Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32 bit to 64 bit.
In 2013, our internal Information Security team carried out a series of controlled anti-phishing exercises. The purpose was to raise employees’ awareness of potential spear phishing attacks through emails. Spear phishing has been a common first step for Advanced Persistent Threat (APT) attacks to gain access to a user’s system before launching further attacks at internal targets. As such, if employees are vigilant against such attack patterns, we should effectively reduce the risk of successful APT attacks involving email phishing.
Through a series specially designed phishing emails executed over the four quarters, at one to two emails each month, the team captured an average “click” rate of 26%. The lowest click rate was 5%, and a highest was 61%. However, month over month, there was no discernible trend, as some months were low and others suddenly shot up. What was the data telling us? Did the users’ awareness rise or remain indifferent because of this exercise?
Editor’s Note: In the two previous blogs, we discussed some of the issues and dilemmas found within information security knowledge and practice domains. Those challenges arise fundamentally from the traditional approach that many organizations have adopted to address information security requirements. In this fourth installment, we look at how good preparation can improve security outcomes, as illustrated in a few case examples.
As the Dutch philosopher Erasmus once said, “prevention is better than cure.” Most organizations’ security approaches have focused primarily on erecting defensive systems to prevent attackers from compromising information and systems through exploiting security weaknesses associated with technology, process, or people in the organization.
Chances are you might be reading this blogpost on a device other than a laptop or desktop computer. I’d also wager that the device you’re using to read this post handles double-duty – that is, you use it for both work (e.g., checking email, reviewing confidential documents) and play (e.g., Vine, Flappy Bird, social media).
You’re not alone. Everywhere you turn, you’ll see someone using a smartphone or tablet to be productive – both on corporate and non-corporate networks, for example, a coffee shop’s guest network. For enterprise IT, this means that the scope of managing an “enterprise network” has really expanded beyond controlling user access to a company intranet to controlling user access to company data across the “extended network” – wherever and however employees choose to do that.
The increased risk due to a larger “attack surface”, fundamentally changes how you approach access control and security. Traditional Network Access Control (NAC) was technology that, while complex and complicated to deploy, worked well enough when enterprise IT controlled the intranet and the procurement of allowed devices.
However, as the Enterprise Mobility, a.k.a. Bring Your Own Device (BYOD), phenomenon accelerated to become the new corporate norm, traditional NAC wasn’t as effective anymore, due to technology that was overly complex to scale with an overarching need for multiple 802.1X supplicants that generally targeted on more “traditional” endpoints like Windows PCs. As a result, enterprises turned to mobile device management (MDM) platforms as a new way to secure just those mobile devices. These MDM solutions were definitely easier and less expensive to deploy and manage than NAC and offered a tangible security ROI.
Even today, many organizations continue to use MDM (and its successor, enterprise mobility management or “EMM”) as a bit of a security silo to secure and manage these devices. However, as is implied, this strategy has a couple of caveats:
- MDM/EMM can enforce device policies (e.g., PIN lock, encryption, whitelisted applications) but offers zero enforcement capabilities for actual network access policies – e.g., restricting corporate network access to financial databases or sales document repositories. The device may be secured, but network access is potentially wide open.
- Obtaining 100% full compliance with installing/configuring the MDM/EMM agent on endpoints is nigh impossible, since the MDM/EMM solution works in isolation from other security solutions. Thus, compliance relies heavily on end-user cooperation and participation, which makes it highly likely that non-compliant devices could gain access to the network. From there, who knows what might happen, if the device is compromised.
The net-net here is that enterprises that leveraged solely MDM/EMM to protect their devices and networks are potentially achieving only part of their security objectives.
Fortunately, network access control platforms have seen a renaissance in the past few years and have evolved substantially. In my last post, I highlighted a recent white paper that discussed how NAC is evolving away from simply basic access or admission control and transforming into a more sophisticated set of controls for endpoint visibility, access, and security – technology dubbed “EVAS” by some. Unlike its overly complex and complicated ancestor, the newest generation of NAC solutions (or EVAS) utilize advanced contextual data gleaned from a number of different sources – including EMM/MDM – in order to enforce granular, dynamic network access policies. In essence, these solutions leverage the network as a sensor in order to make proactive access control decisions e.g., applying different access policy depending on the device being used or the compliance state of the device; or enforcing access to prevent unauthorized lateral movement across a network) throughout the extended network – regardless of how authorized users or devices connect.
This evolution has transformed NAC from a limited security hindrance into a powerful business enabler for enterprises, with more advanced solutions going beyond simple access policy and integrating with other network and security solutions to share data and improve the efficacy of all solutions. For example, here at Cisco, when I attempt to access the network with my iPad, the Cisco Identity Services Engine (“ISE”) (our NAC/EVAS solution) sees my device’s attempt to connect. It checks the profile and posture of the tablet to ensure that it is compliant with our mobile device wireless access policy (i.e., with MDM/EMM software installed). If not, Cisco ISE, which is integrated with an EMM/MDM software solution, redirects me to install that software first in order to become compliant before I gain whatever access my particular level of authorization allows on the network. With this integration between the two solutions, my tablet is now secured with the MDM/EMM software, and my level of access to network resources is seamlessly controlled, down to the letter, courtesy of the NAC/EVAS solution. Caveats solved.
Ultimately, this is just the beginning. Enterprises have realized that the “new NAC” can serve as a viable centerpiece for not only securing access but also for integrating with existing and previously silo’ed security and productivity solutions – like EMM/MDM – that may already be deployed in the enterprise network.
At the end of the day, NAC sure isn’t what it used to be…but that’s, actually, a very good thing.
For an additional perspective on NAC, market trends, and solutions, I invite you to look at the newly-released 2014 Gartner Magic Quadrant for Network Access Control (NAC).
Editor’s note: In A Circular Problem in Current Information Security Principles, we highlighted one of the challenges in our knowledge domain that contributes to the ineffectiveness of today’s information security practices. In this third installment, we review the issues and dilemmas that are common in our practice environment.
One of the challenges information security management teams face is justifying their value proposition to the business to ensure that security requirements receive adequate resource allocations. The paradox here is that if security management within an organization is effective, the results typically show no observable outcome (i.e., no security incident). Interestingly, even if a security incident is not present, it does not necessarily mean that good security management practices are in place. They might be missing because of a security detection mechanism flaw, or simply because the attacker has no interest in carrying out an attack during that time period.
On the other hand, when a security breach occurs, the security manager is often questioned for failure to anticipate and prevent the incident. Security managers therefore often fall back on past or external incidents as a form of justification. Business managers frown on these explanations because they normally do not believe they are no better than their peers or competitors in the industry. Read More »