Category: Feature

This bulletin outlines the security recommendations that NIST recently provided in Special Publication (SP) 800-125A – security recommendations for Hypervisor Deployment on Servers. The document provides technical guidelines about the secure execution of baseline functions of the hypervisor, regardless of the hypervisor architecture. In the past, a user wishing to set up a computing server generally needed to use a dedicated host with dedicated resources such as a central processing unit (CPU), memory, network and storage. Modern systems have technology that lets one create virtual machines to emulate what used to be physical, dedicated resources. This practice is known as virtualization and supports more scalable and dynamic environments. A critical component of this technology is the hypervisor, the collection of software modules that enables this virtualization and thus enables multiple computing stacks – each made of an operating system (OS) and application programs – to be run on a single physical host. Such a physical host is called a Virtualized Host and is also referred to as a Hypervisor Host. The individual computing stacks are encapsulated in an artifact called a Virtual Machine (VM). To make a VM an independent executable entity, its definition should include resources such as CPU and memory, allocated to it. The VMs are also called ‘Guests,’ and the OS running inside each of them is called ‘Guest OS.’ The resources associated with a VM are virtual resources, as opposed to physical resources associated with a physical host. The hypervisor forms part of the virtualization layer in a virtualized host and plays many of the same roles that a conventional OS does on a non-virtualized host, or server. Just as a conventional OS provides isolation between the various applications, or processes, running on a server, the hypervisor provides isolation between one or more VMs running on it. Also, like an OS, the hypervisor mediates access to physical resources across multiple VMs. Therefore, all other functions needed to support virtualization – such as emulation of network and storage devices and the management of VMs and the hypervisor itself – can be accomplished using kernel-loadable modules, although some hypervisor architectures accomplish these tasks using dedicated VMs. The hypervisor can be installed either directly on the hardware, or bare metal (Type 1 Hypervisor), or on top of a fullfledged conventional OS, called Host OS (Type 2 Hypervisor). Here, we discuss the baseline functions of a hypervisor, how these functions are distributed in a hypervisor, and how this information is used to develop security recommendations that provide assurance against potential threats to the secure execution of tasks involved in the hypervisor’s baseline functions. Hypervisor baseline functions It might appear that all activities related to the secure management of a hypervisor and its hardware host – collectively called the hypervisor platform – should simply consist of established best practices for any server class software and its hosting environment. However, closer examination reveals that the unique functions provided by the Hypervisor Platform require a dedicated set of security considerations. These functions are called hypervisor baseline functions (HY-BF) and are labeled HY-BF1, HY-BF2, HY-BF3, HYBF4, and HY-BF5. They are described below: HY-BF1: VM process isolation Scheduling of VMs for execution, management of the application processes running in VMs (e.g., CPU and memory management), and context switching between various processor states during the running of applications in VMs; HY-BF2: Devices mediation & access control Mediates access to all devices (e.g., network interface card [NIC], storage device such as IDE drive etc). One mediation approach is to emulate network and storage (block) devices that are expected by different native drivers in VMs by using emulation programs that run in the hypervisor kernel; HY-BF3: Direct execution of commands from guest VMs Certain commands from Guest OSs are executed directly by the hypervisor instead of being triggered through in terrupts and context switching. This function applies to hypervisors that have implemented para-virtualization instead of full virtualization; HY-BF4: VM lifecycle management This baseline function involves all functions from creation and management of VM images, control of VM states (start, pause, stop etc), VM migration, VM monitoring, and policy enforcement; and HY-BF5: Management of Hypervisor This baseline function involves defining some artefacts and setting values for various configuration parameters in hypervisor software modules including those for configuration of a Virtual Network inside the hypervisor. NIST SP 800-125A provides detailed security guidance based on an analysis of threats to the integrity of all the above functions. The only exceptions are the set of guidelines for configuration of virtual network (subset of HYBF5), which are covered in a separate document (NIST SP 800-125B). The above functions are carried out by different hypervisor components, or software modules. There are some minor differences among hypervisor products in the way that they distribute these functions. The mapping of these functions to hypervisor components and the location of these components within a hypervisor architecture are described in the table below: Approach for developing security recommendations Developing security recommendations for the deployment and use of a complex software such as the hypervisor requires knowledge of potential threats which, when exploited, would affect the three basic security properties – confidentiality, integrity, and availability – of hypervisor functions. The approach adopted for developing security recommendations for the deployment of hypervisors in NIST SP 800125A is as follows: Ensure the integrity of all components of the hypervisor platform, starting from the host BIOS to all software modules of the hypervisor. This action is accomplished through a secure boot process, outlined as recommendation HY-SR1; Identify the threat sources in a typical hypervisor platform. The nature of threats from rogue or compromised VMs is briefly discussed in SP 800-125A; and For each of the five baseline functions HY-BF1 through HY-BF5 (except for HY-BF3, the direct execution of certain commands from guest VMs by the hypervisor), identify the different tasks under each function, and for each of the tasks, identify the potential threats to the secure execution of the task. The countermeasures that will provide assurance against exploitation of these threats…

Access management can be defined as the process of granting authorized users the rights to use a service, while preventing access to non-authorized users. Following are the key access management growth factors over the next five years. GDPR deadline fast approaching Traditionally, finance, banking, insurance, government, utilities and other heavily regulated end-user sectors have focused on identity- and accessmanagement solutions. However, over the past year there has been growth in non-traditional markets. Not only have the manufacturing and retail sectors become more security conscious, but the increase in the number of data breaches and the looming legislation around General Data Protection Regulation (GDPR) in May 2018 has also piqued renewed interest in security and identity and access management (IAM) solutions. ● Highlight ● The global access management market is projected to increase from $5.4 billion in 2016 to $9.6 billion in 2021. ● Companies with 5,000 or more employees are projected to contribute the largest revenue growth to the access management market over the next five years. ● Over the past year, there has been growth in non-traditional market sectors such as manufacturing and retail. Smaller organizations using access management solutions Access management solutions have traditionally been deployed by larger organizations. In fact, companies with 5,000 or more employees are projected to contribute the largest revenue growth over the next five years, increasing from $4.38 billion in 2016 to $5.4 billion in 2021. The proportional importance of this segment is forecast to decline from 80 percent of total access management revenue in 2016 to around 56 percent in 2021. Small and medium-sized enterprises (SMEs) will steadily increase the amount of access management solutions they deploy. For example, revenue from companies with between 1 and 499 employees is projected to increase from $109.6 million in 2016 to $705 million in 2021. This segment managed to grow from 2 percent of total revenue in 2016 to 7.3 percent in 2021. The introduction of more cloud solutions within the access management market is likely to help SMEs, in particular, because cloudbased access management solutions can be more cost effective and scalable for small and medium enterprises. On-premises hybrid and cloud solutions As there are still a lot of applications running on premises at companies, a significant portion of larger organizations still want some on-premises solutions. Larger organizations are more likely to move to a hybrid model, with some applications running in the cloud as a stepping stone toward full adoption of cloud solutions. Hybrid solutions are projected to increase from $1.1 billion in 2016 to $1.7 billion in 2021. In contrast, smaller organizations are more likely to deploy software-as-a-service (SaaS) solutions, which for them can be more cost effective than on-premises solutions. Technological developments and the battle with hackers There is a continuous battle being waged as hackers increasingly try to gain control of the networks they want to compromise. It is important for organizations to take into account people’s locations, to help detect fraudulent activity and ensure the right people have the right access, at the right time and at the correct location. Technologies like machine learning (ML) and artificial intelligence (AI) are also important weapons in this battle. Leveraging emerging technologies, such as behavioral biometrics, will help to reduce the burden on end-users and increase the validity of identity proofing. Organizations can learn a lot about how people interact with their networks, to give a full picture of how things are evolving, but these technology developments are a bit of a cat-and-mouse game. Blockchain makes security cheaper and more accessible Many organizations have isolated and centralized identity management systems, but the current landscape demands federation and single sign-on (SSO). These systems make identity management, protection and verification very cumbersome, costly and risky for industry enterprises and government agencies. Blockchain has the potential to introduce improvements that can make security more accessible and budget friendly. With smart contract capabilities, there can even be a secondary market where users benefit from sharing resources back to the network. Smart contracts automatically execute pieces of code carrying valuable data or performing other condition-based executions. A permissioned blockchain technology provides core capabilities that enable a trusted digital identity network to build and operate the following: A shared, append-only ledger, with one version of the facts shared across all permissioned network participants in real time. Smart contracts that ensure verifiable and signed business logic is executed in each transaction. Trust between known participants, to verify transactions and ensure records are valid. Privacy and security measures that grant access only to permissioned parties. Cybersecurity – Access Management Report 2018 This two-volume report provides coverage in several key areas of the identity and access management market, including access management and identity governance and administration. It provides detailed analysis of individual vertical markets from market-specific operating models to key trends and development opportunities.

Lower storage spend Organizations are keeping as much as 40% of their inactive data on their most expensive infrastructure. With unstructured video growing exponentially, fueled by the rise of new video surveillance programs, one can’t afford to have this kind of inefficiency. The solution is to adopt a multi-tier storage system that automatically migrates the video to the most cost efficient tiers of storage. Whether that’s high-performance disk storage, object-based storage or high-capacity primary storage, file-based tape or the cloud – the organization can cost-effectively store data based on various policy requirements. Easy, immediate access Finding a file in the system should be no more difficult than finding a document on a C: drive.           Quantum’s solution for video surveillance is a single file system, built specifically for video applications. On the backend, retention and access policies can be set to handle data migration and simplify organization and file recall. High performance Storage performance that performs inefficiently prevents companies from capturing usable data. Quantum’s StorNext software retains data cost-effectively, supports complex video management systems and analytic applications, and ingests video from 4 times as many cameras per server to deliver time-to-decision results, allowing proactive protection and crime prevention. Quantum’s storage infrastructure not only handles this sheer volume of data with ease, but also delivers streaming performance regardless of whether it’s on disk, tape, or in the cloud. Scale with storage needs The ability to seamlessly integrate more sources of information into modern analytical tools is becoming more important, as is the capacity to scale and accommodate increased camera and sensor counts, panoramic coverage and higher image resolution. As more cameras are added, image resolutions increase and retention times become longer, Quantum’s solution can scale to handle the need for more capacity. Compliant with current infrastructure Quantum’s storage solutions support all major platforms, operating systems and networks, and      integrate seamlessly with VMS and other systems. This enables security professionals to integrate the solution into their existing infrastructure without being locked into a  single vendor or platform as well as to configure the file interface to receive input from a variety of devices and systems. No trade-off necessary To gain more insight and an increased return on investment from video surveillance data, a storage solution must balance high performance, high capacity and high retention. These three parameters can be flexed to provide the best trade-off between budget and mission whilst minimizing sacrifice of redundancy, accessibility or scalability. Gateway storage architecture Upgrading storage capabilities while also satisfying budgetary restrictions is a challenging part of building a comprehensive storage infrastructure. Instead of replacing the pre-existing storage system, why not build onto it? Artico™ offers an easy, nondisruptive choice for adding Quantum tape, FlexTier™, and Lattus™ scale-out storage to an existing security environment. Quantum’s StorNext platform is a policy-driven tiering software, allowing users to extend primary storage with scalable, more cost-effective tiers of storage. Our multi-tier solution is ideal for security and surveillance organizations with large amounts of video dealing with the challenges that come with scaling storage with your data growth. End users can set up policies to automatically migrate data across tiers, utilizing less costly types of storages like file-based tape and cloud, thus delivering the total capacity needed more cost effectively.  

Do you know how to protect your webcam from being hacked? Would you know if a cybercriminal was using your printer to carry out cyberattacks? While most of us are aware of the dangers that cybercriminals can pose to our computers and mobile phones and take steps to protect them, we seldom consider how these threats can affect the growing number of Internet vc connected devices we use in our daily lives. The ‘Internet of Things’ All devices which can connect to the Internet – collectively called the ‘Internet of Things’ or IoT – are potentially at risk of a cyberattack. Everyday personal items like video cameras, refrigerators and televisions can be used by cybercriminals for malicious means. Cyberattacks targeting or using IoT devices have increased significantly in the past two years, according to several reports from the private cybersecurity industry. An example was the Mirai botnet, which in 2016 infected tens of thousands of devices, mostly Internet routers, with weak password security. These were then used in coordinated distributed denial of service (DDoS) attacks against websites worldwide including a university and several media sites. In the world of cybercrime, the number of IoT devices a criminal has access to is seen as a sign of their status. Although police around the world are developing the skills necessary to forensically examine computers and mobile phones, they are often not aware of how to collect evidence from other connected devices. The latest edition of the INTERPOL Digital Security Challenge tackled this threat, with 43 cybercrime investigators and digital forensics experts from 23 countries investigating a simulated cyberattack on a bank launched through an IoT device. “Cybercrime investigations are becoming more and more complex and operational exercises such as the Digital Security Challenge, which simulate some of the hurdles that investigators face every day, are vital for the development of our capacities,” said Peter Goldgruber, Secretary General of the Austrian Ministry of the Interior. Meeting the challenge I n the scenario, cybercriminals attacked a bank in an attempt to steal large sums of money. The investigators analysed the bank’s computers to identify the date, time and files where the malware installed by the criminals. Through this digital forensic examination, the teams discovered the malware was contained in an e-mail attachment sent via a webcam which had been hacked, and not directly from a computer. This is an emerging modus operandi, as it is more difficult to identify the source of the attack. Once the teams accessed the digital data held by the compromised webcam, they identified the command and control server being used to remotely control the device to conduct the cyberattack. Further evidence led to the identification of a second command and control server, and the investigators identified technical vulnerabilities of the servers which could be used to prevent further attacks. Noboru Nakatani, Executive Director of the INTERPOL Global Complex for Innovation said the scenario provided a learning experience on how to conduct real-world investigations more effectively. “The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation. “A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyberattacks,” said Mr Nakatani.   Tips for safeguarding IoT devices: Change the factory default passwords – these can be the same for hundreds or thousands of devices, making it easy for criminals to hack; Regularly update all software; Disable features which allow the device to be accessed remotely; Take extra care when buying used devices – you don’t know what the previous owner installed on the device.   Sharing expertise Conducted annually, INTERPOL’s Digital Security Challenge helps police worldwide develop the skills necessary to tackle the latest cybercrime threats. The first two events in 2016 and 2017 simulated cyber blackmail involving bitcoin and a ransomware attack. This year’s three-day (19-21 February) event was organized in close I n the Americas, hurricanes, tornadoes and earthquakes are occurring more frequently, so unimpeded mass communication during these events is critical. MNS software is often employed so companies can communicate with their employees, federal agencies, university students and the general public. More channels of communication available in these types of events, means more people can reach safety faster and more lives can be saved. In Western Europe, the second-largest market for MNS software, weather-related incidents occur less often, How Catastrophic Events are Changing Mass-Notification System Market By Robert Brooks – Analyst, Security and Building Technologies, IHS Markit cooperation with the INTERPOL National Central Bureau in Vienna and private sector partners NEC Corporation and Cyber Defense Institute. “NEC has contributed as a strategic partner to INTERPOL’s commitment to improve the cybersecurity skills of investigators throughout the world. For the third year, NEC is honored to have helped develop the Digital Security Challenge by providing our expertise at this cutting-edge event,” said Kozo Matsuo, Vice President of NEC Corporation’s Cyber Security Strategy Division.’ Training sessions to develop participants’ practical knowledge on IoT device analysis and the latest trends in malware-related crime were delivered by specialists from NEC Corporation, InfoSec, Meiya Pico, SECOM, Kaspersky Lab and Trendso the need for MNS software is lower than in the Americas. While individual countries might deal with specific weather threats – like blizzards and freezes in Sweden and flooding in the UK – in 2017 the United States alone experienced four major hurricanes. Mass-notification system (MNS) software used in emergency communication, the primary segment used during a catastrophic event, is expected to grow in the Americas at a compound annual growth rate (CAGR) of 6.8 percent from 2017 to 2021, reaching $293.1 million in 2021. Micro. Support was also provided by the UN Office on Drugs and Crime (UNODC). Kenji Hironaka, President of Cyber Defense Institute said, “We are proud to have provided forensic content and technical support during all three INTERPOL Digital Security Challenge events. We will…

With Cybersecurity becoming an increasingly important factor in designing modern Ethernet networks, ComNet have launched an industry first edge security feature that is both simple, secure and easy to configure and use. The ComNet exclusive Port Guardian feature has the capability to physically disable a port if unauthorized access is detected. The value in Port Guardian comes in situations where network intrusion is attempted by disconnecting an IP addressable device at the edge to connect to the network. When Port Guardian senses this disconnect, an SNMP notification is sent to the head end and the affected port is physically locked out, preventing access. The network administrator can re-enable the port once the threat is eliminated. This feature also thwarts access through ‘Spoofing’ by disabling the port as soon as an interruption is sensed. Layer 2 managed switches can typically implement port security which consists of checking incoming packets for a matching MAC address. If a packet with a valid MAC address is received on a particular port then the switch will allow that packet to pass through the switching fabric of the switch as normal. If a packet with an invalid MAC source address is received on the switch port then that packet is dropped by the switch and is not allowed to proceed any further and therefore, this provides a basic level of security as only traffic from the user defined MAC address is allowed on that port. With this method it is therefore possible to easily implement basic port security against a potential intruder from removing the original device and replacing it with a device designed for network intrusion or from cutting the cable that went to the original device and connecting this cable to their own network intrusion device to gain access to the network. This level of protection is common amongst most layer 2 managed switches on the market today and indeed all ComNet managed switches support this capability as standard. This feature is referred to by many names including (but not limited to) the following: Port locking. MAC locking. Port security. MAC filtering. What’s wrong with traditional switch port security? The issue with the traditional Layer 2 MAC filtering/ locking as previously described is that it can be defeated with relative ease in a matter of minutes by using readily available software which can artificially alter the MAC address of the sender to match whatever the potential intruder wants. In the example below the intruder will alter the MAC address of their laptop to use the same MAC address of the authorised camera and gain access to the network. How would the intruder know what MAC to spoof? So how would a potential intruder know the MAC address of the camera (in this example) in order to be able to spoof that address from their laptop and gain network access? This could be done in several ways but one simple way could be to use a low cost network tap device so the camera is briefly unplugged and then connected to the tap and then quickly re-connected to the network again. The operator would see video loss for some seconds but would unlikely put this down to a potential intruder if it was even noticed at all. How does port guardian prevent such intrusions? At the basic level Port Guardian works as a layer 1 protection system so the actual data being sent on the port is not important and the switch does not need to know anything about it. Port Guardian constantly monitors the enabled ports and as soon as it detects that a cable has been unplugged or there is a link down event that port will be immediately disabled and the network administrator notified via an SNMP alert (and optionally by a local contact relay if supported on the particular switch model) to the potential intrusion. What happens after Port Guardian locks out a port? Once Port Guardian has been triggered on a certain port then that port is in a permanent lock out condition and will appear to be dead to the potential intruder (no LEDs or anything will work on that port). The port will remain in this lock out condition even if the original legitimate device is re-connected. The lock out state can only be cleared by the network administrator through one of 4 possible methods as outlined below SNMP reset command issued. Reset via Web GUI. Port Guardian reset command issued from the local USB serial port CLI. A contact input is closed (only available on models that have contact inputs). The contact input method is user configurable and is not enabled by default. What about cycling power to the switch? This is another user configurable option. The port lock out states can be set to clear on a power cycle or they can be set to go into lock out condition in the event of a power cycle (this would be the most secure option). So how can Port Guardian be used in networks? There are really two distinct ways to use the Port Guardian feature and the correct implementation depends on how secure the location is where your remote ComNet edge switch (with Port Guardian feature) is located. An outline description and visual example of both scenarios follows. Edge switch in secure location scenario I f the ComNet edge field switch is installed within a secure location then there is no concern about an intruder gaining access to the physical switch itself so one could enable Port Guardian just on the ports where he has edge devices connected that are physically located outside of the secure location and not enable Port Guardian on the uplink port(s) which are part of the secure network. In this scenario one could also set the option to have a power cycle clear any locked out ports as again he would not be as concerned with a potential intruder being able to power cycle the switch itself. Edge switch in…