Lessons learned from the Home Depot breach

You might have forgotten about the massive Home Depot data breach. After all, it happened in 2014. More than 56M customers’ payment card data was exposed as a result of malware being installed on the self-checkout lanes in numerous stores. (While I haven’t been in any store in a while, I do recall those self-checkout lanes being annoying and spending time rescanning my items.) The malware operated for several months before it was detected and removed. At the time, it was the largest breach on record. The main cause of the breach was stolen third-party credentials. A report that SANS has put together is an excellent analysis of what happened.

The company was fined $17.5M as part of a settlement announced this past week with various state and federal officials. Reviewing the press release was quite revealing (for once) because it lists a number of action items that Home Depot has agreed to implement to prevent further breaches. These include:

  • Having a Chief Information Security Officer report to C-level executives and the Board of Directors
  • Providing resources necessary to fully implement the company’s information security program, including a comprehensive security awareness and privacy training program
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, and data encryption controls
  • Regular vulnerability scans of their networks that include risk assessments, penetration testing, intrusion detection, and vendor account management
  • Appropriate network segmentation of their POS equipment and other sensitive areas

One would hope that in the past six years they have actually done all of these. Yes, our legal system moves quite slowly. But it is a handy reference list for all of us to evaluate the IT security of our own businesses. And it isn’t as simple as turning on all the features of their endpoint protection tool (something that Home Depot didn’t do back in 2014 for some odd reason) but implementing more system-wide efforts that need continuous attention. For example, the POS was running Windows XP, which was outdated and quite vulnerable even in 2014.

IT security isn’t a destination, but an evolutionary process. Take your eyes off the ball and you’ll find yourself in a similar situation to Home Depot.

RSA blog: Endpoints are our new security perimeters

Remember when firewalls first became popular? When enterprises began installing firewalls in earnest, they quickly defined our network’s protective perimeter. Over the years, this perimeter has evolved from a hardware focus to one more defined by software, to where Bruce Schneier officially proclaimed their ultimate death a few years ago.

Part of this evolution is the changing nature of the attacks we experience along with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered “outside” and “inside” the corporate network. But then the Internet happened, and we all became connected. Even before the pandemic, there was little difference. With the advent of the cloud, and definitely since the pandemic began, we are all out. That wise infosec sage Jerry Seinfeld once said this in an opening monologue to his TV series in 1989. We no longer worry about “bringing your own device.” We are all working from home, using devices that aren’t necessarily ones that IT has purchased and sharing them with other family members. As my colleague Scott Fulton wrote in 2017, “Once the distinctions between inside and outside have been effectively erased, an outside user would be treated exactly the same as one inside the office.” You could argue that he was talking from the opposite perspective, but with the same result.

This has given rise to the concept of zero-trust networks, a topic that I touched upon in my March 2019 post. In that post, I talk about the shades of grey that are now accepted as part of the authentication process: not only is there no distinction between inside and outside the corporate network, but there is nothing that is fully trusted anymore. As I mentioned in that post, the zero-trust concept is really a misnomer: instead, we should strive for a zero-risk model. RSA CTO Dr. Zulfikar Ramzan has long advocated doing this, because it gets IT staffs to examine what is really important: identifying and securing key IT assets and data, as well as that from third parties.

One consequence of a zero-risk model is that today the new network perimeter really depends on the integrity of our endpoint devices. The endpoint is the first thing that can fall victim to a phishing lure, and it is the first place that attackers look for a sign of an unpatched OS or a smartphone that is secretly running malware. Recent surveys show that the pandemic is making it easier for cybercriminals to target mid-level managers, with lures ranging from Covid-related ones to more traditional business impersonations.

That doesn’t mean we need to let a thousand firewalls bloom, but it does mean that endpoint detection and response tools have to do a lot more these days than just scan for malware and compromises. Instead, we need a whole army of protective features that is working for us, to prevent our endpoints from being an attractive place for attackers to try to leverage. The vendors in the endpoint space have risen to meet these challenges, and have added features such as:

  • Ad hoc queries (to search for new compromises),
  • Better security policy enforcement and reporting,
  • Automatic discovery of outliers and unmanaged endpoints,
  • Detection of lateral network movement (for better early attack notifications),
  • Better remediation and deployment tactics (to upgrade large populations of outdated endpoints),
  • Better patch management (ditto), and
  • Integration into existing protective gear such as event and service management tools.

That is a tall order for any security tool to handle. But as we continue to work from home, we need the appropriate protection. As Pogo once said, “we have met the enemy and he is us.”

What endpoint protection solutions are available today (conference talk)

We are experiencing a changing nature of cyberattacks, especially as the world has moved towards more working from home. These attacks have evolved with the changing nature of our enterprise networks. Back when everyone was working from well-defined offices, we could definitely state that there was a difference between what was considered “outside” and “inside” the corporate network. But then the Internet happened, and we all became connected. Even before the pandemic, there was little difference. With the advent of the cloud, and definitely since the pandemic began, we are now all considered out. We are all working from home, using devices that aren’t necessarily ones that IT has purchased and sharing them with other family members. In my talk, I want to identify some trends that have changed the endpoint detection and response marketplace, and examine a few of the EDR products and show how they have evolved as well to meet this new collection of threats.

In this talk, which I gave at the Work From Anywhere conference sponsored by 1e in London, I describe some of the challenges and compare 1e’s Tachyon with two other endpoint tools, Tanium and Carbon Black.

SecurityIntelligence blog: Tracking Online Fraud: Check Your Mileage Against Endpoint Data

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions. This last January, they looked at 100 different behaviors across 500,000 endpoints scattered around the world. They found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior. They found seven commonalities, and some of them are surprising.

You can read my blog post on IBM’s SecurityIntelligence.com here.

iBoss blog: How to Implement the Right BYOD Program

Once you have decided to implement a bring your own device (BYOD) program, you need to think about how exactly to go about it. Here are a few aspects to consider, such as what you are trying to control, whether you can manage your devices from the cloud, and how granular the policies you create can be. It’s on the iBoss blog today.

Network World: Ten new generation endpoint security products compared

Endpoint security used to be so simple: you purchased an anti-malware scanner, installed it across your endpoints, and you were protected. Not anymore. The days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potential infections. The attackers have gotten more sophisticated, and so too must the endpoint detection and response (EDR) tools, which need to find more subtle exploits, even ones that don’t leave many fingerprints.

This week, I review ten different endpoint detection and response (EDR) tools for Network World magazine. You can read the complete review package here.

I spent several months running Outlier Security, Cybereason, Sentinel One, Stormshield SES, ForeScout CounterAct, Promisec PEM, Countertack Sentinel, CrowdStrike Falcon Host, Guidance Software Encase, and Comodo Advanced Endpoint Protection. From this experience, I came up with a series of broad trends:

First, virus signatures are passé. Creating a virus with a unique signature is child’s play, thanks to the nearly automated virus construction kits that have filled the Internet over the past several years. Instead, many of these products tap into security feeds that report on the latest attacks, such as VirusTotal.com and other reputation management services.

Second, tracking executable programs is also so last year. In the old days of malware, exploits typically had some kind of payload or residue that they left on an endpoint: a file, a registry key or whatnot. Then the bad guys graduated to running their business just in memory, leaving little trace of their activity, hiding inside PDFs or Word documents, or forcing your Web browser to a phished site that contained Java-based exploits. Today’s hackers have become more sophisticated, using Windows PowerShell commands to set up a remote command shell, pass a few text commands, and compromise a machine without leaving much of a trace on an endpoint.

Many products can track privilege escalation or other credential spoofing. Modern attackers try to penetrate your network with a legitimate user credential, such as a default account left in place when SQL Server or some other product was installed, and then escalate to a domain administrator or another more significant user with greater network rights.

Insider threats are more pernicious, and blocking them has become more compelling. One of the reasons why traditional anti-virus protection has failed is that attackers can gain access to your internal network and do damage from a formerly trusted endpoint. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down which PCs were compromised and neutralize them before your entire network falls into the wrong hands.

In addition to insider threats, data exfiltration is more popular than ever. Moving private user data, or confidential customer information, out of your network is the name of the game today. Look no further than Sony or Target to see the harm done when some of their data was made public; that is the kind of attack the EDR tool has to deal with now.

Many tools are using big data and cloud-based analytics to track actual network behavior. One of the reasons why the sensors and agents are so compact is that most of the heavy lifting of these tools happens in the cloud, where they can bring to bear big data techniques and data visualization to identify and block a potential attack.

The variety of approaches is stunning, and worth a closer look at these tools, to see if you can leverage one or more of them to better protect your endpoints.

iBoss blog: Beware of Malware Stealing Privileged Credentials

When it comes to stealing information, hackers know where to look, and it usually is those users who have the most privilege or greatest access to network and system resources. The typical attack is to somehow locate one of your network’s weakly-protected PCs, create a rogue guest account to gain initial access, and then try to escalate this account to an administrator or someone who has more access rights to do more damage or obtain sensitive information. I talk more about this on a recent blog post for iBoss here.

Detecting malware with Sophos XG Firewall and Security Heartbeat

Sophos has developed an interesting and innovative new security product that bridges the gap between its endpoint and network protection products. Called Security Heartbeat, it requires a Sophos XG firewall and any of Sophos’ cloud-based endpoint protection agents. The entry level firewalls start at $300 and larger models can go for ten times that, with support contracts extra.

We tested the Sophos products during November 2015. Sophos is not as well known as other firewall vendors, but the use of the heartbeat is such an obvious benefit and the kind of innovation that you wonder why it hasn’t been done before.

Network World: Centrify tops the group of 7 SSO products

Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. A number of new vendors have come to ply their wares, and a number of old vendors have been acquired or altered their products.

For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service (the overall winner, whose dashboard is pictured above), Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s Ping One, Secure Auth’s IdP, and SmartSignin. In addition to these products, we also looked briefly at AVG’s Business SSO. Overall, products have expanded their authentication support, moving towards integrated mobile device management, using more cloud-based solutions, and supporting more apps. You can read here the entire text of my review, published today.

Network World review: Portnox, Extreme lead NAC pack

Remember when network access control (NAC) was all the rage? Remember the competing standards from Microsoft, Cisco, and the Trusted Computing Group? Back around 2006, there were dozens of NAC products, many of which turned out to be buggy and difficult to implement.

But NAC hasn’t disappeared. In fact, NAC products have evolved and improved as well. I reviewed Enterasys/Extreme Networks Mobile IAM, Hexis Cyber Solutions NetBeat NAC, Impulse Point SafeConnect NAC, Pulse Policy Secure, and Portnox NAC. Overall, Portnox (above) was tops.

You can read my full review in Network World here.