Chief Marketing Officer - Quantalytics… · The Q-NAC, built with PacketFence, provides highly...

Post on 24-Jan-2021


Richard Avery, Chief Marketing Officer

646.775.2761

Quantalytics, Inc. 646.449.7810 ravery@quantalytics.com

Copyright © 2019 Quantalytics, Inc. All rights reserved.

IT Networks Cybersecurity for The Water and Waste Industries

Information Technology (IT) networks in the Water and Waste industries are a special class of IT networks. They must be reliable, and ideally, un-hackable. Security is therefore paramount.

The disclosure in WikiLeaks of the CIA's "Vault 7" on March 7, 2017, revealed that the CIA's entire hacking and data exfiltration tool collection had been stolen. Among the tools, beyond a large number of 0Day (Zero Day) exploits, are programs such as "HammerDrill", which are designed to infect software distributed on CDs, DVDs, and USB thumb drives. These media are some of the vehicles used to perform software and firmware upgrades for devices on IT networks.

As in our OT network protection, our guiding design philosophy is summed up as "Trust no one. Verify everything." We believe in providing transparency, and we believe in keeping a very close eye on everything in an IT network.

To do this, we recommend the following Quantalytics appliances be used for IT networks:

Q-Box. The Q-Box provides monitoring of devices on the IT network, via Nagios, and intrusion detection via Snort. In the event a suspected intrusion is detected, the Q-Box has both Xplico and ntopng for real-time packet capture and forensic analysis. Because of the critical importance of monitoring and intrusion detection, we recommend using two (2) Q-Boxes for auto-failover, and for load balancing as needed.

Q-Hpot. The Q-Hpot is a honeypot solution specifically for IT networks. A basic tenet of defense in depth is to camouflage the IT network assets so as to hide them from the attacker ("Network Obfuscation"). The Q-Hpot can create thousands of clones of objects in an IT network. The Q-Hpot mimics human activity. The only constraint is purely the number of IP addresses available to assign to each attack surface. By camouflaging and hiding the IT network assets, one shifts the odds in favor of the defender, as opposed to not camouflaging the IT network assets.

Q-Vul. The Q-Vul is a vulnerability scanner built using OpenVAS. Even if there is no patch available, or worse, a patch but no time window available to apply it, the Q-Vul will let the IT network's managers watch the vulnerable device or network service extra carefully. While this cannot prevent an attack, it provides a means to try to find work-arounds to block one, as well as knowledge of security weaknesses that management can use to press manufacturers to provide a fix.

Q-Log. The Q-Log is a log aggregation and reporting tool built using the ELK Stack (Elastic, Logstash, and Kibana). Everything generates logs. The key is to isolate and report the critical issues quickly, and then to probe deeper as needed. The Q-Log makes it possible to process log data, and render alerts quickly when there is anomalous activity.

Q-NAC (Network Access Control). The Q-NAC, built with PacketFence, provides highly granular access control to the IT network, and within it, to the various devices and network services. The Q-NAC provides complete audit trails in order to help quickly identify devices that have gone rogue, or are not allowed at all, such as a plugbot. (A plugbot is a small device, plugged into a network or wirelessly connected, that creates a Command & Control ("C&C") backdoor.)

A device that has gone rogue means that it has been compromised, and is being controlled and used by the hackers. Most devices on IT networks have no internal defenses whatsoever against being compromised. Compared to the power of today's hacking tools, the lack of internal defenses makes them very, very easy to compromise. These devices include, for example, All-in-One printers, and a huge variety of IoT devices that are found on IT networks such as IP cameras and DVRs used in surveillance systems.

All Quantalytics appliances are internally hardened against hackers as an additional precaution. Among the steps we have taken are deploying ModSecurity, a Web Application Firewall, Tiny HoneyPot for internal obfuscation, Fail2ban to block brute force login attempts, IPTables, and ClamAV for anti-virus protection. Two-factor authentication is available as an option.
