Jamey Heary from Cisco: Organizations that work with sensitive information, use encrypted WiFi, VPN, and encrypted apps
On October 18th, we were invited to Cisco Connect 2017. At this event, we met with security expert Jamey Heary. He is a Distinguished Systems Engineer at Cisco Systems where he leads the Global Security Architecture Team. Jamey is a trusted security advisor and architect for many of Cisco's largest customers. He is also a book author and a former Network World blogger. We talked with him about security in the modern enterprise, the significant security issues that are impacting businesses and organizations, and the latest vulnerabilities that affect all wireless networks and clients (KRACK). Here is what he had to say:
Our audience is composed both of end-users and business users. To get started, and introduce yourself a bit, how would you describe your job at Cisco, in a non-corporate way?
My passion is security. What I strive to do every day is teach my customers and end-users about architecture. For example, I talk about a security product and how it integrates with other products (our own or from third parties). Therefore I deal with system architecture from a security perspective.
In your experience as a security expert, what are the most significant security threats to the modern enterprise?
The big ones are social engineering and ransomware. The latter wreaks devastation in so many companies, and it is going to get worse because there is so much money in it. It is probably the most lucrative thing that malware creators figured out how to do.
We've seen that the focus of the "bad guys" is on the end-user. He or she is the weakest link right now. We have tried as an industry to train people, the media has done a good job at getting the word out on how you could protect yourself better, but still, it is fairly trivial to send somebody a targeted e-mail and get them to take an action you want: click a link, open an attachment, whatever it is that you want.
The other threat is online payments. We are going to continue to see enhancements in the ways companies take payments online but, until the industry implements more secure ways to take payments online, this area is going to be a huge risk factor.
When it comes to security, people are the weakest link and also the primary focus of attacks. How could we cope with this issue, since social engineering is one of the leading security threats?
There is a lot of technology that we can apply. There is only so much you can do for a person, especially in an industry where some people tend to be more helpful than others. For example, in the healthcare industry, people just want to help others. So you send them a malicious e-mail, and they are more likely to click on what you send them than people in other industries, like a police department.
So we have this problem, but we can use technology. One of the things we can do is segmentation, which can drastically reduce the attack surface that is available to any end-user. We call this "zero trust": when a user connects to the company network, the network understands who the user is, what his or her role is in the organization, what applications the user needs to access, and it will understand the user's machine and what the security posture of the machine is, to a very detailed level. For example, it can even tell things like the prevalence of an application the user has. Prevalence is something we found effective, and it means how many other people in the world use this application, and how many in a given organization. At Cisco, we do this analysis through hashing: we take a hash of an application, and we have millions of end-points, and they will come back and say: "the prevalence on this app is 0.0001%". Prevalence calculates how much an app is used in the world and then in your organization. Both of these measures can be very good at figuring out if something is very suspect, and whether it deserves a closer look.
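To make the prevalence idea concrete, here is an added example (not Cisco's code, and not part of the interview) that computes world-wide and per-organization prevalence of an application hash from constructed endpoint telemetry and flags hashes that fall below assumed thresholds; the organization name "acme", the endpoint ids and the thresholds are all made up for the illustration.

```python
import hashlib

def app_hash(content: bytes) -> str:
    """Hash an executable the way an endpoint would report it (SHA-256 here)."""
    return hashlib.sha256(content).hexdigest()

# Constructed telemetry: (endpoint id, organization, hash of an app seen on it).
# 200 endpoints across three organizations; every endpoint runs the common
# app, and a single "acme" endpoint additionally runs an unknown binary.
COMMON = app_hash(b"constructed common browser build")
RARE = app_hash(b"constructed unknown binary")
TELEMETRY = []
for i in range(200):
    org = "acme" if i < 10 else ("beta" if i < 100 else "gamma")
    TELEMETRY.append((f"ep-{i:03d}", org, COMMON))
TELEMETRY.append(("ep-003", "acme", RARE))  # the one endpoint with the rare app


def prevalence(telemetry, org, target_hash):
    """Fraction of endpoints reporting target_hash: (world-wide, within org)."""
    world, org_eps, world_hit, org_hit = set(), set(), set(), set()
    for ep, o, h in telemetry:
        world.add(ep)
        if o == org:
            org_eps.add(ep)
        if h == target_hash:
            world_hit.add(ep)
            if o == org:
                org_hit.add(ep)
    if not world or not org_eps:
        raise ValueError("no telemetry for the requested organization")
    return len(world_hit) / len(world), len(org_hit) / len(org_eps)


def triage(telemetry, org, target_hash, world_threshold=0.01, org_threshold=0.05):
    """Flag a hash as worth a closer look when it is rare globally or rare in the org.

    Thresholds are assumed values for the example, not Cisco's settings.
    """
    world_prev, org_prev = prevalence(telemetry, org, target_hash)
    return {
        "world": world_prev,
        "org": org_prev,
        "suspicious": world_prev < world_threshold or org_prev < org_threshold,
    }


if __name__ == "__main__":
    for label, h in (("common app", COMMON), ("unknown binary", RARE)):
        print(label, triage(TELEMETRY, "acme", h))
```

A hash seen on almost every endpoint in the world is uninteresting; one seen on 0.5% of endpoints world-wide (a single machine here) is the kind of thing that deserves a closer look.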
You have an interesting series of articles in the Network World about Mobile Device Management (MDM) systems. However, in recent years, this subject seems to be discussed less. Is the industry's interest in such systems slowing down? What is happening, from your perspective?
A few things have happened, one of which is that MDM systems have become fairly saturated in the market. Almost all of my larger customers have one such system in place. The other thing that has happened is that the privacy regulations and the privacy mindset of users have changed such that many people no longer give their personal device (smartphone, tablet, etc.) to their organization and allow MDM software to get installed. So we have this competition: the enterprise wants to have full access to the devices that are used by their employees so that it can secure itself, and the employees have become very resistant to this approach. There is this constant battle between the two sides. We have seen that the prevalence of MDM systems varies from company to company, depending on the company culture and values, and how each organization wants to treat its employees.
Does this affect the adoption of programs like Bring Your Own Device (BYOD) to work?
Yes, it totally does. What is happening, for the most part, is that people who use their own devices on the corporate network use them in a very controlled area. Again, segmentation comes into play. If I bring my own device to the corporate network, then maybe I can access the internet, some internal corporate web server, but by no means am I going to be able to access the database servers, the critical apps of my company or its critical data, from that device. That's something that we do programmatically at Cisco so that the user gets to go where they need to in the company network but not where the company doesn't want the user to go, from a personal device.
The hottest security issue on everyone's radar is "KRACK" (Key Reinstallation AttaCK), affecting all network clients and equipment using the WPA2 encryption scheme. What is Cisco doing to help their customers with this problem?
It is a huge surprise that one of the things that we relied on for years is now crackable. It reminds us of the issues with SSL, SSH and all the things that we fundamentally believe in. All of them have become "not worthy" of our trust.
For this issue, we identified ten vulnerabilities. Of those ten, nine of them are client-based, so we have to fix the client. One of them is network related. For that one, Cisco is going to release patches. The issues are exclusive to the access point, and we don't have to fix routers and switches.
I was delighted to see that Apple got their fixes in beta code so their client devices will soon be fully patched. Windows already has a patch ready, etc. For Cisco, the road is straightforward: one vulnerability on our access points and we are going to release patches and fixes.
Until everything gets fixed, what would you recommend your customers do to protect themselves?
In some cases, you don't need to do anything, because sometimes encryption is used inside encryption. For example, if I go to my bank's website, it uses TLS or SSL for communications security, which isn't affected by this issue. So, even if I am going through a wide-open WiFi, like the one at Starbucks, it doesn't matter as much. Where this issue with WPA2 comes more into play is on the privacy side. For example, if I go to a website and I don't want others to know that, now they are going to know because WPA2 is not effective anymore.
One thing you can do to secure yourself is set up VPN connections. You can connect to wireless, but the next thing you have to do is turn on your VPN. The VPN is just fine because it creates an encrypted tunnel going through the WiFi. It will work until the VPN encryption gets hacked too and you need to figure out a new solution. 🙂
On the consumer market, some security vendors are bundling VPN with their antivirus and total security suites. They are also starting to educate consumers that it is no longer enough to have a firewall, and an antivirus, you also need a VPN. What is Cisco's approach regarding security for the enterprise? Do you also actively promote VPN as a necessary protection layer?
VPN is part of our packages for the enterprise. In normal circumstances, we don't talk about VPN within an encrypted tunnel, and WPA2 is an encrypted tunnel, usually because it is overkill and there is overhead that has to happen on the client side to make it all work well. For the most part, it is not worth it. If the channel is already encrypted, why encrypt it again?
In this case, when you are caught with your pants down because the WPA2 security protocol is fundamentally broken, we can fall back on VPN, until the issues get fixed with WPA2.
But having said that, in the intelligence space, security organizations like a Department of Defense type of organization, they've been doing this for years. They rely on VPN, plus wireless encryption and, a lot of times the applications in the middle of their VPN are also encrypted, so you get a three-way encryption, all using different types of cryptography. They do that because they are "paranoid" as they should be. :))
In your presentation at Cisco Connect, you mentioned automation as being very important in security. What is your recommended approach for automation in security?
Automation will become a requirement quickly because we, as humans, we can't move fast enough to stop security breaches and threats. A customer had 10.000 machines encrypted by ransomware in 10 minutes. There is no way humanly possible that you can react to that, so you need automation.
Our approach today is not as heavy-handed as it might have to become but, when we see something suspicious, behavior that seems like a breach, our security systems tell the network to put that device or that user into quarantine. This isn't purgatory; you can still do some stuff: you can still go to the internet or get data from the patch management servers. You are not totally isolated. In the future, we might have to change that philosophy and say: once you are quarantined, you don't have any access because you are too dangerous for your organization.
How is Cisco using automation in its portfolio of security products?
In certain areas, we use a lot of automation. For example, in Cisco Talos, our threat research group, we get telemetry data from all our security widgets and a ton of other data from other sources. The Talos group uses machine learning and artificial intelligence to sort through millions of records every single day. If you look at the efficacy over time in all of our security products, it is amazing, in all the third-party efficacy tests.
Is the use of DDOS attacks slowing down?
Unfortunately, DDOS as an attack method is alive and well, and it is getting worse. We have found that DDOS attacks tend to be targeted towards certain types of corporations. Such attacks are used both as a decoy and as the primary attack weapon. There are also two types of DDOS attacks: volumetric and app-based. The volumetric has gotten out of control if you look at the latest numbers of how much data they can generate to take somebody down. It is ridiculous.
One type of corporation that gets targeted by DDOS attacks is those in retail, usually during the holiday season (Black Friday is coming!). The other kind of company that gets targeted by DDOS attacks is those that work in controversial areas, like oil and gas. In this case, we are dealing with people who have a particular ethical and moral cause, who decide to DDOS one organization or another because they don't agree with what they are doing. Such people do this for a cause, for a purpose, and not for the money involved.
People bring into their organizations not only their own devices but also their own cloud systems (OneDrive, Google Drive, Dropbox, etc.) This represents another security risk for organizations. How is a system like Cisco Cloudlock dealing with this issue?
Cloudlock does two fundamental things: first, it is giving you an audit of all the cloud services that are being used. We integrate Cloudlock with our web products so that all the web logs can be read by Cloudlock. That will tell you where everybody in the organization is going. So you know that a lot of people are using their own Dropbox, for example.
The second thing that Cloudlock does is that it is all made of APIs that communicate with cloud services. This way, if a user publishes a company document on Box, Box immediately says to Cloudlock that a new document has arrived and it should take a look at it. So we will look at the document, categorize it, figure out the risk profile of the document, as well as whether it has been shared with others or not. Based on the results, the system will either stop the sharing of that document through Box or allow it.
With Cloudlock you can set rules like: "this should never be shared with anyone outside the company. If it is, turn the sharing off." You can also do encryption on demand, based on the criticality of each document. Therefore, if the end user did not encrypt a critical business document, when posting it on Box, Cloudlock will force the encryption of that document automatically.
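The two rules described in the last two answers (no sharing outside the company, and encryption forced for critical documents) can be written as a small policy check. This is an added example, not Cloudlock's code or its API: the document event is a constructed record of what a cloud service might report, "example.com" stands in for the company's domain, and the criticality labels are assumed.

```python
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"  # assumed company domain for the example


@dataclass
class Document:
    name: str
    criticality: str        # assumed labels: "low", "medium", "critical"
    shared_with: list       # e-mail addresses the cloud service reports as collaborators
    encrypted: bool = False


@dataclass
class Decision:
    revoke: list            # collaborators whose sharing must be turned off
    force_encrypt: bool     # True when a critical document arrived unencrypted
    allowed: bool           # True when the document may stay shared as-is


def is_external(address: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """Anything not exactly at the company domain counts as outside the company.

    Addresses without '@', stray whitespace and mixed case are handled; a
    subdomain such as mail.example.com is treated as external on purpose.
    """
    addr = address.strip().lower()
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1] != company_domain.lower()


def evaluate(doc: Document, company_domain: str = COMPANY_DOMAIN) -> Decision:
    """Decide what to do when the cloud service reports a new or changed document."""
    external = [a for a in doc.shared_with if is_external(a, company_domain)]
    force_encrypt = doc.criticality == "critical" and not doc.encrypted
    return Decision(revoke=external, force_encrypt=force_encrypt, allowed=not external)


def enforce(doc: Document, decision: Decision) -> Document:
    """Apply the decision to the document record (stands in for the API calls)."""
    doc.shared_with = [a for a in doc.shared_with if a not in decision.revoke]
    if decision.force_encrypt:
        doc.encrypted = True
    return doc


if __name__ == "__main__":
    # Constructed event: a critical spreadsheet shared with an outside address.
    doc = Document("q3-forecast.xlsx", "critical", ["alice@example.com", "Bob@Partner.org "])
    decision = evaluate(doc)
    print(decision)
    print(enforce(doc, decision))
```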
We would like to thank Jamey Heary for this interview and his candid answers. If you want to get in touch, you can find him on Twitter.
At the end of this article, share your opinion about the subjects that we discussed, using the commenting options available below.