CISCO Archives - CISO MAG | Cyber Security Magazine (Beyond Cyber Security). Feed last updated Fri, 10 Dec 2021 05:17:11 +0000.

“Security is a Priority for Total Application Experience”
https://staging-cisomagcom.kinsta.cloud/security-is-a-priority-for-total-application-experience/
Thu, 09 Dec 2021 07:39:12 +0000

The onset of the pandemic in 2020 saw an unimaginable shift to the digital world, where millions dived into cyberspace both as users and service providers. With restrictions imposed on physical mobility across the globe, even non-tech-savvy individuals had to plunge into the digital world just to stay connected with family and friends. The frequency and the number of financial transactions being executed online presented a massive opportunity for cybercriminals.

In an interview with Gregg Ostrowski, Executive CTO at Cisco AppDynamics, Minu Sirsalewala, Editorial Consultant, CISO MAG, discussed how ransomware attackers and cybercriminals increasingly exploit vulnerabilities caused by gaps in rapid digital transformation, and how the increased use of applications, driven by the pandemic, has changed the way application security is viewed. Security sits on top of the total application experience.

Ostrowski is an Executive CTO at AppDynamics, part of Cisco. He engages with customer senior leadership to help prioritize their strategy for digital transformation. Prior to AppDynamics, Ostrowski held senior leadership positions at Samsung and Research in Motion.

Excerpts from the interview follow:

Can you explain why Application Security has gained so much importance in the past year?

In the world we live in today, applications have become critical to our daily lives; they are critical to us and companies or organizations we work with. To help attract new customers, retain customers, and keep them happy, they need to create rapid development cycles. As they needed to innovate quickly, they started introducing different cloud technologies.

With the expansion of the existing infrastructure – which typically runs on premise – it has sprawled to include additional cloud components or additional dependencies for that application. So, what you’re seeing is a sprawl of the overall application topology or the application map that makes all these things work. With all these different dependencies and the need for speed to deliver applications, going with an application security approach or application first security really helps our customers stay ahead of the game and understand what’s happening from a security perspective across all the dependencies of that application. For companies looking to build rapidly, attract new customers and ensure the desired user experience, security needs to be placed in the application first type mentality.

This enables businesses to understand the application stack from a user experience, performance, and security perspective as security affects users more than performance, and a security threat is highly detrimental to the brand.

Is there something called beyond Layer 7 security? If so, what is it?

That is a really interesting question. The OSI model, as we know, has 7 layers, and the 7th layer is the Application Layer; everything underneath is a dependency for that application, all the way down to the physical servers (Physical Layer).

I wouldn’t necessarily consider a layer beyond seven, but security must be the critical component of every step along the way. So, each piece is going to be implementing security. Be it Denial of Service (DoS) attacks or threat detection, or intrusion detection where application security comes in, it brings all the components together and allows full visibility of the entire layer from a security perspective. I wouldn’t call it beyond Layer 7; rather it is an evolution of how security fits into the overall OSI model.

How can we use Cisco Secure Application to detect and block threats in real time?

AppDynamics, the product overall, has an agent-based model that runs in the runtime of the application. We have included the security, the Cisco Secure Application, within the runtime of the application. This enables us to analyze and understand what’s happening, not just for performance, but also how it is being affected by any kind of security threats or vulnerabilities.

And we do that by being able to pull in data from public resources and some proprietary resources that run a list of the current threats and vulnerabilities. So, there is a real-time alert pop-up with tracking that shows where the security threat is happening. We did an application stack, and once a threat is found, we can simply alert and send out a notification to the security teams and the application. And as a preventive measure, we can go down and block that component of the application from becoming more detrimental to the business. This enables both teams – the application teams and the security teams – to collaborate on how to really address the threat.

For example, if there is a web server that’s running a version 2.5 and the version 2.7 happens to have a threat, it can notify the customer that an upcoming version of one of your components of the application stacks has an upcoming vulnerability, so they can address it before it hits the production servers.

Prioritizing and classifying data is key to data management. How can organizations prioritize threats by business impact?

One of the key fundamental aspects of AppDynamics is being able to present it in the business context. We can use our AI capabilities to provide the insights to stack rank on how these threats are coming in and which is the most critical to the business, thereby allowing a window for the IT teams to know which ones to go out and fix.

A good example would be a payment service that affects multiple applications, as the way apps were built, multiple tasks are performed in a shared service type model. Most of these deployed applications run in a microservice-type architecture. So here, the payment services are the most valuable piece to the business, as it is directly tied to the business revenue. Using the AI, we can prioritize the detection and fixing of the threat for the payment service application in comparison to other threats that were coming in and were picked up by Cisco security.

How beneficial is the Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) approach?

I think it is definitely beneficial. When one implements application security testing before the application goes to production, you are putting security in the process of your CI/CD pipeline. As security testing is done pre-production, the Cisco secure application monitors the application while it is running in production.

It is best to move through the scanning process while you are building the application, ensuring security is part of the CI/CD pipeline.

AppSec is a focus area for CISOs with the increasing incidents of data breach. How can DevSecOps help mitigate the security risks and enhance application security?

There is a need to start thinking and bringing teams together and collaborating amongst all aspects of the application development. I strongly believe CISOs need a seat at the table. When one goes through the development cycle, the DevSecOps model, you want to make sure that security is built into the application from the word go. The CISO’s role is to look at what new advancements and capabilities need to be incorporated from the security aspect.

When an organization starts focusing on building applications that drive a high-end user experience and performance, the CISO ensures that the application is secure. Their role is not limited to ensuring the latest security technologies but also driving innovations or new user experiences along with security.

DevSecOps is a very, very strong growth trend in the industry. If organizations are not embracing it, it is highly recommended that they consider building some practice that helps with security within their DevOps.

Learnings from the Facebook outage?

This is truly an example that anybody and everybody could be vulnerable. Though I have not been closely tied to the issue at Facebook, from what I have read and understood, there are multiple shared services and how their entire ecosystem was taken out. The sprawling IT infrastructure is causing the same level of concern for a lot of our customers, with multi dependencies and interdependence, neutropenic type environments where risk must be managed, completely or inclusively.

When you have multiple different applications running in a shared service environment, you do not know where to target first and resolve the issue. It is a combination of both performance as well as security; this incident is a validation of the efforts we need to put at viewing every single dependency of the application stack from a business and security perspective. This also includes the infrastructure that is running on-premise or cloud. Most important is to have the right tools and visibility to be able to do their jobs right.

Security recommendations or best practices?

A DevSecOps model is definitely a strong way of getting started. The second one is to ensure the CISO’s seat at the table when it comes to new innovations and new capabilities. Many organizations are working in silos and not communicating enough to focus on the same direction, thereby impacting the business. You have the infrastructure team, the network team, the development team all working in silence. This delays delivery and leads to misalignment of the organization. Having everybody on the same page with a common goal for the business helps align your teams a little bit tighter for the greater good of all.


About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.

“#BeingCyberSmart means picking the right battles and reducing the risks in the probable vectors”
https://staging-cisomagcom.kinsta.cloud/beingcybersmart-means-picking-the-right-battles/
Wed, 20 Oct 2021 10:28:41 +0000

October, being the National Cybersecurity Awareness Month, sees a flurry of initiatives across organizations to create awareness among employees for #BeingCyberSmart. The CISA and NCSA initiative, which kicked off in October 2003, is far more relevant and important than in previous years. The onset of increased digitalization means the attack surface has exponentially expanded for enterprises, small businesses, and individuals. The new-age working model leaves us increasingly vulnerable to emerging cyberthreats, opening the floodgates to more sophisticated attack techniques.

Minu Sirsalewala, Editorial Consultant, CISO MAG, chatted with Vishak Raman, Director, Security Business, Cisco India and SAARC, on what it takes for organizations to be #BeingCyberSmart in this digital-distributed age. Raman also delved into new-age cybersafe techniques like Zero Trust Architecture, current security trends, and new-age cyberthreats.

Raman leads Cisco’s Security business for the India and SAARC region. He brings over 20 years of experience in the Information Security Services space with stints in product management, sales, marketing, and business development.

Prior to Cisco, Raman was the Senior Regional Director (India & SAARC) at FireEye. He was also the Global Head of Content Delivery Network (CDN) & Managed Security Services (MSS) business at Tata Communications for three years. Before joining Tata Communications, Raman was the Senior Regional Director for Fortinet and is credited with having built Fortinet’s Unified Threat Management success story in India and SAARC for 10 years. He was instrumental in setting up the first-of-its-kind Global Technical Assistance Centre in Bangalore to support Fortinet’s customers worldwide. Raman has also worked at WatchGuard, Sify, and HCL Technologies. He has an engineering degree in Computer Science and MBA from IIM – Ahmedabad.

Edited excerpts of the interview follow:

What does #BeingCyberSmart mean for an organization?

#BeingCyberSmart is knowing what to defend and what is the maximum I need to defend. As the budgets are limited, you must bite what you can chew. IoT Security, DDoS, and other large threat vectors have been observed during the pandemic, contributing 70–80% of the attacks. So, being able to prevent the most vulnerable and probable attacks is #BeingCyberSmart.

The four big vectors that need to be closely evaluated are email security to avoid phishing; endpoint security, which is the last line of defense; cloud security, which ensures cloud data is secure; and the most important is securing technology by adding layers of security towards the identity part. #BeingCyberSmart means picking the right battles and reducing the risks in these probable vectors which are email, identity theft, cloud, and endpoint.

Is zero trust approach an answer to better protection or just a buzzword?

Zero trust is not a buzzword; it’s a framework for organizations to put together their security posture. It starts with fundamentals like, what are you trying to protect? It is to simply design a trust framework and to look at the design philosophy for zero trust.

If you look at zero trust, foundationally there are five pillars. What you assume is environmental – be it an SMB customer, a very large enterprise, a government, a critical infrastructure – you start with a baseline assuming that all the environments are hostile and in a state of a paranoid breach. So, when you go into a security posture, you assume that the environment is already hostile and that is the zero trust fundamentals. The second part is no access until the device proves its trust. It means you must challenge the authentication, challenge the identity of that access. If you are connecting from your home, I would make sure that the endpoint is running the right patch, the operating system is running anti-virus and anti-malware endpoint, and it is not a jailbroken device that is coming from a trusted source. Essentially, the second principle is no access until the user on the device is proven as a trusted device. Third, authorize every single transaction and encrypt all the transactional force. There is no non-encrypted traffic that will be going in or out of the setup. While there is a big hype about state-sponsored attacks, Zero trust focuses on data protection and how you classify your confidential data — the fourth pillar. You cannot protect all your crown jewels; you need to classify which needs maximum security because data classification is the foundation. And for the fifth pillar, you must log all the activity and keep a repository of all the transactions.

While these are the foundational principles, the way to classify zero trust is into three large buckets. First, your workplace, which is the on-premise setup, your server, email, etc. For asset identification, you follow a 3W framework — workplace security, workload cloud, and workforce — which is for the endpoints and users — the most vulnerable. Zero trust principles must be applied across the workforce, workload, and workplace framework. It does not stop with the selection of products; you have to look at enabling it with credible threat intelligence.

SMB cyber incidents in India have been peaking. What were the most exploited vulnerabilities?

From an attack surface point of view, phishing was a larger vehicle through which the hacks happened. Phishing, malware, DNS tunneling, DDoS are the four large attack vectors that were looked at by the hackers. Close to about 85% of them experienced malware attacks in the last 12 months, followed by phishing attacks.

DNS tunneling is the biggest vulnerability and is not very well understood by enterprises. DNS basically translates an IP address to a domain name. When you type into google.com it goes to an IP address in the backend, but somebody is resolving that domain name to an IP address. So, the tunneling part is important because any hack or malware implant needs to go and communicate back to a downloader.

Another attack that surged is the denial-of-service (DoS) attack. In a DoS attack, a legitimate connection request is sent to the server but the connection is never completed. Malware attacks (around 85%), phishing attacks (about 70%), DNS tunneling (about 68%), and DDoS attacks (around 64%) are the top four major vectors APJC SMBs have experienced over the last 12 months.

The security hygiene can get ugly if the DNS layer and Active Directory security are not managed or secured. How can organizations avoid being targets of these advanced cyberattacks and vulnerabilities?

You need to have a framework approach. Let’s take an endpoint, when you look at DNS as a protocol, it is stateless. It just makes a connection, there is no information around it. You got to have layers of security. When you look at endpoint protection, first and foremost, you need to have the base of a virtual private network (VPN), where you want to have a connection back to your corporate setup working from home, and ensure a VPN is established.

Besides VPN, you have to look at the DNS security, because the corporate VPN will go through a SaaS application, direct to a Dropbox. How do you secure that? You add one more layer of cloud security and make sure that you do a split tunneling of VPN, where the VPN connects back to your corporate network for your corporate applications, for SaaS application — it does not have to go to the corporate and then to the cloud. You are doing a split tunneling option, as most of the home connection and endpoint connections are on a shared Wi-Fi with multiple users from the family.

Man-in-the-middle attacks become common, and if there is no encryption between your laptop and Wi-Fi access point, you want to add another layer of security on top of the VPN, which is DNS security. You want to make sure that there is a cloud-based solution that will tell you that the domain is good, bad, and ugly. The third layer you add is your identity. How do you make sure that the user who is accessing the corporate resource is a real person? So, you resort to passwordless authentication, whereby your device and user identity are protected.

This ensures you have the VPN, DNS layer of security, identity access management, and anti-malware solution. Make sure that the endpoint which is connecting back from the home has an anti-malware solution. Security at the endpoint layer has become a lot more important. This is a principle for zero trust for endpoint security.

This is a framework that we have been successfully enabling in India post-pandemic when the lockdown was announced. We enabled half a million endpoints within two weeks of adopting this framework, so people can continue working from home with secure infrastructure.

What about the new-age cyberthreats?

New age attacks are state-funded. They are geopolitical in nature and target supply chains. Supply chain attacks look at your trusted hardware and software. They plant malware or threats into the trusted networking partner. I would rather not break into the company setup; I would look at what was the most popular setup of products and services they use and plant malware on their updates. We are seeing the new-age attacks very clearly towards supply chains. Talos has written a blog on a group called Gamaredon. Cybercrime-as-a-service is being delivered. We mapped all these attacks during 2019 and the pandemic, and then we looked at the highest vulnerable medium. These new-age attacks that have emerged are email, cloud visibility and endpoint. We saw zero trust in action for endpoint security. If you block and have a zero trust approach across all these four domains, you are cyber smart. The key focus areas will be: how to ensure cyber preparedness, how do you look at remote working and access policies, how do you augment your security monitoring capability, how do you look at a trade-off between employee information on privacy and how do you train your people when we were working from office. The first line of defense is humans. So, how do you prepare your remote workforce against social engineering attacks? It is not just about technology.

Let’s take an example of incident response. When there is a breach, how do you respond and look at your roles and responsibilities? How do you report the breach and how do you rework all your playbooks? Playbook works like you are writing a security rulebook, the DOs and DON’Ts, and the steps to follow in case of a breach. How do you conduct cyber drills in a remote environment?

Look at how to audit privileged access for remote workers. How can we enhance the SOC monitoring capability? These are questions beyond technology that need to be evaluated and updated. A practitioner’s view is very different. You will have frameworks, but operationally, it’s more complex than what we think.


AMD’s Newest EPYC 7003 Series Processors Arrive with Additional Security Features
https://staging-cisomagcom.kinsta.cloud/amd-launches-new-epyc-7003-series-processors/
Tue, 16 Mar 2021 15:10:04 +0000

On March 15, 2021, AMD launched its latest EPYC (Extreme Performance Yield Computing) 7003 Series processors – “Milan” – intending to improve the speed, agility, and core performance of its EPYC processors for faster business outcomes. Correspondingly, AMD also introduced some salient modern-day security features that give the 7003 Series the edge over its competitors.

AMD’s Latest EPYC 7003 Series Processors

The newest generation of 7003 Series processors is built on the Zen 3 architecture, which AMD says significantly improves performance for enterprise, cloud, and HPC workloads. The manufacturer claims that it delivers “the best performance of any server CPU with up to 19% more instructions per clock.”

Technically, this is the 3rd generation of AMD’s EPYC processors, and with the current security risks to businesses in mind, AMD has introduced a host of security features, including:

  • Secure Memory Encryption (SME)
  • Secure Encrypted Virtualization-Encrypted State (SEV-ES)
  • Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)
  • A dedicated security subsystem
  • Hardware-validated secure boot
  • Hardware root of trust

The SEV and SNP Features

AMD Infinity Guard offers a set of security features that complement those of industry ecosystem partners at both the software and system levels. The SEV-ES and SEV-SNP security features are both provided under AMD Infinity Guard.

SEV-ES: This provides a layer of protection for CPU registers. AMD has added interrupt restrictions that should prevent malicious hypervisors from injecting interrupts and attacking ES guests. The new AMD EPYC processors help safeguard the privacy and integrity of data by encrypting each virtual machine with one of up to 509 unique encryption keys known only to the processor.

SEV-SNP: Another important and new feature that AMD has introduced is SNP, which provides enhanced memory protections against malicious hypervisors carrying out replay, corruption, or remapping attacks. SNP creates an isolated execution environment which helps in adding memory integrity protection capabilities designed to prevent hypervisor attacks.
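Whether a given host actually offers these features is something a defender can verify rather than assume: on Linux the kernel prints a feature flag for each one in /proc/cpuinfo. The following is an added example, not AMD's, Cisco's or CISO MAG's code: it parses cpuinfo text, reports which of SME, SEV, SEV-ES and SEV-SNP every core advertises, ranks them, and warns when cores disagree. The flag names sme, sev, sev_es and sev_snp are the ones the Linux kernel uses (sev_snp appears only on kernels that know about SNP); the cpuinfo samples and the helper names are constructed for this example.

```python
"""Check which AMD memory-encryption features a Linux host advertises.

Added example: not AMD's, Cisco's or CISO MAG's code. It parses the
"flags" lines of /proc/cpuinfo and ranks the AMD features from SME up to
SEV-SNP. The flag names are the ones the Linux kernel prints (sev_snp
only on kernels that know about SNP); the sample cpuinfo text below is
constructed for the example.
"""
import os
import re
from typing import List, Set, Tuple

# Ordered weakest to strongest; each level builds on the one before it.
FEATURE_FLAGS: List[Tuple[str, str]] = [
    ("sme", "Secure Memory Encryption (host memory encrypted)"),
    ("sev", "Secure Encrypted Virtualization (per-VM memory keys)"),
    ("sev_es", "SEV Encrypted State (guest CPU registers encrypted)"),
    ("sev_snp", "SEV Secure Nested Paging (memory integrity vs. replay/remap)"),
]
FEATURE_NAMES = {flag for flag, _ in FEATURE_FLAGS}

# Constructed sample: two cores, both advertising SME, SEV and SEV-ES.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: AMD EPYC (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sme sev sev_es

processor\t: 1
vendor_id\t: AuthenticAMD
model name\t: AMD EPYC (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sme sev sev_es
"""

# Constructed sample where the second core does not report sev_es; the host
# must be rated by what every core has, not by the best core.
SAMPLE_MIXED = """\
processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sme sev sev_es

processor\t: 1
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sme sev
"""


def parse_cpuinfo(text: str) -> List[Set[str]]:
    """Return the flag set of each processor block in cpuinfo text."""
    cores: List[Set[str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flags: Set[str] = set()
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "flags":
                flags = set(value.split())
        cores.append(flags)
    return cores


def supported_features(cores: List[Set[str]]) -> List[str]:
    """Encryption features that every core advertises, weakest first."""
    if not cores:
        return []
    common = set.intersection(*cores)
    return [flag for flag, _ in FEATURE_FLAGS if flag in common]


def inconsistent_flags(cores: List[Set[str]]) -> Set[str]:
    """Encryption flags that some cores advertise and others do not."""
    if not cores:
        return set()
    return (set.union(*cores) - set.intersection(*cores)) & FEATURE_NAMES


def isolation_level(cores: List[Set[str]]) -> str:
    """Strongest level available on every core, or 'none'."""
    feats = supported_features(cores)
    return feats[-1] if feats else "none"


def report(text: str) -> List[str]:
    """Human-readable summary lines for a cpuinfo text."""
    cores = parse_cpuinfo(text)
    have = set(supported_features(cores))
    lines = [f"cores parsed: {len(cores)}"]
    for flag, desc in FEATURE_FLAGS:
        lines.append(f"{'yes' if flag in have else ' no'}  {flag:8} {desc}")
    odd = inconsistent_flags(cores)
    if odd:
        lines.append("WARNING: not all cores agree on: " + ", ".join(sorted(odd)))
    lines.append(f"strongest level on every core: {isolation_level(cores)}")
    return lines


if __name__ == "__main__":
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    print("\n".join(report(text)))
```

A flag in cpuinfo only says the processor and firmware expose the feature; whether a guest actually gets it also depends on the hypervisor enabling it (on Linux, for example, the kvm_amd module parameters), so treat this check as the first step of the verification, not the whole of it.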

The AMD EPYC processor ecosystem is expected to grow significantly by the end of 2021, with numerous OEMs, ODMs, cloud providers, and channel partners like AWS, Cisco, Dell Technologies, Google Cloud, HPE, Lenovo, Microsoft Azure, Oracle Cloud Infrastructure, Supermicro, Tencent Cloud and others announcing its integration into their respective ecosystems.


Cisco Fixes Multiple Vulnerabilities in its SD-WAN Products
https://staging-cisomagcom.kinsta.cloud/cisco-fixes-multiple-vulnerabilities-in-its-sd-wan-products/
Thu, 28 Jan 2021 06:01:02 +0000

Networking and hardware company Cisco asked its users to update their networking software immediately, citing critical security vulnerabilities in its products, including software-defined networking for wide-area networks (SD-WAN), Dynamic Network Analysis (DNA), and the Smart Software Manager Satellite. Cisco stated that these vulnerabilities are critical and need immediate action. Threat actors could exploit the flaws to launch command injection attacks and take over root privileges on the affected devices.

Affected Devices

  • IOS XE SD-WAN Software
  • SD-WAN vBond Orchestrator Software
  • SD-WAN vEdge Cloud Routers
  • SD-WAN vEdge Routers
  • SD-WAN vManage Software
  • SD-WAN vSmart Controller Software

Multiple Vulnerabilities

Multiple Command Injection vulnerabilities tracked as CVE-2021-1260, CVE-2021-1261, CVE-2021-1262; and Buffer Overflow vulnerabilities CVE-2021-1300, CVE-2021-1301 in Cisco SD-WAN products could allow a remote attacker to execute attacks on compromised devices.

  • CVE-2021-1260 – This is a Command Injection vulnerability in the CLI of Cisco SD-WAN Software that could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands. These arbitrary commands could allow the attacker to obtain root privileges and read, write, and delete files of the underlying file system of an affected device.
  • CVE-2021-1261 – This Command Injection vulnerability in the CLI utility tcpdump of Cisco SD-WAN Software could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow the attacker to obtain root privileges.
  • CVE-2021-1262 – The vulnerability exists in the CLI of Cisco SD-WAN Software and could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands.
  • CVE-2021-1300 – A Buffer Overflow vulnerability in Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition.
  • CVE-2021-1301 – Another Buffer Overflow flaw in the NETCONF subsystem of Cisco SD-WAN Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or system.

Cisco has released security updates to fix all the vulnerabilities, as there are no workarounds to address these flaws.

“The vulnerabilities are not dependent on one another. The exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability,” Cisco said.

Google and Microsoft Join Facebook’s Legal Battle Against Israel’s NSO https://staging-cisomagcom.kinsta.cloud/facebook-nso-lawsuit/ Wed, 23 Dec 2020 14:10:48 +0000 https://staging-cisomagcom.kinsta.cloud/?p=8631

Facebook has been at loggerheads with Israel-based hacking company NSO since last year. It has accused NSO of exploiting a bug in WhatsApp that wrongfully gave it the ability to surveil more than 1,400 people. NSO has since maintained that its products are strictly used to curb crime and combat terror. However, some reports suggest it has been using its proprietary spyware, known as “Pegasus,” against top lawyers, reporters, and even nutritionists. Noting this as a grievous issue, other tech companies, namely Google, Microsoft, Cisco, and Dell Technologies-owned VMware, have now announced their support for the social media giant.

NSO Claims “Sovereign Immunity”

In April 2020, the NSO group filed a request to dismiss the lawsuit pressed by Facebook arguing that it provided hacking tools to police and spy agencies around the globe, and hence, it should be granted “Sovereign Immunity” as foreign governments enjoy in any lawsuit.

The basis of NSO’s arguments was made on two grounds:

  1. The Foreign Sovereign Immunities Act (FSIA): The law that limits whether a foreign state can be sued in U.S. court.
  2. Federal Rule of Civil Procedure 19 (Rule 19): The rule that governs the joinder of parties in civil lawsuits.

The court found the justification insufficient on both counts, and the Northern District of California dismissed the request in July 2020. NSO has, however, filed once again with the Ninth Circuit to overturn this ruling.

Why Other Tech Giants Support Facebook

Based on a Citizen Lab report, four Pegasus operators had successfully abused an exploit chain known as “KISMET.” KISMET exploited a zero-day vulnerability in iOS 13.5.1, then the latest release, on the iPhone 11. The targets of these operators were 36 personal phones of Al Jazeera employees, including journalists, producers, anchors, and executives. Facebook found the same vulnerability being abused in its case as well; however, the number of targets grew to 1,400.

Considering NSO’s client base, the targeted numbers unearthed until now are likely only a fraction of the actual number. Fearing this and the subsequent violation of human rights, other tech giants have joined forces with Facebook to argue against granting sovereign immunity to NSO. In a brief filed with the Ninth Circuit, they said,

This would lead to a proliferation of hacking technology, and in the foreseeable future, we will have more foreign governments with powerful and dangerous cyber-surveillance tools. That, in turn, means dramatically more opportunities for those tools to fall into the wrong hands and be used nefariously.

It will now be interesting to see whether the U.S. court still agrees with the argument presented by Facebook and other tech giants or accepts the defendant’s plea of overturning the previous ruling and abolishing the lawsuit altogether.

Cisco Fixes Multiple Vulnerabilities in Cisco Security Manager https://staging-cisomagcom.kinsta.cloud/cisco-security-manager-vulnerabilitiesin-response-to-the-multiple-cisco-security-manager-vulnerabilities-reported-by-security-researcher-florian-hauser-the-networking-device-manufacturer-has-publishe/ Thu, 19 Nov 2020 15:01:56 +0000 https://staging-cisomagcom.kinsta.cloud/?p=7858

In response to the multiple Cisco Security Manager vulnerabilities reported by security researcher Florian Hauser, the networking device manufacturer has published three advisories. The vulnerabilities, if exploited, allow remote code execution (RCE), thus giving the attacker complete control of the victim’s system.

The Backstory

Hauser, who is a security researcher at Code White, had originally found 12 vulnerabilities affecting the web interface of Cisco Security Manager nearly four months earlier. As per standard ethical practice, Hauser shared his findings with Cisco so that they could fix them. However, even after 120 days Cisco had neither replied nor acknowledged the fixes in its latest update, v4.22. Hence he decided to tweet about it and go ahead with publishing the Proof-of-Concept (PoC) for the vulnerabilities.

Cisco finally acknowledged and contacted Hauser on November 17, and announced that they had indeed fixed the issues reported and, in response, released three advisories for the three CVEs that contained multiple vulnerabilities.

The Cisco Security Manager Vulnerabilities

As per the analysis shared by cybersecurity service provider Tenable, the three CVEs fixed by Cisco are described as follows:

  • CVE-2020-27125 (CVSSv3 score – 7.4): This is a static credential vulnerability in Cisco Security Manager. If exploited successfully, an unauthenticated remote attacker could easily obtain static credentials by viewing the source code of a specific file. This would allow the attacker to “carry out further attacks.”
  • CVE-2020-27130 (CVSSv3 score – 9.1): This is a critical path traversal vulnerability in Cisco Security Manager. If exploited successfully, an unauthenticated remote attacker could send a specially crafted request containing directory traversal character sequences (e.g. “../../”) to a vulnerable device. This would allow the attacker to arbitrarily download and upload files to the device.
  • CVE-2020-27131 (CVSSv3 score – 8.1): This covers multiple vulnerabilities in the Java deserialization function of Cisco Security Manager. A remote attacker could exploit this vulnerability by generating malicious serialized Java objects using a tool like ysoserial.net and sending them as part of a specially crafted request to the vulnerable device. Successful exploitation would grant the attacker arbitrary code execution privileges on the device as NT AUTHORITY\SYSTEM.

Rody Quinlan, Security Response Manager at Tenable said, “These vulnerabilities are relatively easy to exploit and the researcher who discovered them, Florian Hauser, has already publicly shared proofs-of-concept (PoCs). Almost all the vulnerabilities directly give RCE, which presents multiple attack vectors that a threat actor could potentially exploit to take control of affected systems. Given the impact of exploiting these vulnerabilities could have, and the fact that PoCs are available, it is imperative organizations patch as soon as updates are released as it’s inevitable that we will see in-the-wild attacks in the coming weeks, if not days.”

Cisco has already released patches for CVE-2020-27125 and CVE-2020-27130, and a patch for CVE-2020-27131 will be made available soon. The company’s Security Response Team has not yet found any evidence of these vulnerabilities being exploited in the wild, but it cautioned users to keep their systems updated with the latest patches.

New Normal Effect! 85% of Organizations Say Cybersecurity is More Important than Ever https://staging-cisomagcom.kinsta.cloud/new-normal-effect-85-of-organizations-say-cybersecurity-is-more-important-than-ever/ Mon, 26 Oct 2020 10:04:47 +0000 https://staging-cisomagcom.kinsta.cloud/?p=7468

Networking and hardware company Cisco stated that organizations became most concerned about data sharing during the COVID-19 pandemic. In its dual research studies, the company revealed the security challenges that organizations face while supporting employees and customers in remote working conditions. It also highlighted that increasing cybersecurity spending will make organizations and consumers ready for the current working conditions.

According to Cisco’s Future of Secure Remote Work Report, most organizations across the globe are only somewhat prepared to support a remote workforce environment. The report also found:

  • 85% of organizations said that cybersecurity is extremely important or more important than before COVID-19.
  • Secure access is the top cybersecurity challenge faced by the largest proportion of organizations (62%) when supporting remote workers.
  • One in two respondents said endpoints, including corporate laptops (56%) and personal devices (54%), are a challenge to protect in a remote environment.
  • 66% of respondents indicated that the COVID-19 situation will result in an increase in cybersecurity

Cisco’s second annual Consumer Privacy Survey revealed that consumers globally are worried about the privacy of remote working tools and are uncertain about organizations’ data security policies. Findings include:

  • 60% of respondents are concerned about the privacy of remote collaboration tools.
  • 53% want privacy laws maintained, with little or no exception for pandemic-related data.
  • 48% feel they are unable to effectively protect their data today, and the main reason is that they cannot figure out what companies are doing with their data.
  • 56% believe governments should play the primary role in protecting consumer data, and consumers around the world are highly supportive of the privacy laws enacted in their country.

Jeetu Patel, SVP and GM of Cisco’s Security & Applications business, said, “Security and privacy are among the most significant social and economic issues of our lifetime. Cybersecurity historically has been overly complex. With this new way of working here to stay and organizations looking to increase their investment in cybersecurity, there’s a unique opportunity to transform the way we approach security as an industry to better meet the needs of our customers and end-users.”

Harvey Jang, VP and Chief Privacy Officer, Cisco, said, “Privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining customer trust. The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world.”

Cyber Resilience is a Fork in the Road for Remote Workforce https://staging-cisomagcom.kinsta.cloud/cyber-resilience-for-remote-workforce/ Tue, 13 Oct 2020 04:30:18 +0000 https://staging-cisomagcom.kinsta.cloud/?p=7321

Let’s face it, your network perimeter has changed for the foreseeable future and maybe forever. Remote workforce has become the new normal. What is worse is remote workers are working out of poorly secured network environments, and they are sharing these environments with vulnerable devices like unpatched routers, mobile devices, and Smart TVs. “There is no more chaotic time on the internet than right now,” said a security researcher during the Kaspersky Security Analyst Summit. Attackers, like the invisible coronavirus, thrive on chaos. They love to sneak in under the cover of darkness to kick us when we are down and stressed out. Uncertainty and confidence don’t make the best bedfellows.

By David Hillman, Senior Security Consultant, Securicon

Criticality of Cyber Resilience for Remote Workforce

According to a March 2020 Gartner pandemic preparedness study, many organizations and their leaders are unsure whether their risk mitigation strategy is sufficient. One area of particular concern is operational resilience. Many security leaders are getting even less sleep because they are thinking of the potential fallout if a critical piece of network or VPN technology fails and their people are cut off from the resources they require to do their jobs remotely. Not being able to access the systems which keep an eye on security could spell disaster.

In a recent survey conducted by industry group YL Ventures, VPNs and DDoS mitigation have come up as issues that CISOs are very concerned about. This is a justifiable concern because the shift to work from home (or anywhere) has now placed many enterprises in the unenviable position of being service providers to their own workforce. DDoS vulnerabilities that would have impacted business continuity are now being proactively looked at. Non-critical network activities are now being cut off. The business continuity concern is so great that organizations such as the Department of Defense (DoD) have had to block YouTube and other social media activities from their networks. COVID-19 is now amusingly being referred to as the greatest change agent in the history of the internet. It is the straw that breaks the camel’s back for those that are unprepared. Change is hard, but inaction can be deadly, both from a network resiliency and a health standpoint. So, what should organizations focus their energies and investments on?

Integrative Problem Solving is the New Norm

How about a better response system based on a combination of best practices and training? Until a few years ago, only backups and disaster recovery were considered as integral parts of the response system that would help the business maintain or recover normal business operations. COVID-19 has added an extra dimension to this problem. However, this should come as no surprise because according to the Center for Financial Professionals (CeFPro), the operational risk landscape has changed tremendously over the last ten years.

Smart organizations that are reporting no significant impact during the coronavirus pandemic have already shifted to more holistic risk management practices and are paying closer attention to emerging trends. Collaboration is in and silos are out. Infrastructure groups are now encouraged to learn from software development groups. Integrative problem solving is the new norm. Terms like automation and DevOps are being whispered in boardrooms. Even regulatory bodies are placing more focus on enhanced standards for operational resilience through better network intelligence, problem identification, and mitigation.

How to Improve Operational Resiliency

Some organizational leaders have expressed concern there is not enough guidance from the regulatory bodies on how to deal with resiliency from an operations perspective. In that case, an approach that could work is to create an action plan which consists of taking high-level best practices from something like the NIST Cyber Security Framework and combining them with vendor-provided recommendations to create a hybrid organizational framework for dealing with the problem of operational resiliency. Vendors such as Cisco have published their Service Provider Infrastructure Security whitepaper. Utilizing a six-phase approach to service provider security, the whitepaper talks about a framework for deploying edge security systems in a resilient way. These six phases are:

  1. Preparation
  2. Detection
  3. Classification
  4. Traceback
  5. Mitigation
  6. Post-mortem

Designed specifically to counter DDoS attacks in service provider type networks, the framework provides a “good overall approach to securing service provider environments.” Despite being geared towards Cisco edge equipment, these recommendations can be adapted to vendors such as Palo Alto Networks and Juniper Networks. Some surveys suggest that organizations are only utilizing 20% of the total capabilities of their network equipment when it comes to guarding against DDoS attacks. Most of this is due to the lack of training and unfamiliarity with these features. That must change if critical networks are to become more resilient.

Q’s to Ask for Becoming a Hero in Operational Resiliency

When the features are already available, even a modest increase in spending on training and awareness can result in huge gains – sometimes up to 30% – in operational resiliency.

Going from zero to operational resiliency hero does not have to involve ripping out what is already in place to replace it with something bigger. It just takes security leaders to ask the right questions, such as:

  • Does our current equipment have features such as Packet Buffer Protection to guard against DDoS attacks?
  • What would it take to enable those features?
  • What are the risks involved if we do enable the extra protection features?
  • Why haven’t those features been enabled before?

Nine out of ten times, security leaders will find these advanced features have not been enabled because their operations people either are not aware of them or have not been properly trained on how to make use of them. In the same 2020 Gartner study, it was mentioned that security leaders are putting training on the back burner to focus on network availability and VPN connectivity instead. This will not work in the new era of holistic, integrative network security and cyber resiliency; continuous training and skills development must be part of the prescription.

About the Author

David Hillman, who is currently working as a Senior Security Consultant with Securicon, has more than five years of experience in designing, testing, and deploying network security solutions. Mr. Hillman has led and/or participated in the development of security architecture and policy framework solutions for many complex projects. That includes experience in implementing information technology (IT) solutions to ensure compliance with audit requirements and deployment of Supervisory Control and Data Acquisition (SCADA) firewalls for segmentation; he has also built, tested, and installed large-scale packet capture solutions.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and our publication does not assume any responsibility or liability for the same.

Patched! Cisco Fixes High-Severity Bugs Impacting its Fabric Services Component https://staging-cisomagcom.kinsta.cloud/patched-cisco-fixes-high-severity-bugs-impacting-its-fabric-services-component/ Fri, 28 Aug 2020 07:45:54 +0000 https://staging-cisomagcom.kinsta.cloud/?p=6813

Cisco released a security advisory addressing vulnerabilities in the Fabric Services component of Cisco FXOS software, Cisco NX-OS software, and its Data Management Engine (DME). The networking and hardware company stated that it found eight vulnerabilities, of which six are reported as high-severity flaws.

According to the security advisory, the high-severity flaws affecting Cisco’s NX-OS software were tracked as CVE-2020-3397, CVE-2020-3398, CVE-2020-3338, CVE-2020-3415, CVE-2020-3517, and CVE-2020-3454. The two medium severity bugs impacting Cisco’s NX-OS software include CVE-2020-3397 and CVE-2020-3398. These flaws could allow an attacker to cause process crashes, which could result in a denial of service (DoS) condition on an affected device.

“The vulnerabilities are due to insufficient error handling when the affected software parses Cisco Fabric Services messages. An attacker could exploit these vulnerabilities by sending malicious Cisco Fabric Services messages to an affected device. A successful exploit could allow the attacker to cause a reload of an affected device, which could result in a DoS condition,” the advisory stated.

In addition to the eight vulnerabilities, Cisco also fixed a high severity flaw CVE-2020-3504 that impacted Cisco’s web services interface, Adaptive Security Appliance (ASA), and the Firepower Threat Defense (FTD) software. This vulnerability could have allowed an unauthenticated remote attacker to perform directory traversal attacks and steal sensitive data.

Counterfeit Cisco Switches

Recently, an investigation report from F-Secure revealed a pair of counterfeit network switches impersonating Cisco network switches. The counterfeit devices, versions of the Cisco Catalyst 2960-X series switches, were designed to bypass authentication processes to system components. According to the investigation, the counterfeit devices did not have any backdoor functionalities, but had the ability to bypass security controls. The counterfeits were physically and operationally similar to an authentic Cisco switch. Threat actors either invested heavily in imitating Cisco’s original design or had access to proprietary engineering documentation to create a fake copy, the report said.

Patch Now! Hackers Exploiting Cisco’s ASA/FTD Software to Steal Data https://staging-cisomagcom.kinsta.cloud/vulnerability-in-cisco-software/ Mon, 27 Jul 2020 15:56:08 +0000 https://staging-cisomagcom.kinsta.cloud/?p=6491

Networking and hardware company Cisco stated that it has become aware of the availability of public exploit code and active exploitation of a high-severity vulnerability in its web services interface, Adaptive Security Appliance (ASA) and the Firepower Threat Defense (FTD) software. In a security advisory, Cisco stated that the security vulnerability dubbed “CVE-2020-3452” could allow an unauthenticated, remote attacker to perform directory traversal attacks and steal sensitive data.

“An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device,” Cisco said.

Cisco found that the vulnerability affects its products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. The company also confirmed that this vulnerability does not affect Cisco Firepower Management Center (FMC) Software and cannot be used to obtain access to ASA or FTD system files or underlying operating system files. The company has released software updates to fix the vulnerability.

“The attacker can view files within the web services file system only. The web services file system is enabled for the WebVPN and AnyConnect features outlined in the Vulnerable Products section of this advisory; therefore, this vulnerability does not apply to the ASA and FTD system files or underlying operating system (OS) files. The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs,” the advisory said.

Counterfeit Cisco Switches

Recently, an investigation report from F-Secure revealed a pair of counterfeit network switches impersonating Cisco network switches. The counterfeit devices, versions of the Cisco Catalyst 2960-X series switches, were designed to bypass authentication processes to system components. According to the investigation, the counterfeit devices did not have any backdoor functionalities, but had the ability to bypass security controls. The counterfeits were physically and operationally similar to an authentic Cisco switch. Threat actors either invested heavily in imitating Cisco’s original design or had access to proprietary engineering documentation to create a fake copy, the report said.
