Data Logging Archives - ZPE Systems
https://zpesystems.com/category/improve-network-security/data-logging/
Rethink the Way Networks are Built and Managed
Tue, 15 Apr 2025 19:55:00 +0000

Why Out-of-Band Management Is Critical to AI Infrastructure
https://zpesystems.com/why-out-of-band-management-is-critical-to-ai-infrastructure/
Fri, 31 Jan 2025 23:24:42 +0000

Out-of-band management makes AI infrastructure resilient and efficient. Read our post and download our whitepaper to see how it works.

The post Why Out-of-Band Management Is Critical to AI Infrastructure appeared first on ZPE Systems.
Out-of-Band Management for AI

Artificial intelligence is transforming every corner of industry. Machine learning algorithms are optimizing global logistics, while generative AI tools like ChatGPT are reshaping everyday work and communications. Organizations are rapidly adopting AI, with the global AI market expected to reach $826 billion by 2030, according to Statista. While this growth is reshaping operations and outcomes for organizations in every industry, it brings significant challenges for managing the infrastructure that supports AI workloads.

The Rapid Growth of AI Adoption

AI is no longer a technology that lives only in science fiction. It’s real, and it has quickly become crucial to business strategy and the overall direction of many industries. Gartner reports that 70% of enterprise executives are actively exploring generative AI for their organizations, and McKinsey highlights that 72% of companies have already adopted AI in at least one business function.

It’s easy to understand why organizations are rapidly adopting AI. Here are a few examples of how AI is transforming industries:

  • Healthcare: AI-driven diagnostic tools have improved disease detection rates by up to 30x, while drug discovery timelines are being slashed from years to months.
  • Retail: E-commerce platforms use AI to power personalized recommendations, leading to a revenue increase of 5-25%.
  • Manufacturing: AI in predictive maintenance can help increase productivity by 25%, lower maintenance costs by 25%, and reduce machine downtime by 70%.

AI is a powerful tool that can bring profound outcomes wherever it’s used. But it requires a sophisticated infrastructure of power distribution, cooling systems, computing, GPUs, servers, and networking gear, and the challenge lies in managing this infrastructure.

Infrastructure Challenges Unique to AI

AI environments are complex, with workloads that are both resource-intensive and latency-sensitive. This means organizations face several challenges that are unique to AI:


  1. Skyrocketing Energy Demands: AI racks consume between 40kW and 200kW of power, which is 10x more than traditional IT equipment. Energy efficiency in the AI data center is a top priority, especially as data centers account for 1% of global electricity consumption.
  2. Cost of Downtime: AI systems are especially vulnerable to interruptions, which can cause a ripple effect and lead to high costs. A single server failure can disrupt entire model training processes, costing enterprises $9,000 per minute in downtime, as estimated by Uptime Institute.
  3. Cybersecurity Risks: AI processes sensitive data, making AI data centers prime targets for attack. Sophos reports that in 2024, 59% of organizations suffered a ransomware attack, and the average cost to recover (excluding ransom payment) was $2.73 million.
  4. Operational Complexity: AI environments rely on a diverse set of hardware and software systems. Monitoring and managing these components effectively requires real-time visibility into thermal conditions, humidity, particulates, and other environmental and device-related factors.

The Role of Out-of-Band Management in AI

Out-of-band (OOB) management is a must-have for organizations scaling their AI capabilities. Unlike traditional in-band systems that rely on the production network, OOB operates independently to give teams uninterrupted access and control. Teams can remotely monitor and maintain AI infrastructure, troubleshoot problems, and perform complete system recovery even if the production network goes offline.


How OOB Management Solves Key Challenges:

  • Minimized Downtime: With OOB, IT teams can drastically reduce downtime by troubleshooting issues remotely rather than dispatching teams on-site.
  • Energy Efficiency: Real-time monitoring and optimization of power distribution enable organizations to eliminate zombie servers and other inefficiencies.
  • Enhanced Security: OOB systems isolate management traffic from production networks per CISA’s best practice recommendations, which reduces the attack surface and mitigates cybersecurity risks.
  • Operational Efficiency: Remote monitoring via OOB offers a complete view of environmental conditions and device health, so teams can operate proactively and prevent issues before failures happen.

Use Cases: Out-of-Band Management for AI

There’s no shortage of use cases for AI, but organizations often overlook implementing out-of-band in their environment. Aside from using OOB in AI data centers, here are some real-world use cases of out-of-band management for AI.

1. Autonomous Vehicle R&D

Developers of self-driving technology find it difficult to manage their high-density AI clusters, especially because outages delay testing and development. By implementing OOB management, these developers can reduce recovery times from hours to minutes and shorten development timelines.

2. Financial Services Firms

Banks deploy AI to detect and combat fraud, but these power-hungry systems often lead to inefficient energy usage in the data center. With OOB management, they can gain transparency into GPU and CPU utilization. Not only can they eliminate energy waste, but they can also optimize resources to improve model processing speeds.

3. University AI Labs

Universities run AI research on supercomputers, but this strains the underlying infrastructure with high temperatures that can cause failures. OOB management can provide real-time visibility into air temperature, device fan speed, and cooling systems to prevent infrastructure failures.

Download Our Guide, Solving AI Infrastructure Challenges with Out-of-Band Management

Out-of-band management is the key to having reliable, high-performing AI infrastructure. But what does it look like? What devices does it work with? How do you implement it?

Download our whitepaper Solving AI Infrastructure Challenges with Out-of-Band Management for answers. You’ll also get Nvidia’s SuperPOD reference design along with a list of devices that integrate with out-of-band. Click the button for your instant download.

What is FIPS 140-3, and Why Does it Matter?
https://zpesystems.com/what-is-fips-140-3-and-why-does-it-matter/
Thu, 14 Nov 2024 21:56:53 +0000

This post explains FIPS 140-3 security certification, and why it matters to organizations and their customers.

A lock representing cybersecurity, with the title What is FIPS 140-3 and why does it matter?

Handling sensitive information is a responsibility shared by so many organizations. Ensuring the security of data, whether in transit or at rest, is not only critical for maintaining the trust of end users and customers, but is often a regulatory requirement. One of the most reliable ways to secure data within network infrastructure is by implementing FIPS 140-3-certified cryptographic solutions. This certification, which was developed by the National Institute of Standards and Technology (NIST), serves as a benchmark for robust encryption practices, enabling organizations to meet high security standards and ensure regulatory compliance.

Let’s explore what it means to have FIPS 140-3 certification, why it matters, and its key applications in network infrastructure.

What is FIPS 140-3 Certification?

The Federal Information Processing Standard (FIPS) 140-3 certification is a stringent, government-endorsed security standard that sets guidelines for cryptographic modules used to protect sensitive data. It includes requirements for securing cryptographic functions within hardware, software, and firmware. The certification process rigorously tests cryptographic solutions for security and reliability, ensuring that they meet specific criteria in data encryption, access control, and physical security.

There are four levels of FIPS 140-3 certification, each adding layers of protection to help secure information in various environments:

  • Level 1: Ensures basic encryption standards.
  • Level 2: Adds tamper-evident protection and role-based authentication.
  • Level 3: Provides advanced tamper-resistance and strong user authentication.
  • Level 4: Offers the highest level of security, including physical defenses against tampering.

FIPS 140-3 certification ensures that an organization’s network infrastructure meets high standards for cryptographic security. This is important for protecting sensitive information against cyber threats as well as fulfilling regulatory requirements.

Why FIPS 140-3 Certification Matters

1. Meeting Regulatory Compliance Requirements

FIPS 140-3 certification is often required by regulatory bodies, especially in sectors like government/defense, healthcare, and finance, where sensitive data must be protected by law. Here are a few industry-specific regulations that FIPS 140-3-certified modules help with:

  • Defense: DFARS, NIST SP 800-171
  • Healthcare: HIPAA
  • Finance: PCI-DSS
  • Energy: NERC CIP
  • Education: FERPA

Compliance with FIPS 140-3 also makes it easier for organizations to meet audit requirements, reducing the risk of fines or penalties for security lapses.

2. Strengthening Customer Trust

End users and customers expect that their data is handled with care and protected against breaches. By using FIPS 140-3-certified solutions, organizations can demonstrate their commitment to securing customer data with recognized, government-endorsed security standards. FIPS certification is a valuable trust signal, showing customers that their information is being managed with the highest level of protection available.

3. Protecting Against Emerging Cyber Threats

Relying on uncertified or outdated cryptographic solutions increases the risk of data breaches. FIPS 140-3-certified solutions are tested to withstand advanced attacks and tampering, which is an important safeguard against threats that continue to evolve in complexity. Certified modules help prevent unauthorized access to sensitive data, whether through intercepted communications, phishing, or other cyber threats.

FIPS 140-3 certification gives assurance, especially for organizations that handle high volumes of data, that they have adequate encryption to protect against sophisticated attacks.

4. Ensuring Business Continuity and Operational Resilience

According to IBM’s Cost of a Data Breach Report 2024, data breaches now cost $4.88 million (global average), with healthcare being the most costly at $9.8 million per breach. The financial impact is staggering, but the ongoing operational disruption and recovery efforts determine whether an organization can fully bounce back from a breach. With FIPS 140-3 certification, there’s an added layer of resilience to an organization’s infrastructure, which reduces the likelihood of breaches and ensures a secure base for maintaining continuity (such as through an Isolated Recovery Environment). By implementing FIPS-certified encryption, businesses can minimize downtime, maintain access to encrypted systems, and recover more smoothly from potential incidents.

5. Gaining a Competitive Advantage in Security-Conscious Markets

Organizations that follow rigorous data security standards are more likely to gain the trust of clients, stakeholders, and customers, especially in industries where security is non-negotiable. Organizations that adopt FIPS 140-3-certified infrastructure can differentiate themselves as having a reputation for security, which can be a competitive advantage that attracts customers and partners who value data protection.

Key Applications of FIPS 140-3 in Network Infrastructure

For organizations managing large amounts of customer data, FIPS 140-3-certified solutions can be applied to several critical areas within network infrastructure:

  • Network Firewalls and VPNs: FIPS-certified encryption ensures that data moving across networks remains private, protecting it from interception by unauthorized users.
  • Access Control Systems: Identity-based access controls with FIPS-certified modules add another layer of security to protect against unauthorized access to sensitive data.
  • Out-of-Band Management: Using FIPS 140-3-certified encryption in OOB management ensures the same stringent security level for OOB traffic as for in-band network traffic.
  • Data Storage and Backup: FIPS-certified encryption secures data at rest, protecting stored customer information from unauthorized access or tampering.
  • Cloud and Hybrid Environments: For companies using cloud or hybrid environments, FIPS-certified encryption helps protect data across multiple infrastructure layers, ensuring consistent security whether data resides on-premises or in the cloud.

Discuss FIPS 140-3 With Our Network Infrastructure Experts

FIPS 140-3 certification gives organizations the ability to reassure customers, meet compliance requirements, and protect critical data across every layer of the network. Get in touch with our network infrastructure experts to discuss FIPS 140-3, isolated management infrastructure, and other resilience best practices.

Explore FIPS 140-3 for Out-of-Band Management

Read about 7 benefits of implementing FIPS 140-3 across your out-of-band management infrastructure. This article discusses the benefits it brings to remotely accessing devices, protecting against physical attacks, and securing edge infrastructure.

7 Security Benefits of Implementing FIPS 140-3 for Out-of-Band Management
https://zpesystems.com/7-security-benefits-of-implementing-fips-140-3-for-out-of-band-management/
Thu, 14 Nov 2024 21:32:02 +0000

This post covers the 7 security benefits of implementing FIPS 140-3 for out-of-band management networks.

ZPE Systems - FIPS 140-3

Out-of-band (OOB) management is essential for maintaining control over critical network infrastructure, especially during outages or cyberattacks. This separate management network enables administrators to remotely access, troubleshoot, and recover production equipment. However, managing network devices outside the main data path also brings unique security challenges, as these channels often carry sensitive control data and system access credentials.

Implementing FIPS 140-3-certified encryption within OOB systems can help organizations secure this vital access path to ensure that management data can’t be intercepted or manipulated by unauthorized actors. Here’s how FIPS 140-3 certification can enhance the security, reliability, and compliance of your out-of-band management.

What is FIPS 140-3 Certification?

FIPS (Federal Information Processing Standard) 140-3 is a high-level security standard developed by the National Institute of Standards and Technology (NIST). It specifies rigorous requirements for cryptographic modules used to protect sensitive data. FIPS 140-3 certification covers everything from data encryption to user authentication and physical security. For out-of-band management, FIPS 140-3 certification ensures that cryptographic components in hardware, software, and firmware meet stringent data security standards.

By implementing FIPS-certified solutions, organizations can ensure their OOB management is resilient against modern cyber threats, protecting both the control channels and the sensitive data they carry. Here are seven security benefits of implementing FIPS 140-3 for out-of-band management.

7 Security Benefits of Implementing FIPS 140-3 for Out-of-Band Management

1. Secure Encryption of Management Traffic

OOB management often involves remote access to routers, switches, servers and other critical devices. FIPS 140-3 certification guarantees that all cryptographic modules used in these systems have been rigorously tested to secure data in transit. Encrypting management traffic is crucial to prevent interception or manipulation by unauthorized users, particularly for tasks such as command execution, configuration updates, and device monitoring.

With FIPS-certified encryption, companies can protect OOB traffic between management devices and network components, so that only authorized administrators have access to sensitive system commands and device settings.

2. Enhanced Authentication and Access Control

OOB management solutions typically support different user roles, each with its own access privileges. FIPS 140-3-certified modules, like ZPE Systems’ Nodegrid, feature multi-factor authentication (MFA) to control who can initiate OOB management sessions. Certified solutions also include secure key management practices that prevent unauthorized access, ensuring that only verified users can control and modify network devices.

These protections mean FIPS-certified solutions help mitigate the risk of unauthorized users accessing high-value assets. This is especially important during ransomware recovery efforts, when teams need to launch a secure, Isolated Recovery Environment to combat an active attack in a compromised environment.

3. Protection Against Tampering and Physical Attacks

Many organizations deploy IT infrastructure in locations where physical device security is lacking. For example, remote colocations, unmonitored drilling sites, or rural health clinics can easily expose network infrastructure to device tampering. FIPS 140-3 certification mandates tamper-evident and tamper-resistant features to protect the cryptographic modules used in OOB systems. OOB solutions like ZPE Systems’ Nodegrid provide robust protection against tampering, with features including:

  • UEFI secure boot: Prevents the execution of unauthorized software during the boot process.
  • TPM 2.0: Ensures secure key generation and storage, so only authorized software can run.
  • Secure erase: Allows for deletion of all data from storage, so no data can be recovered from devices that have been tampered with.

These features prevent unauthorized individuals from physically accessing OOB equipment to intercept or modify management traffic. In remote and edge locations, FIPS-certified cryptographic modules provide robust protection against physical attacks, making it harder for adversaries to compromise OOB management pathways.

4. Compliant and Secure Logging of Access Activities

Because OOB management systems provide access to critical equipment, organizations need transparency into OOB users and their management activities. This means logging and auditing are essential to maintaining security and compliance. FIPS 140-3-certified modules support secure logging of all management activities, creating a clear audit trail of access attempts and security events. These logs are stored securely to prevent unauthorized users from altering or erasing them, providing valuable insights for security monitoring and incident response.

Secure logging is not only critical for monitoring access but also necessary for meeting regulatory compliance. FIPS 140-3 ensures that OOB management systems can satisfy audit requirements, making compliance easier and protecting organizations from potential regulatory penalties.

5. Meeting Regulatory Requirements in Sensitive Environments

Many industries handle sensitive data, especially government, healthcare, and finance. For organizations in these industries, it’s often mandatory to use FIPS-certified cryptographic solutions. FIPS 140-3 certification helps OOB management systems align with federal security regulations and standards like HIPAA and PCI-DSS. By deploying FIPS-certified encryption, organizations can comply with these standards, streamline audits, reduce the risk of regulatory penalties, and reinforce trust with customers.

6. Consistent Security Across Main and OOB Networks

It’s easy for organizations to focus mostly on securing the main network, while overlooking the security protections that they employ on their out-of-band network. FIPS-certified solutions help establish consistent security standards across both paths. This is especially important in protecting against lateral attacks, where hackers infiltrate one network and are then able to jump to the other. In cases where attackers gain access to one segment of the network, matching security protocols across the main and OOB networks prevents them from moving laterally into sensitive management channels.

Using FIPS 140-3-certified encryption across both networks also strengthens the organization’s ability to monitor, manage, and control devices, even when the primary network is under threat.

7. Securing Remote and Edge Devices

For organizations with remote infrastructure, such as telecom and retail, OOB management is critical for managing network devices in distant locations. However, these environments often lack the physical security of centralized data centers, making them vulnerable to tampering. FIPS-certified solutions ensure that all communication with remote OOB devices is encrypted, which protects management data from unauthorized access.

FIPS 140-3 certification also supports the resilience of IoT and edge devices, which often require OOB management for secure monitoring, patching, and configuration.

Implement the Most Secure Out-of-Band Management with ZPE Systems

Security in Layers

ZPE Systems’ Nodegrid is the industry’s most secure out-of-band management solution. Not only do we carry FIPS 140-3, SOC 2 Type 2, and ISO 27001 certifications, but we also feature a Synopsys-validated codebase and dozens of security features across the hardware, software, and cloud layers. These are all part of a multi-layered, secure-by-design approach that ensures the strongest physical and cyber safeguards.

Download our pdf to explore more of our security assurance.

See FIPS-Certified Out-of-Band in Action

Our engineers are ready to walk you through our industry-leading out-of-band management. Use the button below to set up a 15-minute demo and explore FIPS 140-3 security features first-hand.

The CrowdStrike Outage: How to Recover Fast and Avoid the Next Outage
https://zpesystems.com/the-crowdstrike-outage-how-to-recover-fast-and-avoid-the-next-outage/
Tue, 23 Jul 2024 13:22:34 +0000

The CrowdStrike outage on July 19, 2024 affected millions of critical organizations. Here's how to recover fast and avoid the next outage.

CrowdStrike Outage BSOD

On July 19, 2024, CrowdStrike, a leading cybersecurity firm renowned for its advanced endpoint protection and threat intelligence solutions, experienced a significant outage that disrupted operations for many of its clients. This outage, triggered by a software upgrade, resulted in crashes for Windows PCs, creating a wave of operational challenges for banks, airports, enterprises, and organizations worldwide. This blog post explores what transpired during this incident, what caused the outage, and the broader implications for the cybersecurity industry.

What happened?

The incident began on the morning of July 19, 2024, when numerous CrowdStrike customers started reporting issues with their Windows PCs. Users experienced the BSOD (blue screen of death), which is when Windows crashes and renders devices unusable. As the day went on, it became evident that the problem was widespread and directly linked to a recent software upgrade deployed by CrowdStrike.

Timeline of Events

  1. Initial Reports: Early in the day, airports, hospitals, and critical infrastructure operators began experiencing unexplained crashes on their Windows PCs. The issue was quickly reported to CrowdStrike’s support team.
  2. Incident Acknowledgement: CrowdStrike acknowledged the issue via their social media channels and direct communications with affected clients, confirming that they were investigating the cause of the crashes.
  3. Root Cause Analysis: CrowdStrike’s engineering team worked diligently to identify the root cause of the problem. They soon determined that a software upgrade released the previous night was responsible for the crashes.
  4. Mitigation Efforts: Upon isolating the faulty software update, CrowdStrike issued guidance on how to roll back the update and provided patches to fix the issue.

What caused the CrowdStrike outage?

The root cause of the outage was a software upgrade intended to enhance the functionality and security of CrowdStrike’s Falcon sensor endpoint protection platform. However, this upgrade contained a bug that conflicted with certain configurations of Windows PCs, leading to system crashes. Several factors contributed to the incident:

  1. Insufficient Testing: The software update did not undergo adequate testing across all possible configurations of Windows PCs. This oversight meant that the bug was not detected before the update was deployed to customers.
  2. Complex Interdependencies: The incident highlights the complex interdependencies between software components and operating systems. Even minor changes can have unforeseen impacts on system stability.
  3. Rapid Deployment: In the cybersecurity industry, quick responses to emerging threats are crucial. However, the pressure to deploy updates rapidly can sometimes lead to insufficient testing and quality assurance processes.

We need to remember one important fact: whether software is written by humans or AI, there will be mistakes in coding and testing. When an issue slips through the cracks, the customer lab is the last resort to catch it. Usually, this can be done with a controlled rollout, where the IT team first upgrades their lab equipment, performs further testing, puts in place a rollback plan, and pushes the update to a less critical site. But in a cloud-connected SaaS world, the customer is no longer in control. That’s why they sign waivers stating that if such an incident occurs, the company that caused the problem is not liable. Experts are saying the only way to address this challenge is to have an infrastructure that’s designed, deployed, and operated for resilience. We discuss this architecture further down in this article.

How to recover from the CrowdStrike outage

CrowdStrike gives two options for recovering:

  • Option 1: Reboot in Safe Mode – Reboot the affected device in Safe Mode, locate and delete the file “C-00000291*.sys”, and then restart the device.
  • Option 2: Re-image – Download and configure the recovery utility to create a new Windows image, add this image to a USB drive, and then insert this USB drive into the target device. The utility will automatically find and delete the file that’s causing the crash.
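As an added example of Option 1 carried out from an elevated Safe Mode prompt (this is not CrowdStrike's or ZPE's code): the script finds files matching the pattern named in the guidance above, hashes them for the incident record, and moves them to a quarantine folder rather than deleting them outright, so the faulty file survives for later analysis and the action is logged per host. The driver directory and quarantine path are assumptions, not taken from the post; confirm the directory against the vendor's own advisory before running it.

```powershell
# Added example, not vendor code. Run from an elevated prompt in Safe Mode.
# $DriverDir and $Quarantine are assumptions; verify the directory against the
# vendor advisory. $Pattern is the wildcard named in the recovery guidance.
param(
    [string]$DriverDir  = 'C:\Windows\System32\drivers\CrowdStrike',  # assumed location
    [string]$Pattern    = 'C-00000291*.sys',                          # pattern from the advisory
    [string]$Quarantine = 'C:\Recovery\cs-quarantine',                # assumed quarantine folder
    [switch]$WhatIfOnly                                               # report, but do not move
)

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$logFile = Join-Path $Quarantine 'remediation.log'

# One timestamped line per action, tagged with the host name so logs from many
# machines can be merged into a single recovery record.
function Write-Log([string]$Message) {
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

if (-not (Test-Path -Path $DriverDir)) {
    Write-Log "driver directory not found: $DriverDir (nothing to do)"
    exit 0
}

# -Filter accepts the wildcard directly; -File excludes subdirectories.
$found = Get-ChildItem -Path $DriverDir -Filter $Pattern -File -ErrorAction SilentlyContinue
if (-not $found) {
    Write-Log "no files matching $Pattern in $DriverDir"
    exit 0
}

foreach ($f in $found) {
    # Record size and SHA-256 before touching the file so the evidence is preserved.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Log ('found {0} size={1} sha256={2}' -f $f.FullName, $f.Length, $hash)

    if ($WhatIfOnly) { continue }

    # Move instead of delete: the machine no longer loads the file, but it can
    # still be handed to the vendor or an IR team.
    Move-Item -Path $f.FullName -Destination (Join-Path $Quarantine $f.Name) -Force
    Write-Log ('quarantined {0}' -f $f.Name)
}

Write-Log 'remediation complete; reboot the device to leave Safe Mode'
```

Run it first with `-WhatIfOnly` to confirm it matches exactly the expected file on one machine, then without the switch; the log in the quarantine folder is what you collect afterwards to show the rollback was completed consistently across the fleet.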

The biggest obstacle that is costing organizations a lot of time and money is that with either of these recovery methods, IT staff need to be physically present to work on each affected device. They need to go one by one manually remediating via Safe Mode or physically inserting the USB drive. What makes this more difficult is that many organizations use physical and software/management security controls to limit access. Locked device cabinets slow down physical access to devices, and things like role-based access policies and disk encryption can make Safe Mode unusable. Because this outage is affecting more than 8.5 million computers, this kind of work won’t scale efficiently. That’s why organizations are turning to Isolated Management Infrastructure (IMI) and the Isolated Recovery Environment (IRE).

How IMI and IRE help you recover faster

IMI is a dedicated control plane network that’s meant for administration and recovery of IT systems, including Windows PCs affected by the CrowdStrike outage. It uses the concept of out-of-band management, where you deploy a management device that is connected to dedicated management ports of your IT infrastructure (e.g., serial ports, IPMI ports, and other Ethernet management ports). IMI also allows you to deploy recovery services for your digital estate that are immutable and near-line when recovery needs to take place.

IMI does not rely at all on the production assets, as it has its own dedicated remote access via WAN links like 4G/5G, and it can hold recovery keys and tools in encrypted storage under zero-trust access controls.

IMI gives teams remote, low-level access to devices so they can recover their systems remotely without the need to visit sites. Organizations that employ IMI are able to revert to a golden image through automation, or deploy bootable tools to all the computers at the site to rescue them without data loss.

The dedicated out-of-band access to serial/IPMI and management ports gives automation software the same abilities as if a physical crash cart was pulled up to the servers. ZPE Systems’ Nodegrid (now a brand of Legrand) enables this architecture as explained next. Using Nodegrid and ZPE Cloud, teams can use any of these options to recover from the CrowdStrike outage:

  • Option 1: Reboot in Preboot Execution Environment (PXE) Software – Nodegrid gives low-level network access to connected Windows machines as if teams were sitting directly in front of the affected device. This means they can remote in, reboot to a network image, remote into the booted image, delete the faulty file, and restart the system.
  • Option 2: Re-image – ZPE Cloud serves as a file repository and orchestration engine. Teams can upload their working Windows image, and then automatically push this across their global fleet of affected devices. This option speeds up recovery times exponentially.
  • Option 3: Windows Deployment Server – Run Windows Deployment Server on the IMI device at the location and re-image servers and workstations if a good backup of the data has been located. This backup can be made available through the IMI after the initial image has been deployed. The IMI can provide dedicated secure access to the Intune services in your M365 cloud, and the backups do not have to transit the entire internet for all workstations at once, speeding up recovery many times over.

All of these options can be performed at scale or even automated. Server recovery with large backups, although it may take a couple of hours, can be delivered locally and tracked for performance and consistency.

But what about the risk of making mistakes when you have to repeat these tasks? Won’t this cause more damage and data loss?

Any team can make a mistake repeating these recovery tasks over a large footprint, causing further damage or loss of data and slowing the recovery further. Automated recovery through the IMI addresses this, and can provide reliable recording and reporting to ensure that the restoration is complete and trusted.

What does IMI look like?

Here’s a simplified view of Isolated Management Infrastructure. At its center is ZPE’s Nodegrid device, which sits beside production infrastructure and provides the platform for hosting all the tools necessary for fast recovery.

A diagram showing how to use Nodegrid Gen 3 OOB to enable IMI.

What you need to deploy IMI for recovery:

  1. Out-of-band appliance with serial, USB, and Ethernet interfaces (e.g., ZPE’s Nodegrid Net SR)
  2. Switchable PDU: Legrand Server Tech or Raritan PDU
  3. Windows PXE Boot image

Here’s the order of operations for a faster CrowdStrike outage recovery:

  • Option 1 – Recover
    1. Deploy IMI with a ZPE Nodegrid device running a Preboot Execution Environment (PXE) service that pushes Windows boot images to the computers when they boot up
    2. Send recovery keys from Intune to IMI remote storage over ZPE Cloud’s zero trust platform, available in the cloud or air-gapped through Nodegrid Manager
    3. Enable the PXE service (automated across the entire enterprise) and define the PXE recovery image
    4. Use serial or IP control of power to the computers, or Intel vPro or IPMI where the machines support it, to reboot all machines
    5. All machines boot and check in to a control tower for PXE, or are made available to remote into using passwords stored in the PXE environment, Windows AD, or another Privileged Access Management (PAM) system
    6. Delete the faulty file(s)
    7. Reboot

  • Option 2 – Lean re-image
    1. Deploy IMI with a Windows Preboot Execution boot image and a running PXE service
    2. Enable access to the cloud and Azure Intune from the IMI remote storage, which holds the local image for the PCs
    3. Enable the PXE service (automated across the entire enterprise) and define the PXE recovery image
    4. Use serial or IP control of power to the computers, or Intel vPro or IPMI where the machines support it, to reboot all machines
    5. Machines boot and check in to Intune, either through the IMI or through normal Internet access, and finish imaging
    6. Once a machine completes the Intune tasks, Intune signals backups to come down to it. If these backups are offsite, they can be staged on the IMI through backup software running on a virtual machine on the IMI appliance, speeding up recovery without saturating the Internet connection at the remote site
    7. Pre-stage backups onto local storage, then push the recovery from the virtual machine on the IMI

  • Option 3 – Windows-controlled re-image
    1. Install Windows Deployment Services (WDS) as a virtual machine running on the IMI appliance (offline to prevent issues, or online but under a slowed deployment cycle in case there is an issue)
    2. Send recovery keys from Intune to IMI remote storage over a zero trust interface, in the cloud or air-gapped
    3. Use serial or IP control of power to the computers, or Intel vPro or IPMI where the machines support it, to reboot all machines
    4. Machines boot and check in to WDS for re-imaging
    5. Machines then check in to Intune, either through the IMI or through normal Internet access, and finish imaging
    6. Once a machine completes the Intune tasks, Intune signals backups to come down to it. If these backups are offsite, they can be staged on the IMI through backup software running on a virtual machine on the IMI appliance, speeding up recovery without saturating the Internet connection at the remote site
    7. Pre-stage backups onto local storage, then push the recovery from the virtual machine on the IMI
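The three option lists above, and the earlier point about recording and reporting so that repeated recovery tasks cannot cause further damage, come down to one requirement: run a fixed sequence of steps over many machines without redoing or skipping any step, and keep a record of where each machine stands. The following is an added example, not ZPE Systems or Nodegrid code, of how such a run can be made resumable and recorded. It assumes an inventory of hosts with BMC addresses on the isolated management network and a step executor that you supply: the ipmitool call shown is real, while the PXE check-in, file deletion and verification steps depend on your recovery image and are simulated here with a constructed executor. Host names and addresses are constructed for the demonstration.

```python
"""Resumable, recorded fleet recovery runner (added example, not ZPE/Nodegrid code).

Progress is checkpointed after every step and completed steps are skipped on
re-run, so repeating the run over a large footprint never power-cycles a host
twice or leaves a host half-recovered without a record of why.
"""
import json
import subprocess
import tempfile
from dataclasses import asdict, dataclass, field
from pathlib import Path

# Ordered recovery steps. "delete_faulty_file" is the removal of the offending file
# from inside the PXE-booted recovery environment; the post does not name the file,
# so a real executor would carry that path as a site-specific setting.
STEPS = ("power_cycle", "pxe_checkin", "delete_faulty_file", "reboot", "verify_booted")


@dataclass
class HostState:
    name: str
    bmc: str                                   # BMC/IPMI address on the isolated management network
    done: list = field(default_factory=list)   # completed steps, in order
    error: str = ""                            # last failure, cleared at the start of each run


def ipmi_power_cycle(bmc: str, user: str) -> bool:
    """Power-cycle one host with ipmitool over the OOB network. The -E flag makes
    ipmitool read the password from IPMI_PASSWORD, so no credential appears on the
    command line or in the recovery record."""
    cmd = ["ipmitool", "-I", "lanplus", "-H", bmc, "-U", user, "-E", "chassis", "power", "cycle"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


class FleetRecovery:
    """Runs STEPS against every host, recording progress in a JSON state file."""

    def __init__(self, hosts, executor, state_file):
        self.executor = executor                  # callable(step, HostState) -> bool
        self.state_file = Path(state_file)
        self.hosts = self._load() or {h.name: h for h in hosts}

    def _load(self):
        if not self.state_file.exists():
            return None
        raw = json.loads(self.state_file.read_text())
        return {name: HostState(**fields) for name, fields in raw.items()}

    def _save(self):
        self.state_file.write_text(json.dumps({n: asdict(h) for n, h in self.hosts.items()}, indent=2))

    def run(self):
        for host in self.hosts.values():
            host.error = ""
            for step in STEPS:
                if step in host.done:
                    continue                      # idempotent: never redo a completed step
                if not self.executor(step, host):
                    host.error = f"{step} failed"
                    break                         # park this host, keep going with the fleet
                host.done.append(step)
                self._save()                      # checkpoint so an interrupted run resumes here
        self._save()
        return self.report()

    def report(self):
        """Completion record: which hosts finished, and for the rest, the next step and why it stopped."""
        complete = sorted(n for n, h in self.hosts.items() if len(h.done) == len(STEPS))
        pending = {n: {"next": STEPS[len(h.done)], "error": h.error}
                   for n, h in self.hosts.items() if len(h.done) < len(STEPS)}
        return {"complete": complete, "pending": pending}


def make_simulated_executor(fail_once):
    """Constructed offline stand-in: each (host, step) in fail_once fails on its first
    attempt and succeeds afterwards. Returns the executor and the list of calls made."""
    calls, failed = [], set()

    def executor(step, host):
        calls.append((host.name, step))
        if (host.name, step) in fail_once and (host.name, step) not in failed:
            failed.add((host.name, step))
            return False
        return True

    return executor, calls


def demo():
    """Two runs over a constructed two-host inventory: ws-02's PXE check-in fails the
    first time; the second run resumes from the state file and completes it."""
    hosts = [HostState("ws-01", "10.0.0.11"), HostState("ws-02", "10.0.0.12")]  # constructed
    executor, calls = make_simulated_executor({("ws-02", "pxe_checkin")})
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "recovery-state.json"
        first = FleetRecovery(hosts, executor, state).run()
        second = FleetRecovery(hosts, executor, state).run()
    return first, second, calls


if __name__ == "__main__":
    first, second, calls = demo()
    print(json.dumps(first, indent=2))
    print(json.dumps(second, indent=2))
    print(f"{len(calls)} step executions, ws-02 power-cycled {calls.count(('ws-02', 'power_cycle'))} time(s)")
```

In production the executor would dispatch `power_cycle` and `reboot` to `ipmi_power_cycle` (or to a switchable PDU outlet for machines without IPMI) and the remaining steps to whatever tooling your PXE image exposes; the state file is the audit record the post calls for, and it is what lets a second operator pick up an interrupted run without redoing completed hosts.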

Deploy IMI to avoid the next outage

Get in touch for help choosing the right size IMI deployment for your organization. Nodegrid and ZPE Cloud are the drop-in solution to recovering from outages, with plenty of device options to fit any budget and environment size. Contact ZPE Sales now or download the blueprint to help you begin implementing IMI.

DORA Act: 5 Takeaways For The Financial Sector
https://zpesystems.com/dora-act-5-takeaways-for-the-financial-sector/ (Thu, 07 Mar 2024)
The Digital Operational Resilience Act (DORA Act) outlines significant resilience changes for the financial sector. See how to comply here.

The Digital Operational Resilience Act (DORA) is a regulatory initiative within the European Union that aims to enhance the operational resilience of the financial sector. Its main goal is to prevent and mitigate cyber threats and operational disruptions. The DORA Act outlines regulatory requirements for the security of network and information systems “whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats” (DORA Act website).

Who and What Are Covered Under the DORA Act?

The DORA Act is a regulation that covers all financial entities within the European Union (EU). It recognizes the critical role of information and communication technology (ICT) systems in financial services. DORA applies to financial services including payments, securities, credit rating, algorithmic trading, lending, insurance, and back-office operations. It establishes a framework for ICT risk management through technical standards, which are being released in two phases, the first of which was published on January 17, 2024. The DORA Act will go into effect in its entirety on January 17, 2025.

With cyberattacks constantly in the news cycle, it’s no surprise that governing bodies are putting forth standards for operational resilience. But without combing through this lengthy piece of legislation, what should IT teams start thinking about from a practical standpoint? Here are 5 takeaways on what the DORA Act means for the financial sector.

DORA Act: 5 Takeaways for the Financial Sector

1. Shore up your cybersecurity measures

The DORA Act emphasizes strengthening cybersecurity measures within the financial sector. It requires financial institutions, such as banks, stock exchanges, and financial infrastructure providers, to implement robust cybersecurity controls and protocols. These include adopting advanced authentication mechanisms, encryption standards, and network segmentation to protect sensitive financial data and critical infrastructure from cyber threats. Part of this will also require organizations to apply system patches and updates in a timely manner, which means automated patching will become a necessary part of every organization’s security posture.

2. Implement resilience systems

Operational resilience is a key focus area of the DORA Act, aiming to ensure the continuity of essential financial services in the face of cyber threats, natural disasters, and other operational disruptions. Financial institutions are required to develop comprehensive business continuity plans, establish redundant systems and backup facilities, and conduct regular stress tests to assess their ability to withstand and recover from various scenarios. Implementing a resilience system helps with this, as it provides all the infrastructure, tools, and services necessary to continue operating during major incidents.

3. Conduct regular scans for vulnerabilities

The DORA Act mandates financial institutions to implement robust risk management practices to identify, assess, and mitigate cyber risks and operational vulnerabilities. This includes conducting regular assessments, vulnerability scans, and penetration tests, and developing incident response procedures to quickly address threats. This is all part of taking a proactive approach to identify and mitigate cyber incidents, and reduce the impact that adverse events have on financial stability and consumer confidence.

4. Collaborate and share information with industry peers

The DORA Act encourages financial institutions to share cybersecurity threat intelligence, incident data, and best practices with industry peers, regulators, and law enforcement agencies. The ability to monitor systems and collect data will be crucial to this approach, and will require systems that can rapidly (and securely) deploy apps/services during ongoing incidents. This will help financial institutions to better understand emerging threats, coordinate responses to cyber incidents, and strengthen collective defenses against threats and operational disruptions.

5. Segment physical and logical systems to pass regular audits

Through the DORA Act, regulators are empowered to conduct regular assessments, audits, and inspections of systems. This will ensure that financial institutions are implementing adequate controls and safeguards to protect against cyber threats and operational disruptions. A crucial part of this will involve physical and logical separation of systems, such as through Isolated Management Infrastructure, as well as implementing zero trust architecture across the organization. These will help bolster resilience by eliminating control dependencies between management and production networks, which will also help to streamline audits.

Get the blueprint to help you comply with the DORA Act

DORA’s requirements are meant to help IT teams better protect sensitive data and the integrity of financial systems as a whole. But without a proper network management infrastructure, their production networks are too sensitive to errors and vulnerable to attacks. ZPE has created the blueprint that covers these 5 crucial takeaways outlined in the DORA Act. The architecture outlined in this blueprint has been trusted by Big Tech for more than a decade, as it allows them to deploy modern cybersecurity measures, physically and logically separated systems, and rapid recovery processes. Download the blueprint now.

What to do if You’re Ransomware’d: A Healthcare Example
https://zpesystems.com/what-to-do-if-youre-ransomwared-a-healthcare-example/ (Wed, 28 Feb 2024)
Cybersecurity expert James Cabe discusses what to do if you're on the receiving end of a ransomware attack, including isolating systems.

This article was written by James Cabe, CISSP, a 30-year cybersecurity expert who’s helped major companies including Microsoft and Fortinet.

Ransomware gangs target the innocent and vulnerable. They hit a Chicago hospital in December 2023, a London hospital in October the same year, and schools and hospitals in New Jersey as recently as January 2024. This is one of the biggest reasons I’m committed to stopping these criminals by educating organizations on how to re-think and re-architect their approach to cybersecurity.

In previous articles, I discussed IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environments), and how they could have quickly altered outcomes for MGM, Ragnar Locker victims, and organizations affected by the MOVEit vulnerability. Using IMI and IRE, organizations find that the key to not only speedy recovery, but also to limiting the blast radius and attack persistence, is isolation.

Why is isolation (not segmentation) key to ransomware recovery?

The NIST framework for incident response has five steps: Identify, Protect, Detect, Respond, and Recover. It’s missing a crucial step, however: Isolate. Stay tuned for a full breakdown of this in my next article. The reason isolation is so critical is that attacks move at machine speed, and are very pervasive and persistent. If your management network is not fully isolated from production assets, the infection spreads to everything. Suddenly, you’re locked out completely and looking at months of tedious recovery. For healthcare providers, this jeopardizes everything from patient care to regulatory compliance.

Isolation is integral to building a resilience system, or in other words, a system that gives you more than basic serial console/out-of-band access and instead provides an entire infrastructure dedicated to keeping you in control of your systems — be it during a ransomware attack, ISP outage, natural disaster, etc. Because this infrastructure is physically and virtually isolated from production (no dependencies on production switches/routers, no open management ports, etc.), it’s nearly impossible for attackers to lock you out.

So, what really should you do if you’re ransomware’d? Let’s walk through an example attack on a healthcare system, and compare the traditional DR (Disaster Recovery) response to the IMI/IRE approach.

Ransomware in Healthcare: Disaster Recovery vs Isolated Recovery

Suppose you’re in charge of a hospital’s network. MDIoT, patient databases, and DICOM storage are the crown jewels of your infrastructure. Suddenly, you discover ransomware has encrypted patient records and is likely spreading quickly to other crown jewel assets. The risks and potential fallout can’t be overstated. Millions of people are depending on you to protect their sensitive info, while the hospital is depending on you to help them avoid regulatory/legal penalties and ensure they can continue operating.

The problem with Disaster Recovery

Though the word ‘recovery’ is in the name, the DR approach is limited in its capacity to recover systems during an attack. Disaster Recovery typically employs a couple of things:

  • Backups, which are copies of data, configurations, and code that are used to restore a production system when it fails.
  • Redundancy, which involves duplicating critical systems, services, and applications as a failsafe in the event that primaries go down (think cellular failover devices, secondary firewalls, etc.).

What happens when you activate your DR processes? It’s highly likely that you won’t be able to, and that’s because the typical DR setup relies on the production network. There’s no isolation.

Think about it this way: your backup servers need direct access to the data they’re backing up. If your file servers get pwned, your backup servers will, too. If your primary firewall gets hacked, your secondary will, too. The problem with backup and redundancy systems — and any system, for that matter — is that when they depend on the underlying infrastructure to remain operational, they’re just as susceptible to outages and attacks. It’s like having a reserve parachute that depends on the main parachute.

And what about the rest of your systems? You just discovered the attack has encrypted your servers and is quickly bringing operations to a crawl. How are you going to get in and fight back? What if you try to log into your management network, only to find that you’re locked out? All of your tools, configurations, and capabilities have been compromised.

This is why CISA, the FBI, US Navy, and other agencies recommend implementing Isolated Management Infrastructure.

IMI and IRE guarantee you can fight back against ransomware

You discover that the ransomware has spread. Not only has it encrypted data and stopped operations, but it has also locked you out of your own management network and is affecting the software configurations throughout the hospital. This is where IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environment) come in.

Because IMI is physically separate from affected systems, it guarantees management access so teams can set up communication and a temporary ‘war room’ for incident response. The IRE can then be created using a combination of cellular, compute, connectivity, and power control (see diagram for design and steps). Docker containers should be used to bring up each step.

Image: The infrastructure and incident response protocol involved in the Isolated Recovery Environment, shown as a chart of the systems and open-source tools that can be deployed at each stage. These products were chosen from free or open source projects that have proven to be very useful in each of these stages of recovery. They can be automated in pieces for each phase, and then be brought down via Docker container to eliminate the risk of leakage during each phase.

Without diving too far into the technicalities, the IRE enables you to recover survivable data, restore software configurations, and prevent reinfection. Here are some things you can do (and should do) in this scenario, courtesy of the IRE:

Establish your war room

You can’t fight ransomware if you can’t securely communicate with your team. Use the IRE to create offline, break-the-glass accounts that are not attached to email. This allows you to communicate and set up ticketing for forensics purposes.

Isolate affected systems

There’s no use running antivirus if reinfection can occur. Use the IRE to take offline the switch that connects the backup and file servers. Isolate these servers from each other and shut down direct backup ports. Then, you can remote-in (KVM, iKVM, iDRAC) to run antivirus and EDR (Endpoint Detection and Response).

Restore data and device images

The key is to have backup data at its most current, both for patient data and device/software configurations. Because the IRE provides an isolated environment, and you’ve already pulled your backups offline, you can gradually restore data, re-image devices, and restore configurations without risking reinfection. The IRE ensures devices “keep away” from each other until they can be cleansed and recovered.

Things You’ll Need To Build The IMI and IRE

Network Automation Blueprint

We’ve created a comprehensive blueprint that shows how to implement the architecture for IMI and IRE. Don’t let the name fool you. The Network Automation Blueprint covers everything from establishing a dedicated management network, to automating deployment of services for ransomware recovery. Get your PDF copy now at the link below.

Gen 3 Console Servers To Replace End-of-Life Gear

It’s nearly impossible to build the IMI or deploy the IRE using older console servers. That’s because these only give you basic remote access and a hint of automation capabilities. You’ll still need the ability to run VMs and containers. Gen 3 console servers let you do all of the things needed for IMI and IRE, like full control plane/data plane separation, hosting apps, and deploying VMs/containers on-demand. They’ve also been validated by Synopsys and have built-in security features I’ve been talking about for years. Check out the link below for resources about Gen 3 and how we’ll help you upgrade.

Get in touch with me!

I’d love to talk with you about IMI, IRE, and resilience systems. These are becoming more crucial to operational resilience and ransomware recovery, and countries are passing new regulations that will require these approaches. Get in touch with me via social media to talk about this!

Best Network Performance Monitoring Tools
https://zpesystems.com/best-network-performance-monitoring-tools-zs/ (Wed, 15 Nov 2023)
This guide compares three of the best network performance monitoring tools by analyzing the most critical factors and discussing the pros and cons.

Network performance monitoring tools provide visibility into the health and efficiency of networks and their underlying infrastructure of devices and software. Some platforms focus entirely on collecting and analyzing logs from various sources on the network, while others provide additional management capabilities that let you control, change, and troubleshoot network infrastructure. Choosing the right solution requires a thoughtful consideration of factors such as the cost, scalability, and interoperability of the software, as well as your team’s experience and abilities. This guide compares three of the best network performance monitoring tools by analyzing these critical factors before providing advice on the most scalable and cost-effective way to deploy your solutions.

Comparing best network performance monitoring tools

Platform and key features:

SolarWinds Network Performance Monitor (NPM)
  • Network device, performance, and fault monitoring
  • Deep packet inspection and analysis
  • LAN and WAN monitoring
  • Automatic network discovery, mapping, and monitoring
  • Network availability monitoring
  • Network diagnostics
  • Network path analysis
  • Network performance testing
  • SNMP monitoring
  • Wi-Fi analysis

Kentik
  • Network telemetry dashboards
  • Multi-vendor network monitoring
  • Cloud, edge, and hybrid cloud monitoring
  • SaaS application performance & uptime monitoring
  • Intelligent automated alerts
  • SNMP, traffic flow, VPC, host agent, and synthetic monitoring
  • Multi-cloud performance monitoring
  • Kubernetes workload monitoring
  • SD-WAN monitoring
  • Network security monitoring
  • Network map visualizations
  • QoE monitoring

ThousandEyes
  • Network availability and performance testing
  • WAN performance monitoring
  • Cisco SD-WAN monitoring and optimization
  • Browser session monitoring
  • Network path visibility
  • User Wi-Fi connectivity monitoring
  • VPN mapping and monitoring
  • Cross-layer data visualizations
Disclaimer: This comparison was written by a 3rd party in collaboration with ZPE Systems using data gathered from publicly available data sheets and admin guides, as of 10/20/2023. Please email us if you have corrections or edits, or want to review additional attributes: Matrix@zpesystems.com

SolarWinds Network Performance Monitor (NPM)

The Network Performance Monitor (NPM) is part of the SolarWinds Orion platform of integrated products. This mature and richly featured monitoring software is delivered as a cloud-based service and can observe SaaS (software as a service), cloud, hybrid cloud, and on-premises infrastructure. With advanced features like deep packet inspection (DPI), WAN optimization monitoring, automatic network mapping, and automated diagnostic tools, SolarWinds NPM is meant to be a complete, enterprise-grade observability solution. As part of the Orion platform, it’s also extensible with other products from the SolarWinds ecosystem, such as Network Configuration Manager. As an enterprise solution, SolarWinds NPM comes with a high price tag that grows even larger as additional monitoring agents are added, limiting its scalability. Another important factor to consider is that SolarWinds recently suffered a high-profile hack that compromised thousands of customers, so there are security risks involved in trusting the Orion supply chain. Additionally, despite a large library of integrations, SolarWinds is a closed ecosystem that doesn’t work well with 3rd-party tools or custom scripts.

Pros
  • Supports SaaS, cloud, and on-premises networks
  • Includes advanced monitoring features like DPI
  • Part of a large ecosystem of observability and management solutions

Cons
  • Pricing is expensive and limits scalability
  • Recently suffered a high-profile breach that impacted thousands of customers
  • Closed ecosystem may not support your 3rd-party tools

Kentik

Kentik is an end-to-end network observability platform for cloud, multi-cloud, hybrid cloud, SaaS, and data center infrastructure. In addition to network performance monitoring, the platform includes monitoring solutions for SaaS application performance and SD-WAN performance. Other observability features include SaaS uptime monitoring, AI-driven insights and alerts, network security monitoring, and QoE (Quality of Experience) monitoring. Kentik also recently launched a Kubernetes network monitoring solution called Kentik Kube that provides end-to-end cluster visibility. Overall, Kentik is a powerful network observability platform that includes many of its most innovative features in its “Essentials” and “Pro” pricing packages, providing a lot of bang for your buck. The downside is that you can’t subscribe to features individually and must purchase a whole package, meaning you could end up paying for features you don’t need. Because Kentik is not a large vendor, its customer service may be slow to respond in some cases. Additionally, although Kentik does have a large library of integrations, it is not a vendor-neutral platform.

Pros
  • Supports cloud, multi-cloud, hybrid cloud, SaaS, and data center infrastructure
  • Includes many advanced features and solutions at no additional cost
  • Provides AI-driven network insights and intelligent alerts

Cons
  • Products aren’t available a la carte
  • Customer service and technical support can be slow to respond
  • Isn’t entirely vendor-neutral

ThousandEyes

ThousandEyes is a digital experience monitoring platform primarily focused on network and application synthetic testing, end-user performance monitoring, and ISP Internet monitoring for SaaS, cloud, and on-premises networks. Additionally, ThousandEyes is part of the Cisco family and can be used to monitor and optimize Cisco SD-WAN architectures. Across its family of observability products, ThousandEyes includes features like wireless network visibility, SaaS performance visualizations, cloud application outage detection, and SD-WAN performance forecasting. The major advantage of the ThousandEyes platform is that it provides true end-to-end visibility of the entire service delivery chain, including end-user device performance and third-party provider availability. One downside is the endpoint agent-based monitoring solution requires on-premises VMs to run, which can be cumbersome to maintain and limits scalability. The pricing is expensive compared to similar solutions, and you may have to combine products to get all the features you need. Additionally, ThousandEyes is not a vendor-neutral platform and has a relatively small library of integrations.

Pros
  • Supports SaaS, cloud, and on-premises networks
  • Works with Cisco DNA software for SD-WAN monitoring
  • Provides end-to-end visibility of the entire service delivery chain

Cons
  • Agent-based monitoring requires on-premises VMs, limiting scalability
  • Pricing is expensive compared to similar solutions
  • Limited integrations, preventing interoperability

Conclusion

Each of the solutions on this list has advantages that make it well-suited to certain environments, as well as limitations to consider. SolarWinds NPM is part of a large ecosystem of observability and management solutions that includes advanced features like DPI, but it recently suffered a major security incident and has a closed ecosystem. Kentik packs a lot of innovative, AI-driven monitoring capabilities into its platform offerings, but its pricing tiers are inflexible, and it doesn’t have the large, enterprise-grade support team of its larger competitors. ThousandEyes provides end-to-end visibility of the entire service delivery chain and works seamlessly with Cisco DNA software, but it has a steep learning curve and a limited library of integrations.

How to run the best network performance monitoring tools

Most network performance monitoring tools – even cloud-based SaaS offerings – communicate with endpoint agents using software deployed on VMs (virtual machines) running on-premises in each business location. Running these VMs on fully provisioned servers or PCs is expensive, but deploying them on NUCs is highly insecure, especially as organizations scale out with distributed branches and edge computing sites. What’s needed is a consolidated hardware solution that combines critical branch, edge, and data center networking functionality with vendor-neutral VM and application hosting, such as the Nodegrid platform from ZPE Systems. Nodegrid’s serial switches and network edge routers run the open, Linux-based Nodegrid OS, which can host your choice of third-party software – including Docker containers – for network performance monitoring, SD-WAN, security, automation, and more. Nodegrid’s versatile, modular hardware solutions also provide out-of-band (OOB) management access to critical remote infrastructure and monitoring solutions, giving teams a lifeline to recover from outages and ransomware attacks. Nodegrid uses innovative, enterprise-grade security features like Secure Boot, self-encrypted disk, and two-factor authentication (2FA), and its onboard software is frequently patched for vulnerabilities to defend against a breach. Deploying Nodegrid at each business site consolidates your network to reduce hardware overhead, streamlining management and enabling easy scalability.

Deploy the best network performance monitoring tools with Nodegrid

Reach out to ZPE Systems to see a demo of how the best network performance monitoring tools run on the Nodegrid platform.

Intel NUC Use Cases
https://zpesystems.com/intel-nuc-use-cases-zs/ (Fri, 22 Sep 2023)
This post describes some of the most common Intel NUC use cases, explains the security and management issues that caused its discontinuation, and provides superior replacement options.

The Intel NUC, or “Next Unit of Computing,” is a small, appliance-like minicomputer that’s widely used across a variety of industries and applications. They’re tiny and relatively inexpensive, so you’ll often find them inside IoT devices and ruggedized cases. They’re also frequently deployed as jump boxes or service delivery appliances. However, Intel NUCs create added security risks, technical debt, and management headaches. Plus, Intel recently announced the discontinuation of all NUC product lines. This post describes some of the most common Intel NUC use cases, explains the security and management issues that caused its discontinuation, and provides superior replacement options.

Table of Contents

  1. Intel NUC use cases
  2. Intel NUC EOL products
  3. Why is Intel EOL-ing the NUC?
  4. Intel NUC replacement options from ZPE Systems
  5. Nodegrid product comparison
  6. Intel NUC replacement SKUs

Intel NUC use cases

While Intel NUCs have a dedicated fanbase among home enthusiasts, they’re primarily used by professional IT teams. Some popular Intel NUC use cases include:

  • Reducing carbon footprints: As investors place more importance on an organization’s environmental, social, and governance (ESG) practices, it becomes necessary to improve sustainability and reduce greenhouse gas emissions. Replacing inefficient PC towers with Intel NUCs can help reduce carbon footprints and improve ESG ratings.
  • Security and surveillance systems: An Intel NUC can run a wide range of security applications for things like entry control and surveillance cameras, eliminating the need for dedicated servers. Some IoT (Internet of Things) security devices have embedded Intel NUCs for greater mobility and efficiency.
  • Application delivery: Some service providers use Intel NUCs as platforms to deploy their software on-site to reduce hardware overhead costs. For example, a provider can install a NUC in their customer’s server room to deliver artificial intelligence (AI) or Software-as-a-Service (SaaS) applications.
  • Jump boxes: Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) often deploy Intel NUCs at customer sites to act as “jump boxes” used to remotely access client infrastructure without taking up rack space.
  • Rugged computing: When services are needed out in the field, such as in military or construction applications, a traditional laptop may not be heavy-duty enough to withstand operating conditions. Some organizations solve this problem by running their services on Intel NUCs installed inside rugged cases designed for the environment.
  • Customized appliance computing: For specialized applications requiring a high degree of physical customization, such as law enforcement surveillance systems, an Intel NUC is often used because it’s small enough to fit nearly any case.

Intel NUC EOL products

Intel recently announced it’s discontinuing all NUC products, with specific dates for end-of-sale, end-of-support, and end-of-security-support varying by product. ASUS agreed to take over manufacturing and support of NUC product lines, but it’s unclear what the transition will look like or how ASUS will develop the NUC in the future.

The Intel NUC replacement SKUs section below lists all Intel NUC end-of-life SKUs along with direct replacement options.

Why is Intel EOL-ing the NUC?

Despite all the exciting enterprise use cases listed above, the Intel NUC was never intended to be used as an appliance. It has numerous security and management limitations that make it challenging for Intel (and ASUS, in the future) to support the NUC for enterprise applications, including:

  • There’s no dedicated platform to deploy or secure NUC applications
  • Each Intel NUC is managed and accessed individually with no centralized management
  • Intel NUCs create significant technical debt because they require coding, API knowledge, and other specialized skills to work with
  • NUC operating systems are usually left out of patch schedules, leaving vulnerabilities critically exposed
  • There is usually no ability to recover a non-responsive NUC remotely, requiring expensive on-site visits any time there’s a network hiccup or OS crash
  • NUCs often don’t have the onboard hardware Roots of Trust (e.g., TPM) needed to secure them properly
  • The hardware NUCs are embedded in often have unclear or undocumented supply chains
  • There’s no ability for bidirectional authentication to the cloud with unique certificates
  • The production data and applications are on the same plane as management processes, leaving management ports exposed

Intel NUCs are a quick and inexpensive way to deploy applications, jump boxes, and digital services, which is what makes them so popular in enterprises. However, due to a lack of security features and centralized management, NUCs are also popular with cybercriminals looking for an easy target to exploit. With Intel discontinuing all NUC product lines, it’s the perfect opportunity to look for a replacement option that delivers the same cost-efficient flexibility but with enterprise-grade security and management features built in.
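As an added example (not Intel’s or ZPE’s code), the following Python script performs the check a practitioner would run before trusting an appliance whose management processes sit on the same plane as production data: it reads an `ss -ltnp`-style socket listing and reports any management service that is bound to every interface, or to a production-network address, rather than to the dedicated management network. The management subnet, the port-to-service table and the sample listing are constructed assumptions.

```python
"""Find management services exposed on the production network.

Added example, not ZPE or Intel code. It parses a listing in the shape of
`ss -ltnp` output and reports management listeners (SSH, admin HTTPS, IPMI,
VNC) that are bound to every interface or to a production-network address
instead of the dedicated management network. The management subnet, the port
list and the sample listing are constructed assumptions.
"""
import ipaddress
import re

# Assumed dedicated management VLAN; anything listening outside it is on the data plane.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
# Assumed set of management services worth checking.
MGMT_PORTS = {22: "ssh", 443: "https-admin", 623: "ipmi", 5900: "vnc"}

# Constructed `ss -ltnp` style listing from a hypothetical appliance.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    10.99.0.15:443       0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN 0      128    192.168.50.15:5900   0.0.0.0:*         users:(("x11vnc",pid=1203,fd=4))
LISTEN 0      4096   [::]:623             [::]:*            users:(("ipmievd",pid=455,fd=5))
LISTEN 0      128    127.0.0.1:8080       0.0.0.0:*         users:(("app",pid=1500,fd=7))
"""

_PROC = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Return (ip, port, process) for every LISTEN row; handles [v6]:port notation."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        cols = line.split()
        host, port = cols[3].rsplit(":", 1)
        match = _PROC.search(line)
        proc = match.group(1) if match else "?"
        rows.append((ipaddress.ip_address(host.strip("[]")), int(port), proc))
    return rows


def audit(text, mgmt_net=MGMT_NET, mgmt_ports=MGMT_PORTS):
    """Return findings for management ports reachable from outside the management network."""
    findings = []
    for ip, port, proc in parse_listeners(text):
        if port not in mgmt_ports:
            continue  # not a management service; out of scope for this check
        if ip.is_loopback or ip in mgmt_net:
            continue  # local-only or correctly isolated on the management VLAN
        reason = "wildcard bind" if ip.is_unspecified else f"bound to production address {ip}"
        findings.append((mgmt_ports[port], port, proc, reason))
    return findings


if __name__ == "__main__":
    for svc, port, proc, reason in audit(SAMPLE_SS):
        print(f"{svc} ({proc}, port {port}): {reason}")
```

Run it on real `ss -ltnp` output by passing the captured text to `audit()`; a correctly isolated appliance produces no findings. The script classifies by the address space a listener belongs to rather than by port alone, because a management port that is open only on the management VLAN is the intended state, while the same port on a wildcard or production address is the exposure the list above describes.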

Intel NUC replacement options from ZPE Systems

Nodegrid is a family of all-in-one networking, application delivery, and infrastructure management devices from ZPE Systems. Nodegrid was built with security in mind, taking a three-pronged approach that includes:

  1. Hardware security – Onboard security features like TPM 2.0 and self-encrypted disk (SED) protect your device even if it falls into the wrong hands.
  2. Software security – Nodegrid protects its software using features such as BIOS protection and Signed OS, and it can host third-party security applications for an even stronger defense.
  3. Management security – Nodegrid keeps the management plane isolated from the data plane and uses strong zero-trust authentication methods to protect your management interfaces.

Nodegrid reduces management headaches without reducing security or functionality. ZPE provides enterprise-level support for all Nodegrid products with a responsive engineering team and 24-hour CVE (common vulnerabilities and exposures) patching. Nodegrid also lowers the technical debt and can meet teams at their skill level. You can deploy Nodegrid and use it to manage solutions that are already in place without any specialized programming or API knowledge.

Plus, Nodegrid uses out-of-band (OOB) management and serial connectivity to ensure continuous remote access to the control plane, making it a superior choice to an Intel NUC jump box for MSPs and MSSPs. With OOB connection options like 5G/4G LTE, teams can remotely troubleshoot and recover systems, services, and applications, even during major network outages. Management of all Nodegrid-connected infrastructure is unified by a single platform for streamlined control at any scale.

Due to its size, cost, and open, Linux-based operating system, Nodegrid is just as flexible and efficient as an Intel NUC while delivering the centralized management, robust security, and responsive support needed in enterprise deployments.

Nodegrid product comparison

The entire family of Nodegrid edge solutions provides reliable OOB management and flexible service delivery capabilities protected by enterprise-grade security features. The Nodegrid Mini SR, Bold SR, and Gate SR are direct replacements for EOL Intel NUC models but offer so much more. Nodegrid is an entire Services Delivery Platform designed to streamline operations at any scale.

| | Mini SR | Bold SR | Hive SR | Gate SR |
|---|---|---|---|---|
| CPU | X86-64bit Intel | X86-64bit Intel | | X86-64bit Intel |
| Cores | 4 | 4 or 8 | 4 or 8 | 2, 4 or 8 |
| Guest VM | 1 | 1 | 1-3 | 1-3 |
| Guest Docker | 2+ | 2+ | 2+ | 2+ |
| Storage | 14GB SED | 32GB – 128GB | 32GB – 128GB | 32GB – 128GB |
| Wi-Fi | Yes | Yes | Yes | Yes |
| Cellular modem | 1 | 1-2 | 1-2 | 1-2 |
| Sim slots | 1 | 4 | 4 | 4 |
| Serial Console Switch | Via USB | 8 | Via USB | 8 |

Further specifications listed for the family, in the order given and without a per-model split:

  • Additional Storage: Up to 4TB; 512GB; Up to 4TB
  • 5G: Yes; Dual 5G; Dual 5G
  • Network: 2x 1Gb ETH; 5x Gb ETH; 2x WAN (ETH/SFP), 2x SFP; 4x 2.5Gb ETH; 2x SFP, 5x Gb ETH; 4x 1Gb ETH PoE+

To see first-hand why Nodegrid edge solutions are a superior choice for Intel NUC use cases, request a demo from ZPE Systems today.


Intel NUC replacement SKUs

Every Intel NUC EOL SKU in this list has the same in-scope features and maps to the same set of ZPE replacement products.

In scope features: Multi-core Intel processor, expandable memory & SSD storage, Wi-Fi

ZPE replacement products:

  • ZPE-MSR24-W5
  • ZPE-MSR24-4G-W5
  • ZPE-MSR24-W5-EXT
  • ZPE-MSR24-4G-W5-EXT
  • ZPE-BSR-24a-W5
  • ZPE-BSR-24-4G-W5
  • ZPE-BSR-24-4G-W5-D128G
  • ZPE-BSR-48-W5
  • ZPE-BSR-48-4G-W5
  • ZPE-BSR-48-4G-W5-D128G
  • ZPE-GSR-48-W5
  • ZPE-GSR-48-4G-W5
  • ZPE-GSR-48-4G-W5-D128G
  • ZPE-GSR-816-W5
  • ZPE-GSR-816-4G-W5
  • ZPE-GSR-816-4G-W5-D128G

Intel NUC EOL SKUs:

  • Intel® NUC 11 Performance Kit NUC11PAHI70900 (Lenovo)

  • Intel® NUC 11 Pro Kit NUC11TNKv5
  • Intel® NUC 11 Pro Board NUC11TNBv5
  • Intel® NUC 11 Pro Board NUC11TNBv7
  • Intel® NUC 11 Pro Kit NUC11TNHv50L
  • Intel® NUC 11 Pro Kit NUC11TNKv7
  • Intel® NUC 11 Pro Kit NUC11TNHv7
  • Intel® NUC 11 Pro Kit NUC11TNHv70L
  • Intel® NUC 11 Pro Board NUC11TNBi3
  • Intel® NUC 11 Pro Board NUC11TNBi5
  • Intel® NUC 11 Pro Board NUC11TNBi7
  • Intel® NUC 11 Pro Kit NUC11TNKi3
  • Intel® NUC 11 Pro Kit NUC11TNKi5
  • Intel® NUC 11 Pro Kit NUC11TNKi7
  • Intel® NUC 11 Pro Kit NUC11TNHi30L
  • Intel® NUC 11 Pro Kit NUC11TNHi50L
  • Intel® NUC 11 Pro Kit NUC11TNHi70L
  • Intel® NUC 11 Pro Kit NUC11TNHi3
  • Intel® NUC 11 Pro Kit NUC11TNHi5
  • Intel® NUC 11 Pro Kit NUC11TNHi7
  • Intel® NUC 11 Pro Kit NUC11TNHi30P
  • Intel® NUC 11 Pro Kit NUC11TNHi50W
  • Intel® NUC 11 Pro Kit NUC11TNHi70Q
  • Intel® NUC 11 Pro Board NUC11TNBi30Z
  • Intel® NUC 11 Pro Board NUC11TNBi50Z
  • Intel® NUC 11 Pro Board NUC11TNBi70Z
  • Intel® NUC 11 Pro Kit NUC11TNKi30Z
  • Intel® NUC 11 Pro Kit NUC11TNKi50Z
  • Intel® NUC 11 Pro Kit NUC11TNKi70Z
  • Intel® NUC 11 Pro Kit NUC11TNKv50Z
  • Intel® NUC Kit, NUC11PAHi30Z
  • Intel® NUC Kit, NUC11PAHi50Z
  • Intel® NUC Kit, NUC11PAHi70Z
  • Intel® NUC 11 Enterprise Edge Compute NUC11TNHv50L
  • Intel® NUC 11 Enterprise Edge Compute NUC11TNHv70L
  • Intel® NUC 11 Pro Kit NUC11TNHi50Z

  • Intel® NUC Kit, NUC10i5FNHN (no cord, US cord, EU cord, AU cord, IN cord)
  • Intel® NUC Kit, NUC10i5FNKN (no cord, US cord, EU cord, AU cord, IN cord)
  • Intel® NUC Kit, NUC10i3FNHN (no cord, US cord, EU cord, AU cord, IN cord)

  • Intel® NUC11 Enthusiast Kit, NUC11PHKi7C, with Core™ i7, RTX 2060 (no cord, US cord, EU cord, UK cord, AU cord, CN cord)

  • Intel® NUC Kit, NUC10i5FNHN
  • Intel® NUC Kit, NUC10i3FNHN

  • Intel® NUC Board NUC7PJYBN

  • Intel® NUC 11 Enthusiast Mini PC, w/ Core™ i7, RTX 2060, Optane™ Mem H10 (32GB+512GB) Solid State Storage, 16G RAM, Windows® 10 (No cord, US Cord, EU Cord, CN cord)

  • Intel® NUC 8 Rugged Kit NUC8CCHKRN (All SKUs)
  • Intel® NUC 8 Rugged Board NUC8CCHBN (All SKUs)

  • Intel® NUC Kit – NUC10i7FNHN
  • Intel® NUC Kit – NUC10i7FNKN

  • Intel® NUC Kit – NUC7CJYHN (All SKUs)
  • Intel® NUC Kit – NUC7PJYHN (All SKUs)

  • Intel® NUC 9 Pro Kit – NUC9VXQNX
  • Intel® NUC 9 Pro Compute Element – NUC9VXQNB
  • Intel® NUC 9 Pro Compute Element – NUC9V7QNB

  • Intel® NUC 12 Pro Kit NUC12WSKi50Z
  • Intel® NUC 12 Pro Kit NUC12WSHi50Z
  • Intel® NUC 12 Pro Kit NUC12WSKi70Z
  • Intel® NUC 12 Pro Kit NUC12WSHi70Z

  • Intel® NUC 9 Extreme Kit – NUC9i5QNX
  • Intel® NUC 9 Extreme Kit – NUC9i7QNX
  • Intel® NUC 9 Extreme Kit – NUC9i9QNX

Want to learn more about replacing your Intel NUC with Nodegrid?

Ready to replace your Intel NUC with a Nodegrid alternative? Call ZPE Systems today at 1-844-4ZPE-SYS or contact us online.


The Biggest Ransomware Attack You Haven’t Heard of…Yet
https://zpesystems.com/the-biggest-ransomware-attack-you-havent-heard-of-yet/ (Thu, 06 Jul 2023)

The most successful ransomware attack ever is happening right now. See why isolated management infrastructure is the only way to save your organization.

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

MOVEit over SolarWinds — The largest and most successful ransomware attack ever recorded is happening. Right now. It’s attacking healthcare and financial institutions with high rates of success, and recently stole sensitive data of 4 million more healthcare patients. It uses something called CL0P ransomware, and the threat actor is a well-known criminal group with the name FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch, or even replace them. So, what exactly is going on?

The group responsible for the attack

FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).

FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Despite this, they’re currently attacking MOVEit, a well-known SaaS provider who relies on a file transfer appliance called the Accellion File Transfer Appliance (FTA). This legacy product remains unpatched, which has led to the breach of many Fortune 100 companies and state and federal agencies.

How did the ransomware attack start?

The ransomware attack began with several Accellion FTA customers, including those in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day Law, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.

Their only indication came after receiving a threatening email aimed at extortion.

In this email, the group threatened to publish stolen data on the “CL0P^_- LEAKS” .onion website, according to an investigation from Accellion. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) disseminating known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to the investigation, four zero-day security holes were exploited in the attacks:

  • CVE-2021-27101 – SQL injection via a crafted Host header
  • CVE-2021-27102 – OS command execution via a local web service call
  • CVE-2021-27103 – SSRF via a crafted POST request
  • CVE-2021-27104 – OS command execution via a crafted POST request

The published victim data appears to have been stolen using a web shell. Web shells give remote administrative access to the web server and create a jumping-off point for attacking the rest of the internal network. Mandiant, the well-known cyber investigation arm of Google, added, “The exfiltration activity has affected entities in a wide range of sectors and countries” (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.

However, the biggest problem is that these web shells give the attacker what researchers call “persistence”: the ability to remain in your network indefinitely and continue damaging and attacking your resources. Researchers call such attackers “APTs,” or Advanced Persistent Threats.
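One defensive check for the web-shell persistence described above, added here as an example rather than as part of the original article: take a cryptographic baseline of the web application’s files from a known-good state, keep that baseline off the host (for instance on the isolated management infrastructure the article goes on to describe), and periodically diff the live webroot against it. Files that appear or change, especially server-side executable types, are what a dropped web shell looks like. The file layout, file contents and the list of executable suffixes are constructed assumptions.

```python
"""File-integrity baseline for a web application root.

Added example, not part of the original article or any vendor's product.
It hashes every file under a webroot, stores the result as a baseline, and
later diffs the live tree against that baseline. New or changed server-side
files are reported separately because that is the shape a dropped web shell
takes. File layout, contents and the suffix list are constructed assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of server-side executable types for this webroot (adjust per stack).
WEB_EXEC_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative POSIX-style path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline, current):
    """Compare two snapshots; returns added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(diff):
    """Added or modified files with a server-side executable suffix: review these first."""
    return sorted(
        p for p in diff["added"] + diff["modified"]
        if Path(p).suffix.lower() in WEB_EXEC_SUFFIXES
    )


def demo():
    """Build a constructed webroot, baseline it, introduce drift, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "api").mkdir()
        (root / "static").mkdir()
        (root / "index.html").write_text("<html>constructed landing page</html>")
        (root / "api" / "upload.aspx").write_text("<%-- constructed legitimate handler --%>")
        (root / "static" / "app.js").write_text("console.log('v1');")
        baseline = snapshot(root)  # taken from the known-good state, stored off-host in practice

        # Constructed drift: a new server-side file, a changed handler, a changed static asset.
        (root / "api" / "health.aspx").write_text("<%-- constructed new file --%>")
        (root / "api" / "upload.aspx").write_text("<%-- constructed changed handler --%>")
        (root / "static" / "app.js").write_text("console.log('v2');")

        diff = diff_baseline(baseline, snapshot(root))
        return diff, suspicious(diff)


if __name__ == "__main__":
    drift, flagged = demo()
    print("drift:", drift)
    print("review first:", flagged)
```

This does not replace the vendor patch: it detects the persistence mechanism so the web shell can be removed and the host rebuilt, but the exploited vulnerability must still be closed. A baseline kept on the same host is not trustworthy once the web server account is compromised, which is why the comparison belongs on a separate, isolated management system.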

Why is the ransomware attack still going strong?

The ransomware attack is still going strong because there’s no patch available. According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Accellion’s appliance that is the backbone of a solution known as Progress Software’s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn’t cause or didn’t expect?

Patching is a good response. However, it takes an average of 205 days to patch a recently disclosed zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn’t automatic, nor can it be done quickly.

Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. But once you remove this access, how do you continue normal operations, and how can you easily bring the software/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.

CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of the CL0P CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.

The great news is, organizations can cover all their bases without having to reinvent the wheel. This approach is recommended in one of CISA’s recent directives, and gives organizations somewhat of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.

What approach does CISA recommend to address ransomware attacks?

CISA’s recent directive (23-02), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. This is a drop-in solution that the military, telcos, and hyperscalers/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach — which ZPE Systems has perfected in the last decade with the help of Big Tech — gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.

What is isolated management infrastructure?

Isolated management infrastructure consists of the hardware and software that create a management network that’s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.

Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.

In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.

Diagram: OOBI-LAN and OOBI-WAN layers of isolated management around the production infrastructure (ZPE Automation)

Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations. 

How can IMI stop the FIN11 ransomware attack?

In the ongoing FIN11 ransomware attack, Internet-facing applications are targets of the zero-day exploit. This means that no amount of security solutions can pre-mitigate the attack (i.e., there’s nothing you can do to stop it). This is where IMI shines.

Isolated Management Network diagram sitting beside production infrastructure

Remember the OOBI-LAN/OOBI-WAN diagram? Here’s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?

IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an Isolated Recovery Environment (IRE). This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems’ Nodegrid.

To combat the FIN11 attack, organizations don’t need to unplug cables or shut their devices off. They can instead deploy their IMI as the framework for closing the attack surface while maintaining access and critical data to aid in recovery.

Get the blueprint for isolated management infrastructure

Don’t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It’s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

IoT in Finance Industry and Security Challenges
https://zpesystems.com/iot-in-finance-industry-and-security-challenges-zs-2/ (Mon, 26 Jun 2023)

The Internet of Things (IoT) drives new innovations in the finance industry by empowering organizations to harvest more data, improve operational efficiency, and provide better customer service. However, adding dozens of low-touch devices to the network’s edge creates major security, privacy, and compliance challenges.

This post discusses how to take advantage of IoT in the finance industry by overcoming security challenges with automation, secure platforms, and vendor-neutral orchestration.

IoT in the Finance Industry: Security Challenges and Solutions

The challenge: Unpatched, out-of-date IoT devices are easier to compromise for harvesting sensitive data.

The solution: Automated patch management using vendor-neutral management platforms that can dig their hooks into multi-vendor IoT.

The challenge: Unsecured remote management interfaces can be used by cybercriminals to access IoT devices and data.

The solution: Secure management hardware and software protected by robust security features like self-encrypted disk (SED) and two-factor authentication (2FA).

The challenge: It’s difficult to enforce security and privacy policies on remote IoT devices that process regulated financial data at the edge of the network.

The solution: A vendor-neutral security orchestration platform that extends Zero Trust Security policies and controls to multi-vendor IoT at the edge.

The challenge: It’s difficult to troubleshoot and resolve security incidents involving remote IoT devices without expensive, time-consuming truck rolls.

The solution: Secure out-of-band (OOB) management solutions that integrate with (or even directly host) third-party automation and AIOps tools.

The challenge: A lot of complexity is involved in gaining holistic security coverage over a distributed, multi-vendor financial network without leaving any gaps.

The solution: A vendor-neutral platform that unifies security and network management for the entire architecture behind a single pane of glass.


IoT in the finance industry: security challenges and solutions

There were over 10.54 million global IoT cybersecurity attacks in December 2022 alone. In the finance industry, a breach can result in significant consequences, including regulatory fines and irreparable reputational damage, which means IoT security must be a top priority. Let’s discuss the specific security challenges of using IoT in the finance industry.

Challenge #1: Keeping IoT devices up-to-date

IoT typically uses low-touch, set-it-and-forget-it devices, so they’re deployed around the network’s edge and receive little interaction from operators or technical staff. For example, IoT devices collect sensitive financial data from ATMs, self-service payment kiosks, and smartphone applications with little-to-no human oversight. That makes it easy for network teams to forget about operating system (OS) and software updates, especially when dozens or thousands of IoT devices are in use.

In fact, a recent report found that teams wait an average of 205 days to patch their infrastructure. This is a frightening statistic given that out-of-date software is rife with vulnerabilities just waiting to be exploited by cybercriminals looking for valuable financial data.

Solution: Automated patch management

Automating patches is the best way to ensure they’re installed on time. For example, many IoT device management systems provide dashboards where admins can see IoT device versioning information at-a-glance, manually deploy or roll-back updates, or create automated schedules/triggers to deploy those updates without manual intervention. However, most of these platforms only work within specific vendor ecosystems, which limits your capabilities. The best practice is to use a vendor-neutral IoT device management platform that can dig its hooks into multi-vendor IoT devices. This will ensure that critical IoT devices like credit card payment readers are kept secure and up-to-date.
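To make the vendor-neutral approach concrete, here is an added Python example (not ZPE’s code and not any IoT vendor’s API) of the patch-age check such a platform runs before scheduling updates: it compares each device’s installed firmware against the newest release for its model, measures how long the device has been behind, and flags devices past a patch SLA as candidates for an automated update job. The vendors, models, versions, release dates and the 30-day SLA are constructed; a real deployment would populate the catalogue from vendor release feeds and the inventory from device discovery.

```python
"""Patch-age report across a multi-vendor IoT inventory.

Added example, not ZPE's or any vendor's code. It shows the check that a
vendor-neutral patch-management platform performs before scheduling updates:
compare each device's installed firmware with the newest release for its
model and measure how long the device has been behind. Vendors, models,
versions, dates and the 30-day SLA below are all constructed assumptions.
"""
from datetime import date

# Constructed catalogue: newest firmware per (vendor, model) and its release date.
CATALOG = {
    ("acme", "cam-200"): ("3.4.1", date(2023, 4, 12)),
    ("acme", "kiosk-7"): ("2.0.0", date(2023, 5, 30)),
    ("bolt", "atm-edge"): ("11.2", date(2023, 1, 3)),
}

# Constructed inventory as a vendor-neutral platform would hold it after discovery.
INVENTORY = [
    {"id": "cam-branch01", "vendor": "acme", "model": "cam-200", "version": "3.4.1"},
    {"id": "cam-branch02", "vendor": "acme", "model": "cam-200", "version": "3.2.0"},
    {"id": "kiosk-branch02", "vendor": "acme", "model": "kiosk-7", "version": "1.9.5"},
    {"id": "atm-island01", "vendor": "bolt", "model": "atm-edge", "version": "11.2"},
    {"id": "sensor-pilot", "vendor": "nova", "model": "t1", "version": "0.1"},
]

# Constructed reporting date used by the stand-alone run below.
REPORT_DATE = date(2023, 6, 26)


def version_tuple(version):
    """Turn a dotted numeric version into a comparable tuple (assumes numeric parts only)."""
    return tuple(int(part) for part in version.split("."))


def patch_report(inventory, catalog, today, sla_days=30):
    """Classify every device as current, pending, overdue or unknown.

    'unknown' means the platform has no release data for that model, which is
    itself a finding: the device cannot be kept patched automatically.
    """
    report = []
    for dev in inventory:
        key = (dev["vendor"], dev["model"])
        entry = {"id": dev["id"], "days_behind": None}
        if key not in catalog:
            entry["status"] = "unknown"
        else:
            latest, released = catalog[key]
            if version_tuple(dev["version"]) >= version_tuple(latest):
                entry["status"], entry["days_behind"] = "current", 0
            else:
                # Days since a newer release became available and was not applied.
                entry["days_behind"] = (today - released).days
                entry["status"] = "overdue" if entry["days_behind"] > sla_days else "pending"
        report.append(entry)
    return report


def overdue_ids(report):
    """Devices that breached the patch SLA, i.e. inputs for an automated update job."""
    return [e["id"] for e in report if e["status"] == "overdue"]


if __name__ == "__main__":
    for e in patch_report(INVENTORY, CATALOG, REPORT_DATE):
        print(f'{e["id"]:16} {e["status"]:8} {e["days_behind"]}')
```

“unknown” is deliberately a status rather than an omission: a device whose model has no release data cannot be kept patched automatically, which is exactly the gap a single-vendor tool leaves when the fleet is heterogeneous.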


A vendor-neutral IoT device management platform with automated patch management ensures that all devices are kept up-to-date and no vulnerabilities fall between the cracks.

Challenge #2: Securing remote management interfaces

Network admins typically work from a centralized location, which means they remotely access and manage IoT deployments at the branch and edge using jump boxes or serial consoles. If these remote management devices and interfaces aren’t adequately secured, malicious actors could use them to access IoT data and move laterally to other sensitive resources on the network. However, many admins deploy jump boxes without onboarding them with IT, which means they’re not added to security monitoring software and don’t have enterprise policies or controls applied. Serial consoles, on the other hand, often lack the advanced security features and integrations needed to protect them from cybercriminals.

Solution: Secure management hardware and software

The newest generation of serial consoles includes robust hardware security features and supports advanced authentication methods to safeguard remote management interfaces from compromise. A 3rd generation – or Gen 3 – serial console has onboard security features like a self-encrypted disk (SED), secure boot, BIOS protection, and geofencing, so malicious actors can’t access a stolen device. In addition, it supports SAML 2.0 authentication (via integrations with providers like Okta and Ping) and other advanced authentication methods to prevent unauthorized access to its software.


A Gen 3 serial console solution uses robust onboard security features and third-party security integrations to protect management hardware and interfaces.

Challenge #3: Complying with data privacy regulations

In a highly-regulated industry like finance, organizations must keep track of which people and devices can access sensitive data and ensure that permissions are granted on a least-privilege basis. Typically, achieving this level of granular control requires applying strict Zero Trust Security policies to every device and user accessing the network, including IoT devices at the edge. However, extending enterprise security policies and controls to the edge is difficult in a distributed, heterogeneous environment due to vendor lock-in.

For example, some branch networking solutions don’t support integrations with third-party identity management tools, forcing you to use their built-in access management settings. That means admins must manually recreate their Zero Trust data access policies in the router settings at every single branch and ensure they’re kept up-to-date.

Solution: Vendor-neutral Zero Trust Security orchestration

A centralized Zero Trust Security orchestration platform allows admins to deploy and manage security policies and controls across the network from a single place. A vendor-neutral platform can extend policy enforcement and other vital security controls to any device or application on the network. For example, you can apply the same Zero Trust data policies to all branch routers in the entire architecture to ensure consistent enforcement. Such a platform makes compliance easier because financial organizations gain greater control over data access privileges and monitoring for IoT devices deployed anywhere in the world.


A vendor-neutral Zero Trust Security orchestration platform simplifies IoT data compliance by providing a centralized control panel to deploy and manage security policies across the entire distributed network architecture.
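The practical check behind this section is whether every branch actually enforces the central least-privilege policy, or whether hand-recreated settings have drifted. The following is an added example, not ZPE Systems or Nodegrid code: it models a central policy and each branch's effective policy as sets of (principal, resource, action) grants and reports, per branch, which grants are over-privileged (present locally, not allowed centrally) and which are missing (required centrally, absent locally). The branch names, principals, resources and the three sample policies are constructed for illustration.

```python
"""Zero Trust policy drift check across branch IoT gateways.

Added example, not ZPE Systems / Nodegrid code. It models the problem in
the text: a central least-privilege policy versus the access settings
each branch actually enforces. Policies are sets of (principal, resource,
action) grants; the branch names, principals and resources below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

Grant = tuple[str, str, str]  # (principal, resource, action)


@dataclass(frozen=True)
class DriftReport:
    branch: str
    over_privileged: frozenset[Grant]  # enforced locally but not allowed centrally
    missing: frozenset[Grant]          # required centrally but absent locally

    @property
    def compliant(self) -> bool:
        return not self.over_privileged and not self.missing


def policy_drift(central: set[Grant], branches: dict[str, set[Grant]]) -> list[DriftReport]:
    """Compare every branch's effective grants against the central policy."""
    return [
        DriftReport(
            branch=name,
            over_privileged=frozenset(local - central),
            missing=frozenset(central - local),
        )
        for name, local in sorted(branches.items())
    ]


def non_compliant_branches(reports: list[DriftReport]) -> list[str]:
    """Branches whose effective policy differs from the central one in any way."""
    return [r.branch for r in reports if not r.compliant]


def sensitive_exposure(reports: list[DriftReport], sensitive: set[str]) -> dict[str, set[Grant]]:
    """Over-privileged grants that touch regulated data: fix these first.

    A stale write grant on sensitive data is the kind of finding an auditor
    will ask about, so it is separated from generic drift.
    """
    exposure: dict[str, set[Grant]] = {}
    for r in reports:
        hits = {g for g in r.over_privileged if g[1] in sensitive}
        if hits:
            exposure[r.branch] = hits
    return exposure


# Constructed sample data: the central policy and three branches.
CENTRAL_POLICY: set[Grant] = {
    ("atm-telemetry-svc", "atm-sensor-data", "read"),
    ("branch-soc", "atm-sensor-data", "read"),
    ("branch-soc", "cctv-feed", "read"),
    ("camera-fw-updater", "cctv-firmware", "write"),
}
SENSITIVE_RESOURCES = {"atm-sensor-data", "cctv-feed"}

BRANCHES: dict[str, set[Grant]] = {
    # Kept in sync with the central policy.
    "branch-017": set(CENTRAL_POLICY),
    # Never updated after the central policy was tightened: two stale grants remain.
    "branch-042": CENTRAL_POLICY | {
        ("branch-ops", "atm-sensor-data", "write"),
        ("legacy-vendor", "cctv-feed", "read"),
    },
    # Recreated by hand and one rule was forgotten: firmware updates now fail.
    "branch-108": CENTRAL_POLICY - {("camera-fw-updater", "cctv-firmware", "write")},
}


if __name__ == "__main__":
    reports = policy_drift(CENTRAL_POLICY, BRANCHES)
    for r in reports:
        status = "OK   " if r.compliant else "DRIFT"
        print(f"{status} {r.branch}: +{len(r.over_privileged)} extra, -{len(r.missing)} missing")
    for branch, grants in sensitive_exposure(reports, SENSITIVE_RESOURCES).items():
        print(f"  {branch} exposes sensitive data via: {sorted(grants)}")
```

Run as-is it flags branch-042 (two stale grants, both on sensitive resources) and branch-108 (a required grant missing, which is an availability and patching problem rather than an exposure). In practice the per-branch sets would be pulled from each device's effective configuration by whatever orchestration platform is in use; the comparison itself is what makes "the same policy everywhere" verifiable instead of assumed.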

Challenge #4: Quickly resolving IoT security incidents

When malicious actors compromise an IoT device, financial organizations must act quickly to avoid regulatory fines and reputational damage. However, these devices are often deployed in remote, hard-to-reach locations with no technical or security staff nearby, such as in rural or island communities. That means problems require an expensive, time-consuming truck roll to resolve. Even with a team on-site, manual root cause analysis (RCA) and recovery efforts take a lot of time and effort, increasing both the duration and the expense of incidents.

Solution: Secure OOB with automation and AIOps support

The solution to this IoT security challenge involves out-of-band serial consoles and automation.

  • Out-of-band (OOB) serial consoles create a dedicated control plane to manage, troubleshoot, and recover remote devices and infrastructure. Admins access this control plane via alternative network interfaces that don’t rely on the production network at all. This means teams can still reach remote IoT devices even if the ISP goes down or the LAN is compromised by ransomware. The best practice is to use a Gen 3 serial console with advanced security features, as discussed above.
  • Automation and AIOps streamline the incident resolution process by automating RCA and recovery workflows. A Gen 3 OOB serial console solution can integrate or even directly host third-party automation and AIOps tools, ensuring teams always have remote access to their recovery toolkit during an outage or breach.


A secure, Gen 3 OOB serial console ensures 24/7 remote access to edge IoT deployments and supports automation and AIOps for faster security incident resolution.

Challenge #5: Gaining holistic security coverage

A distributed financial services network with many branches, ATMs, edge sites, and IoT devices has a large attack surface, so it requires several different security solutions to cover all potential vulnerabilities. Gaining complete security coverage over every IoT device in every location means deploying many appliances, each of which needs to be installed, patched, and managed, adding a lot of complexity to network and security operations and further increasing the attack surface. The need to orchestrate so many moving pieces increases the risk that security teams will make mistakes and prevents organizations from operating efficiently.

Solution: Unified, vendor-neutral security orchestration

A vendor-neutral security orchestration platform unifies a company's security solutions and workflows under a single management umbrella. For example, the Nodegrid platform from ZPE Systems can integrate with other vendors' security appliances and virtual solutions, giving security analysts a holistic overview of the entire architecture from a single centralized portal. Teams can use Nodegrid to orchestrate firewalls, identity and access management (IAM), patches, secure access service edge (SASE), and more.

Nodegrid’s hardware can even directly host third-party security applications for a streamlined, consolidated branch deployment. You can use the Nodegrid platform to build a complete DCIM (data center infrastructure management), network management, and automation orchestration solution, streamlining operations with a truly unified experience.

A vendor-neutral security orchestration platform provides holistic security coverage while reducing complexity, which prevents human error and increases operational efficiency.

IoT in the finance industry and security challenges

Deploying IoT in the finance industry comes with security challenges, including patch management, unsecured management interfaces, policy enforcement, incident resolution, and complexity. The Nodegrid platform provides finance industry solutions to help you overcome each of these challenges, including:

  • A truly vendor-neutral platform that unifies security, network, and infrastructure management behind a single pane of glass for holistic coverage.

Ready to Learn More?

To learn more about deploying IoT in the finance industry and overcoming security challenges with Nodegrid, contact ZPE Systems.


The post IoT in Finance Industry and Security Challenges appeared first on ZPE Systems.
