6 December

Buzzword Translator: Internet of Things (IoT)

Posted by Paul Hirsch, Senior Technology Strategist

Did you know that there are already more networked devices than people? Did you know that it is projected that by 2020 there will be eight times more networked devices than people? IoT is a HUGE market! Wait, soooooo…. what IS IoT? As with cloud, IoT represents a lot of really useful technologies grouped with a comically vague buzzword. Examples of devices in the IoT category include:

  • Your Internet connected printer
  • Your Internet connected game console or video streaming device
  • Your Internet connected thermostat
  • Your Internet connected security camera
  • Your Internet connected baby monitor
  • Your Internet connected car
  • Your Internet connected Internet connection device
  • Your Internet connected house robot “Jerry”
  • All Internet connected devices produced by Cyberdyne Systems, which will gain consciousness on August 29th, 1997 at 2:14 a.m. ET (*They are running a bit behind schedule, but you will know when it happens 'cause Jerry will be a real jerk)

Can you spot the subtle common thread? Yes: “Internet” (“Cloud” is implied as well, since many of these connect to a cloud service.) With great connectivity comes great responsibility, but many IoT products have fallen into the same traps that servers, PCs, and smart phones have before them. Some of the problems are built in by the manufacturers, but others are caused by customers.  Recognize any of these classics?

  • “I depend on THING for my very existence, so I bought the cheapest WiFi access point I could find, used an Ethernet hub I fished out of a dumpster, and connected everything with Cat1D.” (D is for duct tape)
  • “The security of THING is critical, so I didn’t change the default password. Also, what is a ‘Firewall’?”
  • “I care about being a good Internet citizen, so I have never and will never update the software on THING.”
  • “THING makes me complete and has lights and stuff. I will sell my arm for a new THING. I will not spend a dime on a UPS to keep THING from being fried by lightning.”

Sounds like the same list when dealing with computers, right? That is because IoT devices are just computers. They usually run a Linux derivative or one of a handful of commercial real-time operating systems. On that base they add some custom software, sometimes written with little thought given to safe programming practice or basic information security. Then they spit out thousands of them to sit on unprotected networks, never get updated, and generally be neglected. In some cases they are politely asked (using default usernames and passwords) to join a botnet, later being used to help carry out massive DDoS (Distributed Denial of Service) attacks like the multiple record-setting DDoS attacks carried out in recent months by cameras under the control of the Mirai botnet.

The truth is that IoT in a business setting needs all the same things anything connected to the Internet needs: A well designed, secure, reliable, monitored, and managed network built to meet current and future needs. Firewalls, switches, wireless, cabling and infrastructure, power and cooling, physical security, network design, cloud services, and managed services must be considered for every IoT deployment.

IoT devices are computers and must be taken just as seriously. Let that thought be your guide with whatever types of T you want to connect to the I.

3 October

How Much Cybersecurity Is Enough?

For decades, IT focused on service rollout and fulfillment while security was considered an afterthought. Instead of being baked in from the start, it was bolted on after the fact.

These days, that approach simply will not suffice, because cyber threats are everywhere. Consider that yesterday’s hackers were typically individuals driven by curiosity or, at worst, mischief. Today’s hackers are more likely to belong to criminal organizations driven by profit or, at worst, state-sponsored terrorism.

Yesterday’s malware was relatively simple stuff—easily recognized, blocked and eradicated. Today’s malware is far more complicated, conceals its own presence and activity using encryption and compression, and sometimes even includes polymorphic capabilities that leave it able to exploit multiple attack vectors in an unpredictable sequence.

Apply security in proportion to business priorities.

Organizations looking to protect against advanced modern threats like this know that security must be more tightly integrated than ever into networks, computational hosts, and the service delivery cycle in general. 

Yet, protection can’t come at the expense of innovation. Business growth, customer satisfaction, market share, and quarterly profits all ultimately emerge from the unique value offered by an organization’s products and services.  

If security compromises that value, the business outcome can’t be good. For instance, if security is applied so rigorously that network services slow to a crawl, customers are likely to turn elsewhere for faster services.  

A smart approach to security, therefore, balances security requirements with business goals. To do this, you need to intelligently allocate resources in proportion to business needs and priorities. This way, the most important assets get the most comprehensive protection.

A good illustration of how that idea might apply in a practical sense is evident in the financial space, via services like online banking. The paramount priority in this context is clearly the area of user validation and authentication: Who can log in; how secure is the log-on process; what can users do once they’re inside; how are financial transactions monitored, logged, and executed?

Customers will clearly have no tolerance at all for an insecure network that allows unauthorized access to critical liquid assets like cash and equities. Any financial institution’s security budgeting should take this into account.

A formal assessment can help.

For many organizations, how to assign priorities beyond that point is not quite so black and white. They may have hundreds of different services with everything from Web hosting and e-commerce to internal communications and collaboration.

Determining how best to prioritize them, allocate resources accordingly, and optimally secure the network against the most dangerous threats is a complex area in which they might well benefit from a trusted, informed partner: a partner who can perform a cyber threat assessment that gets you the facts (exactly how and where you should invest in more security), then recommend and deploy leading solutions and strategies based on the results. Read more about our approach to security and its role in business prosperity.

19 September

Money Alone Can’t Protect Your Bank From Cyber Risk

Across all industries, the financial sector has one of the more mature and well-developed approaches to cybersecurity. Yet, despite the banks’ increased investments in cybersecurity, a disconnect remains between spending and risk.

Increasingly digitized environments and the Internet of Things (IoT) are creating an interconnected infrastructure that spans multiple organizations, data sources, access points and vendors. This creates a complex business and IT environment that’s constantly being exposed to new risks.

Closing the gap between investment and risk requires an intelligence-based approach that can respond and adapt to threats in real time. This approach must take into account how future innovations in digitization will impact cybersecurity over time.

Cyber Threats an Ongoing Concern for Banks

According to a recent report by Bitglass, the number of attacks on banks doubled last year compared to the year before. And so far in 2016, at least five of the 20 top U.S. banks have disclosed data breaches.

Financial services was the third most-attacked sector in 2015, according to IBM. Although this represents an improvement over 2014 when it was in the No. 1 spot, it’s clear that banks are still not able to stay ahead of the threats.

An added challenge is the ongoing U.S. transition to the “chip” (EMV) credit and debit cards. While these more secure cards are expected to significantly decrease counterfeit card fraud in the long run, the transition is forcing bad actors to step up their game and target other areas, such as card-not-present and online fraud.

Security Efforts Must Be Refocused

Although financial institutions are throwing money at the cybersecurity problem, they don’t always direct resources to the right areas. An intelligence-based approach needs to take into consideration new factors such as insider threats (both malicious and unintentional errors), third-party risk and geopolitical climate, among others. Three recommended areas of focus include:

  • Elevating cybersecurity to a C-suite function: Cybersecurity is no longer simply an IT problem. The board of directors and executive leadership need to invest time into understanding how cybersecurity impacts business risk and take an active role in allocating the proper resources and establishing it as a priority across the organization.

  • Treating cybersecurity and business strategy as two sides of the same coin: Cybersecurity needs to be integrated into every core function of the business. Cybersecurity assessment and planning must become a critical part of product development and strategic planning. Every project, from design and architecture to usability, should have clear expectations related to information security.

  • Using an intelligence-based approach to cybersecurity: As the transition to digital business models continues to drive the evolution of enterprise networks, banks must adopt innovative network security solutions that are scalable and flexible. These solutions must provide the type of actionable intelligence that’s critical in today’s threat environment, along with a comprehensive, unified approach to physical, virtual and cloud infrastructure.

Knowing this, it's important to utilize a technology partner who can deploy a cohesive “fabric” of best-of-breed security solutions that easily share big-data-driven, real-time threat information to support intelligence-based cybersecurity. Click here to learn more about weaving multiple tools into a single security fabric

8 September

4 Cybersecurity Basics For Your Business

With stories about cyber attacks making the news almost daily, cybersecurity is top-of-mind for business IT leaders. But cybersecurity and the threat environment are complex. Many times, organizations spend too much time deploying and managing the latest and greatest point solutions and not enough time on the basics: fortifying their environments against both common and targeted attacks. To simplify and better focus your resources, we recommend the following four principles for building your cybersecurity strategy, courtesy of our partner, Fortinet.

Fortinet’s 4T's of cybersecurity help ensure your cybersecurity strategy protects, mitigates and defends against the latest advanced persistent threats (APTs) and more. They include:

  1. Timeliness: The latest Verizon Data Breach Investigations Report (DBIR) found that 85% of all successful exploits could be traced to the top 10 known vulnerabilities, many of which have had patches available for months and even years. A strong vulnerability and patch management program that checks for new patches and applies them quickly and efficiently can go a long way to shoring up your security posture.

  2. Training: It may sound trite, but people are always the weakest link when it comes to cybersecurity. The DBIR also found that 30% of all phishing messages sent last year were opened, and in 13% of those cases the recipient ended up clicking on a malicious link or attachment. The only way to prevent and mitigate such attacks is through comprehensive, regular security awareness training covering basics like recognizing phishing emails, creating strong passwords and not exposing sensitive data outside the company. Automated defenses can also go a long way here, including disabling links and attachments on incoming email.

  3. Technology: Rather than relying on disparate point solutions, a strong security defense weaves together a range of different security tools that can all communicate and collaborate to provide a big picture view of your enterprise security posture, end-to-end. Fortinet calls it a cohesive ‘fabric’ of security and has developed the Security Fabric to integrate cybersecurity technologies and capabilities, including:

    • Next-generation firewalls that can address security across every environment, whether on-premises, in the cloud or virtual.

    • Advanced threat solutions, including sandboxing and web application security.

    • Data center tools designed to perform at high speeds and integrate fully with SDN and other next-generation data center architectures.

    • Cloud-focused tools that provide true visibility across both on-premises and cloud-based applications.

    • Consistent policy enforcement that ensures security policies can be applied correctly and confidently across all networks and topologies.

  4. Testing: Enterprise networks are constantly evolving, and no cybersecurity strategy can be complete without a strong testing regimen designed to uncover security weaknesses as changes occur over time. This should include:

    • Network vulnerability scanning, which helps uncover missing patches or system misconfigurations.

    • Application vulnerability scanning to uncover common coding errors, like cross-site scripting or hard coded passwords.

    • Penetration testing, in which skilled hackers simulate real-world attacks against network services, applications or both. While more expensive than network or application scanning, it is more realistic and can often uncover issues missed by both.

These are just a few examples to get you started on simplifying and focusing your resources in order to fortify your environments against common and targeted attacks. There are many ways to approach your cybersecurity. Read more about our suggestions on mitigating risks from phishing attacks through employee training. 

22 August

5 Ways to Fight Ransomware in Healthcare

Ransomware incidents in healthcare are on the rise, and it’s really no surprise. It’s an industry where time, attention and money are focused on improving patient outcomes, not cybersecurity.

Attackers know this, however, and view healthcare as a soft target, ripe for ransomware. Recent, highly publicized incidents at hospitals like Los Angeles’ Hollywood Presbyterian and Kentucky’s Methodist Hospital prove that hackers’ instincts are correct. Short of paying ransom, what can other healthcare organizations do to fight back, and reduce their chances of becoming the next victim?

Who are these attackers? 

First, let's try to understand the mindset of these attackers who target healthcare organizations for their enticing mix of sensitive data, vulnerable systems with life-or-death criticality, and a widespread lack of security expertise.

Thanks to the Obama administration’s mandate to adopt EHRs (electronic health records), the healthcare sector went digital. Fast. For instance, the percentage of hospitals using EHRs has jumped to 96.9% from just 9.4% in 2008, all while IT staffing and security budgets remained stagnant at best.

Compared to hardened sectors like financial services and e-commerce, which pour millions into information security defenses each year, healthcare is both easy to breach and more likely to pay. The best defense, then, is to make your healthcare organization both harder to attack and harder to profit from.

What can you do to begin your defense? 

  1. Back up critical data. Hollywood Presbyterian had little choice but to pay a $17,000 ransom to regain control of operations, because it had no backups available when its systems were infected with ransomware. Having regular, tested backups will help minimize downtime during the restore process.

  2. Know your data. You should know exactly what your critical data is and where it resides so you can better focus security and staffing resources where they make sense. This type of asset inventory also helps when determining a ransomware response, since less critical data may be more likely to be hit but less likely to require paying a ransom.

  3. Educate users. Most ransomware attacks gain a foothold when an employee unknowingly clicks a malicious link in a phishing email. Educating users to recognize phishing email helps. So does blocking pop-ups and whitelisting common websites. Perhaps the best deterrent is simply to prohibit clicking any email links and train employees to instead copy the URL and paste it into their browser's address bar.

  4. Keep anti-malware systems up to date. Ensure all endpoints are configured with updated antivirus software and that IDS/IPS signatures and firewalls are maintained regularly.

  5. Partner with the right vendors. Use cybersecurity vendors that can analyze your business, uncover vulnerabilities and help you build a unified approach – across endpoints, networks, web gateways and more – designed to thwart ransomware.

It's important to deploy a cohesive cybersecurity infrastructure that simplifies the sharing and management of real-time threat intelligence across tools — essential to fighting ransomware in complex healthcare network environments. Read more about our approach to security