Tip of the Week: Explaining Safe Application Enablement

Key to the Palo Alto Networks story is that our products safely enable network traffic based on applications, users and content. In many of my meetings with customers, I’m asked to explain the difference between safe application enablement and more antiquated security solutions that either let too much in or keep too much out. So, let’s review that difference.

Many legacy security products continue to rely on the same network techniques first introduced nearly two decades ago. In many cases, they are only capable of allowing or blocking entire ports as opposed to individual applications. That means that IT administrators are left with two less-than-desirable choices: they can either say “yes” and allow undesirable applications to operate alongside essential ones, or they can say “no” and block entire classes of applications, many of which might be beneficial to business.

Even products that bolt-on the ability to distinguish individual applications still rely on those old techniques to initially classify traffic — a needlessly complex process with a high potential for configuration errors and performance degradation.

Palo Alto Networks’ approach is a security platform that classifies all applications regardless of the network channel they use, or any bypass techniques they might employ. That information becomes the basis for all policies and inspections that are performed, and because we can identify users, content and data associated with each session, we can also identify “gray-area” applications that might be good or bad depending on circumstance.

Here’s an example: you can write network security policies to allow a group of software engineers in R&D to use specialized development tools to share and collaborate on product specifications and source code amongst themselves. In addition, you can have granular control over which functions of that application your business partners may access, such as the types of files that can be exchanged, read-only versus read-write access, and more. You can also completely block users from other departments. The beauty of our approach is that you can adjust these policies to be as granular as you want, down to the level of individual functions of an application, a user or a group of users if needed.
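To make the contrast concrete, here is an added example (not code from Palo Alto Networks or this post) that models the two policy styles over a handful of constructed sessions. A port-based ruleset sees only the port, so everything riding TCP/443 gets the same verdict; an application-aware ruleset keys on the identified application, the user’s group, the function within the application and the file type. The application names, group names, function labels and users are illustrative assumptions.

```python
"""Added example, not Palo Alto Networks code: port-based versus
application/user/function-aware policy evaluation over constructed sessions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    app: str        # application identified from the traffic, e.g. "code-share"
    port: int       # transport port the traffic actually used
    user: str
    group: str      # directory group the user resolved to
    function: str   # sub-function of the app: "upload", "download", "read"
    file_type: str  # content classification of the transferred file


# --- Legacy model: the decision is keyed on the port alone -------------------
def port_policy(session: Session, allowed_ports: frozenset) -> str:
    """Port-based firewall: allow if the port is open, otherwise deny."""
    return "allow" if session.port in allowed_ports else "deny"


# --- Application-aware model --------------------------------------------------
@dataclass(frozen=True)
class AppRule:
    name: str
    action: str                             # "allow" or "deny"
    apps: frozenset                         # applications this rule covers
    groups: Optional[frozenset] = None      # None means any group
    functions: Optional[frozenset] = None   # None means any function
    file_types: Optional[frozenset] = None  # None means any file type

    def matches(self, s: Session) -> bool:
        if s.app not in self.apps:
            return False
        if self.groups is not None and s.group not in self.groups:
            return False
        if self.functions is not None and s.function not in self.functions:
            return False
        if self.file_types is not None and s.file_type not in self.file_types:
            return False
        return True


def app_policy(session: Session, rules: list) -> tuple:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if rule.matches(session):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed ruleset mirroring the R&D scenario: engineers get full use of the
# collaboration app, partners get read-only access to specifications, a
# peer-to-peer file-sharing app is blocked outright, and everyone else falls
# through to the implicit deny.
RULES = [
    AppRule("rd-collab", "allow", frozenset({"code-share"}),
            groups=frozenset({"rd-eng"})),
    AppRule("partner-readonly", "allow", frozenset({"code-share"}),
            groups=frozenset({"partners"}),
            functions=frozenset({"download", "read"}),
            file_types=frozenset({"spec"})),
    AppRule("block-p2p", "deny", frozenset({"p2p-file-sharing"})),
]

LEGACY_OPEN_PORTS = frozenset({443})

# Constructed sessions; all ride TCP/443, so a port firewall cannot tell them apart.
SESSIONS = {
    "engineer-push-source": Session("code-share", 443, "alice", "rd-eng", "upload", "source"),
    "partner-read-spec": Session("code-share", 443, "bob", "partners", "download", "spec"),
    "partner-upload-exe": Session("code-share", 443, "bob", "partners", "upload", "exe"),
    "marketing-read-spec": Session("code-share", 443, "carol", "marketing", "read", "spec"),
    "engineer-p2p": Session("p2p-file-sharing", 443, "alice", "rd-eng", "download", "binary"),
}


def compare(sessions=SESSIONS, rules=RULES, open_ports=LEGACY_OPEN_PORTS) -> dict:
    """Return {session_name: (port_based_decision, app_based_decision, rule_name)}."""
    results = {}
    for name, s in sessions.items():
        action, rule_name = app_policy(s, rules)
        results[name] = (port_policy(s, open_ports), action, rule_name)
    return results


if __name__ == "__main__":
    for name, (port_dec, app_dec, rule_name) in compare().items():
        print(f"{name:22} port-based={port_dec:5} app-based={app_dec:5} ({rule_name})")
```

With port 443 open, the port-based policy says “allow” to all five sessions, including the partner uploading an executable and the engineer’s peer-to-peer transfer; closing 443 instead would block the engineers’ legitimate collaboration along with everything else. The application-aware ruleset allows exactly the two sessions the business intended and denies the rest, with the rule name recorded for each decision so the verdict can be audited.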

What results is the ability to confidently say “yes” to those applications needed to support business processes, without the concern of undue risk, policy management complexity or performance problems.

The biggest malware, security threats in 2013

Summary: According to Malwarebytes’ 2013 Threat report, “assumed guilt” ransomware tactics, mobile device cyberattacks and Mac-based threats are all gifts we had to cope with this year.

Ransomware, mobile device attacks, exploit kits and phone scammers who pose as technology giants — times have moved on from SMS scams and phishing emails telling you you’ve won the Spanish lottery. Sadly, there’s more to come — and we have to educate ourselves about modern digital threats, or run the risk of losing valuable data and our money.

To summarize the year in threats, Malwarebytes has released the 2013 threat report, documenting the increasing popularity of malware, kits and scams aimed at fooling the average consumer. As we more often now have an online life filled with our data, financial transactions and the use of the Web as a communication link between companies we associate with, each of these branches is potentially a way for cybercriminals to tap into our lives — and take what they want from us.

But what were the biggest threats we faced this year?

1. Ransomware

Ransomware is a type of malware that locks computer systems and demands either money or, more recently, Bitcoins in order to unlock the system. These software programs often pose as government agencies, such as the FBI, and accuse computer users of committing a number of crimes — and the pressure comes from the belief that they may have done something wrong by accident.

This type of malware is usually spread through exploit kits that can be purchased online.

2. Phone scams

In the same manner as fake antivirus notices that tell a user they have malware which needs to be cleaned up — and you have to pay for software as a result — the next generation of phone scams appears to be rising. In 2013, the research firm has seen criminals pose as Microsoft, law enforcement and BT, and also pretend they can remove Mac-based malware or are an antivirus firm offering services.

3. Android malware


As mobile device use rose, malware to exploit the technology emerged. A large portion of this specific type of malware consists of SMS trojans — malicious software that sends premium cost text messages or makes phone calls without the user’s permission.

Another threat which has appeared is the Perkle crimeware kit. Posing as an authentication measure for a bank, it requires the scan of a QR code which then downloads malware on to the mobile device. The mobile malware then waits for confirmation texts sent by the bank, intercepts the codes and sends them back to the desktop to gain access to the victim’s bank account.

4. The Blackhole Exploit Kit

In 2012 and 2013, the BlackHole Exploit Kit was a popular method of malware delivery for setting up drive-by cyberattacks. It hosts an assortment of malware including the Zeus Trojan, ZeroAccess Rootkit and Reveton Ransomware. Kit users define which payload (the malware) is to be loaded and which exploit to use, before hosting the file on a compromised site. Visitors then run the risk of finding themselves downloading malware. The exploit kit is often rented to criminals for a fee.

However, after the alleged creator of the kit, “Paunch,” was arrested in October, use of the kit has decreased due to the lack of updates.

5. DDoS attacks against banks

In 2013, a number of banks worldwide were targeted through digital means. The main example that comes to mind took place in August, when a number of U.S. banks were hit with distributed denial-of-service (DDoS) attacks, in some cases preventing standard service to customers. This also allowed hackers to infiltrate the banking systems and make off with stolen funds.

6. PUPs

PUPs — otherwise known as ‘potentially unwanted programs’ — are usually the less harmful cousins of malware. PUPs may include toolbars and search agents that install software on your system that you don’t want or need and consume high levels of resources. While usually more of an irritant than harmful, a recent PUP toolbar was found to include a Bitcoin miner.

But what about next year? The security firm believes that while ransomware began to make an appearance in past years, in 2014 the true extent of the damage the malware can cause will become apparent. Ransomware is expected to evolve further, going beyond simple psychological games to tapping into the fear of being accused of crimes and imposing time limits in order to pressure us to part with our money. Malwarebytes said:

“We will see ransomware making more of a presence on previously less targeted platforms, such as OS X and mobile devices.

However, unlike the end of 2012 and early 2013, we will see fewer cyber gangs using ransomware tactics. For example, there were numerous families in the wild, spreading very similar ransomware but different enough and originating from different sources, while 2014 will most likely have fewer sources but more advanced, and therefore dangerous, malware.”

In addition, the company believes that more malicious software and scams will target your smartphones and tablets next year. As mobile devices are now so often used to access the Web, this user trend is unlikely to go into decline. While SMS-based scams are more virulent in countries such as Russia, in the West we are likely to see a surge in malware that could add your device to botnets for DDoS attacks, or types that use saved store credentials to purchase apps you do not want.

“In addition, it is not farfetched to think that mobile devices are the next big target for remote access trojans, allowing your phone to become a surveillance camera, microphone and in the case of Bluetooth, a transmission device,” the firm says.

Mac operating systems are also expected to become the targets of more cyberattacks.

However, it is not all doom and gloom. Malwarebytes also predicts that due to the leaks released about the National Security Agency (NSA) and their ability to collect, intercept and decrypt all kinds of electronic communication, this is likely to spur the development of new privacy technologies.

About 

London-based medical anthropologist Charlie Osborne is a journalist, freelance photographer and former teacher.

[Source: ZDNet]

2014 Predictions: Cybersecurity Trends

No longer is cybersecurity only the province of IT and security staff; these days, it has become a topic with implications for every major line of business and market segment. From where we sit at Palo Alto Networks, here are three cybersecurity trends we think will be big in 2014.

1. Cybersecurity will be more than ever a business topic.

I spend a lot of time talking to customers and what I’m hearing in every industry, from healthcare and education to energy, oil and gas and transportation, is that companies need to do a better job evaluating the costs and risks related to cybersecurity threats.

Some companies do this well; over the past year, we’ve seen a more than 100 percent increase in mentions of cybersecurity as risk factors in public company filings, which at least tells you it’s on their list of priorities. Other companies don’t seem to have a clue. A lot of the planning that has to happen depends on the value of a company’s assets and how vulnerable those assets are.

Every business must manage and protect its unique set of industry-specific systems and data, and that’s why we’ll see greater network segmentation and even isolation. With the proliferation of digital assets and connected devices, the topology of any enterprise network has become exponentially complex.

We believe that to regain full visibility and control over the state of their network security and ensure the highest level of security to their most valuable assets, businesses will need to more systematically apply network segmentation techniques across their network to segregate sensitive data and functions from generally accessible information. This is now commonly discussed in healthcare for medical equipment and devices or in critical infrastructure with ICS and SCADA networks.

2. A heightened need for better intelligence and sharing on cyberthreats.

On one hand, this is a perennial need. But the volume of traffic on networks is more or less doubling every year, and that means that the problem of network security is increasing drastically.

As we see it, the new era of network security is based on automated processes and building as much intelligence as possible into network security software. This especially becomes important in industries such as government, education, healthcare and public services, in which staffing shortages are real and not expected to ease. Limited staff need maximum resources – security tools that give them the most visibility into their network traffic and don’t sacrifice business productivity.

3. Security will meet reliability as attacks target control systems

Companies may be able to apply tight network security to data centers and the information they manage. But if they’re not doing the same for certain data center support systems such as HVAC, cooling and other automated systems that help power, clean and maintain a data center, they’re leaving the whole data center vulnerable.

Data centers are required to meet the highest levels of reliability which cannot be achieved unless all of its components, from uplinks and storage to chillers and HVAC systems, are fully fault tolerant and protected from vulnerability and cyberattacks. Remember what happened in Australia earlier this year when attackers hacked local Google data centers using the building control system. We expect these types of attacks – in which smart hackers target the weakest parts of a data center support infrastructure – to continue.

2014 Predictions: The Threat Landscape

Here’s what I think we’re in for next year when it comes to APTs and the overall threat landscape.

1. The demand for cybersecurity and IR skills will reach new highs.

As advanced threats have become more commonplace, the demands on existing incident response (IR) teams have begun to outstrip capacity, especially in enterprises and government entities where cybersecurity skills are already in short supply. A recent survey by the Ponemon Institute held that only 26 percent of security professionals felt they had the security expertise needed to keep up with advanced threats. Computer science programs will continue to adapt to this trend with more focused training in cybersecurity disciplines.

2. Advanced attackers will move to mobile devices.

A wave of crimeware and fraud has already begun to target mobile devices, which are ripe targets for new malware and a logical place for new threat vectors. Mobile platforms will be uniquely leveraged by APTs thanks to the ability to use GPS location to pinpoint individual targets and the ability to use cellular connectivity to keep command and control away from enterprise security measures.

3. Financially motivated malware makes a comeback, and the lines between APTs and organized crime will blur.

The focus of enterprise security will again be on the attacks where money changes hands. Banking and fraud botnets will continue to be some of the most common types of malware and will continue to have a major impact in real-world dollars.

Meanwhile, attribution of APTs is becoming ever more a focus in the industry, which means that more hacker groups will spend more time attempting to cover their tracks and hide any unique identifiers. To do so, they will attempt to imitate, contract with, or even infiltrate criminally focused hacking organizations to provide cover for their operations.

2014 Predictions: Virtual Data Center

The growth in public and private cloud adoption made 2013 a big year for the virtual data center, and there’s no question that will continue in 2014. In my 2014 predictions, here are three trends I expect we’ll hear a lot about in the new year.

1. Zero Trust Network Segmentation

Globalization has fundamentally transformed the way we do business. It has created interdependencies between global supply chains and multinational partners, expanded global economic interactions with many “countries of interest,” and enabled the movement of people, goods and information. Enterprises need to enable access to applications and data, not just for employees, but also partners and contractors. They must do business with technology and manufacturing partners and provide access to new acquisition companies, while protecting against intellectual property and confidential data theft.

In 2014, organizations will look toward practical implementations of Zero Trust network segmentation architecture as a means to address these challenges. Implementations will vary widely from enterprise to enterprise, from those that need to create distributed boundaries of Zero Trust to those that focus on data center segmentation. The key network security requirement, however, will be for solutions that can be deployed with minimal impact to the network, while providing comprehensive visibility, control and safe application enablement.

2. Cloud Adoption Growth

Organizations in 2014 will be implementing or planning to implement cloud networks, i.e. moving from virtualized application silos (web, app, database tier) to more flexible cloud architectures that enable the delivery of any application on any server at any time. Most organizations will deploy a hybrid model where certain applications and services are offloaded to public clouds, but critical services such as internal research and development, financial data and customer data continue to reside within private cloud boundaries.

The decision on the applications and services to be deployed in public versus private clouds will depend largely on network security requirements. In particular, with greater concerns about the integrity of US-based data centers, revealed in cases such as the Snowden leaks, greater scrutiny will be placed on the security of cloud service providers. A key consideration for hybrid clouds will be the definition of a consistent network security policy and management framework to be implemented across both public and private clouds.

3. Software Defined “Anything”

Organizations will spend resources and time to understand the emerging technologies of software defined anything—i.e. software defined networks, software defined data centers and various permutations of this new dynamic, programmable, automated network architecture. In particular, in the battle of the titans, VMware and Cisco will provide vastly differing architectures — a software defined data center utilizing VMware NSX network virtualization technologies, or a more hardware-centric SDN architecture approach with Cisco’s Application Centric Infrastructure (ACI).

Organizations will look for tighter integration among network security, virtualization and network virtualization solutions while maintaining separation of duties. Critical network security requirements will include the ability to deal with the new dynamic, services-oriented characteristics of software defined networks.
