Cisco Blogs


Cisco Blog > Security

A Holistic Approach to Secure Enterprise Mobility

Cisco_FOM_Podcast_Gordon 6.18.14“It’s not secure enough… so we are not going to allow it to happen.”

Does this phrase seem all too familiar?

Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.

As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?

Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.

Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:

“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”

With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?

Complexity: There Are No Boundaries Anymore

One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.

Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.

A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!

IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.

Read More »

Tags: , , , , , ,

New blueprint for data center security

RATS in the Data Center, a recent blog post by Cisco’s Tom Hogue, highlighted the current threat landscape for data centers. Tom was referring to Remote Access Toolkits, not the disease-carrying vermin that likely started the plagues that ravaged Europe in the Middle Ages. However, the destructive effect of modern-day RATS can be devastating.. They provide a novice hacker the tools to craft a successful attack, lowering the skill and proficiency needed while increasing the volume and likelihood of attacks. And RATS attacks will likely target the data center because that is where the most valuable information is stored – whether it’s credit card numbers, social security and other personally identifiable information (PII), financial records, intellectual property, or trade secrets.

Many organizations secure the perimeter of their network. But once network access is granted, there are minimal controls in place for authorized users. They are completely trusted on the network. The underlying problem in today’s threat environment is these users may not be in control of their device due to malware infection. Or they may not be who they say they are due to stolen credentials/passwords. A new model is needed to continually protect the critical assets of the business and to minimize complexity while supporting new data center services and business models.

Cisco developed the Secure Data Center for the Enterprise Solution portfolio of validated design guides to create a comprehensive and modular approach to securing data centers. The newest Cisco Validated Design (CVD) to be added to this portfolio is Threat Management with NextGen IPS -- First Look Design Guide.  This new CVD builds on the capabilities introduced in the Single Site Clustering with TrustSec CVD by integrating the FirePOWER NextGen IPS to provide a true threat management system. The FirePOWER appliance provides threat protection capabilities beyond what a traditional IPS offers, resulting in a comprehensive solution for today’s malicious environment using highly capable threat management workflows. These workflows provide a different approach: the point of view of a cyber-attacker.

A First Look from a Different Viewpoint

That’s what makes this CVD intriguing—and, we hope, very useful. By looking at the “Attack Chain” where the capabilities to execute a successful attack are developed, this information can arm cyber-defenders with the tools and knowledge to effectively protect their networks and the business-critical information contained in their data centers.

 

Attack Chain

Attack Chain

 

The Threat Management with NextGen IPS First Look Design Guide also introduces a new security model, the attack continuum, which identifies each of the critical processes integral to a complete security system. This model addresses the cyber threat problem by looking at the actions to take before, during, and after an attack, across a broad range of attack vectors such as endpoints, mobile devices, data center assets, virtual machines, and in the cloud. Where most security solutions tend to address threat protection at a single point in time, it is important to look at it as a continuous cycle with key actions to take at each point in time.

Attack Continuum

Before an Attack: Organizations need complete visibility of their environment, including but not limited to the systems, services, users, endpoints, operating systems, applications, and network behavior models. From this visibility, ongoing monitoring and actionable alerts must be in place so informed decisions may be made in a timely manner.

During an Attack: Awareness is critical to identify the attack at the earliest possible point in time, ideally before the critical systems are compromised and valuable data is accessed. A security system should aggregate and correlate data using historical patterns and global attack intelligence to provide context to distinguish between active attacks, exfiltration, and reconnaissance using continual analysis and decision making.

After an Attack: Retrospective security is a big data challenge. With an infrastructure that can continuously gather and analyze data to create security intelligence, security teams can, through automation, identify indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection, and then remediate it.

The attack continuum model provides a view of how to address threats, and helps build a framework of capabilities so organizations can start implementing robust security controls to protect their data centers. This new Cisco Validated Design, Threat Management with NextGen IPS, provides fresh tools and technologies needed to develop a comprehensive response to today’s threats affecting not only the data center, but also the entire enterprise.

Cisco Web Security and the Health Insurance Portability and Accountability Act (HIPAA)

Spurred by the Health Insurance Portability and Accountability Act (HIPAA), which outlined a set of standards and guidelines for the protection and transmission of individual health information, as well as the subsequent amendment to address standards for the security of electronic protected health information, customers often ask me the following questions:

  • Is your product HIPAA certified?
  • Is your product HIPAA compliant?
  • Will your product meet HIPAA standards?
  • If I implement your products, will I be HIPAA compliant?

While this blog post is in no way to be construed as legal advice, I wanted to provide an overview pertinent to answering the above questions.

The Reality

In short, the answer to the above questions is NO! Here is why. There are no products on the market that are HIPAA certified or HIPAA compliant! I know this sounds challenging and some vendors have claimed that implementing their products will make the customer HIPAA compliant, but that is not the case.

HIPAA cannot be addressed with a single product or set of products. HIPAA is a series of policies and procedures that “covered entities” must implement to safeguard information. Products manufactured by Cisco and other technology companies can be used to implement those defined policies and procedures but the simple inclusion of a technology in the network does not automatically make an entity compliant. Products have to be configured to adhere to the standards set forth by HIPAA.

For a better grasp on the implications of HIPAA, let’s take a look at some of the details outlined in the Act.

Covered Entities

First, let’s examine a 2“covered entity” as defined by HIPAA.

HIPAA standards apply only to:

  • Health care providers who transmit any health information electronically in connection with certain transactions
  • Health plans
  • Health care clearinghouses

What is a Health Care Provider?

Any person or organization who furnishes, bills, or is paid for health care in the normal course of business

Protected Information

1The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (see the Privacy Rule at 65 FR 82496. See also 67 FR 53191 through 53193).

3The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Technical Safeguards

HIPAA defines security controls around the storage, access, control, and transmission electronically of the above noted protected information.

1Technical Safeguards (§ 164.312)

We proposed five technical security services requirements with supporting implementation features: access control, audit controls, authorization control, data authentication, and entity authentication. We also proposed specific technical security mechanisms for data transmitted over a communications network, communications/network controls with supporting implementation features; integrity controls; message authentication; access controls; encryption; alarm; audit trails; entity authentication; and event reporting.

In this final rule, we consolidate these provisions into § 164.312. That section now includes standards regarding access controls, audit controls, integrity (previously titled data authentication), person or entity authentication, and transmission security.

4Technical Safeguards Summary

  • Access Control—A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls—A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls—A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security—A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Cisco believes that today’s dynamic threat landscape, new business models, and complex regulatory requirements require a new threat-centric approach to security. This new security model reduces complexity, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum. This makes it easier for customers to act more quickly before, during, and after an attack, which is particular important to risk management and reduction.

In regards to Cisco Web Security products and transmission security conformance, Cisco Web Security products provide the necessary encryption services along with audit, entity authentication, and event reporting to help address the technical safeguards.

Cisco Web Security products do not determine that the receiving website is of the appropriate type or has implemented the appropriate controls for handling HIPAA protected data but ensures that the information was transmitted securely upon request by the transmitter (think data loss prevention, not covered in this paper). It is the responsibility of the customers’ security and administrative staffs to determine which sites are deemed acceptable for receiving or transmitting this data. Cisco Web Security products can provide transmission security, transmission entity authentication, event reporting, and integrity of the transmission via the HTTPS protocol.

Conclusion

The Department of Health and Human Services HIPAA Act of 1996 amended in 2003 has many complex provisions and should be reviewed on a regular basis by any covered entity’s security and administrative staffs for conformance. The intent of the Act is the protection of private health information via both administrative and technical safeguards. Cisco provides a range of security products that can be used by customers to meet many of the requirements outlined in the HIPAA standards but only if properly configured, maintained, and monitored. As stated earlier, deployment of a single product or set of products will not, in and of themselves, ensure HIPAA compliance.

References

  1. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
  2. http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/coveredentities.pdf 45 CFR §§ 160.102, 164.500
  3. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  4. http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Tags: , , , ,

A New Model to Protect the Endpoint, Part 1: Continuous vs. Point-in-Time Security

The fundamental security problem that many defenders face is securing their environment in a world of continuous change. IT environments change. Threats change. But today’s threat detection technology doesn’t change. It’s stuck in time, point-in-time to be exact.

Sure, detection technologies have evolved. The latest improvements include: executing files in a sandbox for detection and analysis, the use of virtual emulation layers to obfuscate malware from users and operating systems, reputation-based application whitelisting to baseline acceptable applications from malicious ones, and, more recently, attack chain simulation and analysis detection. But predictably, attackers fundamentally understand the static nature of these security technologies and are innovating around the limitations associated with them to penetrate network and endpoint defenses.

These point-in-time detection technologies will never be 100 percent effective and are unable to identify the unfolding follow-on activities of the attacker which require continuous scrutiny. The disconnect stems from the fact that malware is dynamic and three dimensional. It doesn’t just exist in a two-dimensional point-in-time ‘X-Y’ plot waiting to be detected, where X is time and Y is the detection mechanism. Malware exists as an interconnected ecosystem that is constantly in motion. To be even remotely effective, malware defenses have to be multi-dimensional and just as dynamic, taking into account the relationship dimension as well.

Read More »

Tags: , , , ,

Steganographic Key Leakage Through Payload Metadata

Steganography is the ancient art of invisible communication, where the goal is to hide the very fact that you are trying to hide something. It adds another layer of protection after cryptography, because encrypted message looks like gibberish and everyone immediately notices that you want to hide something. Steganography embeds the (encrypted) secret message into an innocuous looking object such that the final communication looks perfectly normal. The “analog” form of steganography is the art of writing with invisible ink. The digital version hides the message by a subtle modification of the cover object. Probably the most researched area in digital steganography uses digital images as a cover media into which the message is inserted. The oldest (and very detectable) technique replaces the least significant bit (of each colour channel) with the communicated message. Shown below, the first picture is the cover object and the second one is the stego object.

cover

stego_2

Read More »

Tags: , , , ,