Posts

Is Your IT Security Strategy Aligned with Your Business Requirements

Triple-A ratings are normally associated with chief financial officers keeping a tab on John Moody’s bond credit rating. In the world of IT however, how can a chief information officer or information technology decision maker (ITDM) rate the efficiency of an IT security implementation?

IT security is one of the main concerns for ITDMs with attacks such as Venom, Shellshock or Heartbleed and others affecting organizations globally. Therefore ITDMs are taking steps to protect the corporate network from threats of all sizes. However, as it stands security is still at risk from internal and external stand point.

How can ITDMs know when they have reached a level of security that will protect from cyber-attacks while still empowering employees to do their job better? A comprehensive security approach should encompass three factors, it should be adaptive to threats, business requirements and also the ever evolving use of the internet within the corporate network, have adapted to meet the specific requirements of an organization and have been adopted fully by end users.

These factors can be summarized as a Triple A security approach, that could help you with your overall security posture and grant your organization a Triple A security rating.

Adaptive:

IT infrastructures are constantly changing. In the past we had static IT infrastructures, however, we are moving towards a world of convergence. Therefore, security infrastructures need to adapt in order to be effective. An adaptive security architecture should be preventative, detective, retrospective and predictive. In addition, a rounded security approach should be context-aware.

Gartner has outlined the top six trends driving the need for adaptive, context-aware security infrastructures: mobilization, externalization and collaboration, virtualization, cloud computing, consumerization and the industrialization of hackers.

The premise of the argument for adaptive, context-aware security is that all security decisions should be based on information from multiple sources.

Adapted:

No two organizations are the same, so why should security implementations be? Security solutions need flexibility to meet the specific business requirements of an organization. Yet despite spending more than ever to protect our systems and comply with internal and regulatory requirements, something is always falling through the cracks. There are dozens of “best-of-breed” solutions addressing narrow aspects of security. Each solution requires a single specialist to manage and leaves gaping holes between them. Patchwork solutions that combine products from multiple vendors inevitably lead to the blame game.

There are monolithic security frameworks that attempt to address every aspect of security in one single solution, but they are inflexible and extremely expensive to administer and organizations often find that they become too costly to run. They are also completely divorced from the business objectives of the organizations they’re designed to support.

Instead organizations should approach security based on simplicity, efficiency, and connectivity as these principals tie together the splintered aspects of IT security into one, integrated solution, capable of sharing insights across the organization.

This type of security solution ensures that the security approach has adapted to meet the specific requirements and business objectives of an organization, rather than taking a one size fits all approach.

Adopted:

Another essential aspect to any security approach is ensuring that employees understand and adopt security policies. IT and security infrastructure are there to support business growth, a great example of this is how IT enables employees to be mobile, therefore increasing productivity. However, at the same time it is vital that employees adhere to security policies and access data and business applications in the correct manner or else mobility and other policies designed to support business growth, in fact become a security risk and could actually damage the business.

All too often people think security tools hamper employee productivity and impact business processes. In the real world, if users don’t like the way a system works and they perceive it as getting in the way of productivity, they will not use it and hence the business value of having the system is gone, not to mention the security protection. We have solutions that allow for productivity and security.

“We have tight control over the network nowadays and can manage bandwidth per application using the firewall. The beauty of our SonicWall solution is that we can use it to create better store environments for our customers.” Joan Taribó, Operations and IT Manager, Benetton Spain.

By providing employees with training and guides around cyber security, this should lead to them being fully adopted and the IT department should notice a drop in the number of security risks from employee activity.

Triple A

If your overall security policy is able to tick all of the three A’s, then you have a very high level of security, however, the checks are not something that you can do just once. To protect against threats, it is advisable to run through this quick checklist on a regular basis to ensure that a maximum security level is achieved and maintained at all times. It is also important to ensure that any security solutions implemented allows your organization to grow on demand; as SonicWall says: Better Security, Better Business.

Ten Tips for Protecting POS Systems from Memory Scraping Malware

In the recently published 2015 SonicWall Security Threat Report, one of the observations on the evolution of attacks on POS systems is the rise in popularity of malware that uses memory scraping to steal sensitive data. No matter how many layers of encryption are applied to sensitive payment data and how carefully this encryption is deployed, at some point the primary account number and other sensitive information must exist in an unencrypted form in order to be useful. The moment that payment data is decrypted for processing, it ends up in the memory of the POS machine, creating a perfect window of opportunity for an attacker to snag this data. Advanced malware can use multiple techniques to access and scan contents of this temporary storage and look for patterns that resemble raw payment data. This data can then be used, for example, to clone cards for fraudulent purchases. This is exactly what happened in some of the high profile retail breaches of 2013 and 2014.

The ultimate goal of RAM scraping malware is exfiltration of the unencrypted data stolen from memory of the infected machine. Therefore, this malware will be very well hidden and it will attempt to remain as invisible as possible in order to access as much data as possible. Mitigating the risks of being hit with such malware falls into two categories: Pre-infection best practices to avoid infection and post-infection best practices to detect and control the attack.

Pre-infection best practices

Protecting yourself from new advanced attacks must always be done on top of executing on the basics which serve to reduce the risk of getting critical systems such as POS systems infected by any malware.

  1. Keep the OS and applications on POS systems fully patched. Most patches are security related, so ignoring them only opens up a larger window of opportunity for attackers.
  2. Firewall off the POS network from the rest of the network with strong (i.e. bare minimum access) access policies as well as with Intrusion Prevention and Anti-Malware.
  3. Use strong, non-default and not shared, passwords.
  4. Deploy and enforce endpoint anti-virus as a last measure of defense.
  5. Encrypt traffic VPN tunnels.
  6. Enable protection against MAC spoofing within the POS network and for critical systems with which the POS terminals communicate.
  7. Lock down remote access to pin-point level of access. Do not allow full L3 tunnels into sensitive networks and use remote access tools that allow verification of remote host integrity before granting access.

Post-infection best practices

A good to approach in evaluating your network security stance is to assume that you will be infected at some point in the future and design processes to allow you to detect and control the infection. In the context of memory scraping malware, the ultimate observable behavior will be communication with non-trusted hosts on the internet. It may not be immediate and it may not be in bulk, as the attacker may want to put time between the act of infection and the act of data theft. However, sooner or later, the attacker will need to get the stolen data from the POS systems into his or her possession. This may happen naively via direct communication, or via more sophisticated methods such as using another compromised system outside the POS network, but with a connection to the POS network, as a gateway. That system may reside in a network that is less strictly observed than the POS network on which may not raise alarms at communication with random servers on the internet.

There are several key technologies that can help you detect or neutralize this data exfiltration:

  • Don’t allow direct communication with the internet from the POS network. This will lock down allowable communications and will block and detect naïve approaches at data exfiltration. For processing purposes, payment data can be sent via an encrypted tunnel to another trusted server(s) on the network (outside the POS network) and then via another encrypted tunnel to the processing server. Communication between these systems should be whitelisted by the firewall via ACLs, with all other traffic (besides perhaps management and updates) blacklisted.
  • Deploy Geo-IP and Botnet filtering detection on all networks. Lock down communication from sensitive systems only to locales that they need to communicate with (if your processor is in the US, why would your POS data need to have access to and from Europe, Asia, LATAM, etc.?)
  • Configure DLP and SSL Decryption to detect Credit Card type data leaving the network in plaintext or inside of SSL tunnels to internet hosts that are unknown. In other words, only allow such data to flow to CC processing servers known to you. Communication of such data to any other system on the internet should be intercepted, logged and investigated. Deny any SSL communication from sensitive networks that does not lend itself to inspection by not accepting your NGFW SSL inspection certificate.

Firewalls occupy an extremely valuable piece of real estate on any network since all Internet bound traffic must go through them. When properly deployed, next-generation firewalls play an important role in reducing the risk of advanced malware infection and data theft in POS networks. To find out more about the capabilities of state of the art NGFWs from SonicWall, read the eBook “Types of Cyber-Attacks and How to Prevent Them.” Follow me on Twitter: @threadstate.