Canon Business Process Services suffered a security incident, according to a data breach disclosure by General Electric, for which Canon processes current and former employees’ documents and beneficiary-related documents.
GE systems were not impacted by the cyberattack, according to the company’s disclosure, but personally identifiable information for current and former employees as well as their beneficiaries was exposed in the Canon breach. The breach, which was first reported by BleepingComputer, took place between Feb. 3 and Feb. 14 of this year, and GE was notified of the breach on the 28th. According to the disclosure, “an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems.”
Said documents included “direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents.” Personal information stolen “may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.”
GE’s disclosure also said Canon retained “a data security expert” to conduct a forensic investigation. At GE’s request, Canon is offering two years of free identity protection and credit monitoring services.
GE shared the following statement with SearchSecurity regarding the Canon breach.
“We are aware of a data security incident experienced by one of GE’s suppliers, Canon Business Process Services, Inc. We understand certain personal information on Canon’s systems may have been accessed by an unauthorized individual. Protection of personal information is a top priority for GE, and we are taking steps to notify the affected employees and former employees,” the statement read.
Canon did not return SearchSecurity’s request for comment. At press time, Canon has not released a public statement.
Cisco believes CISOs are overwhelmed by too many security products and vendors, and the company introduced a new platform, ominously code-named Thanos, to help enterprises.
But despite being named after the Marvel Comics megavillain, Cisco’s SecureX platformisn’t necessarily designed to wipe out half of all existing security products within enterprise environments. Instead, Cisco is taking a different approach by opening up the platform, which was unveiled last month, and integrating with third parties.
Gee Rittenhouse, senior vice president and general manager of Cisco’s Security Business Group (SBG), said the aim of SecureX is to tie not only Cisco products together, but other vendor offerings as well. “We’ve been working really hard on taking the security problem and reducing it to its simplest form,” he told SearchSecurity at RSA Conference 2020last month.
That isn’t to say that all security products are effective; many “are supposed to have a bigger impact than they actually do,” Rittenhouse said. Nevertheless, the SBG strategy for SecureX is to establish partnerships with third parties and invite them to integrate with the platform, he said, rather than Cisco trying to be everything to everyone. In this interview, Rittenhouse discusses the evolution of SecureX, how Cisco’s security strategy has shifted over the last decade and the company’s plan to change the infosec industry.
Editor’s note:This interview was edited for clarity and length.
How did the idea for SecureX come about?
Gee Rittenhouse: We thought initially if we had a solution for every one of the major threats vectors — email, endpoint, firewalls, cloud, etc. — for one vendor, Cisco, then that would be enough. You buy Cisco networking and you buy Cisco security and that transactional model will simplify the industry. And we realized very quickly that didn’t do anything except put a name on a box. Then the second thing we thought was this: What happens if we take all these different things and integrate the back end together so that when I see a threat on email, I can block on my endpoint? We stitch all this together [via the SecureX framework] on behalf of the customer, and not only does the blocking happen automatically but you also get better protection and higher efficacy. We’d tell people we had an integrated architecture. And the customers would look at us and say ‘Really? I don’t feel that. You’ve got a portal over here, and a portal over there’ and so on. And we’d say, ‘Look, we’ve worked for three years integrating this together and we have the highest efficacy.’ And they’d say, ‘Well, everybody has their numbers …’
About a couple of years ago, we said we’ve simplified the buying model and simplified the back end. Let’s try to simplify the user experience. But you have to be very careful with that. The classic approach is to build a platform, and everyone jumps on the platform and if you only have Cisco stuff, life is great. But, of course, there are other platforms and other products. We wanted to be precise about how we do this, so we picked a particular use case around investigations. It’s an important use case. We built this very simple investigation tool [Cisco Threat Response] that you can think about as the Google search of security. Within five seconds, you can find out that you don’t have [a specific threat] in your environment, or yes, you do and here’s how to block it and respond. The tool had the fastest rate of adoption of any of our products in Cisco’s history. It’s massively successful. More than 8,000 customers use it every day as their investigation tool.
Were you expecting that kind of adoption for Cisco Threat Response?
Rittenhouse: No. We were not. There were two things we weren’t expecting. We weren’t expecting the response in terms in usage. We thought there’d be a few customers using it. The other thing that we didn’t expect was a whole use community came together to, for example, integrate vendor X into the tool and publish the connectors on GitHub. A whole user community has evolved around that platform and extended the capability of it. In both cases, we were quite surprised.
When we saw how that worked, saw the business model, and we understood how people consumed it, we attached it to everything and then said ‘Let’s take the next step’ with analytics and security postures. We asked what a day in the life for security professional was. They’re flooded with noise and threats and alerts. They have to be able to decipher all of that — can the platform do that automatically on their behalf? That’s what we’re doing with SecureX, and the feedback has been super positive
What kind of feedback did you get from customers prior to Cisco Threat Response and SecureX? Did they have an idea of what they wanted?
Gee RittenhouseSVP and GM, Cisco
Rittenhouse: There was a lot of feedback from customers who asked us to make the front end of our portfolio simpler. But what does that actually mean? It was very generic feedback. And in fact, we struggled with the ‘single pane of glass’ approach. What typically happens with that approach is you try to do everything through it, and all of the sudden that portal becomes the slowest part of the portfolio. This actually took a lot of time and a lot of conversations with customers on how they actually work. We engaged a lot of them with design thinking, and Cisco Threat Response was the first thing to come out of those discussions, and then SecureX.
And I want to make the distinction between a platform and a single pane of glass or a portal. And we very much think of SecureX as a platform. And when you think about a platform, it’s usually something that other people can build stuff on top of, so the value to the community is other people’s contributions to it, and you get a multiplier effect. There is only a handful of true, successful platform businesses in the world; it’s very hard to attract that community and achieve that scale.
Like other recent studies, Cisco’s CISO Benchmark Reportshowed that many CISOs feel they have too many security products and are actively trying to reduce the number of vendors they have. Other vendors have talked about this trend and are trying to capitalize on it by becoming a one-stop security shop and pushing out other products. But with SecureX, it sounds like you’re taking a different approach by welcoming third-party vendors to the platform and being more open.
Rittenhouse: We would encourage the industry as a whole to be more open. In fact, the industry is not very open at all. One of the benefits to being open is the ability to integrate. In today’s industry, for example, let’s say you’re a security vendor and your technology says a piece of malware is a threat level 5, and I say it’s a level 2. And you’re integrated into our platform, and you’re freaking out because it’s a level 5. I ask you, ‘Rob, why do you think this? What’s the context around this? Share more.’ And until you have that open interface and integration, I just sit there and say, ‘For some reason, this vendor over here claims it’s big, but we don’t see it'”
So yes, we’re open. And I would anticipate the user experience with Cisco security products integrated together will be very different than what you would get with third parties integrated until they start to share more. And this is one of the issues you see in the SIEM and SOAR markets; they become data repositories for investigations after you get attacked. What actually happened? Let’s go back into the records and figure it out. Because of the data fidelity and the real-time nature [of SecureX] this is something you interact with immediately. It can automatically trace threats and set up workflows and bring in other team members to collaborate because you have that integrated back end.
Cisco has said it’s thebiggest security vendorin the world by revenue, but most businesses probably still associate the company with networking. Now that SecureX has been introduced, what’s the strategy moving forward?
Rittenhouse: We’ve spent a lot of time on the messaging. I think more and more people recognize we’re the biggest enterprise security company. In many ways, our mission is to democratize security like [Duo Security’s] Wendy Nather said, so we want to make it invisible. We don’t want to be sending the message that you have to get this other stuff to be secure. We want it to be built into everything we do.
There’s been a lot of mergers and acquisitions, especially by companies looking to increase their infosec presence. But Wendy talkedduring her keynoteabout simplifying security instead adding product upon product. But it doesn’t sound like you’re feeling the pressure to do that.
Rittenhouse: No. We are not a private equity firm. We buy things for a purpose. And when we buy something, we’ll be happy to tell you why.
Todyl, a New York City company that sells a networking and security platform through MSPs, reported increasing interest in its product as organizations face secure remote access challenges.
“Things have been rapidly evolving over the last two weeks with the COVID-19 response,” Todyl CEO John Nellen said. “We have been really busy trying to help existing partners and new partners.”
The company offers MSPs — and their SMB customers — the ability to consolidate networking and security components into a cloud-based platform. Todyl MSP partners deploy the technology by installing agents on customers’ Windows, Mac, Linux, iOS or Android devices. A VPN tunnel then links customers to Todyl’s Secure Global Network offering, which incorporates web proxy, firewall, content filtering, intrusion detection/prevention (IDP), malware interception and security information and event management (SIEM) technologies.
The Secure Global Network’s points of presence link end customers to multiple network providers. Todyl’s platform connects organizations’ remote workers, data centers, cloud providers, main offices and branch locations, according to the company.
Todyl is currently offering its platform to MSPs for free for 30 days “to help support the immediate need,” Nellen said. Once the offer expires, pricing is device-based with add-on features. Todyl offers pricing for two groups: mobile (Android/iOS) and desktop/laptop/server (Windows, Mac, Linux).
MSP taps Todyl for remote enablement
Infinit Consulting Inc., an MSP based in Campbell, Calif., is selling Todyl as a white-labeled offering. The company has branded Todyl as Infinit Shield Total Defense, which it has paired with its own Infinit Shield security process management platform, according to Jerod Powell, president and founder of Infinit Consulting.
Powell called Todyl “instrumental in helping our customers rapidly enable complete remote workforce capabilities.”
Infinit Consulting had previously enabled nearly all of its customers to use cloud services, but the company is currently tasked with helping them significantly expand remote workforces. The expansion sometimes includes moving customers from having 15% of employees working remotely to nearly 100%.
While assisting with remote workforce expansions, Infinit Consulting has run into issues such as licensing and hardware limitations around customers’ previous remote work applications, Powell said. He pointed to another issue: Properly securing devices to ensure data integrity, company policy adherence and security, while allowing employees to work remotely — often from their personal home PC or Mac.
Powell said Todyl lets Infinit Consulting enable remote access in a matter of a few hours in a full-scale deployment. The Todyl offering also lets the company “secure that remote connection 100%, end to end;” bring clients onto the Secure Global Network; and feed data back to the SIEM. The SIEM feature provides the MSP with “the telemetry needed to identify potential security risks [and] enforce corporate policy just as if [remote employees] were on the client’s LAN.”
John NellenCEO, Todyl
He said Todyl also offers IDP and advanced threat protection scanning to flag potentially malicious applications and data before they reach customers.
The demand for supporting customers’ remote workforces is “extremely high,” Powell noted. He cited a case in which Infinit Consulting rolled out Todyl to a customer that needed to enable more than 500 users to work remotely. The customer’s previous remote work product only supported 100 users. Todyl also identified security issues in several of remote workers’ home PCs. The MSP was able to resolve those issues before admitting the remote workers’ devices onto the network, he added.
Powell said his company has created deployment packages for Todyl that can implement the product in an automated manner.
Waves of demand for secure remote access
Citing conversations with Todyl MSP partners, Nellen said MSPs anticipate two waves of unfolding demand for remote work technology.
The first wave consists of early adopters trying to quickly set up their organizations for newly distributed workforces. The second wave will comprise SMBs that have yet to determine the best way to support remote workers. Those companies will start making decisions, based on guidance from government agencies, in the coming weeks, Nellen said.
“They are expecting this not to be just a single shot, but something that is taking place and evolving over time,” Nellen said.
The city of Las Vegas used AI-driven infrastructure security tools to stop an attacker in January before sensitive IT systems were accessed, but the city’s leadership bets future attempts won’t even get that far.
“Between CrowdStrike [endpoint security] and Darktrace [threat detection], both tools did exactly what they were supposed to do,” said Michael Sherwood, chief innovation officer for Las Vegas. “We had [a user] account compromised, and that allowed someone to gain short-term access to our systems.”
The city’s IT staff thwarted that attacker almost immediately in the early morning of Jan. 7. IT pros took measures to keep the attacker from accessing any of the city’s data once security monitoring tools alerted them to the intrusion.
The city has also used Okta access management tools for the last two years to consolidate user identity and authentication for its internal employees and automate access to applications through a self-service portal. Next, it will reinforce that process with multi-factor authentication using the same set of tools, in the hopes further cyberattacks will be stopped well outside its IT infrastructure.
Multi-factor security will couple a physical device — such as an employee badge or a USB key issued by the city — with usernames and passwords. This will reduce the likelihood that such an account compromise will happen again, Sherwood said. Having access management and user-level SecOps centralized within Okta has been key for the city to expand its security measures quickly based on what it learned from this breach. By mid-February, its IT team was able to test different types of multi-factor authentication systems and planned to roll one out within 60 days of the security incident.
“With dual-factor authentication, you can’t just have a user ID and password — something you know,” Sherwood said. “A bad actor might know a user ID and password, but now they have to [physically] have something as well.”
SecOps automation a shrewd gamble for Las Vegas
Las Vegas initially rolled out Okta in 2018 to improve the efficiency of its IT help desk. Sherwood estimated the access management system cut down on help desk calls relating to forgotten passwords and password resets by 25%. The help desk also no longer had to manually install new applications for users because of an internal web portal connected to Okta that automatically manages authorization and permissions for self-service downloads. That freed up help desk employees for more strategic SecOps work, which now includes the multi-factor authentication rollout.
Another SecOps update slated for this year will add city employees’ mobile devices to the Okta identity management system, and an Okta single sign-on service for Las Vegas citizens that use the city’s web portal.
Residents will get one login for all services under this plan, Sherwood said. “If they get a parking citation and they’re used to paying their sewer bill, it’s the same login, and they can pay them both through a shopping cart.”
Michael SherwoodChief innovation officer, city of Las Vegas
Okta replaced a hodgepodge of different access management systems the city used previously, usually built into individual IT systems. When Las Vegas evaluated centralized access management tools two years ago, Okta was the only vendor in the group that was completely cloud-hosted, Sherwood said. This was a selling point for the city, since it minimized the operational overhead to set up and run the system.
Okta’s service competes with the likes of Microsoft Active Directory, OneLogin and Auth0. Las Vegas also uses Active Directory for access management in its back-end IT infrastructure, while Okta serves the customer and employee side of the organization.
“There is still separation between certain things, even though one product may well be capable of [handling] both,” he said.
Ultimately, the city would like to institute a centralized online payment system for citizens to go along with website single sign-on, and Sherwood said he’d like to see Okta offer that feature and electronic signatures as well.
“They’d have lot of opportunity there,” he said. “We can do payments and electronic signatures with different providers, but it would be great having that more integrated into the authentication process.”
An Okta representative said the company doesn’t have plans to support payment credentials at this time but that the company welcomes customer feedback.
Default configurations for most OSes are not designed with security as the primary focus. Rather, they concentrate…
on ease of setup, use and communications. Therefore, web servers running default configurations are obvious targets for automated attacks and can be quickly compromised.
Device hardening is the process of enhancing web server security through a variety of measures to minimize its attack surface and eliminate as many security risks as possible in order to achieve a much more secure OS environment.
Because web servers are constantly attached to the internet and often act as gateways to an organization’s critical data and services, it is essential to ensure they are hardened before being put into production.
Consult this server hardening checklist to ensure server hardening policies are correctly implemented for your organization’s Windows Internet Information Services (IIS) server.
Never connect an IIS server to the internet until it is fully hardened.
Place the server in a physically secure location.
Do not install the IIS server on a domain controller.
Do not install a printer.
Use two network interfaces in the server: one for admin and one for the network.
Restrict remote logons. (The “access this computer from the network” user right is removed from the Everyone group.)
Do not share accounts among administrators.
Disable null sessions (anonymous logons).
Require approval for account delegation.
Do not allow users and administrators to share accounts.
Do not create more than two accounts in the administrator group.
Require administrators to log on locally, or secure the remote administration system.
Files and directories
Use multiple disks or partition volumes, and do not install the web server home directory on the same volume as the OS folders.
Contain files and directories on NT file system (NTFS) volumes.
Put website content on a nonsystem NTFS volume.
Create a new site, and disable the default site.
Put log files on a nonsystem NTFS volume but not on the same volume where the website content resides.
Restrict the Everyone group — no access to WINNTsystem32 or web directories.
Ensure website root directory has deny write access control entry (ACE) for anonymous internet accounts.
Ensure content directories have deny write ACE for anonymous internet accounts.
Remove resource kit tools, utilities and SDKs.
Remove any sample applications or code.
Remove IP address in header for Content-Location.
Remove all unnecessary shares, including default administration shares.
Restrict access to required shares — the Everyone group does not have access.
Remove administrative shares — C$ and Admin$ — if they are not required. (Microsoft System Center Operations Manager — formerly Microsoft Systems Management Server and Microsoft Operations Manager — requires these shares.)
Restrict internet-facing interfaces to port 443 (SSL).
Run IIS Lockdown Wizard on the server.
Restrict remote registry access.
Secure the local Security Account Manager (SAM) database by implementing the NoLMHash Policy.
Auditing and logging
Audit failed logon attempts.
Relocate and secure IIS log files.
Configure log files with an appropriate file size depending on the application security requirement.
Regularly archive and analyze log files.
Audit access to the MetaBase.xml and MBSchema.xml files.
Security vendor Sophos this month expanded its endpoint protection lineup with Intercept X for Mobile. The new mobile security application extends the company’s Intercept security software to devices including phones, tablets and laptops.
The new offering is meant to bolster mobile threat defense for devices running on Android, iOS and Chrome. Features include:
Authenticator: Helps to manage multi-factor authentication passwords for sites like Google, Amazon and Facebook.
Secure QR code scanner: Scans target URLs for malicious content.
Privacy protection: Detects when personal data is accessed or if there are hidden costs associated with downloaded apps.
“The biggest unique point of the Intercept X model is that we are a security model, and we do security for different platforms and can be configured in one place,” said Petter Nordwall, director of product management at Sophos. “Intercept X, as a whole, can now protect Windows, Mac iOS, Chromebooks and servers. Regardless of what platform they use, they can use Intercept X.”
In “Advance and Improve Your Mobile Security Strategy,” a recent report from Gartner, senior analyst Patrick Hevesi found that “mobile security products are becoming increasingly important as a rate of mobile attacks continues to grow.” Hevesi recommended tech professionals track new threats, build a mobile threat defense strategy and set minimum iOS and hardware versions.
He added that organizations should focus on training users on what threats actually look like, rather than letting the systems do all the work.
“Everyone is doing antiphishing training, but think about the application,” Hevesi said. “The user doesn’t think about mobile in the same way; they see a highly rated app and don’t think about why the app needs permission to my contact data.”
Pricing for Intercept X for Mobile ranges from $24.50 to $63 per 100 seats depending on the addition of Sophos’ mobile, a unified endpoint management system. Intercept X for Mobile is available free for download for individual use, from Google Play and the Apple App Store.
Amazon Web Services has a stranglehold on the public cloud market, but the company’s dominance in cloud security is facing new challenges.
The world’s largest cloud provider earned a reputation over the last 10 years as an influential leader in IaaS security, thanks to introducing products such as AWS Identity & Access Management and Key Management Service in the earlier part of the decade to more recent developments in event-driven security. AWS security features helped the cloud service provider establish its powerful market position; according to Gartner, AWS in 2018 earned an estimated $15.5 billion in revenue for nearly 48% of the worldwide public IaaS market.
But at the re:Invent 2019 conference last month, many of the new security tools and features announced were designed to fix existing issues, such as misconfigurations and data exposures, rather than push AWS security to new heights. “There wasn’t much at re:Invent that I’d call security,” said Colin Percival, founder of open source backup service Tarsnap and an AWS Community Hero, via email. “Most of what people are talking about as security improvements address what I’d call misconfiguration risk.”
Meanwhile, Microsoft has not only increased its cloud market share but also invested heavily in new Azure security features that some believe rival AWS’ offerings. Rich Mogull, president and analyst at Securosis, said there are two sides to AWS security — the inherent security of the platform’s architecture, and the additional tools and products AWS provides to customers.
“In terms of the inherent security of the platform, I still think Amazon is very far ahead,” he said, citing AWS’ strengths such as availability zones, segregation, and granular identity and access management. “Microsoft has done a lot with Azure, but Amazon still has a multi-year lead. But when it comes to security products, it’s more of a mixed bag.”
Colin PercivalFounder, Tarsnap
Microsoft has been able to close the gap in recent years with the introduction of its own set of products and tools that compete with AWS security offerings, he said. “Azure Security Center and AWS Security Hub are pretty comparable, and both have strengths and weaknesses,” Mogull said. “Azure Sentinel is quite interesting and seems more complete than AWS Detective.”
New tools, old problems
Arguably the biggest AWS security development at re:Invent was a new tool designed to fix a persistent problem for the cloud provider: accidental S3 bucket exposures. The IAM Access Analyzer, which is part of AWS’ Identity and Access Management (IAM) console, alerts users when an S3 bucket is possibly misconfigured to allow public access via the internet and lets them block such access with one click.
AWS had previously made smaller moves, including changes to S3 security settings and interfaces, to curb the spate of high-profile and embarrassing S3 exposures in recent years. IAM Access Analyzer is arguably the strongest move yet to resolve the ongoing problem.
“They created the S3 exposure issue, but they also fixed it,” said Jerry Gamblin, principal security engineer at vulnerability management vendor Kenna Security, which is an AWS customer. “I think they’ve really stepped up in that regard.”
Still, some AWS experts feel the tool doesn’t fully resolve the problem. “Tools like IAM Access Analyzer will definitely help some people,” Percival said, “but there’s a big difference between warning people that they screwed up and allowing people to make systems more secure than they could previously.”
Scott Piper, an AWS security consultant and founder of Summit Route in Salt Lake City, said “It’s yet another tool in the toolbelt and it’s free, but it’s not enabled by default.”
There are other issues with IAM Access Analyzer. “With this additional information, you have to get that to the customer in some way,” Piper said. “And doing that can be awkward and difficult with this service and others in AWS like GuardDuty, because it doesn’t make cross-region communication very easy.”
For example, EC2 regions are isolated to ensure the highest possible fault tolerance and stability for customers. But Piper said the isolation presents challenges for customers using multiple regions because it’s difficult to aggregate GuardDuty alerts to a single source, which requires security teams to analyze “multiple panes of glass instead of one.”
AWS recently addressed another security issue that became a high-profile concern for enterprises following the Capital One breach last summer. The attacker in that exploited an SSRF vulnerability to access the AWS metadata service for company’s EC2 instances, which allowed them to obtain credentials contained in the service.
The Capital One breach led to criticism from security experts as well as lawmakers such as Sen. Ron Wyden (D-Ore.), who questioned why AWS hadn’t addressed SSRF vulnerabilities for its metadata service. The lack of security around the metadata service has concerned some AWS experts for years; in 2016, Percival penned a blog post titled “EC2’s most dangerous feature.”
“I think the biggest problem Amazon has had in recent years — judging by the customers affected — is the lack of security around their instance metadata service,” Percival told SearchSecurity.
In November, AWS made several updates to the metadata service to prevent unauthorized access, including the option to turn off access to the service altogether. Mogull said the metadata service update was crucial because it improved security around AWS account credentials.
But like other AWS security features, the metadata service changes are not enabled by default. Percival said enabling the update by default would’ve caused issues for enterprise applications and services that rely on the existing version of the service. “Amazon was absolutely right in making their changes opt-in since if they had done otherwise, they would have broken all of the existing code that uses the service,” he said. “I imagine that once more or less everyone’s code has been updated, they’ll switch this from opt-in to opt-out — but it will take years before we get to that point.”
Percival also said the update is “incomplete” because it addresses common misconfigurations but not software bugs. (Percival is working on an open source tool that he says will provide “a far more comprehensive fix to this problem,” which he hopes to release later this month.)
Still, Piper said the metadata service update is an important step for AWS security because it showed the cloud provider was willing to acknowledge there was a problem with the existing service. That willingness and responsiveness hasn’t always been there in the past, he said.
“AWS has historically had the philosophy of providing tools to customers, and it’s kind of up to customers to use them and if they shoot themselves in the foot, then it’s the customers’ fault,” Piper said. “I think AWS is starting to improve and change that philosophy to help customers more.”
AWS security’s road ahead
While the metadata service update and IAM Access Analyzer addressed lingering security issues, experts highlighted other new developments that could strengthen AWS’ position in cloud security.
AWS Nitro Enclaves, for example, is a new EC2 capability introduced at re:Invent 2019 that allows customers to create isolated instances for sensitive data. The Nitro Enclaves, which will be available in preview this year, are virtual machines attached to EC2 instances but have CPU and memory isolation from the instances and can be accessed only through secure local connections.
“Nitro Enclaves will have a big impact for customers because of its isolation and compartmentalization capabilities” which will give enterprises’ sensitive data an additional layer of protection against potential breaches, Mogull said.
Percival agreed that Nitro Enclaves could possibly “raise the ceiling,” for AWS Security, though he cautioned against using them. “Enclaves are famously difficult for people to use correctly, so it’s hard to predict whether they will make a big difference or end up being another of the many ‘Amazon also has this feature, which nobody ever uses’ footnotes.”
Experts also said AWS’ move to strengthen its ARM-based processor business could have major security implications. The cloud provider announced at re:Invent 2019 that it will be launching EC2 instances that run on its new, customized ARM chips, dubbed Graviton2.
Gamblin said the Graviton2 processors are a security play in part because of recent microprocessor vulnerabilities and side channel attacks like Meltdown and Spectre. While some ARM chips were affected by both Meltdown and Spectre, subsequent side channel attacks and Spectre variants have largely affected x86 processors.
“Amazon doesn’t want to rely on other chips that may be vulnerable to side channel attacks and may have to be taken offline and rebooted or suffer performance issues because of mitigations,” Gamblin said.
Percival said he was excited by the possibility of the cloud provider participating in ARM’s work on the “Digital Security by Design” initiative, a private-sector partnership with the UK that is focused in part on fundamentally restructuring — and improving — processor security. The results of that project will be years down the road, Percival said, but it would show a commitment from AWS to once again raising the bar for security.
“If it works out — and it’s a decade-long project, which is inherently experimental in nature — it could be the biggest step forward for computer security in a generation.”
Wireless LAN vendor Aruba has strengthened security in its software-defined branch product by adding intrusion detection and prevention software. The vendor is aiming the latest technology at retailers, hotels and healthcare organizations with hundreds of locations.
Aruba, a Hewlett Packard Enterprise company, also introduced this week an Aruba SD-Branch gateway appliance with a built-in Long Term Evolution (LTE) interface. Companies often use LTE cellular as a backup when other links are temporarily unavailable.
The latest iteration of Aruba’s SD-Branch has an intrusion detection system (IDS) that performs deep packet inspection in monitoring network traffic for malware and suspicious activity. When either is detected, the IDS alerts network managers, while the new intrusion prevention system (IPS) takes immediate action to block threats from spreading to networked devices. The IPS software takes action based on policies set in Aruba’s ClearPass access control system.
Previously, Aruba security was mostly focused on letting customers set security policies that restricted network access of groups of users, devices and applications. The company also provided customers with a firewall.
“But this IDS and IPS capability takes it a step further and allows enterprises that have deployed Aruba to quickly detect and prevent unwanted traffic from entering and exiting their networks,” said Brandon Butler, an analyst at IDC.
The latest features bring Aruba in line with other vendors, Butler said. In general, security is part of a “holistic” approach vendors are taking toward SD-branch.
Other features vendors are adding include WAN optimization, direct access to specific SaaS and IaaS providers, and a management console for the wired and wireless LAN. Software-defined WAN (SD-WAN) technology for traffic routing is a staple within all SD-branch offerings.
Aruba LTE gateway
The new gateway appliance is a key component of Aruba’s SD-Branch architecture. The multifunction hardware includes a firewall and an SD-WAN.
The device integrates with Aruba’s ClearPass and its cloud-based Central management console. The latter oversees the SD-WAN, as well as Aruba access points, switches and routers.
The new SD-Branch gateway with an LTE interface is the latest addition to the 9000 series Aruba launched in the fourth quarter of last year. The hardware is Aruba’s highest performing gateway with four 1 Gb ports and an LTE interface that delivers 600 Mbps downstream and 150 Mbps upstream.
Certification of the device by all major carriers will start this quarter, Aruba said.
Other network and security vendors providing SD-branch products include Cisco, Cradlepoint, Fortinet, Riverbed and Versa Networks. All the vendors combine internally developed technology with that of partners to deliver a comprehensive SD-Branch. Aruba, for example, has security partnerships with Zscaler, Palo Alto Networks and Check Point.
The vendors are competing for sales in a fast-growing market. Revenue from SD-branch will increase from $300 million in 2019 to $2.6 billion by 2023, according to Doyle Research.
The Department of Homeland Security warned of potential of Iranian cyberattacks against the U.S., and security experts weighed in on the risks facing enterprises.
In the bulletin, released Saturday as part of the National Terrorism Advisory System, DHS said there was no indication that attacks from Iran were imminent, but noted the country and its allies “have demonstrated the intent and capability to conduct operations in the United States.” The bulletin was issued in the wake of escalating military conflict with Iran.
“Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” DHS wrote in the bulletin. “Be prepared for cyber disruptions, suspicious emails, and network delays. Implement basic cyber hygiene practices such as effecting data backups and employing multi-factor authentication [MFA].”
In general, experts agreed there is a legitimate threat of Iranian cyberattacks against U.S. entities and many added that while Iran has offensive cyber capabilities, they are not known to have capabilities on the level of the U.S., China or Russia.
Rick Holland, CISO and vice president of strategy at Digital Shadows in San Francisco, said Iran has proven the ability to cause damage with cyberattacks.
“Iranian offensive cyber capabilities have grown significantly since the days of Stuxnet, which was a catalyst for the Iranian regime to mature their capabilities,” Holland told SearchSecurity. “While Iran isn’t as mature as the United States, Russia or China, they are capable of causing damage. Destructive or wiper malware like Iran used against Saudi Aramco could cause significant damage to their targets.”
Robert M. Lee, CEO and founder of Dragos, said Iran has “consistently been growing their capabilities and are aggressive and willing to be as destructive as they can be.”
“We’re unlikely to see widespread issues or scenarios such as disrupting electric power but it’s entirely possible we will see opportunistic responses to whatever damage they think they can inflict,” Lee told SearchSecurity. “Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies. While it is important to think where strategic targets would be for them, it’s just as relevant that they might search for those who are more insecure to be able to have an effect instead of a larger effect on a harder target.”
High disruption value
While DHS was unclear what organizations Iran might target with cyberoperations, some experts tended to agree with Lee that infrastructure and financial targets would be most likely.
Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., classified Iran as having “moderately sophisticated capabilities.”
“They aren’t on par with Russia or China, but they aren’t script kiddies either. Iran will most likely target defense industrial base and financial institutions — basically, targets that have a high disruption value,” Williams told SearchSecurity. “For an enterprise, the things to keep in mind are DDoS and early indicators of compromise for defense industrial base organizations. Of course, Iran could target other verticals, but we assess these to be the most likely initial targets.”
Levi Gundert, vice president of intelligence and risk at Recorded Future, noted that “Iranian sponsored groups are constantly probing potential targets for weaknesses toward intelligence gathering.”
“When provoked, these groups have also successfully demonstrated retaliatory cyberattacks. Based on historical precedent, Iran retaliates with destructive attacks against perceived threatening organizations (e.g. Sands Corporation), or they attack businesses toward achieving economic impact — large American financial service companies (Operation Ababil) and Saudi Aramco are two good examples,” Gundert told SearchSecurity via email. “We believe the most likely targets of cyberattacks remain the United States government, contractors, and partner businesses involved in U.S. regional interests.”
However, Chris Morales, head of security analytics at threat detection vendor Vectra in San Jose, Calif., said “everyone could be at risk” of an Iranian cyberattack.
“While certain industries were targeted in the past for disruption or for data theft, there is no limitation to who could be targeted in an asymmetric attack that involves disruption, misdirection and confusion,” Morales told SearchSecurity. “Earlier state-sponsored Iranian actors stole only basic information, but over the past few years they have been building long-term espionage campaigns. The risk here being in many cases Iranian actors already persist inside networks and it becomes a case of identifying their presence and removing them.”
Holland said the risk of being targeted by Iran would be low for most organizations, but enterprises should perform threat modeling by asking:
How do Iranian interests intersect your business?
How has historic Iranian targeting/victimology related to your company?
How does the Iranian threat stack up against your supply chain?
Protecting your organization
Experts agreed that taking care of the basics is probably the best approach to defend against possible Iranian cyberattacks.
Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, suggested enterprises “fix the easy stuff: deploy MFA everywhere; bolster DDoS defense and make sure email security is in place. Other than that, brace for impact and maintain situational awareness.”
Holland said enterprises “shouldn’t have to take any extraordinary measures.”
“Patch operating systems and applications. Disable Microsoft Office macros. Implement application whitelisting. Restrict admin privileges. Disable external-facing Remote Desktop Protocol,” Holland said. “Enable multi-factor authentication for external-facing applications and privileged users. Monitor for malicious domains registrations related to your organization.”
Gundert suggested organizations “take the time to understand Iranian sponsored groups’ historical tools, tactics, and techniques.”
“These groups typically achieve initial unauthorized access through password re-use, phishing, and/or web shells,” Gundert said. “Now is a great time to review and improve security controls for each threat category, as well as visibility into post-compromise activity like the usage of native Windows tools.”
Lee said the best approach is for cybersecurity professionals to “be in a heightened sense of awareness and put the investments they’ve made into people, process, and technology to use.”
“For companies that have yet to make proper investments into the cybersecurity of their business, there is not much that can be done quickly in situations like this,” Lee said. “Companies need to prepare ahead of these moments and these moments and any angst felt should serve as an opportunity to look internally to determine what your plans would be especially for incident response and disaster recovery.”
Virtualization-based Security (VBS) uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this “virtual secure mode” (VSM) to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat operating systems protections.
The Microsoft hypervisor creates VSM and enforces restrictions which protect vital operating system resources, provides an isolated execution environment for privileged software and can protect secrets such as authenticated user credentials. With the increased protections offered by VBS, even if malware compromises the operating system kernel, the possible exploits can be greatly limited and contained because the hypervisor can prevent the malware from executing code or accessing secrets.
The Microsoft hypervisor has supported VSM since the earliest versions of Windows 10. However, until recently, Virtualization-based Security has been an optional feature that is most commonly enabled by enterprises. This was great, but the hypervisor development team was not satisfied. We believed that all devices running Windows should have Microsoft’s most advanced and most effective security features enabled by default. In addition to bringing significant security benefits to Windows, achieving default enablement status for the Microsoft hypervisor enables seamless integration of numerous other scenarios leveraging virtualization. Examples include WSL2, Windows Defender Application Guard, Windows Sandbox, Windows Hypervisor Platform support for 3rd party virtualization software, and much more.
With that goal in mind, we have been hard at work over the past several Windows releases optimizing every aspect of VSM. We knew that getting to the point where VBS could be enabled by default would require reducing the performance and power impact of running the Microsoft hypervisor on typical consumer-grade hardware like tablets, laptops and desktop PCs. We had to make the incremental cost of running the hypervisor as close to zero as possible and this was going to require close partnership with the Windows kernel team and our closest silicon partners – Intel, AMD, and ARM (Qualcomm).
Through software innovations like HyperClear and by making significant hypervisor and Windows kernel changes to avoid fragmenting large pages in the second-level address translation table, we were able to dramatically reduce the runtime performance and power impact of hypervisor memory management. We also heavily optimized hot hypervisor codepaths responsible for things like interrupt virtualization – taking advantage of hardware virtualization assists where we found that it was helpful to do so. Last but not least, we further reduced the performance and power impact of a key VSM feature called Hypervisor-Enforced Code Integrity (HVCI) by working with silicon partners to design completely new hardware features including Intel’s Mode-based execute control for EPT (MBEC), AMD’s Guest-mode execute trap for NPT (GMET), and ARM’s Translation table stage 2 Unprivileged Execute-never (TTS2UXN).
I’m proud to say that as of Windows 10 version 19039D, we have succeeded in enabling Virtualization-based Security by default on somecapable hardware!
The Samsung Galaxy Book2 is officially the first Windows PC to have VBS enabled by default. This PC is built around the Qualcomm Snapdragon 850 processor, a 64-bit ARM processor. This is particularly exciting for the Microsoft hypervisor development team because it also marks the first time that enabling our hypervisor is officially supported on any ARM-based device.
Keep an eye on this blog for announcements regarding the default-enablement of VBS on additional hardware and in future versions of Windows 10.