Tag Archives: defense in depth

Why Every Small and Mid-Size Business Should Prioritize Network Segmentation

Posted on by
Reply

 

The safety and efficiency of business operations hinge on robust networking practices. As cyber threats continue to escalate, small businesses must adopt significant protective measures, and one proven strategy is network segmentation. This method can be the difference between maintaining a secure environment and falling victim to a devastating data breach.

Network segmentation involves partitioning a computer network into smaller, manageable sections, enhancing security, and boosting performance. For small businesses, where resources often run thin, prioritizing such a strategy not only helps protect sensitive information but also streamlines compliance with regulations. This makes understanding and implementing network segmentation an essential consideration for any small business owner.

In this article, we will explore the importance of network segmentation for small businesses, its key benefits, and practical implementation strategies. From real-world examples to expert recommendations, we aim to equip you with the knowledge necessary to secure your business’s digital landscape effectively.

Understanding Network Segmentation

Network segmentation is a critical security measure for small and mid-sized businesses aiming to safeguard their digital assets from cyber threats. By dividing the entire network into smaller, isolated segments, businesses can control and monitor traffic flow meticulously, effectively reducing the overall attack surface. This strategic separation means that should one segment suffer a security breach, the unauthorized access remains confined, minimizing the risk to sensitive data across the network.

Segmentation policies play a vital role in maintaining business continuity. Segmented networks allow for targeted fixes in the face of suspicious activity, without disruption to the entire network’s operations. This is a key advantage for smaller businesses that require consistent uptime to remain competitive.

Additionally, network segmentation helps to alleviate network congestion, which can hinder network performance. With security incidents increasingly common, adopting network segregation as part of a broader security strategy is vital for companies to fortify their security posture.

In summary, embracing network segmentation offers the dual benefits of enhanced security and improved operational efficiency. It is a proactive approach to protect a business’s intellectual property while ensuring a smooth, uninterrupted internal network experience.

Importance of Network Segmentation for Small Businesses

Network segmentation stands as a bulwark for small and mid-sized businesses amidst a landscape rife with cyber threats. It reinforces cybersecurity by architecturally delineating the network into smaller, manageable, and independent segments. This systematic compartmentalization impedes the propagation of threats; if a breach occurs within one segment, it is less likely to spread to others. For small businesses, this means that even if one area is compromised, the breach’s impact is curtailed, preserving the integrity of the rest of the network.

A flat network design, devoid of these demarcated boundaries, can be perilous. One vulnerability can cascade, putting the entirety of an organization’s digital infrastructure at risk. Conversely, segmented networks enable more granular control over who or what can access resources, providing greater transparency into the ebbs and flows of network traffic. Moreover, as small businesses expand, their network’s complexity often increases. Transitioning to a segmented approach is not only a defensive maneuver but also simplifies network management. A meticulously crafted network segmentation strategy, resonating with the business’s overall security objectives, is imperative for safeguarding critical data amid growth and changes.

Enhancing Security

When it comes to ramping up the security of a network, segmentation is a crucial undertaking. By subdividing a network into isolated fragments, it acts like a series of firebreaks in a forest, isolating problems and filtering out unwanted or unnecessary traffic. Such compartmentalization substantially diminishes the chances of a cyber onslaught affecting the entire network, thereby fortifying both security and the smooth functioning of operations.

Network segmentation does more than just isolate issues—it stymies the lateral motion of malicious actors. If an attack arises within a particular zone, that segment can be quarantined swiftly, hindering further incursion into the network. Furthermore, with the proliferation of IoT devices, which often fall prey to vulnerabilities, dedicating a specialized network segment for these devices is a prudent move for cybersecurity in small businesses.

Policymakers and regulatory bodies underscore network segmentation as a foundational security measure. It ensures that sensitive data remains shielded and that only authorized personnel can access critical resources, adhering to compliance necessities and elevating the organization’s security posture.

Protecting Sensitive Information

For small businesses that handle sensitive data, network segmentation acts as a guardian. It imposes a structured separation of the network lay-out into more tightly controlled units, empowering security teams to closely guard troublesome areas. An attacker confronted with a segmented network faces significantly increased hurdles to navigate through and access confidential data.

This isolation also plays a critical role in mitigating the spread of malware. If a segment falls victim to such an attack, the segregation prevents the malicious software from infecting adjacent networks, essential for containing the damage. Network segmentation refines access control, limiting reach to authorized users only, which significantly reduces the occurrence of unsanctioned data infiltrations.

Moreover, network segmentation focuses the scope of monitoring and auditing efforts. Security teams can concentrate on sectors housing sensitive information, elevating the chances of detecting and responding to suspicious activities. This targeted vigilance is key in the swift identification and rectification of security incidents, ensuring that the integrity of vital data is preserved and the business’s reputation remains intact.

Key Benefits of Network Segmentation

Network segmentation is an integral strategy for small and mid-sized businesses to enhance their network management and security. By dividing the entire network into smaller, dedicated segments, businesses reap multiple benefits that contribute not only to security but also to the efficiency and regulatory adherence of their operations.

Improved Network Performance

Network segmentation undoubtedly contributes to better network performance. Allocating resources and bandwidth more efficiently, each segment runs more effectively, becoming less susceptible to network congestion. This segmentation allows for issues within a specific area to be resolved with minimal impact on the network’s overall function, essentially reducing system downtime and enhancing productivity.

Simplified Compliance

From a regulatory perspective, network segmentation makes compliance simpler and more cost-effective. By isolating and concentrating on segments that involve sensitive data, an organization can streamline compliance procedures and reduce the scope—and potentially the cost—of audits. This focused approach is particularly advantageous when complying with stringent regulations, such as in healthcare or finance.

In essence, network segmentation is not merely a security solution but a strategic approach that bolsters the security architecture, performance, and compliance of small and mid-sized businesses, ultimately fortifying their position in an increasingly competitive and risky digital landscape.

Reduced Attack Surface

Network segmentation is a proactive security measure that is essential for safeguarding small and mid-sized businesses. It significantly reduces the attack surface by breaking down the entire network into smaller, more manageable segments. Each of these network segments comes with its own set of resources and controls, thereby creating multiple, limited attack surfaces rather than one expansive and vulnerable one. This partitioning is not merely a structural convenience; it’s a strategic security stance that can deter cyber threats and make unauthorized access decidedly more challenging.

The concept of a reduced attack surface is fundamental. Picture a segmented network as a series of compartments in a ship. If a breach occurs in one compartment, it’s contained and doesn’t flood the entire vessel. The application of such a strategy in a network context prevents suspicious activity from sprawling unchecked across the network, as segmentation inherently limits lateral movement. Security teams can more efficiently manage and monitor these individual segments, swiftly identifying and isolating threats.

Here’s a concise overview of the benefits:

Benefit

Description

Concentrated Security

Isolate threats within segments, preventing widespread damage.

Thwarted Lateral Movement

Restricts malware and attackers from moving freely across the network.

Targeted Access Control

Enforces least privilege access, enhancing protection.

By implementing segmentation policies and barriers at each network segment, businesses can maintain a stronger security posture, protect intellectual property, and ensure business continuity even when facing security incidents.

Types of Network Segmentation

Network segmentation is a strategic approach to infrastructure security that divides a computer network into smaller, controllable segments or subnets. This process enhances control over traffic flow and bolsters network security. There are several types of network segmentation that organizations can adopt depending on their specific needs and resources. These include:

  1. Physical Segmentation: Utilizes distinct hardware components to create separate network enclaves, thereby providing clear, concrete network boundaries.
  2. Logical Segmentation: Involves partitioning a network into subnets using software-defined network solutions such as Virtual Local Area Networks (VLANs). This method doesn’t require additional hardware and offers greater flexibility.
  3. Micro-Segmentation: Takes network segregation a step further by breaking down segments into even finer sub-segments at the workload or application layer, which allows for highly specific security policies and controls.

These types of segmentation can play various roles in improving a network’s integrity, from controlling data flows to enhancing security protocols. Understanding these differences is key to determining the most suitable segmentation strategy for a business.

Physical Segmentation

Physical segmentation involves delineating network boundaries using actual hardware. This structural approach to network segregation establishes discrete segments that are physically separated from one another, enhancing the control of data flow and network security. Benefits of physical segmentation include:

  • Targeted Security Measures: With clear network boundaries, security measures can be tailored to each physical segment’s specific needs, increasing a system’s resilience against cyber threats.
  • Operational Efficiency: By reducing network congestion, physical segmentation leads to better performance, lower risk of downtime, and more efficient operational processes.
  • Containment of Security Incidents: In the event of a breach, physical segmentation can confine the impact to one segment, curbing an attacker’s ability to perform lateral movement across the entire network.
  • Enforcement of Access Control: Consistent enforcement of security policies and access controls is more tangible when physical demarcations are in place.

To ensure the effectiveness of physical segmentation, organizations should regularly audit and review their segmentation measures, confirming that policies and controls remain consistently applied across all physical network segments.

Logical Segmentation

Logical segmentation offers an alternative to physical separation by using techniques such as VLANs or subnetting to segment networks on a software level. Main features and benefits of logical segmentation include:

  • Routing Efficiency: VLAN-based logical segmentation facilitates efficient automated traffic routing, streamlining network performance without the need for extensive physical restructuring.
  • Flexibility: Without the requirements for physical infrastructure changes, logical segmentation allows for the swift and flexible creation of network subdivisions.
  • Automated Provisioning: Simplification of network resource management is possible through automated provisioning of subnets, easing the administrative load.
  • Reduced Attack Surface: By isolating network sections from each other, logical segmentation can reduce the overall attack surface, enhancing an organization’s security stance.

Logical segmentation is considered a versatile solution, offering a way to segment networks effectively while avoiding the higher costs and inflexibility associated with physical changes to the network architecture.

Virtual Local Area Networks (VLANs)

At the core of logical segmentation, Virtual Local Area Networks (VLANs) are essential tools for small and mid-sized businesses aiming to improve their network’s security and management. With VLANs, it is possible to:

  • Granular Access Control: Pairing VLANs with access control lists (ACLs) can facilitate micro-segmentation, tightening security at a granular level and offering resistance to cyberattacks.
  • Security Zones: VLANs make it easier to limit lateral movement across the network, creating secure zones that shield the wider network from potentially compromised workloads.
  • **Isolation of Devices:**Isolating specific device categories, like personal and IoT devices from crucial data systems and sensitive information, is achievable with VLANs, which plays into a strong cybersecurity strategy.
  • Streamlined Network Management: By organizing devices and traffic into VLANs, businesses can streamline network management and enhance security protocols.

The introduction of VLANs is more than just a segmentation measure; it’s an integral component of a security solution, contributing vastly to the security strategy of small and mid-sized enterprises by effectively controlling and protecting network traffic and assets.

Best Practices for Implementing Network Segmentation

Network segmentation is an essential strategy for enhancing the security and efficiency of small and mid-sized businesses. It is necessary to embrace best practices when implementing network segmentation, which includes careful planning and the robust enforcement of security measures to protect valuable assets. Let’s delve into some of the best practices that businesses should adhere to when segmenting their networks.

Setting Clear Segmentation Policies

One of the initial steps in successful network segmentation is to create a clear, concise segmentation policy. This policy acts as the blueprint for how the network will be divided into manageable and secure segments. It should stipulate criteria for segmentation, which could be based on departments, functions, or the sensitivity of the data being handled. By aligning these policies with overall security objectives, businesses can ensure a strategic approach to network security that is unified and effective. A well-defined policy not only aids in structured implementation but also helps in achieving specific goals within the set timeframes. To remain relevant and strong against evolving cyber threats, it is crucial to regularly assess and refine the effectiveness of these policies.

Utilizing Firewalls and Access Controls

Firewalls serve as the gatekeepers of network security, diligently monitoring and controlling the traffic that traverses between network segments. To bolster network defenses, businesses should deploy both perimeter and internal firewalls, enforcing detailed security policies that cater to different protocols or applications. This multi-layered approach significantly strengthens the network’s security fabric.

Access control lists (ACLs) are fundamental to maintaining a secure network environment. They require frequent reviews and updates to reflect changes in network configurations or security demands. Furthermore, firewalls can create demilitarized zones (DMZs), which provide an additional layer of security by isolating public-facing services from the core internal network. Strong authentication methods such as multi-factor authentication, paired with stringent controls over application layer traffic, reinforce the security barriers between network trust zones.

Regularly Reviewing Segmentation Strategies

To safeguard the effectiveness of network segmentation over time, small and mid-sized businesses must engage in regular reviews and adjustments of their segmentation strategies. These reviews should be conducted annually, or more frequently in case of significant changes within the network or its security landscape. Ongoing monitoring and strategy updates enable businesses to address emerging issues within individual segments, thus maintaining network integrity without extensive disruptions.

Isolation of network segments empowers organizations to apply precise security measures, bolstering resilience against cyber threats and confining potential breaches. In today’s dynamic cyber environment, adopting a proactive stance in reviewing and revising network segmentation strategies is a recognized best practice, particularly when the stakes involve the protection of sensitive information and intellectual property.

By integrating these best practices into their network management, small and mid-sized businesses not only strengthen their security posture but also optimize network performance, thereby setting a solid foundation for sustainable growth and resilience against cyber threats.

Real-World Examples of Network Segmentation

Network segmentation is not an abstract concept but a practical, architectural approach integral to modern cybersecurity. In essence, it involves dividing a network into multiple segments or subnets, each functioning like a mini-network. This division has myriad benefits, including enhancing control over traffic flow, improving security monitoring, and bolstering overall network performance. By establishing clear network boundaries, organizations can prevent unauthorized access to their most prized digital assets—whether it be customer data, corporate financials, or intellectual property—thereby securing hybrid and multicloud environments against sophisticated cyberattacks.

The implementation of Virtual Local Area Networks (VLANs) and subnets are commonly utilized forms of network segmentation. They not only contribute to more efficient network performance but also play a key role in containing threats, ensuring that any intrusions are confined to a single segment and do not permeate an entire network. Such containment is crucial to minimize damage and rapid response.

An essential component of a robust segmentation strategy is the enforcement of stringent security policies that govern the communication between subnetworks. This involves regulating which users, services, and devices have the permission to interact across these network segments, thereby significantly reducing the chances of unwarranted access to sensitive areas of the network. In the event of a security incident, tailored segmentation significantly limits the affected zone and thwarts the lateral movement of threats within the IT environment—this localized containment simplifies the task of Security teams during incident response and recovery.

Case Study: A Retail Business

In the fiercely competitive and digital-first world of retail, network segmentation becomes critical in protecting not just the company’s assets but also its reputation and customer trust. Retail businesses, regardless of their size, can employ network segregation technologies like firewalls and routers as hardware-based solutions or embrace the flexibility of software-based options such as virtual LANs (VLANs) for effective network segmentation.

A crucial practice for these businesses is the segregation of various device types, including IoT devices and servers, which often store and process sensitive customer data. The impact of a robust network segmentation strategy in a retail business extends beyond security enhancements; it improves operational efficiency as well—by reducing network congestion, streamlining traffic, and thereby minimizing potential downtimes.

Incorporating network segmentation also aligns retail businesses with industry regulations and standards, as it simplifies compliance efforts. Regular audits and assessments become more navigable with clear-cut network boundaries and segmentation policies, ensuring continued compliance and trust in the brand.

Case Study: A Financial Institution

Financial institutions, perhaps more than any other industry, stand to gain significantly from the prudent application of network segmentation. A bank or other financial body can utilize network segregation to isolate sensitive transaction processing systems from more public, customer-facing applications. Such segmentation isn’t merely a barricade for cyber threats—it also serves to enhance system performance by easing the load on core processing networks.

Security policies enforced through network segmentation can serve as a bulwark against unauthorized access, such as by ensuring that branch employees do not gain entry to sensitive financial reporting systems beyond their operational needs. The demarcation established by network segmentation effectively reduces the potential traffic on critical networks, thus enabling a smoother operation of systems—especially those handling intricate financial analytics—for authorized personnel.

Traditional security technologies employed in implementing segmentation policies include internal firewalls, Access Control Lists (ACLs), and Virtual Local Area Network (VLAN) configurations. By scrutinizing the implementation journey of other institutions, financial entities can leverage learned best practices and sidestep common pitfalls. This sharing of experiences fosters an ecosystem of improved security measures across the board, ultimately enhancing the security posture of the entire financial sector.

Network Segmentation and Remote Work

With the dramatic shift towards remote work, network segmentation has become more than just a good practice—it’s an operational imperative for small and mid-sized businesses (SMBs). In a landscape where remote employees are as standard as in-office personnel, the traditional network perimeter has been reinvented, making network segmentation a critical security solution.

By partitioning a network into distinct segments, businesses can cordon off sensitive information, such as customer data and intellectual property, ensuring that unauthorized access is denied even in remote work environments. This is essential because remote connections frequently operate over less secure networks, which can be gateways for cyber threats.

Furthermore, secure remote access capabilities like Virtual Private Networks (VPNs) are integral to a solid security posture. VPNs, by harnessing network segmentation, enable remote workers to securely access the corporate network, reducing risks associated with data breaches or cyber espionage.

The performance benefits are also significant. Segmentation allows for the effective monitoring and control of traffic flow. This keeps critical network segments operating at peak efficiency—an indispensable feature when remote employees depend on network resources.

However, the security strategy must not remain static. Regular evaluation and updating of segmentation policies are necessary to adapt to evolving risks, to ensure a robust defense against security incidents. As technologies progress and threats evolve, SMBs must pivot and scale their segmentation strategies accordingly.

Moreover, the integration of automated workflows within a unified network segmentation strategy can lead to greater security efficiency. Such automation can immediately isolate compromised devices, preventing suspicious activity from exploiting the entire network and enabling security teams to swiftly contain and resolve issues.

Secure Remote Access Solutions

In the domain of secure remote access solutions, technologies like Zero Trust Network Access (ZTNA) embody the principles of network segmentation. ZTNA operates on the assumption that trust should never be implicit within a network, segmenting network access and enforcing strict adherence to ‘least privilege’ principles. This ensures that remote and mobile employees can only interact with network segments and resources for which they have authorization.

The deployment of VPNs enhances the security of employees who access company systems from home networks or public Wi-Fi hotspots, which are often not secure. By utilizing encrypted connections, VPNs act as a security measure for network isolation, even when the physical network boundaries extend far beyond the office space.

For added security, Multi-factor Authentication (MFA) is essential. MFA adds layers to the security architecture by verifying user identities in several ways before granting access to network segments, providing a robust barrier against unauthorized access and bolstering the overall security strategy.

Special consideration should also be given to the segmentation of personal devices. By designating a guest network specifically for non-corporate devices, SMBs create an additional buffer against lateral movement within their networks, thereby maintaining the integrity of their security posture. This segregation is pivotal for adhering to security requirements and regulatory compliance across industries.

Continuous monitoring and the implementation of access controls further strengthen these security solutions. They provide the security teams with the visibility needed to detect any suspicious activity and enforce security policies, ensuring that only authorized users gain access to critical resources.

In summary, network segmentation presents a viable security solution that complements remote work by enhancing both network performance and security. As SMBs navigate the complexities of this new work dynamic, they must be strategic and proactive in embracing network segmentation as a core component of their security measures.

Getting Help

To learn more, or get help with architecture and design of your network segmentation strategy, get in touch with MicroSolved (Info@microsolved.com or 614.351.1237) to arrange for a no-hassle discussion of how our 30+ years of experience can help your small and mid-size business. 

* AI tools were used as a research assistant for this content.

 

Using HoneyPoint as a Nuance Detection System in Utility Companies

Posted on by
Reply

I often get asked about how utility companies deploy HoneyPoint in an average implementation. To help folks with that, I whipped up this quick graphic that shows a sample high level deployment. 

Thanks for reading! Let me know what you think, or if you have an interest in discussing an implementation in your environment.

Three Tough Questions with Aaron Bedra

Posted on by
4

This time I interviewed Aaron Bedra about his newest creation ~ RepSheet. Check it out here:


Aaron’s Bio:

Aaron is the Application Security Lead at Braintree Payments. He is the co-author of Programming Clojure, 2nd Edition as well as a frequent contributor to the Clojure language. He is also the creator of Repsheet, a reputation based intelligence and security tool for web applications.


Question #1:  You created a tool called Repsheet that takes a reputational approach to web application security. How does it work and why is it important to approach the problem differently than traditional web application firewalling?

I built Repsheet after finding lots of gaps in traditional web application security. Simply put, it is a web server module that records data about requests, and either blocks traffic or notifies downstream applications of what is going on. It also has a backend to process information over time and outside the request cycle, and a visualization component that lets you see the current state of the world. If you break down the different critical pieces that are involved in protecting a web application, you will find several parts:

* Solid and secure programming practices

* Identity and access management

* Visibility (what’s happening right now)

* Response (make the bad actors go away)

* HELP!!!! (DDoS and other upstream based ideas)

* A way to manage all of the information in a usable way

This is a pretty big list. There are certainly some things on this list that I haven’t mentioned as well (crypto management, etc), but this covers the high level. Coordinating all of this can be difficult. There are a lot of tools out there that help with pieces of this, but don’t really help solve the problem at large.

The other problem I have is that although I think having a WAF is important, I don’t necessarily believe in using it to block traffic. There are just too many false positives and things that can go wrong. I want to be certain about a situation before I act aggressively towards it. This being the case, I decided to start by simply making a system that records activity and listens to ModSecurity. It stores what has happened and provides an interface that lets the user manually act based on the information. You can think of it as a half baked SIEM.

That alone actually proved to be useful, but there are many more things I wanted to do with it. The issue was doing so in a manner that didn’t add overhead to the request. This is when I created the Repsheet backend. It takes in the recorded information and acts on it based on additional observation. This can be done in any form and it is completely pluggable. If you have other systems that detect bad behavior, you can plug them into Repsheet to help manage bad actors.  

The visualization component gives you the detailed and granular view of offenses in progress, and gives you the power to blacklist with the click of a button. There is also a global view that lets you see patterns of data based on GeoIP information. This has proven to be extremely useful in detecting localized botnet behavior.

So, with all of this, I am now able to manage the bottom part of my list. One of the pieces that was recently added was upstream integration with Cloudflare, where the backend will automatically blacklist via the Cloudflare API, so any actors that trigger blacklisting will be dealt with by upstream resources. This helps shed attack traffic in a meaningful way.

The piece that was left unanswered is the top part of my list. I don’t want to automate good programming practices. That is a culture thing. You can, of course, use automated tools to help make it better, but you need to buy in. The identity and access management piece was still interesting to me, though. Once I realized that I already had data on bad actors, I saw a way to start to integrate this data that I was using in a defensive manner all the way down to the application layer itself. It became obvious that with a little more effort, I could start to create situations where security controls were dynamic based on what I know or don’t know about an actor. This is where the idea of increased security and decreased friction really set it and I saw Repsheet become more than just a tool for defending web applications.

All of Repsheet is open sourced with a friendly license. You can find it on Github at:

https://github.com/repsheet

There are multiple projects that represent the different layers that Repsheet offers. There is also a brochureware site at http://getrepsheet.com that will soon include tutorial information and additional implementation examples.

Question #2: What is the future of reputational interactions with users? How far do you see reputational interaction going in an enterprise environment?

For me, the future of reputation based tooling is not strictly bound to defending against attacks. I think once the tooling matures and we start to understand how to derive intent from behavior, we can start to create much more dynamic security for our applications. If we compare web security maturity to the state of web application techniques, we would be sitting right around the late 90s. I’m not strictly talking about our approach to preventing breaches (although we haven’t progressed much there either), I’m talking about the static nature of security and the impact it has on the users of our systems. For me the holy grail is an increase in security and a decrease in friction.

A very common example is the captcha. Why do we always show it? Shouldn’t we be able to conditionally show it based on what we know or don’t know about an actor? Going deeper, why do we force users to log in? Why can’t we provide a more seamless experience if we have enough information about devices, IP address history, behavior, etc? There has to be a way to have our security be as dynamic as our applications have become. I don’t think this is an easy problem to solve, but I do think that the companies that do this will be the ones that succeed in the future.

Tools like Repsheet aim to provide this information so that we can help defend against attacks, but also build up the knowledge needed to move toward this kind of dynamic security. Repsheet is by no means there yet, but I am focusing a lot of attention on trying to derive intent through behavior and make these types of ideas easier to accomplish.

Question #3: What are the challenges of using something like Repsheet? Do you think it’s a fit for all web sites or only specific content?

I would like to say yes, but realistically I would say no. The first group that this doesn’t make sense for are sites without a lot of exposure or potential loss. If you have nothing to protect, then there is no reason to go through the trouble of setting up these kinds of systems. They basically become a part of your application infrastructure and it takes dedicated time to make them work properly. Along those lines, static sites with no users and no real security restrictions don’t necessarily see the full benefit. That being said, there is still a benefit from visibility into what is going on from a security standpoint and can help spot events in progress or even pending attacks. I have seen lots of interesting things since I started deploying Repsheet, even botnets sizing up a site before launching an attack. Now that I have seen that, I have started to turn it into an early warning system of sorts to help prepare.

The target audience for Repsheet are companies that have already done the web security basics and want to take the next step forward. A full Repsheet deployment involves WAF and GeoIP based tools as well as changes to the application under the hood. All of this requires time and people to make it work properly, so it is a significant investment. That being said, the benefits of visibility, response to attacks, and dynamic security are a huge advantage. Like every good investment into infrastructure, it can set a company apart from others if done properly.

Thanks to Aaron for his work and for spending time with us! Check him out on Twitter, @abedra, for more great insights!

HPSS And OSSEC

Posted on by
Reply

I’d like to go over some of the tools that we mention on the blog. The first one I’d like to take a look at is OSSEC. You may have heard of us talking about it before, we mentioned it a few days ago. That was in relation to HoneyPoints and using OSSEC as another layer of your “defense in depth” strategy. I’ll explain what it does, and how it can help you.

First of all, what is OSSEC? OSSEC is an acronym for “Open Source Host-based Intrusion Detection System”. From the name you can see it’s a Host-based Intrusion Detection System (HIDS). As a HIDS it has the capability to do log analysis, integrity checking, Windows registry monitoring (and event log), rootkit detection, real-time alerting and active response against malicious hosts. It can be run locally, or as a centralized system with agents running on hosts.

So how does OSSEC relate to HoneyPoint? Well they both watch different things, and complement each other. While HoneyPoints are psuedo services and capture traffic from them, OSSEC watches real services for probes and compromises. It does this largely by a system of log analysis. I won’t go into it deeply, but the log analysis rules are very configurable, chainable, and fairly easy to write for anyone that knows regex and has a familiarity of basic scripting language.

With OSSEC’s active monitoring, it’s possible for the host to dynamically write firewall rules to block that host. Similar to HoneyPoints Plugin interface, with which you could also use to write a plugin to do that. You could even use OSSEC to watch your HoneyPoint Console syslogs and integrate HoneyPoint Console triggers with its own active response rules, to centralize blocking of hosts between HPSS and OSSEC.

As you can see, OSSEC can work quite nicely with HoneyPoint Security Server as part of a “defense in depth” strategy. There’s no single tool to “rule them all”, so to speak, so it’s important to watch from multiple perspectives! If you want to check out OSSEC, you can visit www.ossec.net.

Port Knocking and SPA – Thoughts

Posted on by
Reply

A colleague of mine pointed me to an article on Port Knocking, more specifically, Single Packet Authorization. I wasn’t too familiar with either but once I started reading, some thoughts came to mind. Does this look far to cumbersome and “pain in the butt” to implement for such a small gain to anyone else? This is just another method of implementing the doomed “security by obscurity”.
First off, Port Knocking “is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports.” [1] Single Packet Authorization is similar, but requires only one encrypted packet. While this may impress some people with it’s technical savvy, this solution should be thoroughly evaluated before implementing. As far as enterprise usability goes – limited at best. Talking amongst ourselves here we did think of one implementation that would actually be useful. That is to prevent your ISP from knowing you’re hosting a service without having to create extensive black or white lists. You could host an ftp server for example without the port ever showing as open to an overly intrusive ISP. Of course we do not condone the breaking of any agreements with an ISP.
However, for enterprise environments Port Knocking and Single Packet Authorization are in my opinion no way a replacement for good security practices These include keeping the service up to date with any patches/updates provided by the vendor. Be aware of any newly developed or developing threats to the service you’re hosting. Implement proper ACLs at the firewall. Block all of Eastern Asia from accessing your SSH service if need be. Use VPN clients. This is critical, there’s no real reason to have remote access ports opened without protection. Use VPN clients. Just about every enterprise firewall comes with some sort of VPN option. Last but not least, do not forget the importance of a strong password policy. Brute force attacks really become a non issue with a complicated enough password.
In conclusion, PK and SPA sound good in practice, and implemented as part of a greater defense in depth solution could work; otherwise, stand alone PK and SPA in my opinion are less than ideal.

[1] http://en.wikipedia.org/wiki/Port_knocking

The Continuing Saga of Malware by Email

Posted on by
Reply

We’re seeing reports of a new round of storm virus emails. This time they’re using valentine’s day to lure users to a site to download and run the malware. Otherwise it is essentially the same attack as before. We advise that you ensure all your email and virus defenses are running with the latest updates and that your users are reminded to ignore emails from unknown entities. They should also never download attachments from emails or web sites that are not explicitly trusted. There are plenty of potentially intriguing subjects that could be used to dup unsuspecting users. Things like winning Super Bowl tickets, checking out the latest American Idol videos, or even the latest news on the presidential campaign.