3 Takeaways for the KRACK WPA2 Vulnerability

WiFi Security and WPA2

Over the last 48 hours security researchers have discovered new weaknesses in the WPA2 Wi-Fi security protocol which could allow hackers to steal sensitive info or even inject malware into networks and network devices, with mobile devices being particularly vulnerable due to the proliferation of native apps which may not implement app-level encryption.  

As stated on KrackAttacks, the weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. 

The attack works by focusing on the four-way handshake used by WPA2 to confirm that client and access point have the correct network password and to negotiate a new encryption key to be used to encrypt all subsequent traffic. 

To prevent the attack, users must update affected products as soon as security updates become available. 

1. There is no silver bullet for cyber threat prevention; nothing is secured forever. Vulnerabilities will always await discovery and be subject to exploitation. Developers call them “bugs”, but we must all learn to speak the same language, and adopt a holistic layered approach.

2.  SANS Institute describes the term layered security as “a defensive strategy featuring multiple defensive layers that are designed to slow down an attacker”. The military uses similar tactics called “deep defense” or “defense in depth,” where their goal is to slow an attack, causing enemy casualties. In the digital world, this means causing delays for the attackers and detecting them before they can do serious damage. In some cases, a properly implemented layer may act as a strong enough deterrent to cause the attacker to look for an easier target.

3. Although an attacker may gain wireless access into your network, a layered security approach will ensure that the hole discovered can’t be exploited. By adhering to best practices like keeping systems patched and updated, implementing user roles and group policy, having end-to-end network segmentation in place to limit the spread of malware and free reign of bad actors, utilizing multi-factor authentication (MFA), securing data with data at rest and in-flight encryption, and taking advantage of app-level encryption where possible. 

If you’d like to discuss the threat landscape and how things like this WPA2 crack happen, best practices for adopting a holistic security approach, or the unique challenges inherent to your business, please reach out to me directly. We’re here to help. 

Intel Debuts New Scalable Processors

What An IT Salesperson Actually Does

It’s about that time again when everyone is talking cores, threads, and gigahertz.  Intel is starting to roll out their newest line of Xeon processors, which are being referred to as “scalable processors” powered by the new Skylake-SP core.

The existing architecture had limitations around the number of cores and threads that Intel has been trying to solve for several years.  Rather than simply adding iterative improvements to existing processors, this latest processor family from Intel has been re-architected from the ground up to improve performance, efficiency, and security.

Outside of changes to the architecture, Intel has also moved away from the E# naming convention in favor of a metal-based tiers: Bronze, Silver, Gold, and Platinum. Whether this new convention adds clarity or complexity is yet to be seen. I know what you’re thinking: “I have to learn a whole new naming convention all over again?!” But have no fear! Here is a quick breakdown of the new tiers, as well as a cheat sheet for deciphering full model numbers under the new system:

  • Platinum (8100 series)
    • Use Cases: Mission-critical applications such Enterprise resource planning (ERP), In-memory Analytics, Online Analytical Processing (OLAP), High-Frequency Trading (HFT), Machine Learning, Virtualization, Containers.
    • CPU Cores: Up to 28
    • Socket Configurations: 8+
    • Memory: Up to 12TB
  • Gold (6100/5100 series)
    • Use Cases: OLTP, Analytics, Machine Learning, Hadoop/SPARK workloads, server-side Java, Virtual Desktop Infrastructure (VDI), High-Performance Computing (HPC), Virtualization, Containers.
    • CPU Cores: Up to 22
    • Socket Configurations: Up to 4
    • Memory: Up to 6TB
  • Silver (4100 series)
    • Use Cases: SMB workloads, Web front end, network & storage applications for organizations who are anticipating growth.
    • CPU Cores: Up to 12
    • Socket Configurations: Up to 2
    • Memory: Up to 1.5TB
  • Bronze (3100 series)
    • Use Cases: SMB workloads and basic storage servers.
    • CPU Cores: Up to 12
    • Socket Configurations: Up to 2
    • Memory: Up to 1.5TB

Unlike the ring architecture used on previous processors, Intel has developed a new mesh interconnect architecture which allows a shorter path for data to travel by increasing the number of pathways.  Intel states that the new processors are 1.65 times faster than its previous generation.  Another big improvement for performance and efficiency in the new Intel Xeon processors is the increase in the number of supported PCIe 3.0 lanes to a whopping 48 PCIe 3.0 lanes per processor!

Security has been a focus of this release.  Key Protection Technology, which makes it more difficult to retrieve encryption keys by keeping the operations for encrypting and decrypting directly on the processor rather than offloading them to memory, is another great feature of this latest technology. For a complete overview of the new system, Intel has created a comprehensive guide you can find here. We look forward to seeing these advances in tech in action!

Myriad Holds Bake-Off for “No Kid Hungry”

Cook Off

If there’s one thing the team at Myriad Supply loves more than helping our clients, it’s helping underserved communities throughout the world through charitable giving. In the past, we’ve worked with organizations such as Project Sunshine, New York Cares, and City Harvest. Last week, Team Myriad held a bake-off competition where all proceeds went to No Kid Hungry. 

Thirteen million children—nearly one in six students—in the US struggle with hunger. Three out of four teachers say their students regularly come to class hungry. No Kid Hungry is devoted to ensuring that children have enough to eat, improving their levels of concentration and ability to learn. Kids who eat breakfast miss less school, achieve better grades, and are more likely to graduate high school.  

No Kid Hungry creates programs like free breakfast programs to help students start the day off right, the “Cooking Matters” program where they give families the tools they need to cook healthy meals and stretch their food budgets, and food programs over the summer to make sure children still get meals while school is out. 

Last week, members of the Myriad team put their cooking skills to the test. With nearly fifteen cooks, Team Myriad brought their A-game. The competition heated up quickly with a spread that had everything from chocolate-and-vanilla trifle, vanilla meringue, garden vegetable gazpacho with olive oil and jalapeno garnish, and blueberry and goat cheese pie. The winning dish? Deion Stalling’s jambalaya. (Unfortunately for us, the recipe is top secret!)

Taste testers contributed a cash donation for the opportunity to sample the treats and vote on a winner. In the end, we’re proud to announce that Myriad donated close to $400 to No Kid Hungry—and had a lot of fun while doing it, too!

cookoff1

cookoff2

cookoff3

How Do You Protect Your Business When the Threat Landscape Is Always Evolving?

Security Ransomware

Staying ahead of the curve when it comes to security attacks can be a challenge many find to be nearly impossible to achieve. But why is it so difficult? Every day, attacks targeting juggernauts of industry are featured in breaking news. An example is the recent “Wannacry” ransomware attack, which affected thousands of computers all over the world—from Europe to Asia to North America, locking users out of their computers and demanding ransoms. What’s concerning about these attacks is not only the frequency of them, but how they quickly inspire imitators.  

New attacks using combinations of execution code to bypass defense systems are popping up. Even more concerning, ransomware/botnet attacks are now hijacking ICS to re-route ambulances causing life-threatening consequences. And the hard truth is this won’t stop; new malware will be written with multiple code execution paths that are designed to set off benign processes while under scan and then execute malicious code once your anti-virus deems it to be safe. 

You might be indignantly thinking why? My anti-virus is supposed to stop all threats—my vendor said so! Why is it so difficult to defend my organization? 

The short answer is that it doesn’t have to be. Having implemented and reverse engineered many security solutions, I can say honestly that you cannot adopt or rely upon a single strategy or single solution to defend your posture. It takes a holistic and tiered approach to be able to defend and take on attacks from different vectors. 

A long time ago, I was once on the offensive side acting out DDoS attacks while playing a game called “Counter-Strike.” Why is this relevant? It seems hard to believe, but this game helped me adopt a philosophy on cybersecurity that I will never forget and will use for the rest of my career. I hope you can take this philosophy to heart, and that it will also help you protect your business as well as yourself from being hacked. 

Know your risk. 

Designing a secure infrastructure starts with knowing your greatest risks and weaknesses. Think like a hacker. What is the most critical asset? What type of attacks are you vulnerable to? What would someone do to exploit it that risk? Knowing is the first step. 

Identify your risk. 

In the following tiers: Reputation, Operational, and Intellectual Property. Once you’ve identified your risk in these arenas, plan a defensive strategy accordingly.  

Defend. 

Your strategy should lead to you knowing your network better than anyone else. You are the first and last line of defense. Security solutions are simply technology, but without configuring that technology to its strictest potential, you will not win. Do not allow any attacker to exploit your posture. Conduct vulnerability assessments and risk audits. Conducting threat assessments regularly is a critical step in continually developing your security plan.

Myriad & Girl Develop It March Campaign Kicks Off today!

Just a reminder that the March 2015 Myriad & Girl Develop It Campaign kicks off today! Join us on Twitter to help raise money for GDI and enter to win a Dell XPS 13 Ultrabook!

Here’s how it’s going to work:

  • We’ll post a question to Twitter each day starting today relating to women in tech
  • For every correct answer using our hashtag #MyriadGives, we’ll donate $1 to GDI*
  • We’ll also donate $1 to GDI for every retweet (RT) of our question*
  • Every time anyone answers correctly and/or retweets our question we’ll enter them into a drawing at the end of the month for a new Dell XPS 13 Ultrabook!
  • Each day, tweets and replies are due at 11:59 EST.
  • Contest ends at 11:59pm EST on 3/30/15. Winner will be announced via Twitter (@MyriadSupply) at 12pm EST 3/31/15.

Questions? Email us at giving@myriadsupply.com. Good luck & thanks for helping us raise money & awareness for GDI!

 

*Myriad will donate up to $10,000 total. Each Twitter handle may reply to one tweet and Retweet once per day.

Myriad & GDI team up to support women interested in web and software development

Friends of Myriad –

It is with great excitement that we announce our partnership with the nonprofit organization Girl Develop It!

GDI’s mission is to help teach women around the globe how to code and develop software, thus empowering more women to enter the tech field. With only 25% of computer related jobs in the United States being held by women, we at Myriad believe that there is a clear gap that needs to be bridged. While the tech world is one that promotes innovation and creativity, it can be woefully gender restrictive when it comes to who is sitting at the keyboard developing that next great project. Myriad believes that by encouraging more women of all ages to pursue education and careers in web and software development, we’ll all benefit from seeing an increase in talent and diversity in the tech world. With this partnership we’re aiming to help GDI in their efforts to do just that.

So how are we going to help? Throughout all of March (which also happens to be Women’s History Month) we’ll be doing the following:

  • We’ll post a question to Twitter starting on 3/2/15 relating to women in tech
  • For every correct answer, using our hashtag #MyriadGives, we’ll donate $1 to GDI*
  • We’ll also donate $1 to GDI for every retweet (RT) of our question*
  • Every time anyone answers correctly and/or retweets our question we’ll enter them into a drawing at the end of the month for a new Dell XPS 13 Ultrabook! (If you haven’t heard about the awesome XPS 13, see the Gizmodo.com review here.)

We invite you all to join in to help support GDI in their mission, and have a little fun while you’re doing it! Find us on Twitter and make sure to check in for the first question on Monday, March 2nd.

Sincerely,

Hilary DeCourcey

Head of Charitable Giving

VP of Purchasing & Client Support

#MyriadGives

*Terms and conditions for the donation and drawing will be posted on 3/2/15.