Security

FeedzyRead MoreBy Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler In wake of recent […]
The post Cyber EO and Meeting Cloud Modernization Effort appeared first on Cyber Defense Magazine.By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler In wake of recent […]
The post Cyber EO and Meeting Cloud Modernization Effort appeared first on Cyber Defense Magazine.

By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler

In wake of recent high profile attacks and an evolving hybrid work environment, agencies are working to meet President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity to protect users, devices, and data.

In the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and Human Services Office of Inspector General, Department of Education, and Cybersecurity and Infrastructure Security Agency (CISA).

We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how agencies can achieve modernization goals and the terms of the EO.

The EO requires agencies to prioritize cloud adoption using Office of Management (OMB) guidance, plan for zero trust architectures using National Institute of Standards and Technology (NIST) special publications, and report their status to OMB and the Department of National Security Advisor for Cybersecurity.

Working to implement these modernization efforts is a journey, not a destination, as agencies work to make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes.

“Thank God for the EO, I say,” said Gerald Caron, Chief Information Officer for the Department of Health and Human Services Office of Inspector General. “I think it moves us more towards being effective overall – for our agencies to be effective at cyber – not just checking boxes.”

Mitigating Threat with Zero Trust

The EO gave agencies 60 days to implement zero trust as they shift to cloud technology to “prevent, detect, assess, and remediate cyber incidents.”

Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data – creating a zero attack surface and giving IT teams peace of mind as they monitor their environment.

NIST SP 800-27 zero trust guidance provides a roadmap to migrate and deploy zero trust across the enterprise environment. This guidance outlines the necessary tenants of zero trust, including securing all communication regardless of network location, and granting access on a per-session basis. This creates a least privilege access model to ensure the right person, device, and service has access to the data they need while protecting high-value assets.

The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a Zero Trust Architecture Project where best-of-breed zero trust leaders will collaborate to demonstrate several approaches to implementing zero trust architectures. This coalition will work side by side to realize the opportunity for zero trust to strengthen every agency’s cyber defenses.

“For us, when we talk about zero trust architectures, it’s not just the discussion around technologies, infrastructure, services, cloud, and all the cool things that come together to make it happen,” said Steven Hernandez, Chief Information Security Officer at the Department of Education. “It’s also a very robust discussion around data, because data is at the heart of everything that we’re driving.”

President Biden’s EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically “establish a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests.”

A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users and applications to ensure comprehensive security regardless of where they connect from, and what they connect to.

This approach reduces the attack surface and the risk of users accessing unauthorized data or applications. Additionally, IT administrators have centralized visibility to track, log, and manage all users connecting to the network on any device, in any location – a huge advantage for managing an extensive remote or hybrid environment.

Updated Policy and Modern Security for Complex Environments

The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud environments. This security approach will be critically important for agencies to secure their cloud capabilities and scale up and down as needed.

“The guidance offers a new security strategy for agencies to explore new opportunities, redefine the perimeter, and flexible architectures, zero trust being one of those we want to talk about,” said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. “New visibility is the most fundamental change in the guidance.”

As employees work in remote or hybrid environments and agencies follow modern TIC 3.0 guidance, agencies can position the security closer to the resources, having everything at one access point.

To secure access points, agencies should adopt a Secure Access Service Edge (SASE) security model, which addresses today’s most common security challenges arising from more applications living outside the data center, sensitive data stored across multiple cloud services, and users connecting from anywhere, on any device.

Following the SASE model, agencies can invert the traditional security model to move essential security functions to the cloud so users can access data and networks from any location, while security is pushed as close to the user/device/data as possible. With the SASE model, CISA inverted their services, such as the Continuous Diagnostics and Mitigation (CDM) program to secure data where it is generated, and Government Services Administration (GSA) has likewise adjusted their model of Enterprise Infrastructure Solutions (EIS) in the same way.

What’s Next as Agencies Modernize

The updated policies, authorizations, new security measures, and hybrid work environments are pointing agencies towards one initiative – cloud adoption and modernization. Now as agencies unify towards this push, they can learn from one another on this journey.

“I think we’re headed in that direction, we’re going to find ourselves there one way or another, and I think that’s a good thing,” said Hernandez. “I think that by having more people in a centralized environment, with less attack surface, better configuration, and change control – ultimately, we can learn from each other and have a body of practice around centers of excellence that do this well.”

About the Author

Stephen Kovac is the Vice President of Global Government and Head of Corporate Compliance of Zscaler. He is responsible for strategy, productizing, and certification of the Zscaler platform across global governments. He also runs the global compliance efforts for all of Zscaler. In his role, Stephen leads his team’s efforts to advance Federal IT modernization by delivering cloud security solutions through direct-to-cloud connections and zero trust security capabilities. He has pushed for cloud security reform by speaking at events, meeting with agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be reached online at Twitter, LinkedIn, and at our company website https://www.zscaler.com/solutions/government

FeedzyRead MoreGetting the first 100 days right is critical to achieving momentum, credibility, and long-term success. By Etay Maor, […]
The post New CIOs: 5 Key Steps in Your First 100 Days appeared first on Cyber Defense Magazine.Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success. By Etay Maor, […]
The post New CIOs: 5 Key Steps in Your First 100 Days appeared first on Cyber Defense Magazine.

Getting the first 100 days right is critical to achieving momentum, credibility, and long-term success.

By Etay Maor, Senior Director, Security Strategy, Cato Networks

Starting off as a new CIO in a tough, dynamic environment can be daunting. CIOs must juggle multiple issues like coping with hybrid workplaces, changing cybersecurity and compliance protocols, increasing ransomware attacks and high expectations from the board, to name but a few. New CIOs need to tackle biased perceptions, make a good first impression, assess the current state of processes and policies and determine a strategy to build a foundation that drives innovation.

Other CIO challenges may involve building a deep awareness of the IT organization, developing close relationships with key stakeholders and achieving wide acceptance for strategic goals while also gaining some quick wins that boosts confidence in your talents.

In speaking with countless CIOs about their security posture, I’m always intrigued by what lessons they’d offer new CIOs. In truth, there doesn’t seem to be a single set of ‘guiding principles’ for best launching into a CIO role. There are, however, strategies and tips that repeat themselves in my conversations. Here, then, are five of those often-cited takeaways battle-tested CIOs recommend new CIOs follow in their first 100 days in office.

Get to Know Your Organization and Team

With many stakeholders and team members operating remotely, one of the most significant hurdles a CIO must overcome is to forge meaningful, interdepartmental relationships.

With IT Teams: Start with regular one-on-ones, seek out the issues they regularly wrestle with and assess whether it involves technology, infrastructure, processes or people. Familiarize yourself with the strategy and tactics currently in place and evaluate if these adequately align with overall business goals.
With non-IT Teams: Start with key executives and leadership teams. Understand their role in the business and how they interact with IT. Evaluate recent IT requests and determine whether they have been resolved satisfactorily. Prepare questions relevant to their role but listen carefully to understand their overall strategic vision and expectations from IT.
Determine the state of IT and Security Infrastructure

Conduct a detailed technology risk assessment of your network infrastructure, databases, applications, cybersecurity and back-ups. Evaluate the current state of policies, procedures, compliance, security awareness and service delivery levels. Get to know your vendor-partners and learn the contract status from each, especially big-ticket deals. Know your IT budgets (planned vs. actual). Figure out what stage the company is at relative to their digital transformation process.

As a first measure, benchmark what you can. Three years down the road you should be able to sell a story of sustained improvement. Conduct a baseline assessment and capture metrics from current applications and security practices. This will also help identify what is and isn’t working.

Define your Goals and Chart Out a Plan

Once you’ve got a handle on IT’s position and learned about its resources and capabilities, it’s time to develop swift action plans for urgent and simple issues to help define an overall blueprint of your longer-term company strategy. Your plan should include an executive summary, your department’s strengths and weaknesses; opportunities and threats; new trends, tools and capabilities; the tactics you will use along with costs, time and impact – in short, guiding principles that will drive future decisions.

Incorporate Digital Transformation

Whether it’s changing buyer behavior or securing a large-scale remote workforce, the demand for digital transformation post-pandemic (i.e., digital methods to improve business processes and continuity) has accelerated by several years.

New CIOs must keep this momentum going by identifying and implementing technology that can significantly transform customer and employee experiences. As an example, CIOs can leverage automation and AI to improve product efficiency or augment intelligence to an existing product, giving it a competitive edge. In cybersecurity, CIOs can leverage transformational technologies like SASE (Secure Access Service Edge) to boost cybersecurity, provide high-speed connectivity and reduce IT overheads.

Get Priorities in Order

Choose your battles wisely based on mandates, urgency, business needs, ROI, previous experiences and understanding of market trends. Seize opportunities for quick wins like improving processes, vendor management, SLA timelines and end-user applications. Resist firefighting.

Weigh out the risks and repercussions before you make major decisions. Get executive sponsorship for your actions and priorities. If needed, set up a steering committee to secure buy-in from a diverse group. Determine where the power lines are drawn and what priorities can be addressed first to instill greater confidence across internal stakeholders.

There is no silver bullet for a successful transition. We can all agree that there is a lot to manage and not everything is just about technology. Having an organized approach in place for your first 100 days ensures you cover all your bases, leaning in for a better shot at being successful in your new role along with establishing yourself as a valued and inspirational leader.

About the Author

Etay Maor is the Senior Director of Security Strategy for Cato Networks, provider of the world’s first Secure Access Service Edge (SASE) platform, converging SD-WAN and network security into cloud-native services. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber-Terrorism.

FeedzyRead MoreBy Vinay Pidathala, Director of Security Research, Menlo Security Cybersecurity is never straightforward. While defense techniques, technologies, policies […]
The post HTML Smuggling: A Resurgent Cause for Concern appeared first on Cyber Defense Magazine.By Vinay Pidathala, Director of Security Research, Menlo Security Cybersecurity is never straightforward. While defense techniques, technologies, policies […]
The post HTML Smuggling: A Resurgent Cause for Concern appeared first on Cyber Defense Magazine.

By Vinay Pidathala, Director of Security Research, Menlo Security

Cybersecurity is never straightforward.

While defense techniques, technologies, policies and methodologies continue to evolve at pace, such defenses often trail in the wake of novel cyber attacks that seek out and exploit vulnerabilities in new ways, catching security teams off guard.

Indeed, recent times have provided many headaches for security professionals; Cybersecurity Ventures reveals that cyber attacks in 2021 will amount to a collective cost of approximately $6 trillion – and the situation isn’t forecast to improve any time soon. Where attacks are expected to intensify by an additional 15% a year for the next four years, total cyber attack-centric damages could amount to as much as $10.5 trillion by 2025.

One of the main concerns today is the exponentially growing number of techniques that cybercriminals are adding to their arsenal. Whether that’s malware, ransomware, DDoS attacks or phishing, they continue to expand their techniques, with the next being ever more malicious than the last.

HTML Smuggling explained

HTML Smuggling is a prime example of this in action.

While the broad concept itself is nothing new, the threat is making something of a resurgence having recently been used by Nobelium – the hackers behind the renowned SolarWinds attack that was uncovered in December 2020.

In simple terms, HTML Smuggling provides hackers with a means of bypassing perimeter security through the generation of malicious code behind a firewall. This is executed in the browser on the target endpoint.

Where a malicious payload is constructed in the browser, no objects need to be transferred, which network perimeter security systems might typically detect. As a result, through HTML Smuggling, many commonly used, traditional security solutions, such as sandboxes and legacy proxies, can be sidestepped.

ISOMorph – a new variation

This is what happened in the case of Nobelium’s HTML Smuggling attack that we are calling ISOMorph.

Here, popular talk over voice, video, and text digital communication platform Discord was targeted, the app being home to more than 150 million active users.

With ISOMorph, HTML Smuggling allows the first attack element to be dropped onto a victim’s computer. This is then constructed on the endpoint, removing the opportunity for detection. After installation, the hackers are then able to execute the payload that infects the computer with remote access trojans (RATs), before setting about logging passwords and exfiltrating data.

While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn’t necessarily come as any great surprise. Indeed, from the cyber attackers’ perspective, it is a logical avenue to pursue.

Thanks to the pandemic, remote and hybrid working has become the new norm. Where such working models are now commonly used, the increased use of cloud services and expansion of organizations’ digital footprints has exposed a series of new security related challenges.

Today, the browser plays a more vital role in day-to-day operations than ever before – yet, unfortunately, it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more attractive proposition to threat actors.

From access to execution

So, what should we be looking out for in the case of an HTML Smuggling attack?

In the case of ISOMorph, Menlo Security’s analysis has shown that attackers are using both email attachments and web drive-by downloads to achieve initial infection.

Thereafter, using JavaScript, they are opting to use a technique often used by web developers to optimize file downloads. This entails the construction of the malicious payload on the HTML page as opposed to making an HTTP request that can then retrieve a desired asset from a web server.

With ISOMorph, the payload in question was an ISO file – a disk image that contains all the required components that would be able to install software. The benefit of the ISO file is that it does not require the endpoint to have any third-party software to install. In this instance, ISOMorph was also able to achieve persistence by creating a Windows directory on the endpoint.

Equally, it is one example of a file type that is exempt from inspection across both web and email gateway devices.

In analyzing the ISO files that were used in the campaigns that we were monitoring, we found that the VBScript will often contain various malicious scripts capable of executing and thereafter fetching additional PowerShell scripts that can download a file to the endpoint.

The malicious code is also executed by proxy by tapping into trusted elements on the endpoint. We saw MSBuild.exe used, for example – a process that is typically whitelisted, allowing the injected code to further avoid detection. Here, ISOMorph used reflection techniques to load a DLL file in memory before injecting the remote access trojan into MSBuild.exe, ensuring antivirus software could then be bypassed.

Prevention and solutions

The resurgence of HTML Smuggling should be cause for concern.

While vaccination efforts continue to ramp up and economies and societies continue to open up once more, the impact of COVID-19 will be felt long after 2021. In the case of work, the many benefits that have been realized from remote and hybrid working models will ensure that such ways of working won’t disappear anytime soon. As a result, the browser will continue to offer hackers new avenues to attack their target endpoints.

For this reason, HTML Smuggling is expected to stay. In the case of ISOMorph, it is proving to be an effective method from which attackers are able to infiltrate victims’ devices and deploy payloads while bypassing traditional network security tools.

So, how can it be combatted? The answer is in the form of isolation technologies.

Developed with the simple purpose of comprehensively protecting users as they use web services – be it email applications, browsers, or otherwise – isolation creates a virtual barricade between the endpoint and external threats from the internet.

While content, such as emails and web traffic, can still be viewed in a seamless manner, it is never downloaded to the endpoint, eliminating the opportunity for malicious code to infiltrate a device and begin exploiting vulnerabilities.

To achieve a robust endpoint protection strategy, isolation must be placed front and center.

About the Author

Vinay Pidathala is Director, Security Research at Menlo Security based in Mountain View, California. Previously, Vinay was at Aruba Networks and also held positions at FireEye and Qualys.

Vinay can be reached online at: @menlosecurity and at our company website: https://www.menlosecurity.com/