Tag Archives: Security

How Digital Transformation Compromises and Corrects Corporate Security | IT Infrastructure Advice, Discussion, Community


Digital transformation – is it a risk or an advantage? A threat or a benefit? Many companies are eschewing the practice, believing that it’s more secure to remain offline in a paper-laden environment that’s comfortable and predictable. Other companies embrace the change with fervor, looking to drive growth and improve performance by taking advantage of new technologies as they are released. Both sides hold merit.

A 2018 survey reported that 67% of respondents had entered the digital transformation process. The same survey indicated that 85% of responding Chief Information Security Officers (CISOs) thought digital transformation security issues had a “somewhat” or “extremely large” impact on their business.

The truth is that digital transformation does compromise security in ways that a manual system never could, but it also improves protection in ways that offline practices never will. The process and the technologies associated with the digital transformation have created a unique ecosystem with the potential to harm and/or help any company hoping to reap the rewards of online infrastructure.

Security gaps created by digital transformation

There are plenty of benefits to migrating your entire company infrastructure from three-ring binders to digital warehousing. Unfortunately, there are also plenty of risks. It’s much easier for unsavory characters to access information stored digitally than it is for them to access information kept in a locked office.

Damage Potential: Digitalization increases what’s known as the attack surface of your company. It creates more virtual access points to your network, making it progressively challenging to monitor and protect each entryway. Sure, even rudimentary security measures can detect obvious threats, but how well do they stand up against disguised and mutating malware capable of imitating critical files in your system? These polymorphic attacks are tough to detect, complicated to remove, and capable of spreading across your network at an alarming rate.

Rate of Change: Further complicating the protection of a digitally transformed company is the rapid change rate brought on by the ease and convenience of an online enterprise. We are now capable of executing development and release cycles in a relatively short period of time. The quicker an item transitions through development, however, the more likely it is to contain bugs, errors, or vulnerabilities missed by a process focused on speed over security.

Regulatory compliance practices overcome some of the risks of digital transformation but aren’t enough to completely protect a company from hackers who don’t subscribe to rules or regulations. Fortunately, there are other ways to attain digital safety.

Security gaps mitigated by digital transformation

For nearly every threat brought on by digital transformation, there is a new technology capable of providing a solution. The same software characteristics that speed up development processes and create unsecured entry points also allow for the rapid development and deployment of safeguards. And, because securing infrastructures requires less stealth than infiltrating them, protective measures are not bound by a need to remain discreet.

Integration and automation

Most experts agree that the best way to secure your company online is to integrate and automate. Systems that work cohesively instead of tangentially are much more likely to be effective at identifying threats and responding appropriately. With assistance from new technologies – like Enterprise Platforms as a Service (EPaaS), which often come with built-in protection features – companies can improve visibility across their network, system, and user interfaces, conveniently monitoring safeguards in a single landscape.

The benefits only increase for companies whose security practices are more than 50% automated. Updates for each stack component can be identified and installed in real time, meaning the length of time your infrastructure spends exposed is reduced dramatically. Automatic backups and version replication further serve to defend a unified security architecture from digital threats.

Timing

Timing is also critical when it comes to digital security. How fast can you detect a problem? How often are you conducting penetration tests and updating your software? How quickly can your system respond to threats? The technologies established as the result of digital transformation are uniquely positioned to improve answers to each of the above questions.

Platforms that integrate systems aid in the rapid detection of abnormalities. When internal components are developed using standards and similar methods or styles, outside threats are more easily identified. Add in automatic system updates and instant communication capabilities, and enterprise security improves dramatically. Even complex technical responses can be implemented swiftly thanks to the enhanced development process enabled by digital transformation.

Corporate security is critical to corporate success. Thus, it’s completely understandable that certain companies are hesitant to pursue digital transformation. The threat potential increases and the attacks are more complex in an online environment. However, digital transformation also catalyzes the creation of advanced technology engineered not only to improve enterprise performance but to protect company infrastructure.

It is true that the potential for problems gives way to the opportunity for solutions. Digital transformation merely provides a framework to enhance those opportunities and advance security practices for enterprises around the globe.


The Router’s Obstacle-Strewn Route to Home IoT Security | Software


It is newly minted conventional wisdom that not a single information security conference goes by without a presentation about the abysmal state of Internet of Things security. While this is a boon for researchers looking to make a name for themselves, this sorry state of affairs is definitely not beneficial for anyone who owns a connected device.

IoT device owners aren’t the only ones fed up, though. Right behind them is Eldridge Alexander, manager of Duo Labs at Duo Security. Even better, he has a plan, and the experience to lend it some credibility.

Before assuming his current role at Duo Security, Alexander held various IT posts at Google and Cloudflare. For him, the through-line that ties together his past and present IT work is the security gains that accrue from aligning all of a network’s security controls with the principle of zero-trust.

“I’ve basically been living and breathing zero-trust for the last several years,” Alexander told LinuxInsider.

Simply put, “zero-trust” is the idea that to the furthest extent possible, devices should not be trusted to be secure, and they should be treated as such. There are many ways zero-trust can manifest, as it is not so much a singular technique as a guiding principle, but the idea is to leave yourself as invulnerable to the compromise of any one device as possible.

A recurring theme among his past few employers, this understandably has left its mark on Alexander, to the point where it positively permeates his plan for IoT security on home networks. His zeal for zero-trust comes to home networks at just the right time.

Although consumer IoT adoption has been accelerating, zero-trust has yet to factor into most consumer networking tech, Alexander observed, and we’re getting to the point where we can’t afford for it not to.

“Investigating not really new threats but increased amount of threats in IoT and home networks, I’ve been really interested in seeing how we could apply some of these very enterprise-focused principles and philosophies to home networks,” he noted.

Network Segmentation

In Alexander’s home IoT security schema, which he unveiled at Chicago’s THOTCON hacking conference this spring, zero-trust chiefly takes the form of network segmentation, a practice which enterprise networks long have relied on.

In particular, he advocates for router manufacturers to provide a way for home users to create two separate SSIDs (one for each segment) either automatically or with a simple user-driven GUI, akin to the one already included for basic network provisioning (think your 192.168.1.1 Web GUI).

One would be the exclusive host for desktop and mobile end-user devices, while the other would contain only the home’s IoT devices, and never the twain shall meet.

Critically, Alexander’s solution largely bypasses the IoT manufacturers themselves, which is by design. It’s not because IoT manufacturers should be exempted from improving their development practices — on the contrary, they should be expected to do their part. It’s because they haven’t proven able to move fast enough to meet consumer security needs.

“My thoughts and talk here is kind of in response to our current state of the world, and my expectations of any hope for the IoT manufacturers is long term, whereas for router manufacturers and home network equipment it is more short term,” he said.

Router manufacturers have been much more responsive to consumer security needs, in Alexander’s view. However, anyone who has ever tried updating router firmware can point to the minimal attention these incremental patches often receive from developers as a counterclaim.

Aside from that issue, router manufacturers typically integrate new features like updated 802.11 and WPA specifications fairly quickly, if for no other reason than to give consumers the latest and greatest tech.

“I think a lot of [router] companies are going to be open to implementing good, secure things, because they know as well as the security community does … that these IoT devices aren’t going to get better, and these are going to be threats to our networks,” Alexander said.

So how would home routers actually implement network segmentation in practice? According to Alexander’s vision, unless confident consumers wanted to strike out on their own and tackle advanced configuration options, their router simply would establish two SSIDs on router setup. In describing this scenario, he dubbed the SSIDs “Eldridge” and “Eldridge IoT,” along the lines of the more traditional “Home” and “Home-Guest” convention.

The two SSIDs are just the initial and most visible (to the consumer) part of the structure. The real power comes from the deployment of VLANs respective to each SSID. The one containing the IoT devices, “Eldridge IoT” in this case, would not allow devices on it to send any packets to the primary VLAN (on “Eldridge”).

Meanwhile, the primary VLAN either would be allowed to communicate with the IoT VLAN directly or, preferably, would relay commands through an IoT configuration and management service on the router itself. This latter management service also could take care of basic IoT device setup to obviate as much direct user intervention as possible.

The router “would also spin up an app service such as Mozilla Web Things or Home Assistant, or something custom by the vendor, and it would make that be the proxy gateway,” Alexander said. “You would rarely need to actually talk from the primary Eldridge VLAN over into the Eldridge IoT VLAN. You would actually just talk to the Web interface that would then communicate over to the IoT VLAN on your behalf.”

By creating a distinct VLAN exclusively for IoT devices, this configuration would insulate home users’ laptops, smartphones, and other sensitive devices on the primary VLAN from the compromise of one of their IoT devices. This is because any rogue IoT device would be blocked from sending any packets to the primary VLAN at the data link layer of the OSI model, a barrier it should have no easy way to circumvent.
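As an added illustration that is not part of the article or of Alexander’s talk, the ruleset below shows how a Linux-based home router could enforce the policy described above with nftables: the IoT VLAN may reach the Internet but never the primary VLAN, and the primary VLAN reaches IoT devices only through a proxy service on the router. The interface names vlan10 (“Eldridge”), vlan20 (“Eldridge IoT”) and wan0, and the proxy listening on TCP 443, are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed interfaces: vlan10 = primary SSID "Eldridge", vlan20 = "Eldridge IoT",
# wan0 = upstream link. The IoT management proxy (Home Assistant, Mozilla Web
# Things, or a vendor service) is assumed to run on the router itself on TCP 443.
flush ruleset

table inet home_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were permitted below.
        ct state established,related accept

        # Both segments may reach the Internet.
        iifname "vlan10" oifname "wan0" accept
        iifname "vlan20" oifname "wan0" accept

        # IoT -> primary is never forwarded. Log and count attempts so a
        # misbehaving device shows up in the router's log.
        iifname "vlan20" oifname "vlan10" log prefix "iot-to-primary blocked: " counter drop

        # Primary -> IoT is not forwarded directly either: user devices talk to
        # the proxy on the router (input chain), which talks to the IoT VLAN.
        iifname "vlan10" oifname "vlan20" counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Basic services the router provides to both segments (DNS, DHCP).
        iifname { "vlan10", "vlan20" } udp dport { 53, 67 } accept

        # Only the primary segment may reach the router's admin and proxy UI.
        iifname "vlan10" tcp dport 443 accept

        # IoT devices get no access to the router's management plane.
        iifname "vlan20" tcp dport 443 counter drop
    }

    chain output {
        # The proxy's own connections into the IoT VLAN leave via this chain.
        type filter hook output priority 0; policy accept;
    }
}
```

The counters on the two drop rules give a defender a quick view of how often an IoT device tried to cross segments.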

It would be in router manufacturers’ interests to enable this functionality, said Alexander, since it would offer them a signature feature. If bundled in a home router, it would provide consumers with a security feature that a growing number of them actually would benefit from, all while asking very little of them in the way of technical expertise. It ostensibly would be turned on along with the router.

“I think that’s a valuable incentive to the router manufacturers for distinguishing themselves in a crowded marketplace,” Alexander said. “Between Linksys and Belkin and some of the other manufacturers, there’s not a whole lot of [distinction] between pricing, so offering home assistant and security is a great [distinction] that they could potentially use.”

IoT Security Standards?

There is some promise in these proposed security controls, but it’s doubtful that router manufacturers actually would equip consumer routers to deliver them, said Shawn Davis, director of forensics at Edelson and adjunct industry professor at the Illinois Institute of Technology.

Specifically, VLAN tagging is not supported by almost any home router on the market, he told LinuxInsider, and segmenting IoT from the primary network would be impossible without it.

“Most router manufacturers at the consumer level don’t support reading VLAN tags, and most IoT devices don’t support VLAN tagging, unfortunately,” Davis said.

“They both could easily bake in that functionality at the software level. Then, if all IoT manufacturers could agree to tag all IoT devices with a particular VLAN ID, and all consumer routers could agree to route that particular tag straight to the Internet, that could be an easy way for consumers to have all of their IoT devices automatically isolated from their personal devices,” he explained.

VLAN tagging is not restricted by any hardware limitations, as Davis pointed out, but is merely a matter of enabling the software to handle it. Just because the manufacturers can switch on VLAN tagging in software, that doesn’t mean it will be an easy matter to convince them to do so.

It’s unlikely that router manufacturers will be willing to do so for their home router lines and, unsurprisingly, it has to do with money, he said.

“A lot of the major companies produce consumer as well as corporate routers,” Davis noted. “I think they could easily include VLAN functionality in consumer routers but often don’t in order to justify the cost increase for feature-rich business level hardware.”

Most router manufacturers see advanced functionality like VLAN tagging as meriting enterprise pricing due to the careful development that it requires to meet businesses’ stricter operational requirements. On top of that, considering the low average technical literacy of home users, router manufacturers have reason to think that power user features in home routers simply wouldn’t be used, or would be misconfigured.

“Aside from the pricing tier differences,” Davis said, “they also might be thinking, ‘Well, if we bake in VLANs and other enterprise-based features, most consumers might not even know how to configure them, so why even bother?'”

Beyond cajoling router makers to enable VLAN tagging and any other enterprise-grade features needed to realize Alexander’s setup, success also would hinge on each manufacturer’s implementation of the features, both in form and function, Davis emphasized.

“I think each manufacturer would have different flows in their GUIs for setting up isolated VLANs, which wouldn’t be the easiest for consumers to follow when switching across different brands,” he said. “I think if IoT security was more standards-based or automatic by default between devices and routers, overall security in consumer devices would greatly improve.”

Securing both of these concessions from router manufacturers would likely come down to ratifying standards across the industry, whether formally or informally, as Davis sees it.

“The different standards boards could potentially get together and try to pitch an IoT security standard to the router and IoT device manufacturers, and try to get them to include it in their products,” he said. “Aside from a new standard, there could potentially be a consortium where a few of the major manufacturers include advanced IoT device isolation in the hopes that others would follow suit.”

Risk Reduction

Alexander’s THOTCON presentation touched on the 5G connectivity that many predict IoT will integrate, but in exploring the viability of alternatives to his setup, Davis quickly gravitated toward Alexander’s proposal.

Connecting to IoT devices via 5G certainly would keep them away from home users’ laptop- and smartphone-bearing networks, Davis acknowledged, but it would present other challenges. As anyone who has ever browsed Shodan can tell you, always-on devices with seldom-changed default credentials connected directly to the public Internet have their downsides.

“Having your IoT devices isolated with your home-based devices is great, but there is still the possibility of the IoT devices being compromised,” Davis said. “If they are publicly accessible and have default credentials, they could then be used in DDoS attacks.”

Enabling IoT for direct 5G Internet connections doesn’t necessarily improve the security of end-user devices, Davis cautioned. IoT owners will still need to send commands to their IoT devices from their laptops or smartphones, and all 5G does is change the protocol that is employed for doing so.

“IoT devices using cellular 4G or 5G connections are another method of isolation,” he said, “but keep in mind, then the devices are relying even more on ZigBee, Z-Wave or Bluetooth Low Energy to communicate with other IoT devices in a home, which can lead to other security issues within those wireless protocols.”

Indeed, Bluetooth Low Energy has its share of flaws, and at the end of the day protocols don’t impact security as much as the security of the devices that speak them.

Regardless of how the information security community chooses to proceed, it is constructive to look at other points in the connectivity pipeline between IoT devices and the users who access them for places where attack surfaces can be reduced. Especially given how easily the necessary software could be included, router manufacturers undoubtedly can do more to protect users where IoT manufacturers largely haven’t so far.

“I think a lot of the security burden is falling on the consumer who simply wants to plug in their device and not have to configure any particular security features,” Davis said. “I think the IoT device manufacturers and the consumer router and access point manufacturers can do a lot more to try to automatically secure devices and help consumers secure their networks.”


Jonathan Terrasi has been an ECT News Network columnist since 2017. His main interests are computer security (particularly with the Linux desktop), encryption, and analysis of politics and current affairs. He is a full-time freelance writer and musician. His background includes providing technical commentaries and analyses in articles published by the Chicago Committee to Defend the Bill of Rights.


Addressing Security Challenges in Decentralized Organizations | IT Infrastructure Advice, Discussion, Community


Interop 2019 Fireside Chat with Stacey Halota: How to make “privacy by design” a reality and IT asset management less painful. In this session, Halota (Vice President, Information Security and Privacy, Graham Holdings Company) discusses the challenges of managing security and compliance in a broad, decentralized organization that spans several highly regulated sectors. Also get her tricks for gaining buy-in for major data governance and metrics initiatives without getting doors slammed in her face.


Fedora’s GRUB2 EFI Build To Offer Greater Security Options


FEDORA --

In addition to disabling root password-based SSH log-ins by default, another change being made to Fedora 31 in the name of greater security is building some additional GRUB2 boot-loader modules into its EFI boot-loader.

GRUB2 security modules for verification, Cryptodisk, and LUKS will now be part of the default GRUB2 EFI build. They are being built in because systems using UEFI SecureBoot aren’t able to load these modules dynamically, owing to the restrictions SecureBoot imposes. Until now, therefore, SecureBoot users haven’t been able to use encryption of the boot partition or the “verify” module, which ensures better integrity of the early boot-loader code.

At last Friday’s FESCo meeting, the ticket was approved for including these modules in the default GRUB2 EFI build starting with Fedora 31 due out in October.

For future releases they may also look at automated signature verification as part of grub2-mkconfig as well as allowing cryptodisk to be configured from the Anaconda installer.


The NSA Is Looking To Contribute To A New x86 Security Feature To Coreboot


COREBOOT --

The US National Security Agency (NSA) has developers contributing to the Coreboot project.

Eugene Myers of the NSA under the Information Assurance Research, NSA/CSS Research Directorate, has been leading some work on an STM/PE implementation for Coreboot.

This implementation is for an SMI Transfer Monitor (STM) to offer protected execution services on x86 by serving as a hypervisor in x86 SMM mode. The NSA work extends STM to support additional virtual machines and paired with an integrity measurement engine can offer greater security to the system. Here’s a video with more information on this STM/PE effort from last year’s Platform Security Summit:

As of earlier this month, that Coreboot STM/PE code is under review including the x86 STM support and other bits.