Are You Crypto-Agile to Respond Quickly to Changing Cyberthreats?

Gonzalo Álvarez Marañón    29 October, 2020

A business is considered agile if it is able to respond quickly to market changes and adapt in order to maintain stability. However, without cryptography there is no security and without security there is no business. So, ultimately, the agility of a business will be conditioned by its crypto-agility.

And what does a business need in order to be crypto-agile? To be able to adopt an alternative to the encryption method in use when that method proves to be vulnerable, with the minimum impact on the organisation’s infrastructure. The faster and more automated the process of replacing a cryptographic algorithm (or its parameters), the greater the crypto-agility of the system.

In Cryptography No Algorithm Is Totally “Safe”, At Most It Is “Acceptable”.

The definition of security in cryptography is circumstantial. When it is claimed that an algorithm is secure, what it actually means is that no security risk is currently known when it is used in accordance with the appropriate guidelines. The key word here is “currently”, because what is considered secure today will most likely not be secure tomorrow. This is due to advances in computing (do I hear quantum computer?), advances in cryptanalysis, advances in hardware and advances in mathematics. In other words, an algorithm is considered safe if it is computationally infeasible to break it today.

The discovery of vulnerabilities in cryptosystems and the removal of the affected algorithms becomes inevitable over time. That’s why you need to be crypto-agile: to be able to update the encryption methods used within the protocols, systems and technologies you use as soon as new vulnerabilities are discovered… or even before they appear!

And it is not just vulnerabilities that need to be considered. In the Real World™, cryptography must comply with regulations and standards, which in many cases will require changes in encryption algorithms and communications protocols.

How to Find Crypto-Agility

The worst time to evaluate your cryptography is after a compromise has occurred, with everyone running around like a headless chicken. Being crypto-agile implies complete control over the cryptographic mechanisms and processes in your organisation. Gaining this control is not easy because, as Gartner points out in its report Better Safe Than Sorry: Preparing for Crypto-Agility:

  • Cryptographic algorithms break “suddenly”, at least from the end-user’s point of view. Despite the fact that there are chronicles of a death foretold, like the one for SHA-1, there are organisations that do not even know about it until the incident occurs, when it is too late to swap in another algorithm without impacting the organisation.
  • Most organisations do not know their cryptography: the type of encryption they use, what applications they use or how they use it.
  • Developers often remain blind to the details of cryptographic function libraries, so they program cryptographic dependencies while ignoring the flexibility of the libraries. This can make patching or response difficult or unpredictable in case of an incident.
  • Open source algorithms are generally considered safe because anyone can audit them, but reviews of their real application are rare.

In this context, every organisation should prepare for the worst. How? According to Gartner, this preparation involves:

  • Build crypto-agility in by design, both in in-house application development and in the workflow for acquiring applications from third parties.
    • Any software created internally must comply with the cryptographic security standards accepted by the industry, such as Suite B or FIPS 140-3; or with current regulations and standards, such as the GDPR.
    • It is advisable to use development frameworks, such as JCA or .NET, which abstract cryptography, facilitating the replacement of some algorithms by others without altering the code. Likewise, there are other languages and libraries that favour the reuse and rapid replacement of cryptographic code, which should be given priority over less flexible alternatives.
    • When purchasing third-party applications, make sure that the provider follows the above guidelines. All software and firmware should include the latest cryptographic algorithms and techniques that are considered safe.
  • Compile an inventory of the applications that use cryptography, and identify and evaluate their dependence on specific algorithms. Pay special attention to identity and access management systems, the public key infrastructures (PKI) in use in your organisation and how keys are managed. This work will make it easier for you to assess the impact of a cryptographic breach and allow you to determine the risk to specific applications and prioritise incident response plans.
  • Include cryptographic alternatives and an algorithm exchange procedure in your incident response plans. For instance, the identification and replacement of algorithms, extension or modification of key lengths, and re-certification of some types of applications. For hardware devices, ask the manufacturer how they handle key and algorithm changes. Be prepared in case you need to decrypt private data with an obsolete key or algorithm to re-encrypt it with a new key or algorithm if compromise happens. And do not forget to include IoT devices in your inventory, because some come with pre-loaded keys and little cryptographic flexibility and are deployed in the field for many years.
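One way to put the advice above (abstract the algorithm, inventory its use, and have a swap procedure ready) into code, as an added example that is not from the article or from Gartner’s report: a tagged HMAC format in which the algorithm name travels with every protected value, a policy registry that says which algorithms are approved, deprecated or unknown, an inventory function, and a rotation routine that re-protects values tagged under a deprecated algorithm. Only the standard library is used; the key and the sample records are constructed for the demo.

```python
"""Crypto-agile message authentication (added example, standard library only).

Withdrawing an algorithm means editing ALGORITHMS/CURRENT and running
migrate_store(); no calling code has to change.
"""
import hmac
from collections import Counter

# Policy registry: algorithm name -> status.  This is the single place to
# edit when an algorithm is deprecated or withdrawn.
ALGORITHMS = {
    "sha1":   "deprecated",   # still verifiable, never used for new tags
    "sha256": "approved",
    "sha512": "approved",
}
CURRENT = "sha256"            # algorithm used for every new tag


class CryptoPolicyError(Exception):
    """Raised when an operation would violate the algorithm policy."""


def tag(key: bytes, data: bytes, alg: str = CURRENT) -> str:
    """Return 'alg$hexdigest' so the algorithm is recorded with the value."""
    if ALGORITHMS.get(alg) != "approved":
        raise CryptoPolicyError(f"{alg} is not approved for new tags")
    return f"{alg}${hmac.new(key, data, alg).hexdigest()}"


def verify(key: bytes, data: bytes, tagged: str) -> bool:
    """Accept approved and deprecated algorithms; reject unknown ones."""
    alg, _, digest = tagged.partition("$")
    if ALGORITHMS.get(alg) not in ("approved", "deprecated"):
        return False
    expected = hmac.new(key, data, alg).hexdigest()
    return hmac.compare_digest(expected, digest)


def needs_rotation(tagged: str) -> bool:
    """True when the value is not protected with the current algorithm."""
    return tagged.partition("$")[0] != CURRENT


def rotate(key: bytes, data: bytes, tagged: str) -> str:
    """Re-tag under CURRENT, but only after the existing tag verifies."""
    if not verify(key, data, tagged):
        raise CryptoPolicyError("refusing to rotate an unverifiable tag")
    return tag(key, data) if needs_rotation(tagged) else tagged


def inventory(store: dict) -> dict:
    """Count records per algorithm: the 'know your cryptography' step."""
    return dict(Counter(tagged.partition("$")[0] for _, tagged in store.values()))


def legacy_tag(key: bytes, data: bytes) -> str:
    """Build a sha1 tag the way an older release would have (demo only;
    tag() refuses sha1 for new data under the current policy)."""
    return f"sha1${hmac.new(key, data, 'sha1').hexdigest()}"


def build_demo_store(key: bytes) -> dict:
    """Constructed sample records: record id -> (data, tag)."""
    return {
        "invoice-1": (b"amount=100;to=acme", legacy_tag(key, b"amount=100;to=acme")),
        "invoice-2": (b"amount=250;to=globex", tag(key, b"amount=250;to=globex")),
        "invoice-3": (b"amount=75;to=initech", "md5$" + "0" * 32),  # unknown algorithm
    }


def migrate_store(key: bytes, store: dict):
    """Rotate every record that verifies; keep and flag the ones that do not."""
    migrated, rotated, rejected = {}, [], []
    for rid, (data, tagged) in store.items():
        try:
            new_tag = rotate(key, data, tagged)
        except CryptoPolicyError:
            rejected.append(rid)            # needs investigation, not silent re-tagging
            migrated[rid] = (data, tagged)
            continue
        if new_tag != tagged:
            rotated.append(rid)
        migrated[rid] = (data, new_tag)
    return migrated, rotated, rejected


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; use a managed secret in practice
    store = build_demo_store(key)
    print("before:", inventory(store))
    migrated, rotated, rejected = migrate_store(key, store)
    print("after: ", inventory(migrated), "rotated:", rotated, "rejected:", rejected)
```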

Vulnerabilities, regulations, quantum computers, … Cryptographic change is lurking around every corner. Applying these improvements will increase your crypto-agility to react quickly to cyberthreats.

Approaching Cybersecurity in Industry 4.0: The Age of Connected Machines

Gabriel Álvarez Corrada    27 October, 2020

Don’t run away yet! This era is not about machines enslaving humanity (at least, not yet…) but about the introduction of elements (IoT devices, cloud environments, AI, Big Data, SIEM, IDS…) into industrial control systems (ICS) that improve their operation, maintenance, effectiveness, efficiency… and their security. But… what is Industry 4.0?

Source: Industria Conectada 4.0, Report: The digital transformation of Spanish Industry https://www.industriaconectada40.gob.es/SiteCollectionDocuments/informe-industria-conectada40.pdf

Industry 4.0: “It refers to the fourth industrial revolution, which is based on the real-time availability of all relevant product information, provided by an accessible network throughout the value chain, as well as the ability to modify the optimal value flow at any time.

This is achieved through digitalisation and the union of all the productive units of an economy. This requires the fusion of technologies such as Internet of Things (IoT), computing and cloud, big data and cybersecurity, as well as the complementary ones: mobile, analytics, M2M, 3D printing, robotics and community/sharing”. (Source: https://www.industriaconectada40.gob.es/)

Already in 2015 the current chairman of Telefónica, José María Álvarez-Pallete, speaking at the Ministry of Industry, Energy and Tourism, had a clear vision:

“This fourth industrial revolution arises from the union of industry and the physical world with the world of telecommunications and software, […] the fusion between the “normal” world and the logical world and it represents a qualitative leap in the organization of industrial models. Everything will be connected, absolutely everything“. 

Within the digital enablers of Industry 4.0 there are two transversal and essential ones for the digital transformation and its path towards the industry of the future:

  • Connectivity, the basis of the new connected industry and that which guarantees the availability of relevant information in real time. 
  • Cybersecurity, as a result of the above: the interconnection increases the exposure area and therefore the risk. 

It is on this road to digitisation and the connection of industrial processes that cybersecurity becomes necessary in operating technologies (OTs). 

What are OT systems?

We understand OT to be those technologies and control processes related to production, traditionally isolated and now connected to corporate networks: devices are now connected to the corporate IT network, so that the company’s management can make agile decisions based on the aggregated processed data from the production plants. All this with the aim of improving the company’s competitiveness and profitability, improving efficiency in the use of resources, shortening delivery times, personalising production, etc. 

As connectivity increases, the area of exposure to potential cyberattacks increases too. To this increase in exposure area we can add the lack of maturity, regarding cybersecurity, of OT processes. 

A clear example would be a remote station consuming a specific resource. Maintaining and operating the station would possibly have a high cost, including the need for onsite people and controls to certify its correct handling, maintenance and operation. However, the operation of the same station from a node that would gather the operation of several stations through a secure connection and a software solution would drastically reduce the cost. 

In addition, this software can allow the automation and configuration of certain processes and parameters that enable a more intelligent consumption of resources (efficiency) as well as an increase in production, improving its effectiveness.

Corporate Cybersecurity (IT) Versus Industrial Cybersecurity (OT) 

Corporate cybersecurity is concerned with the protection of the company information which is processed, stored and transported by interconnected systems. What matters is the data, assessed along three parameters:

  • Confidentiality: protecting information from unauthorised access and improper disclosure. 
  • Integrity: protection against unauthorised modifications. 
  • Availability: protection against interruptions in access. 

In the industrial environment (OT) the important thing is the process. It must be considered that industrial processes interact with the physical world, unlike what happens in the corporate environment. Therefore, the impact of an incident can have physical consequences, that is, in the “physical world”, not only in the “logical world” as we saw in the previous quotation. 

Beyond the economic or image damage, there can be personal injury, environmental damage, production interruptions, plant shutdowns, or what would be more worrying: alterations in the quality of the final products. In this case: 

  • Integrity is the most important thing: that data is not altered because it would be difficult to detect and correct. 
  • Availability: as soon as non-availability is detected, action can be taken to restart the process.
  • Confidentiality is important but, in general, less than the previous ones. 

In 2016, Industroyer malware affected Kiev, leaving the city with no power at all. Once it reached the industrial system, this malware took control of switches and circuit breakers using typical industrial communication protocols. 

The malware is so modular that modifications can be implemented quickly to affect other types of systems. The fact that the protocols did not implement security by default meant that, once the infection was executed in the IT systems, control over the industrial devices was “simple”. By the way, for the devices affected by the attack there was a security patch months before, who remembered to update? 

This classic example reflects the need to consider cybersecurity in IT and OT environments. Once the security of control systems, such as a PC or SCADA system, had been breached, the malware had a clear path to spread. The industrial protocols and devices had no additional security measures in place and were even out of date. Several fundamental measures for combating cyberattacks in industrial environments can be inferred from this reflection: 

  • Define security measures in the IT field that are aimed at protecting industrial systems and devices 
  • Define security measures in the OT area to protect devices and protocols that may not have security implemented by default. Widely used protocols, such as Modbus (simple, public, but without defined security in the link layer or in the application layer), require measures to mitigate this lack of default security 
  • Implement good practices defined in standards such as NIST’s “Cybersecurity Framework”, ISA / IEC 62443 or the National Industrial Safety Scheme (ENSI). 

More details on OT security 

OT security generally covers the security controls around Process Control Systems (PCS), Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) environments, which are also collectively referred to as Industrial Control Systems (ICS) environments.

The OT (or ICS) environment uses common computer systems and devices, such as authentication servers, IP-based network switches and firewalls, as well as PC workstations that run the engineering software to manage the ICS devices. 

Finally, it is important to highlight the volume of vulnerabilities we are talking about and the impact of the cyber-incidents generated. According to the Spanish National Institute of Cybersecurity, INCIBE, 207 security warnings related to the industrial sector were registered in 2019. The vulnerabilities registered through these warnings were mostly (over 75%) of high or very high criticality (more information at https://www.incibe-cert.es/blog/seguridad-industrial-2019-cifras). 

Industry 4.0 is here to stay until it is overtaken by 5.0, but the cybersecurity challenges it poses make it necessary to take action and develop new solutions to ensure a safe use of this breakthrough. 

Oh, I forgot… What is industrial cybersecurity then? According to the Industrial Cybersecurity Centre (CCI), “industrial cybersecurity is the set of practices, processes and technologies designed to manage the risk of cyberspace arising from the use, processing, storage and transmission of information used in industrial organizations and infrastructures, using the perspectives of people, processes and technologies”. (Source: https://www.cci-es.org/)

Bonus track 

Industrial devices are closely related to critical sectors because of their impact on a country, such as the health, railway or maritime sectors. But in addition to the impact on the business and image of those affected, how and in how many ways could the damage caused by an industrial device that modified the composition of food or drink to make it harmful to humans or to leave an entire country without electricity or heating in the middle of winter be quantified? What if they were devices related to hospitals or nuclear or military devices? What impact would this have on the productive fabric or on the health of citizens? 

All these aspects in each sector deserve separate comments. But that is another story we will see in other posts.

Cybersecurity Weekly Briefing October 17-23

ElevenPaths    23 October, 2020

New banking trojan called Vizom

IBM Security Trusteer’s research team has published a report analysing the new “Brazilian family” banking trojan called Vizom. This malicious software uses techniques similar to those of other banking trojans, such as overlaying a screen that is generated when the victim logs in and performs banking transactions with the aim of exfiltrating that information, keylogger functions, and taking screenshots. Vizom also stands out for the way it infects and installs itself on victims’ devices: it is disguised as legitimate video-conferencing software, which ensures that the operating system runs its malicious DLLs, allowing infiltration of legitimate directories on Windows devices. The entry vector used by the threat agents is malicious emails with a malicious file attached. Another aspect to highlight is the mechanism used to achieve persistence: Vizom modifies the browser shortcuts so that, no matter which browser is used, the legitimate Vivaldi browser is executed in the background, which is in fact a malicious process. In this way, the stolen information is exfiltrated and transmitted to its Command & Control.

More: https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay

Google corrects 0-day vulnerability

Google has released a security update that fixes five bugs in its Google Chrome browser, including a 0-day vulnerability that is being actively exploited. This latest vulnerability (CVE-2020-15999) is a memory corruption bug in the FreeType font rendering library, which is included by default in Chrome. According to Ben Hawkes, leader of Google’s Project Zero team, threat agents are exploiting this flaw in the library to carry out attacks against Chrome users. It is recommended to update the Google Chrome browser to version 86.0.4240.111. In addition, the bug has been corrected in FreeType version 2.10.4.

More: https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

Ransomware incident in Sopra Steria

Yesterday early afternoon, the media outlet Le Mag IT reported a ransomware incident at Sopra Steria that would have affected the company’s Active Directory, managing to encrypt part of the consultancy’s information systems. The company confirmed in an official statement that the attack was detected on the night of October 20th and that measures were taken to limit the risk of it spreading. Sopra Steria has also said that it is in close contact with its clients and partners, as well as with the competent authorities. There is still no official confirmation about the ransomware family that would have caused the incident. However, the journalist Tristan Brossat stated in the early afternoon that it would be Erica Ransomware, while the outlet that spread the news, Le Mag IT, has updated its information on the incident, reporting that this attack would be related to Ryuk Ransomware. More information on the extent of this incident and its possible causes is expected to be published in the coming hours.

More: https://www.lemagit.fr/actualites/252490877/Sopra-Steria-frappe-par-un-ransomware

Privilege escalation vulnerabilities in Citrix Gateway Plug-in

Citrix has updated its security newsletter with two new vulnerabilities (CVE-2020-8257 and CVE-2020-8258) in the Citrix Gateway Plug-in for Windows systems. Cymptom’s security researchers have analysed these vulnerabilities and published proofs of concept. If exploited, these vulnerabilities could allow a local user to escalate their privileges to SYSTEM. The Citrix Gateway client installs a service that runs as SYSTEM and executes a PowerShell script every 5 minutes. The flaw is that PowerShell is not invoked by its full path, allowing an attacker to plant a malicious powershell.exe file. Both vulnerabilities can be mitigated with access control lists (ACLs) by setting more restrictive permissions on the local Citrix folders. Citrix recommends updating the Citrix Gateway Plug-in to a corrected version as soon as possible.

More: https://cymptom.com/gateway2hell-multiple-privilege-escalation-vulnerabilities-in-citrix-gateway-plug-in/2020/10/

How IoT and Big Data is elevating Energy Management

Patrick Buckley    23 October, 2020

Increasingly, energy management is becoming a topic of great social importance. In today’s post, I will explain how IoT (Internet of Things), together with Artificial Intelligence (AI) technology, is improving energy management solutions for both the energy provider and the consumer.

Industrial Consumers – Building Management Systems 

Industrial consumers are often faced with an ultimatum. How can they drive forward growth strategies without having to compromise on their commitment to environmental sustainability? The answer is by implementing Smart Building Management Systems.

Large industrial consumers may struggle to monitor network wide energy consumption trends due to their large scale of operations and complex structure. IoT technology offers large enterprises the ability to monitor energy usage easily and efficiently. 

Smart Building Management Systems use IoT-powered sensors to collect data across complex infrastructure networks. Using AI capabilities, this data is analysed automatically, allowing inefficiencies in usage patterns to be easily identified and targeted. This real-time reporting allows for smarter energy management decisions, reduced energy bills and a lower carbon footprint for the organisation.

IoT-powered sensors also have the capability to coordinate with existing energy systems and supply networks. Energy usage can be adjusted automatically according to environmental conditions, such as room occupancy, temperature and level of natural light. In this way, building occupants may not even notice a reduction in energy consumption in their environment. As IoT-powered smart Building Management Systems are rolled out across extensive networks, the potential reduction in overall network energy consumption is enormous, benefiting the enterprise both socially and financially.

Efficient Grid Management 

The use of IoT sensors along distribution channels allows energy providers to easily monitor demand and consumption patterns. This allows providers to easily adjust supply along power lines. This can be done dynamically in accordance with real-time demand. The risk of oversupply in networks is therefore reduced, resulting in a decrease in energy wastage.

Due to the real-time nature of IoT sensor reporting, providers can understand in great detail the consumption habits of consumers. This information can be understood geographically, helping providers to plan targeted network expansions and upgrades, leading to a higher quality network infrastructure.

AI also plays a key role here. It is not feasible for technicians to manually adjust power requirements as often as demand changes. Through the compilation of consumption data, smart grid management systems can automatically adjust voltage along power lines. This allows suppliers to predict consumption changes so the grid is always prepared to supply the energy requirements of customers.

Smart Meters, the future for domestic consumers

IoT-powered smart meters constantly collect energy consumption data and send it both to service providers and to customers. This allows suppliers to understand, in great detail, the consumption habits of their consumers. Suppliers can therefore adjust network capacities accordingly.

For the domestic consumer, sophisticated integrated IoT systems allow the consumer to understand the energy consumption of every device in the home. This helps to identify power-hungry appliances, reducing energy wastage. It is also helpful to the domestic consumer to understand, through detailed reporting, how a household may be able to save money on energy bills by changing consumption habits.

Conclusion

The use of IoT sensors and AI is the future of energy management. Large industrial consumers have the most to gain here. A network-wide smart energy management solution will provide lucrative savings for any large organisation, whilst allowing them to fulfil promises of environmentally sustainable practice. Domestic consumers also win through lower energy bills. IoT technology allows energy providers to be far more dynamic and flexible in their supply planning. 

To keep up to date with Telefónica’s Internet of Things area, visit our web site or follow us on Twitter, LinkedIn or YouTube.

Innovation and New Cybersecurity Tools: Security Innovation Days 2020 (Day 3)

ElevenPaths    23 October, 2020

This was the 8th edition of the Security Innovation Days. Three intense days in which innovation in cybersecurity and the digital transformation were the essence of the event. For the last one, we reserved the main course and the identity mark of this event: the presentation of the latest projects and tools on which our teams have been working.

Introduction

The day started once again with an introduction by Monica Carrillo and Pedro Pablo Pérez, who for the third day in a row were the perfect masters of ceremonies. New products, services, tools and, in short, the latest developments in innovation to offer our clients exactly what they need.

Pedro Pablo Pérez ready to enter the set

Telefónica Innovation Ventures

The session started in style, with an important announcement that had been made official just a few hours before. Guenia Gawendo, Head of Telefónica Innovation Ventures, and Raúl Riesco, Head of Public Administration and Strategic Investments at ElevenPaths, were in charge of presenting the new project of Telefónica Tech Ventures, an investment vehicle of Telefónica and promoted by ElevenPaths that aims to detect new opportunities related to disruptive innovation in cybersecurity.

Guenia Gawendo during her speech

Magnet

Afterwards, in the first presentation focused properly on new developments, the CTO team, represented by Gonzalo Fernández and David López Meco, presented the Magnet project, an initiative developed entirely during this complicated 2020 which offers security and connectivity for SMEs. Proof that it is possible to develop products remotely.

The CTO team, represented by Gonzalo Álvarez and David López Meco

ElevenLabs

We got to the highlight of the day: our team from the Innovation and Laboratory Area presented the latest tools, with its director, Sergio De Los Santos, accompanied by a dream team: Jose Torres, Helene Aguirre, José A. Cascallana, Gabriel Álvarez, Félix Brezo and David Vara.

An area that has grown a lot over the last year, adding our innovation centres throughout Spain: TEGRA, C4IN and SOTH, as well as our beloved Chief Security Ambassadors (CSAs), spread over 5 countries.

If you want to discover more about the tools presented, here you can find more information:

  • Deeder, tool for signing contracts through instant messaging platforms
  • Aldara, the intelligent tool for social networks
  • Aristeo: in progress from C4IN (C 4.0 with Cidaut
  • Ameba
  • TheTHE, tool for Threat Hunting equipment
  • IDoT, Identity of Things

More developments from the Innovation and Laboratory team: AMSIExt, ChainLock or DoH (DNS over HTTPS).

Jose Torres and Sergio de los Santos during their online intervention

Netskope Sponsor

We also counted on the vision of our partner Netskope about the new era of cybersecurity, in which SASE and the cloud will be key players. A great presentation by Samuel Bonete, Regional Sales Manager for Iberia. A pleasure to be able to have you.

Samuel Bonete, Regional Sales Manager Iberia of Netskope

Goodbye

We could not call it Security Innovation Day without the presence of our Chairman Chema Alonso, who recounted the history and evolution of ElevenPaths, how we have reached this New Era, and his new projects as CDCO of Telefónica.

A luxury closure signed by our Chairman, Chema Alonso

Thank you very much to all the attendees; we are very happy with the welcome and the participation in this peculiar edition. See you next year!

New Capabilities for the Future of Cybersecurity: Security Innovation Days 2020 (Day 2)

ElevenPaths    22 October, 2020

Second day of the Security Innovation Days 2020, focusing on the new capabilities we have acquired as a cybersecurity company from Telefónica Tech. A few weeks ago, we announced the purchase of two leading companies, each of them in their own field, which would help us to complete our offer. First it was Govertis, specialists in consultancy and GRC (Governance, Risk and Compliance), and then iHackLabs, experts in training and coaching professionals.

In addition to presenting these acquisitions we discussed how threat intelligence is generated and managed and how our experts are organised to protect our clients 24/7. If you missed the live event, here is a complete summary, get ready to learn about The New Era of Cybersecurity!

Introduction

Once again, Mónica Carrillo, together with Pedro Pablo Pérez, gave an introduction to the day, previewing what we were going to find over the next hour and a half: new security, intelligence and operations solutions and the highlight of the day: new capabilities focused on people.

Threat Intelligence Generation

The first lecture was by Miguel Ángel de Castro, Lead Analyst at ElevenPaths, who usually presents more technical content but adapted it for all audiences at this kind of event. The presentation focused on the strategies we use to generate quality threat intelligence and how it is used to improve incident response, highlighting our collaboration with the Cyber Threat Alliance and, of course, a live demo, a distinguishing mark of our innovation events.

E-Signature

Digital signature and biometrics solutions are becoming increasingly common and important in companies of all sectors. Even more due to the situation we are experiencing worldwide.

For this presentation we had Daniel Ramos, Business Development Manager at ElevenPaths, who began by introducing the new features of SealSign, our digital signature and biometric signature tool, together with Nick Dawson, Director & Global Head of B2B Solutions Sales at Samsung Electronics. Nick connected to our event from Seoul to explain how our technology is being used by Samsung, integrating it into their devices.

Special Operations: Threat Hunting

In order to talk about special operations, no one better than Martina Matarí, Team Lead of the Threat Hunting team and Roberto Carlos Pérez González, Manager of Managed Services. Both our experts explained how we are adapting to the digital transformation by modifying the services and operations that our clients demand.

Their presentation was joined by a special guest: Daniel Aparicio, Manager of Cybersecurity Architecture and Operations at Ferrovial, a client with which Telefónica has a longstanding relationship in cybersecurity. A real luxury to be able to count on his presence.

Skills and People on The Rise: Boosting Cybersecurity Training

We reached the key point of this day: new capabilities focused on people. On the same day, October 21st, the launch of Cyberacademy+ was announced, an academy that will enable the training and education of almost 3,000 ElevenPaths employees and, later on, our clients’ professionals.

Elena Lim, Head of Cyberacademy+, together with José Manuel Ávalos, Business Development Manager at Cyberacademy+, presented ElevenPaths’ commitment to people. The demand for professionals, like the cyberthreats themselves, is constantly increasing, so training in this area is more necessary than ever. Through the iHackLabs training platform and the new tools and courses that we are developing internally, we will be able to cover the gap between what companies need and what is currently offered in this sector.

Skills and People on The Rise: Boosting Cybersecurity Consultancy

It was then the turn of Alejandro Ramos, Global Director of Security Operations, who introduced another of the capabilities we have recently acquired: the consulting and GRC branch, thanks to the integration of Govertis. And no one better to present it than Eduard Chaveli, connected remotely from Valencia, founder of this company, which has 20 years of experience and will contribute a lot to our current offer.

In the interview in which Alejandro asked Eduard questions, we were able to learn in more detail what they are going to offer us and how they are going to allow us to offer our clients such an important and necessary branch of security. Welcome to ElevenPaths!




Cybersecurity and Business in the New Era: Security Innovation Days 2020 (Day 1)

ElevenPaths    21 October, 2020

First day of the Security Innovation Days 2020 completed, with more than 1500 people connected from all over the world. If you missed the first day of our cybersecurity innovation event, don’t worry: here is a complete overview so you can relive this first business-focused day and see how cybersecurity is key to the digital transformation process of companies in all sectors.

Introduction – Keynote Telefónica Tech

The event began with an introduction by the presenter and host of the event, Monica Carrillo, in which she explained how this year’s event would work: three days completely online in which our experts and several of our partners present the new era of cybersecurity, The New Era.

A very special eighth edition for several reasons:

  • Virtual meeting: for obvious reasons, the 2020 edition is 100% online, allowing colleagues, clients and people interested in cybersecurity from all over the world to attend.
  • Three days: we have a lot to tell, so we have decided to move from a single day to three, separating the presentations by topics and facilitating attendance.
  • Telefónica Tech: this is the first edition that we are celebrating as part of the Telefónica Tech holding, a few weeks before the first anniversary of the announcement.

After the introduction, our CEO Pedro Pablo Pérez took the floor, presenting the main characteristics of ElevenPaths and how it fits within Telefónica Tech’s holding. And who better than Telefónica Tech’s own CEO, José Cerdán (through a connection from the set to Telefónica District), to explain the digital capabilities of the holding and how cybersecurity is offered to the client together with Cloud, Internet of Things (IoT) and Big Data.

Pedro Pablo highlighted the four pillars on which the creation of ElevenPaths as a company is based: trust, growth, efficiency and motivation. These are closely aligned with the global strategy of the Telefónica group and will allow us to grow by maximizing value and delivering it to our clients at the highest quality.

In short, ElevenPaths is the reliable partner that any company needs to face the digital transformation in a secure way.

Gold Sponsor: Zscaler

The first presentation was by one of the event’s sponsors: Zscaler. Jay Chaudhry, CEO and founder, explained his value proposition as a strategic partner of ElevenPaths, collaborating to make our clients’ projects stronger than ever.

He began by stressing the importance of the short and medium-term future, a future in which cybersecurity will be of great importance. He predicted that the next decade would be full of disruption and opportunity, and we could not agree more: Welcome to The New Era.

New Perimeter

We got down to business: it was the turn of our product experts, the ones who are closest to market developments and trends. They explained what the new perimeter of cybersecurity is and what it covers.

Alberto Sempere, Global Product and Partnerships Director of ElevenPaths, led the presentation, which focused on several of the most important issues of the present, and especially the future, of cybersecurity. To explain each of the topics, the managers of each area, Miguel Ángel Pérez Acevedo, Global Cloud Security and Spanish Product Marketing Manager of ElevenPaths, Vicente Segura, Industrial Cybersecurity, IoT and IoT Security Manager of Telefónica, and David Prieto, Risk, Compliance, Identity and Services Manager of ElevenPaths, came to the set with a demo of our SealSign service.

These are trends that are already a reality and will make a difference in the coming months.

International CISOs Round Table

We got to one of the highlights of the day, an international round table with CISOs from various clients who gave their point of view on cybersecurity. The following guests took part in it:

Gold Sponsor: Palo Alto Networks

At the end of the day, the opportunity arrived for another of our partners and gold sponsors of the event, Palo Alto Networks.

Its CTO and founder, Nir Zuk, presented his vision of the future of cybersecurity and how we are working together to achieve our goals.

Goodbye

That was the summary of the first day, with very interesting talks that undoubtedly leave us wanting more. There are still two days left in which we will present the latest tools we have been working on, our proposal around talent and people, and the latest capabilities we have acquired in consulting and training.

Here is the complete video of the first session. Welcome to The New Era.



Encryption That Preserves The Format To Ensure The Privacy Of Financial And Personal Data

Gonzalo Álvarez Marañón    20 October, 2020

Your personal information is scattered across thousands of databases of public and private organizations. How do you protect its confidentiality so that it does not fall into the wrong hands? At first glance, the solution seems obvious: just encrypt it. Unfortunately, in cryptography things are never that simple. Encrypting information like this without further ado poses several drawbacks. Let’s look at an example.

Disadvantages of Encrypting Confidential Data


Imagine that an online shop or your financial institution wants to encrypt the credit card number that they keep in their database. They could use the standard encryption solution: AES, for example, in CTR mode with a 128-bit key and a random initialisation vector. If your card number is 4444 5555 1111 0000, the result of encrypting it with AES-128-CTR is shown in the table below, encoded in different common ways:

Clear text: 4444 5555 1111 0000
Encrypted text in Base64: U2FsdGVkX1/Kgcb0V8G++1DWcwyu47pWXflP2CiVda51Ew==
Encrypted text in hexadecimal: 53616c7465645f5f3601f1e979348111d342c038e9275492a1966fd8659f61a89869
Encrypted text, raw (unencoded): Salted__ݺ▒Ii<½║'{☺Éqc»▬@Çþ¶ÔÈ×C♂♦

As you can see, the format of the encrypted text has nothing to do with the format of the original clear text.

  • Change in length: the encrypted text is much longer than the clear text. It would violate the standard length limits for credit card numbers imposed by the database.
  • Change in format: no one would recognize this sausage as a credit card number. If a cyber attacker steals the database, he doesn’t have to be very clever to realise that what he is stealing is not a ready-to-use credit card.
  • Change in character set: the content of the record would fail every validation because it contains characters that are not digits, let alone in its raw form, which looks like a teenager’s WhatsApp. The encrypted text would cause problems in the data schema.

This transformation of the clear text into a monstrous string will break many systems:

  • You will not be able to store it in databases that are not prepared to accept this new format.
  • You will not be able to transmit it through the usual payment gateways.
  • You will have to decrypt it every time you use it.
  • You will not be able to search for a specific card number in the database to consult its operations.

Is that not enough? Well, the problems don’t end there. If during a database query the encrypted value is decrypted to be read and then re-encrypted, AES in CTR mode will use a new random initialisation vector, so the new ciphertext will look nothing like the previous one. As proof, this new table shows the same card number encrypted with the same key but a different initialisation vector:

Clear text: 4444 5555 1111 0000
Encrypted text in Base64: U2FsdGVkX18OyY1wEH1Co2mFw3nXazm9e6yCGqLLAyTbug==
Encrypted text in hexadecimal: 53616c7465645f5f09c2cb2e14abda1d21bea9d22e3653e8310e6e8551a94bbf1467
Encrypted text, raw (unencoded): Salted__Ñ╬T7¶Í«é¿r═§yG»¬³hºƒð7→{╩e

Nothing alike, right? As a consequence, forget about using the encrypted value as a unique key to identify a row in a database, because it will change from one encryption to the next.

In short, encrypting data that has a very strict format, such as a credit card number, poses several seemingly insurmountable practical limitations. But then, if the change in format prevents encryption, how do you comply with the latest regulations, such as GDPR, PCI DSS or PSD2, and how do you preserve data confidentiality without impairing database functionality?

What Solution Does Cryptography Provide?

The answer cryptographers have given to this dilemma is known as Format-Preserving Encryption (FPE). FPE extends the classic encryption algorithms, such as AES, so that the encrypted texts retain their original length and format. Moreover, in the particular case of a credit card, the encrypted value can even be made to pass the Luhn check. See how the above credit card number would look encrypted using FPE:

Clear text: 4444 5555 1111 0000
Encrypted text with FPE: 1234 8765 0246 9753

With FPE, a credit card number is encrypted into a string that still looks like a credit card number and passes all the checks.

Thanks to FPE, data no longer causes errors in databases, message formats or legacy applications. And what is the biggest advantage of FPE? You can process and analyse the data while it is encrypted because it will still comply with the validation rules.

Of course, there are many highly formatted data beyond credit card numbers that can be successfully protected by FPE:

  • IMEI number
  • Bank account number
  • Phone number
  • Social security number
  • Post code
  • ID number
  • E-mail address
  • Etc.

These identifiers are routinely used by all types of industries: e-commerce, financial, health, etc. The question is: how secure are these encryption methods?

FPE in the Real World

In 2013 NIST adopted, in its SP 800-38G recommendation, three algorithms to encrypt data while preserving the format, called FF1, FF2 and FF3 respectively. If you are curious about the name, it derives from the use of a long-standing encryption construction, the Feistel cipher; hence the algorithms based on it are called Feistel-based Format-preserving encryption, or FF. FF2 did not even see the light of day, as it was broken during the approval process. As for FF3, weaknesses were already found in 2017, which were addressed in the subsequent FF3-1 version. For the time being, FF1 and FF3-1 are still holding up.

However, the FPE algorithms still have limitations:

  • FPE algorithms are deterministic: identical clear texts will result in identical cipher texts when encrypted with the same key, unlike conventional encryption, which is usually randomised. However, for data with less demanding formats, such as an email address, randomness can easily be added, as an email address can be of any length, unlike, for example, a telephone number which will always have 9 digits.
  • FPE schemes do not provide data integrity (you have no guarantee whether the encrypted data has been changed) or sender authentication (you have no guarantee of who encrypted the data).

In the end, FPE continues as an open research problem, in which we will still see many advances both in cryptanalysis (breaking algorithms) and in the creation of new, more powerful ones.
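As an added worked example, and not code from the article or from any NIST reference implementation, the Python script below builds a simplified Feistel-based FPE over decimal strings in the spirit of the FF algorithms above. It uses HMAC-SHA256 from the standard library as the round function instead of AES, so it is not FF1 or FF3-1 and serves only to illustrate the construction; it also accepts a tweak, as FF1 does. For a card number it encrypts the 15 payload digits and recomputes the Luhn check digit, so the ciphertext keeps the length, the separators and a valid check, which is the property the credit card table above describes. The key bytes and the test number 4111 1111 1111 1111 are constructed values, and the same key, tweak and plaintext always produce the same ciphertext, which is exactly the determinism listed under the limitations.

```python
import hashlib
import hmac

ROUNDS = 10  # FF1 also uses 10 Feistel rounds; the round function here is simplified


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # once the check digit is appended, these positions are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, out_len: int) -> int:
    """Feistel round function: HMAC-SHA256 reduced to an out_len-digit decimal value.
    Simplified stand-in for the AES-based PRF of FF1/FF3-1 (illustration only)."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([round_no]) + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** out_len)


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Unbalanced Feistel network over a decimal string; output has the same length."""
    if len(digits) < 2 or any(ch not in "0123456789" for ch in digits):
        raise ValueError("input must be a decimal string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half being modified this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt_digits: run the rounds backwards with subtraction."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def _reformat(template: str, digits: str) -> str:
    """Write digits back into the template, keeping spaces or dashes where they were."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


def encrypt_card_number(key: bytes, card: str, tweak: bytes = b"") -> str:
    """Encrypt a PAN keeping length, separators and a valid Luhn check digit."""
    digits = "".join(ch for ch in card if ch.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a Luhn-valid card number")
    body = fpe_encrypt_digits(key, digits[:-1], tweak)  # check digit is recomputed, not encrypted
    return _reformat(card, body + luhn_check_digit(body))


def decrypt_card_number(key: bytes, card: str, tweak: bytes = b"") -> str:
    """Recover the original PAN; the check digit follows from the decrypted payload."""
    digits = "".join(ch for ch in card if ch.isdigit())
    body = fpe_decrypt_digits(key, digits[:-1], tweak)
    return _reformat(card, body + luhn_check_digit(body))


# Constructed demo key and a constructed Luhn-valid test number (not a real account)
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEMO_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    ct = encrypt_card_number(DEMO_KEY, DEMO_PAN)
    print("clear:    ", DEMO_PAN)
    print("FPE:      ", ct, "luhn ok" if luhn_valid(ct.replace(" ", "")) else "luhn FAIL")
    print("decrypted:", decrypt_card_number(DEMO_KEY, ct))
```

Because the check digit is derived rather than encrypted, the scheme only round-trips for inputs that are Luhn-valid to begin with, which is why `encrypt_card_number` rejects anything else; a deployment would also keep the real scheme's domain-size limits in mind, since the Feistel structure offers little security on very short strings.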

ElevenPaths Approaches the Cyber Security Paradigm Shift and the New Era’s Digital Transformation in the SID 2020

ElevenPaths    20 October, 2020
  • Telefónica Tech’s cyber security company is holding its 8th Security Innovation Days, this time in a virtual format and extending from one to three half-days, on October 20th, 21st and 22nd.
  • Among the new features of this edition is the new digital format via streaming and its corresponding accessibility for international clients and attendees. This will be the first edition in which ElevenPaths holds the event as a member of Telefónica Tech’s holding.
  • We can find José Cerdán, Pedro Pablo Pérez, Martina Matarí, Chema Alonso, Eduard Chaveli and Guenia Gawendo, among other speakers.

ElevenPaths, Telefónica’s cyber security company, is holding the 7th Security Innovation Days, a national and international reference event on innovation and security, under the slogan: The New Era.

At ElevenPaths we are betting on the digital transformation to create a new era, The New Era, becoming an essential key player in the digital life of our clients. Only those organizations that understand that in the new era it is necessary to invest in material and human resources will be able to move in this new environment of “Digital Cyber Security Transformation”.

At the end of last year we announced the creation of Telefónica Tech. As a result, ElevenPaths became Telefónica’s Cyber Security Company and a subsidiary of Telefónica Tech’s new holding company. With the aim of integrating the digital capabilities of The New Telefónica, we want to support our customers in the digitalization process by offering a comprehensive service for managing their security.

Since the announcement of the new Telefónica Tech, ElevenPaths has grown by almost 1,000 specialised cyber security professionals worldwide.

The Security Innovation Days 2020 will be held on October 20th, 21st and 22nd. This year we continue to count on the support and participation of our partners in three categories: Gold, Silver and Bronze. In this edition our gold partners are Cytomic, Netskope, Palo Alto Networks and Zscaler. The silver partners are CheckPoint, Crowdstrike, Forcepoint, Fortinet, McAfee and RSA. And last, but not least, the bronze partners are Akamai, Bitsight, Netscout and Proofpoint.

In addition, among the new features, the digital streaming format and the accessibility for international clients and attendees stand out. This will be the first edition in which ElevenPaths holds the event as a member of the Telefónica Tech holding. Attendee registration has no capacity limit, and the event will be broadcast live from a television set.

The event starts on October 20th with the opening by José Cerdán, CEO of the Telefónica Tech holding, accompanied by Pedro Pablo Pérez, CEO of ElevenPaths, who will present the company’s recent digital ecosystem. In this edition we will talk about the new perimeter in cyber security, the intelligent management of threats (Threat Hunting) and the qualities of the Operations of the future. As a challenger company and provider of Managed Security services that integrates its own products and services, ElevenPaths also offers consulting services. For this reason, during our Security Innovation Days 2020 we will have sessions dedicated to four main topics: buy, invest, make and partners.

Moreover, we will have several sessions where we will address the work of our ElevenLabs and review the cyber security tools of the future.

We will also be joined by Eduard Chaveli, Head of Strategic Consulting at ElevenPaths and CEO of Govertis. At the beginning of September ElevenPaths took over two leading companies in strategic consultancy and cyber security training: Govertis and iHackLabs.

Guenia Gawendo, director of Telefónica Innovation Ventures, will be joining us too. Telefónica, through its corporate venture capital vehicle, Telefónica Innovation Ventures (TIV), has made an investment in Nozomi Networks Inc, a leading company in security for industrial control systems. Present in 16 countries, it allows real-time visualisation of cyber risk, as well as managing and improving the resilience of industrial operations. These projects are the result of investments made by Wayra, Telefónica’s open innovation area. Altogether, 300 companies have been reviewed and 40 invested in.

Furthermore, during the VII Security Innovation Days, an international CISOs round table will be held with different companies. They will bring their business vision and the challenges that cyber security and digital transformation present to clients and companies. In this round table we will count on Eroski’s CISO, O2 Germany’s CISO and Caja de Los Andes’ CISO.

Press release

Steps to move security solutions forward in the face of current world challenges

Alejandro Maroto    19 October, 2020

Palo Alto Networks founder Nir Zuk recently addressed the Telefónica Global Security Summit with some thoughts on the direction of security and the implications of the COVID-19 pandemic. Many people are asking whether the pandemic has changed the course of security priorities by creating new trends. So far, the lesson learned is that priorities have not deviated during the pandemic; in fact, it has accelerated priorities that were already in the queue for action, most notably an increase in mobility, software deployment over hardware, work-from-anywhere and the migration of applications and functionality to the cloud. All of these topics increase cybersecurity needs. Let’s consider the top three challenges we are seeing and some options for addressing them.

Challenge #1: Migration to the cloud

Moving to the cloud enables organizations to function with less manual and more programmatic security procedures. The ability to apply security earlier in the process, before applications are deployed, allows for a more secure architecture. In most situations there are not a lot of legacy applications in the cloud, giving companies a cleaner start down this path.

Organizations are experimenting with different architectures for cloud infrastructure. Research into the state of cloud native security shows that 80% of security professionals feel their cloud environment is constantly shifting. Trying to figure out what or who is in your environment, let alone establishing a baseline for what is normal, can feel chaotic. In order to maintain Zero Trust for cloud, compliance and security teams need tools that can help continuously enforce policies.

With so many organizations constantly changing their cloud architectures, simply cataloging these different environments and ensuring that they adhere to any industry compliance regulations becomes increasingly time-consuming.

Solution: In order to maintain a Zero Trust approach, organizations should look for a cloud native security platform (CNSP) that can provide visibility into all types of workloads and offer policy engines that alert on any misconfigurations across multiple cloud service providers (CSPs). These integrated tools help security, compliance and development teams prevent configuration drift and quickly remediate issues across cloud environments.

Palo Alto Networks’ Prisma Cloud provides a best-of-breed solution that provides security across all compute platforms through multi-cloud visibility helping manage regulatory compliance across multiple environments. Dashboards show ingested data from multiple sources within a single pane of glass, and alerts are automatically prioritized with context. Prisma Cloud then recommends fixes to help users quickly validate workloads and applications.

Challenge #2: Re-architecting the WAN

Previously, WAN architecture flowed something like this: MPLS to the branch, Client VPNs to the remote user and IPsec to partners. The resulting configurations were costly for Service Providers to deploy and maintain and complex for Enterprises to manage. As a result, higher costs and lower margins impacted organizations providing managed solutions. Enterprises deploying their own solutions had to deal with a higher level of complexity to ensure applications across users were protected in a consistent fashion.

Solution: A cloud-based SASE architecture reduces the requirement to backhaul all data to a centralized data center before routing it to the Internet. Now traffic can go directly to the Internet via a worldwide private cloud network with security embedded throughout.

Palo Alto Networks recently launched the industry’s first Next-Generation SD-WAN with numerous innovations, including ML-powered autonomous capabilities; new teleworker, retail and large campus appliances; and further advancements to our powerful secure access service edge (SASE) solution, featuring deeper integration with CloudGenix SD-WAN and Prisma Access cloud-delivered security.

Palo Alto Networks is the only vendor in the industry with both its cloud-delivered security solution and its SD-WAN solution recognized as Leaders in Gartner Magic Quadrant reports (Network Firewall and WAN Edge Infrastructure). As a result, we can confidently ensure that organizations who want a SASE solution can get best-of-breed cloud-delivered security and SD-WAN, seamlessly integrated with no compromises.

Challenge #3: Automation of the SOC

Today’s Security Operations Centers are faced with an ever-increasing amount of data to analyze and manage in order to keep up with changing threat landscapes. This places a huge burden on staffing and can often leave room for security gaps.

We should aspire to a world where human intervention is the exception rather than the rule, similar to airplanes, which are able to fly themselves but have humans on board in case they need to intervene.

Solution: We can do this through use of SOAR or security orchestration, automation and response. With the use of machine learning, all data that is collected within the SOC environment can be analyzed in order to implement automation. This increases efficiency, reducing the workload for the humans and allowing them to focus on higher level tasks that require their attention.

Threat intel management has been an unsolved puzzle for a long time. Some security analysts and threat hunting teams still struggle to efficiently and confidently act on relevant indicators of compromise using disjointed threat intel feeds, tools and processes. Because of that, many analysts still spend time collecting feed data from various sources, manually entering it into centralized tools for reference, and eventually processing and pushing the relevant data to third-party enforcement tools for action. This laborious process drains precious resource time and increases mean time to response (MTTR). Faster, more scalable systems are badly needed by the already-stretched teams responsible for defending against highly sophisticated adversaries.

As security orchestration, automation and response (SOAR) platforms are designed to connect disparate systems together and automate manual processes, extending SOAR to provide native threat intel management functionality is a natural progression that solves a lot of these issues. According to Gartner’s Market Guide for Security Orchestration, Automation and Response Solutions, “A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action”.
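The collection, deduplication, enrichment and conversion-to-action steps described above, as an added example that is not code from Palo Alto Networks or from any SOAR product: two constructed CSV feeds (fictional indicators in the `.example` and 198.51.100.0/24 documentation ranges) are normalised (defanged URLs refanged, domains lower-cased and stripped of a trailing dot), merged so that the same indicator seen in several feeds becomes one record with its source set and highest confidence, checked against an allowlist, and turned into a block/monitor decision. The feed format, the threshold values and the allowlist are assumptions for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample feeds (not real indicators). Columns: indicator,type,confidence
FEED_A = """indicator,type,confidence
EVIL.example,domain,80
hxxp://bad.example/payload,url,70
198.51.100.7,ipv4,60
"""
FEED_B = """indicator,type,confidence
evil.example.,domain,90
198.51.100.7,ipv4,50
cdn.example,domain,40
"""

# Constructed allowlist of infrastructure that must never be blocked automatically
ALLOWLIST = {"cdn.example"}


def normalize(indicator: str, ioc_type: str) -> str:
    """Canonical form so the same indicator from different feeds deduplicates."""
    value = indicator.strip()
    if ioc_type == "url":
        value = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    elif ioc_type == "domain":
        value = value.lower().rstrip(".")
    return value


def aggregate(feeds: dict) -> dict:
    """Merge feeds keyed by normalised indicator, keeping sources and max confidence."""
    merged = defaultdict(lambda: {"type": None, "sources": set(), "confidence": 0})
    for name, text in feeds.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = normalize(row["indicator"], row["type"])
            entry = merged[key]
            entry["type"] = row["type"]
            entry["sources"].add(name)
            entry["confidence"] = max(entry["confidence"], int(row["confidence"]))
    return dict(merged)


def decide(merged: dict, allowlist: set, min_sources: int = 2, min_confidence: int = 80) -> dict:
    """Enrichment-driven action: corroborated or high-confidence indicators are blocked,
    allowlisted ones are ignored, the rest are kept for monitoring."""
    actions = {}
    for ioc, entry in merged.items():
        if ioc in allowlist:
            actions[ioc] = "ignore-allowlisted"
        elif len(entry["sources"]) >= min_sources or entry["confidence"] >= min_confidence:
            actions[ioc] = "block"
        else:
            actions[ioc] = "monitor"
    return actions


def run_pipeline() -> dict:
    """Full flow over the constructed feeds; returns the action per indicator."""
    merged = aggregate({"feed_a": FEED_A, "feed_b": FEED_B})
    return decide(merged, ALLOWLIST)


if __name__ == "__main__":
    for ioc, action in sorted(run_pipeline().items()):
        print(f"{action:20} {ioc}")
```

The allowlist check runs before any threshold so that a high-confidence but wrong entry in a feed cannot push a legitimate service onto a blocklist; in a real deployment the "block" decisions would be pushed to the enforcement tools and the "monitor" ones kept as detection content.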