Securely connect everything, so that anything is possible
Cybersecurity done right!
How to go from 'making do', to using cybersecurity to your advantage
Your business could and should be able to reach its potential, and offer your customers the value they deserve. To do that, security has to become part of your business strategy.
In a recent Cisco survey of security professionals, 74% of respondents said that the main purpose of cyber security was to ‘mitigate risk’, instead of enabling growth.
Reducing risk is of course a huge part of it. Any good security partner will sit with you in these key stakeholder meetings, and help you build a security infrastructure that is specifically tailored to your company.
However, the consensus seems to be that cybersecurity, although helping you reduce risk, remains the ‘fire extinguisher’ for business innovation. Some questions you may be familiar with:
- “It’s a great idea, but surely that gives us a security headache?”
- “I’d love to empower our employees to do that, but then again we’d be opening ourselves up to potential misuse.”
Many ideas have the cybersecurity fire extinguisher blasted on them before they’ve had a chance to really catch on. Therefore, you end up with the plateauing answer of, “Let’s just do what we’ve always done. We know it’s safe”.
In fact, 39% of our survey respondents said that they had actually halted ‘mission critical’ initiatives due to cybersecurity concerns.
That just won’t do…
“Security has to become part of your business strategy”
It’s not just cyber criminals who are the main threat to your business. In five years time, 4 out of the top 10 market leaders are said to be likely displaced by innovative start ups which have been fuelled by digital ingredients.
Subpar security leaves companies in the worst possible competitive position: not innovating fast enough to compete, yet not safe enough to handle a cyber attack, despite delaying digital innovations.
So, how do you grow and innovate whilst protecting yourselves from the bad guys?
Read on…
Today, when a cyber attack happens...
How do you try and fix it?
When something happens...
Most breaches happen because someone made a mistake – they clicked on a link, opened an attachment, or added a malicious USB stick.
Who is to blame here? The IT department? The CEO? The employee?
A great deal of finger pointing often goes on, without ever getting to the root cause of the problem. It's time to change that, and this ebook is designed to help you do just that.
"Too much attention is spent trying to remedy the bad situations created by cyber attacks, instead of educating people about how to avoid them in the first place."
This is a great example of “making do” and putting up with the real problem, and just fixing the immediate danger instead. So, instead of trying to find a ‘fall guy’, we should investigate what are the current challenges which are facing businesses today.
There are 3 big ones - read on by clicking the arrow over there on the right hand side!
Problem 1: The 'threat surface' has never been bigger or more complex
Read about the new and emerging threats...
Problem 1: The 'threat surface' is getting larger, and more complicated
Picture the scene:
- Users are accessing your network from their own smart devices, from wherever they are.
- Your corporate apps, servers, and data are in the cloud.
- Devices that don’t even look like computers are connecting to your networks (think smart meters, thermostats, cameras...)
And to thicken the plot, you need to figure out how to get security everywhere to secure this complex infrastructure.
In 2016, 27% of connected third-party cloud applications, introduced by employees in enterprises in 2016, posed a high security risk.
“This kind of operation is like catnip for hackers”
This is undoubtedly a result of workers wanting to improve their own levels of productivity and stay connected while on the job… but they’re not necessarily thinking about the security implications on their data when accessing these applications.
This practice, known as ‘Shadow IT’, can be anything from installing an instant messenger service onto a corporate device, to downloading your own file sharing software and using it to transfer sensitive data. This kind of operation is like catnip for hackers.
The case of 'WannaCry'
On the 14th May, news broke in the UK of a ‘significant cyber attack’, which initially looked like a deliberate attempt on our national health service. They appeared to be hit by a ransomware campaign, which was designed to exploit any technology weaknesses, and bring their systems to a halt…unless they paid the cyber criminals a fee.
However, it soon became clear that as more and more countries came forward with their own similar reports, that this was a rapidly spreading global threat. No one industry was immune, and it definitely wasn’t your ‘usual’ case of ransomware…
Our Talos threat intelligence team dived deep into research mode, and here's what they found:
WannaCry became installed through a vulnerability in the Microsoft SMB protocol, not phishing emails or malvertising which is how ransomware normally gets distributed.
SMB is a network protocol used to share files between computers. One of the reasons that this ransomware spread so rapidly and so quickly is because of the fact that it can spread laterally on the same network, automatically installing itself on other systems in the network without any end user involvement.
The malware was particularly effective in environments with Windows XP machines, as it could scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.
On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers remained unpatched globally.
This is very much true of Windows XP computers which are no longer supported by Microsoft, as well as the millions of computers globally running pirated software, which are (obviously) not automatically upgraded.
A really key part of our findings confirmed that the malware had been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whomever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.
So what can we learn from WannaCry?
Talos strongly encourages organisations take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones:
- Ensure your organisation is running an actively supported operating system that receives security updates.
- Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
- Run anti-malware software on your system and ensure you regularly receive malware signature updates.
- Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Cyber criminals frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
A new type of attack is now emerging...
Though they are still primarily motivated by financial gain, the aim of some cyber criminals now is to step things up a gear, and not just to attack, but to destroy in a way that prevents organisations from restoring their systems and data (i.e taking out their backups).
As revealed in the 2017 Cisco Midyear Cybersecurity Report, our researchers commented that the extent of this new era of ‘destructive’ attacks is very sinister activity, and is a precursor to a new and devastating type of attack that is likely to emerge in the near future: Destruction of service (DeOS).
Why is this? A large reason is that cyber criminals have seen the huge opportunity in being able to hack into IoT devices (those which haven’t necessarily been built with security in mind), and create large scale attacks using IoT botnets.
The report goes on to explain that we’ve seen evidence that most organisations aren’t fully aware of what IoT devices may be connecting to their network – such as smart metres, cameras, or thermostats. Many of these devices lag well behind desktop security capabilities, and are typically rarely patched or run outdated applications.
In addition, it’s not always clear who inside the organisation is responsible for addressing IoT compromises. Typically, once an IoT project is completed, that team moves onto the next one.
This is why it has never been more important for organisations to make cybersecurity a top priority.
Visibility is the key here – it’s about learning to see what you currently can’t see, and that means devoting the time and resources to ensuring you always know exactly what is in your IT environment…and that everything within it is deployed correctly, and securely and kept up to date.
This isn’t an easy task for organisations, especially considering how fragmented the security industry has made itself.
Which is why, as an industry, we need a customer-first approach. Businesses should be able to implement security solutions that will work best for them, and make the most of their existing investments.
Solutions which can communicate with each other, and work together to protect users and businesses, is the only way in which we can meet the challenge of cyber criminals who are determined to interfere with an IoT world.
As one of our threat intelligence experts, Martin Lee, has observed, we have a small window of opportunity to do something about this:
"“As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learned as part of the development of the Internet—including painful lessons about the importance of security.”
– Martin Lee, Cisco Talos
Problem 2: Threats are becoming increasingly sophisticated
Hackers know your weaknesses, and how to exploit them
Threats are becoming increasingly sophisticated
Hackers can now demonstrate a level of professionalism that challenges a business’s ability to cope. Whilst some remain motivated by the fun or challenge of it, and some do it for reputational purposes, more and more hackers are motivated by financial gain.
When cyber criminals break into systems, more often than not it’s to steal credit card information, email addresses, usernames and passwords…or anything that they can sell onto a higher bidder.
Alternatively, they can hold businesses hostage with ransomware; a ruthless practice which grew by 300% last year. Ransomware encrypts your files without your consent—and only the developer of the ransomware has the key to solve it. Some forms of ransomware also spread across the network.
“Cyber criminals exploit any weaknesses they find ruthlessly.”
Once the infection is complete, a message will appear on your screen, demanding that you pay a ransom in bitcoins for your data. A typical ransom can be anywhere from £200 to £10,000, but some organisations have paid a lot more.
Crucially, cyber criminals understand their targets—down to their likes and dislikes and how they conduct business. They know what they will pay for their data to be released, and they exploit any weakness they find ruthlessly.
In 2016, cybercriminals stole $81m directly from a bank in Bangladesh - and would have got away with almost ten times more, were it not for a crucial typo that aroused suspicion.
Attackers are agile, while companies can’t always say the same. Especially when they’ve just been ‘making do’ with security.
Problem 3: Companies have been piling on point solutions
The ‘Got a problem? Buy a box’ approach is now working against us.
Companies have been piling on point solutions to address a plethora of needs.
Businesses are facing the challenge of having a patchwork quilt of old and new technologies, with a significant amount of legacy IT, and multiple security vendor solutions.
We have tried to solve the problem of cybersecurity by throwing unconnected technology at the problem, without a clear strategy in mind.
This creates gaps, management headaches and inefficiencies that attackers can exploit.
“Security is a huge business enabler – when it’s done right”
Each new solution comes with another management interface. Each new solution demands human resources, management hours to set up, set policy, respond to alerts and its not always clear whether the extra security outcome you gain is worth all the extra effort you are putting into managing that solution - rather than focusing on bigger problems elsewhere.
You may have added complexity without much overall incremental effectiveness.
This situation isn’t helped by the fact that security is still seen as primarily an ‘IT issue’. According to the Cisco Security Benchmarks Study, UK organisations don’t strongly agree (as much as other countries) that line of business managers are engaged with security.
This is a real issue, because it often means that security often gets “bolted on” rather than embedded in a company’s ecosystem. The attitude in the UK is, overwhelmingly, “Security is IT’s problem”.
Making do with a solution becomes a hindrance in the long run, when security is actually a huge business enabler when done right.
Cutting corners creates more work.
1. Increased visibility
In order to get to more effective security, we need visibility everywhere. From the network to the endpoint to the cloud – and everything in between. At Cisco, we know what mobile devices are connecting. And we see the computers, operating systems and users connecting locally.
“Cisco Talos examines more data sets from diverse sources than anyone”
We stop more threats with usable threat intelligence across files, DNS, web, email and network traffic. We connect the dots of the data and telemetry we see, and convert that to insights. The things we see that may appear benign are suddenly revealed for what they are – threats that need to be stopped. And you don’t have to just take our word for it. We’ve been identified as the leader for three years in a row in the NSS Breach Detection Systems (BDS) test.
It all starts with our intelligence gathering through our superb Talos team. Cisco Talos examines more data sets from diverse sources than anyone… sources like threats and malware, web traffic, email, DNS, network intrusions and endpoint intelligence – even insights about attacker infrastructure.
Talos coordinates threat protections so all products are seamlessly in sync to block threats. Once a threat is detected, Talos immediately coordinates protections across products, from web and email security to endpoint and network security, for a fast, synchronised response across our entire portfolio, with no effort needed by the end user.
2. An integrated threat defence
“You need security products that intentionally play nicely with others.”
The goal for businesses has to be to see threat once, and block it everywhere – across your entire network. Supported by this capability, organisations can advance their business more quickly and capture opportunities ahead with the confidence that they are secure.
To do this, you need security products that intentionally play nicely with others in the security stack.
This openness fosters “best of breed” solutions in the truest sense of the word—solutions that interoperate. Cisco’s security products are open, which means that when you use them, they will solve incrementally more of your security problems.
Cisco builds products designed to interoperate at every level of the security stack, not only across our portfolio but also with products provided by others. Open offerings set the stage for an ecosystem that can accelerate innovation.
3. Getting the strategy right: Not just ‘making do’
We want to empower businesses to understand how to anticipate and respond to new threats, reduce complexity and fragmentation, and adapt with agility to changing business models.
Backed by our team of talent from former CISOs to consultants to forensic experts and architects, Cisco customers can better manage risk and compliance, control cost, and achieve strategic objectives.
Stay competitive
If businesses keep moving forwards without building security into the core strategy, the likelihood is that this ‘labyrinth’ feeling will become never ending.
With a ‘making do’ approach, you just have to hope that you are heading in the right direction. And hope, as we all know, is not a strategy.
If we don’t build our businesses with security in mind, the so called ‘digital revolution’ will be plagued with issues. All those great ideas may begin to work against you. Which is not only inconvenient; it’s a travesty.
IoT: What's the best approach?
Instead of constantly trying to 'fix' things, here's some great advice about how you can securely take advantage of the Internet of Things
IoT: What you need to know about how cyber criminals are trying to exploit this technology
Words by Martin Lee, Senior Technical Lead, Cisco Talos
The Internet of Things is made possible by continuing advances in chip technology leading to cheap devices that can be deployed to collect data, and effect changes to an environment. Securing these devices means recognising IoT devices as little different from any other networked computing device such as a laptop.
The nature of the threats and vulnerabilities faced by an IoT device will depend on the circumstances of device itself and the ever changing threat environment. By considering the likely vulnerabilities of the device, and the way that threat actors might seek to subvert it, we can design a suitable set of defences that will protect the device during its lifespan.
There are broadly two approaches for identifying the security requirements of an IoT system. Consider the issue as a technical question, with the devices comprising a stack of layers, each of which has its own security needs which can be addressed by applying knowledge of how to secure similar computing systems. Or IoT devices can be considered as an opportunity and target for attackers. Knowledge of the likely tools and tactics of the attackers who will attempt to compromise the devices can be used to specify the defences necessary to protect the systems.
The IoT as a Computing Device
IoT devices, as with any other computing system, consist of a stack of technologies running on top of one another. The layers in the stack comprise, the physical layer of the device itself, the operating system and firmware which allow the device to operate, the application layer of functionality on top of that, and of course the network layer which allows the device to communicate with other systems.
Each of these layers has its own particular set of security requirements and protections which need to be taken into consideration when planning the security of the device. Its important to remember that the most sophisticated cyber protection maybe rendered useless if the physical security of the device is not protected, and the device is stolen.
Physical Layer.
Devices installed in locations that are open to the environment may be exposed to extremes of temperature or water ingress and require a weatherproof enclosure. Devices in public areas may be tempting targets for theft.
For example, criminals in South Africa discovered that they could steal SIM cards used in the city’s connected traffic lights. https://techcentral.co.za/thieves-steal-sim-cards-from-joburg-traffic-lights/20075/ Although IoT devices may be inexpensive, components within a device may provide opportunities for criminals.
Defenders should consider the physical security of the IoT, physically protecting devices where necessary. The physical tampering or theft of a device should be able to be detected, with the device being able to be wiped of application software, data and access rights if required.
Firmware and Operating System Layers.
Inevitably, any system that includes software, will include vulnerabilities that will need to be fixed by the application of a software patch.
For example, CVE-2016-2148 is a vulnerability in BusyBox prior to version 1.25.0 which allows an attacker to execute commands on a device running the vulnerable software by interacting with the device over the network. https://nvd.nist.gov/vuln/detail/CVE-2016-2148 The vendor released a patch to resolve the vulnerability, but defenders need to be aware of the patches that are required for their IoT systems, and have a robust patching regimen so that vulnerabilities and their appropriate patches are identified and applied in a timely manner.
In some cases, it may be possible to apply patches to systems, either because a fix is not available to patch a vulnerability, or the affected device may not be able to be taken out of service in order to apply the patch. In these cases, it is possible to protect vulnerable systems by using an Intrusion Detection System (IDS) or Next Generation Firewall (NGFW) to filter network traffic to block attempts at exploiting a vulnerability.
Network Layer
If a device is connected to a network, sooner or later network based attacks are going to be directed against it. Properly segmenting networks so that IoT devices are on separate networks helps limit unauthorised access and exploitation of vulnerabilities.
For example, the Shodan search engine lists many IoT devices that are exposed to the public Internet with all the risks that entails. https://www.shodan.io/explore/tag/iot
Usernames and passwords are not an adequate or manageable solution for authenticating users or administrators to IoT devices. Similarly, usernames and password are poor for authenticating devices when they attempt to connect to other systems. The use of certificate based authentication or software defined networks ensures that only duly authenticated devices are able to access the services to which they are permitted.
For example, compromised IoT devices are able to conduct Sybil attacks, supplying fake data to analysis systems to fool them into making erroneous decisions based on incorrect data.
Vulnerable IoT devices may be compromised by attackers and used as a point of ingress within a network in order to conduct further attacks against other systems. Network administrators should consider IoT devices as any other networked computer and ensure that they are given as few network privileges as necessary to fulfil their function. This may require IoT devices to be only able to access a specially segmented network, or using software defined networking to ensure that IoT devices are unable to connect to other networked systems.
Application Layer
IoT devices fulfil a purpose by executing application code that utilises the functionality provided by the other layers in the device. Like any software code, it must be assumed that the application code will contain vulnerabilities that will require patching. Or, if patching isn’t possible, the device will require additional network protection, such as an IDS or a NFGW to prevent exploitation of the vulnerabilities.
The integrity and origin of any application will need checking. During the software installation process, code may become corrupted and will require re-installation. This must be able to be managed without the device crashing and requiring a manual reboot. Hence, some form of code management system should be available to facilitate this.
Despite best efforts, in limiting network access and protecting against exploitation of vulnerabilities, attackers may still be able to install and execute malicious code on an IoT device. In these cases, it is important to be able to identify aberrant behaviour from the devices through monitoring its network behaviour, and prevent compromised devices from contacting malicious command and control servers.
For example, the Mirai botnet was compromised of IoT devices compromised by attackers accessing devices through unchanged default usernames and passwords. Attackers installed malicious code on the devices to participate in launching denial of service attacks against targets of the attacker’s choosing. https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
Adopting defences such as certificate based authentication, preventing or limiting access to external networks, and good network segmentation help prevent these types of attacks being successful.
The IoT as a Target for Attackers
Any computing device, able to execute commands and connected to the Internet presents an opportunity for attackers. Even if the device seems small and insignificant, spare CPU cycles and network capacity can be stolen through executing malware.
Behind every cyber attack is an individual, the threat actor, who is seeking to fulfil a goal or purpose. Different threat actors have different objectives, and different levels of skill. These skill levels may range from the unsophisticated who is only able to launch attacks using off-the-shelf tools supplied by a third party, to extremely sophisticated and well resourced attackers who are able to compile a bespoke attack against a target using an otherwise unknown vulnerability in the system.
The majority of threat actors are relatively unsophisticated and are likely to view an IoT device as a generic network connected device from which they can make money using a tried and trusted criminal business model. Typically, these attackers seek to compromise as many systems as possible, while expanding a minimum of effort.
Extremely sophisticated threat actors are few and far between. These attackers may be able to invest great time and effort in identifying specific vulnerabilities in systems. They may consider a compromised IoT device as a place to gain a toe hold within a network, where they can persist for long periods of time in order to conduct attacks against other more valuable systems. These attackers are likely to put much effort into seeking to compromise a small number of systems.
In any case, the goal of the defenders is to make the successful compromise of a device as difficult as possible. If a system is compromised, then the defender should be able to identify that quickly as possible, and to be able to respond as swiftly as possible in order to remove the attacker and prevent their future ingress.
Attackers may be motivated by idle mischief or the challenge of conducting an attack. Preventing IoT devices from being easily discovered over the Internet or indexed by Shodan helps prevents devices from being subject to attack. Such attackers tend to target the easiest or most tempting option, ensuring that your IoT systems are less easily discoverable than others helps to encourage attackers to target other systems.
In cases, where it is impossible to remain largely invisible, using strong encryption and certificates to ensure that only authorised systems are able to connect to each other, and ensuring that network traffic is not amenable to unencrypted analysis helps frustrate such attackers.
The majority of threat actors have criminal motivations. Criminals are aware how to make money from compromised devices through installing malware that can: steal CPU cycles, in order to crack hashes or mine for bitcoins; steal bandwidth, in order to participate in denial of service attacks; steal data, that can be stolen and resold to other criminals; or encrypt data in order to hold it to ransom and not restore it unless payment is made.
Securing IoT systems against unauthorised connections by good network segregation and management either through keeping networks physically separate from other systems, software defined networking or NGFW protection, helps prevents criminal threat actors from accessing devices.
If a device is compromised, then preventing the device from connecting to the command and control systems of the attacker means that although there may be malware on the device, the device is unable to receive the commands from the attacker in order to fulfil the goals of the attacker. Ensuring that connections to other networks are protected by firewalls that are able to block connections to known command and control systems, and recognise and block known command and control protocols prevents the malware from receiving additional malicious instructions.
Conclusion
IoT systems seem at first glance to easy to construct. This is true, but like any other networked system, the IoT needs protection against attack. Risk management processes such as ISO 27005 or NIST SP 800-30 are very useful tools to apply to identify the types of defences that IoT systems require in order to protect against the current threat environment. However, any form of reflection about the types of risks that the IoT entails is going to be better than none.
No single form of protection is likely to be sufficient, but a layered approach of deploying multiple different security systems can protect against even the most determined attacker and help give defenders the upper hand.
In an era of amazing possibilities through digitisation, security can be one of the few things that can hold you back. Worse than that, it can start to work against you if you take a ‘making do’ approach.
In just three years, an estimated 50 billion new devices will be connected. Businesses have a multi trillion pound opportunity—if they can seize this digital revolution securely. All it takes: a holistic approach to cybersecurity.
Enacting layers of protection from routing and switching to the cloud and beyond. Only Cisco offers a portfolio that integrates security at every step. And we’ve been put firmly to the test.
“Securely connect everything, so that anything is possible.”
Finally, a security approach is now available that takes the burden off businesses, and detects and remediates threats faster.
Move to more effective security with an integrated architectural approach that gives digital menaces less time to make their mark.
Security that works together. It’s the smart solution.
Is your security strategy aligned to your business goals? Tick the box that best describes your situation
- Yes, we have a strong strategy for security and it’s frequently discussed at board meetings
- It’s a top priority, but we’re lacking a proper strategy at the moment
- We know we need to do more, but we’re stretched too thinly at the moment
- We don’t have a well thought out security strategy
- Security has been given no consideration whatsoever in our business
