SearchSecurity: Virtualization security tools defend across clouds

The days when IT managers used different security products to protect their on-premises and cloud infrastructures are happily coming to a close. There’s a growing awareness that migrating virtual workloads to new IT infrastructure requires different levels of protection with security mechanisms built-in.

In this story for TechTarget’s SearchSecurity, I talk more about this trend and some of the products (such as Catbird’s shown above) that can be used to protect your cloud-based resources.

Detecting malware with Sophos XG Firewall and Security Heartbeat

Sophos has developed an interesting and innovative new security product that bridges the gap between its endpoint and network protection products. Called Security Heartbeat, it requires a Sophos XG firewall and any of Sophos’ cloud-based endpoint protection agents. The entry level firewalls start at $300 and larger models can go for ten times that, with support contracts extra.

We tested the Sophos products during November 2015. Sophos is not as well known as other firewall vendors, but the use of the heartbeat is such an obvious benefit and the kind of innovation that you wonder why it hasn’t been done before.

Brian Krebs and the Rise of Mexico’s ATM Skimmers

ATMs have long been targets for thieves; there was the Tyupkin malware, which could control cash drawers, reported on last fall. But a more popular form of attack is carried out via ATM skimmers, which are typically overlays attached to the outside of the ATM unit. When you insert your card into the machine, these skimmers capture your account number and PIN, which will be used later to clean out your account.

ATM Skimmers Threaten Travelers

PC Magazine has a long list of suggestions about how to recognize these skimmers, as well as how to take care when you are getting cash in a new location to ensure you’re accessing the legitimate ATM service. This is especially a problem now that many ATMs are being made by private vendors and are situated in non-banking areas such as bodegas and bars. That could be an issue, especially with the rise of more sophisticated ATM skimmers. It is hard enough to obtain foreign currency from a legit machine, given language and other issues. Now you have to worry if you are just giving your identity to the bad guys.

As ATMs become more popular, the crooks are paying more attention and getting more sophisticated in compromising operations. With that in mind, it’s worth reading a series by security analyst Brian Krebs that he posted in September. Earlier this year, he was invited to come down to Mexico and see the problem firsthand. He managed to find at least 19 different ATMs that all appeared to be hacked and retrofitted with tiny, sophisticated devices that store and transmit stolen data and PINs via Bluetooth technology. These ATM skimmers could have been installed by compromised employees bribed to open up the machines and insert the necessary circuit boards to trap customer data.

As Krebs wrote in one blog post, “Stolen card data can be retrieved from the Bluetooth components wirelessly: The thief merely needs to be within a few meters of the compromised ATM to pull stolen card data and PINs off the devices, providing he has the secret key needed to access that Bluetooth wireless connection.”

Unlike the more traditional ATM skimmers, there is no way to immediately know if a machine has been tampered with other than by analyzing the Bluetooth signals coming from the machine. In fact, Krebs found one such machine coincidentally at his own hotel! Despite meetings with the hotel security staff, he wasn’t able to get the ATM disabled.

Are Fake ATMs a Concern?

After more gumshoeing, Krebs was able to zero in on a company that is apparently producing these devices and masquerading as a legit ATM manufacturer. A fake ATM? Hold on, can that really be possible? Krebs described how it could work by generating canceled transactions. “For example, if the transaction is canceled before it reaches the processing switch of the customer’s bank, there would be absolutely no record of the customer using the ATM, despite the card data and PIN being compromised,” he wrote. This would make it harder for the banks to track down the compromised ATM, particularly if these canceled transactions were spread around the country.

Krebs mentioned that the problem isn’t unique to Mexico: Back in the U.S., a Connecticut fraudster was arrested in 1993 for placing fake ATMs across the state. The tipoff? These fakes never contained any actual cash to dispense.

Given these exploits, there are a few suggestions you should remember the next time you need to get cash. First, follow the PC Magazine suggestions on being aware of the kind of ATM you are about to use. Second, when abroad, use a bank-owned machine whenever possible and not a private, third-party ATM; the ATM skimmers that Krebs found were all from private parties.

If you do travel abroad frequently, make use of a special debit card that has a limited balance in case it does get compromised. Finally, examine your bank statements and reconcile all of your account activity as soon as possible after you return to ensure your account hasn’t been compromised.

SearchSecurity: Emerging security threats you are up against now

Blended threats and improvements to man-in-the-middle exploit kits have made malware more available to a wider audience of less-skilled cybercriminals. These bad actors can now launch drive-by attacks with just a few mouse clicks. At the same time, increases in state-sponsored hacking and the growing complexity of keeping modern browser plug-ins up to date have made the threats facing the enterprise network more numerous, sophisticated and pernicious. And even that old chestnut of social engineering has been made easier, thanks to the popularity of social networks that enable criminals to pose as co-workers or friends, falsely build trust and use that trust to steal credentials and assets from the unwitting.

You can read my post on SearchSecurity here on these and other trends in the threat landscape.

Does Your SOC Belong in the Smithsonian?

The Security Operations Center (SOC) may be going the way of the dodo bird as security professionals outsource their protection to managed and cloud services. While many large organizations still have SOCs, smaller enterprises are finding that new technologies and better security architectures lessen the need to assemble large teams. This combination can make an IT team more proactive in protecting their infrastructure even without having a formal operations center.

Outsourcing the Security Operations Center

Many organizations are finding that they don’t really need a SOC, and instead have outsourced its function to cloud or hosting providers. Running these operations centers can be costly, both in terms of employing staff members with a high level of experience available 24/7 and with purchasing all the various tools that have to be maintained and monitored.

“Mostly, we still see them in very large organizations,” said John Joyner, director of product development at Arkansas-based managed services provider Clearpointe. “A large enterprise needs a big security analysis team that can actively engage in fighting incidents and security issues. But smaller organizations can avoid this if they have implemented a cloud-based architecture and liberally employ encryption and protection technologies.” Additionally, they should rely on their hosting partners as a first line of defense against attackers.

Changing the SOC Pyramid With the Times

Joyner feels the security pyramid made popular by the SANS Institute and others isn’t really relevant to as many companies anymore. “We shouldn’t have to worry about this if we have built our systems correctly. While it is true that a denial-of-service attack can bring down a public website, an organization doesn’t have to host that website internally. Instead, they should move it to a cloud provider and let them handle the necessary security,” he said. “It makes more sense to put [our customer-facing websites in the cloud] than to run them on our own networks.” They do this with many of their customers’ websites, and because they are a Microsoft partner, use Azure as their cloud provider.

Joyner feels that today’s enterprises should harden their security infrastructure, perhaps by using network access controls or application-based security, which would make them that much more difficult to penetrate. “Why should anyone waste resources when there are so many great alternatives available?” he asked. “Certainly, for backups and disaster recovery, the cloud offers some solid and very secure solutions. But you don’t need a SOC for these functions.”

He talks about using “thoughtful applications architecture” — now there is a term that I like — and making sure that you can compartmentalize your various apps so when you do get penetrated the threat can be better contained, or better yet, alter your infrastructure so it doesn’t matter if you are penetrated. “We can replace most of our sensitive data so its capture doesn’t reveal anything.”

CDW StateTech Review: FireEye NX 1400

As cybercriminals exploit infected web pages to launch targeted attacks on state networks, security appliances are essential to thwarting them. The FireEye Network Threat Prevention NX-1400 1U appliance can protect up to 100 users from a variety of zero-day malware and multiprotocol attacks.

You can read the full review in this month’s StateTech Magazine here.

Time to secure your website with an SSL EV certificate

This post is going to be a bit more technical than most, but I will try to keep it as simple as I can. Last month I wrote about how domain owners can mask their identity by purchasing extra-cost private domain services. Today I want to talk about the opposite: where domain owners want to prove who they really are by making use of special encrypted certificates, called Secure Sockets Layer Extended Validation or SSL EV certs. It is something whose time has finally come.

One of the many problems with the average website is that you don’t necessarily know if the server you are browsing is for real or not. Scammers exploit this all the time when they send you a phishing email: they copy the “real” site’s images and page design for, say, your local bank, and then try to trick you into logging in on their scammy page, where they capture your credentials and then steal your money. Rinse and repeat several million times and even if just a few folks take the bait, they can grab some significant coin.

So along came the SSL certificate many years ago to try to solve this problem. It did, for a while, until the scammers figured out a way to spoof the certificates and make it look like they came from the “real” site operator. So the certificate issuers and several other interested parties got together and formed two efforts:

First was a standards body where they would up the ante for how certs were vetted, to make sure that the real owner was who they say they were. This involves checking the domain ownership and making sure there actually is a Real Corporation (or some other trackable entity) behind the Internet registration. Now there are three different levels of certs that are available: the regular, old-school cert called domain validated (DV), a medium grade one called organization validated (OV), and the most stringent of them all, the EV cert. Only the EV cert will turn the URL address bar of your browser green, showing you that you are connecting to the real site. Steve Gibson has a nice explanation on his site of how this works under the covers and how it is tamper-proof, at least so far.

That is nice and welcome, but the second effort is also interesting: a non-profit corporation is just getting ready to issue its own SSL certs for free. Called the Let’s Encrypt Project, they have begun with a few test accounts and will be ramping up over the next couple of months. The cost is nice — some of the issuing authorities such as Thawte and Digicert charge $300 per year for their SSL EV certs, and GoDaddy has recently discounted their SSL EV certs to $100 per year. (Wikipedia has a more complete list of those vendors that offer the EV certs.) But the real issue is that installing the certs is a multi-step process that requires some care. If you don’t do it very often (and why would you), it is easy to mess up. The Let’s Encrypt certs are supposedly easier to install.

One downside is that the free Let’s Encrypt certs aren’t EV-class ones: they are just the old-school, low-level DV certs. So if you are serious about your certs and want that nice green label in your browser, you still have to buy one. But at least the issue has been raised, and that is one of the reasons why I am writing about this arcane topic today. If you own a domain and are doing ecommerce from it, look into getting at least the free certs when they are available or pay for one of the EV models.
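The practical difference between the three validation levels shows up in the certificate's subject: a DV cert names only the domain, an OV cert adds the verified organization, and an EV cert additionally carries the registration fields (business category, registration serial number, jurisdiction) that the EV vetting process requires. The following is an added example, not code from the original post; it classifies a certificate subject string by those fields using constructed sample subjects. It is a heuristic over the subject DN (assumed to be in simple `key=value, key=value` form without escaped commas); browsers actually decide the green bar from the issuing CA's EV policy OID, which this check does not look at.

```python
"""Heuristic DV / OV / EV classification from an X.509 subject DN string."""

# Constructed sample subjects, in the "key=value, key=value" layout that
# openssl prints. These are not real certificates.
SAMPLE_DV = "CN=example.com"
SAMPLE_OV = "C=US, ST=California, L=Mountain View, O=Example Corp, CN=www.example.com"
SAMPLE_EV = (
    "businessCategory=Private Organization, jurisdictionC=US, serialNumber=1234567, "
    "C=US, L=Example City, O=Example Corp, CN=www.example.com"
)

# Fields the EV Guidelines require beyond plain organization identity
# (jurisdictionC is openssl's short name for jurisdictionCountryName).
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionC"}


def parse_dn(dn: str) -> dict:
    """Split a simple DN string into a field -> value mapping.

    Assumption: values contain no escaped commas, which holds for the
    constructed samples above but not for every real-world subject.
    """
    fields = {}
    for part in dn.split(","):
        if "=" not in part:
            continue  # ignore malformed fragments rather than guessing
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def validation_level(dn: str) -> str:
    """Return 'DV', 'OV' or 'EV' based on which identity fields are present."""
    fields = parse_dn(dn)
    if "CN" not in fields:
        raise ValueError("subject DN has no CN; not a server certificate subject")
    has_org = "O" in fields
    if has_org and EV_MARKERS.issubset(fields):
        return "EV"   # organization identity plus registration details
    if has_org:
        return "OV"   # organization vetted, but no EV registration fields
    return "DV"       # domain control only, e.g. a Let's Encrypt cert


def classify_samples() -> dict:
    """Classify the constructed samples; handy for a quick sanity check."""
    return {name: validation_level(dn) for name, dn in
            (("dv", SAMPLE_DV), ("ov", SAMPLE_OV), ("ev", SAMPLE_EV))}
```

A subject that has an organization but lacks any one of the EV registration fields is reported as OV, which is the conservative answer: the check never promotes a certificate to EV on partial evidence.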

SecurityIntelligence.com: Securing the nonprofit

Running an IT security department in a nonprofit or charitable agency is very different from what’s found in a typical for-profit corporation. I spoke to David Goodman, who has held CIO jobs in a variety of nonprofits and is now the CIO-in-residence for the international benefit company NetHope. In his universe, Goodman rarely sees the kinds of regulatory and compliance structures and level of security that are commonplace in the average bank or even a local business.

You can read my post for SecurityIntelligence.com here.

SearchSecurity.com: Five ways CIOs tackle hybrid cloud security

As CIOs adopt hybrid-cloud strategies, some quickly learn that these environments need new kinds of security models or, at least, contexts in which to apply existing controls and security technologies. Most organizations also find that their environments are not as simple as a pure private plus public cloud. Legacy on-premises systems and SaaS applications come into play.

You can read my article in SearchSecurity here as I interview several CIOs and what they are doing to protect their hybrid cloud deployments.

Authentication for the next generation

The new “my way” work style and the demand for on-the-go access to any service from any device and virtually any location requires that you bring your best encryption game with you when you’re on the move. This is especially true for the group of people often labeled Gen Y, or 20-somethings. Why? Because they are so digitally native and so used to living their lives with instant access to their money, their friends, really anything that they do. As they are so steeped in technology, they tend to forget that there are lots of folks online who want to steal their identities, empty their bank accounts, and cause other havoc with their digital lives. But Gen Y is also more likely to use mobile banking than their elders, and more likely to go elsewhere if banks do not offer the mobile services they desire.

For a white paper for Vasco, I wrote about the challenges around providing better and more native authentication technologies for Gen Y and indeed, all users.