Picca - Cyber Security

NIS2

Er din virksomhed omfattet af NIS2?

Det nye NIS2 direktiv er vedtaget af EU-Kommissionen og skal i fremtiden sikre et højere niveau af IT/OT-sikkerhed på net og informationssystemer på tværs af europæiske lande. NIS2 direktivet skal opfyldes af virksomheder og selskaber indenfor "kritisk infrastruktur", herunder vand- og energiforsyning, fødevareproducenter mv.

NIS2 direktivet omfatter en lang række virksomheder og selskaber, der grundet lovgivningen er tvunget til yderligere investering i IT/OT-sikkerhed og risikovurdering. Den øgede sikkerhed vil dog kunne mindske store produktions- og omsætningstab gennem fremtidige angreb.

Direktivet kræver en mere systematisk håndtering af indrapportering med IT-sikkerhedshændelser. Kravene afhænger af sektor og virksomhedsstørrelse. Direktivet vil træde i kraft fra foråret 2023 - 18 måneder efter det endeligt er vedtaget.

Piccas IT-sikkerhedseksperter rådgiver og hjælper til, at din virksomhed og dit anlæg lever op til kravene i NIS2.

X

ICONS Cyber Security Advisories

SSA-568427: Weak Key Protection Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families

The vulnerability, with a critical CVSS score of 9.3, has been assigned CVE-2022-38465.

Possible attack scenarios:

Attack 1: Extract confidential configuration data. With access to the TIA Portal project or the project stored on the PLC (including memory card), an attacker could extract confidential configuration data.

These data are cryptographic keys and passwords which are used for certificate-based communication like https, OPC UA, or secure Open User Communication and for the protection of the PLC (access level passwords).

Attack 2: Attacks against legacy PG/PC, HMI communication With Man-in-the-Middle attacks, attacker could read, modify, and selectively forward data between the PLC and its connected HMIs and Engineering Statio

Siemens recommends that users immediately update SIMATIC S7-1200 and S7-1500 PLCs and corresponding versions of the TIA Portal project to the latest versions. TIA Portal V17 and related CPU firmware versions

include the new PKI system protecting confidential configuration data based on individual passwords per device and TLS-protected PG/PC and HMI communication.

Link to Siemens SSA-568427 vulnerability documentation:

https://cert-portal.siemens.com/productcert/html/ssa-568427.html

X

Backup

Hos Picca har vi mange års erfaring med backup-løsninger og du er derfor altid garanteret den højeste ekspertise. Vi tilbyder automatisk online backup til dit SRO-anlæg via Veeam og Acronis med on-site backup eller remote backup.

Fremover kan du glemme alt om bekymringer og ondt i maven. Vi håndterer din krypterede virksomhedsdata gennem topsikrede servicefaciliteter, samtidig spares dine driftsomkostninger ved outsourcing backup-løsning ift. hardware, vedligehold, licenser osv.

Din backup er naturligvis tilgængelig for dig 24/7 døgnet rundt, hvis denne skulle blive nødvendig.

X

Deceptor / Honeypots

Deceive | Expose | Eliminate

FortiDeceptor is designed to deceive, expose, and eliminate external and internal threats early in the attack kill chain and proactively block these threats before any significant damage occurs.

Fortinet Security Fabric provides unified, end-to-end protection with Fortinet Next Generation Firewalls to tackle advanced persistent threats. Adding FortiDeceptor as part of a Breach Protection strategy helps evolve your defenses from reactive to proactive with intrusion-based detection layered with contextual intelligence. It automates the blocking of attackers targeting IT devices and OT system controls. FortiDeceptor automatically lays out a layer of decoys and lures, helping you conceal your sensitive and critical assets behind a fabricated Deception Surface to confuse and redirect attackers while revealing their presence on your network.

Advanced ThreatDeception

DECEIVE external and internal threats with deceptive VM instances aka decoys managed from a centralized location. Deploy a Deception Surface of real Windows, Linux, VPN, Medical, IoT/OT, SCADA, and SAP VMs with services that are indistinguishable from real assets, e.g. production servers and lures embedded into devices designed to uncover the attackers.

EXPOSE hacker activity with early and accurate detection and actionable alerts enabled through tracing and correlation of an attacker’s Tactics, Tools, and Procedures (TTPs) and active notification via Web UI, Email, SNMP traps, logs, and events via FortiSIEM and FortiAnalyzer.

ELIMINATE threats by automating threat response with FortiGates, FortiNAC, FortiEDR, FortiSOAR, and third party security solutions via Fortinet Security Fabric.

Decoy VM Support

Combination of Windows 7, Windows 10, Windows 10 (customizable BYOL), Windows Server 2016 and 2019 (customizable BYOL), Linux, VPN Server, Medical (PACS, Infusion pump), POS, ERP, IoT (Router, Printer and Camera), SAP and/or SCADA

Decoy Services

SSL VPN, SSH, SAMBA, SMB, RDP, HTTP/S, SQL, GIT, DICOM, Telnet, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, IEC104, EtherNet/IP, DNP3, JET-DIRECT, RTSP, UPnP, CDP and TCP port listener

Click here for full size animated gif

X

Remote Access / VPN

Securing the Remote Workforce

The IPsec and SSL VPNs integrated into every FortiGate NGFW offer an extremely flexible deployment model. Remoteworkers can either take advantage of a clientless experience or gain access to additional features through a thick clientbuilt into the FortiClient endpoint security solution.

Power users and super users would benefit from deploying a FortiAP or aFortiGate NGFW for additional capabilities.Fortinet solutions are designed to be easy to use from initial purchase through end of life.

FortiGate NGFWs and FortiAPwireless access points include zero-touch deployment functionality. Appliances deployed at remote sites can be preconfigured before they ship, allowing for automatic set up onsite, which ensures business continuity and support fortelework.

The Fortinet Security Fabric takes advantage of a common Fortinet operating system and an open application programminginterface (API) environment to create a broad, integrated, and automated security architecture. With the Fortinet Security

Fabric, all of an organization’s devices, including those deployed remotely to support telework, can be monitored and managed from a single pane of glass. From a FortiGate NGFW or a FortiManager centralized management platform deployed at the headquarters environment, the security team can achieve full visibility into all connected devices, regardless of their deployment situation.

In the event of a natural disaster or other event that disrupts normal business operations, an organization must be capable of rapidly transitioning to a fully remote workforce. Table 1 shows the number of concurrent VPN users that each model of the FortiGate NGFW can support.

Beyond offering encryption of data in transit, via a VPN, Fortinet solutions offer a number of other features that can help an organization to secure its remote workforce. These features include:

• Multifactor authentication: FortiToken and FortiAuthenticator enable dual factor authentication of remote employees.
• Data loss prevention (DLP): FortiGate and FortiWiFi provide DLP functionality for remote workers, which is essential for teleworking executives with frequent access to sensitive company data.
• Advanced threat protection: FortiSandbox offers analysis of malware and other suspicious content within a sandboxed environment before it reaches its destination.
• Wireless connectivity: FortiAPs provide secure wireless access at remote work locations with full integration and configuration management in a single pane of glass.

Use Cases for Supporting Remote Work

Not every employee in an organization requires the same level of access to company resources when working remotely. Fortinet provides tailored telework solutions for every remote worker:

1. Basic teleworker:

The basic teleworker only requires access to email, internet, teleconferencing, limited file sharing, and function-specific capabilities (finance, HR, etc.) from their remote work site. This includes access to Software-as-a-Service (SaaS) applications in the cloud, such as Microsoft Office 365, as well as a secure connection to the corporate network. Basic teleworkers can connect to the organization using FortiClient integrated VPN client software and verify their identity with FortiToken for multifactor authentication. Note that power users and super users would revert to the basic teleworker profile when they roam from their remote work location.

2. Power user:

Power users are employees that require a higher level of access to corporate resources while working from a remote location. This may include the ability to operate in multiple, parallel IT environments and includes employees such as system administrators, IT support technicians, and emergency personnel.

For these power users, deployment of a FortiAP access point at their alternate work site provides the level of access and security that they require. This enables secure wireless connectivity with a secure tunnel to the corporate network.

FortiAPs can be deployed with zero-touch provisioning (ZTP) and will be managed by the FortiGate NGFWs in the office. Should a corporate phone need to be deployed, it can simply plug into the FortiAP for connectivity back to the main office.

3. Super user:

A super user is an employee that requires advanced access to confidential corporate resources, even when working from an alternate office location. They frequently processe extremely sensitive and confidential information.

This employee profile includes administrators with privileged system access, support technicians, key partners aligned to the continuity plan, emergency personnel, and executive management.
For these super users, their alternate work site should be configured as an alternate office location. While they require the same solutions as basic telecommuters and power users, they also require additional functionality. FortiAP can be integrated with a FortiGate NGFW or FortiWiFi appliance for secure wireless connectivity with built-in DLP.

Achieve Full Security Integration

FortiClient strengthens endpoint security through integrated visibility, control, and proactive defense and enables organizations to discover, monitor, and assess endpoint risks in real time.

FortiGate NGFWs utilize purpose-built cybersecurity processors to deliver top-rated protection, end-to-end visibility and centralized control, as well as high-performance inspection of clear-texted and encrypted traffic.

FortiWiFi wireless gateways combine the security benefits of FortiGate NGFWs with a wireless access point, providing an integrated network and security solution for teleworkers.

FortiToken confirms the identity of users by adding a second factor to the authentication process through physical or mobile application based tokens.

FortiAuthenticator provides centralized authentication services including SSO services, certificate management, and guest management.

FortiAP delivers secure, wireless access to distributed enterprises and remote workers and can be easily managed from a FortiGate NGFW or via the cloud.

FortiManager provides single-pane-of-glass management and policy controls across the extended enterprise for insight into networkwide, traffic-based threats. This includes features to contain advanced attacks as well as scalability to manage up to 10,000 Fortinet devices.

FortiAP delivers secure, wireless access to distributed enterprises and remote workers and can be easily managed from a FortiGate NGFW or via the cloud.

FortiAnalyzer provides analytics-powered cybersecurity and log management to enable improved threat detection and breach prevention.

Fortinet sandboxing solutions offer a powerful combination of advanced detection, automated mitigation, actionable insight, and flexible deployment to stop targeted attacks and subsequent data loss. Available as a cloud service that is included in most FortiGuard subscriptions.

Click here for full size animated gif

X

Network Access Control (NAC)

How Network Access Control Secures Your Network

NAC network security provides visibility over everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses. It plays a role in strengthening overall network security infrastructure.

A properly functioning solution can prevent access to noncompliant users or devices, place them in quarantine, or restrict access to a small number of network resources, separated from the rest of the network. A network access control policy generally supports the following:

1. Authentication and authorization of users and devices

2. User and device profiling

3. Denial of unsecured devices

4. Quarantine of unsecured devices

5. Restricting access to unsecured devices

6. Policy lifecycle management

7. Overall security posture assessment

8. Incident response through policy enforcement

9. Guest networking access

Network Access Control Benefits and Use Cases

IoT and BYOD:

The adoption of IoT devices is growing exponentially, especially in high-risk markets such as healthcare and retail where even a few years ago there were far fewer network-connected devices. Converging with this trend is BYOD (Bring Your Own Device), which over more than a decade has brought an influx of new mobile devices connecting to corporate networks. Both technologies create substantial new security risks and open new threat vectors, and unsecured devices dramatically increase the risk of intrusion, breach, and a catastrophic cyberattack. The right NAC solutions ensure compliance for all devices connecting to networks, checking that proper controls are in place before corporate network resources are accessible.

There are now billions of non-traditional compute, IP-enabled devices that are connecting to public networks. (This means basically everything on the network that isn't a laptop or mobile phone, from IP cameras, to VoIP phones, printers, HVAC controls, temperature sensors, badge readers, digital displays, bluetooth sensors, and many more examples.)

Incident Response:

The role of NAC in incident response is often significant. Network access control solutions can be configured to automatically enforce security policies, share contextual information, and isolate unsecure devices from accessing other parts of a network.

Contractors:

Contractors, partner employees, and other guest workers need specialized access only to those parts of the corporate network that enable a good user experience and allow them to do their jobs. NAC plays a key role in maintaining access privileges while ensuring guest users have smooth connectivity and a good overall experience.

Medicine:

Healthcare is an industry rapidly embracing the Internet of Medical Things (IoMT) and now many new networked devices are coming online to support advances in medicine and medical care. But as more medical devices access the corporate network, it is critical to employ NAC computer solutions that can help protect devices and massive troves of sensitive personal data, including medical records. This can help improve healthcare security overall and keep medical facilities and other healthcare institutions free from ransomware and other prevalent threats.

Compliance:

Regulatory compliance isn’t optional, and organizations can receive serious fines and create myriad other problems if access controls aren’t implemented or aren’t demonstrably effective. NAC solutions have long been thought of as risk mitigation technology—which they certainly are—but the right ones can also help enforce compliance controls under regulations such as HIPAA, SOX, or PCI-DSS, and ensure smooth compliance audits.

Click here for full size animated gif

X

SIEM

ICONS SIEM architecture, how it works

ICONS's Security Information and Event Management ( SIEM ) offers real-time log/event collection from level 0-5 in the Purdue model,both IT and OT environments.

ICONS SIEM offers automated actions called playbook, when an alert is raised on ICONSSIEM server it connect back to the collector installed at the customer site, the collector informs SIEM Agent(s) to execute the playbook, anything can be executed, IPBan, MAC address blocking on firewall, switch and Access Point or Windows related actions on clients and servers.

1. Collector receives logs from devicesLogs/events from any device that is capableof generating logs

2. Logs is compressed and encryptedCollector compress and encryptedlogs for minimum footprint on internet bandwidth, encrypting is neededfor optimal security

3. Logs is sent to ICONS SIEM serverICONS SIEM serverreceives logs from a customer collector(s), communicationto/from collector andICONS SIEMis certificate authentication, furthermore public IP is verified in both ends

4. ICONS SIEM server analyze and correlate logsLogs/events is analyze and correlatein the core engine of ICONS SIEM server,external threat intelligenceis also used

5. When alert is raised, ICONS SIEM send playbook to collectorICONS SIEM can perform active actions called playbook, playbook is script based and has no limitation, executing script on firewall or Powershell based

6. Collector send playbook to ICONS SIEM Agent installed on client/serverThe collector send playbook to SIEM Agent installed on Windows/Linux, the agent can perform different type of action, like shutdown the device, disable networking or start antivirus scanning

Take control with your own Dashboard

ICONS offers a full featured multi-tenancy SIEM solutionthat companies can manage. ICONS SIEMfeatures including dashboards, analytics, incidents, configuration management database (CMBD), and administration are accessed via an intuitive, web-based GUI.

Single-pane-of-glass management and control

• Customizable role-based access control lets organizations determine what each user can access

• Active asset discovery assists with building out an integrated CMBD for better asset management

• Performance and availability monitoring, such as CPU, memory, storage, and configuration changes extend the functionality of the platform and deliver additional contextual data

Better incident detection with reduced incident impact

• ICONS identifies external and internal threats faster. Plus, it enables threat hunting and compliance monitoring

• Incident detection time is reduced with a patented and distributed correlation engine to detect incidents

• Out-the-box content includes pre-designed parsers, dashboards, and reporting to cover the most commonly found devices, delivering quick value

• ICONS SIEM Analytics helps hunt for threats and indicators of compromise (IOC)

• Insider threats are identified with ICONS SIEM UEBA, using an agent on endpoints to collect telemetry on behavior

• Overall, the mean time to respond (MTTR) is reduced

Click here for full size animated gif

X

ICONS - Cyber Security

Contact information

NIS2

ICONS Cyber Security Advisories

Backup

Deceptor / Honeypots

Remote Access / VPN

Network Access Control (NAC)

SIEM

NIS2

ICONS Cyber Security Advisories

Backup

Deceptor / Honeypots

Remote Access / VPN

Network Access Control (NAC)

SIEM

Kontakt