|THE IT SECURITY PROFESSIONAL|
The IT Security Professional
Helping Organizations Understand IT Security
The cloud has become ubiquitous in today’s IT infrastructure as most organizations have adopted it as an integral part of their infrastructure architecture, but it continues to be difficult to implement and setup properly. While there are controls and specific settings that can be applied to your cloud resources, it is important to understand which ones and how to do it. This begins with choosing the right service provider and developing an overall strategy on how it will be implemented within your company.
1. Determining the Right Service Provider
This begins with determining the right service provider. While there are a couple of HUGE players in this area (we don’t need to drop names here). They are not the only ones these days as there are more and more independent or affiliated providers that are becoming more competitive in the market. When implementing cloud security, it’s not just the data center that you are evaluating. It is the services that the provider has to offer and what types of security application resources they have to offer.
Understanding what you will be using the cloud infrastructure and resources for is an important part of the evaluation and implementation process. The controls that are used to secure the cloud infrastructure will be different depending on its usage within your infrastructure. This is a key component of securing the cloud, including the cloud as part of the network, and securing as you would those within your corporate firewalls.
2. Zero Trust
DON’T TRUST ANYBODY! REALLY, I MEAN IT, DON’T TRUST ANYBODY! This seems to be a great mantra these days as we find that even the slightest kink in the armor of a well-protected network can lead to a compromise. Employing Zero Trust across your cloud infrastructure will allow you to enforce and implement security controls that require your users to validate who they are by multiple methods.
Why is this important? Because the cloud is one of those resources that once you are able to compromise a server or application, or even a service, it is easy to pivot and try to get into other resources of the same company (yes, even if they are logically separated) or even a different one for that matter. Zero trust allows you to be able to require and restrict all users regardless of who they say they are. This is critical for those services that your organization depends on to deliver for your customers and clients.
3. Access Management
Once the service provider has been determined, it is important to determine who will gain access and how will they be granted it. The various service providers all have the capability to help determine who will be granted it. Additionally, they may have the capability of implementing multi-factor authentication (MFA). Logs and access events will also be recorded and documented, which is important if you want to know who is access your cloud resources and when.
4. Endpoint Security
Securing your endpoints in the cloud is one area that most organizations do not employ when setting up and configuring their resources. This is a mistake and these assets should be protected as much as the systems that sit in the office or in the homes of your employees. Its important to have the same security measures in place for your cloud assets. A majority of organizations will depend on service providers for their security controls, even when this is not the case.
The organization pays for the hardware and the bare metal of the servers and the infrastructure for which those assets reside. It is up to the company to employ endpoint security measures to secure those endpoints. Whether this means employing malware detection software, or scanning those assets for vulnerabilities, it is important that those systems are managed in a similar manner as those that are on premises.
5. Network Monitoring
One of the key areas of monitoring will be the network environment, this is especially true of the resources and infrastructure that your utilizing in the cloud. This resource is something that your business will be paying for and it is important that it be utilized effectively. Monitoring traffic, access, and utilization are all important aspects that should be monitored closely be any company.
6. Define Cloud Usage Policies/ Procedures
No matter why you are using the cloud, defining the policies and procedures that you will use is important for your company to establish right away. The reason for this is that resources in the cloud are finite and you may be restricted based by capacity or availability, and even monetarily. These restrictions can be detrimental to an organization that is using the cloud infrastructure to enhance their network environment. Establishing the guidelines for its usage is important as it will lay the groundwork for future development and utilization of those resources.
7. Determine Trusted Services
What services are you employing using the cloud? Setting up trusted services allows for the organization to employ automated processes to help secure those services in a timely manner. Whether it is the deployment of certificates from a trusted certificate authority as soon as the previous one expired. This allows your IT Security staff to be one step ahead of a potential bad actor.
Establishing the trust relationship will enable an organization to secure its perimeter by trusting that those services meet specific requirements. Its important for an organization to determine what specific factors they will want in a trust relationship and how those factors are measured. While most cloud providers will be able to help in this process, it is important that IT Security Pros follow up and do their own evaluation.
8. Manage Data
Understanding your data and how it will be transmitted and stored is important especially when monitoring network traffic. Data can accumulate at a rapid pace and it can be difficult to sift through the complex and exhaustive logs and datasets. Developing a process for how this data will be managed and monitored will help to make sure that this information is manageable.
Depending on which industry you are working in, there may be specific requirements as to how long the data will need to be stored for. It is important to understand these requirements as they will effect which standard your organization adopts. With data storage, it all comes down to the capacity to store the data and how it is managed once it is collected. Having this addressed when you setup your cloud environment will go a long way in saving headaches later on.
9. Adopt a Standard
While there is a myriad of standards out there, it is important to pick and adopt a standard that makes sense for your organization. This may be due to the type of work your company does, or industry specific requirements. Whatever the reason, adopt a standard. Here are some cloud related standards to consider:
Having an established baseline to build from will help to determine configurations and settings that will be employed during the development of your cloud infrastructure. Being compliant with these standards is different than being certified as the majority of the standards listed here require a third-party assessment in order to validate their processes.
SummaryOrganization’s are continuing to adopt cloud services in order to realize the cost savings and the flexibility that these service providers are able to offer their business. No matter the reason that you are looking to adopt the cloud infrastructure, it is important to remember that there are things that you can do to help secure the environment and infrastructure. By employing the 9 Cloud Security Best Practices as outlined in this article, your organization will greatly benefit from the enhanced settings and configurations outlined here.
Companies and organizations continue to grow and develop, and as a part of that process, they end up acquiring other businesses through a merger or acquisition. The question always comes, how do you integrate the diverse networks while still being secure? This can be a complicated and difficult question to answer because of all of the variables and moving pieces involved in such a issue.
Whether you are the VP of IT, or the Director of IT Security, there is just not one way to tackle this issue. There are steps and some initial guidance on how this should be approached. While this is not a “one size fits all” type of recommendation, it can provide some of those basic aspects that you as the IT Security Pro will be facing.
Getting a Handle on Things
So, determining how you will integrate your computer networks and determining the direction from your senior management team will help facilitate a strategy that will be employed by your organization. This is true no matter if you are the acquiring organization or the one being acquired. This direction will help to provide a roadmap of how the integration will be accomplished and the ultimate goals that are looking to be achieved by its implementation.
Risk Assessment & Evaluation
Since you will be integrating two different networks, it is important to understand the potential risks involved and how those risks are evaluated. There could be quite dramatic differences between how the networks are managed and the resources that have been allocated to those requirements. Reconciling how this is accomplished will help to determine the course of action in merging these networks.
Evaluating network security is an important part of this initial assessment in that it will provide a gap analysis as to what might be missing in one network, and what is available with the other. Having this detailed out will also allow the IT Security Pro to determine the best course of action that needs to be taken. This will also help those in senior management to make decisions based on what is occurring instead of guess work done by non-technical staff members.
Course of Fire
Each of the organizations have a responsibility to inform the other of what actions and process were taking place prior to the acquisition. This area should be accomplished prior to finalization of the process, but due to the complexities that go into these sorts of deals, its not usually thought of till after the fact. This is where the IT Security Pro will step in and help guide and provide information to all of the stakeholders involved in the network integration.
This can be a very difficult aspect of the merger process to handle and should be carried out with integrations from both parties of the merger. Databases and repositories can be in diverse locations and both on premises and in the cloud. This can cause a headache to even the most seasoned IT Security Pro. Developing a plan on how to consolidate this information will be crucial in helping to determine the ultimate course of action that will be implemented.
There are two common methods that organizations may employ initially: with a full integration and merger coming later in the process:
Compliance Complicates Everything
Compliance requirements add to all the integration efforts a complication that can be very frustrating. This is especially true if you are in healthcare dealing with HIPPA requirements or PCI DSS for those in the banking industry. Some of these requirements and standards come into play when the organization hits specific benchmarks or capacities. Additionally, there could be fines associated with non-compliance to these standards as well.
With diverse organizations merging, some will have certifications and others may not. Determining what certifications to go with can or how they can be combined can pose its own difficulties. Some of these may be overcome with the accreditation body or the certification body that one of the organizations have used for their certification process. Also, adopting policies, procedures, and standards will have to be a course of action that should be addressed at the time of this integration process. The IT Security Pro will need to know the processes they need to follow and how that will relate to the work that they need to accomplish.
Making it Work
One of the most difficult aspects of this process is making everything work like it is all on the same network. Cost savings and combining resources is a huge reason why acquisitions happen. Once a strategy has been developed; it is up to the IT Security Pro to implement the plan and execute the various projects that can come from such a complicated project. Organizations will greatly benefit from the efforts that are put into the planning process and the IT Security Pro will benefit with they communicate these plans and issues to all the stakeholders involved.
Merger and acquisitions of corporate networks can be challenging, it is not as daunting as it looks on the surface. Integration needs to be planned and systematically applied across the network and its infrastructure. The effectiveness of this planning process will come in overall cost reductions in the management of the network and the increased efficiencies that come from integrating these systems. The roadmap to the integration should happen as soon as possible (during the negotiation period would be preferred) with both organizations providing resources and direction to the overall strategic outcome.
As the days continue to drag on with the most resent high-profile ransomware attack here in the US (Colonial Pipeline that started on May 6th 2021), the east coast and the south are feeling the brunt of the effects of this recent attack the most. This is not a new thing; ransomware has been around for a few years now and organizations of all sizes should be prepared for its potential effects on their business.
We have seen attacks against municipalities infrastructure and also governmental services as well. Ransomware is indiscriminate in who or what they attack, and let’s be clear here, these are individuals that are out to extort money from whomever and wherever they can. It is that plain and simple. This was a targeted attack on a system that was vulnerable.
Preparation for Attack
One of the key aspects that is coming to light after the initial shock of it is that the infrastructure that supports the US economy is the largest target on the face of the planet for these types of attacks. Whether it is the lack of a Patch Management Process, or simply using outdated and unsupported equipment, the attackers have done their research in preparation for the attack. Additionally, it was also revealed that they were able to exfiltrate a large amount of data prior to the attack taking place. Is this preparation for more to come?
Paying the Ransom or Not?
As most IT Security Pros know, the company or organization will have to determine what is in their best interests to do. Is it to pay the ransom and get on with your business, or is it better to work to find the culprits who are behind it, or even to simply replace the systems that have been locked? This is the biggest decision that must be made, and it can’t be made in a vacuum, it must be made in public. But this has consequences for either decision or the potential impacts those may have on the organization.
The issue that seems to come up is what sort of publicity is going to be generated by the ransomware attack? The Colonial Pipeline attack has proven that this key infrastructure is vulnerable and that security measures must be taken in order to address them. It’s a terrible thing to have the world know that you have lack security measures in place and that your organization has been using outdated processes and equipment on a vital piece of infrastructure.
What has come out in the last day (May 12th, 2021) is that Colonial Pipeline has told the world that they were not going to pay the ransom that was demanded of them. But as it turns out, they actually did, to the tune of over $5 million dollars. And when they got the key to unlock their systems, it didn’t work. Talk about having egg on your face! How will Colonial Pipeline explain what happened?
As organizations continue to keep quite on how much they are actually paying for the ransoms of their own information, attackers are ever increasing the amounts that they are asking for. As of the writing of this article, CNA Financial has recently disclosed that they have paid up to $40 Million dollars in order to obtain access to their information. (A link the article is provided below). This shows that depending on the organization that is targeted, it could end up being a huge payday for the criminals involved in the extortion.
Stemming the tide of Infection
One of the key components of ransomware is that it will usually migrate from system to system depending on the type and complexity of the infection apparatus that is being utilized. The following may be considered as ways of helping to stem the tide of infection and preventing more systems from being compromised:
The End User Delma
When it comes to security of the network, the key factor in all of the outbreaks of ransomware has been the end user doing or downloading something that they know they should not. This education process comes in the form of Security Awareness training and how often it is performed. People are creatures of habit and curiosity, and so they will perform tasks without really thinking of the consequences that it may cause them. Here are a few of the ways that a potential ransomware attack can compromise your network:
These are current solutions or ways in which to mitigate or lesson the potential impact of a ransomware attack:
Even with all the actions that have been provided here, organizations are still going to be compromised and will be held ransom for the data that they can’t access. This is also an ever-evolving area of IT Security and the IT Security Pro will need to know what it takes to help prevent an outbreak to their systems. No matter what strategy is employed by the organization, there will be a way to defeat it or work around it. The easiest way as pointed out above, is to focus on the end user and their potential actions when provided a compromised system of file.
User education will allow the IT Security Pro to know where a potential attack may be coming from and what form it may be coming in. Educating the end user will help to secure up the frontline in the threat of a potential ransomware attack or may end up preventing one.
Business Continuity Testing & Evaluation Scenarios
When it comes to Business Continuity Planning (BCP), nothing makes an IT Security Pro more nervous than testing the plan they just created. Whether you live in the Northwestern US, or in Europe, planning for a disaster or business interruption is an important aspect of evaluating the planning process. Whether you are looking to perform a functional test, or just a table-top test, determining the type of scenario can be a daunting task, even scary to even contemplate.
Testing & Evaluation
As part of the evaluation process, IT Security Pros will have to test the BCP in order to determine any gaps or areas that should be addressed that may have been missed during the planning process. This process is perhaps the most important part of planning for a disaster. Measuring the effectiveness of the planning process will allow the organization to determine if they need additional controls or assets in order to deal with the possible incident.
Testing of the BCP should be only to the level that you need to have in order to validate the planning process. There are several levels of testing, and I have listed a few of them here for you:
Choosing a test scenario is important to help to establish guidance that will help the stakeholders or decision makers to “visualize” the events. This is where some creativity may be expressed, as to how realistic you want to be. The basic rule of thumb here is to keep it realistic enough that the company can realistically plan for dealing with the various scenario that is addressed in the testing process. Some examples might be:
Evaluating how your business did during the testing process can be difficult do to how you set up the overall testing and evaluation strategy that you will be using. Evaluation can take many forms, but the focus is to provide feedback to leadership as to how well the company will or won’t do in case of a significant business impacting event. Some sample metrics are below:
Communication in case of a disaster is one of the most important aspects that an organization should address prior to the testing and evaluation process. Asking the following questions may help:
While you will not be able to plan for every major disaster that may occur (see zombie apocalypse/ asteroid impact). Your BCP should be robust enough to be able to deal with multiple types of events. Testing and evaluation of the planning process will help to validate the plan and show the business where potential improvements may need to be made. One plan will not fit all situations, so flexibility will be the name of the game when developing your plan.
With the focus of the plan being on the services or products that your business provides being one of the main drivers, it is also important to remember that without your employees and staff, those capabilities will not be able to be carried out. The company can always replace equipment or where it conducts business, but you can’t replace your personnel.
As the investigation continues into the breach of the computer system for the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th. What is becoming clearer is that this hack was due to several different failures in security that led to the site to be compromised by attackers. While the damage was little, it could have been a lot worse.
While this investigation into the breach of security is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues were compounded by the other and helped to provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked.
Here is the list on known security failures as of this post:
While each of these failures are not the only reason for the compromise, all of them in conjunction with one another led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal.
The FBI was called in to investigate the compromise and found that the levels of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes. This chemical is used to clear clogged drains and could have caused potential deaths if ingested by members of the public.
Addressing the failures that have been identified by this attach should be remediated so that a similar type of attack does not occur. But this threat has showed what IT Security Pros already know, our infrastructure is not keeping up to date with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software due to not having the funds to replace or update them.
While taking corrective measures now will address these issues, this is a systemic issue that will only be solved when municipalities, and jurisdictions start taking security seriously and not putting off the much-needed upgrades and enhancements that are required to stay up to date. Microsoft for one puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications. Why didn’t the municipality head those warnings and transition to supported hardware and software applications?
Due to the attention that this event is getting, it seems that these corrective actions will be taken as the city tries to deal with the fall out of it. But the underlying fact remains that all public utilities face, a crumbling infrastructure and the management systems that are needed to keep them up and running. This is a high visibility event, and the attention will be on the city to see how they handle these issues in the future.
These remaining threats are going to continue to plague our technologically evolving infrastructure as well. As mentioned in infrastructure-security-securing-the-grid-of-the-future.html there are growing threats to the use of new technologies as well as securing the already well established infrastructure by upgrading the network hardware, software, and IT Security posture.
Security for Infrastructure
Here are some of my recommendations for dealing with these same issues, whether you are a small business, or a large municipality, here are some commonsense guidance that you can follow:
1.Only use supported hardware/software
This means to use only those systems and applications that are fully supported by the manufacturer and that if they are not, you replace them ASAP. This is one of the most common mistakes organizations make, waiting to upgrade later. Do not put it off, when it’s the end of life for a system or application, replace it.
2.Have a patch management program
With the hardware and the OS not receiving updates on a regular basis, these systems continue to increase in the amount of risk and potential vulnerabilities that they pose to the organization. Have an established patch management program and update software and hardware systems as soon as the patches come out. This helps to limit vulnerabilities while also ensuring that potential risks are mitigated in a timely manner.
3.Establish Strong Security Policies/ Standards
The need to establish strong policies and standards can’t be understated here. The use of the following types of characters should be used:
With all of these measures, access account passwords would be more complex and more difficult to potential cracks by an attacker. While no password is 100% secure, there are steps that administrators can take to improve the security of these accounts.
4.Restrict VPN Access to Key Systems
This can be accomplished by preventing incoming connection requests from being responded to, or by securing systems behind a firewall or in a DMZ with restricted IP access points. While there may be ways in which these steps can be overcome, those steps are made more difficult than by not having them in place. This should be especially true to those systems such as a water purification plant or even an electric distribution center.
While nobody was killed during this attack and someone was quickly able to respond to changes within the purification process, it could have been much worse. Like a lot of other assets that are government owned and operated, our infrastructure is prime for being targeted by those that want to do our country or our cities harm. No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions that they can be compromised and that they need to be up to date with their security posture, just like in the private sector.
The worst thing about this attack on the purification plant is that all these security issues should have been addressed a long time ago. Even if just upgrading and patching their systems could have helped deter a potential attack. Some of the simplest things make the biggest difference when it comes to these sorts of events. We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.
The use of Artificial Intelligence (AI) in IT Security is shaping up to be transformative in that it helps the IT Security Pro focus on the important aspects of the business, educating the end users. While AI allows for extra source of intelligence in the field, the biggest fear is that it will replace IT Security Professionals and the industry. This is not the case, but there will be synergy between the human in the loop, and the machine in the response to potential threats to the corporate business network.
AI vs. Machine Learning
AI implies that there is adaptive learning involved, and actions can change based on a given set of inputs. With Machine Learning (ML) there are a set of automated processes that are developed with a given scenario or set of inputs that match the specific criteria. Understanding these key differences allows for the IT Security Pro to use the best technology for any given situation that they may run into.
The use of ML is common with most IDS and IPS applications as they provide quick action and prevent further issues for the network with a given a specific set of inputs. This can be everything from disconnecting servers or preventing certain IP packets from traversing the network or to being addressed to a specific targeted IP address. AI will take more time to determine if the behavior is malicious and may also take other inputs into account prior to acting.
As an IT Security Pro, your day is filled with reviewing logs and data that is collected from various sources around your computer network. Whether these are firewall logs, or network traffic IP packets, there is a lot of data to process. This is one of the reasons that security applications that can correlate these records are one of the key components of any well-established IT Security Program.
The need we find is having to sift through these tens of thousands of entries to find the information that is meaningful to us. Even with this, sometimes the IT Security Pro may be overwhelmed with the amount of information they may be presented. This is where AI and ML come into their own. These technologies can help to sort out this data and provide the IT Security Pro actionable information and suggest a course of action depending on all the inputs that have been gathered.
Work with AI in IT Security
With the ever-complex state of IT Security these days, it is important that we use all the tools in the fight against any potential threats to our networks. This means leveraging the strengths of AI and ML to keep up with the changing attack vectors of the adversaries we must defend against. These are an ever-growing number of threats that the IT Security Pro must defend against and having a backup or additional support to help determine the course of action will be helpful. Especially when we must do more with less.
Some of these areas may be any of the following:
These are just some of the issues that an IT Security Pro may have to deal with daily. This is not mentioning the biggest threat of all, the end user. No matter how well you have a network protected, this can always be bypassed by the employee who does not want to work within the security guidelines.
Automated Processes for AI & ML
While there are number of areas that AI and ML can help, these technologies can also help streamline or automate repetitive processes that require attention from the IT Security Pro. These automated processes can be worked into an application or as part of a solution:
While AI and ML are advancing in their skills and capabilities, it is important to remember that these two supporting technologies will help ease the load from overworked and few IT Security Pros. Having an electronic eye on all the various operations that go on a computer network day in and day out will allow staff to address issues that they should really pay attention to, and not all of the static or background noise. Technology should help to enable the IT Security Pro to better secure the networks that we are responsible for, and not take the jobs away from human beings.
Erich is an experienced IT Security Professional that works with businesses of all sizes to help them understand the impact of IT Security on their organizations.