On-Demand: Cyber Action Plan--Network Security
May 06, 2020
EisnerAmper and WatchGuard discussed future security gaps they anticipate based on the new remote workplace, the risks and fixes for new tools we are relying on, and an analysis of VPN options.
So, in our first go round we're talking with Mark as Lexi mentioned from WatchGuard. And Mark, thanks for your time today. Really appreciate it. And maybe to kick things off, it'd really be interesting to learn about what is it that you do every day.
Marc Laliberte:Yeah, thanks for having me on, Rahul. It's great to be here. I love presenting on these topics because security is a pretty big passion of mine. To answer your question, I am the threat lab manager at WatchGuard Threat Lab at WatchGuard Technologies where I lead a team of researchers that goes out and tries to get what we call threat intelligence from across the industry, multiple verticals, and then take that data and turn it into some usable form for our customer base and other people out there in the industry.
So for example, we've got tens of thousands of firebox security appliances deployed across the world and so we can get threat intelligence back from them anytime they block a piece of malware or they block an attempted network intrusion. And then we use that to build trends and report on emerging threats both in the form of quarterly internet security reports and daily blog posts. I've got a podcast that comes out every Monday for example as well.
And then past that we do our own threat research on just whatever our passion is. So, personally I'm a big fan of trying to break IOT devices and network connected doodads. So, I've got a stack of boxes back here of just random network connected stuff I bought off amazon.com where I like to try and find vulnerabilities in them and then work with the manufacturers to get them fixed just to improve security overall. And I'll say I tend to have pretty good success rate of finding flaws in IOT devices unfortunately.
Rahul Mahna:Wow. Well you're stopping the bad guys is what you're trying to do and protect us in our businesses and our homes. We often hear about layered security and network security. Can you break that down for everyone? What does that mean to have a layered security system?
Marc Laliberte:Yeah. So basically you never want to leave yourself in a place where you only have a single line of defense between you and a cyber-attack succeeding. So back in the day, in the early days of computers, there wasn't any anti malware, any firewalls. There wasn't any of that. If a bad guy was able to run an application on your computer or trick you to opening a malicious email like the, "I love you" virus for example, it would succeed and infect your computer and then go do something malicious.Then we started seeing end point firewalls that could block inbound connections. We started seeing end point antivirus products that would look for signatures of known malware that it had seen previously. But even that's not perfect because these days malware evolves every single day and so you get malware that can get past signature-based antivirus.
So, now a layered security approach takes that first layer of endpoint protection and then also brings it up to the network as well where you've got different types of anti-malware engines running, looking for known malware or zero day malware threats. You've got intrusion prevention services looking for attempted exploits of vulnerabilities on your systems. You've got content filtering to protect your employees from going to malicious websites or otherwise bad domains and basically it boils down to multiple different layers so that if some threat gets through one, it's not going to make it all the way down and infect the system because you've got other layers to back it up.
One thing I actually really like to highlight for this is one of those numbers that my team tracks every single quarter in our security reports and every day on our threat landscape page is this thing called the zero day malware number and I've mentioned that a few times now and for the technical people out there, this doesn't mean a zero day attack, something that goes after an unpatched vulnerability.
When we say zero day malware we mean malware that doesn't have a signature. So, it's either brand new, never seen before malware, or it's an older one that the bad guys have obfuscated in some way. They can use things called Packers and crypters to hide their malware and make it look like something legitimate and get past signature based antivirus. And for the last month or so, I think I pulled this a couple of days ago, about a week ago now, that zero day malware number was 66%. Which means that if you're relying just on signature-based antivirus, so just one layer of security, you're missing two thirds of all malware that's out there, which is just way too much in my opinion.
Rahul Mahna:It's so hard to keep up with this. I know our team is constantly trying to find just different ways to protect our clients and the hard part for us has been the changes that we keep seeing. So you being part of the threat intelligence team there. Can you give some of our technical folks, like you mentioned earlier, some insight into what are some of the changes in the bad activities that have been happening across the network in the last one or two months?
Marc Laliberte:Yeah, so this is one of the reasons why I personally loved the job is because every single day is different. The threat landscape evolves every day. The types of malware you see, the types of attack you see changes every single day. And with this really dramatic shift that we've had because of the COVID-19 pandemic and the shift of everyone working from typically in an office to now typically at home, it's opened up a whole bunch of different avenues for attack for cybercriminals.
So, previously we saw basically a full spread of different types of attack that the bad guys were doing. They'd use malware to try and get into a system. They'd try and fish people, they'd try and steal credentials. They'd try and just launch try by download pages or maybe do brute force attacks against authentication forms. But now with our workforce working primarily remotely, it's changed everything from now instead of attacking the organization, the bad guys are trying to attack the individual now.
Because people are working from home, they're missing out on a lot of layers of security in that layer security engine, which makes them much bigger targets for things like fishing for example. Where now because we don't have as much face to face communication unless you're using video platforms like this all the time, a lot more of our communications over email which leaves you a lot more susceptible to fishing and when it comes to fishing, one of the biggest things that attackers are looking for are your username and password because really authentication is the cornerstone of security.
If we design everything to keep the bad guys out and let the good guys in and how we differentiate them is with a username and a password, then if the bad guys are able to get ahold of a valid set of credentials, they can often just walk right in through the front door. And this is also backed up by research that we've seen through other entities as well. Verizon puts out this really good data breach investigations report every single year and even this last year they noted that 70% of hacking related breaches leverage stolen credentials and more often than not, those come from a fish.
Rahul Mahna:Makes a lot of sense. It really does and it's consistent with what we're seeing. We're seeing a lot of attacks on individuals. The CFO used to be in an office and now the CFO is in their home, but the hackers are following them and they're trying to get to them in different ways.
So, let's take maybe a step back and go to the security in the office. That CFO or that important C level executive used to sit in their office and they used to have a protection and I know your company sells a form of this protection called firewalls, and many of us have heard about it. But being an expert in the space, could you just break down real simplistically, what does a firewall do? Why is it in everybody's offices? And then maybe we can talk later about why isn't it in people's homes now? Or maybe it should be. But let's first talk about that.
Marc Laliberte:Yeah. So on its most basic fundamental level, a firewall blocks access and these days firewalls are pretty old news, the typical appliance that you'd see in an office or even at home for a home office user is something called a UTM, a unified threat management device, or an NGFW, next generation firewall there. I honestly hate industry acronyms, so you can call it whatever you want.
But these days there are firewalls with security services tacked onto them. So, not only is it just blocking ports, so blocking inbound access or outbound access on risky ports, that's also inspecting traffic that it allows through looking for potential malicious activity. So it's inspecting, looking for maybe signatures for malware, or just a file download and then taking that and sending it up in the cloud to run it in a sandbox and see if it's malicious. It's looking for known exploits against known vulnerabilities.
So, let's say you've got a web server that you're protecting and it's got an out of date operating system on it. If you don't have something inspecting inbound traffic to that web server, an attacker might be able to exploit a vulnerability in that and take over the web server. But if you're using intrusion prevention for example, you can detect that attempted exploit and block it while still allowing the legitimate traffic into that server.
Rahul Mahna:That makes a lot of sense. And I'm just going to take a quick moment because I know we only have a half hour on this series. If anyone who's listening has any questions, please put them in the chat window because we're still going to allow for some questions at the end and we want to make sure we try to get to as many of those as possible.
Okay, Marc. So moving along. So we talked about next generation firewall in office. Now everyone's shifted home and we've been told to login through the VPN. Can you walk us through a little bit as to what is a VPN exactly and why should I be logging in from a VPN while I'm at home and if I don't have it, what can we do besides that? But let's first talk about a VPN. What is it exactly?
Marc Laliberte:Sure. So, a VPN at its most basic level is just an encrypted tunnel from one place to another place. And so traditionally we've always recommended them if you're a remote worker or someone traveling where maybe you have to connect back to your office and access some resources but you're on an unsafe network, like at a coffee shop or an airport or something like that. You can use a VPN to then connect back to company resources through this encrypted tunnel without having to expose those resources to the internet. It basically digitally drops your computer behind the firewall as if it were on the local network. That's one flavor of them. The other one is ones that you'd see with Nord VPN or private internet access where they're not trying to give you access to your company resources, they're just trying to keep you safe while you're on one of those un-trusted networks. So, if you're at a coffee shop or an airport or something, you can connect up to a secure cloud location and be protected that way as well.
Rahul Mahna:So, a lot of us are at home. We're using our Wi-Fi in our homes. We have a lot of other users in our homes, a lot of children using it, maybe some other family members. I want to bring this to those folks right now in our audience that is working from home. Are they safe using the same Wi-Fi? Is there any basic things that a home users can do right now?
Marc Laliberte:eah, so there are things that you can do to protect yourself while working from home on your Wi-Fi. And the first thing is just to take basic steps. So, we're used to working in an office where our IT team or our service provider has taken care of making sure that we have a safe, secure environment. They've got a UTM, MGFW, whatever you want to call it at the perimeter. They've got anti-malware engines running on our computers. They probably have someone periodic periodically checking logs and reports, looking for malicious activity.
But now with us working from home, a lot of that falls on us to secure ourselves and we don't have that benefit of that secure network anymore. Now, in general, we're on the same network as our kids who are trying to do a remote schooling. And also if they're like me, trying to actively circumvent any security protections that you've put in to hamper them from doing whatever they want to do. Which means you need to make sure that there's some basics you can do.
First off is just securing your Wi-Fi in general, set it up with a strong password, kick your neighbors off of it. I know you're trying to be friendly and share Wi-Fi or maybe you don't know that you're sharing with them. Step one though is setting up a strong password, WPA to encryption is the option you want to use and then step two is just educating your family on security and the importance of security.
It's okay for your kids to go on the internet and do their schoolwork. It's okay for them to go watch YouTube videos if that's allowed in your house, but you need to make sure that they're aware that there is malicious threat actors out there on the internet that are going to try and take over their computer and do bad stuff.
So, they need to stay away from sketchy sites. They need to stay away from game download sites, things like that because if one of them gets infected, there's the chance that that could move laterally and now hit your work computer on that same network too. On a technical level, there's some things you can do even with really basic, like NETGEAR or Asus router you buy at Best Buy. Things like client isolation are usually a check box somewhere in the configuration on it. It prevents computers from talking to each other on the same wireless network. You might even be able to set up different SS IDs, so two different wireless networks and then provide rate limiting or throttling on the one family uses so that you can still get your work done. There's, even with the most basic consumer routers, generally some stuff you can do to make it a little more secure.
Rahul Mahna:That's really helpful. One question I've always had is I've often gone to Best Buy like you said and seen some of my friends and family do that and buy the $50 NETGEAR. Now that I'm working from home, I'm working behind that $50 network device, firewall router combo that we've all seen. Is that as safe as a more enhanced product or what are the differences between that and maybe more of a business class product that you can buy?
Marc Laliberte:Yeah, so these days most of the wireless routers like NETGEAR, Asus, Linksys, whatever you would get from Best Buy or some other consumer electronics store, they have some security protections in them. All of them will have a firewall, a basic port blocking mechanism to prevent people from connecting inbound through your network or even blocking you from going outbound on certain ports, like if you want to prevent your kids from downloading BitTorrent so you can often block ports to prevent that access.
Some of them even have some more advanced security features where maybe they can actively choose which ports to allow inbound and outbound. Most of them though, don't do any content inspection of the traffic that they do allow through though, which means that you need to allow access to websites, for example, in order to go browse websites, do your work, maybe go access your emails, see YouTube videos, whatever. And you need to make sure that you are inspecting that traffic to look for malicious activity on it and your typical NETGEAR, Asus, whatever, isn't going to do that. That's where something like a tabletop appliance, a UTM or NGFW, this design for a small office or a single user at home. That's where that comes in. Because not only are you restricting that inbound, outbound traffic, the stuff that you're allowing out now you have visibility into it to see exactly what's going on and you can identify threats before they can make it down to your computer or your family member's computer or whoever else is connected onto your network.
Rahul Mahna:Got it, got it. So, it probably does pay if you are doing some sensitive work from your home to maybe have a little bit more of a business class product that you're working behind to protect you. That does make a lot of sense. I can't believe it's moved already. We've already chatted for 20 minutes. Marc, I think you and I could chat for two hours. Let's try to grab some questions to just see what people are thinking right now while we have a few minutes. One question that I see that is popping up is, "What are your thoughts on antivirus software? Does it matter and do I need it in my home?"
Marc Laliberte:The answer is yes and yes. So, even at a bare minimum, Microsoft Windows comes packed with Windows Defender, which does a pretty good job. I think they have something like 99.5% efficacy in the latest tests. It does a decent job, but then on top of that you can look at other anti-malware services too, even just on the endpoint. And when you are looking at them, you want ones that do more than just signature based detection. You want ones that look at behavior of malware, what's it doing there?
Because then even if it's a new sample that you haven't seen, a new virus, a new worm, it's going to do something malicious and if you can see that malicious behavior, you can stop it before it's able to do something damaging on your computer. Even more advanced solutions these days that are still economical for a home user can use machine learning and artificial intelligence in order to predict whether something is malicious or not even before it's allowed to execute on your computer. And then that paired with network-based anti-malware services, things running on that UTM or NGFW that you set up, will leave you in a much safer space as you are working from home and still conducting all of your very important work.
Rahul Mahna: Makes a lot of sense and I think this next generation firewall is really a takeaway that it does matter and I think it will provide a lot more security whether you're at home now for the foreseeable future, in your offices.
Another question that's popping up here is, and this an interesting one, "Am I safer on a Wi-Fi network than a cable network?" Meaning can I cable in I guess is what they're asking and is there any difference between the two?
Marc Laliberte:So in general, plugging hardline in is the safest in terms of people eavesdropping on your traffic. It is technically possible to tap into someone's hardwired connection. The FBI does it all the time. But it's significantly more difficult. And your neighbors or some sketchy person driving by in a van with a big antenna isn't going to be able to do that.
On wireless, it is technically riskier. There's the chance that, for example, if you're using a really weak password, it's possible for someone to drive by with a really big antenna and decrypt your wireless traffic. And then if any of your underlying traffic isn't encrypted, like if the websites you're going to aren't using HTTPS, there's a possibility they can see and modify exactly what you're doing and what your computer is seeing. So, it's a little more risky, but that doesn't mean you shouldn't use it. Wireless is great. Everyone uses Wi-Fi for a reason. You just have to make sure that you deploy it securely with a strong password and using any wireless protection that you can. For example, with some access points you can have wireless intrusion prevention, which adds another layer of defense actively looking for people trying to break in wireless network.
Rahul Mahna:You often see that. We live in closer spaces and when you go look for an active network you see these multiple networks all available to you and I think a lot of people don't realize you can actively try to hack each one of those that you're seeing pop up as is active. And if you're successful, to your point, a lot of people leave simple passwords and you can hack into someone else's network and therefore get access to the computing systems in that network.
Marc Laliberte:And not even that, I've got a little $50 tool in my backpack down here called the Wi-Fi pineapple that lets me impersonate all those wireless networks. So, if I walk around with that turned on and your cell phone is saying, "Is my home network there, can I connect you?" The pineapple says, "Yep, I am. Go ahead, connect to me." And if you're using an open network, something without a password, your mobile device will connect right to it and I can man in the middle all of your traffic.
Rahul Mahna:That's a great point. As we go back and work maybe from a Starbucks or open environments, don't just take it for granted that these open WiFis are secure. They could be an imposter like you just outlined and someone who's just taking your data from you. You don't even realize it.
Rahul Mahna:We're often told in the industry to do multifactor authentication using SMS, text messaging. What's your thoughts on that?
Marc Laliberte:So, if SMS based multifactor is your only option, it's better than nothing. Any MFA is better than no MFA because it makes it a little more difficult for attackers to get into an account if they've already managed to steal or guess your username and password. That said, SMS is not the most secure form of multi-factor. We saw this just last year, or maybe two years ago now, the time is all meshing together. The popular website Reddit was actually breached where an attacker was able to get the usernames and passwords for a bunch of Reddit developers and then they called up their phone provider and managed to convince their phone provider to port their phone numbers over to the attacker controlled phone so that now they could intercept those SMS messages and then got that second factor to login.
In general, it's pretty easy to social engineer that 18 year old on the other end of the phone at T-Mobile, which means that you need to instead use a more secure form of MFA. Something that uses the encrypted push messages down to your phone to an app or even though it's a little less convenient, using something like Google Authenticator's rotating numbers and just type those in as well. But encrypted push notifications are the most secure form of MFA.
Rahul Mahna:Fantastic. Marc, this has been really interesting. If I can just summarize for our audience, definitely have a multilayer security approach. We've learned firewalls, next generation firewalls, is worth the investment because of all the security features they can have. When we're working from home, try to separate your business traffic from your family member's traffic. Set up a different a Wi-Fi network, SSID. If you can cable in is even most preferred and secured way of connecting through. Try to continue to do some SMS authentication. I know we have some more questions that have popped up. I wish we can answer. If you have some more please put them in. We'll make sure that we have someone get back to you on those with Marc's opinions.
But if I could give you one minute or two Marc, where do you think we're going next? What's your thoughts for the audience in regards to security and what we need to be thinking about?
Marc Laliberte:The biggest thing going forward, even once we start making our way back into the offices, is still going to be spear fishing. We're seeing spear fishing evolve almost every single day. For example, we're seeing these types of threats where the attackers are able to use a valid subdomain on a Microsoft owned domain here to host their spearfishing forms to try and see usernames and passwords.
So, as an employee, make sure that your IT team or your managed service provider is giving you some form of phishing awareness training. I know everyone hates security training, but even five minutes here and there can go a long ways to stopping you from accidentally or unintentionally giving up or clicking on a link that's going to download malware onto your computer.
Phishing in a way, right now it's more damaging than ever because all of our communication's over email these days. But even once you're back in the office, it's still a critical security risk that you need to watch out for.
Rahul Mahna:Makes a lot of sense. A lot of sense. Well, thank you Marc, for this time. Again, we'll get to your questions. We promise we'll follow up with them and Marc will give his opinion on those as well.