Oberberg-Online Business-Frühstück zum Thema OT-Security

Am 30.01.2020 findet unser erstes Business-Frühstück im neuen Jahr statt – und das direkt mit einem Top-Thema.

IT-Security hat heute jedes Unternehmen auf dem Radar. Was aber ist mit den leicht angreifbaren Produktionsumgebungen? Live-Hack und Gegenmaßnahmen werden bei unserem Business-Frühstück erläutert.

Bei frischem Kaffee und knusprigen Brötchen starten wir in das Jahr 2020 mit unserem ersten diesjährigen Business-Frühstück.

In der jüngeren Vergangenheit wurden immer häufiger Produktions- und Steuerungsanlagen Ziel für Hackerangriffe. Oftmals richtet sich so ein Angriff gegen die verwendeten SPS (Speicher-Programmierbare Steuerungen), die in nahezu jeder Prodktionsumgebung zum Einsatz kommen.
Im Gegensatz zu mittlerweile i.d.R. gut geschützten IT-Umgebungen, bieten Produktionsumgebungen einfache Angriffsflächen mit großem Schadenpotenzial. Risiken hierbei sind oftmals vielfach größer, da nicht nur einzelne Unternehmen betroffen sein können, sondern im Falle von Angriffen, z.B.  auf öffentliche Versorger eine weitreichende Wirkung erzielt werden kann.

Wir zeigen auf, welche Art Angriffe es in der jüngeren Vergangenheit zu verzeichnen gab und welche Konsequenzen hieraus erwuchsen.

In einer Live-Demo wird der Referent zeigen, wie einfach eine SPS heute angreifbar ist. Im Nachgang werden recht preiswerte und einfache Möglichkeiten aufgezeigt, wie der Schutz der Infrastruktur hier verbessert werden kann.

Abschließend laden wir zum offenen Austausch untereinander ein.

Melden Sie sich an via E-Mail an vertrieb@oberberg.net, persönlich bei Ihrem Oberberg-Online Ansprechpartner, oder auf unserer XING-Eventseite

Wir freuen uns auf ein spannendes Event mit Ihnen.

Threat Roundup for January 3 to January 10

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 3 and Jan 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01102020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 3 to January 10 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Datacenter Security: How to Balance Business Agility with Great Protection

By Brad Casemore When IDC consults with enterprise customers or performs worldwide surveys, security is invariably an acute concern. That’s regardless of geography, industry, and identity of respondent (executive, LoB, IT, DevOps, etc.). While the challenge of providing protection and security extends across all places in the network, the problem is especially vexing in the datacenter.
There’s good reason for that, of course. The parameters of the datacenter have been redrawn by the unrelenting imperative of digital transformation and the embrace of multicloud, which together have had substantive implications for workload protection and data security.
As workloads become distributed – residing in on-premises enterprise datacenters, in co-location facilities, in public clouds, and also in edge environments – networking and network-security challenges proliferate and become more distributed in nature. Not only are these workloads distributed, but they’re increasingly dynamic and portable, subject to migration and movement between on-premises datacenters and public clouds.
Data proliferates in lockstep with these increasingly distributed workloads. This data can inform and enhance the digital experiences and productivity of employees, contractors, business partners, and customers, all of whom regularly interact with applications residing across a distributed environment of datacenters. The value of datacenters is ever greater, but so are the risks of data breaches and thefts, perpetrated by malevolent parties that are increasingly sophisticated.
In that cloud is not only a destination but also an operating model, the rise of cloud-native applications and DevOps practices have added further complications. As DevOps teams adopt continuous integration and continuous deployment (CI/CD) to keep up with the need for business speed and as developers leverage containers and microservices for agility and simplicity, traditional security paradigms – predicated on sometimes rigid controls and restrictions – are under unprecedented pressure. For enterprises, the choice seems to be between the agility of cloud and cloud-native application environments on one side and the control and safety of traditional datacenter-security practices on the other.
Perhaps that isn’t true, though. There is a way to move forward that gives organizations both agility and effective security controls, without compromise on either front. Put another way, there needn’t a permanent unresolved tension between the need for business agility and the require for strong security, capable of providing the controls that organizations want while aligning more closely with business outcomes.
The first step toward this goal involves achieving visibility. If you can’t see threats, you can’t protect against them. This visibility must be both pervasive and real-time, capable of sensing and facilitating responses to anomalies and threats that span users, devices, applications, workloads, and processes (workflow). From a network standpoint, visibility must be available within datacenters – into north-south and east-west traffic flows –between them, and out to campus and branch sites as well as to clouds. The visibility should extend up the stack, too, all the way to application components and behavior, giving organizations views into potentially malicious activity such as data exfiltration and the horizontal spread of malware from server to server.
Once visibility is achieved, organizations can leverage the insights it provides to implement policy-based segmentation comprehensively and effectively, mitigating lateral propagation of attacks within and between datacenters and preventing bad actors from gaining access to high-value datacenter assets.
The foundations of visibility and policy-based segmentation, in turn, facilitate a holistic approach to threat protection, helping to establish an extensive network of capabilities and defenses that can quickly detect and respond to threats and vulnerabilities before they result in data loss or prohibitively costly business disruptions.
While it might seem that cloud-era business agility and effective security are irreconcilable interests, there is a path forward that merges the two in unqualified alignment.
For more information, see the Cisco-IDC webinar: https://engage2demand.cisco.com/lp_datacenters_18976?DTID=odiprl000517&CCID=cc000159&OID=wbrsc019628.
The post Datacenter Security: How to Balance Business Agility with Great Protection appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Continued Escalation of Tensions in the Middle East

By Talos Group
Cisco Talos works with many organizations around the world, monitoring and protecting against sophisticated threats every day. As such, we are watching the current state of events in the Middle East very closely for our customers and partners who may be impacted by the ongoing situation. We are continuing to evaluate potential threats and attack vectors, especially related to critical infrastructure and high-profile businesses and industries.
A challenge with protecting against state-sponsored campaigns is that the primary and ideal targets are potentially already compromised, either by a specific adversary or their allies who would be amenable to acting on their behalf. In previous research, Talos has observed footholds like this that can go undetected for extended periods, waiting to be modified remotely to exact a variety of potential malicious activities.
It may be difficult for primary target organizations to detect activity and defend themselves at the perimeter. Hopefully, they have employed a layered defense, which should include two-factor authentication, network segmentation and endpoint protection.
Of course, the potential also exists for the adversary to move away from a targeted maneuver to more broadly focused disruptions that could incorporate a much wider array of businesses and even consumers. This means that everyone should view this as a wake-up call — shore up defenses, update/patch your devices and focus on cyber hygiene. Employ authentication everywhere, beware of suspicious links, emails, etc. — phishing/credential theft continues to be popular among attackers. Every business should at least take a second look at every strange thing they see — don’t ignore anomalous activities, take the time to see if there is something nefarious at the end of the tunnel.
While prior campaigns in the region have heavily relied on wiper malware, this is no guarantee that future campaigns will continue this trend. At times like this, vigilance is key.
Read More >>
The post Continued Escalation of Tensions in the Middle East appeared first on Cisco Blogs.

Source:: Cisco Security Notice

An Overview of Zero Trust Architecture, According to NIST

By Thu T. Pham NIST recently released a draft publication, SP 800-207: Zero Trust Architecture (ZTA), an overview of a new approach to network security.
While ZTA is already present in many cybersecurity policies and programs that sought to restrict access to data and resources, this document is intended to both “abstractly define” ZTA and provide more guidance on deployment models, uses cases and roadmaps to implementation.
What’s the problem they’re trying to solve? Agencies and enterprise networks have given authorized users broad access to resources, since they’ve traditionally focused on perimeter defenses. But that’s led to lateral movement within the network – one of the biggest security challenges for federal agencies.
Realistically, NIST recognizes that the migration to a ZTA is more of a journey rather than a complete replacement of an enterprise’s infrastructure. Most enterprises will likely continue to operate in a hybrid model – of both zero trust + legacy mode – for awhile as they continue their IT modernization investments.
And despite the misleading name, they state that ZTA is not a single network architecture, but rather a set of guiding principles.
The overall design denotes:
A shift away from wide network perimeters to a narrower focus on protecting individual or small groups of resources
No implicit trust is granted to systems based on their physical or network location
While traditional methods block attacks coming from the internet, they may not be effective at detecting or blocking attacks originating from inside the network.
ZTA seeks to focus on the crux of the issue, which NIST defines as two main objectives:
Eliminate unauthorized access to data and services
Make the access control enforcement as granular as possible
Zero Trust Architecture Tenets
NIST lists out a few conceptual guidelines that the design and deployment of a ZTA should align with (summarized for brevity below):
All data and computing services are considered resources. For example, an enterprise might classify personally-owned devices as resources, if they’re allowed to access enterprise resources.
All communication is secure regardless of network location. This means access requests from within the network must meet the same security requirements as those from outside of it, and communication must be encrypted and authenticated.
Access to individual enterprise resources is granted on a per-connection basis. The trust of whatever is requesting access is evaluated before granted access – authentication to one resource doesn’t automatically mean they get access to another resource.
Access to resources is determined by policy, including the state of user identity and the requesting system, and may include other behavioral attributes. NIST defines ‘user identity‘ as a network account used to request access, plus any enterprise-assigned attributes to that account. A ‘requesting system‘ refers to device characteristics (software versions, network location, etc.). ‘Behavioral attributes‘ include user & device analytics, any behavior deviations from baselined patterns.
The enterprise ensures all owned and associated systems are in the most secure state possible, while monitoring systems to ensure they remain secure. Enterprises need to monitor the state of systems and apply patches or fixes as needed – any systems discovered to be vulnerable or non-enterprise owned may be denied access to enterprise resources.
User authentication is dynamic and strictly enforced before access is allowed. NIST refers to this as a ‘constant cycle of access‘ of threat assessment and continuous authentication, requiring user provisioning and authorization (the use of MFA for access to enterprise resources), as well as continuous monitoring and re-authentication throughout user interaction.
Zero Trust Architecture Threats
What follows is a summary of some of the key potential ZTA threats listed in the publication:
Insider Threat
To reduce the risk of an insider threat, a ZTA can:
Prevent a compromised account or system from accessing resources outside of how it’s intended
MFA for network access can reduce the risk of access from a compromised account
Prevent compromised accounts or systems from moving laterally through the network
Using context to detect any access activity outside of the norm and block account or system access
To prevent the threat of unauthorized access, Duo provides MFA for every application, as part of the Cisco Zero Trust framework. An additional layer of identity verification can help mitigate attacker access using stolen passwords or brute-force attacks. That paired with Duo’s device insight and policies provides a solid foundation for zero trust for the workforce.
Learn more about Duo’s new federal editions tailored to align with:
FedRAMP/FISMA security controls
NIST’s Digital Identity Guidelines (NIST SP 800-63-3)
FIPS 140-2 compliance
See more about FedRAMP authorized authentication, providing secure application access for federal agencies and other public sector customers, including role/location-based access policies, biometric authentication, and more.
Network Visibility
In a ZTA, all traffic should be inspected, logged and analyzed to identify and respond to network attacks against the enterprise. But some enterprise network traffic may be difficult to monitor, as it comes from third-party systems or applications that cannot be examined due to encrypted traffic.
In this situation, NIST recommends collecting encrypted traffic metadata and analyzing it to detect malware or attackers on the network. It also references Cisco’s research on machine learning techniques for encrypted traffic (section 5.4, page 22):
“The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques [Anderson] can be used to analyze traffic that cannot be decrypted and examined. Employing this type of machine learning would allow the enterprise to categorize traffic as valid or possibly malicious and subject to remediation.”
Cisco Encrypted Traffic Analytics (ETA) allows you to detect and mitigate network threats in encrypted traffic to gain deeper insight without decryption. It also allows you to quickly contain infected devices and uses, while securing your network. Paired with Cisco Stealthwatch, you can get real-time monitoring using machine learning and context-aware analysis.
Zero Trust Architecture: Continuous Monitoring
The publication also references having a strong Continuing Diagnostics and Mitigations (CDM) program as “key to the success of ZTA.”
This is a complete inventory of physical and virtual assets. In order to protect systems, agencies need insight into everything on their infrastructure:
What’s connected? The devices, applications and services used; as well as the security posture, vulnerabilities and threats associated.
Who’s using the network? The internal and external users, including any (non-person) entities acting autonomously, like service accounts that interact with resources.
What is happening on the network? Insight into the traffic patterns, messages and communication between systems.
How is data protected? Enterprise policies for how information is protected, both at rest and in transit.
Having visibility into the different areas of connectivity and access provides a baseline to start evaluating and responding to activity on and off the network.
Cisco Zero Trust
Asking the above discovery questions and finding a solution that can accurately and comprehensively answer them can be challenging, as it requires user, device, system and application telemetry that spans your entire IT environment – from the local corporate network to branches to the multi-cloud; encompassing all types of users from employees to vendors to contractors to remote workers, etc.

Get visibility into everything on your infrastructure, and get control over who can access what, on an ongoing basis. Cisco Zero Trust provides a comprehensive approach to securing all access across your applications and environment, from any user, device and location. It protects your workforce, workloads and workplace.
It is comprised of a portfolio of the three following primary products:
To protect the workforce, Duo Security ensures that only the right users and secure devices can access applications.
To protect workloads, Tetration secures all connections within your apps, across multi-cloud.
To protect the workplace, SD-Access secures all user and device connections across your network, including IoT.
This complete zero-trust security model allows you to mitigate, detect and respond to risks across your environment. Verifying trust before granting access across your applications, devices and networks can help protect against identity-based and other access security risks.
Cisco was recently named a leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 – read the report to learn more about our market leadership in current zero-trust offerings and strategy.
The post An Overview of Zero Trust Architecture, According to NIST appeared first on Cisco Blogs.

Source:: Cisco Security Notice