Saturday, March 29, 2014

2014 NACo National Cyber Symposium

For those who may not have heard about it already, NACo is holding an important cyber security event on April 9-11, the 2014 National Cyber Symposium, in Omaha, NE. For more information, check out http://www.naco.org/education/Education/Pages/2014-Cyber-Symposium.aspx. If you are a county official or county IT professional, you won't want to miss this event.

Friday, March 28, 2014

Who has access to your network?

The investigation into the well publicized breach at Target during the 2013 Christmas shopping season is probably not completely over yet, but a few facts have been well established that I believe provide a great opportunity for counties to learn from someone else's mistakes. For those who may not have been following the story, what has been established is that a successful phishing attack on one of Target's HVAC and refrigeration providers was the initial source of the breach: credentials stolen from the contractor were used to get a foothold in Target's network. If you are interested in some of the details, Brian Krebs' security blog has probably the best coverage of the story in my opinion. Check out his post at http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/.

Just this one fact in the story provides some powerful reminders that county leaders should take to heart. First, phishing has proven once again to be an effective tool for stealing credentials, and in this case those credentials became a path into Target's network. No technology stops phishing outright. Its effectiveness can only be reduced through effective awareness training and diligence on the part of our employees and those of our business partners, such as outside contractors and service providers. The second reminder is just how connected everything is today. The access gained through the HVAC contractor ultimately enabled the bad guys to reach the point of sale machines throughout Target's organization.

That really brings up the question raised in the title of this post: who has access to your network? I know in my county's case that our building automation provider has remote access to one of the servers on our network. We got pushback from the vendor because we required them to use two-factor authentication in order to gain access. Their argument was that they have multiple employees who need access from time to time, and requiring them to use a hardware token every time they needed access was a huge inconvenience. You have to wonder, however, whether the breach could have been prevented if Target had required some form of two-factor authentication for its contractors. In that case the stolen username and password alone would have been insufficient for gaining access to Target's network.

It would be wise for county officials to review who has remote access and how much security is in place to prevent unauthorized access. Is remote access truly necessary? We have a number of software providers who demand full-time remote access, such as a permanent site-to-site VPN connection, so they can reach our servers to support their products. The problem with such connections is that a breach of the service provider's network also means the county's network has been breached. For this reason, we do not allow full-time, always-on connections to our network for any outside service provider. We allow them to connect when needed, and we make sure they stay connected only as long as necessary. We get a lot of complaints from some vendors about this approach, and sometimes even pushback from local officials who are more inclined to trust their outside contractor than their own IT department. But just as in the Target case, compromised access to one system, such as our building automation system, could lead to compromise in other areas of the network. We can't ever forget how connected everything is.

If access for a particular outside service provider is required, what can you do to protect your network? I strongly recommend some form of two-factor authentication, where not only do they need to know something to connect, such as a username and password combination, but they also have to have something in order to complete the process. In our case we require a hardware token such as a YubiKey, but there are lots of other options. The reason two-factor authentication is effective is that while a username and password can easily be captured in a phishing attack, getting possession of a physical object is a lot harder, so a phished password by itself is not enough to log in.

The second, and perhaps most important, thing you can do is separate privileges as much as possible. Don't reuse passwords. Don't give administrative access to outside contractors. Give them the minimum amount of permission they need to provide their service. Isolate services that have outside connectivity as much as possible. This isn't always easy, but keeping tabs on who has access to your network and what access they have is vital to protect your systems from determined attackers.
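To make the three controls above concrete (a second factor, access only while a window is open, and a vendor scoped to the hosts it actually supports), here is an added example of a vendor access gate written for this post. It is not code from my county's systems or from any vendor. It uses a TOTP code (RFC 6238) as the "something you have" instead of the YubiKey we use, stores passwords as salted PBKDF2 hashes, and checks every request against a time-boxed grant and an allow-list of (host, port) pairs. The vendor name, hosts, password, TOTP secret and clock values are all constructed for the example; the TOTP secret and times are the RFC 6238 test vectors so the codes can be checked against the RFC.

```python
"""Time-boxed, two-factor vendor access gate (standard library only).

Constructed example, not production code. Assumptions not taken from the post:
  - passwords are stored as salted PBKDF2-HMAC-SHA256 hashes
  - the second factor is a TOTP shared secret (RFC 6238), not a YubiKey
  - a vendor may connect only while an access window is open, and only
    to the (host, port) pairs we have approved for them
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `now`."""
    return hotp(secret, now // TOTP_STEP)


def totp_valid(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


@dataclass
class Vendor:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    allowed: frozenset            # (host, port) pairs this vendor may reach
    grants: list = field(default_factory=list)   # (start, end) epoch seconds


def open_window(vendor: Vendor, start: int, minutes: int) -> None:
    """Open access for a bounded period instead of an always-on connection."""
    vendor.grants.append((start, start + minutes * 60))


def check_access(vendor: Vendor, password: str, code: str,
                 host: str, port: int, now: int) -> tuple[bool, str]:
    """All four checks must pass; a phished password alone fails at step 2."""
    _, candidate = hash_password(password, vendor.salt)
    if not hmac.compare_digest(candidate, vendor.pw_hash):      # something you know
        return False, "bad password"
    if not totp_valid(vendor.totp_secret, code, now):           # something you have
        return False, "bad or missing second factor"
    if not any(start <= now < end for start, end in vendor.grants):
        return False, "no open access window"                   # connect only when needed
    if (host, port) not in vendor.allowed:
        return False, "target outside vendor's approved scope"  # least privilege
    return True, "ok"


# Constructed demo data: RFC 6238 test secret; all other values are made up.
RFC_SECRET = b"12345678901234567890"
SALT, PW_HASH = hash_password("correct horse battery staple", b"fixed-demo-salt!")
HVAC_VENDOR = Vendor("hvac-contractor", SALT, PW_HASH, RFC_SECRET,
                     frozenset({("bas-server.county.local", 3389)}))
open_window(HVAC_VENDOR, start=0, minutes=60)

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; TOTP is 287082 here
    for pw, code, host, port, t in [
        ("correct horse battery staple", "287082", "bas-server.county.local", 3389, now),
        ("correct horse battery staple", "000000", "bas-server.county.local", 3389, now),
        ("correct horse battery staple", "287082", "finance-db.county.local", 1433, now),
    ]:
        print(pw[:7], code, host, port, "->", check_access(HVAC_VENDOR, pw, code, host, port, t))
```

The order of the checks is deliberate: a correct password with no valid code is rejected before the gate ever looks at what the vendor wants to reach, which is exactly the outcome the stolen HVAC credentials should have met. The grant list replaces a standing VPN tunnel with something that expires on its own, and the allow-list is the "minimum permission" rule written down where it can be audited.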