Search the Community

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Under this rule, covered entities must report significant cyber incidents within 72 hours of discovery, along with ransom payments within 24 hours. CISA Director Jen Easterly emphasized the importance.. The post CISA Unveils Critical Infrastructure Reporting Rule appeared first on Security Boulevard. View the full article

Google’s infrastructure security teams continue to advance the state of the art in securing distributed systems. As the scale, capabilities, and geographical locations of our data centers and compute platforms grow, we continue to evolve the systems, controls, and technology used to secure them against external threats and insider risk. Building on the principles laid out in Building Secure and Reliable Systems, we are excited to announce a new series of technical whitepapers on infrastructure security. The series begins with two papers: Protecting the physical-to-logical space in a data center Enforcing boot integrity on production machines These papers are technical, but we designed them to be readable and accessible to non-experts. We hope they give you insight into the exciting work our teams are doing to keep our customers safe, and that the papers can be a valuable resource as you work to protect your own infrastructure from attacks... View the full article

Microsoft Azure hardware’s security posture is foundational to the security promises we make to our customers. The supply chain of Microsoft Azure servers relies on a multifaceted and complex ecosystem of partners across silicon production, assembly, systems integration, transit, and operationalization in data centers. Multiple interaction points across this supply chain pose significant threats to the security and integrity of an Azure server landing in production. These risks include firmware tampering, hardware tampering, installation of malicious code or spyware, weakened security controls, and many more. We at Microsoft believe it is critical to build mechanisms to proactively detect and remediate such issues during the early phases of product development or before servers dock in a data center. Hardware Root-of-Trust (RoT) devices such as Cerberus and Trusted Platform Module are the cornerstone for establishing foundational trust on hardware components in our cloud. This ensures the authenticity and integrity of these components and their firmware with traceability all the way back to silicon manufacturing. The best way to accomplish our objective is to verify “provenance” of our servers throughout their lifecycle from factory to production using hardware RoT device identities. During the silicon manufacturing process, the device identity is securely extracted and annotated to uniquely identify trusted devices. This mitigates the risk of “rogue” devices finding their way into the Azure fleet undetected (Figure 1). Lenovo is one of our leading supplier partners that are pushing the boundaries of secure supply chain with us. To further protect these hardware RoT identities on which we anchor the chain of trust, we leverage the power of enclaves and the Confidential Consortium Framework with Microsoft Azure confidential ledger to integrity-protect our supplier provenance database. Learn more about our firmware integrity protections. Azure confidential ledger integrity protects existing databases and applications by acting as a point-in-time source of truth which provides cryptographic proofs in verification scenarios. Specifically, stored data is not only immutable and tamper-proof in the append-only ledger but is also independently verifiable. It is also beneficial as a repository of audit trails or records that need to be kept intact and selectively shared with certain personas. Data logged in the ledger remains immutable, privacy-enhanced, and protected from insider threats within an organization or even the cloud provider. In this scenario, Azure confidential ledger provides industry-leading tamper-evidence capabilities to determine if any unauthorized manipulations have occurred with these sensitive device identities. At different points in time, verification checks are executed against the Azure confidential ledger to ensure that the data is consistent and pristine. Using this technology also mitigates tampering risks from highly privileged Azure operators. Figure 1: Azure confidential ledger protects provenance verification using hardware root-of-trust identities. Azure confidential ledger is used to light up a critical infrastructure security scenario—Project Odyssey. Project Odyssey aims to cryptographically verify the provenance of hardware RoT devices (attached to servers) as they undertake their journey from OEM floors to Microsoft Azure data centers and throughout their production lifecycle. As part of the manufacturing workflow, suppliers upload a signed manifest of hardware RoT identities into a trusted ‘provenance database’ that uses tamper-evident Azure confidential ledger integration. As the devices are assembled into components, blades, and racks, their identities can be verified at each step of the supply chain process. After long journeys by air, land, and sea, the assembled racks arrive at Microsoft Data Centers where they undergo additional checks to ensure that they were not tampered with during transit. Finally, when a server is ready for production, it undergoes attestation where its hardware RoT identity can be re-verified before allowing it to join the production environment and host customer workloads. Servers are expected to undergo this process periodically ensuring that the hardware components stay compliant throughout their lifecycle, thereby ensuring that malicious and unauthorized swapping of blades and motherboards is detected, and non-compliant servers can be tagged for eviction, investigation, and remediation. This is only one piece of our overall hardware security story. Microsoft Azure has developed comprehensive security requirements to enable security capabilities such as secure boot, secure update, attestation, recovery, encryption, and telemetry to ensure Azure hardware is resilient to such attacks through robust capabilities around prevention, detection, and response. Read more about how we secure Microsoft Azure’s hardware and firmware. At Microsoft, a core part of our culture is leveraging the work of each other to deliver industry-leading security to our customers with a defense in-depth approach. Azure hardware device provenance and supply chain security is a fundamental building block of our foundational security stack. Through cryptographic provenance verification of Azure hardware via Project Odyssey and additional defense-in-depth protections of hardware device identities using Azure confidential ledger, we are setting the gold standard in cloud hardware supply chain security to benefit our customers. “Lenovo’s key priority is to verify and ensure the end-to-end security and traceability for Microsoft cloud hardware. By implementing this process in both our component and system integration factories, not only can we trust that the hardware we receive from downstream ODM/OEM suppliers is secured and trusted, but we can add the Lenovo fingerprint data to the chain of trust, which helps assure Microsoft that the hardware received by data centers is fully secured and trustworthy. Integrating this solution into the Lenovo global supply chain workflow was exceptionally smooth thanks to the thorough documentation and examples that the Microsoft team maintains on an ongoing basis. Assuring the integrity and traceability of data in Azure confidential ledger allows Lenovo to focus on process and product quality, without needing to spend extra development cycles working on an in-house security solution.”—James McFadden, Executive Director, Supply Chain Quality & Engineering, Lenovo. Learn more Read about how Microsoft Azure confidential ledger protects the integrity of your data. Read about Microsoft Azure’s hardware and firmware security. The post Microsoft Azure confidential ledger: Enhancing customer trust in Azure’s hardware supply chain appeared first on Azure Blog. View the full article

From pure voice to data, and now with the connectivity provided to devices and machines, telco systems make it possible to deliver digital services to society. Thanks to telecom systems, we can keep in touch with each other and reach the information sources we need at any time and anywhere. As we have become increasingly reliant on these systems, we also need to be vigilant about telecom security. Telecom infrastructure security: Why does it matter? First and foremost, telecom systems hold sensitive data. These networks carry information about millions of customers, including personal information, such as user identity. Second, we rely on telco networks when providing essential public services, ensuring our physical and digital security, and running our economy. This is why cyber or physical attacks on telecom infrastructure can have significant impact and substantial negative outcomes for a country: They can cause disruption to networks, affecting operations or equipment,They can lead to access to and malicious use of sensitive information,Attackers could gain administrative access to networks and systems, which gives them the power to manipulate those systems. Increasing cyber-attacks on telecom The fact that sensitive user information is carried over telecom networks at a massive scale attracts malicious actors. Attackers typically aim to: Disrupt or downgrade services, for instance with Distributed Denial of Service (DDoS) attacks,Inflict privacy, confidentiality and integrity breaches, for instance by tracking users and devices,Obtain user identity information. The telco sector has seen an upwards trend on cyber attacks over the years. Today, telco is among the mostly targeted sectors. Average weekly attacks on organisations have reached over a thousand. Around 40% of businesses in the United Kingdom say they have had a cyber attack in 2022. There were around 50% more attacks on telco in 2021 compared to the previous year. Cyber attacks have been targeted at disrupting running services in particular. DNS attacks are predominantly observed on telecom networks, with over 80% of telecom networks having reported them at least once. DDoS attacks are also common. For instance, the European Union reported (ENISA report) a significant rise in DDoS attacks against general availability of services in 2021 compared to the levels in 2020. More strict regulations on the sector As a result, governments consider telecom networks and systems as critical national infrastructure. Rules and regulations get tougher and more strict each year for operators and service providers to follow and safeguard their systems. Among others, such regulations cover the following: Definitions of critical functions in a telecom system, such as those that enable network service operations, and the requirements to follow in order to secure those functions. Securing the infrastructure itself, which runs those network functions. Protecting any software and system that monitors a telecom network, and analyses user and control plane traffic. Stringent data protection laws to safeguard subscriber identity and data. Increasing cyber attack risks and the resulting regulations have therefore led to more and more investment in security solutions. As a result, the global IT and telecom security market is expected to grow rapidly to around over $80 billion USD by 2030. Increasing attack surface Our telecom infrastructure continuously evolves with newly added technologies and features. Hardware and software improve over time, and new standards are defined to bring higher quality services to users. With these improvements, new telecommunication solutions with more capabilities can be provided to subscribers and business customers. However, this innovation cycle also brings about challenges. Let’s go through these challenges briefly. 5G supports connectivity from many more types of devices, increasing the attack surface from devices and adjunct networks. Various types of devices Large numbers and a variety of devices are now getting connected to networks, including IoT devices, like smart home hubs, security cameras, storage devices, etc. These networks then get connected to the telecom infrastructure. This means that there are now various origins of attack from devices and adjunct networks, as these devices and/or networks may be compromised. Virtualisation of infrastructure control and management Telecom infrastructure is increasingly adopting virtualisation, so that mobile networking software can be run as virtual software instances. This provides operators with more flexibility, scalability, fault tolerance, control, cost-reduction, and energy efficiency benefits in running their networking services. However, virtualisation also results in a broader attack surface, as operators must now safeguard the infrastructure software, besides the running software instances. Telecom infrastructure is now virtual, powered by cloud management systems, and running 5G workloads. Networks as a service 5G vendor software workloads that provide control and management functions are now more modular and run as microservices on containers and virtual machines as cloud-native network functions (CNF) and virtual network functions (VNF). Furthermore, a vast ecosystem of software vendors now provide assisting technologies that also run as micro-services on virtual instances. 5G workloads and application services run as virtual instances in containers and virtual machines (VM). The software supply chain where all this software is sourced from must be secured, including software libraries, instance images, and the tooling that creates them. Private mobile networks Enterprises now look into setting up their own private mobile networks, and many more deploy them at their sites. This means that measures must be taken to secure these networks owned by enterprises, to keep them secure and protected from cybersecurity risks. Private mobile network deployments will become common-place in various industry sectors, connecting devices to business applications running on edge clouds. A broader software ecosystem Open source and the flexibility provided by infrastructure virtualisation have been catalysts for a widening ecosystem of software vendors, offering solutions for various telco use cases. Open source provides transparency, which makes it inherently more secure. However, a wider ecosystem also broadens the attack surface on telco, if software is not managed correctly. There is a need for compliance to security standards, and a scalable system that ensures that the sheer volume of software used by telco has no vulnerabilities. The need for secure telco software The increasing attack surface and the need for extra measures to safeguard telco infrastructure make security an imperative. Telco runs on software, from the edge to its network core. In addition, the services provided by telecom companies also run as software workloads, either for the operators themselves or for the tenants of an operator. All in all, software is everywhere in the stack. The general best practice is to adopt a cybersecurity approach in your organisation, with two key pillars that can help you provide a secure foundation for your systems: conducting effective vulnerability management and operating system hardening. Vulnerability management Application images Virtual application images may have common vulnerability exposures (CVE). These CVEs may be at the OS, the virtualisation software, or the running instances. It is essential to have confined execution spaces to run applications. This ensures that if a workload is compromised, their access to the rest of the system is restricted, and other instances are not affected. For instance, xApps that work with RAN Intelligence Controllers in O-RAN systems are ideal candidates to be run in controlled execution environments. Software dependency tree Software dependencies pose another big challenge when keeping packages up to date and secure. Most packages have numerous dependencies; it is hard to track each and every package. On the average, there are around 70 dependencies per package, according to Snyk 2022 State of Open Source Security report. In this complex chain of software dependencies, CVEs spread easily. A software piece may be consumed by many others – when it has a common vulnerability exposure (CVE), this affects many others. When a CVE is detected, it takes a lot of time to fix it: around 100 days on average, according to Synk’s 2022 report. Once the vulnerability has been detected and fixed, there are further complications: A patch is needed for every single vulnerability; support is needed to continuously patch against renewed vulnerabilities. Fixing a patch only once is not enough; multiple versions of the patch may need to be applied over time. This requires a versioning system in place for software patches. Fixing vulnerabilities should not interfere with system operations, as these systems run services offered to customers with certain SLAs. Assigning the task of fixing vulnerabilities to a system/personnel manually is tedious and not scalable. It is tricky to manually fix all vulnerabilities that may emerge, as there is a vast ecosystem of software sources. Security certifications and compliance In the complicated software landscape offering solutions with often overlapping and conflicting constraints, it is necessary to have robust security systems that can withstand the latest threats with standardised defence mechanisms in place. Ubuntu supports a wide range of security frameworks. There are various frameworks developed by national bodies, aiming to have standard and vendor-agnostic protocols and schemes that embody the latest industry standards and best practices in software security. When your operating system complies with such standards, you can be sure that your system is equipped with the latest security features and cryptographic measures. You then also have the ability to demonstrate to your telco customers that your system complies with commonly known and trusted security standards. Hardening the operating system and auditing it at scale for every deployment is tedious and error prone. There are many hundreds of individual steps in the process, which is time consuming. What operators need is the ability to not only ensure security hardening and auditing for their operating system, but also automate the process. The OS as a trusted source for software To help organisations implement a scalable security policy and get their software from a secure source, Canonical launched Ubuntu Pro, a comprehensive subscription for security, compliance and support. Ubuntu Pro offers comprehensive security coverage for open source. CVEs are dealt with by Canonical’s security team, so your team does not have to keep track of patches – they simply need to apply them. The complex chain of software package dependencies and propagation of CVEs across application packages is no longer an issue. Ubuntu Pro handles the complexity, and overcomes this challenge on behalf of the operator. Ubuntu Pro provides these patches for 10 years, for packages in Ubuntu’s Main and Universe repositories, and automation tools like Landscape and Livepatch. Ubuntu Pro also comes with security certifications and hardening features. Canonical provides Ubuntu Security Guide (USG), a security and hardening tool for remediation and auditing at scale, which includes profiles for industry hardening standards. With different cybersecurity frameworks in place, organisations get OS hardening and compliance profiles like CIS, DISA/STIG, and FIPS 140-2. With USG, the operator gets a single command for hardening and a single command for audit reports. Summary The ever increasing security risks and attacks on the telco sector call for automated, scalable, and trusted solutions that can safeguard telecom infrastructure. With the evolving telecommunications standards comes growing attack surfaces on infrastructure and the running workloads. On the way to achieving a fully cloud-native telco delivered with open source 5G, Ubuntu Pro is your trusted source of secure open source software. It provides the largest scope of secure and trusted open source applications, delivered with long-term security coverage guarantees. With Ubuntu Pro, your telecom infrastructure can be kept secure from common vulnerabilities, thanks to the regular and fast updates and patches. It delivers operating system hardening and auditing with automated tooling, and compliance for a wide range of standards. Check out our webinar on telecom security to learn more about Ubuntu Pro’s security features. Contact us Canonical provides a full stack for your telecom infrastructure. To learn more about our telco solutions, visit our webpage at ubuntu.com/telco. Further reading Reduce the cost of your 5G infrastructureHow to secure your databaseHow to ensure business continuity with IT infrastructure support View the full article

The way organizations provision infrastructure has significantly changed as they move from dedicated servers to capacity on-demand in the cloud. Homogeneous blueprints of infrastructure owned by IT have grown inefficient and outdated. In the cloud, infrastructure resources must be readily available across a variety of providers. While infrastructure automation underpins the move to the cloud and the overall modernization of application delivery, this shift exposes organizations to a diverse new set of security challenges. According to the 2023 HashiCorp State of the Cloud Strategy Survey, security ranked as the #1 enabler of multi-cloud success. Security is important — everyone knows how crucial it is to stay on top of the rapidly changing cloud security landscape. But to do so, organizations must address shortcomings in their traditional provisioning processes ... View the full article

Quali today announced enhancements to its Torque automated infrastructure platform to add support for security scans and Open Policy Agent (OPA) software being advanced under the auspices of the Cloud Native Computing Foundation (CNCF). OPA enables organizations to implement cybersecurity policies as code. The challenge many organizations have encountered is that not many developers have […] View the full article

The security of the infrastructure that runs your applications is one of the most important considerations in choosing a cloud vendor. Google Cloud’s approach to infrastructure security is unique. Google doesn’t rely on any single technology to secure its infrastructure. Rather, it has built security through progressive layers that deliver defense in depth…

It’s no longer a matter of organizations deciding whether to embrace remote and hybrid work but finding the best way to do so. A recent study showed most employees are happier having the option to work from home, and 80 percent say they’re as productive or more productive when they do. One of the most popular options for organizations who want to offer remote work options is virtual desktop infrastructure or VDI. What is VDI? Virtual desktop infrastructure (VDI) is an IT infrastructure that virtualizes desktops—to give employees access to enterprise data and applications from anywhere and from most personal and professional devices. Organizations host applications and data on servers, and through VDI, enable their employees to work remotely via remote desktops. VDI is popular for enabling remote work because, with the right configuration, it’s highly secure and relatively inexpensive compared to on-premises options. What are some of the security benefits of cloud-based VDI migration? Migrating to a cloud-based VDI solution allows organizations to take advantage of built-in security features that mitigate and eliminate the risks associated with traditional desktop virtualization. Azure Virtual Desktop in combination with the Azure public cloud, for example, offers comprehensive security features, like Azure Sentinel and Microsoft Defender for Endpoint, that are built-in before deployment. This helps enable an organization to follow critical VDI security best practices from the start of their virtualization journey. What are some VDI security best practices? Conditional access applies access controls based on signals like group membership, type of device, and IP address to enforce policies. Multifactor authentication requires that users consistently verify their identities to access sensitive data. Audit logs are used to gain insight into user and admin activities. Endpoint security like Microsoft Defender for Endpoints offers built-in protection against malware and other advanced threats for all your endpoints. Application restriction mitigates security threats by limiting what applications certain users are allowed to access using software like Windows Defender Application Control. Following these VDI security practices helps organizations secure user identities, data, and access to their VDI. They’re the reason a comprehensive VDI solution, like Azure Virtual Desktop, doesn’t just mitigate security risks associated with virtualization, but increases overall security. Of course, there are numerous factors and potential issues for an organization to consider in choosing to implement a VDI solution. Most of these issues stem from hosting virtual desktops on-premises, as traditional VDIs do. What are some concerns for an organization considering a traditional VDI? First, there’s the cost. Traditionally, implementing VDI is an involved, complicated process. It often requires employees with specialized roles to deploy, manage, and scale an organization’s VDI as needed. Cloud-based VDI solutions like Azure Virtual Desktop are managed and scaled by the cloud VDI solution provider themselves, which lowers cost considerably. Second and most importantly, there are the security concerns that come with adopting a hybrid model through traditional VDI. After the deployment of a VDI, IT managers must consider the security of home and corporate networks when developing security protocols. Employees using different types of devices to access data also opens networks to new vulnerabilities, as these new devices can be more vulnerable to cyberattacks. Most of these vulnerabilities are eliminated when you use a cloud-based VDI with built-in security features and endpoint protection. How do you choose a secure VDI for your organization? Meeting these implementation and security challenges often poses a barrier to organizations fully embracing a hybrid work model. IT decision makers must consider the challenges along with the benefits of enabling remote work when choosing a VDI solution for their organization. Adopting a comprehensive, cloud-based virtual desktop solution, like, mitigates and eliminates many of these security concerns. Also referred to as desktop-as-a-service, cloud-based VDI solutions host their virtual desktops on the cloud using a subscription model instead of on-premises, locally operated and maintained servers. Not only does this lower the cost and time of implementing VDI by decreasing the amount of labor needed to maintain it, it also ensures that the cloud-based virtual desktop solution provider shares responsibility with its customers for security. With the right provider, this can prove to be an enormous benefit. Learn more To explore the possibility of implementing Azure Virtual Desktop at your organization, read the 17-page e-book, Delivering Secure Remote and Hybrid Work with Azure Virtual Desktop, to learn more about how to: Increase your end-to-end security through VDI migration. Implement and maintain VDI security best practices. Scale resources on demand for your employees without the limitations of on-premises data centers using Azure Virtual Desktop. Lower your costs by running multiple virtual desktop user sessions on a single virtual machine. View the full article

As the UK’s essential services and economy are slowly becoming more dependent on large-scale data storage and processing services to operate, the government is seeking views on strengthening the industry’s cyber and physical security systems... View the full article