
IPS Cloud - Company network security

Today every corporate network is connected to the internet. The reasons are numerous: exchanging emails, searching for information, storing data in the cloud, using the many services we reach through a browser. Increasingly we also need to reach the corporate network remotely, from home or during a business trip. For this reason it is essential that all these connections are made with the right level of security. Let’s look at the means available, how they work, and when to use them.

Authentication and authorisation

Let’s imagine we are suppliers of aerospace components visiting a NASA site. When we arrive, before letting us in, they will ask us to identify ourselves with a document. They will want to know the reason for our visit and will register it so that it can be traced. They will give us a badge that identifies us and someone will escort us exactly where we need to go; we would never be alone. If we were ill-intentioned and wanted to steal information, we would not have an easy time of it. Leaving the path we have been assigned would not be simple, and even if we managed it, the various areas would have their own access controls, badge readers if not something more sophisticated. All of this rests on two basic steps: first we were identified and authenticated, and then, on that basis, we were authorised, that is, told where we could go and what we could see.

The same thing happens in the digital world. If the users of our company are not required to authenticate before accessing data, any intruder who manages to get into the network can freely reach servers and PCs, do whatever they want with our data, and even block operations. Returning to the comparison above, the more checkpoints where “I need a badge to enter” I place in my network, the harder an attacker finds it to move around, and the harder it becomes to damage or steal data.

An apparently trivial but very effective example is how you log in to your own PC. If I log in as an administrator I can do whatever I want on my computer. That may sound good, but if an attacker manages to get into my PC, they can do whatever they want as well, and that is rather less good. If instead I log in with an account that is authorised only for what I need day to day, it becomes much harder for the attacker to tamper with sensitive parts of the operating system or to read data my user is not allowed to see. This does not mean I have to be permanently limited: when I occasionally need a sensitive function or some sensitive data, I use another account that has those permissions, and only for as long as the task takes. This is called the principle of least privilege. If you have internal IT staff, the best arrangement is to let only them access the sensitive areas of PCs and servers, which prevents inexperienced people from inadvertently making the system vulnerable. The principle applies to the IT operator as well: administrator privileges should be used only when they are actually needed.

System monitoring

How do we find out that something dangerous is going on before it is too late? The first tool is certainly an antivirus, which blocks known risky actions in advance, such as opening a malicious file or visiting an unsafe website. Malware is not always recognised at first sight, however, so it is good practice to have the antivirus perform periodic in-depth scans as well. Beyond that, it is well worth having a system that records what happens on the network: who accessed what, from where, and when, so that anomalies can be spotted and acted on in time. Anyone with a Google account has probably experienced this: when you log in from a new device, Google immediately notifies you that there has been an access from an unknown PC or smartphone, on that day, at that time, from that place. If it was not you, you may still be in time to change the password before the attacker manages to steal or damage data.
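The two checks described above, written out as an added example in Python (this is not code from the original post): a “new device” alert when a user logs in successfully from an address never seen before for that user, and a brute-force alert when many failed logins for one account arrive in a short window. The log lines, the sshd-like format they follow, the thresholds and the field names are all constructed for this example.

```python
"""Added example: two simple detections run over authentication log lines.

1. new_device  - first successful login of a user from an address not seen
                 before for that user (once a baseline exists).
2. brute_force - fail_threshold or more failed logins for one user within
                 window_seconds.

The sample log below is constructed for this example in an sshd-like
format; the regex and thresholds are assumptions, not taken from any product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log (ISO timestamps prepended for this example).
SAMPLE_LOG = """\
2024-03-01T08:00:01 Accepted publickey for alice from 10.0.0.5
2024-03-01T08:05:10 Accepted publickey for alice from 10.0.0.5
2024-03-01T08:05:11 Failed password for bob from 203.0.113.9
2024-03-01T08:05:12 Failed password for bob from 203.0.113.9
2024-03-01T08:05:13 Failed password for bob from 203.0.113.9
2024-03-01T08:05:14 Failed password for bob from 203.0.113.9
2024-03-01T08:05:15 Failed password for bob from 203.0.113.9
2024-03-01T21:30:00 Accepted password for alice from 198.51.100.77
2024-03-02T09:00:00 Failed password for carol from 10.0.0.8
"""


def parse_line(line):
    """Return a dict with ts/ok/user/ip, or None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, fail_threshold=5, window_seconds=60):
    """Return a list of (alert_type, user, ip, iso_timestamp) tuples."""
    alerts = []
    known_ips = defaultdict(set)   # user -> addresses seen in successful logins
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["ok"]:
            # Alert only once a baseline of known addresses exists for the user.
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append(("new_device", user, ip, ts.isoformat()))
            known_ips[user].add(ip)
            failures[user].clear()
        else:
            q = failures[user]
            q.append(ts)
            # Slide the window: forget failures older than window_seconds.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("brute_force", user, ip, ts.isoformat()))
                q.clear()  # one alert per burst
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this raises exactly two alerts: the five failures for bob within five seconds, and alice’s first login from 198.51.100.77. In a real deployment the per-user baseline would be persisted rather than rebuilt from the log each run, and the alert would go to the user (as Google does) and to whoever watches the network.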

Data encryption

Nowadays, transferring information over the Internet is a necessity. That brings a second need: my data must not be readable by anyone who is not authorised. On the World Wide Web, as the name says, there is the whole world, and anyone on the path between me and the other party can potentially read what we transmit unless we make it unreadable. Cryptography does exactly this: it transforms a message into something that looks like random letters and numbers. The transformation itself (the algorithm) is public and well studied; what keeps the result secret is the key, a secret value that determines exactly how the message is transformed and without which the transformation cannot be undone.

Symmetric key cryptography

The simplest scheme is symmetric-key cryptography. A single key both encrypts the message and decrypts it on arrival, so the person who writes the message and the person authorised to read it must both hold the same key. The weak point lies in key management: the key has to reach the other party over some channel, and if an attacker intercepts it on the way, they can decrypt every message we later exchange with that key. Symmetric ciphers such as AES are nevertheless very fast, which is why they remain the workhorse once a key has been agreed safely.

Asymmetric key cryptography

In 1976 Whitfield Diffie and Martin Hellman published the idea of public-key cryptography. In this scheme each party has two keys, one public and one private. To explain how it works we use the classic padlock analogy. Suppose we want to exchange boxes by mail with a friend and want to be sure that nobody can open them. We could put a padlock on the box, send the key to our friend first, and then send the box. But this brings back the problem above: if someone intercepts the key, they can copy it and open the box in transit. We can do something cleverer. We ask our friend to send us an open padlock of which he alone has the key. We lock the box with this padlock and send it to him. Since the key never left his house, nobody could have intercepted it in transit.

The padlock in our example corresponds to the public key, and the key that never left our friend’s house to the private key. If we want to exchange messages in both directions, each side needs its own pair: two public keys (two padlocks) and two private keys (the keys to the padlocks). Even this scheme has a weak spot. Since I am handing out an “open padlock”, anyone can study it and try to reconstruct the key that opens it. To prevent this, the public key is derived from the private one with mathematical operations that are easy to compute in one direction but impractical to reverse. For example, a computer multiplies 709 x 887 and obtains 628883 instantly, but finding which two numbers were multiplied to obtain 628883 takes much longer; if the number is made large enough (today’s keys have around 617 decimal digits, that is 2048 bits) the time needed is so long that in practice it cannot be done. In this example the two prime factors play the role of the private key and their product the role of the open padlock I send out. This is the idea behind RSA, the most widespread system of this kind, although other secure “padlocks” exist that rest on different hard problems.
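The “padlock” built from two primes, worked through with the post’s own numbers 709 and 887, as an added example in Python (not code from the original post). It builds the key pair, encrypts and decrypts a number, and then does what the text warns about: factors the public modulus and rebuilds the private key. This is textbook RSA with no padding and a 20-bit modulus, written only to show the mechanism and why the modulus must be enormous; the message value and the choice of e = 65537 are the example’s own assumptions.

```python
"""Added example: textbook RSA with the post's numbers, and the factoring attack.

Toy sizes and no padding: illustration only, never for real data.
"""
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Public key (n, e) is the open padlock; private key (n, d) is its key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the padlock can lock a message m (an integer < n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can unlock the ciphertext."""
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover p and q from n. Instant for 628883, hopeless for a 617-digit n."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """What an attacker does once n is factored: rebuild d from (n, e) alone."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def demo():
    public, private = make_keypair(709, 887)
    message = 123456  # assumed sample value; must be smaller than n = 628883
    ciphertext = encrypt(public, message)
    cracked = recover_private_key(public)
    return {
        "n": public[0],
        "ciphertext": ciphertext,
        "roundtrip_ok": decrypt(private, ciphertext) == message,
        "factors": factor_by_trial_division(public[0]),
        "attacker_recovers_d": cracked == private,
    }


if __name__ == "__main__":
    print(demo())
```

With a 20-bit modulus the trial division loop finds 709 in well under a millisecond, and the recovered private key is identical to the original one. The same loop against a 2048-bit modulus would have to test more candidates than there are atoms in the observable universe, which is the whole point of the text’s “large enough” remark.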

Where cryptography is used

You may have noticed that today almost all website addresses start with HTTPS. The extra S means that the exchange with that site is protected by TLS: public-key cryptography is used to verify the site’s identity and to agree on a session key, and the traffic itself is then encrypted with a fast symmetric cipher. The systems in use are therefore hybrids of asymmetric and symmetric keys, because with asymmetric cryptography alone communication would be very slow. If we visit a site that does not use encryption, the browser warns us with a “not secure” message.

There is still a problem to solve. When my bank’s website sends me its public key, the padlock I will use to close my box before sending it, how can I be sure that it really comes from my bank and not from an attacker pretending to be the bank? The answer lies in certificates. Certification authorities verify that whoever requests a certificate really controls the site’s name, and they sign a certificate that binds that name to the public key. The browser ships with a list of trusted authorities and checks both the signature and the name before trusting the key. If an attacker sends his own public key, no trusted authority has signed it for my bank’s name, so the browser rejects the certificate and warns the user of the risk.

The VPN

Besides websites, encryption is used to create secure channels between two physically distant private networks or devices. An example is connecting to the corporate network from home. If I connected without any precaution, everything exchanged could be read by anyone on the path, since it travels over the internet. To solve this I can use a VPN (virtual private network): a virtual tunnel between my PC and the company network, inside which all the data is encrypted. This way I can be confident that nobody in between can read what I am exchanging.

Even though the VPN tunnel is encrypted, its entry point is reachable from the whole internet, so someone could try to enter the tunnel and reach the corporate network the same way I did. To prevent this, the authentication and authorisation systems we saw at the beginning come into play: the VPN gateway must verify every client (with credentials, certificates and preferably a second factor) before letting it in. So, in addition to encryption, there is an “entrance check” as well.

If we do not need any incoming connections but only want to send data out of our network (for example to a cloud server), we can, instead of a VPN, allow communication to be opened in one direction only: outbound. The data must still travel encrypted, otherwise anyone could read it. With this arrangement an attacker cannot read the information sent and cannot use this channel to get into our network, because nothing from outside is allowed to open a connection towards us. For this to work we must choose a protocol in which our side always initiates the connection. An example is MQTT, usually carried over TLS: our device opens a connection to an intermediate server (the broker) and publishes its data there, and the final server that needs the data connects to the broker in turn and subscribes to it. This model is called publish-subscribe. Data flows in both directions only from the broker onwards, while on our side the firewall can keep the door permanently closed to inbound connections: the only traffic that comes back in consists of replies on the connection we opened ourselves. One caveat follows from this: if our device also subscribes to topics, the broker can deliver messages to it over that same connection, so a device that only needs to export data should only publish.

The firewall

The name comes from the barriers used in buildings (fire walls and fire doors) to confine a fire to one area and stop it spreading unchecked. In a computer network we can picture it as a door manned by someone who checks what goes in and what comes out. It can sit between the corporate network and the internet, between a PC and the corporate network, or at intermediate points inside the network itself. The aim is to prevent unwanted access.

A firewall is a set of rules that determines what may pass through a given point, and anything that matches no rule should be blocked. For example, to let a user connect from home to the company, we can write a rule that accepts connections only from certain computers, identified by their network address (each network card has a MAC address and each device on a network has an IP address), and blocks anyone trying from another computer. Keep in mind that addresses can be spoofed or may change, and that many devices share one public IP address behind a home router, so address-based rules are a useful filter but not a substitute for the authentication described above. The firewall also works in the other direction. Suppose a program carrying malware has ended up on my PC: it will try to connect out to the internet to open a channel through which an attacker can come in. I can configure the firewall so that only certain programs may talk to the internet, and only to pre-established destinations and ports, so that this connection attempt is blocked and logged.
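A toy stateful packet filter, as an added example in Python (not code from the original post), to make the rules described in this section and in the outbound-only MQTT setup above concrete. It shows default deny (a packet matching no rule is dropped), first-match rule ordering, and connection tracking, which is why a client-initiated MQTT-over-TLS connection works: the device opens the connection, the broker’s replies belong to a tracked connection and are let in, but a fresh connection from the internet to the same port is dropped, as is outbound traffic to a port the policy does not allow. The addresses, ports and the policy itself are constructed for the example (1194 stands for the VPN listener, 8883 for MQTT over TLS); real firewalls such as nftables do the same with a connection-tracking table that also handles UDP and timeouts.

```python
"""Added example: toy stateful packet filter (default deny, first match,
connection tracking). Illustration only; not a real firewall."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool   # True for the first packet of a connection (e.g. TCP SYN)


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    direction: Optional[str] = None  # None = any
    src: Optional[str] = None        # None = any source address
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport))


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()  # 4-tuples (src, sport, dst, dport) of accepted connections

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Packets of a connection we already accepted pass in both directions.
        if fwd in self.conns or rev in self.conns:
            return "accept"
        # A mid-stream packet for an unknown connection is never accepted.
        if not p.new_conn:
            return "drop"
        # A new connection is decided by the first matching rule.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept":
                    self.conns.add(fwd)
                return rule.action
        return "drop"  # default deny


# Constructed policy: VPN only from one known peer, MQTT over TLS outbound
# only, everything else (inbound or outbound) blocked.
POLICY = [
    Rule("accept", direction="in", src="198.51.100.20", dport=1194),
    Rule("accept", direction="out", dport=8883),
]


def run_scenarios():
    """Run the constructed traffic through the policy and return the verdicts."""
    fw = StatefulFilter(POLICY)
    device, broker, vpn_gw = "10.0.0.50", "203.0.113.10", "10.0.0.1"
    return {
        # device opens MQTT/TLS to the broker: allowed and tracked
        "mqtt_out":      fw.filter(Packet("out", device, 40000, broker, 8883, True)),
        # broker replies on that connection: allowed by connection tracking
        "broker_reply":  fw.filter(Packet("in", broker, 8883, device, 40000, False)),
        # broker (or anyone) tries to open a new connection inwards: dropped
        "broker_new_in": fw.filter(Packet("in", broker, 8883, device, 8883, True)),
        # known VPN peer connects to the gateway: allowed
        "vpn_peer":      fw.filter(Packet("in", "198.51.100.20", 50000, vpn_gw, 1194, True)),
        # unknown address tries the VPN port: dropped
        "vpn_stranger":  fw.filter(Packet("in", "198.51.100.99", 50000, vpn_gw, 1194, True)),
        # malware on the device calls home on a port the policy never allowed: dropped
        "c2_out":        fw.filter(Packet("out", device, 40001, "203.0.113.66", 4444, True)),
        # a "reply" for a connection we never opened: dropped
        "spoofed_reply": fw.filter(Packet("in", broker, 8883, device, 40002, False)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} {verdict}")
```

Note that the outbound rule is as important as the inbound one: with default deny on egress, the malware’s connection to port 4444 never leaves the network, which is the “reversed” use of the firewall described above.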

Let’s summarise the 10 key points of cybersecurity

Having explained what the security tools are, we conclude by summarising the 10 main actions needed to make our network secure:

  1. Segment the network into zones and filter each entry point with a firewall, not only the one between the corporate network and the internet (which is the bare minimum).
  2. Protect zones, devices and software with an appropriate authentication and authorisation system.
  3. Always apply the principle of least privilege.
  4. Use a monitoring system so that you can see what is happening on the network.
  5. Use strong passwords (the longer, the stronger) and never reuse the same one for different things.
  6. Keep operating systems and software constantly updated.
  7. Have an active and updated antivirus on every computer and server.
  8. Use a VPN for private connections with the outside (unless encrypted connections that open only the outbound flow are used).
  9. Use only sites served over HTTPS (the browser shows this in the address bar).
  10. Do not use pirated or unofficial software: it can hide malware.

Cyber security - IPS Cloud

I want to start from the assumption that anything connected to the internet is potentially vulnerable to cyber attacks. It can be a computer, a mobile phone, an alarm system or any other device: it has an umbilical cord that can turn into a gateway for hackers. So it would be enough not to connect anything to the internet and the problem is solved. Obviously this statement is a provocation; the advantages the Internet gives us are enormous, and doing without it would probably be comparable to doing without electricity. And as with electricity, the solution is not to avoid using it, but to build systems and networks with the right level of security.

What are cyber attacks

There are various kinds of attack, and the common factor is getting software called malware onto the device. The aim can range from making the target malfunction, to reading its information, to taking control of it. Consider hackers who take control of the computer network of a modern hotel. As in every other sector the level of digitalisation is high, and room doors are locked and unlocked with coded cards: the hackers could lock all the doors and demand a ransom to reopen them. This is not imagination but a true story. They could lock the company’s computers and unlock them only if their demands are met. More quietly, they could steal the data on the computers (emails, documents, etc.) and sell it to whoever is interested. Nevertheless, we must not be frightened by this. Consider another example: think about how our money is managed, in an IT system that runs over the internet and connects millions of users. That does not mean we get up in the morning worrying that someone will empty our bank account; it is such a remote possibility that nobody thinks about it. Not because banks keep everything disconnected from the internet (on the contrary, they are fully connected), but because the security they have built makes penetrating it an extremely difficult challenge.

Who are the hackers

Let’s start with the amateurs. These attackers lack advanced technical skills but make use of malicious programs found on the internet. Their purpose may be simply to cause damage; sometimes they do it out of curiosity, sometimes to show off their skills. In any case, the trouble they can cause should never be underestimated.

Then there are the actual hackers: people with in-depth knowledge of networks and IT systems, traditionally divided into three types. White hats look for vulnerabilities in IT systems in order to improve security; they do so on behalf of the owner, to whom the results are reported. Black hats, on the contrary, do it illegally for personal profit, sometimes on commission from someone else. Grey hats sit in between: they find the vulnerabilities of a system and, depending on the case, either report them to the owner or publish them on the internet, letting other hackers exploit what they found.

Finally, there are real criminal organisations: well-organised and well-funded groups that may work for others or even for governments. Their attacks are aimed at specific targets, often with political motivations behind them.

Why choose the Cloud

By cloud we mean remote servers or, more generally, remote services: instead of local computers that store data or run various kinds of software, all of this is done on computers located in centres dedicated to this type of service. So, given the risks we have seen, why choose the cloud? Let me answer with a comparison: why put money in a bank rather than hide it under the mattress? After all, it becomes digital, on a network exposed to hackers, so it would not seem such a clever solution. That would be true if we ignored that the security level of a bank’s digital systems is far superior to that of our house. Similarly, the cloud services of big players such as Microsoft, Amazon or Google have much higher security levels than we can achieve at home or in our company; these providers say they spend more than a billion dollars a year on cyber security alone.

A migration already in progress

In reality, all of us are progressively moving to the cloud, even if we do not always realise it. To read our emails we open a browser and go to our email provider’s page, or use an app on our phone. All of our emails sit on a server somewhere in the world, just like the backup of our pictures, the files we upload to OneDrive or Google Drive, not to mention everything on social media. We are rightly more afraid of keeping our photos only on our phone, or our emails only on our PC, because a fault could make us lose everything, whereas in the cloud they are constantly backed up.

Configuration and update of devices

Another important point is the state of our devices. Take a corporate server holding a lot of sensitive data. Are we sure its operating system is constantly updated? As soon as an attacker finds and exploits a bug and the problem becomes known, the operating system vendor releases an update to fix it, but if the update is not installed promptly our server remains at risk. The same applies to our PCs and smartphones. Security settings must also be configured correctly: a single wrong or unsuitable setting can be enough to make a server or a computer vulnerable. Unfortunately we cannot always have the best IT security experts configuring our network and the devices connected to it, whereas Microsoft, Amazon or Google have them, as do banks. Lastly, there are backups. If we manage a device ourselves, we must manage the backup of all its data correctly so that a fault does not cause their loss. In the cloud this is often part of the service, which is one less thing to manage, check and maintain, with all the risks that brings; do check what the contract actually covers, though, because in many cloud offerings the backup of your own data remains your responsibility.

In conclusion, a well-run cloud service is an intrinsically more secure system: always updated, with data backed up and configured to make an attack very difficult. The cloud alone is not the solution to every problem, however; we must also think about the security of the devices that remain on our premises. In the next post we will look in more detail at how these IT security systems and configurations work and why they matter for protecting our company from cyber attacks.