Article | February 25, 2020
Matt Newton, senior portfolio marketing manager at AVEVA, discusses how IIoT can best cyber security challenges met through software adoption. According to Gartner’s 2019 Industrial IoT Platforms Magic Quadrant report, by 2023 30% of industrial enterprises will have full, on-premises deployments of IIoT platforms. IIoT platforms and software adoption is rapidly increasing – up 15% in 2019 – and this will undoubtedly continue to grow as we progress through the new decade. From enhancing operational performance to improved business processes, adopting new technology and software capabilities is vital for business success in today’s industrial sector. However, when it comes to adopting software and technology, integrating new systems with existing legacy systems in the industry can be a challenge.
Article | February 25, 2020
1. Zero Trust – Demystified
Everyone seems to be talking about Zero Trust in the security world at the moment. Unfortunately there seems to be multiple definitions of this depending on which vendor you ask. To help others understand what Zero Trust is, this white paper covers the key aspects of a Zero Trust model.
1.1. What is Zero Trust
Zero Trust is a philosophy and a related architecture to implement this way of thinking founded by John Kindervag in 2010. What it isn’t, is a particular technology!
There are three key components to a Zero Trust model:
1. User / Application authentication – we must authenticate the user or the application (in cases where applications are requesting automated access) irrefutably to ensure that the entity requesting access is indeed that entity
2. Device authentication – just authenticating the user / application is not enough. We must authenticate the device requesting access as well
3. Trust – access is then granted once the user / application and device is irrefutably authenticated.
Essentially, the framework dictates that we cannot trust anything inside or outside your perimeters. The zero trust model operates on the principle of 'never trust, always verify’. It effectively assumes that the perimeter is dead and we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside the perimeter as everything inside is trusted. This has unfortunately proven true in multiple attacks as attackers simply enter the perimeter through trusted connections via tactics such as phishing attacks.
1.2. Enforcing the control plane
In order to adequately implement Zero Trust, one must enforce and leverage distributed policy enforcement as far toward the network edge as possible. This basically means that granular authentication and authorisation controls are enforced as far away from the data as possible which in most cases tends to be the device the user is using to access the data. So in essence, the user and device are both untrusted until both are authenticated after which very granular role based access controls are enforced.
In order to achieve the above, a control plane must be implemented that can coordinate and configure access to data. This control plane is technology agnostic. It simply needs to perform the function described above. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorised. Fine-grained policy can be applied at this layer, perhaps based on role in the organization, time of day, or type of device. Access to more secure resources can additionally mandate stronger authentication. Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client (and that client only). In addition, it can coordinate the details of an encrypted tunnel between the requestor and the resource to prevent traffic from being ‘sniffed on the wire’.
1.3. Components of Zero Trust and the Control Plane
Enforcing a Zero Trust model and the associated control plan that instructs the data plane to accept traffic from that client upon authentication requires some key components for the model to operate. The first and most fundamental is micro-segmentation and granular perimeter enforcement based on:
Their devices and its security posture
Their Context and other data
The above aspects are used to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.
In this case, the micro-segmentation technology essentially becomes the control plane. Per the above section, encryption on the wire is a key component of Zero Trust. For any micro-segmentation technology to be an effective control plane, it must:
Enforce traffic encryption between endpoints
Authenticate the user and machine based on their identity and not the network segment they are coming from.
1.4. Zero Trust Technologies
As stated earlier, Zero Trust is an architecture. Other than micro-segmentation, the following key technologies and processes are required to implement Zero Trust:
Multifactor authentication – to enforce strong authentication
Identity and Access Management – to irrefutably authenticate the user / application and the device
User and network behaviour analytics – to understand the relative behaviours of the user and the network they are coming from and highlight any unusual behaviour compared to a pre-established baseline which may indicate a compromised identity
Endpoint security – to ensure that the endpoint itself is clean and will not act as a conduit for an attacker to gain unauthorised access to data
Encryption – to prevent ‘sniffing of traffic on the wire’
Scoring – establishing a ‘score’ based on the perimeters above that will then determine whether access can be granted or not
Apart from the above key components, the following are needed as well:
File system permissions – needed in order to implement role based access controls
Auditing and logging – to provide monitoring capabilities in case unauthorised access is achieved
Granular role based access controls – to ensure access is on a ‘need to know basis only’
Supporting processes – all of the above needs to be supported by adequate operational procedures, processes and a conducive security framework so that the model operates as intended
Mindset and organisational change management – since Zero Trust is a shift in security thinking, a mindset change managed by robust change management is required to ensure the successful implementation of Zero Trust in an organisation.
1.5. Challenges with Zero Trust
So Zero Trust sounds pretty awesome, right? So why haven’t organisations adopted it fully?
As with any new technology or philosophy, there are always adoption challenges. Zero Trust is no different. At a high level, the key challenges in my experience are:
Change resistance – Zero Trust is a fundamental shift in the way security is implemented. As a result, there is resistance from many who are simply used to the traditional perimeter based security model
Technology focus as opposed to strategy focus – since Zero Trust is a model that will impact the entire enterprise, it requires careful planning and a strategy to implement this. Many are still approaching security from the angle that if we throw enough technology at it, it will be fine. Unfortunately, this thinking is what will destroy the key principles of Zero Trust
Legacy systems and environments – legacy systems and environments that we still need for a variety of reasons were built around the traditional perimeter based security model. Changing them may not be easy and in some cases may stop these systems from operating
Time and cost – Zero Trust is an enterprise wide initiative. As such, it requires time and investment, both of which may be scarce in an organisation.
1.6. Suggested Approach to Zero Trust
Having discussed some challenges to adopting a Zero Trust model above, let’s focus on an approach that may allow an organisation to implement a Zero Trust model successfully:
1. Take a multi-year and multi-phased approach – Zero Trust takes time to implement. Take your time and phase the project out to spread the investment over a few financial years
2. Determine an overall strategy and start from there – since Zero Trust impacts the entire enterprise, a well-crafted strategy is critical to ensure success. A suggested, phased approach is:
a. Cloud environments, new systems and digital transformation are good places to start – these tend to be greenfield and should be more conducive to a new security model
b. Ensure zero trust is built into new systems, and upgrades or changes – build Zero Trust by design, not by retrofit. As legacy systems are changed or retired, a Zero Trust model should be part of the new deployment strategy
c. Engage a robust change management program – mindset adjustment through good change management
3. Take a risk and business focus – this will allow you to focus on protecting critical information assets and justify the investments based on ROI and risk mitigation
4. Ensure maintenance and management of the new environment – as with everything, ensure your new Zero Trust deployment is well maintained and managed and does not degrade over time.
To summarise, Zero Trust is a security philosophy and architecture that will change the way traditional perimeter based security is deployed. A key component of it is the control plane that instructs the data plane to provide access to data. Zero Trust dictates that access can only be granted once the user / application and device are irrefutably authenticated and even then this access is provided on a ‘need to know’ basis only. Micro-segmentation is a key technology component of Zero Trust implementation and this paper has stated other key technology components and processes that are needed to implement Zero Trust adequately. This paper has discussed some of the challenges with implementing Zero Trust which include change resistance as well as legacy systems. The paper then provided an approach to implementing Zero Trust which included taking a phased approach based on a sound strategy underpinned by a risk and business focused approach.
SECURITY AUDIT AND COMPLIANCE
Article | February 25, 2020
There is a saying, ‘you can fool all the people some of the time and some of the people all the time.’ Given the fact that there is no such thing as 100% security and human nature being trusting, this has been the backbone of many cyber security scams over the past 20 years. Cyber-criminals know that they will always fool some of the people, so have been modifying and reusing tried and tested methods to get us to open malware ridden email attachments and click malicious web links, despite years of security awareness training.
If you search for historic security advice from pretty much any year since the internet became mainstream, you will find that most of it can be applied today. Use strong passwords, do not open attachments or click links from unknown sources. All really familiar advice. So, why are people still falling for modified versions of the same tricks and scams that have been running for over a decade or more? Then again, from the cyber-criminal’s perspective, if it isn’t broken, don’t fix it? Instead, they evolve, automate, collaborate and refine what works. Sound advice for any business!
It is possible though to be in a position where you can no longer fool people, even some of the time, because it is no longer their decision to make anymore. This can be achieved by letting technology decide whether or not to trust something, sitting in between the user and the internet. Trust becomes key, and many security improvements can be achieved by limiting what is trusted, or more importantly, defining what not to trust or the criteria of what is deemed untrustworthy.
This is nothing new, as we have been doing this for years as many systems will not trust anything that is classed as a program or executable, blocking access to exe or bat files. The list of files types that can act as a program in the Microsoft Windows operating system is quite extensive, if you don’t believe me try to memorize this list: app, arj, bas, bat, cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, iqy, jar, js, jse, lnk, mht, mhtm, mhtml, msh, msh1, msh2, msh1xml, msh2xml, msi, ocx, pcd, pif, pl, ps1, ps1xml, ps2, ps2xml, psc1, psc2, py, reg, scf, scr, sct, sh, shb, shs, url, vb, vbe, vbs, vbx, ws, wsc, wsf, and wsh. As you can see, it is beyond most people to remember, but easily blocked by technology.
We can filter and authenticate email based on domain settings, reputation scores, blacklists, DMARC (Domain-based Message Authentication Reporting and Conformance) or the components of DMARC, the SPF and DKIM protocols. Email can also be filtered at the content level based on keywords in the subject and body text, the presence of tracking pixels, links, attachments, and inappropriate images that are ‘Not Safe For Work’ (NSFW) such as sexually explicit, offensive and extremist content. More advanced systems add attachment virtual sandboxing, or look at the file integrity of attachments, removing additional content that is not part of the core of the document. Others like ‘Linkscan’ technology look at the documents at the end of a link, which may be hiding behind shortened links or multiple hops, following any links in those documents to the ultimate destination of the link and scan for malware.
Where we are let down though is in the area of compromised email accounts from people that we have a trust relationship and work with, like our suppliers. These emails easily pass through most email security and spam filters as they originate from a genuine legitimate email account (albeit one now also controlled by a cyber-criminal) and unless there is anything suspicious within the email in the form of a strange attachment or link, they go completely undetected as they are often on an allow list. This explains why Business Email Compromised (BEC) attacks are so incredibly successful, asking for payments for expected invoices to be made into a ‘new’ bank account, or urgent but plausible invoices that need to be paid ASAP. If the cyber-criminals do their homework and copy previous genuine invoice requests, and maybe add in context chat based on previous emails, there is nothing for most systems or people to pick up on. Only internal processes that flag up BACS payments, change of bank of details or alerts to verify or authenticate can help. Just remember to double-check the telephone number in the email signature before you call, in case you are just calling the criminal. Also, follow the process completely, even if the person you were just about to call has just conveniently sent you an SMS text message to confirm, as SMS can be spoofed.
Not all compromised email attacks are asking for money though, many are after user credentials, and contain phishing links or links to legitimate online file sharing services, containing files that then link to malicious websites or phishing links to grant permission to open the file. To give you an idea of the lengths cyber-criminals go to, I’ve received emails from a compromised account, containing a legitimate OneDrive link, containing a PDF with a link to an Azure hosted website, that then reached out to a phishing site. In fact, many compromised attacks are not even on email, as social media is increasingly targeted as well as messaging services or even the humble SMS text message via SIM swap fraud or spoofed mobile numbers. As a high percentage of these are received on mobile devices, many of the standard security defences are not in place, compared to desktop computers and laptops. What is available though are password managers as well as two-factor authentication (2FA) and multi-factor authentication (MFA) solutions which will help protect against phishing links, regardless of the device you use, so long as you train everyone in what to look out for and how they can be abused.
One area I believe makes even greater strides in protecting users from phishing and malicious links is to implement technology that defines what not to trust based on the age of a web domain and whether it has been seen before and classified. It really does not matter how good a clone a phishing website is for Office 365 or PayPal if you are blocked from visiting it, because the domain is only hours old or has never been seen before. The choice is taken out of your hands, you still clicked on the link, but now you are taken to a holding page that explains why you are not allowed to access that particular web domain. The system I use called Censornet, does not allow my users to visit any links where the domain is less than 24 hours old, but also blocks access to any domains or subdomains that have not been classified because no one within the global ecosystem has attempted to visit them yet. False positives are automatically classified within 24 hours, or can be released by internal IT admins, so the number of incidents rapidly drops over a short period of time.
Many phishing or malicious links are created within hours of the emails being sent, so having an effective way of easily blocking them makes sense. There is also the trend for cyber-criminals to take over the website domain hosting cPanels of small businesses, often through phishing, adding new subdomains for phishing and exploit kits, rather than using spoofed domains. I’ve seen many phishing links over the years pointing to an established brand within the subdomain text of a small hotel. Either way, as these links and subdomains are by their very nature unclassified, the protection automatically covers this scenario too.
Other technological solutions at the Domain Name System (DNS) level can also help block IP addresses and domains based on global threat intelligence. Some of these are even free for business use, like Quad9.net and because they are at the DNS level, can be applied to routers and other systems that cannot accept third party security solutions. On mobile devices both Quad9 and Cloudflare offer free apps which involve adding a Virtual Private Network (VPN) profile to your device. Users of public Wi-Fi can be made secure via a VPN, though it’s preferable to have a premium VPN solution on all your user’s mobile devices, as these can be centrally managed and can offer DNS protection as well.
Further down the chain of events are solutions like privileged admin rights management and application allow lists. Here, malware is stopped once again because it is not on a trusted list, or allowed to have admin rights. There is also the added benefit that users do not need to know any admin account passwords, so as a result cannot be phished for something they do not know the answer to. Ideally, no users are working with full administrator rights in their everyday activities, as this introduces unnecessary security risks, but can often be overlooked due to work pressures and workarounds.
Let’s not forget patch management is also key, because it doesn’t matter how good your security solutions are if they can be bypassed because of a gaping hole via an exploit or vulnerability in another piece of software, whether at the operating system or firmware level, or via an individual application. Sure, no system is perfect and remember there is no such thing as 100% security, which is where the Endpoint Detection and Response (EDR) solutions and Security Information and Event Management (SIEM) solutions come into play. These can help minimize the damage through rapid discovery and remediation, hopefully before the cyber-criminals fully achieve their goals.
By harnessing the power of technology to protect us, layering solutions to cover the myriad of ways cyber-criminals constantly attempt to deceive us, we can be confident that emotional and psychological techniques and hooks will not affect technological decisions, as it is a binary choice, either yes or no. The more that we can filter out, makes it less likely that the cyber-criminals will still be able to fool some of the people all the time. This allows security awareness training to focus on threats that technology isn’t as good at stopping, like social engineering tricks and scams. The trick is to spend your budget wisely to cover all the bases and not leave any gaps, which is no easy feat in today’s rapidly changing world.
Article | February 25, 2020
What’s more, organisations should also keep in mind that prevention alone is not enough; according to IBM, the average breach detection and containment times currently sits in the region of 280 days. In this time, it’s easy for cyber attackers to gain a foothold in an environment and quickly cause damage.
“When developing a cyber security strategy, traditionally enterprises have focused on the threat prevention with little attention given to detection and often none to response,” said Martin Riley, director of managed security services at Bridewell Consulting.