John Worrall

Jan 24 2017

Russians, APTs and Cyber Security: What’s So Common about Common Sense Anyway?

While the world awaits the next titillating chapter of the ongoing saga involving Russia and the U.S. presidential election, there is one section of the recently released Joint Action Report (JAR) compiled by the DHS and FBI that has gone unnoticed and woefully under-reported — and worth digging into.

Yes, there was a lot of discussion as to whether the JAR achieved the goal of proving the Russians tampered with the US election, but I didn’t see one report on the section that every business and agency should pay attention to – the mitigation strategies to prevent cyber attacks.

In the “Top Seven Mitigation Strategies” section of the report, the DHS states:

DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. These strategies are common sense to many, but DHS continues to see intrusions because organizations fail to use these basic measures.

Let that sink in…8 out of 10 cyber-attacks could be stopped if organizations embraced “common sense” and basic cyber security strategies.

Is Common Sense Really That Common?

It can’t be that easy, right? Surely the DHS is highlighting advanced cyber security strategies that are too timely, costly and intrusive for organizations to implement. Let’s look at the recommendations:

Patch applications and operating systems
Application whitelisting
Restrict administrative privileges
Network segmentation and segregation into security zones
Input validation
File reputation/AV tuning
Understanding firewalls

Well, I have to agree with DHS on this one – these are basic, they are common sense, and they are imminently achievable by any organization that cares a modicum about cyber security. Yet far too many organizations either aren’t aware of basic security best practices, or worse, simply choose to ignore them.

While we’re channeling the righteous anger at the prospect of Russian interfering with the U.S. election, could we spare some indignation at the continued failure to address basic security issues?

This isn’t a political issue. This is a problem that spans the public/private sector.

Why We Fail To Embrace Basic Security

This is a question that keeps me up at night – why? Is it an issue of awareness?

Well, a lot of these recommendations are found in long-standing compliance regulations, including HIPAA, PCI DSS, FDDC, Government Connect, FISMA, SOX and more.

On the Federal side, the U.S. GAO issued reports highlighting critical cyber vulnerabilities at the FDA, the FDIC, the IRS, the Department of Education, the FAA, and, in one case, called out 24 agencies in one report. These vulnerabilities align with the seven steps outlined above.

Private enterprise hasn’t proven to be much better (don’t worry John Podesta, you aren’t alone) – spear phishing campaigns have been used to attack major global banks, retailers and technology companies.

Is it a case of a lack of funding and spending? I’d say no. According to IDC, in 2020, organizations are expected to spend $101.6 billion on security software, services and hardware.¹ We’ve seen other estimates that go even higher.

Can We Be Secure?

It’s a tough question to answer when basic cyber security practices are met with an audible sigh across all sectors. We’ve reached a point where the entire ecosystem – politicians, Federal and State government, media, security vendors and businesses – are talking at each other about security, but no one is really listening.

We’re on a cyber security carousel with no sign of it stopping – we call out the same vulnerabilities and issues again and again, yet there’s little action to actually address the fact that we’re leaving out front and back doors open to our geopolitical enemies, and anyone else who wants to come in.

1 – IDC Press Release, “Worldwide Revenue for Security Technology Forecast to Surpass $100 Billion in 2020, According to the New IDC Worldwide Semiannual Security Spending Guide,” October 12, 2016

Jan 20 2017

Small and Medium-Sized Businesses Not Immune From Cyber Attacks

Small- and medium-sized businesses (SMBs) are the backbone of the U.S. economy. According to data available in the U.S. Small Business Administration’s Small Business Profile for 2016, SMBs with fewer than 500 employees make up 99.7 percent of all U.S. companies and employ 56.8 million workers—48 percent of the U.S. workforce.

Cyber security is as important for these companies as it is for large multinationals. SMBs also have sensitive information from employees and customers, proprietary information about products, and they often are part of a global supply chain for other companies. Every business is a target, regardless of size, and none can afford to ignore the security of its IT infrastructure.

The SMB: lots of assets, limited resources

SMBs may assume they have little to interest hackers and therefore put cyber security on the back burner. We know this isn’t true. Hospitals, for example, hold sensitive health information and have networked medical devices at risk. Unfortunately, some learned the hard way with episodes of ransomware disrupting business and damaging reputations.

It is not just a company’s own information and systems that are at risk. SMBs have been the channel in high-profile breaches that compromised millions of records. The 2015 breach of a retail company in which data from 40 million customer credit card accounts were stolen and the U.S. Office of Personnel Management breach that exposed more than 20 million employee records are believed to have originated with credentials from third-party vendors. Attackers use a weak link in the supply chain to breach a larger target; they use the compromised credentials to escalate IT privileges and use privileged accounts to compromise critical systems.

Businesses today run on IT. This makes cyber security a business necessity as well as a technology requirement. A strong security program can not only protect a business’s assets, it can also give it a competitive advantage.

Although SMBs face the same cyber security challenges as large businesses, they often have fewer resources and little in-house expertise to address these challenges. This makes it important that they get the best return on their security investments by prioritizing the right things in their security programs.

The need to know

Cloud computing and hosted services can make advanced technology affordable, and SMBs often find it cost-effective to outsource many IT functions, including security. But at the end of the day, each business is still responsible for its own security. Owners and executives need to understand the basics of cyber security, know what their service providers are doing and what questions to ask of them.

Security needs will vary depending on circumstances. Each company must understand its attack surface—vulnerable areas in the IT environment that could breached to compromise systems—and the impact of each potential breach. By assessing the impact, vulnerabilities can be prioritized, so that the cyber security program focuses on the areas needed to manage risks.

The key to protecting an IT infrastructure is privileged accounts. These accounts, if compromised, can effectively turn an intruder into an insider, giving the attacker rights to move throughout the network, escalate privileges, change settings and configurations and access data. When allocating scarce cyber security resources, privileged accounts must be identified, assessed and prioritized.

A single standard for security

An SMB IT infrastructure may not be as complex as a global enterprise, but the benefits of a layered approach to cyber security applies to all. Additionally, there are documented best practices and basic cyber hygiene practices that should be followed.

Learn more about how CyberArk can help your organization protect privileged accounts.

Jan 12 2017

Get Cyber Security Right in 2017: Prioritize Privilege

Prudent organizations understand the need to have a cyber security program in place to protect assets, but it can be difficult to determine which investments will provide the best business value when making the budget case to C-level executives. This is true whether establishing a new security program or updating an existing one.

When making security plans for 2017, consider a risk-based approach focused on the paths that attackers often take to access the most critical assets in an organization. There are plenty of industry reports and government recommendations flagging the importance of securing privileged accounts and credentials—take your pick. The role they play in advanced attacks is well documented.

Privileged accounts are the gateway to your organization’s assets

Privileged accounts give access to a wide range of assets, often with authority to make changes in settings and configurations. This makes privileged accounts the gateway to your assets. The credentials for these accounts—including cryptographic keys, passwords and hashes—are the keys to these gateways; they allow attackers who have breached the perimeter to travel horizontally and vertically throughout a network to reach and exploit their desired targets.

CyberArk research has found that, on average, 40 percent of the Windows hosts on a given network, if compromised, would provide an attacker credentials that would facilitate complete compromise of the vast majority of the other Windows hosts on that network—whether directly or through a series of compromises. Although 100 percent security of your network is not feasible, denying an intruder access to privileged credentials is a critical first step in reducing risk to your most valuable assets.

Prioritizing the security of your privileged accounts is not only a good security plan, it is also a good business plan.

Making the business case for privileged account security

Most C-level executives are not hands-on in IT, but they understand the need to protect an organization’s assets, brand and reputation. Effective cyber security is necessary because if you lose administrative control of your infrastructure, you’ve lost control of your business. Your infrastructure no longer is working for you; it’s working for the intruder.

When making the case for prioritizing privileged account security, consider the following points:

Metrics: Establish success metrics for your cyber security program and show the progress made in improving your organizations’ security posture.
- Discover the privileged accounts on your network and identify what assets they have access to.
- Prioritize these accounts according to the risks they represent and create a tiered plan for securing them over time.
- Document and report progress in securing the accounts and their credentials.

Demonstrate value: Reduce your organization’s exposure to intruders and show the value this provides to the overall cyber security program.
- Identify the areas of greatest business impact (such as most sensitive operations, most valuable lines of business, markets with greatest growth potential, etc.)
- Define the attack surface of these areas based on their exposure through privileged accounts.
- Demonstrate the reduction of the attack surface through progress in securing the accounts.

Prioritize privilege now

An effective cyber security program is a must for your organization, and the best return on your investment comes from protecting the privileged accounts and credentials that intruders exploit. If you don’t do it now, you will have to do it after an intruder has breached your perimeter. Why wait?

Here are the top five reasons to prioritize privilege account security:

Privilege is the road most traveled by attackers moving through your network.
Privileged accounts represent the express lane to your domain controllers, giving control of the infrastructure.
Your security systems need to be secure; securing privileged accounts protects them.
It’s a single solution to protect against both insider threats and external attackers.
Securing privileged accounts is the first action you will have to take following a breach.

Take the first step

Make sure you know your network better than attackers. Take inventory of your privileged accounts. CyberArk Discovery & Audit™ (DNA) is a free tool available to help organizations discover privileged accounts both on-premises and in the cloud. Use the results to assess security risks, identify accounts with local administrator rights, and identify machines vulnerable to credential theft. Prioritizing the risks lets you begin improving security right away.

Dec 29 2016

Misinformation and the Loss of Public Trust

Misinformation—and the misuse of information—came to the fore of public attention during the 2016 U.S. presidential election. Exactly who was behind the well-publicized hackings, leaks and fake news stories, and their impact, remains under investigation and might not be known for months, if ever. However, what is clear is that the ability to use misinformation for political gain or otherwise will continue to be a significant cyber security issue in 2017 and beyond. In fact, concerns have already been raised about similar attacks on trust in connection with the German Parliament elections in 2017.

Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in organizations, but in public institutions and leaders’ ability to make decisions.

It’s Not New

The use or control of information to sway public opinion or gain political or military advantage is not new. In a Washington Post opinion piece, John Maxwell Hamilton of the Woodrow Wilson Center for International Scholars dated the birth of information warfare to the opening days of the First World War when the British cut German undersea cables to disrupt communications. The theft and manipulation of information for espionage and propaganda is as old as warfare itself. The use of propaganda continues today.

What is new in information warfare is the proliferation of digital data that can be remotely accessed and manipulated as well as disseminated globally. Data has become not only a resource and an asset, but also a weapon as demonstrated during the presidential campaign with the release of stolen e-mails.

That and the proliferation of fake “news” stories that often outperformed real news in social media. According to a survey by the Pew Research Center, 64 percent say fabricated news stories cause a great deal of confusion about the basic facts of current issues and events. In the same survey, 23 percent said they had shared fake stories – either knowingly or not.

This raises questions about the responsibility for protecting the integrity of data.

Manipulating the Data

Most of us (according to the Pew survey) are confident we can spot phony news. Sifting the real from the false is not always easy, however. A story about a love triangle with Elvis can be easily dismissed, but an article that shaves numbers off a political poll or the selective release of documents without context are more difficult to evaluate. Manipulating real data can be more insidious than making something of whole cloth.

A challenge of digital data is that it can be altered in ways that are difficult to detect. Data can be altered in servers and databases so that its owners are not even aware of the changes. When released or accessed under normal circumstances, this altered information can appear to be credible if available from a “trusted” source. Audio and video files can also be edited to deceive. Seeing and hearing are no longer believing, and as a result, trusted sources lose integrity.

The internet has blurred the distinction between publishers and readers/viewers. Phony or doctored information can be distributed globally at little cost and amplified through social media. Identifying the original source of falsified data or information can be difficult.

Defending our institutions

Defending ourselves and our institutions against misinformation requires a combination of personal skills and technology.

People must be media and information literate. Whether a baby boomer or a digital native, it is increasingly important to have the ability to evaluate the credibility of information and its sources. This requires a mix of critical thinking and enough knowledge/healthy skepticism to question things that just do not seem to be right. Understanding the nature of digital data and the challenges of cyber security contribute to these skills.

The creators, owners and distributors of data also have an obligation to integrity. Reputations are at stake, and the integrity of institutions could be damaged through a loss of public trust and confidence.

We have already written about the importance of data integrity as a part of a complete cyber security program. Basic practices such as encrypting data can help protect it, and hashing can help assure it has not been altered. Monitoring network activity and controlling access to privileged accounts that have permission to make changes in data also are critical.

Instilling trust in the data relied on to make decisions and protect citizens must be part of advanced cyber security strategies. Raising visibility of this challenge and spurring ongoing discussions will help maintain global awareness, even as elections fade from the front page.

Dec 13 2016

The Most Fundamental Endpoint Security Problem is a Privilege Problem

Privilege escalation is at the center of the cyber attack cycle. Why? Because attackers need the credentials of an insider, and administrative credentials give them the power to move laterally throughout the data center, to access high value servers and to take over domain controllers. Organizations now realize that securing privilege access is the first step they need to take to protect their organization from damaging cyber attacks, but it’s important to remember that privilege access is a security challenge across the entire IT infrastructure – not just the data center.

Privilege accounts exist in EVERY piece of technology in the organization. Every server, every database, every application including SaaS, every domain controller, every hypervisor, and of course, every endpoint. Securing privileged access on the endpoint is just as important as securing privileged access to servers and domain controllers.

Ownership is Privilege

There are a number of reasons why privilege security at the endpoint is critical. I’ll keep it short and focus on one, very important concept – ownership of the endpoint. Privileged access provides a user with total control over the endpoint including the ability to decide who can do what on the machine. If control of the machine remains with a trusted systems administrator, the company controls it. The company retains “ownership” of the device. Once an attacker gains privileged access to an endpoint, s/he has total control over that machine. Ownership now belongs to the attacker. As a result, the attacker can decide who can access the machine, create and modify user accounts, change configuration settings, disable/uninstall anti-virus, install malware, reset local passwords, access data that belongs to others etc.

Microsoft’s Security Response Center’s 10 Immutable Laws of Security state this very clearly. There are multiple “laws” that articulate the need to secure admin credentials, but read #6 carefully:

A computer is only as secure as the administrator is trustworthy

“Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that the individual have control over the computer. This puts the administrator in a position of unequalled power.”

This also covers the authorized administrators that make mistakes or go rogue, as well as any unauthorized user or executable using an administrative credential.

Knowing this fact, it’s a mystery to me why organizations continue to add on layers of endpoint controls and detection without securing admin accounts. This most basic, but important, step in security control is missing.

Prioritize Privileged Account Security

Organizations have spent billions of dollars trying to protect their organizations from cyber attacks.Yet the number of attacks continues to grow. Industry benchmarks show cyber crimes cost an enterprise organization $15 million per year on average, with the overwhelming majority of attacks originating on the endpoint.

Attackers know that user log-ins are far easier points of infiltration than network or software exploits. Organizations try to train their employees not to click on malicious email, but phishing attempts persist and are increasingly sophisticated. Raising the bar for security literacy is a worthy endeavor in the digital age of business, but education will not contain an attack at the endpoint.

There will always be a new “threat du jour.” Taking a layered approach to security is smart, but there is no silver bullet. For this reason, it’s important to have measures in place to contain the damage of a breach and to mitigate risks. Remember the common denominator across every tool in your security toolbox: privileged accounts. For this reason and others, protecting privilege must be a priority.

CyberArk has focused on privileged account security for more than a decade, and we know what damage can be done when an attacker has access to privileged credentials. Some companies have learned the hard way – and locking down privileged credentials was among the first actions taken during remediation.

We continuously innovate our products to address market needs, and we recently introduced CyberArk Endpoint Privilege Manager to help organizations contain attackers early in the lifecycle by interlocking three core capabilities: privilege management, application control and new targeted credential theft detection. The goal is to stop and contain damaging attacks at the endpoint. Instead of adding layers of preventative endpoint security controls on a weak foundation, we offer a different, proactive approach.

We invite you to learn more here.