Cyber Readiness – A Holistic Approach to Network Security

Just because you’re doing the right things, doesn’t mean you’re doing things right

Part 1 of a 3 Part Series on how businesses can leverage proven US Military “Intelligent Adversary” tactics to stay cyber-secure.

If I were to ask an IT Professional to explain why his or her network is secure, I would probably hear a response that goes something like, “I have the latest and best technology, I do regular vulnerability scans, I do an annual penetration test, and I am in compliance with my industry’s security requirements and standards.”  At face value, that sounds like a solid answer and it appears that the IT Professional is taking the necessary steps to ensure that his company’s network is secure.  In reality, it is more likely that this answer is only partially correct.

In spite of the efforts that IT Professionals across all industry verticals take to secure their networks, the widely accepted approach of deploying the latest technology, conducting vulnerability assessments, and following compliance checklists is not adequate.  While each of the aforementioned components is important, they are generally applied independently and without operational context which means they are viewed as administrative functions.   The notion that network security is an administrative issue is problematic because virtually every company relies on its network to conduct business operations.    So businesses must ensure that their networks are ready for the inevitable attack.  We call that “cyber readiness” in the Military.  When I was responsible for Navy Cyber Operational Readiness I learned quickly that my business, the US Navy, could not fight if it didn’t control its networks.  The constantly growing list of companies that have been breached over the past few years is an indicator that many businesses are not cyber ready.

So how does an organization achieve truly effective cyber readiness?  Most importantly, businesses need to view network security holistically.  It isn’t enough to “check the boxes” by buying the latest and greatest technology, conducting vulnerability assessments, and completing compliance checks.  What is truly needed is a different paradigm, one that has proven successful in the Military and is built upon three interdependent focus areas.  The three focus areas, Network Infrastructure, Compliance, and Operational Behavior, form the Cyber Readiness Triangle, depicted below.

[Figure: the Cyber Readiness Triangle, with Network Infrastructure, Compliance, and Operational Behavior as its three legs]

Let’s briefly discuss each of the three focus areas to more fully understand how they contribute to more comprehensive cyber readiness:

1.  Network Infrastructure.  Perhaps the most significant problem that I have observed in industry since leaving the Navy is that businesses tend to look for the next best technology that will provide an acceptable level of security without increasing IT management cost.  This approach falls short because we continue to see businesses being breached.  It only takes one next generation firewall to be misconfigured for an attacker to find a way to breach a network.  So we see how even the most sophisticated technology will not be effective if that technology is not employed properly.

2.  Compliance.  Up front, compliance is often viewed negatively because there is a tendency for people to focus solely on what’s needed to meet the compliance requirement. Think about certification “boot camps” that are focused on preparing students to pass the certification exam rather than ensuring students finish the course with a firm understanding of the material.  But in this case, let’s assume that most IT Professionals perform due diligence when they execute the various compliance checklists associated with their particular industry.  Let’s also assume that compliance standards are valuable and that they provide comprehensive frameworks   for businesses to use when developing and maintaining cyber readiness.  Even with these assumptions, compliance standards don’t tell businesses anything about new hacker techniques, or what tactics and technology businesses can use to protect their data in response to the constantly changing threat.  Finally, many standardized compliance programs are overly generic and do not take business operations into account.

3.  Operational Behavior.  What are employees doing on the company network, and how is that activity affecting company cyber readiness?   A business can deploy the most advanced technology, pass every compliance audit with flying colors…and get breached because an employee clicks on a malicious link in a phishing email.  Conversely, even if every employee of a business follows established information assurance policy to the letter, the network may still be vulnerable due to outdated patches or misconfigured routers.

No business is immune to cyber-attack and in fact, businesses should expect that it’s just a matter of time before an attacker succeeds.  But the fact that attacks are inevitable doesn’t relieve a business from its obligation to do everything possible to prepare.  And preparation isn’t a series of checks in blocks.   Preparation means businesses understand that Network Infrastructure, Compliance, and Operational Behavior work together to form the Cyber Readiness Triangle and that if one leg fails, the triangle collapses.

Part 2 of this series will cover “Red Teaming”, a Threat-Based approach to network assessments.  This edition will discuss why and how Red Teaming is different and more effective than current assessment processes.  Stay tuned!


Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.  Comments and questions for Mike Walls are welcome: blog@edgewave.com

Navy Red-Team Testing Moves to Business

Mike Walls, EdgeWave Managing Director and former head of US Navy Cyber Readiness, spoke with iSMG’s Eric Chabrow at the Gartner Security & Risk Management Summit. Walls shares valuable insights on how businesses can implement Red-Team tactics to protect organizations from data breaches.

Chabrow’s article can be found HERE

As a U.S. Navy aviator, Mike Walls dropped bombs for a living for 26 years and then took that experience to the Fleet Cyber Command to lead so-called “red teams” to not only test the information systems on warships, but the impact degraded systems had on warfighting capabilities.

Now, as managing director of security operations and analysis at the IT security company EdgeWave, the retired Navy captain is evangelizing those Navy red-team testing capabilities to the private sector.

“Penetration testers are trying to stay up with adversary tactics, the latest hack,” Walls says in an interview with Information Security Media Group. “The difference is the operational contest. The red teamer is not just trying to get into the network to prove he can. He’s going two or three steps beyond to create effects with a very definitive purpose. A pen test is very encapsulated. A red team has a very broad operational view of what [it's] doing and what the impact is going to be.”

In the interview, conducted at the Gartner Security and Risk Management Summit outside Washington, Walls:

  • Describes how red-team testing in the Navy prepares a warship commander to continue to engage in a battle with degraded IT systems;
  • Provides an example how a business could benefit from red-team testing;
  • Explains why warfighting experience in the Navy or business know-how in the private sector are key attributes for red-team members and their leaders.

An Annapolis graduate, Walls joined EdgeWave shortly after retiring from the Navy last July. In the Navy, Walls directed forces conducting cyber operations across the global Navy cyber domain, including all Navy unclassified networks and websites. He also oversaw development and implementation of the Navy’s first website vulnerability assessment capability and directed a cadre of sophisticated cybersecurity trainers and assessors conducting cooperative (blue team) and non-cooperative (red team) cyber-readiness assessments. He also provided penetration testing support to the Navy’s operational test and evaluation force.

Cyber Threats to Education Systems

As we approach mid-June, our thoughts in the U.S. naturally turn to those that are graduating High School and College at this time of year.  This is a major accomplishment for many, to be celebrated by all.  It is also a time to reflect upon our educational institutions, and the many threats facing them today.  While some of these threats have been well documented (skyrocketing costs, low teacher salaries, child abuse scandals, etc.), the Cyber threat to our educational systems has been steadily growing.

Cyber threats to educational systems can take a number of forms, from the bored student to political extremists and even foreign Governments.  The sheer cost of higher education in the United States will likely draw the attention of Eastern European organized cyber criminals specializing in penetrating databases for the exfiltration of financial data.  While cases in which students “hack” systems to change their grades garner a bit more attention (and perhaps a bit of envy), other cases can be much more serious.

Some threat actors want attention, and find school websites around the world to be easy targets.  “Hackers” affiliated with the Islamic State and other extremist organizations are demonstrating their ability to deface websites, even at elementary schools and churches.  This can be quite disconcerting to average American elementary school students, naturally worrying that “terrorists are coming to get them.”  Such was the case in March, when a group claiming to be the “Voice of Palestine” defaced the webpage of the Greenbrier Christian Academy in Chesapeake, Virginia.  The FBI later stated that the attack originated from a “local” IP address, but it is not clear whether that IP was used as a transit point or was the actual source.  The FBI is continuing to investigate.

Penn State recently announced the FBI had told the College their systems had been penetrated by “Advanced Persistent Threat” actors operating from China.  This intrusion forced the disconnection of the College of Engineering at Penn State, and the outage lasted several days.  Far from changing grades, the actors in this case were specifically targeting Intellectual Property, and the losses are still being evaluated.  Additionally, more than 500 public (government) and private research partners were notified of the breach, and more than 18,000 people were offered credit monitoring services due to the compromise of their personal information (including social security numbers).  Penn State furthermore brought in expensive outside consultants to combat the intrusion, and promptly discovered two other previously undetected threat actors on the Penn State network, one of which dated back to September 2012.  Remediation is ongoing.

The above examples are not likely to be isolated incidents, and it is expected that many more educational institutions are unaware of threat actors already on their networks, including threats posed by “trusted insiders.”  Recently, the media has reported several cases of high school students gaining unauthorized access to restricted areas of school networks in order to change grades for themselves and friends.  These activities were not detected by vigilant network security staff members, but rather teachers that noticed something odd occurring within their accounts.

Educational systems must invest in their network security, just as many in the private sector have already discovered.  Risks to educational networks are arguably higher, as seemingly tech-savvy students may not always recognize dangerous phishing emails and do not have corporate IT policies to follow.  Further, peer pressure is often a factor, with many students downloading and running popular games, sharing video sites, and trading pictures with their friends to pass the time in monotonous classes.  It is not a stretch to envision malicious software hosted on sites specifically aimed at students in order to target educational institutions.

Schools and Universities must begin to take steps to protect not only their students, but also their investments in Intellectual Property and research partnerships.  As government and corporate networks improve their Cyber defenses, so must educational systems.


Dave Bell, EdgeWave Technical Director, Security Operations and Analysis,  is a former Red Team leader for the U.S. Department of Defense. With over 20 years of experience within the DoD and Intelligence Community, Dave led the Red Team in many major DoD exercises in order to demonstrate the potential operational impacts of offensive cyber operations and improve the effectiveness of US Military cyber tactics and personnel.  You can read Dave’s blog HERE

EdgeWave a 2015 IT World Awards Finalist 4x!


EdgeWave has been named a Finalist in four categories in the Network Products Guide 2015 IT World Awards!  EdgeWave ePrism Email Security was named a Finalist in the Best Cloud Security and Best Email Security categories.  EdgeWave iPrism Web Gateway was named a Finalist in the Best Web Security and Best Deployment in the USA categories.

Cyber Threat Update – 4/27/2015


Last week, our EPIC analyst team identified and stopped a large botnet campaign targeting various sectors, with Consulting Services being the hardest hit.  Over 17 million emails strong, this campaign used several unique email identifiers, but all linked back to the German-based website catcut[dot]net, which points toward known Ukrainian spammers.

In the email campaign the spammer provides a link that directs users to a website containing very suspicious JavaScript code. The code can infect systems running on Windows or Macintosh platforms. The malicious website is also likely to send system information and credentials to the spammer.

This is uniquely dangerous because the site will likely steal your credentials which can be used as a gateway to future cyber attacks.  As always, be very cautious when opening an email from an unknown sender and never click on a link that isn’t from a trusted site.


EdgeWave EPIC provides comprehensive Military Grade cyber security to companies large and small in all sectors, deploying the latest in automated protection backed by 24/7 human analysis, and guarding against Advanced Persistent Threats. EdgeWave monitors networks and customizes security rules for over 6000 clients globally, ensuring compliance and timely reporting. Visit www.edgewave.com to find out how easy it is to secure your network.