New Microsoft Enterprise Cybersecurity Group to Provide Greater Security Capabilities

| April 26, 2016

We’ve worked hard to earn our customers’ trust when it comes to making their data more secure, and we recently announced some significant advances in this area. As part of that news, my team’s newly formed Enterprise Cybersecurity Group provides a significant new cybersecurity asset to Microsoft commercial and public sector customers. Microsoft’s Enterprise Cybersecurity Group will deliver security solutions, expertise and services that empower our customers to leverage their investment in Microsoft products and services in order to modernize their IT platforms and keep data safe from modern security risks.

Spotlight

IndiaMART InterMESH Limited

IndiaMART is India's largest online marketplace, connecting buyers with suppliers. The online channel focuses on providing a platform for buyers, who can be SMEs, large enterprises as well as individuals. Buyers typically gain access to a wider marketplace and diverse portfolios of quality products to choose from, and tap a one-stop shop which caters to all their specific requirements, thereby helping the discerning buyer make well-informed choices!

OTHER ARTICLES

New Ransomware hitting Industrial Control Systems like a nuclear bomb

Article | February 10, 2020

Researchers at security firms including SentinelOne and Dragos have been mystified over the last month by a piece of code named Ekans or Snake. Dragos publicly released its full report on the Ekans ransomware, which has recently hit Industrial Control Systems, some of the most high-value systems that bridge the gap between the digital and physical worlds. In the history of hacking, only a few times has a piece of malicious code been observed attempting to intrude on Industrial Control Systems. Ekans is believed to be the first ransomware with real, albeit primitive, capability against Industrial Control Systems, the software and hardware used in everything from oil refineries to power grids. Researchers say this ransomware also has the capability to attack ICS products from Honeywell and GE.

Top Three Cybersecurity Threats You Should Mitigate Before It Is Too Late

Article | December 15, 2020

There are three significant and disruptive cybersecurity threats that are catching organizations of all types and sizes by surprise: ransomware, cloud misconfigurations and supply chain backdoors. Let me explain with recent examples and guide you on what you can do to avoid repeating others’ mistakes and falling victim to these threats.

Let’s start with ransomware. It is one of the most disruptive risks facing your organization today. Why? Because it can literally bring your operations, no matter who you are, to a standstill and inflict significant cost, pain and suffering. Just look at the recent example of one organization. It was infected with ransomware, and its IT systems were shut down for several weeks, bringing operations to a standstill. It had to gradually restart systems over several more weeks. It estimates the incident will cost around $95 million in lost sales, recovery and remediation, impacting profitability. It also announced that it will not be able to attain its growth plans for the year. Take another recent example. A three-hospital system was infected, its IT systems were shut down and it could not accept any incoming patients for several days. It had to operate using paper until the IT systems were gradually restarted over several days. Fortunately, in this case, the incoming patients who were turned away did not suffer any loss of life and were diverted to other hospitals in time, but it could have been tragic. No organization is immune to ransomware; it can rear its ugly head at any time and inflict severe pain. There are many variants, and each can be tweaked easily by the attackers to evade defenses. The Ryuk ransomware is an example of one that has already inflicted significant pain on hundreds of organizations this year in the U.S. and across the globe. Previously, the SamSam ransomware attacked a variety of organizations in the U.S. and Canada, collected over $6 million in ransom payments and inflicted over $30 million in losses.

Prior to that, the NotPetya ransomware rapidly infected hundreds of organizations in various parts of the world and caused over $10 billion in damages. The attackers are seeing that with ransomware it is quicker and easier to make the intrusion and encrypt some of the data than to try to exfiltrate all of it. They are asking themselves: why take all the time and trouble to look for all of the data and try to steal it, when some critical systems and data can simply be locked up until a ransom is paid? They are seeing that with ransomware there will be an immediate adverse impact, since the victim will not be able to access critical data and systems and will not be able to operate. So there is a high probability the ransom will be paid to stop the pain and suffering, especially if the victim has cyber insurance in place. The organization is likely to use the insurance policy to pay the ransom rather than continue to have its operations disrupted or shut down. They are also seeing that while most organizations have put in place various controls to prevent and detect data theft, they have not placed an equal weight on preventing and detecting ransomware. Most organizations have a lot of data, and given all of the data thefts that have occurred, continue to occur and are reported in the press, the bias has been to focus on data theft. But ransomware risk cannot be ignored or approached less seriously. Imagine that you are infected with ransomware and your people cannot access documents, files or systems, and cannot operate. All critical files and systems are locked by the ransomware’s encryption, and the hacker demands a ransom payment for the keys to unlock them. What if it takes you days, weeks or months to recover? What impact would that have on your organization? You may think that you will be able to recover quickly from backup files and systems, but are you sure?

The new ransomware variants are devised to hunt down and delete or encrypt backup files and systems as well, in some cases before encrypting the rest of the files and systems. The organization that was recently infected and estimates $95 million in financial impact from the ransomware thought it had the risk under control, until it was hit and realized it was not prepared to manage the risk.

Now, let’s move to the threat from cloud misconfigurations. You are most probably in the cloud, completely or partially. Whether you have completely outsourced your infrastructure and services to a cloud provider or are utilizing one partially, remember that ultimately you own the cybersecurity: you are responsible for security in the cloud, while the cloud provider is responsible for security of the cloud. While the cloud provider will provide perimeter security, you are responsible for the security of your data, IP and other assets in the cloud, and you are as susceptible to attackers in the cloud as you are on premises. Even if one of the “big six” cloud providers, such as Amazon Web Services or Microsoft Azure, provides the cybersecurity, attackers can exploit weak links in the chain, break in and steal data or cause other harm. A common weak link in the chain is misconfiguration of the various systems that the cloud provider makes available as part of its service. You are responsible for all of the configurations, not the cloud provider. So if your team does not take the time to fully understand all of the configurations that are necessary and complete them in time, security holes will arise and remain open for attackers to exploit. Just look at the recent example of an organization that fell victim when the data of over 100 million customers was stolen. This organization was using one of the “big six” cloud providers, but missed making all of the necessary configurations.

A former employee of the cloud provider, who was familiar with the systems and configurations, discovered a misconfiguration in a web application firewall and exploited it to break in. The attacker was then able to query a metadata service to obtain keys and tokens, which allowed the attacker to query and copy storage object data and eventually exfiltrate it. This was a case where configuration errors in a web application firewall, coupled with unrestricted metadata service access and other errors, handed the attacker the keys to the kingdom for the theft of 100 million customers’ data. Other common cloud misconfigurations that create opportunities for attackers to exploit include:

- Unrestricted inbound access on uncommon ports
- Unrestricted outbound access
- Unrestricted access to non-http/https ports
- Unrestricted metadata service requests
- Inactive monitoring of keys and tokens

You may think that you do not have any misconfigurations in your cloud environment, but how do you know? The organization that recently lost 100 million customers’ data thought it had strong security in its cloud infrastructure, until it was hit with the data theft and realized it was not prepared to manage the risk.

Now, let’s move to the threat from supply chain backdoors. No matter what type of organization you are or what your size, you most probably have a supply chain comprised of independent contractors, vendors or partners. Each of these could be the weakest link in the chain. In other words, the attackers may find that one of your suppliers is easier to break into first because of weaker cybersecurity, and that the supplier has privileged access to your organization given its role and responsibilities. So why not first attack the weaker supplier, steal its privileged user credentials and use them to break into your organization and eventually attain the ultimate objective: steal data or commit other harm?

Or they may find that one of your suppliers holds part of your data in order to provide the outsourced service, so they can steal the data simply by breaking into the supplier with the weaker cybersecurity, with no need to attack you directly. There are many examples of supply chain risk, such as the government agency where the credentials of a background check vendor were first stolen to access the agency’s systems, then to move laterally and find other unprotected privileged user credentials to access databases and steal the data of 21.5 million individuals, including the fingerprint data of 5.6 million individuals. But just look at the recent example of an organization that had outsourced billing and collections to a supplier. This is a case where the attackers did not have to attack directly. The attackers broke into the supplier and injected malicious code into the payment webpages managed by the supplier and stole credit card, banking, medical and other personal information, such as social security numbers, of 11.9 million consumers. The attackers had access to the supplier’s system for eight months, during which they skimmed the data being input by consumers on the payment webpages. So, while your cybersecurity may be in good shape, the weakest link in the chain may be one of your suppliers, who may unwittingly provide the attackers a backdoor into your organization or to your data or IP. So, ransomware, cloud misconfigurations and supply chain backdoors are three significant and disruptive threats facing your organization today that you should mitigate. What c
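The cloud misconfiguration list above, turned into a check a cloud team could run over its own inventory. This is an added example, not the article's own code: the field names mirror the AWS describe-security-groups / describe-instances output, the 1024 "uncommon port" floor is an assumption, and every ID, CIDR and setting in the sample is constructed.

```python
"""Added example, not from the article: a checker for the cloud misconfigurations
the text lists, run over a constructed sample whose field names mirror the AWS
describe-security-groups / describe-instances output. All values are made up."""

WEB_PORTS = {80, 443}            # the only ports a public web tier should expose
UNCOMMON_PORT_FLOOR = 1024       # assumption: ports at or above this are "uncommon"
WORLD = {"0.0.0.0/0", "::/0"}    # CIDRs that mean "the whole internet"


def _world_open(rule):
    """True when any CIDR on the rule admits the entire internet."""
    ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
    return any(r.get("CidrIp", r.get("CidrIpv6")) in WORLD for r in ranges)


def _port_set(rule):
    """Ports covered by a rule; protocol "-1" means every port."""
    if rule.get("IpProtocol") == "-1":
        return set(range(65536))
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def check_security_group(sg):
    """Return (finding, group id) tuples for one security group."""
    findings = []
    for rule in sg.get("IpPermissions", []):          # inbound rules
        if not _world_open(rule):
            continue
        open_ports = _port_set(rule) - WEB_PORTS
        if any(p >= UNCOMMON_PORT_FLOOR for p in open_ports):
            findings.append(("unrestricted inbound access on uncommon ports", sg["GroupId"]))
        if open_ports:
            findings.append(("unrestricted access to non-http/https ports", sg["GroupId"]))
    for rule in sg.get("IpPermissionsEgress", []):    # outbound rules
        if _world_open(rule) and rule.get("IpProtocol") == "-1":
            findings.append(("unrestricted outbound access", sg["GroupId"]))
    return findings


def check_metadata(instance):
    """Flag an instance whose metadata service answers without a session token
    (IMDSv1), the access pattern behind the WAF-to-metadata chain in the text."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
        return [("unrestricted metadata service requests", instance["InstanceId"])]
    return []


def audit(groups, instances):
    """Run every check and return the combined finding list."""
    findings = []
    for sg in groups:
        findings += check_security_group(sg)
    for inst in instances:
        findings += check_metadata(inst)
    return findings


# Constructed sample: one web-tier security group and one instance.
SAMPLE_SG = {
    "GroupId": "sg-example-web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SAMPLE_INSTANCE = {"InstanceId": "i-example",
                   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}
```

Running `audit([SAMPLE_SG], [SAMPLE_INSTANCE])` yields four findings: the 8443 rule trips both inbound checks, the egress rule is world-open, and the instance still accepts token-less metadata requests. The last item on the article's list, inactive monitoring of keys and tokens, is a logging question rather than a resource setting and is not covered here.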


Work From Home: Cyber Security During Covid-19

Article | April 14, 2020

COVID-19 has significantly affected individuals and organizations globally. So far, more than 1.7 million people in 210 countries have borne the brunt of this mysterious virus. While this crisis is unparalleled compared to the past crises that have shaken the world and had lasting impacts on businesses, economies and societies, the one domain that has remained resilient through all the past crises, and is going strong during COVID-19 as well, is cyber security. While most sectors globally have been affected, cybersecurity’s importance to organizations, consumers and home users has not only remained strong but has increased drastically.

Zero Trust – Demystified

Article | July 29, 2020

1. Zero Trust – Demystified

Everyone seems to be talking about Zero Trust in the security world at the moment. Unfortunately, there seem to be multiple definitions of it depending on which vendor you ask. To help others understand what Zero Trust is, this white paper covers the key aspects of a Zero Trust model.

1.1. What is Zero Trust

Zero Trust is a philosophy, and a related architecture to implement this way of thinking, founded by John Kindervag in 2010. What it isn’t is a particular technology! There are three key components to a Zero Trust model:

1. User / Application authentication – we must authenticate the user or the application (in cases where applications are requesting automated access) irrefutably, to ensure that the entity requesting access is indeed that entity
2. Device authentication – just authenticating the user / application is not enough. We must authenticate the device requesting access as well
3. Trust – access is then granted once the user / application and the device are irrefutably authenticated

Essentially, the framework dictates that we cannot trust anything inside or outside our perimeters. The Zero Trust model operates on the principle of ‘never trust, always verify’. It effectively assumes that the perimeter is dead and that we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside it because everything inside is trusted. This has unfortunately proven true in multiple attacks, as attackers simply enter the perimeter through trusted connections via tactics such as phishing.

1.2. Enforcing the control plane

In order to adequately implement Zero Trust, one must enforce and leverage distributed policy enforcement as far toward the network edge as possible. This basically means that granular authentication and authorisation controls are enforced as far away from the data as possible, which in most cases tends to be the device the user is using to access the data. So in essence, the user and device are both untrusted until both are authenticated, after which very granular role based access controls are enforced.

In order to achieve the above, a control plane must be implemented that can coordinate and configure access to data. This control plane is technology agnostic; it simply needs to perform the function described above. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorised. Fine-grained policy can be applied at this layer, perhaps based on role in the organisation, time of day, or type of device. Access to more secure resources can additionally mandate stronger authentication. Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client (and that client only). In addition, it can coordinate the details of an encrypted tunnel between the requestor and the resource to prevent traffic from being ‘sniffed on the wire’.

1.3. Components of Zero Trust and the Control Plane

Enforcing a Zero Trust model, and the associated control plane that instructs the data plane to accept traffic from a client upon authentication, requires some key components for the model to operate. The first and most fundamental is micro-segmentation and granular perimeter enforcement based on:

- Users
- Their locations
- Their devices and their security posture
- Their behaviour
- Their context and other data

The above aspects are used to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise. In this case, the micro-segmentation technology essentially becomes the control plane. As per the section above, encryption on the wire is a key component of Zero Trust. For any micro-segmentation technology to be an effective control plane, it must:

- Enforce traffic encryption between endpoints
- Authenticate the user and machine based on their identity and not the network segment they are coming from

1.4. Zero Trust Technologies

As stated earlier, Zero Trust is an architecture. Other than micro-segmentation, the following key technologies and processes are required to implement Zero Trust:

- Multifactor authentication – to enforce strong authentication
- Identity and Access Management – to irrefutably authenticate the user / application and the device
- User and network behaviour analytics – to understand the relative behaviours of the user and the network they are coming from and highlight any unusual behaviour compared to a pre-established baseline, which may indicate a compromised identity
- Endpoint security – to ensure that the endpoint itself is clean and will not act as a conduit for an attacker to gain unauthorised access to data
- Encryption – to prevent ‘sniffing of traffic on the wire’
- Scoring – establishing a ‘score’ based on the parameters above that will then determine whether access can be granted or not

Apart from the above key components, the following are needed as well:

- File system permissions – needed in order to implement role based access controls
- Auditing and logging – to provide monitoring capabilities in case unauthorised access is achieved
- Granular role based access controls – to ensure access is on a ‘need to know’ basis only
- Supporting processes – all of the above needs to be supported by adequate operational procedures, processes and a conducive security framework so that the model operates as intended
- Mindset and organisational change management – since Zero Trust is a shift in security thinking, a mindset change managed by robust change management is required to ensure the successful implementation of Zero Trust in an organisation

1.5. Challenges with Zero Trust

So Zero Trust sounds pretty awesome, right? So why haven’t organisations adopted it fully? As with any new technology or philosophy, there are always adoption challenges. Zero Trust is no different. At a high level, the key challenges in my experience are:

- Change resistance – Zero Trust is a fundamental shift in the way security is implemented. As a result, there is resistance from many who are simply used to the traditional perimeter based security model
- Technology focus as opposed to strategy focus – since Zero Trust is a model that will impact the entire enterprise, it requires careful planning and a strategy to implement it. Many are still approaching security from the angle that if we throw enough technology at it, it will be fine. Unfortunately, this thinking is what will destroy the key principles of Zero Trust
- Legacy systems and environments – legacy systems and environments that we still need for a variety of reasons were built around the traditional perimeter based security model. Changing them may not be easy and in some cases may stop these systems from operating
- Time and cost – Zero Trust is an enterprise wide initiative. As such, it requires time and investment, both of which may be scarce in an organisation

1.6. Suggested Approach to Zero Trust

Having discussed some challenges to adopting a Zero Trust model above, let’s focus on an approach that may allow an organisation to implement a Zero Trust model successfully:

1. Take a multi-year and multi-phased approach – Zero Trust takes time to implement. Take your time and phase the project out to spread the investment over a few financial years
2. Determine an overall strategy and start from there – since Zero Trust impacts the entire enterprise, a well-crafted strategy is critical to ensure success. A suggested, phased approach is:
   a. Cloud environments, new systems and digital transformation are good places to start – these tend to be greenfield and should be more conducive to a new security model
   b. Ensure Zero Trust is built into new systems, and upgrades or changes – build Zero Trust by design, not by retrofit. As legacy systems are changed or retired, a Zero Trust model should be part of the new deployment strategy
   c. Engage a robust change management program – mindset adjustment through good change management
3. Take a risk and business focus – this will allow you to focus on protecting critical information assets and justify the investments based on ROI and risk mitigation
4. Ensure maintenance and management of the new environment – as with everything, ensure your new Zero Trust deployment is well maintained and managed and does not degrade over time

To summarise, Zero Trust is a security philosophy and architecture that will change the way traditional perimeter based security is deployed. A key component of it is the control plane that instructs the data plane to provide access to data. Zero Trust dictates that access can only be granted once the user / application and device are irrefutably authenticated, and even then this access is provided on a ‘need to know’ basis only. Micro-segmentation is a key technology component of a Zero Trust implementation, and this paper has stated other key technology components and processes that are needed to implement Zero Trust adequately. This paper has discussed some of the challenges with implementing Zero Trust, which include change resistance as well as legacy systems. The paper then provided an approach to implementing Zero Trust which included taking a phased approach based on a sound strategy, underpinned by a risk and business focused approach.
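The control plane described in sections 1.2 to 1.4, reduced to a runnable decision function: user authentication, then device authentication, then role, time-of-day and sensitivity-tier policy, ending in a data-plane rule scoped to that one client. This is an added example, not code from the white paper; the user, device and resource inventories, the posture score and the tier threshold are all constructed stand-ins for an IAM/MDM lookup.

```python
"""Added example, not from the white paper: a toy Zero Trust control plane.
USERS, DEVICES, RESOURCES and the scoring rule are constructed samples."""
from dataclasses import dataclass, field

# Constructed inventories (stand-ins for identity and device-management lookups).
USERS = {"alice": {"role": "finance", "mfa_enrolled": True}}
DEVICES = {"lt-0042": {"owner": "alice", "managed": True,
                       "disk_encrypted": True, "edr_healthy": True}}
# Each resource carries a sensitivity tier; tier 2 demands MFA, full posture and office hours.
RESOURCES = {"payroll-db": {"roles": {"finance"}, "tier": 2, "addr": "10.20.0.5:5432"},
             "wiki": {"roles": {"finance", "eng"}, "tier": 1, "addr": "10.20.0.9:443"}}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    mfa_done: bool
    hour: int          # local hour of the request, 0-23
    client_ip: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    data_plane_rule: dict = field(default_factory=dict)


def device_score(dev):
    """Posture score in [0, 3]: each healthy attribute adds one point."""
    return sum(dev[k] for k in ("managed", "disk_encrypted", "edr_healthy"))


def authorize(req: Request) -> Decision:
    """Control-plane decision: identity, then device, then role/time/tier policy."""
    user = USERS.get(req.user)
    if user is None:
        return Decision(False, "unknown user")                       # user auth fails
    dev = DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        return Decision(False, "device not enrolled to this user")   # device auth fails
    res = RESOURCES.get(req.resource)
    if res is None or user["role"] not in res["roles"]:
        return Decision(False, "role not permitted")                 # need-to-know check
    if res["tier"] >= 2:                                             # stronger auth for sensitive data
        if not req.mfa_done:
            return Decision(False, "tier-2 resource requires MFA")
        if device_score(dev) < 3:
            return Decision(False, "device posture below tier-2 bar")
        if not 7 <= req.hour < 20:
            return Decision(False, "outside permitted hours")
    # Grant: the data plane accepts traffic only from this client, to this resource,
    # over an encrypted tunnel, and only for a bounded time.
    rule = {"allow_from": req.client_ip, "to": res["addr"], "encrypt": True, "ttl_s": 600}
    return Decision(True, "granted", rule)
```

The same user on the same healthy device reaches the tier-1 wiki without MFA but is refused the tier-2 payroll database until MFA is completed, which is the "access to more secure resources can mandate stronger authentication" rule from section 1.2 in action.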
