There's rarely a time when cyber security isn't in the news these days. At the time of writing Twitter, Facebook, PayPal and other platforms had just fallen victim to a cyber attack, and it's even thought attempts have been made to manipulate the US election result from overseas. As society in general and business in particular becomes more dependent on the software that runs its infrastructure and information management systems, the level of security we can achieve becomes not just a business critical issue but an existential one. As security adviser Roger A Grimes said in a recent InfoWorld article: “I've seen American companies work on a secret new product, only to have a Chinese company release a very similar, if not identical product first. Sometimes even the wording in the documentation is identical. I've seen entire American company divisions shut down as a result.”
How hackers work
Every CEO is aware of the need to protect their business: few realise that though most hacks are based on simple password phishing the hackers are some of the smartest people on the globe and it takes equally smart people who understand their mindset, to counter them. Don O'Neil is a Director in PwC's Technology Solutions - CIO Advisory Solution group based in Las Vegas. Ok, he is more of a strategist than a hacker himself, but his division employs some of the best white hat hackers on the planet, whose job is to carry out penetration tests on businesses from start ups to major players and government departments too. It works with the consulting arm of the global PwC organization's verticals, Consumer and Industrial Products; Technology, Communications and Entertainment; Healthcare and Financial Services and a final unit devoted to delivering major government projects, to provide its customers with infrastructure security.
However the division goes beyond just assessing security systems and giving advice: it will do precisely as much work or as little as the customer requires, right though to full implementation. The system he will recommend will be tailor made for the client. “We go into an organization, analyze their business, the way they function, their technology requirements and all of the things that go into how that business operates. Then we map out the right technology solution, architecture and design to meet that requirement. Then we can do the implementation work for the client – if that's what they want.”
The solutions provided by PwC take an identity driven zero trust approach, overlaying on the existing systems and the network, so there's no disruption at the time of implementation, though specific inherent vulnerabilities may have to be addressed. “Many organizations don't think about securing their networks from insider threats, or securing them from lateral movement once an outsider gets access through an edge connection. That's a key point – stopping that lateral movement so if you are breached from the outside they can't continue to exploit that breach, and leave hidden payloads behind. It's equally important to stop the internal threats from employees, contractors and their workers from accessing systems they are not supposed to access.”
Technology that never sleeps
At the heart of PwC's solutions are two technologies: 802.1X authentication to determine who and what can access the network, and next generation firewalls and micro-segmentation capable virtual switches to segment the network, preventing lateral movement and unauthorized application traffic. 802.1X is a highly effective network access control protocol if it is properly aligned with the business's operations: as a consulting firm that has grown on consulting work based on its understanding of every aspect of its clients' business, from finance to HR and data management for example, it can add value a way no single technology provider could. “We understand how businesses function as well as understand the technology,” he says. “The technology we use to counter global threats is complicated. People don't want to deploy it on their own. Networking organizations don't know how the business units work. The problem has to be approached from both angles. Our deep business knowledge is what differentiates us, along with our partnership with industry leading technology providers like Palo Alto Networks, with whom we developed the Security Framework for Business Leaders last year to help our clients establish breach prevention security postures.”
In principle, keeping networks safe is quite simple. First, prevention of unauthorized access to the network thwarts any hacking attempt right on the border. If they can't get in they can't find anything out. Second, in the event of entry they can be contained from making any progress – this is done through segmentation and monitoring of all application and user activity. “Once hackers breach outer layers of protection and get inside the organization they try to move laterally,” explains Don O'Neil. “But because we leverage a zero trust architecture with strong authentication, network segmentation, and application visibility, we can stop the attack at multiple levels. Even if a user’s laptop becomes compromised and controlled by an attacker, the hacker’s malware will not be able to move laterally on the network because the next generation firewalls will enforce segmentation and block any malicious traffic. “ Four or five levels of security stop an intruder at the door. An additional safeguard is provided by segmentation: whether the network is accessed through a VPN, a corporate wired network (LAN) or a WLAN, or even a compromised IoT device, PwC's solution controls how and what each user can access, the time of day they can access it, the device they use and their location at the time.
So every device that connects to the network, workstations, cameras, servers, even an Internet of Things (IoT) device, has to recognized through a valid certificate, fingerprint or profile. This does not interfere with the companies that want to leverage BYOD, however the corporation might only want to allow those devices access to low risk areas like e-mail, a time clock system or an intranet. The organization's critical infrastructure is blocked at the point of entry to the network from the individual or device being even able to detect its presence. Take the education sector. Institutions hold huge volumes of research data and may have privileged access to some government networks. Yet millions of students and researchers rely on easy access to publications and material relevant to their area of study. This is where NAC and segmentation really cuts down the risk. An individual may be granted full access to a research lab when on their home campus, but that access can be restricted or denied depending on the device they have, when they are traveling or if they are visiting a high-risk country.
Too many organizations don't know how their individual business units work, O'Neil concludes, nor how their technology is deployed, what their networks look like from end to end or which devices have access to it. But after a PwC consultation process, custom designed system and architecture and can be implemented, the risk of internal or external breach is reduced to virtually zero. “Knowledge transfer is a big piece of this,” he insists. “At the end of the process we don't want to leave them with an inherent dependency on us - unless they want that dependency.” Some organizations may be able to maintain and manage the system on their own keeping track of changes in the environment: others may choose to continue with a service provider who can do that, or continue to work with PwC.