Winning the War Against Hackers in the Face Of Device Proliferation

Expanding Network Edges & Device Proliferation

With the advent of COVID-19, an enormous push to hybrid work changed the threat landscape. Many more activities have become remote, and therefore more reliant on and demanding of secure remote network connections. As more organizations expand their hybrid workforce models, the network edge continues to push out and the number of potential entry points for attackers increases. Device proliferation – specifically BYOD – is exacerbating this trend. As of 2021, 67% of employees use personal devices at work, and 59% of organizations have adopted BYOD. IoT device proliferation is also broadening the threat surface, adding to the list of endpoints not only in the office, but also in the operating room, on the factory floor and in the shipping warehouse. There may be some 21.5 billion IoT devices by 2025 – a number that keeps IT security professionals up at night. From security cameras to connected multifunction copiers, IoT devices open the real potential for breaches.

The Role of Network Access Control

With so many diverse, dispersed devices requesting network access, security teams must be more diligent about setting and enforcing access control policies. To maintain vigilance, security teams need to focus their efforts on network access control (NAC). In a perfect world, this means deploying a NAC that offers cloud RADIUS services, a variety of authentication methods, as well as 24/7 endpoint risk assessment and remediation across all prominent access layers – wired, wireless and VPN. Simple, yet powerful – a NAC that’s easy to use while providing the extensive security coverage needed to confront these challenges head-on is required.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Cyber Threats: Rise In Prevalence, Rise In Costs

Threat Surfaces Are Expanding

The proliferation of devices requesting access to the network, driven largely by the adoption of BYOD policies and utilization of IoT devices, has forced network security teams to be more diligent about setting and enforcing effective access control policies. Despite best efforts, attempts to address this evolving problem are akin to putting a finger in the dike – rogue devices inevitably slip through the cracks, leaving corporate networks vulnerable to ransomware and countless other cyber threats.

What’s more, network complexity complicates the issue. Today, networks consist of an ever-increasing number of WANs, LANs, VLANS, SD-WANs, MPLS, VPNs, employees’ homes, coffee shops, hotels, airports – wherever authorized devices can connect to gain access to company resources. As if the industry needed another acronym – some are calling it Bring Your Own Network (BYON). Regardless of how we define the trend, access to everything (from everywhere) has changed the security dynamic.

The impact on corporate bottom lines is tangible. The risks and costs associated with network breaches are growing larger by the year. It seems as if every day a new Fortune 500 company is reporting a costly cyberattack. Data breaches from January through September 30, 2021 (9 months), exceeded the total number of events in the entire year of 2020 by 17% (1,291 breaches in 2021 compared to 1,108 breaches in 2020). Adding to the challenge, threat actors are becoming more sophisticated and prevalent, leaving organizations on their heels fighting to catch up.

A New Age of Cyber Threats

Cyber threats have become alarmingly prevalent, with malware increasing 358% overall and ransomware increasing 435% in 2021 compared with 2019. All threats, from phishing to attacks on Internet of Things (IoT) devices and supply chains, have grown exponentially. Attacks on IoT devices tripled in the first half of 2019 and supply chain attacks were up 78%.

Costs have escalated in tandem. The average ransomware payment rose 33% in 2020 over 2019, to $111,605. The total cost of cybercrime for each company increased 12% from $11.7 million in 2017 to $13.0 million in 2018. Data breaches cost enterprises an average of $3.92 million annually.

In an attempt to mitigate these costly risks, many companies have opted to deploy niche solutions and tools such as network and host intrusion detection, various threat intelligence feeds, and mobile device management. While useful in isolation, these disparate tools (e.g., Network Performance Management, SIEM, XDR, SOAR, etc.) create many different panes of glass, leaving gaps in network security and complicating IT infrastructures. All this means extra work for already thinly-stretched IT teams. In this sense, less really is more.

Essential Areas of Cybersecurity

The cybersecurity software market is oversaturated with tools that have been designed for very siloed tasks. Many of these have been developed in direct response to new threats, and require a certain focus and sophistication that doesn’t lend itself to the average IT professional’s chaotic daily life. Instead, companies need to develop a simple, yet solid security foundation that consists of three essentials:

  1. Firewalls to monitor incoming and outgoing network traffic
  2. Network access control to enforce access policies, assess connected device risk and remediate non-compliant devices
  3. Endpoint protection like antivirus to prevent, scan, detect and eliminate malware and other viruses from devices

Passwords: Necessary, but Insufficient for Network Security

The First Form of Security

In the beginning – or at least near the beginning – there was the password. This rudimentary method of security pre-dated computers by at least two millennia, and was commonly utilized by militaries like the Roman Legion to maintain secure access to bases, resources and other high-ranking officers across a wide swath of newly conquered territory.  

As we fast forward to the 20th Century and the advent of the computer, passwords became the primary method of personal identification and access to systems, applications, networks…you name it. As computers became increasingly integrated into the daily lives of people both at work and at home, passwords became even more prevalent and served as the de facto method of security. 

Password Management Today

Today, much to our chagrin, we all juggle passwords across our laptops, tablets and phones in work and personal lives. Remembering the multitude of passwords needed to access different areas of our digital existence has become an onerous, often screen-punching task. It has also become a task rife with security vulnerabilities – particularly at the corporate level. Everyone is now required to remember so many passwords that they resort to insecure practices like writing them down, using easy-to-guess passwords, or using the same password over and over again. 

Most security experts see passwords as one of the weakest links in the security system, but many of the procedures that IT teams undertake with the intent of improving security – like requiring frequent password changes – make the problem worse. If a hacker guesses a password or obtains one from a breach, they can try it again across other applications. Such tactics have become household names in IT. For example, trying a handful of common passwords against many accounts is known as “password spraying,” and replaying previously breached username/password pairs is known as “credential stuffing.”

Password-focused attacks are extremely common. For instance, in the well-publicized campaign of attacks on SolarWinds and many other vendors in 2019, the US Cybersecurity and Infrastructure Security Agency (CISA) noted that “incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying…”
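The distinction the article draws matters for detection: a spray touches many accounts a few times each from one source, whereas a brute force hammers one account. The following detection logic over constructed authentication log lines is an added example, not code from the article or from Portnox; the log format, source addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed log format for the example: one line per authentication attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 203.0.113.7 sprays one guess across six accounts and lands on bob;
# 198.51.100.4 is a real user mistyping twice; 203.0.113.9 hammers a single account.
SAMPLE_LOG = """
2023-05-01T08:00:01Z auth: result=FAIL user=alice src=203.0.113.7
2023-05-01T08:00:31Z auth: result=FAIL user=bob src=203.0.113.7
2023-05-01T08:01:02Z auth: result=FAIL user=carol src=203.0.113.7
2023-05-01T08:01:33Z auth: result=FAIL user=dave src=203.0.113.7
2023-05-01T08:02:04Z auth: result=FAIL user=erin src=203.0.113.7
2023-05-01T08:02:35Z auth: result=FAIL user=frank src=203.0.113.7
2023-05-01T08:03:06Z auth: result=OK user=bob src=203.0.113.7
2023-05-01T08:05:00Z auth: result=FAIL user=alice src=198.51.100.4
2023-05-01T08:05:20Z auth: result=FAIL user=alice src=198.51.100.4
2023-05-01T08:05:40Z auth: result=OK user=alice src=198.51.100.4
2023-05-01T08:10:00Z auth: result=FAIL user=carol src=203.0.113.9
2023-05-01T08:10:05Z auth: result=FAIL user=carol src=203.0.113.9
2023-05-01T08:10:10Z auth: result=FAIL user=carol src=203.0.113.9
2023-05-01T08:10:15Z auth: result=FAIL user=carol src=203.0.113.9
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None           # unparseable lines are skipped, not fatal
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_password_spraying(lines: Iterable[str], window_minutes: int = 10,
                             min_distinct_users: int = 5,
                             max_attempts_per_user: int = 2) -> Dict[str, dict]:
    """Flag sources whose failures in a sliding window touch many accounts a few times each.

    A brute force against one account has few distinct users and many attempts per user,
    so it deliberately does not match here; it needs its own rule."""
    window = timedelta(minutes=window_minutes)
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts: Dict[str, dict] = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        lo = 0
        for hi in range(len(fails)):
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            per_user = Counter(e["user"] for e in fails[lo:hi + 1])
            if len(per_user) < min_distinct_users or max(per_user.values()) > max_attempts_per_user:
                continue
            best = alerts.get(src)
            if best is None or len(per_user) > best["distinct_users"]:
                start = fails[lo]["ts"]
                # A success from the same source after the spray began is the account to triage first.
                succeeded = sorted({e["user"] for e in evs
                                    if e["result"] == "OK" and e["ts"] >= start})
                alerts[src] = {"distinct_users": len(per_user), "window_start": start,
                               "succeeded": succeeded}
    return alerts


if __name__ == "__main__":
    for src, a in detect_password_spraying(SAMPLE_LOG).items():
        print(f"{src}: {a['distinct_users']} accounts from {a['window_start']:%H:%M}, "
              f"later success for {a['succeeded'] or 'none'}")
```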

The Move to Single Sign-On (SSO)

As corporate employees found themselves needing to log into more and more different devices, applications and network types, IT teams began leveraging SSO technology to help simplify the process and eliminate the need for people to remember every single password they use. At its core, SSO was intended to give employees one password that provided access to all necessary corporate resources.

For several years, while most applications still resided inside a local IT datacenter, many organizations turned to tools like Microsoft’s Active Directory (AD) to manage user identity and access policies. The rise of AD adoption pushed other application vendors to support AD, further establishing AD-based SSO as the go-to method for password management and access security at the time.

Then along came Software as a Service (SaaS), and the game changed. SaaS apps went from novel to common incredibly quickly thanks to the simplicity, efficiency and cost effectiveness they promised. As cloud services like Amazon Web Services (AWS) and Microsoft Azure made it easier to build SaaS apps, these tools went from common to ubiquitous. Today, most companies have so many SaaS applications in use that their IT teams need to subscribe to other SaaS apps to help them discover and manage their active SaaS app portfolio.  

Every one of these new SaaS apps now in use utilizes passwords. While early on some of these apps supported MS AD or its successor, Microsoft Azure AD (Azure AD), most did not at first. As such, it quickly became clear that successfully rolling out SSO universally was a daunting undertaking for most mid-sized businesses with complex IT environments and limited internal IT resources. After all, a company-wide password manager doesn’t eliminate the proliferation of passwords, and compromised SaaS apps can serve as gateways into the larger corporate network.

The Rise of Multi-Factor Authentication (MFA)

The explosion of passwords and password-based attacks has created a market for password management software. There are a plethora of vendors who deal solely with simple passwords (e.g., LastPass, Keeper Security, Dashlane), SSO (e.g., Okta, SailPoint, One Identity), or the third and most recent phase in the evolution of the password: MFA (e.g., Cisco Duo).   

Out of SSO emerged MFA, which complements and strengthens password management and network security efforts by introducing another means of identity verification on top of a person’s username and password. Most MFA vendors today provide mobile-based authentication, which can include methods such as push-based, QR code-based, and one-time password authentication (event-based or time-based), as well as SMS-based verification.

MFA, like SSO, has its own shortcomings. Mobile-based authentication is particularly vulnerable as mobile devices can be cloned, and apps often run simultaneously across several mobile devices. Advanced hackers can, in theory, intercept an MFA code sent via SMS or email. While this added layer of security raises the necessary skill level to execute a successful attack against a company’s network, critical vulnerabilities still exist. 

The Gold Standard: Network Access Control (NAC)

With enterprise SaaS adoption and corporate networking eco-systems expanding and becoming more complex, MFA alone simply isn’t equipped to provide the secure access and authentication functionality needed to maintain an effective network security posture. 

As we enter a period of unprecedented device proliferation, network expansion, and increased threat sophistication, NAC has emerged as the gold standard for establishing secure access and authentication to corporate networks, applications and other internal resources. NAC, for lack of a better word, has raised the bar and left hackers with their work cut out for them.  

NAC systems evaluate whether a user and their device should be allowed onto a network, based on a series of security checks, MFA included. NAC combines MFA with other unique data points, such as the location of the device or the MAC address of the device to either grant or block their access to the network. Once connected, a NAC goes a step further by continuously measuring the security posture of each device, taking steps to either quarantine or boot the device off the network should it surpass the organization’s desired risk threshold. Additionally, a NAC can control which segment of the network a device can access, further limiting any impact of an intrusion.  

As such, a NAC is a strong addition to tighter password management and MFA because its security controls are complementary rather than overlapping. NACs were once thought to be powerful, yet complex and hard to manage. With the advent of cloud-native NAC such as Portnox CLEAR NAC-as-a-Service, however, companies can access that power without the hassle.

The Future of Password Management

While there are efforts to eliminate the need for passwords altogether, most business software will continue to require a username and password to gain access. Therefore, businesses must do more to secure their environments in the face of so many passwords.  

No combination of security controls can guarantee protection, but if an organization operates with a limited IT budget and staff, a combination of password management, MFA, and cloud-native NAC will substantially reduce its risk of cyberattacks. 

Strengthening IoT Security with Cloud-Native DHCP Listening

Enhanced IoT Fingerprinting & Security with Cloud-Native DHCP Listening

More Like the Internet of Everything

With the explosion of new devices connecting to the internet, IoT (or, the Internet of Things) really might as well be called IoE (or, the Internet of Everything.) The use cases for always-connected devices span across industries – from facilities that can now better manage energy usage according to peak customer traffic, and medical devices that can adjust medication levels in seconds, to retail warehouses that can track inventory down to the last widget. It’s undeniable that IoT has been a game-changer.

That’s not to say, however, that IoT does not present some unique challenges – specifically for network security professionals.

Who Are You?

The devices themselves tend to run on extremely lean operating systems, which means they don’t run typical monitoring protocols like SNMP. There’s also no possibility of installing extra software like agents. They’re designed to be easy to set up; just point them at an internet connection, which means any user can add an IoT device.

This creates an especially tough situation for IT administrators. After all, an essential part of zero trust security is knowing what is on your network, which means you need to make sure operating systems and firmware are patched and up-to-date to close the gap on any known vulnerabilities. But how can you know what’s on your network if the devices don’t report back specific identification in any way?

This problem has become so common it has a name – “Shadow IoT” – and it’s so prevalent that 80% of IT leaders found devices on their network they didn’t know about.

IoT Fingerprinting to the Rescue!

To combat this, several companies that make security tools like Network Access Control software have begun offering IoT Fingerprinting. This is a way to gather information about IoT devices like model, OS or Firmware, and manufacturer without requiring the devices to report in. While an absolute game changer for helping secure these devices, it is not without its challenges.

The biggest issue is that there is no real standard across devices – most don’t support Simple Network Management Protocol (SNMP) or Windows Management Instrumentation (WMI). Some devices support Universal Plug & Play (UPnP) or Bonjour, but typically you only find that on consumer devices like a Roku or an Apple TV. Some Cisco devices support CDP (Cisco Discovery Protocol), but that doesn’t cover other vendors; some may use LLDP (Link Layer Discovery Protocol) instead, but typically you will find that only on phones, video conferencing equipment, and commercial IP surveillance cameras.

Port scanning via Nmap or raw TCP probes has its own drawbacks – it scales very poorly. Also, with increased pressure on IoT manufacturers to pay more attention to security, more and more devices are being shipped with all ports turned off. And of course, even the most basic firewall will raise alarms when a port scan is detected.

MAC addresses will get you some information, but they pose some challenges too. The first six hexadecimal digits of a MAC address are called the OUI, and they identify the manufacturer. This is useful, but not especially precise: if you find an HP device on your network, that does little to tell you exactly what it is. It also tells you nothing about the operating system or firmware.

DHCP at first seems like a great option – when a device connects to a network, its first step is typically to request an IP address from a DHCP server. During the DORA process (Discover, Offer, Request, Acknowledge) a good deal of information is passed back and forth, including information that can fingerprint the device. Many enterprise switches support a process called DHCP gleaning, where the switch listens for DHCP requests on its switchport interfaces, captures the relevant fields as device-sensor data, and sends them along with RADIUS accounting information.

The problem here is that not all switches support DHCP Gleaning. For the ones that don’t, how do you get the information collected by the DHCP server to your network access control software to do the actual fingerprinting? Some solutions have you install an on-prem DHCP forwarder, which signs your IT team up to deal with deploying and maintaining yet another server, upgrades, patches, etc. Even worse, this separate forwarder creates overhead on your network that may impact your users and sensitive traffic.

So, is all hope lost? Is there no reliable way to accurately fingerprint all your IoT devices? Not quite: there’s great news coming.

Portnox’s DHCP Listener Heads to the Cloud

Keep all the magic of a cloud-based solution – vendor agnostic, no maintenance, no upgrades, no worries – AND get the most accurate fingerprinting of all your IoT devices as part of your comprehensive zero-trust solution!

You can easily configure your network devices to send the data your DHCP server already gathers throughout the course of handing out IP Addresses to the Portnox SaaS DHCP listener.

All you need is a layer 3 device on the same subnet as the devices you want fingerprinted that is NOT also acting as a DHCP server. On it, configure a DHCP helper, which will forward this information to us. Most devices support a DHCP helper – in fact, most support running multiple helpers, so there is no need to sacrifice anything in your current architecture. The helper will pick up DHCP and BOOTP broadcasts on directly connected subnets and relay them to the Portnox DHCP listener on port 67.
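To make concrete what a listener receives from a relayed request, here is an added example (not Portnox code, and not a description of its listener) that parses a DHCPDISCOVER the way a DHCP helper forwards it: the relay address in giaddr, the client MAC and its OUI prefix, and the options most useful for fingerprinting (hostname, vendor class identifier, parameter request list). The sample packet, its MAC, hostname and vendor string are constructed; no vendor lookup of the OUI is performed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60


@dataclass
class DhcpFingerprint:
    msg_type: str
    mac: str
    oui: str                         # first three octets: manufacturer prefix
    relay_ip: str                    # giaddr, filled in by the DHCP helper/relay
    hostname: Optional[str]
    vendor_class: Optional[str]
    param_request_list: Tuple[int, ...]


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; tolerate PAD, stop at END, reject truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + data   # RFC 3396: concatenate repeated options
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpFingerprint:
    """Extract the fingerprint-relevant fields from one relayed DHCP message."""
    if len(packet) < 240:
        raise ValueError("shorter than the fixed BOOTP header plus magic cookie")
    _op, htype, hlen, _hops = struct.unpack("!BBBB", packet[:4])
    giaddr = packet[24:28]           # relay agent address set by the helper
    chaddr = packet[28:44]           # client hardware address field (16 bytes)
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses handled here")
    opts = parse_options(packet[240:])
    mac = ":".join(f"{b:02x}" for b in chaddr[:6])
    msg_type = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
    return DhcpFingerprint(
        msg_type=MSG_TYPES.get(msg_type, "UNKNOWN"),
        mac=mac,
        oui=mac[:8],
        relay_ip=socket.inet_ntoa(giaddr),
        hostname=opts[OPT_HOSTNAME].decode("ascii", "replace") if OPT_HOSTNAME in opts else None,
        vendor_class=opts[OPT_VENDOR_CLASS].decode("ascii", "replace") if OPT_VENDOR_CLASS in opts else None,
        param_request_list=tuple(opts.get(OPT_PARAM_REQ_LIST, b"")),
    )


def build_relayed_discover(mac: bytes, relay_ip: str, hostname: str,
                           vendor_class: str, prl: bytes) -> bytes:
    """Constructed sample: a DHCPDISCOVER as a helper would relay it (hops=1, giaddr set)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)  # BOOTREQUEST, broadcast flag
    addrs = b"\x00" * 12 + socket.inet_aton(relay_ip)   # ciaddr/yiaddr/siaddr zero, giaddr = relay
    body = mac.ljust(16, b"\x00") + b"\x00" * 192         # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
               + bytes([OPT_PARAM_REQ_LIST, len(prl)]) + prl
               + b"\xff")
    return header + addrs + body + DHCP_MAGIC + options


def fingerprint_sample() -> DhcpFingerprint:
    # Constructed values: a busybox-style camera announcing itself via udhcpc.
    pkt = build_relayed_discover(b"\x02\x11\x22\x33\x44\x55", "10.20.30.1",
                                 "cam-lobby-01", "udhcp 1.30.1", bytes([1, 3, 6, 12, 15, 28, 42]))
    return parse_dhcp(pkt)


if __name__ == "__main__":
    print(fingerprint_sample())
```

The vendor class and the order of the parameter request list are what fingerprint databases key on; the hostname is self-reported and should be treated as a hint, not an identity.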

If you have bandwidth concerns, you can lay them to rest – DHCP is a very lightweight protocol, consuming less than 350 bytes per request on average. Since we are not making DHCP offers, the only bandwidth used is that of the clients’ DHCP requests the helper forwards.

So let’s say you have 500 clients. A DHCP lease is typically 24 hours, with clients renewing at 12 hours. That means you’d spend 175 kilobytes of total data every 12 hours…even a 28.8 baud modem could handle that request.

We use this formula to calculate bandwidth:

((total number of DHCP clients × 350 bytes) × 2 renewals per 24 hours × 8 bits per byte) / 86,400 seconds in a day

In Excel the equivalent formula would read: =(((500*350)*2)*8)/86400

This first-of-its-kind SaaS DHCP listener is easy to set up, and opens a whole new world of accurate fingerprinting for IoT Devices.

Why Log4Shell Remains a Major Risk for Corporate Networks

Log4Shell is Still Lurking

What Does it Mean for Corporate Networks?

What is Log4Shell & What Does it Affect?

In December 2021, the Log4j vulnerability, also known as Log4Shell, was made public. Log4j is a logging utility for Java that allows developers to output log messages from their applications to various destinations, such as the console, a file, or a database. Like any software, log4j is susceptible to vulnerabilities that can be exploited by attackers. Logging tools are used by developers to keep track of activity within a certain application.

To take advantage of Log4Shell, all attackers have to do is trick the system into logging a unique piece of code. They can then take over their target’s computer and install malware or launch other types of cyber attacks.

Log4j’s handling of serialized data is one area where it might be vulnerable. An attacker may be able to insert harmful code into serialized data supplied to the log4j library in some versions of log4j. The injected code may be executed if the log4j library deserializes this data, which might provide the attacker access to the system without authorization or enable them to carry out other nefarious deeds.

A year later, the issue still poses great risks, as was noted in an announcement by both the FBI and the Cybersecurity and Infrastructure Security Agency on a network attack by Iranians at a federal civilian executive branch agency. With the relentless rise of attacks and vulnerabilities dominating the cybersecurity landscape, organizations are coping with a compound threat: the vulnerabilities from prior years that may not have been sufficiently addressed as well as the new ones that surface every year.

How Does Log4Shell Affect Corporate Networks?

What makes the Log4j vulnerability even more dangerous is how ubiquitous the Log4j 2 library is. It can be found in large and small services as well as significant platforms like VMware and Amazon Web Services. Organizations across the industry have incorporated Apache Log4j 2 into a variety of applications because it is one of the most used logging frameworks on the internet. This includes well-known cloud providers like Twitter and Stream as well as platforms like Apple, Google, Microsoft, and Cloudflare.

The vulnerability’s impact is amplified in particular by how simple it is to exploit. The Log4j library manages how code and data are logged by applications. The flaw gives an attacker access to a string, which they can use to fool the application into requesting and executing malicious code they have control over. Attackers can thereby remotely take control of any internet-connected service that makes use of specific versions of the Log4j library, regardless of where in the software stack it is located.

The subject is pertinent to more discussions about the software supply chain and how it is more challenging to find and fix vulnerable code since many firms do not have a complete accounting of all the software they use in their systems. However, even if a company has a record of every piece of software it has purchased or installed, those programs may still contain other software components that the end user isn’t precisely aware of and didn’t intentionally choose. Because of this intricate web of dependencies between the impacted platforms and services, patching can be a challenging and time-consuming process.

Attackers are still actively using Log4Shell everywhere they can, from criminal hackers looking for a way into targets’ systems to attackers with the support of the Chinese and Iranian governments who use the exploit in their espionage operations. Moreover, the latest analysis released by Tenable on Wednesday revealed that the issue still exists as of October 1, 2022, and that 72% of organizations are still exposed to Log4Shell. Some companies that first mitigated the vulnerability are included in that figure. Tenable conducted the study while gathering information from more than 500 million tests.

How can Companies Mitigate This Vulnerability?

Any company can fall victim to Log4Shell. Previous research and data analysis suggest the importance of continually assessing enterprise environments for the flaw, as well as other critical vulnerabilities.

Companies should update their own applications and infrastructure that use Log4j as well as third-party applications immediately. Corporate networks need enhanced security solutions that can immediately and automatically identify vulnerable systems and their dependencies, and help you prioritize the most critical systems to update first.

Prioritizing Java processes that are accessible via public networks and have the potential to leak critical information to malicious intruders is the most effective strategy for solving this problem. Throughout this process, it is important to keep a list of all known and suspected susceptible assets and what is being done with them.

Since malicious cyber actors may compromise an asset and then patch it to cover their tracks, it is crucial to keep track of patching. In order to determine whether a threat actor may have patched an asset, organizations should maintain a detailed record of the susceptible assets they have patched.

Even with proper record keeping, it is important to verify the success of the mitigation. Use the appropriate tools and techniques to scan the patched asset. Utilize different techniques to confirm that the mitigation was properly implemented while keeping a careful eye on the asset. Look out for updates from vendors to the asset’s software.

For information on known affected products and patches, check CISA’s GitHub page. CISA will keep the repository updated when vendors issue patches.

Given the widespread exploitation of this vulnerability, it is also advisable to conduct hunt procedures. Organizations should assume that their assets have been compromised to simulate incident response procedures. It should involve treating assets as compromised, inspecting and monitoring accounts across your enterprise that exist on or connect to assets that use Log4j. These are among the ways that corporate networks can be protected from the vulnerability.

It goes without saying that all firewalls and intrusion detection systems should be updated; those updates can filter or block LDAP and RMI traffic attempting to reach malicious LDAP servers. It is also useful to implement general hygiene practices such as multi-factor authentication and strict VPN policies. Finally, a design flaw in the JNDI Lookup plugin is primarily to blame for this critical vulnerability. Disabling the JndiLookup class prevents the logger from acting on data found in the logged message. JNDI lookups are, however, disabled by default as of Log4j version 2.16.0.
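As an added example (not code from the original post or from any vendor), the following Python helper implements the verification step described above for the asset inventory: it locates log4j-core inside a jar, including jars nested in fat application jars, reads the version from Maven’s pom.properties, and reports whether the JndiLookup class has been removed or whether the version is 2.16.0 or later, where JNDI is off by default. The sample jars are constructed in memory for offline testing; the state labels and function names are my own choices.

```python
import io, re, zipfile

# The JNDI lookup shipped in log4j-core 2.x; deleting this class from the jar
# is the widely used workaround when an upgrade cannot be applied immediately.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built jars record the artifact version here (kept in most shaded jars too).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g) for g in m.groups(default="0")) if m else (0, 0, 0)

def inspect_jar(data, name):
    """Find log4j-core inside a jar (bytes); recurses into nested jars/wars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode().splitlines()
                         if "=" in l and not l.startswith("#"))
            findings.append({"jar": name, "version": props.get("version", "").strip(),
                             "jndi_class_present": JNDI_CLASS in names})
        for n in sorted(names):
            if n.endswith((".jar", ".war", ".ear")):  # fat/uber jars embed dependencies
                findings.extend(inspect_jar(zf.read(n), f"{name}!{n}"))
    return findings

def classify(finding):
    """Map one finding to a mitigation state for the asset inventory."""
    if not finding["jndi_class_present"]:
        return "mitigated-jndi-class-removed"
    if parse_version(finding["version"]) >= (2, 16, 0):  # JNDI off by default from 2.16.0
        return "patched-jndi-disabled-by-default"
    return "vulnerable-update-required"

def build_sample_jar(version, include_jndi, nest_in=None):
    """Constructed stand-in for a log4j-core jar (not a real artifact), optionally nested in an app jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file magic only
    if not nest_in:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nest_in, inner.getvalue())
    return outer.getvalue()
```

On a real host, call `inspect_jar(path.read_bytes(), str(path))` for every .jar, .war and .ear found on the filesystem and record the returned state against the asset; a jar that still shows `vulnerable-update-required` after a claimed patch is exactly the discrepancy the record keeping above is meant to surface.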

What is the Future for Log4Shell & Cybersecurity?

Recognizing the problem is the first step in solving a complicated issue like cybersecurity vulnerabilities. Just a few years ago, security breaches were a taboo subject that was rarely addressed outside of the computer sector, and firms that had experienced them were unwilling to disclose them or provide specifics. The latest round of public hacks has elevated cybersecurity to the level of board discussion for many businesses. Additionally, customers can now evaluate businesses based on how they choose to handle these incursions.

Another hopeful aspect is the fact that cybersecurity education is becoming more mainstream. Degree programs in cybersecurity are currently available from many prestigious colleges, including Stanford, MIT, and the University of California, Berkeley. Similar initiatives are under way in the tech and cybersecurity sectors. There will be a record number of highly skilled professionals in the security sector, and the sector also learns from each intrusion and weakness. Today’s news stories become tomorrow’s case studies and legal precedents.

It is also encouraging to see that vendors are building new technology with security in mind. While not all technologies will benefit from this, and the environments won’t be future-proofed, it represents a significant shift from decades of development practices. Although it will take time for these modifications to take effect, keep in mind that the choices that led to the creation of Log4Shell were made years ago.

Seeing more public-private partnerships being formed is a step in the right direction. Companies and governmental organizations are working together to exchange knowledge about vulnerabilities and incursions. Organizations are sharing technical information and broader strategic lessons learned for the good of everybody. This happens at numerous levels and across a variety of teams, so that these problems can be responded to and addressed more quickly and effectively.

These are positive moves the security sector sorely needs to take. They raise the possibility that the world will have considerably more robust and resilient cyber defenses in the future.

About Version 2 Digital


Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox

Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For more information, visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
