.

With PAN-OS 7.1, when a firewall is first deployed or has been factory reset, it will look for a configuration package (located on a USB flash drive). Once found, it will automatically load it as part of the boot-up process. Our bootstrapping process is incredibly flexible. The package can range from a basic network configuration and a Panorama™ IP address to the latest software versions, content updates, policies and licenses. This new feature will reduce the time required to get remote sites with new deployments live, or back online after site mishaps. Additionally, it can reduce the level of frustration during the deployment or recovery process.

With this new feature, your deployment abilities in remote, disconnected environments could be improved by delivering all the required configuration through the bootstrapping package, without the aid of the Internet. When you call the field and request a pair of hands to do the deployment, you truly mean just a pair of hands.
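A pre-flight check for the USB bootstrap package before it is handed to the field, as an added example in Python (not Palo Alto Networks tooling). The directory layout (config/, content/, license/, software/) and the init-cfg.txt keys it checks are this example's understanding of the PAN-OS bootstrap package format and should be treated as assumptions to verify against the documentation for your release; the sample package contents are constructed.

```python
# Added example, not Palo Alto Networks code.  Validates a bootstrap package on
# disk and produces a SHA-256 manifest, so the "pair of hands" on site can read
# the hashes back and you know the stick they inserted is the one you built.
# ASSUMPTION: layout and init-cfg.txt keys below are as the author of this
# example understands the PAN-OS bootstrap format; confirm against the docs.
import hashlib, os, tempfile

REQUIRED_DIRS = ("config", "content", "license", "software")
STATIC_KEYS = ("ip-address", "default-gateway", "netmask")

def parse_init_cfg(text: str) -> dict:
    """init-cfg.txt is key=value lines; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def validate_package(root: str) -> list:
    """Return a list of problems; an empty list means the package looks deployable."""
    problems = [f"missing directory: {d}/" for d in REQUIRED_DIRS
                if not os.path.isdir(os.path.join(root, d))]
    init_path = os.path.join(root, "config", "init-cfg.txt")
    if not os.path.isfile(init_path):
        return problems + ["missing config/init-cfg.txt"]
    with open(init_path) as f:
        cfg = parse_init_cfg(f.read())
    if cfg.get("type") not in ("static", "dhcp-client"):
        problems.append("type must be 'static' or 'dhcp-client'")
    if cfg.get("type") == "static":
        problems += [f"static addressing needs {k}" for k in STATIC_KEYS if not cfg.get(k)]
    if not cfg.get("hostname"):
        problems.append("hostname not set")
    if not cfg.get("panorama-server"):
        problems.append("no panorama-server: firewall will not phone home")
    return problems

def manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every file in the package, in stable order."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def build_sample(root: str, init_cfg_text: str) -> str:
    """Construct a sample package (for demonstration only) under root."""
    for d in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "config", "init-cfg.txt"), "w") as f:
        f.write(init_cfg_text)
    return root

def check_sample(init_cfg_text: str):
    """Build a constructed sample in a temp dir; return (problems, manifest)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, init_cfg_text)
        return validate_package(tmp), manifest(tmp)

GOOD_CFG = """# constructed sample init-cfg.txt (RFC 5737 documentation addresses)
type=static
ip-address=192.0.2.10
default-gateway=192.0.2.1
netmask=255.255.255.0
hostname=plant-7-fw
panorama-server=198.51.100.5
"""

if __name__ == "__main__":
    problems, digests = check_sample(GOOD_CFG)
    print("problems:", problems or "none")
    for path, digest in digests.items():
        print(digest, path)
```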

Bidirectional Forwarding Detection

It is not uncommon for operators of ICS and SCADA systems to use the dynamic routing capabilities of the Next-Generation Firewall to meet their Layer 3 connectivity needs, especially in situations where space and power are at a premium and network downtime must be kept to a minimum. Fast, reliable network convergence in these environments is essential to ensuring the safe operation of these real-time systems. Bidirectional Forwarding Detection, or BFD, in PAN-OS 7.1 allows sub-second failure detection, immediately triggering convergence in routing protocols such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) to re-establish viable paths for traffic flowing through the firewall. This helps reduce production network outages. Just think: the device that gets blamed the most for causing communication disruptions is now the device that’s keeping the communication going.

Want to learn more?

Details about what’s new in this release can be found on our PAN-OS 7.1 Technical Documentation page with additional resources available below.

[Palo Alto Networks Research Center]

How to Get C-suite Support for Insider Threat Prevention

If you’re not getting support and adequate funding from the C-suite to address insider threats, a recent report highlights a powerful persuasive tool you may have overlooked: money—as in fines (cha-ching), lawsuits (cha-ching) and credit monitoring services (cha-ching) you’ll have to pay as the result of a data breach.

The IDC report, “Endpoint Data Protection for Extensible DLP Strategies,” cites two health-care groups that paid six figures each in fines for data breaches as a result of improper employee behaviors. Here are even more powerful examples of the price your organization could pay for not addressing insider data security threats:

Target insider breach costs could reach $1 billion
Target may have skirted an SEC fine, but the retailer is still paying a hefty price because cyber thieves were able to access customer credit card data via a subcontractor’s systems. Breach costs included $10 million to settle a class action lawsuit, $39 million to financial institutions that had to reimburse customers who lost money, and $67 million to Visa for charges it incurred reissuing compromised cards. For 2014, Target had $191 million in breach costs on its books; estimated totals could reach $1 billion after everything shakes out.

AT&T fined $25 million for employee breach
In 2015, AT&T paid a $25 million fine to the Federal Communications Commission after three call center employees sold information about 68,000 customers to a third party. The cyber thieves used the information to unlock customers’ AT&T phones.

On top of the fine, AT&T was required to do things it should have done in the first place:

  • Appoint a senior compliance manager who is a certified privacy professional.
  • Conduct a privacy risk assessment.
  • Implement an information security program.
  • Create a compliance manual and regularly train employees.
  • File regular compliance reports with the FCC.

AvMed paid $3 million in settlement
While the health plan company avoided a HIPAA fine, it paid $3 million in settlements to 460,000 customers whose personal information was on two stolen, unencrypted laptops. On top of that were costs to reimburse customers’ actual monetary losses.

In addition, the company had to:

  • Provide mandatory security awareness and training programs for all company employees.
  • Provide mandatory training on appropriate laptop use and security.
  • Upgrade all company laptops with additional security mechanisms, including GPS tracking technology.
  • Add new password protocols and full-disk encryption technology on all company desktops and laptops so that electronic data stored on the devices would be encrypted at rest.
  • Upgrade physical security to further safeguard workstations from theft.
  • Review and revise written policies and procedures to enhance information security.

The lesson here should be obvious. It’s far cheaper to act now—by implementing available endpoint protection technology and instituting a security-aware culture—than to wait for a breach that forces you into action.

As security expert Philip Lieberman noted in the AT&T case, the penalty cost AT&T much more than the steps it should have taken to prevent the insider breach: “The C-level staff will have to explain this to the board as to why they did not implement a control when the cost would be trivial.”

To learn more about “Endpoint Data Protection for Extensible DLP Strategies” get the IDC analyst report.

By Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Hack on Ukrainian Power Grid Highlights the Urgency for Accelerated Threat Intelligence in Industrial Control Systems

Recent and more conclusive reports on the cyberattack of a Ukrainian power grid, such as the article reported in Wired Magazine, confirmed the level of sophistication of this campaign. The net result of a mass power outage for hundreds of thousands of people is mind-blowing, but the highly coordinated events leading up to the outage were, perhaps, even more so. If one could call advanced persistent threats artists, this campaign would be up there as one of the hacking community’s best masterpieces to date.

Considerations for the Operational-Technology Attack Phase

The components of the OT portion of the combined IT-OT “pivoted” attack (the same pathway used in the German steel mill hack of 2014) were precisely integrated and serve as evidence of the attackers’ deep knowledge of OT and of this particular utility’s infrastructure. From the use of stolen credentials to reach remote management applications (e.g., SSH) over VPN, to the use of quietly commandeered SCADA hosts to issue ICS protocol commands that opened relays and corrupted firmware on serial-to-Ethernet converters, to the disabling of remote SCADA systems with the KillDisk malware, all of these cyber components were pretty much unprecedented, at least in terms of a publicly disclosed and successful attack leading to a mass outage.

Reports indicate the utility did have a firewall at the IT-OT perimeter. Questions remain about whether there was any more granular segmentation beyond the edge, and whether the firewall logs were being proactively monitored and analyzed. However, an important question is: just what kind of firewall was this? If it was only a stateful inspection firewall, then it would not be too surprising that the attackers went undetected, given the rudimentary port and IP visibility offered by such legacy technology. Next-generation firewalls, on the other hand, provide visibility (and access control) at the application, protocol, user and content levels while simultaneously applying built-in threat prevention (exploits, viruses, C2 traffic). Perhaps that would have helped to identify and stop the OT-specific attacks, which used stolen accounts to misuse a range of business, remote management and ICS protocols and to deploy malware like KillDisk. Maybe. Maybe not. But is this the right area of focus for the post-mortem analysis?

Nip it in the Bud – Stopping the IT Attack Phase

What wasn’t clear in the reports was how quickly the OT portion of the operations was conducted. Given how skilled and knowledgeable these attackers were, it wouldn’t be a surprise if it happened over weeks or days (hours would be really impressive) in terms of the time from the initial OT breach to the time of the outage. What’s interesting is that the campaign seems to have started back in the spring of 2015 with social engineering activities to the IT infrastructure of the utility and its business partners. In other words, the attackers were running their reconnaissance operations for months before actually enacting the physical part of the attack. Rather than talking about how the OT portion of the attack could have been prevented, a more forward-thinking question is: What could have been done to prevent the attackers from breaching the IT network to begin with, and stop the theft of the credentials used to breach the OT?

What made the initial attack of this campaign so evasive was that the attackers combined very effective social engineering with zero-day malware, repurposing old-school methods (tricking the user into running an embedded malicious macro) and a pre-existing rootkit (BlackEnergy) to establish a beachhead inside the utility organization. The simple fact that this particular malicious attachment had never been fingerprinted by host or network antivirus products allowed it to quietly circumvent existing security provisions. It is this zero-day element that many organizations are not capable of addressing, because they lack tools that can address attacks never seen before in the wild.

Given the rising ICS advanced-threat landscape and the severe consequences of a breach of ICS (as was the case here), there is a strong argument that operators of critical infrastructure need to make sure they can address similar campaigns in the future and develop more sophisticated security capabilities.

Accelerating Threat Intelligence in IT and OT with PAN-OS 7.1

We already covered in an earlier blog post how our WildFire and AutoFocus technologies help in detecting and preventing the zero-day threats, including BlackEnergy. With our latest PAN-OS 7.1 release, we are pleased to say that we have made these capabilities even more powerful.

WildFire, the service that allows the user to quickly identify zero-day threats and deploy protective measures, has been beefed up to perform these important functions 70 percent faster than before. Users can now detect and prevent zero-day attacks in as little as five minutes. In addition, its capabilities for stopping the universe of unknown threats have been improved with new machine-learning algorithms, which instantly stop variations of known malware, even if they have never been seen by WildFire. These algorithms also reduce analysis time for Portable Executable (PE) variants of known malware.

The new release of AutoFocus received an upgrade, which tightens its integration with PAN-OS 7.1 and Panorama. The new capabilities essentially bring more advanced-threat context to the entire organization, simplifying response efforts for the most critical attacks in a single, easy-to-use console. This puts the largest collection of unknown malware data at your fingertips, allowing you to automatically turn analysis efforts for unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses, and URLs with AutoFocus and PAN-OS dynamic block lists. AutoFocus also adds the ability to bring threat intelligence into your existing security operations workflow with an improved API and support for the STIX information-sharing standard.

Learn More

Advanced network security via a next-generation firewall is necessary; but to combat the more sophisticated threats that utilize zero-day attacks, one needs equally sophisticated capabilities. The threat intelligence cloud component (utilized by the WildFire and AutoFocus services) and Advanced Endpoint Protection of our Next-Generation Security Platform were designed to prevent attacks from such threats with as much automation as possible.

Learn more about our platform capabilities by reading this whitepaper on 21st Century SCADA Security and by visiting the resources below.

[Palo Alto Networks Research Center]

The Privacy Landscape in 2016

Privacy has made headlines for years now, and the rise of social platforms like Facebook has brought the issue into focus. In 2016, I expect privacy to remain at the forefront of technology news, especially with increasing digitization and technology innovations like Smart Cities, digitized transport and the Internet of Things (IoT). These technologies are generating previously unknown amounts of data. IT analysts International Data Corporation (IDC) state that by 2020 the IoT will account for 10% of all the data generated on Earth.

One of the most impactful changes in recent years, which affects privacy gravely, is the massive increase in data theft. Since 2013 there have been a staggering 3.7 billion records stolen. This heady mix of technology innovation, data generation and sophisticated cyber threats is creating new challenges for the privacy agenda.

Here are the key privacy issues emerging or consolidating in 2016:

Blurred Lines: Data and the Corporation
The lines of data ownership are blurring. Personal data under the corporate umbrella become a corporate asset, yet they are still owned by the individual, and there can be serious consequences for that individual if the data get into the wrong hands. And data are valuable to all interested parties, from the original owner, to the corporation that can potentially use or sell those data, to the cybercriminal who can extort money from the data through the black market. The privacy implication of this triad of interests is clearly complex, creating blurred lines of responsibility and ownership.

The way privacy is addressing these complexities in 2016 and beyond involves technology, visibility, laws, regulations and guidelines.

Corporate Obligations and the Privacy Policy
Obligations are most often set out in a privacy policy. However, the issue of privacy policy creation has been in flux for years, creating confusion amongst the general public. The evolution of the privacy policy has greater importance as data sharing has increased with social platforms. This evolution took off in 2008 when the Patient Privacy Rights (PPR) Trust Framework was developed. The PPR Framework gave a working set of guidelines, which could be applied to privacy policies to create a clear, user-accessible policy.

Since then, platforms such as Facebook and Google have pushed the limits of privacy policy politics to the nth degree, and much debate within the technology and legal communities has ensued. The Federal Trade Commission (FTC) has instigated a number of legal actions against technology platforms, including Google, for misuse of users’ data. These actions have been partly responsible for a more respectful view of user data by the likes of Facebook and Google, who are starting to take heed and create better privacy policies which, at least on paper, make the companies look like they take user privacy seriously.

While the US continues to have no overarching privacy law, relying instead on a mosaic of federal and state laws, the humble privacy policy remains a very important legal document for redressing privacy violations. In 2016, more than at any time in history, the privacy policy needs to be a means of privacy respect and control, as it sets corporate obligations and practices. However, privacy policy issues go beyond words on the page. There should be a user-centric approach to privacy policy engagement that ensures the user understands what the policy covers and how their personal data may be used.

Privacy Laws and Regulations
As I said, the US lacks a holistic privacy legal framework. A number of industry specific guidelines and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) and the Americans with Disabilities Act (ADA), can be used to develop privacy approaches within a given context, but no single law exists. It will be interesting to see how recent events, such as the Snowden episode and the Apple vs. FBI privacy battle, shape the privacy landscape. The time feels right for a single US privacy law, and the work done in California might be the template. The state of California is setting standards across the board in privacy, including the handling of personal data by online services and online protection of minors.

It looks like 2016 will be the year where at least EU-US communications and privacy will have some positive outcome. The infamous Safe Harbor collapse of last year left EU-US data communications in flux, affecting many companies on both sides of the Atlantic. However, the announcement on 29 February by the European Commission of the EU-US Privacy Shield, which will replace Safe Harbor, is good progress. This agreement sets out the obligations and mechanisms needed to guarantee safety and privacy respecting EU-US data transmissions.

Privacy Challenges Ahead
Visibility of data: As data generation increases, we need to understand where these data are stored, between whom they are transmitted and the end points being used. Data visibility is one of the key areas we need to be aware of in order to plan for privacy. For example, according to a recent IDC report, around 60% of all data generated by the IoT were duplicate data. Without understanding the data life cycle and where data flow, you can’t begin to truly protect an individual’s personally identifiable information.

The jurisdiction challenge: The differing approaches to privacy by jurisdiction within the USA are a challenge that needs to be met in 2016. Bringing together a common law to manage public expectations is long overdue. The alignment of the planets, such as social media, increased public awareness of privacy, mass data generation and increased cyber threats, is bringing this need to the fore. The US government is taking cyber security threats seriously, with the introduction of the Cyber Intelligence Sharing and Protection Act (CISPA). Perhaps it is time for a similar action to protect privacy across the board.

Desai will speak on Data Privacy at the 2016 North America CACS Conference in New Orleans, 2-4 May.

Avani M. Desai CISSP, CISA, CIA, CIPP, Executive Vice President, Schellman & Company, Inc.

[ISACA Now Blog]

Ignite 2016: Conquering the Cyber Range

The biggest and best Ignite Conference yet is in the books. Our heartiest thanks to everyone who made it so!

Watch this space over the next few days for more from Ignite 2016, from behind-the-scenes photos and video to lots more action from the breakout rooms, exhibit hall and the late night festivities.

For now, however, we’re pleased to highlight this week’s Cyber Range exercises, which took place on Tuesday and Wednesday at Ignite and were sponsored by The Wall Street Journal and The Economist. Each day featured teams of Palo Alto Networks customers going head to head as they were tested on a network generating live traffic and real-world malware, honing their skills with the Palo Alto Networks Next-Generation Security Platform.

Congratulations to the Cyber Range Day 1 and Day 2 winners!

Save the Date

Believe it or not, we’re already looking ahead to our next get-together. Join us at Ignite 2017 in Vancouver, British Columbia, June 12-15, 2017.

Stay Social

You can continue to follow Ignite activities on @Ignite_Conf and using hashtag #igniteconf16. Over the next few weeks we’ll be adding general session and breakout session videos as well as some of the great conversations captured with our customers onsite in Las Vegas. Don’t forget to check out our Facebook gallery for the latest snaps from the show. We’ve shared a few below as well as what our attendees are saying about their time at Ignite 2016:

[Palo Alto Networks Research Center]
