Yesterday I had the honor of presenting some security information at the Seattle CTO Club. I loosely based the discussion on a similar presentation I gave last week at an event for Equinox IT, a WatchGuard partner, covering the cyber security landscape and top threats businesses face. Members of the group learned common attack patterns and discussed strategies for effectively implementing security. I wanted to share some of the questions asked, and answers to help other businesses facing these same problems.
Does pen testing really work?
One attendee said he had hired a pen testing company that never breaks into his network, but he does not believe his security is so good that a break-in is impossible. Pen test companies are not all equal. Some only run an automated scan and send the report printed from the scanning software. Others are more thorough, performing different types of scripted and manual testing. When hiring a pen testing company, networking with trusted security professionals and obtaining references can help. ZDNet published an article on this topic: 10 Things You Need to Know Before Hiring a Pen Tester
How do I know where to start with cloud security?
Before moving sensitive data to the cloud, companies should understand the cloud-specific security controls. Read security-related white papers such as the AWS Overview of Security Processes. On AWS, make sure to follow the AWS IAM Top 10 best practices. Understand the controls for each service or feature in the cloud. For example, AWS offers EBS volumes (virtual hard drives), S3 (object storage), RDS (relational database service) and Glacier (low-cost, slow-access storage). The documentation for each service will explain whether it runs solely within a VPC (Amazon Virtual Private Cloud) or needs Internet access, whether encryption is available, and how to set up permissions for the service. Some services, such as S3, offer resource-specific policies that further limit access and enforce rules related to accessing and storing data.
What if I lose my AWS root MFA device?
Some companies print out the QR code used to get into the AWS root account. One I know stores it in a safe that needs two people to unlock. One member of the group printed copies, storing one at the house of the CTO, one at the house of the CEO, and one in a safe. When using a hard copy of a QR code, the company should test it to make sure it works in case of emergency. Personally, I have had the device that generates the QR code stop working after not accessing an account for a few months. I contacted Amazon and followed a process that restored access in a short amount of time. For any company that has the resources to do so, signing up for a support plan and maintaining a relationship with an AWS account manager can also help if an issue arises with the account.
How does a WAF work and do you use one?
A WAF, or web application firewall, is a security appliance or service that monitors all incoming web requests. A WAF can inspect all the values and the format of an HTTP request and block the request if common attack patterns exist. Attack patterns may indicate things like directory traversal, SQL injection, and cross-site scripting attacks. WAFs can also handle rate limiting if an attacker is trying to scan the website or brute-force a password. One member noted that the AWS WAF offers a solution that mitigates the OWASP Top 10, a list of the most common website attacks. Although a WAF did not stop the Equifax breach, they still offer value; I not only built one myself years ago but have also used them at multiple companies. As with any security technology, WAFs need constant updates for new attacks and vulnerabilities.
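As an added illustration of the request inspection and rate limiting described above (example code written for this post, not a WatchGuard or AWS WAF implementation), the following Python checks the raw, decoded and double-decoded path, query and body of a request against a few constructed signatures for directory traversal, SQL injection and cross-site scripting, and applies a per-client sliding-window rate limit. The signatures, client addresses and request values are constructed for the example.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote_plus, urlsplit

# Constructed signatures for the three attack classes named above. Real WAF rule
# sets are far larger and need tuning (\bon\w+= will also flag "onboarding=").
RULES = {
    "directory traversal": re.compile(r"\.\./|\.\.\\|%2e%2e", re.I),
    "sql injection": re.compile(
        r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b|--\s*$", re.I),
    "cross-site scripting": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
}

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per client."""
    def __init__(self, limit=5, window=10.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def inspect(target, body=""):
    """Return the name of the first signature hit in path, query or body, else None."""
    parts = urlsplit(target)
    for field in (parts.path, parts.query, body):
        once = unquote_plus(field)
        # Check raw, decoded and double-decoded forms so encoded payloads are seen
        for candidate in (field, once, unquote_plus(once)):
            for name, pattern in RULES.items():
                if pattern.search(candidate):
                    return name
    return None

def filter_request(limiter, client, target, body="", now=None):
    """One WAF decision: ('block', reason) or ('allow', None); rate limit is checked first."""
    now = time.time() if now is None else now
    if not limiter.allow(client, now):
        return ("block", "rate limit exceeded")
    hit = inspect(target, body)
    return ("block", hit) if hit else ("allow", None)
```

Blocked requests still count against the client's rate limit, so a scanner that keeps sending flagged payloads is cut off by the window as well as by the signatures.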
How can I secure APIs?
Articles and books cover the topic of API security in great depth. OWASP offers a REST Security Cheat Sheet. A WAF can protect API requests that follow the HTTP standard. However, a WAF will not provide authentication, authorization, or encryption. A recent Secplicity article covers some of the best practices for handling encryption and authentication keys. Companies can follow the FIDO standard, which offers guidelines for implementing authentication. The group also discussed third-party authentication services such as the one provided by a company recently acquired by WatchGuard. Encrypt data in transit using HTTPS.
Should a small business hire a security professional or outsource?
No single answer exists for this question. Just like penetration testing, a company can employ a range of professionals with different levels of knowledge and price points. Some companies may outsource IT services such as patching and creating firewall rules to a company that specializes in security, such as a WatchGuard MSSP. Other companies may opt to train staff internally but bring in a top security professional to come up with a security strategy. Still others may decide to hire a full-time security expert or train existing staff to become experts. When selecting a training organization or school, ensure that the instructors have real-world experience, proper credentials, or both. Top security certifications include the CISSP, which covers broad security knowledge, and SANS certifications, which cover general or specialized topics.
How can companies protect themselves from recent attacks?
As outlined in my slides, 81% of attacks involved stolen credentials. MFA is the best protection. Some companies use password managers. Train all employees on the importance of protecting passwords.
Companies can stop many of the recent breaches by preventing access to the network ports on which these attacks operate. WannaCry needed access to port 445, and the Mirai botnet required port 23 to be open from the Internet to infiltrate devices on a network. NotPetya spread across internal networks on port 445, so preventing access with host-based firewalls will help. SANS offers a firewall checklist that lists ports companies will want to block unless required. The WatchGuard Firebox can automatically block hosts that connect to blocked ports.
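As an added example (written for this post, not taken from the SANS checklist or any WatchGuard product), the following Python evaluates an ordered, first-match firewall rule list and reports whether port 445 or 23 would be reachable from a constructed Internet address and from a constructed internal host, covering both the Internet-facing WannaCry and Mirai case and the internal NotPetya case. The rule sets, probe addresses and default-deny behaviour are assumptions made for the example.

```python
import ipaddress

# Ports named in the discussion above: 445 (SMB, WannaCry/NotPetya) and 23
# (Telnet, Mirai). Probe sources are constructed: a TEST-NET-2 address stands in
# for "the Internet" and a 10.0.0.0/8 address for a peer on the internal network.
WATCHED_PORTS = {445: "SMB", 23: "Telnet"}
PROBES = {"internet": "198.51.100.10", "internal": "10.20.30.40"}

def first_match(rules, src, port, proto="tcp"):
    """Evaluate an ordered, first-match rule list; default deny when nothing matches."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if src_ip not in ipaddress.ip_network(rule["src"], strict=False):
            continue
        if not (rule["from_port"] <= port <= rule["to_port"]):
            continue
        return rule["action"]
    return "deny"

def audit(rules):
    """Return {(probe, port): service} for every watched port a probe could reach."""
    exposed = {}
    for probe, src in PROBES.items():
        for port, name in WATCHED_PORTS.items():
            if first_match(rules, src, port) == "allow":
                exposed[(probe, port)] = name
    return exposed

# Constructed rule set: HTTPS open to the world, SMB allowed from the whole
# internal range (NotPetya's lateral path), and telnet left open for an IoT device.
EXAMPLE_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "proto": "tcp", "from_port": 443, "to_port": 443},
    {"action": "allow", "src": "10.0.0.0/8", "proto": "tcp", "from_port": 445, "to_port": 445},
    {"action": "allow", "src": "0.0.0.0/0", "proto": "tcp", "from_port": 23, "to_port": 23},
]

# Hardened: SMB only from one constructed file server, everything else denied.
HARDENED_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "proto": "tcp", "from_port": 443, "to_port": 443},
    {"action": "allow", "src": "10.20.0.5/32", "proto": "tcp", "from_port": 445, "to_port": 445},
    {"action": "deny", "src": "0.0.0.0/0", "proto": "any", "from_port": 0, "to_port": 65535},
]

if __name__ == "__main__":
    for label, rules in (("example", EXAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules) or "no watched ports reachable")
```

The same check can be run against an exported host-based firewall policy, since the internal probe is what shows whether a worm that is already inside could still reach port 445 on its neighbours.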
Security Data Analytics and Related Tools
Different tools analyze data and protect against new attack patterns and tactics, such as the services included in the WatchGuard Total Security Suite. Companies should ensure they are monitoring networks for patterns that indicate malware has compromised one or more hosts. WatchGuard publishes security intelligence information in our Quarterly Security Report.
Encrypt data stored at rest with different keys for different types of data and separate storage locations and keys for backups.
Patch. Create an automated pipeline with embedded security checks for all software, configuration, and system deployments, including firewall configurations. Some people mentioned scanners, though scanning did not stop the Equifax breach. A deployment pipeline and tools designed to help track the inventory of systems and software versions can help.
Immutable Infrastructure and Automated Deployments
Many companies in the room were familiar with the concept of immutable infrastructure. Immutable means something cannot change once it has been created; the term comes from the concept of immutable objects in software development. A microservices system architecture helps. When systems need to change, redeploy the entire system and shut down the old version. All changes should come from a source control system and an automated process.
Standard Configurations and Best Practices
Some organizations publish recommendations for secure configurations and security best practices. These include CIS benchmarks, NIST, the Critical Security Controls, OWASP Top Ten, and cheat sheets or templates published on various topics by numerous security organizations and individuals.
Information and Idea Sharing
I really appreciate the invitation to speak to this organization. Not only could I share some information, I also learned a few things from the group, as I always do. Sharing information is one of the best ways security professionals, business owners, and crime-fighting organizations can help each other in the fight against cyber crime. — Teri Radichel (@teriradichel)