Using a wildcard certificate may make sense if you are looking for easy management and multiple deployments. They allow you to secure all subject alternative names (SAN) within a domain, and can be a very cost-effective way to secure many different devices. If you have a single registered root domain, a wildcard certificate can secure all domains associated with that root.
The problem with wildcard certificates is that a single private key is used to issue certificates to any number of devices, both inside and outside of your infrastructure. This increases the organization's susceptibility to fraud and data loss. Two important aspects of incorporating wildcard certificates are proper control and monitoring of the certificates. Without these, malicious users can issue fake SANs and associate those with your domain.
Wildcard certificates can be installed on many different servers, which could potentially expose the private key to others. Specific certificate keys, in this case, are very accessible, increasing the risk of eavesdropping. If the private key is compromised, encrypted traffic can easily be decrypted by a malicious user, exposing data and confidential information. Impersonation of a SAN can also occur.
Wildcard certificates are dangerous if not controlled. If one server is compromised and the private key is discovered, every single device on your network using that certificate is considered compromised. Trying to keep track of each device and application using the certificate can be a nightmare, leading to expiration of the certificate and problems with usability.
Your best option is to create single certificates for each SSL device requirement. This ensures that each device has a unique private and public key pair, so that if the private key is compromised, only that device is affected. Always store the private keys very securely; if using PKI, keep the server storing these keys offline so that it cannot be compromised.
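To make the tracking problem concrete, here is an added example (not part of the original post) that walks a certificate inventory and reports which hosts share a private key, which hosts are exposed if one of them is compromised, and which installations are about to expire. The host names, key fingerprints and dates are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory: one record per place a certificate is installed.
# Hosts, names and key fingerprints are made-up sample values.
INVENTORY = [
    {"host": "web01", "names": ["*.example.com"], "key_fp": "KEY-A", "not_after": date(2013, 10, 5)},
    {"host": "mail01", "names": ["*.example.com"], "key_fp": "KEY-A", "not_after": date(2013, 10, 5)},
    {"host": "vpn01", "names": ["*.example.com"], "key_fp": "KEY-A", "not_after": date(2013, 10, 5)},
    {"host": "hr01", "names": ["hr.example.com"], "key_fp": "KEY-B", "not_after": date(2014, 6, 1)},
    {"host": "crm01", "names": ["crm.example.com"], "key_fp": "KEY-C", "not_after": date(2013, 9, 30)},
]

def is_wildcard(record):
    """True if any name on the certificate is a wildcard name."""
    return any(name.startswith("*.") for name in record["names"])

def shared_keys(inventory):
    """Map each key fingerprint installed on more than one host to those hosts."""
    hosts_by_key = defaultdict(set)
    for rec in inventory:
        hosts_by_key[rec["key_fp"]].add(rec["host"])
    return {fp: sorted(hosts) for fp, hosts in hosts_by_key.items() if len(hosts) > 1}

def exposed_if_compromised(inventory, host):
    """Hosts that must be treated as compromised if `host` leaks its keys."""
    keys = {rec["key_fp"] for rec in inventory if rec["host"] == host}
    return sorted({rec["host"] for rec in inventory if rec["key_fp"] in keys})

def expiring(inventory, today, within_days=30):
    """(host, days_left) for each installation that expires inside the window."""
    out = []
    for rec in inventory:
        days_left = (rec["not_after"] - today).days
        if days_left <= within_days:
            out.append((rec["host"], days_left))
    return sorted(out, key=lambda item: item[1])

if __name__ == "__main__":
    today = date(2013, 9, 19)  # sample "today" for the constructed data
    print("wildcard installs:", [r["host"] for r in INVENTORY if is_wildcard(r)])
    print("shared keys:", shared_keys(INVENTORY))
    print("exposed if web01 falls:", exposed_if_compromised(INVENTORY, "web01"))
    print("expiring soon:", expiring(INVENTORY, today))
```

With one certificate per device, `exposed_if_compromised` returns only the host itself, which is the property the recommendation above is after.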
Thursday, September 19, 2013
Monday, September 16, 2013
Traveling with Data
In today’s connected world, it isn’t uncommon for business people to travel internationally to meet with partners, colleagues, and investors. Traveling today means extra special care must be taken when staff are transporting potentially sensitive data across these borders. Common threats to business travelers include Wi-Fi hotspots, untrusted hotel Internet connections, border or customs officials, and theft or loss of physical devices. To help protect your organization and your people, it is important to create an international travel policy when traveling with corporate data and assets.
Whether traveling internationally, or commuting daily on a public train or bus, people log onto corporate laptops and work on sensitive information with little regard for what is going on around them. Maybe there is some element of trust when people take the same train each and every day. The problem is that air travel can be one of the most likely places to lose data.
Airports offer wireless Internet access for their patrons, but who can tell how secure these hotspots are? The connections are not encrypted and it is highly likely that these hotspots have been hacked, with stealthy users now watching your every move. People want to stay connected, and hackers take advantage of this by setting up fake hotspots that attract people anxious to connect with business and friends. For business travelers, the most dangerous hotspot venues are the airports.
The clientele of airports, simply by the sheer nature of the industry, varies daily, and people are never in one place long enough to build any relationships with fellow passengers. This leaves airports as one of the most compromised places, with thefts and pickpocket activity occurring around the globe. With added security since 9/11, many travelers know to keep their bags and valuables within sight at all times, but this attitude is lost as soon as a laptop or tablet opens to corporate information. In the USA, border guards and customs officials are allowed to confiscate any equipment they want, and do with the data as they please. This means copying it, sending it to other agencies, and obtaining access to encrypted containers.
Some countries can be difficult to travel to with laptops because of import laws. If a business traveler cannot prove they are not importing a laptop, they may lose the equipment. Some countries do not want people to connect to the Internet and expose any corruption or fraud to the media. And malicious officials may be involved as well, asking for a special tax to be paid to them before releasing the laptop back to its owner.
Take extra special caution when traveling with data. If possible, use a clean, freshly imaged machine that has no corporate data stored locally. Always use your company’s VPN to access and update corporate documents. And watch where you are using your laptop: make sure to position yourself against a solid wall so that no one can shoulder surf or gather information through a window.
Friday, September 13, 2013
Basic SCADA Security Requirements
Traditional SCADA systems were designed to connect directly to each other either via serial connectors or SONET. Because of their compact design and communications requirements, SCADA protocols were developed to enable the polling needs of these systems. Common SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel. With the expansion of data networks into remote locations, companies operating SCADA systems decided they would tie these into their corporate networks. However, increased and wide exposure to public Internet sites has led many SCADA systems to be compromised through the wide range of vulnerabilities associated with their protocols.
Unlike common desktop computers and servers, simply installing anti-virus programs is not the best way to secure SCADA systems. Their legacy design and components lead them to hang or worse when anti-virus programs are introduced. SCADA software itself lacks any basic security controls because when it was designed years ago, security was not an issue. Vendors do not develop or release patches for SCADA equipment as quickly and efficiently as enterprise and consumer software vendors, either. Some of these patches require a reboot of the system running the software, and in critical infrastructures, this can be a huge headache. Plant shutdowns rarely occur, so vendors and staff need to wait until one of these annual planned outages to perform SCADA patching.
With new government regulations dictating the security of critical SCADA infrastructure, it is now more important than ever to examine your systems and ensure that no malicious users or code can attack. This means segregating PLCs and HMIs behind several firewalls and forcing all traffic to pass back to your headquarters. Nothing on the SCADA segments should ever communicate directly with your corporate networks either, but should communicate only with systems within a secure DMZ. Traffic should also flow from the high security zones (SCADA) to lower security zones, and any other traffic, unless it is absolutely verified as necessary, should be blocked by the firewalls.
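The zone rules above can be written down as a policy and checked against firewall flow records. This is an added example, not part of the original post; the address ranges, the zone ranking (SCADA above DMZ above corporate), the one-step-down rule and the single verified exception are assumptions chosen for illustration, and the flow records are constructed.

```python
import ipaddress

# Assumed address plan and security ranking (hypothetical, for illustration).
ZONES = {
    "SCADA": (ipaddress.ip_network("10.10.0.0/16"), 3),
    "DMZ": (ipaddress.ip_network("10.20.0.0/24"), 2),
    "CORP": (ipaddress.ip_network("10.30.0.0/16"), 1),
}
# Flows verified as necessary: (source zone, destination zone, port). Constructed.
VERIFIED = {("DMZ", "SCADA", 502)}

def zone_of(addr):
    """Return the zone name that contains addr, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    for name, (net, _level) in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(src, dst, port):
    """Decide one flow; src is the side that initiates the connection."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "endpoint outside known zones"
    if s == d:
        return "allow", "intra-zone"
    if (s, d, port) in VERIFIED:
        return "allow", "verified exception"
    if {s, d} == {"SCADA", "CORP"}:
        return "deny", "SCADA and corporate must not talk directly"
    if ZONES[s][1] - ZONES[d][1] == 1:
        return "allow", "high to next lower zone"
    return "deny", "not high-to-low and not verified"

def denied(flows):
    """Return the flows the policy blocks, with the reason for each."""
    results = []
    for src, dst, port in flows:
        verdict, reason = evaluate(src, dst, port)
        if verdict == "deny":
            results.append((src, dst, port, reason))
    return results

# Constructed flow records: (initiator, responder, destination port).
FLOWS = [
    ("10.10.1.5", "10.20.0.10", 443),   # SCADA host to DMZ system
    ("10.10.1.5", "10.30.4.20", 445),   # SCADA host straight to corporate
    ("10.30.4.20", "10.10.1.5", 3389),  # corporate desktop into SCADA
    ("10.20.0.10", "10.10.1.5", 502),   # DMZ to SCADA, verified exception
    ("10.20.0.10", "10.10.1.5", 22),    # same pair, unverified port
    ("192.0.2.7", "10.10.1.5", 502),    # address outside every zone
]
```

Running `denied(FLOWS)` over exported firewall logs in this shape gives a quick list of traffic that should not exist under the segmentation described above.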
Some considerations for developing and maintaining your critical infrastructure include performing vulnerability assessments regularly against your systems, networks and communications. Stay up to date on any new developments in the SCADA virus and malware domain, and make sure any SCADA software is running on a hardened operating system. Employ multiple levels of defense with a firewall, IPS, and virus scanning of devices that are capable of running this software. Keep your virus software up to date. The use of encryption and VPNs can help when transmitting polled data from a remote site back to centralized SCADA systems. If an incident occurs, you should be prepared with a thorough and tested Incident Response Plan. And always ensure your SCADA data, including the software, is backed up regularly and tested for integrity.
Monday, September 9, 2013
Assessing Information Security Risk
Assessing information security risk is critical to the overall business approach for decisions and actions within your organization. Risks can impact your shareholder value, customer confidence, and investment plans. For a risk to be present, at least one exploit is vulnerable to a threat on the asset. Three basic elements to risk assessments are assets, threats, and vulnerabilities.
Assets:
An asset is any device or component that is critical to your company's operations. This includes not only hardware and software, but also includes your company's critical data. Examine your assets first and identify those that must be evaluated for risk probabilities. This allows you to prioritize assets in terms of the potential for risks to occur and enables you to place resources against these critical services.
Threats:
A threat is any identified exploit or security issue that has potential to cause havoc within your system. This does not mean that your system will succumb to the threat. You need to identify threats to your systems and determine the significant ones that have a higher opportunity for occurrence.
Vulnerabilities:
Vulnerabilities are the actual associations with threats. Once you have identified threats, you can determine what systems, if any, could actually be exploited by a vulnerability that exists. This is where you then need to place your efforts - patch systems, apply further controls, and fix any vulnerabilities. You need to determine the impact to systems if vulnerabilities are exploited to ensure the allotment of resources is correct.
Performing an information security risk assessment really does only involve the identification of assets, determination of threats, and protection of vulnerabilities. Ensure your risk assessments are business-focused to obtain the support and resources needed to protect your environment. Keep your assessment simple, but remain up-to-date on changes occurring in the economy, threat landscape and business environment.
Thursday, September 5, 2013
7 Gbps Wireless?
A new wireless standard is set to be released in early 2014 that will provide higher throughput and capacity. This new 802.11ad wireless standard could be the answer to many enterprises' bandwidth and availability issues relating to BYOD and increases in high-definition streaming video. Everything about this situation sounds great, but there are a few catches to consider.
802.11ad operates in 60 GHz bands, which are unlicensed, offering between 7 and 9 GHz of spectrum. However, radio waves at 60 GHz are subject to degradation caused by the presence of oxygen in the air. This means 60 GHz is ideal for use in space for inter-satellite communications, for indoor short-range applications, and for point-to-point, highly directional outdoor uses. To get around this problem, regulators transmit at a high power level. The 60 GHz band also faces problems with going through walls, which is determined by the type of antenna being used, construction of the building, and distance between endpoints. One technology that can be used to improve performance at this band is complementary metal-oxide-semiconductor chips.
How will 7 Gbps throughput help us out? It can mainly be used to supplement existing wireless networks by providing more capacity for the increasing number of BYOD programs and devices coming into most organizations. This new wireless standard gives those users enough bandwidth to handle the types of traffic they generate while leaving your existing infrastructure to deal with the business-related traffic. 60 GHz bands offer a limited range, so eavesdroppers may be less likely to get signals.
High definition video is now more prominent in the workplace so using this 7 Gbps wireless standard exclusively for video streaming may help alleviate bandwidth concerns on your network. A typical HDMI video requires 3.3 Gbps for uncompressed transmission, so this new standard would be beneficial to this type of traffic.
It will be exciting and intriguing to learn more as 802.11ad is released and more people implement it across their networks. It offers unprecedented wireless speeds that can help your organization manage its growing wireless infrastructure.
Tuesday, September 3, 2013
Managing Privileged Accounts
As companies grow, the job of monitoring account activity becomes tougher. In order to establish and maintain compliance and security, you need to plan a robust privileged account management (PAM) policy. Creating accountability in the age of diverse infrastructures, contract staff members, and outsourced cloud application services is one of the top concerns for IT managers.
Privileged accounts are those accounts with more access to add, change, delete and otherwise alter data and configurations within the infrastructure’s critical systems. These accounts are typically held by members of the IT staff – the very people who have the ability to monitor what everyone else in the company is doing. It goes without saying that the IT staff may have the expertise to alter the logs in order to cover a covert attack attempt, so it’s obvious why privileged account management is extremely important in today’s environments.
When developing a PAM program, your enterprise needs to start out slow. Be methodical in determining what needs to be monitored and what compliance regulations need to be followed. Inventory all privileged accounts, passwords and access. Document any service accounts or shared accounts and understand what each is used for, and who has access to these. To make life easier, establish a strict naming convention for all accounts to easily determine what type of accounts they are. Your program also needs to identify any accounts with too many credentials, and accounts used across a wide range of systems. Also make sure individual user accounts are audited regularly to ensure people are not operating with more privileges than their job description calls for.
Some key requirements for auditing and logging privileged account activity include capturing and collecting all user access, both externally and internally initiated sessions. Encrypt your audit data both in transit and at rest.
Make sure that your audit logs support replay and search options. You may need to develop queries of your logs during an investigation, so ensure that these are easy to conduct.
Set up your auditing so that only trusted devices can send information to the auditing system.
Configure all users who have access to the system with role-based access control. Never apply access directly to a person without assigning a particular role.
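The inventory steps and the role-based access rule above lend themselves to an automated account review. This is an added example, not part of the original post; the `adm-`/`svc-`/`shr-` naming convention, the role definitions, the privilege strings, the four-system threshold and the account records are all hypothetical values constructed for illustration.

```python
import re

# Hypothetical naming convention: adm- personal admin accounts,
# svc- service accounts, shr- shared accounts.
NAME_RULE = re.compile(r"^(adm|svc|shr)-[a-z0-9]+$")

# Constructed role definitions: role name -> privileges it carries.
ROLES = {
    "dba": {"db:read", "db:write"},
    "netops": {"fw:read", "fw:write"},
    "backup": {"db:read"},
}

# Constructed inventory. "direct" lists privileges granted outside any role;
# "job_needs" is what the job description actually calls for.
ACCOUNTS = [
    {"name": "adm-jlee", "roles": ["dba"], "direct": [],
     "job_needs": {"db:read", "db:write"}, "systems": ["db01", "db02"]},
    {"name": "svc-backup", "roles": ["backup"], "direct": ["db:write"],
     "job_needs": {"db:read"}, "systems": ["db01"]},
    {"name": "root2", "roles": [], "direct": ["fw:write"],
     "job_needs": {"fw:write"}, "systems": ["fw01"]},
    {"name": "shr-ops", "roles": ["netops", "dba"], "direct": [],
     "job_needs": {"fw:read", "fw:write"},
     "systems": ["fw01", "fw02", "db01", "db02", "web01", "web02"]},
]

def review(account, max_systems=4):
    """Return the list of findings for one account (empty if clean)."""
    findings = []
    if not NAME_RULE.match(account["name"]):
        findings.append("name breaks convention")
    if account["direct"]:
        findings.append("direct grant: " + ", ".join(sorted(account["direct"])))
    # Effective privileges are everything from roles plus direct grants.
    effective = set(account["direct"])
    for role in account["roles"]:
        effective |= ROLES[role]
    excess = effective - account["job_needs"]
    if excess:
        findings.append("excess privilege: " + ", ".join(sorted(excess)))
    if len(account["systems"]) > max_systems:
        findings.append("used on %d systems" % len(account["systems"]))
    return findings

def review_all(accounts):
    """Map account name -> findings, leaving out accounts with none."""
    report = {}
    for account in accounts:
        findings = review(account)
        if findings:
            report[account["name"]] = findings
    return report
```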
The best way to manage privileged accounts is to use a real-time auditing system that is capable of logging account activity from all platforms, including Windows, Linux and UNIX. Audits should not only include the user account but also the date, time and any commands executed. You need to protect your organization’s sensitive and critical data, so you must have a reliable and detailed auditing system within your infrastructure. This will help with investigations and legal cases involving data loss and theft.