
Soft, Gooey, What?!

Still no Silver Bullet…

In this article we are going to distinguish between various areas of our defense-in-depth strategy.  If you have read our prior posts, you know security is not a single thing and there is no magic silver bullet; good security is a combination of layers of defense.  So here is the problem with the traditional approach: much emphasis has been placed on the corporate network with its firewalls, intrusion detection, content filters, hard-wired ethernet connections, and encrypted corporate wifi – except there is a paradigm shift toward mobility, and this puts our endpoint devices and applications at a disadvantage.

Safety outside the castle

Access is needed outside of the high castle (corporate) walls where the commoners gather: places like Starbucks or the now ubiquitous home office.  These external areas most often do not share the same security features as the traditional workplace network. So, what is “soft and gooey”?  Well, the truth is, even the corporate network is not as secure as we would like to believe.  Yes, it is more secure, but with the ever-increasing threats of email phishing, zero-day attacks, and others, the constant cat-and-mouse game of securing the network is often a losing battle.  We still need to address these areas, but even more is needed.  And because of the trend to cut the corporate tether and leverage the advantages of mobility, the current best defense strategy is to assume the corporate network is an unsafe zone and beef up efforts to build security around the endpoint (more and more often a laptop or smartphone/tablet these days) and likewise around the application itself.

Endpoint Protection

Not your average antivirus

Endpoint protection is generally reduced to signature-based antivirus.  The flaw is that these products are ineffective against new threats that have not yet been cataloged by the software vendor and released as updates.  Also, threats evolve into different variants that are not detected by the antivirus engine and leave your device open to attack.  Installing operating system updates helps but still does not offer protection against unknown vulnerabilities.

More needs to be done.  New “next generation” antivirus products build on the traditional approach by using behavior monitoring and artificial intelligence.  These security products not only block known/cataloged threats but are able to detect unknown threats by looking for malicious behavior by the applications running on your device.  Advanced heuristics establish a baseline of “normal” behavior and shut down activity when a process misbehaves.

Even more is needed

An additional capability involves moving content filtering from the corporate firewall to the endpoint itself.  This can be accomplished with very little additional overhead as the filtering takes place on secure Internet DNS servers (hosted by the security vendor).  This is a valuable security measure when developing a mobility-first strategy.

Who has not seen a VPN commercial these days?!  There seems to be an endless number of companies selling virtual private network technology.  A VPN can be used to extend the corporate network for secure access to on-premises and/or cloud-hosted applications. Also, a VPN can be leveraged to encrypt general Internet traffic on an endpoint connected to unsafe/open wireless networks (like Starbucks).

Further, endpoint cloud backup is desirable when there is critical data on a laptop that is not saved frequently to servers. This trend is more common as we rely less on servers and move our data to cloud storage.

Application Protection

C squared = B + HS = I V

Reading a bit like a Phil Mickelson formula to defeat Tiger Woods, the alphabet soup of IT Security can be equally intimidating – we get something like HTTPS+VPN+2FA-MITM = GTG. Much like securing the endpoints in untrusted environments, the applications themselves can be protected from unauthorized access.  Two-factor authentication along with forcing an encrypted connection is a common approach these days.  You will notice most web sites you visit these days use https instead of http.  The former is an encrypted connection while the latter is open to what is called “Man-in-the-middle” (MitM) attacks due to the lack of an encrypted session.  Essentially, a hacker can read user passwords and other data sent back and forth over an unencrypted connection, while it is much more difficult to do the same thing when the connection is secured with encryption (https).  Cloud-hosted applications can also use software firewalls to enable many of the same security features traditionally found on corporate hardware firewalls.

M365 to the rescue

Microsoft 365 is a good example of where application security can be enhanced.  Companies using 365 email have the mail transport encrypted end to end between internal and external parties running on the same Microsoft-hosted platform.  Further, anti-phishing and cloud-to-cloud backup can be used to protect the documents and emails stored on the M365 system.  Additionally, Microsoft Teams communications through chat or voice/video calls are encrypted.  There are huge benefits to living within this ecosystem as much as possible, as the number of security products needed to protect communication and collaboration can be reduced.  Less complexity also means greater security, as there are fewer configurations needed to make the security work.  When combined with Microsoft Azure virtual server hosting, it is now possible to move niche line-of-business applications and critical company workflows to the secured Microsoft environment.

So What, Now What?

Will legislation force all of our hands?

Responsibility is being placed on the Managed Services Provider to enforce these security measures.  For example, Louisiana Act 117 – Senate Bill 273 requires MSPs that manage infrastructure or end-user systems for “public bodies” to register with the state.  Additionally, MSPs are now required to disclose cyber incidents to the state.

Similar legislation is expected to make its way to other states, and there will be increased top-down accountability between regulated organizations and their technology vendors.  This means MSPs will continue to up their security game or be left behind.  Also, managed service providers will become more selective when choosing their clients to ensure there is a closer alignment of operational maturity levels (OML); otherwise there will be constant tension between the MSP's obligations and the organization’s cooperation to improve security.

Follow the leader

The best approach is when a security-minded MSP articulates the reasons behind the need and the client trusts the advice of its technology partner and follows their lead.  For those who refuse to take security seriously, MSPs may eventually be forced to document the opt-out on the client’s part by issuing a legal letter advising of the dangers of not implementing the needed defenses.  This will strain relationships where there is a mismatch of OML or where trust is lacking.  What this means for all of us is that the cost of doing business will continue to go up, as more products and time will be needed to implement these solutions.  But the risk is too high to ignore the warnings, and being wrong about security can result in a higher cost to the business due to downtime, stolen data, or potentially fraudulent wire transfers.  Be sure your organization has implemented the latest and greatest security tools and services by having a conversation with your trusted security advisor.

We’ve all heard the latest security mantra these days: it’s not a matter of if you will face a Cybersecurity event – it’s only a matter of when.  We at TCS have seen a marked increase in the number of successful attacks recently.  Unfortunately, some of them didn’t need to happen.  Very simple things could have been done to mitigate the effectiveness of the attack, and those things were ignored despite our warnings.  Here is a list of things you can do to help secure your business from malicious attacks:

#1:  End User Security Awareness Training

The number one rule in all Cybersecurity is that your users are your #1 security vulnerability.  After all, good businesses usually train their employees to be super helpful and accommodating.  Malicious actors use that good-natured helpfulness to help themselves right into your network.

Since the #1 security threat is your end user, the #1 thing you can do is train your users to identify both low-tech and high-tech phishing attacks.

Low-tech phishing attacks:  Using the phone, letters in the mail, or other forms of low technology to attempt to gain information that the attacker can then exploit.

High-tech phishing attacks:  Using email, banner ads, social media posts, etc. to dupe unsuspecting users into giving them access to information or systems that they can exploit.

#2:  Multi-factor Authentication (MFA or the older 2FA)

These days multifactor authentication can be built into just about any login.  There are different types of MFA, though.  Some applications of MFA and 2FA in the past have been very cumbersome, to say the least.  However, just as with anything, progress has been made over time to streamline some of those historic barriers to MFA.  For instance, with most MFA applications you now have the option to save trusted devices.  By using trusted devices, end users don’t have to use multifactor authentication every time they log in from their trusted device.  The only time MFA is required is if someone tries to log in from a new, untrusted device.  This type of scenario would be handy for someone who primarily uses a single device that is secured behind a next-generation firewall in an office with limited access.

Why is this so important, though?  Because phishing attacks have become so convincing that they sometimes get even the most well-educated user.  In this case, even if a malicious actor were able to obtain login credentials, those credentials would only be effective from the single trusted computer.  This gives your next-generation firewall and endpoint security software the opportunity to detect the malicious actions before they can do any harm.  If those actions are attempted from a non-trusted computer, the malicious actors will not have the information needed to complete the login process, even though they have the correct username and password.

#3:  Anti-phishing Protection for Your Email Server

While phishing attacks occur through both low- and high-tech media, the easiest and most common is through email.  Having a scanner sitting on your email server that filters out phishing attempts before they reach your end-user’s Inbox is another layer of protection you can employ that doesn’t cost a lot of money.  Most anti-phishing scanners can also add banners to warn users of external emails, raising the end-user’s suspicion before they click any links or open any attachments.

#4:  Proper Microsoft 365 Domain and DNS Setup

Most people don’t realize that Microsoft provides several ways to help protect against another common form of attack – impersonation.  A lot of malicious actors have found that if they can make their email look like it’s coming from someone within your organization – by copying that person's email signature, mimicking the sender’s name, and sometimes even relaying the email through your email transfer server – they can trick users into doing things they otherwise wouldn’t.  Properly setting up those Microsoft protections (published in your domain's DNS) can help you guard against those phishing attempts via impersonation attacks.
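Two of the DNS-based protections behind this tip are SPF and DMARC TXT records. The following checker is an added example, not code from the original post or from Microsoft: it grades a domain's SPF and DMARC records and flags the weak settings (an open `+all`, a monitor-only `p=none`) next to the hardened form; the sample records are constructed, `spf.protection.outlook.com` is the SPF include Microsoft publishes for Exchange Online, and the domain is a placeholder.

```python
# Added example (not from the post or Microsoft): evaluate the SPF and DMARC
# TXT records a Microsoft 365 domain publishes in DNS. Samples are constructed;
# the domain is a placeholder.

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Weaknesses found in one SPF TXT record (empty list if none)."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    lookups, all_term = 0, None
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":  # qualifier defaults to '+' when omitted
            all_term = term if term[0] in "+-~?" else "+" + term
    if all_term is None:
        findings.append("missing 'all' mechanism: unlisted senders get a neutral result")
    elif all_term == "+all":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: gives receivers no reason to reject spoofed mail")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: SPF returns permerror")
    return findings

def check_dmarc(record):
    """Weaknesses found in one DMARC TXT record (empty list if none)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: mail that fails SPF/DKIM alignment is still delivered"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: impersonated mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports on spoofing are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    return findings

def evaluate_domain(spf_record, dmarc_record):
    """Run both checks; {'spf': [], 'dmarc': []} means no weaknesses were found."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}

# Constructed samples: a weak setup beside the corrected one.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100"}
```

Looking up the live records is left out so the block runs offline; feed it the TXT strings from your DNS host and `evaluate_domain` returns the findings per record.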

#5:  Password Policies

Yes, it’s 2021 and we shouldn’t even have to cover password policies.  However, Nordpass.com (https://nordpass.com/most-common-passwords-list/) reports that the Top 10 passwords uncovered for 2020 were 123456, 123456789, picture1, password, 12345678, 111111, 123123, 12345, etc.  Yes, it’s enough to make the security expert lose all respect for society at large!  But apparently the message hasn’t gotten across yet.  So we’ll keep on saying the same thing we’ve been saying for over 20 years:  stop using simple passwords!

  1. Passwords need to be at least 8 characters long.
  2. Passwords need to include uppercase, lowercase, numbers, and special characters.
  3. Passwords need to be unique across all logins.
  4. Password history needs to be enforced to keep users from recycling old passwords.
  5. Passwords need to be changed at least twice a year and ideally once a quarter.
  6. A little fairy dust and unicorn blood couldn’t hurt, either. No, just kidding – but not kidding about 1-5.

“But I can’t remember all those passwords!”, you might be thinking.  Neither can I.  That’s why we have password managers, like LastPass or RoboForm.  Even if you forget your master password, there are easy ways to get it reset securely in a matter of minutes using your email recovery options.  You don’t have to actually remember the passwords anymore.
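Rules 1 through 5 above, expressed as a checker a password manager or login system could run before accepting a new password. This is an added example, not code from the original post; the hash parameters, the 10-entry history depth and the 182-day maximum age are assumptions (the post gives no figures beyond 8 characters and "twice a year"), and the sample vault is constructed.

```python
# Added example (not from the post): a password checker that applies the
# five rules above. Hash parameters, the 10-entry history depth and the
# 182-day maximum age are assumptions; the post gives no such numbers.
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 10             # assumption: remember the last 10 password hashes
MAX_AGE = timedelta(days=182)  # "at least twice a year"

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 stored as salt + digest, so history never holds plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def matches(password, stored):
    """Constant-time comparison of a candidate against a stored salt + digest."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def check_complexity(password):
    """Rules 1 and 2: minimum length and all four character classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"uppercase": any(c.isupper() for c in password),
               "lowercase": any(c.islower() for c in password),
               "number": any(c.isdigit() for c in password),
               "special": any(c in string.punctuation for c in password)}
    problems += [f"no {name} character" for name, ok in classes.items() if not ok]
    return problems

def validate_new_password(password, history, other_logins):
    """Rules 3 and 4: reject reuse of this login's recent hashes or any other login's."""
    problems = check_complexity(password)
    if any(matches(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of this login's recent passwords")
    if any(matches(password, h) for h in other_logins):
        problems.append("already in use on another login")
    return problems

def is_expired(last_changed, today):
    """Rule 5: a change is due once the password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE

# Constructed sample vault: this login's two previous hashes, one other login's
# hash, and the date this login's password was last changed.
HISTORY = [hash_password("Winter2020!"), hash_password("Spring2021!")]
OTHER_LOGINS = [hash_password("Banking#2021")]
LAST_CHANGED = date(2021, 1, 4)

if __name__ == "__main__":
    for candidate in ("password", "Spring2021!", "Banking#2021", "Tq7!vLp2#mZ"):
        print(candidate, validate_new_password(candidate, HISTORY, OTHER_LOGINS) or "OK")
    print("change due:", is_expired(LAST_CHANGED, date(2021, 9, 1)))
```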

Bonus Tip:  We always try to overdeliver on our promises at TCS.  In that vein, here is a bonus tip – employ geo-filtering on your Microsoft 365 accounts!

When I discuss security with business owners, I generally like to ask this simple question:  Do you want your company to be able to communicate with Russia, North Korea, and other countries known for their malicious internet activity?  I already know the answer to the question for 99% of small and medium-sized businesses, but I like to ask it for effect.  With our next-generation firewalls and advanced configurations within Microsoft 365, we have the ability to block communication with countries known for their malicious actors.  This is often a simple way to render potential attacks ineffective, as many of those attacks depend on some server operating in a remote country.  By limiting your communications to only those countries with which you need to interact, you harden yourself against attacks coming from those countries known for their malicious activity.

Action Item:  Please take a moment to place a reminder on your calendar to address at least one of these tips above within the next week!  Make this article count!

Often labeled as a “gun guy”, it was only a matter of time before a firearms analogy made it from pen to paper.  So, what better material to draw from (the puns write themselves) than the famed Silver Bullet or the iconic Gatling Gun?!  Using Wikipedia as our trusty reference, the silver bullet is described this way: “In folklore, a bullet cast from silver is often one of the few weapons that are effective against a werewolf or witch. The term is also a metaphor for a simple, seemingly magical, solution to a difficult problem.”  We will borrow from the latter part and avoid the complications of debating the efficacy on werewolves and witches for now.  I will excuse you if you thought we were going Lone Ranger and Tonto with the silver bullet reference.

As for the Gatling gun, the image that comes to mind is the scene in The Outlaw Josey Wales where the gun is used to great effect.  Admittedly, any connection to an Eastwood western is the path of least resistance for how my brain is wired.  Inside family joke – I refer to myself along with my brother and sister-in-law collectively (and proudly) as “The Outlaws”, so trust me when I say Clint’s classics run deep with me.  Borrowing from Wikipedia once again, “The Gatling gun is a rapid-firing multiple-barrel firearm invented in 1861 by Richard Jordan Gatling. It is an early machine gun and a forerunner of the modern electric motor-driven rotary cannon.”  The modern implementation is best represented by the flying tank also known as the U.S. Air Force A-10 Thunderbolt II “Warthog” equipped with the 30 mm GAU-8/A Avenger rotary cannon aka BRRRTTTTT (from the sound it makes when fired).

Personal note: As someone who grew up as an Air Force “brat”, I had an up close view of the sacrifices our military men and women (and their families) make to secure our freedoms. I have great respect for our armed forces and consider it a privilege to have planted my family’s roots alongside our military community at Robins Air Force Base. Another honor was to have my first paying (summer) job working for tips at my Dad’s squadron snack bar on Davis–Monthan AFB (He was in EC-130s at the time). It was there that I was able to watch the A-10s fly around the Tucson desert sky, hence my bias for these beasts of the air.

With our firearms references intact, let us consider how our analogy applies to Security.  Many in business wrongly assume there is some solitary “seemingly magical” solution to information security…the silver bullet.  The problem is the silver bullet in security is as imaginary as the ever-elusive werewolf.  It simply does not exist!  To start with, we cannot manage security in a vacuum.  There are three business constraints that must be managed together – Confidentiality, Integrity, and Availability (aka the CIA model).  I often tell clients that I can make their network 100% secure and of course they look at me with a healthy bit of skepticism – even they don’t REALLY believe in a silver bullet it seems.  I simply say, “Let me unplug everything from the network and shut your computers down.”  This is followed quickly by, “VERY SECURE, right?!  But not very available.”  And that is about as close as we can get to a true silver bullet.  With that extreme shot down, what can be done?  Now we can discuss degrees of security, risk tolerance, accessibility and, ultimately, cost.

Instead of thinking about security as a single magical thing, we need to embrace the idea that an effective security strategy incorporates a variety of tools and processes.  We need a Gatling gun approach.  The industry term for this is Defense in Depth.  We must deploy multiple security mechanisms and controls that create a layered defense against the endless barrage of external threats.  These layers may include firewalls, intrusion prevention, endpoint detection and response, network segmentation, least privilege access, encryption, strong passwords, patch management, data recovery, breach awareness, and end-user training.  Unlike the silver bullet, if one system fails, another is in place to potentially stop the threat.  Consider end-user training, an often-forgotten security measure – if a user is trained to properly identify phishing email attacks and avoids clicking on the malicious link, the endpoint security or firewall never has to defend against the threat.  Even better, if there is anti-phishing security around the email service, the user never receives the email in the first place.

Is your organization overconfident in a single security product?  Are the security best practices and product features like reading Greek?  Not quite sure how to balance the C-I-A equation for your business?  Partner with a technology vendor who understands the nuances of security and has the experience to build an effective defense in depth strategy right sized for your business.  So, do silver bullets stop werewolves?  Maybe, maybe not.  Give me a Gatling gun, or better yet, an A-10 with its rotary cannon any day.  BRRRTTTTT!

–Charlie Waters, COO – Total Computer Solutions, Inc.