Cloud Vulnerabilities

Recent cyber activity now suggests that it isn’t just networks that are vulnerable to cyber attacks. A 2019 year-end article in the Wall Street Journal identifies Chinese cyber attackers that were found lingering in the cloud, collecting data.

https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061

The attackers, dubbed APT10 by U.S. officials, seem to have infiltrated cloud networking services, gaining access to proprietary data, security clearance information, and even medical research. Even scarier, the attackers could still be lingering among cloud services, years after the first known attack in 2016.

“They came in through cloud service providers, where companies thought their data was safely stored.”

After accessing the cloud, APT10 has had the ability to “hop” from client to client gathering sensitive data, the report says. Officials say there is evidence of IP addresses pinging data back to APT10’s network between April and mid-November. The Cloud Hopper attack has affected companies and organizations ranging from IT giants Hewlett Packard Enterprise Co. and IBM, to the U.S. Justice Department and Navy.

“The hack illustrates a weakness at the heart of global business, with the biggest companies in the world increasingly storing their most sensitive data with cloud providers, also known as managed service providers, which have long touted their security.”

It is important to note that among a cloud provider’s “proprietary data” is its customer subscriber information. If this information is hacked, it helps the attackers identify and prioritize whose data might be of the most interest to steal. In some cases, it also narrows the possible location (data centers) of where the data of interest is stored. While the attackers might be “hopping” between cloud locations and clients, the attack might not be random but rather a focused effort on high-value brand-identity targets that were registered in the cloud provider’s subscriber databases.

If you’re looking for solutions to cloud cyber attacks, we have them.

How to help mitigate the APT problem?

  • Use a low-profile surrogate identity to subscribe for network services and especially for cloud hosting of your sensitive data.
  • Isolate and disguise your network within the overall cloud environment so that it is not as apparent to APTs that may be lingering in-wait.
  • Utilize more than one cloud to make it more difficult for an APT in one environment to “hop” and follow your activity.
  • Don’t be a static network. If you shift and move, APTs can’t easily map your location and then simply sit in-wait to steal and collate your data.
  • Be proactive, not reactive. Disguise and protect your network before you become the target of an APT.

“If they can’t find you…they can’t attack you.”

Network Vulnerabilities

Are company CISOs (Chief Information Security Officers) aware of the vulnerabilities of the networks they are using to transmit valuable and proprietary data through their chosen communications networks?

Anyone directly using the Internet exposes their IP address, location and network identity. Any external connection used by your company is a potential source of attack on your data and systems. Even more problematic, typical networks are fixed, static and easily located. By the time you discover a network breach, you’ve already lost the battle. Your adversaries have found your network…they know who you are, where you are located and have harvested invaluable metadata for a future attack.

Since the advent of the Internet and worldwide connectivity, how we are all inter-connected has changed drastically, but the underlying network infrastructure has progressed little from what was implemented 50 years ago. Have you ever asked or questioned how your network connectivity is implemented? Is your network exposing potential cyber-attack vectors?

There is a 90% chance of someone knowing the exact routing of any particular data transmission.

What’s the Risk?

Reports of network and endpoint data exploitation are in the news almost daily:

  • “Attacker hit VPN firm Avast through its VPN”
  • “NSA warns VPN vulnerabilities exploited by nation-state hackers”
  • “DHS Alerts to Remote Vulnerabilities in Multiple VPN Applications”
  • “Capital One Reports Data Breach Affecting 100 Million Customers, Applicants”
  • “Top VPNs secretly owned by Chinese firms”
  • “Exclusive: China hacked eight major computer services firms in years-long attack”
…and on and on!

Attack Vulnerability

An Internet Exchange Point (IXP) is where Internet networks come together to peer or exchange traffic between their networks. Peering is a process by which two networks connect and exchange traffic. There are only a few large global peering points around the world.

Because of this limited and well-established topology for network transmissions, nation-states and organized crime, even individual hackers, prefer to target attacks at the closest router locations. These networks have become a huge malware transmission vehicle.

Only 10% of malware is normally detected… 90% of malware gets through.

Today’s Reality

Carriers are points of attack for adversaries, both to identify the carriers’ customers and to reach the carriers’ network management data. Subscriber information located in data center/carrier records is a great source to help identify the specific circuit that is being used by the target customer.

Carrier network infrastructure is the single most logical point of attack for any given target.

As a result, users are exposed to the vulnerabilities of the carrier’s infrastructure, e.g., malware-infested routers.

What to do?

Many enterprises aren’t even aware of the risks they are accepting with their endpoint and network configurations. Although risk managers implement very complex and expensive processes to mitigate all kinds of other enterprise risks, they often overlook their network vulnerabilities. Just as in any other risk mitigation policy, you need “insurance” against loss.

We all carry different types of insurance policies. Hopefully we never have to claim against them but when we do, they are there to help mitigate costs. The same is true with enterprise network risks…why wait to actually be attacked to then worry about how you are going to react and what the costs will be to your organization?

Enterprises need to look beyond their current configurations and reactionary processes. NetAbstraction is unique in that the company provides a proactive foundation for smart enterprise privacy. By transparently distributing network communications within and across multiple clouds, and regularly churning the underlying network infrastructure, NetAbstraction effectively hides your enterprise’s network.

The dynamic shifting of communications across multiple commercial providers and use of multi-hop transport, make actual user information, origin location and identities a nearly impossible target to find for hackers, search engine optimization companies and other privacy threats. “If they can’t find you…they can’t attack you.”

Enterprises must start thinking about their networks proactively instead of reactively, and consider reducing their “network risk insurance” costs.

Cloud-Delivered Secure Access Service Edge (SASE): Comprehensive Network Security with WAN capabilities

Gartner Group has recently published research and thought leadership pieces that discuss SASE (pronounced “sassy”) and why this emerging technology needs to be considered by enterprises operating in the cloud and on the Internet. It’s worth a look at the drivers behind SASE and why network decisions should include the SASE concept.

Gartner’s Market Landscape

Traditional network offerings are not suited to delivering reliable, agile, cost-effective and high-performing solutions in support of hybrid cloud IT architectures.

Planning Assumptions:

  • 30-25% of large enterprise traffic is shifting to the cloud, changing traffic flows and making the traditional WAN suboptimal.
  • 20% increase in enterprise WAN bandwidth per year at the branch. Network traffic is doubling every three years.
  • Through 2021, organizations that isolate and remove digital business communications services from direct public internet access will experience 70% fewer successful attacks than organizations that didn’t adopt isolation.
  • By 2023, 30% of enterprise locations will use internet-only WAN connectivity, up from less than 10% in 2019, to reduce bandwidth costs.
  • By 2024, at least 80% of enterprises will have moved branch office security to cloud-based or hosted services, up from less than 20% in 2019.
  • By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.

SASE is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions to support the dynamic secure access needs of digital enterprises.

SASE Defined

The secure access service edge is an emerging offering that combines comprehensive network security functions (such as secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and zero trust network access (ZTNA)) with comprehensive WAN capabilities to support the dynamic secure-access needs of organizations.

SASE capabilities are delivered as cloud-based services driven by the identity of the entity, real-time context, organization security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, internet of things (IoT) systems or edge computing locations.

SASE Capabilities

  • Core Capabilities: SD-WAN, SWG, CASB, ZTNA, and FWaaS, all with the ability to identify sensitive data or malware, and the ability to decrypt content at line speed, at scale, with continuous monitoring of sessions for risk and trust levels.
  • Recommended Capabilities: Web application and API protection (WAAP), remote browser isolation, recursive DNS, network sandbox, API-based access to SaaS for data context, and support for managed and unmanaged devices.
  • Optional Capabilities: Wi-Fi hotspot protection, network obfuscation/dispersion, legacy VPN and edge compute protection (offline or cached protection).

SASE is in the early stages of development. Although adoption of SASE will occur over the next several years, successful vendors will be easy to identify within three years.

Both network and security vendors should remember:

  • End-user demand will continue to ramp quickly for SASE, especially as SD-WAN expands to an even broader offering of multiple security services.
  • Slower moving incumbents that do not pivot to SASE quickly enough will be displaced.

It is critical that SASE providers be able to terminate and inspect encrypted sessions, where required, based on policy with a scalable (ideally, software-based) architecture.

Other important services include DNS protection, remote browser isolation, Wi-Fi hotspot protection, traditional VPN services, and web application and API protection services. Some vendors will offer network privacy-as-a-service, hiding enterprise network infrastructure from visibility when using SASE services.

The Problem We Solve

Public cloud computing has rendered traditional enterprise wide-area networks (WANs) suboptimal, from a price, performance and security perspective. Software-Defined Wide-Area Networks (SD-WAN) have revolutionized how enterprises manage their wide-area networks. However, SD-WANs increase the enterprise’s public exposure and therefore its cyber profile, rendering traditional security methods inadequate. NetAbstraction provides the protection lacking in the traditional SD-WAN and is the next generation of wide-area networking.

NetAbstraction provides a simple but very effective solution that obfuscates and anonymizes WAN traffic, enables private browsing and privatizes application-to-cloud connections.

While SD-WAN has made the enterprise’s use of their WAN more efficient, it has not solved some of the fundamental issues in today’s WAN. Leased lines and MPLS services are static and make a fixed target for cyber attack. They also limit the ability to elastically meet bandwidth demands. When considering the use of the Internet or cloud, there are significant cost savings, but performance and security are key concerns.

NetAbstraction is a natural fit in Gartner’s new SASE category, providing the network security that enterprises need as part of the digital transformation.

Relevant Gartner Research:

  • 2019 Strategic Roadmap for Networking, 10 April 2019. Jonathan Forest, Neil Rickard.
  • Market Trends: How to Win as WAN Edge and Security Converge into the Secure Access Service Edge, 29 July 2019. Joe Skorupa, Neil MacDonald.
  • 5 Options to Secure SD-WAN Based Internet Access, 28 August 2019. Bjarne Munch, Craig Lawson.
  • The Future of Network Security is in the Cloud, 30 August 2019. Neil MacDonald, Lawrence Orans, Joe Skorupa.
  • Forecast Analysis: Enterprise Networking Connectivity Growth Trends, Worldwide, 20 September 2019. Gaspar Valdivia, Lisa Unden-Farboud, To Chee Eng, Gigory Betskov, Susanna Silvennoinen.
  • Emerging Technology Analysis: Cloud-Delivered Network Security is an Essential Step in SASE Transformation, 4 October 2019. Nat Smith.
  • Emerging Technology Analysis: SASE Poised to Cause Evolution of Network Security, 22 October 2019. Nat Smith, Neil MacDonald, Lawrence Orans, Joe Skorupa.
  • Emerging Technologies and Trends Impact Radar: Security, 13 November 2019. Lawrence Pingree, Nat Smith, Elizabeth Kim, John A. Wheeler, Ruggero Contu, Eric Ahlm, Mark Driver.
  • Critical Capabilities for WAN Edge Infrastructure, 26 November 2019. Jonathan Forest, Mike Toussaint, Mark Fabbi.

VPN Vulnerabilities

Today’s VPNs can provide a secure point-to-point tunnel between two devices, an origin and a destination. The level of security across a VPN is largely dependent upon the type of encryption that is used to encapsulate the transmission. Key issues with traditional VPNs:

  • Discoverability: VPNs typically connect an ingress point to an egress point, and are static and easily discoverable. As a result, it is possible for an adversary or interested party to detect the presence of a VPN link and obtain intelligence related to the existence of a link between the ingress point and the egress point, even if the traffic itself remains encrypted.

There are well-known vulnerabilities in the most popular VPNs, which leave users with a false sense of security.

  • Network topology changes: To alter the topology of a traditional VPN (i.e., change the egress point), the existing link is “torn down” and a new VPN is established. This process results in a break in traffic exchange, and establishing the new VPN can consume significant network overhead and take a significant amount of time to restore communications. Moreover, users and/or administrators associated with the origin and/or destination devices have little or no control over the physical and/or virtual path the VPN tunnel takes across the cloud(s).

As a result, most users fail to alter the network topology of their VPN once it is established, making it a static target for attack.

  • Latency/Performance: Traffic sent across VPNs, or across a cloud applying traditional network virtualization techniques, will typically take an unpredictable and/or varied path through the physical and/or virtual infrastructure. As a result, traditional VPNs have inconsistent latencies, as two packets traversing a VPN implemented across a virtual network may take different routes and may arrive out of order.

Many users will elect not to use VPNs when performance matters, which is often when they need them the most.

  • TOR: The Onion Router (TOR) allows a user to surf the Internet with some degree of anonymity by obfuscating the path between the origin and the destination. TOR clients and nodes maintain a list of participating TOR nodes in a routing table that is updated via network broadcasts. TOR clients then select a path between the origin and destination by randomly selecting multiple routing nodes from the list. TOR, however, does not allow a client or administrator to select a path through the TOR network. TOR operates by broadcasting a node list so that each client and node remain up to date.

As a result, an adversary or interested party can recognize the use of TOR and take advantage of well-documented TOR vulnerabilities.

The NetAbstraction patents allow us to provide dynamically shifting VPN routing that enables a user and/or administrator to control the routing and select the path through the network, which:

  • Improves privacy by protecting the location and identity of our customers;
  • Improves network performance by providing a consistent path for our customers; and
  • Improves security by not broadcasting information in order to set up a connection.

Remote Workers can Compromise your Communications Network

It is a strange new world for most businesses. More workers than ever are working remotely from home…across all industries, and products and solutions. Examples of the effects of this new reality are in the news daily.

  • “How to Secure Zoom Video Conferences, Work From Home Collaboration”
  • “Coronavirus: Its Four Most Prevalent Cyber Threats”
  • “Corona virus challenges remote networking”

While businesses are scrambling to address the current crisis, and keep their communications and data safe, they should also be looking at the long-term effects of managing an online workforce that will be exposing their network security. Will there be a permanent paradigm shift? Even as some workers go back to reporting to offices and other work locations, will there still be a significant number who choose to work from home?

Networks and cloud infrastructures were already straining under increased cyber vulnerabilities and attacks.

(See NetAbstraction blogs: “Cloud Vulnerabilities” and “Network Vulnerabilities”.)

Best practices suggested in the recent past are still valid now:

  • Use a low-profile surrogate identity to subscribe for network services and especially for cloud hosting of your sensitive data.
  • Isolate and disguise your network within the overall cloud environment so that it is not as apparent to APTs that may be lingering in-wait.
  • Utilize more than one cloud to make it more difficult for an APT in one environment to “hop” and follow your activity.
  • Don’t be a static network. If you shift and move, APTs can’t easily map your location and then simply sit in-wait to steal and collate your data.
  • Be proactive, not reactive. Disguise and protect your network before you become the target of an APT.

Enterprises need to look beyond their current configurations and reactionary processes.

NetAbstraction is unique in that the company provides a proactive foundation for smart enterprise privacy. By transparently distributing network communications within and across multiple clouds, and regularly churning the underlying network infrastructure, NetAbstraction effectively hides your enterprise’s network.

The dynamic shifting of communications across multiple commercial providers and use of multi-hop transport, make actual user information, origin location and identities a nearly impossible target to find for hackers, search engine optimization companies and other privacy threats.

Enterprises must start thinking about their networks proactively instead of reactively, and consider reducing their “network risk insurance” costs.

NetAbstraction can help with network and cloud security options now and in the future with a Malware-Protected Browser for both remote and onsite workers, and a Wi-Fi Hotspot device for remote workers.

“If they can’t find you…they can’t attack you.”

Reduce Threats When Using RDP-Type Access Methods

With remote workplaces becoming the “new normal,” businesses and institutions are struggling to provide their employees with secure off-premise access to critical sensitive systems and data. Large corporations and even previously obscure government entities are turning to well-known open Internet applications (Zoom, MS Teams, Skype, etc.) to keep employees both technically and socially connected to the parent organization while they remain physically separated.

The Challenge

The solution chosen by each entity is reflective of the resources (i.e. budget) dedicated to proactive cybersecurity. With the sudden paradigm shift to remote access required, some organizations have chosen to use embedded tools such as Microsoft’s Remote Desktop Protocol (RDP) or multi-OS based tools such as NoMachine to open up internal resources to remote workers. These tools can be quickly deployed, are client friendly and can provide the same level of access as on-premise connections.

Tools typically come with encryption and configurable network parameters to “obscure” network activity from would-be attackers, leaving the user with a false sense of security. One has to spend only minutes on research to find the plethora of inherent vulnerabilities in Remote Desktop Applications. Specifically, the use of RDP in Microsoft’s cloud computing solution has provided a lucrative target for hackers who are especially interested in finding and exploiting RDP vulnerabilities. Naturally, it is important to keep RDP updated with the latest patches. Some major known vulnerabilities in earlier RDP versions include:

  • In May 2019, a patch was released to fix a major vulnerability known as BlueKeep, which allowed for the possibility of remote code execution. According to Microsoft, the vulnerability was “wormable,” meaning it could be self-propagating, with the potential to cause widespread problems.
  • Earlier versions such as 6.1 can reveal all the usernames and profile pictures of users on the RDP server.
  • Very early versions left computers open to compromise by worms and unauthenticated clients, and to “man-in-the-middle” attacks.
  • Version 5.2 is vulnerable to session eavesdropping and session hijacking.

Some additional research on the open Internet or the Dark Web reveals that much of the targeting and credential harvesting work has already been done for would-be criminals. Access to thousands of corporate and government systems can be purchased for as little as 10 USD. While alarming, there are some basic steps any organization can take to limit their exposure on the Internet. For example:

  • Put RDP ports behind a firewall so that they can only be reached over a VPN.
  • Whitelist specific trusted hosts.
  • Follow strong password protocols, enable multi-factor authentication, and put in place lock-out policies to block brute-force attacks.
  • Disallow RDP use by administrator accounts.
  • Enable automatic updates for the client/server software you are using and disallow access by clients that have not been updated.
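As an added example, not code from NetAbstraction or from this page, the PowerShell script below applies the host-side steps above on a Windows machine that must keep RDP enabled. The VPN client pool 10.8.0.0/24, the jump host 10.8.0.10 and the lockout values are assumptions chosen for illustration; the script must run in an elevated session, and the lockout and user-rights settings shown are local policy (domain members take the equivalents from Group Policy instead).

```powershell
# Added example (not NetAbstraction's code): harden a Windows host that
# exposes RDP, following the steps in the list above.
# Assumptions, not taken from the page: the VPN hands out addresses from
# 10.8.0.0/24, a single jump host 10.8.0.10 is the only other trusted
# client, and the script runs elevated on a standalone/local-policy host.
#Requires -RunAsAdministrator

$VpnSubnet   = '10.8.0.0/24'   # assumed VPN client pool
$TrustedHost = '10.8.0.10'     # assumed jump host; extend this list as needed
$AllowedFrom = @($VpnSubnet, $TrustedHost)

# 1. Restrict the built-in "Remote Desktop" firewall rules so that 3389 only
#    accepts connections from the VPN pool and the trusted host, and only on
#    the Domain/Private profiles. Direct Internet connections match no allow rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -Profile 'Domain, Private' -RemoteAddress $AllowedFrom

# Explicit block on the Public profile as a second line of defence.
if (-not (Get-NetFirewallRule -DisplayName 'Block RDP from Public' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block RDP from Public' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Profile Public -Action Block | Out-Null
}

# 2. Require Network Level Authentication, so a client must authenticate
#    before a session (and its attack surface) is created; force TLS and the
#    "High" encryption level on the listener.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $rdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord   # 3 = High

# 3. Lock-out policy against brute force (assumed values): 5 failures within
#    30 minutes lock the account for 30 minutes; minimum password length 14.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
net accounts /minpwlen:14 | Out-Null

# 4. Deny BUILTIN\Administrators (S-1-5-32-544) the "Log on through Remote
#    Desktop Services" right, so RDP is only usable with standard accounts.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-544
'@
$infPath = Join-Path $env:TEMP 'deny-admin-rdp.inf'
$dbPath  = Join-Path $env:TEMP 'deny-admin-rdp.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode    # secedit expects UTF-16
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS | Out-Null

# 5. Keep the server patched: make sure Windows Update runs and installs
#    automatically (AUOptions 4 = auto download and schedule install).
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name 'AUOptions'    -Value 4 -Type DWord

# Verification: show the effective remote-address filter and listener settings
# so the result can be checked (and re-checked after the next reboot).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication, SecurityLayer, MinEncryptionLevel
```

Two of the listed steps are not fully covered by a host-side script: multi-factor authentication for RDP requires a gateway or credential-provider product in front of the session, and refusing connections from clients that have not been updated requires a network access control or conditional-access check on the VPN or gateway, since the RDP server itself cannot assess the client's patch level.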