Is it time to move to the cloud?

As out of office work has become more common all businesses must address the security of their remote workforce. Early during this pandemic’s quarantine, businesses were forced to become extremely agile and required to adapt and adjust to our current situation.  However, now that Covid-19 is with us for the near future we must pivot from making things work to making things work securely.

Once the pandemic eventually ends normal business operations will resume with a few resemblances of normalcy.  But one thing is certain compliance and regulatory requirements will remain and the new remote workforce will need to be secured.

Most modern businesses had already implemented remote access methods prior to the pandemic.  For organizations of all sizes adjusting to 100% remote for their workforce caused unexpected consequences. Many organizations had to develop a disaster recovery/business continuity plan in real-time. A common problem that most likely occurred for medium-sized businesses is a lack of available bandwidth for the VPN appliance.  Most VPNs are built for between fewer than 100-200 users and once that user threshold is met the device can become unstable for some or all VPN users.  Utilizing a high availability pair can provide load balancing for these types of events. In addition, a second VPN Appliance that often also performs double duty as a firewall can also help increase bandwidth over the VPN. Having a duplicate VPN Appliance can be costly as it doubles the cost as you’re now utilizing two appliances instead of one. That high cost can be justified for businesses that require high uptime or are performing critical work that can’t be delayed. But scalability will not end with your VPN and may need to be addressed for other services or functions as well.

Additionally, organizations must begin to consider the level of access given to its users. One problem with VPNs is that they provide network layer access to users, which is often unrestricted.   It is commonplace for a VPN user to have access to the entire network if the network is not segmented.  It is possible to limit VPN access or segment the network to avoid unauthorized access to subnets or networks which normal users wouldn’t require access too.  In networking the old philosophy of trusting traffic on the same access level is beginning to change.  The idea of Zero Trust addresses the very idea that all hosts are given Zero Trust and in order for a user to access any system it requires the same authentication process disregarding the user’s connection origin. The user attempting to connect to a host from a public Wi-Fi connection or plugged into a switch right next to the host, the traffic will be treated the same, requiring the same authentication process for either origin location.   Zero Trust utilizes systems, which are already established such as centralized access controls, multi-factor authentication, and device authentication.  A Zero Trust authentication will require a valid username/password that is tied to a central identity access system (ideally), then a multi-factor authentication token, and a certificate, which was issued to the device at deployment. This method effectively authenticates the user, the session, and the device. Zero Trust and cloud computing work very nicely and I’d suggest if you move to the cloud that is the time to implement Zero Trust. 

Having resources in the cloud can now be utilized by businesses of all sizes and can avoid requiring a VPN connection to the physical office. The older model of IT infrastructure utilized on-premises servers that contain resources such as file shares, desktop applications, or desktop environments.  This internal infrastructure would require a VPN or less secure alternatives to access the internal network’s services and functions which employees need to perform their job functions.   Some businesses may require to keep their equipment on-site however the vast majority will have the ability to move to the cloud. The cloud offers alternatives as you can utilize a cloud provider for file shares and web applications to replace the older desktop applications.  Pivoting to cloud resources can eliminate the need for a VPN and can enable a remote workforce to flourish.  

If you’re considering adjusting your organization’s infrastructure placement, you must ask a series of questions about your organization. 

  • Will the move be Cost-Effective?
  • Will the cloud satisfy my Compliance Regulations?
  • Will the cloud satisfy my Business Agreement Obligations?
  • Will the cloud satisfy my Legal Requirements?

The answers to all of these questions is most likely yes…

Once you’ve identified if you can move to the cloud an organization must determine what services are required. Do you need a complete virtual environment for workers or just a web application? As desktop applications become more obsolete web applications will continue to allow for more agility in our remote workforce.  Previously organizations may have had an internal application, which was only accessible on an endpoint in the office or over a VPN, as now a web application can be utilized. Access to a web application can be safe if you implement a centralized identity management system that utilizes a two-factor authentication token for verification.  As the potential web application would be exposed over the Internet the use of centralized identity management and two-factor authentication help compensate to prevent unauthorized access. 

One benefit of moving to a cloud environment is the idea that disaster recovery and business continuity can become much easier to engage. Spinning up a warm site or cold site can take time and require a large effort for physical hardware. But in AWS or Azure, it can be a few mouse clicks away by replicating a server to a different Availability Zone (AZ) in AWS and/or a different region to spread it across multiple data centers within your cloud provider.

Moving to the cloud does not guarantee a more or less secure environment. If you move to a cloud environment don’t forget the basics. Zero Trust is a great idea but it should be implemented along with the normal security operations such as limiting permissions for users, reviewing access, user awareness training, running frequent patching, and utilizing secure protocols for transmitting sensitive data. Often organizations look for security silver bullets and neglect the mundane tasks that will equate to a stronger security posture.   

Technical Risks of third-parties

A third party would be defined as any contractor, business associate, business partner, vendor or even volunteer who works within your organization.  When you work with a third party it will instantly create an additional risk for your organization. However, that level of risk will depend upon the third party, as not all third parties are created equal. A third-party security services firm with a positive reputation will most likely introduce less risk than a contractor hired to do marketing.  

Third Party Risk Management has quickly been recognized as a vital task, which must be taken seriously. As companies look to adopt newer technologies and become more agile it is only reasonable to think that third parties will be utilized more frequently in the future for more and more services and tasks. Without assessing, and managing third party relationships how can you be sure that your third party is taking your security seriously? 

From a technical perspective a third-party connection could come in various forms for example a web API (web hook) pulling data from one source into another system which could inadvertently share information through web services. A more traditional third-party connection could be a remote user with VPN access or direct connections through an application such as Citrix. Another possibility of a third-party connection could be a Site-to-Site VPN between corporate networks, which is always, open and connected which could potentially lead to the most risk.  Additionally, a third party may have access to a secure file transfer protocol (SFTP), which could be used to transfer and/or exchange information between companies. Each method described details differing levels of access and with that third-party access it introduces potential risks.

A Web API could be utilized to transfer PHI or other data through HTTP(s).  This method is similar to a user accessing a web application to view a medical record, but instead of a user it’s an automated process which pulls the medical record or other information requested and returns results to be incorporated or displayed to the initial program, which made the request. An example of this would be if I created a web site dedicated to the price of gold. One of my main objectives of this website is to display the current price of gold.  However, I don’t want to edit the website continuously to keep updating the price of gold as it changes in real-time.  Instead I could create an API which will pull the price of gold from another site of my choosing which would then be displayed on my website.  This API would be updated in real-time and would not require me to consistently update the gold price on my web site.   

A remote VPN is pretty straight forward it would be a single user accessing a VPN to obtain network access to utilize the agreed upon asset.  Similarly, a direct access connection through a Citrix or VMware application environment can utilize a native ability to limit the contractor or third parties’ access to only the required resources. While a site to site VPN is a consistent open connection between your organizations network and the third parties’ networks.  Site-to-Site VPNs should be avoided, as the trust of the third party can never truly be known without extensive audits. If a Site-to-Site VPN must be used it is important to utilize a strict deny all rule and allow only the specifically needed traffic through the VPN tunnel.

An SFTP connection is a common way to allow the exchange of information.  A third party can be provided unique credentials and provide the source of their IP address to allow for the source validation of the incoming IP addresses to allow only the known third parties to upload data to your file upload service.  Validating the source IP address along with a unique username/password to authentication over a SFTP is a secure method.  Ideally, the third parties would only have permissions to view data or folders associated with their company and have the ability to only upload data.

Additionally, a third party may actually host all of your data. With the strong adoption of cloud hosting it is becoming more common for companies to offload their sensitive information to the cloud. If sensitive information is stored in the cloud it should be detailed in a third-party risk tracker. Additionally, the vetting and continued assessing of any hosted provider should be considered as the wrong choice could have costly consequences.

All of these different methods have many similarities when it comes to managing third party access. The use of third-parties will only continue to increase with newer technologies and advancing skill gaps between workers. If an organization follows the proper vetting, management and continued auditing of their associated third-parties then an organization can effectively limit and document the risks involved. We have some steps below that all organizations should follow to keep their relationships productive and secure.

The first step is to include, review and update contract language in BAAs addressing third party security requirements, obligations and best practices. This is especially true for any service which hosts PHI.

Second is to track which contractors or third parties have access to what data or systems.  A detailed tracker will go a long way to document and understand who has access and what level of access they possess. Additionally, for APIs, SFTP, VPNs, hosted data and other connections should include the IP addresses of a connection; ports, protocols and all characteristics of the connections possible. 

Additionally, the technical aspects of third-party management should spin-off different tasks, which should be performed regularly to add a layer of defense.  These audits can catch mistakes, anomalies, things falling through the cracks and any other things overlooked regularly. 

      Verify unique IDs are in place for all users

      Verify the appropriate level of privileges is set for all users

      Test the monitoring in place to ensure it is in place and working properly especially for third party users

     Verify secure protocols are implemented for all transmitting of sensitive information

 Verify that any PHI stored is encrypted while at rest

      Review connection agreements are matching the agreed requirements

When it comes to securing your third-party relationship, it should follow the same principles as the rest of your security practices. Do the basic things track the third-party users or connections, detail the level of access, implement strong access controls, and verify your monitoring is working properly. Also, make sure only secure protocols are used for any data exchanges and always audit and review. Finally, strongly assessing and reviewing your third party can help ensure the continued security of your sensitive infrastructure. It is better to discover the possible can of worms now before you find yourself making a headline for the wrong reasons.

Jawn of the Month

For February 2020 the Jawn of the month is…

NMAP

NMAP is such a powerful tool that it is can be used for multiple functions including pen testing, network mapping, vulnerability scanning and more.

https://nmap.org/

What Do You Gain by Performing a Penetration Test?

As we continue to rely on technology in our everyday lives we must remember this interconnectivity comes with a price.  The ability to access devices remotely over the Internet has created a new world of ease and freedom, which can be manipulated by malicious actors.  If a device is exposed on the Internet it has the possibility of being compromised.  Organizations can’t help but exposing some services over the Internet, items such as VPNs, SFTPs, HTTP Logins, Emails, APIs and etc. will require exposure to the Internet.   Items such as these often become the target of a hacker.  Hackers will scan the Internet looking for specific known ports containing exposed running services, which can be exploitable. Hackers will eventually find the services you’re hiding and will test your defenses.  How will your perimeter defenses hold up against any possible attacks?

Organizations can take steps to protect themselves against hackers and make their environment unappetizing for any attacker. Testing systems through vulnerability scanning is now a common practice which companies utilize to gain meaningful incite regarding both their internal and external postures.   These vulnerability scans are high-level automated scans that provide information regarding the versioning of systems, identifying exposed services and determining the associated risk of those findings. A vulnerability scan can help an organization determine if their configurations are following best practices and if system patching is occurring regularly. New vulnerabilities are discovered every day and once a discovery is reported a specific software or hardware vendor must scramble to remediate the issue through a patch and push those patches out to its clients. If a patch is not applied and the vulnerability exists it creates a possible vector for a hacker to pinpoint. This is where the difference between a vulnerability scan and Penetration test begin to diverge.

A Penetration test can utilize information obtained from vulnerability scans and additionally probing with the goal of discovering possible exploits. After vulnerabilities are discovered a hacker will plan and begin executing different exploits against those detected vulnerabilities.  A Penetration test will provide the organization with a live assessment of real-world techniques to obtain unauthorized access into your network.

During a Penetration test, an ethical hacker will review and plan a course of action to perform exploits and test different perimeter defenses.  Additional tactics such as social engineering to obtain user access are also common practices, which can be included in a Penetration Test.  Often an attacker will spray an organization with fraudulent emails attempting to either inject malware into the company network or trick the user into entering the network credentials into a malicious site, which are sent directly to the attacker. According to the Verizon Data Breach Investigations Report 2017 90% of all incidences and breaches included a phishing element. [i]

Once a hacker has obtained a user’s credentials the next step will be to access the network and pivot. Once access is obtained the hacker will attempt to pivot access to different systems along with obtaining administrator-level credentials for further access into the network.  If administrator credentials are obtained an attacker can create several different backdoors back into the organization, which can be extremely difficult to detect.

The type of Penetration test required will need to be decided by each organization. There are different types of Penetration testing, which include, web application testing, internal testing (simulated insider threat) and external testing.  Web application Penetration testing will test an application for weakness in several different ways. An internal Penetration test could simulate an insider threat.  This attack could originate from a remote user’s credentials being compromised and provide VPN access to a hacker. In this scenario, the attacker has access to the internal network but must bypass any internal controls to access sensitive systems.   And the last type of attack is an external attack, which is the most common. This type of attack is simulating a hacker with no knowledge of your infrastructure and attacking only the external addresses provided for testing attempting to breach the internal network.

Ethical hackers will simulate as close as possible what is a real-life attack scenario. Utilizing Penetration testing will only strengthen your organization’s security posture. The findings from a Penetration test can provide valuable incite for an IT or InfoSec department to add additional risk levels to correctable items or create new additional risk for unrealized discoveries. As interoperability continues to grow the risk of the Healthcare space attracting more hackers will only continue. While companies grapple with difficult issues such as managing 3rd party access and tracking, the prevalence of remote access workers and the constant threat of human error it will only increase the probability of creating vulnerabilities that a hacker can and will eventually exploit.  It’s important to stay a step ahead of all the scary things, which lurk on the Internet.

Organizations must face the reality that hackers are out there searching for their next victim. In 2019, the publication Recorded Future reported on the 100th publicly reported state or local government hit with a ransomware attack.[ii] These types of numbers are alarming and should motivate every organization to bolster its Information Security budgets not only for better defenses but security awareness training.


[i] https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf

[ii] https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/

Jawn of the Month

For the last Jawn of the Month for 2019, I have to go with Disconnect. Disconnect is an impressive ad and tracker blocker. Disconnect is installed through browser extension for all the popular flavors of web browsers. Disconnect also has a pretty cool paid mobile application which can provide some insight into what processes are running on your phone.

Our data is now extremely profitable to organizations. You can make it more difficult for any company to track you by using a few different tools to block their activity. Using tools like Disconnect, and the Brave Browser can go a long way to block some tracking services. Tools such as PI Holes and other firewall settings can block further tracking services by changing the DNS server or blocking known tracking addresses.

Unfortunately for us some trackers can still bypass blocking the trackers in the web browser and through DNS. To avoid these trackers deeper steps must be taken such as utilizing a VPN to mask the true origin of your connection. Smarter trackers can track a user’s activity based on the device’s external IP address. This is possible even with cell phones as the UID or Mac address can be used to link a single device to multiple IP addresses considering it wouldn’t be common for a mobile device to keep a static IP address.

Using tools like Disconnect may not make you completely invisible to advertisers but it certainly can reduce the information they’ve obtained about you.

https://disconnect.me/

Jawn of the Month

I’ve been extremely busy at work and haven’t had time to do much writing.

So without further delay, the jawn of the month is…

The Brave Browser…

I downloaded it months ago for the free airdrop of coins. I recently faced an issue with my recent browser of choice Firefox and switched over to Brave. I was able to import everything and set up my password manager and haven’t skipped a beat. Additionally, it has more built-in security capabilities while using much fewer system resources. And you also can earn BAT a digital currency used for tipping content providers by simply viewing some occasional adds.

It’s a cool product and it serves a purpose but keeps security at the core of its principles.

https://brave.com/

Jawn of the Month October

The Jawn of the Month for October 2019 is Wazuh.

Wazuh is an open-source security platform that can work within enterprise environments.

Wazuh can help organizations utilize compliance required tools such as monitoring, threat detection, file integrity monitoring and intrusion detection. Normally these tools cost exuberant amounts of money for off the shelf products. This tool has the capability but will require installation, implementation and maintenance performed by your IT team. If you have the technical capability it is a no brainer to look for open-source tools.

This jawn is cool and it is free!

An Assessors thoughts on Split Tunneling

Today’s modern networks require flexibility to allow workers to work from multiple locations.  One of the most common methods to achieve remote network access is a Virtual Private Network (VPN).  VPNs can come in all shapes and sizes, from hosted, to on premises, to in the cloud, and can be built to fit all needs.  However one topic that is often over looked is the topic of whether or not to allow VPN users to utilize split tunneling. Webopedia defines a split tunneling as “The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN.” The idea is a user has a tunnel to the corporate network to access any apps or shared drives through the VPN connection while still utilizing the local internet connection of the remote user for access to the web or local resources. 

A common question assessors are often asked is if split tunneling is allowed for remote VPN connections.  Whether or not to allow split tunneling will come down two things.  First does your organization have specific legal or compliance requirements surrounding network access?  Additionally, the trust of the party using the remote access VPN must also be considered.

If user-owned devices are accessing your network the risk is that those devices are not meeting the basic policy compliance of your organization and are creating a possible attack vector to enter your organization’s network. And now by allowing split tunneling, it creates a broader situation. If the user’s remote device is compliant it is still possible for the remote user to become infected by malware or a virus while connected to the split tunnel VPN. An infection could spread from the remote users device across the VPN connection. 

In terms of security, the biggest risk of enabling split tunneling is the loss of a defense in depth strategy. By enabling split tunneling you now have an open connection to your network which can send/receive traffic which does not pass through your organization’s perimeter security devices such as a firewall, IPS or IDS. This will create a situation where your organization cannot monitor web traffic on the remote device through the VPN connection.

In addition, utilizing a split tunnel can increase the possibility to exfiltrate data out of the organization.  If any controls are in place to prevent copy and pasting of data these controls may now be ineffective because traffic is being sent outside of the organizations Data Loss Prevention system (DLP). Now it is certainly possible for this to occur with a full VPN tunnel however now the task of preventing that data loss becomes much more difficult with a split VPN tunnel.  

If the remote VPN user used a public Internet connection that user’s web traffic would not be encrypted. This can make that data not sent over the VPN susceptible to snooping if an unsecured protocol is in use. 

Protections to mitigate the risk of split tunneling should include first and foremost a valid BAA, which requires the third party to require security controls to verify the remote workstations are protected. Second, user training and a signed acceptable use policy should also be implemented. As far as the technical controls, a VPN agent, which can perform a health check and verify the device is compliant, should be implemented. This health check should verify that the operating system patches are installed, an anti-virus is installed, running and is updating regularly.

It is common practice to place a firewall in front of the VPN traffic however this firewall is generally not as robust as the perimeter firewall.  That firewall is the only protection for your network against malicious traffic traversing that VPN tunnel. If proper configuration of the VPN firewall is in place it will protect your network against any malicious VPN traffic but it is a single layer of defense.  As IT security is becoming more prominent it is common practice to implement multiple layers of defense in place to prevent a breech of data.  Disabling split tunneling for VPN access will help prevent some malicious traffic traveling over the VPN connection.

One of the most effective protections an organization can implement is strong network segmentation. Remote users should be limited to only access the systems that are required to perform their job functions. Restrictions should be in place to segment your network to prevent unlimited network access for remote users.  It is all too common that our security professionals see remote access VPNs that allow for complete unrestricted network access. Segmenting VPN connections to access only the required systems is paramount in creating a strong security posture. A Strong network-wide segmentation practice can be the deciding factor if a company will experience a minor breach or a massive breach.  

The benefits of split tunneling are based on needs. A split tunnel VPN will provide the remote user the fastest web browsing speed as now they can utilize the ISP they’re connected too instead of send that traffic through the business’s network.  From a network stand point, it will decrease the bandwidth in use for the VPN traffic as now only business functions will be sent over the VPN and other traffic will flow directly through the remote users ISP connection. A small benefit of a split VPN tunnel would be that now a remote worker could print to their local network printer while connected to the VPN.  This is a minor issue but it certainly is brought up a lot.           

The Hitrust CSF itself does have a requirement regarding split tunneling.  However, there is a specific requirement prohibiting split-tunnel VPNs but it’s not common in the Cyber Security Framework 9.2. This requirement is only applicable to larger organizations.  The decision to allow a split-tunnel VPN will come down to a few things.  One is there that legal or compliance requirement which must be satisfied?  Two does the reward of split tunnel VPNs outweigh the risk?  And third, do you have enough trust with the employees, contractors or vendors who may be utilizing that split-tunnel VPN.  Once an organization answers the three questions above they can make a determination if a split-tunnel VPN works for their organization.

Jawn of the Month

For July the Jawn of the month is……..

Discord

I’m no longer employed by an organization which utilizes Slack. I missed my group chats and I’ve been able to rediscover this lost fondness of group chatting. Discord if you haven’t used it is very cool and contains all of the options you’d like for a chat.

I’ve found that it contains tons of non gamer chat rooms for interesting topics. I had used IRC again briefly and quickly moved over to Discord.

@jerkyyy