Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for August 2016

#Oktane16: CSO Panel Discusses Cloud & Mobile Security

#Oktane16: CSO Panel Discusses Cloud & Mobile Security

In a world of constant innovation, shifts to the cloud and mobile infrastructures are now an every-day reality for companies everywhere, but with threats of cyber-attacks an ever-present risk looming over enterprises of all sizes, there’s never been more pressure on businesses to implement good cloud and mobile security.

This was the topic of discussion in a recent panel at Oktane16 in Las Vegas, featuring an impressive line-up of security leaders from some of the industry’s most prestigious companies.

Kicking things off, panel host and Okta chief security officer David Baker asked how organizations should tackle the risks surrounding decentralization and BYOD within the work place.

“There’s no silver bullet,” said Craig Rosen, AppDynamics, “we know that data is moving into the application stack, we also know the user experience is now a lot better thanks to mobile apps. I think it can be done with constraints, but I’m not one to say that everybody should be allowed to do everything they want to do, there has to be some level of checks and balances.”

Dropbox’s Patrick Heim shared a similar view, adding that companies need to separate decentralization from mobility to gain an understanding of the broader risks.

“It’s about figuring out a way of not suppressing it – you have to put guard rails around it – but to try and make it safe, don’t squash it. Implement security technologies and polices that are rational and risk-based, and try to make it safe,” he added.

So, what are the real risks of the public cloud? asked Baker.

Josh Feinblum from Rapid7 explained that, in his view, the risks come with consolidating everything into one place.

“There’s no inherent risk with using the public cloud,” argued Slack’s Geoff Belknap, “it comes from approaching it with the mindset that it’s a direct replacement for the data center. If you approach public cloud as if it’s the same as your data center, you will make mistakes. If you approach it thoughtfully and think about authentication, about how you manage change and how it’s different, I think you will find a lot of the simple mistakes you can make can be addressed by automation.”

For Heim, the risks still boil down to bad authentication, chiefly in the form of poor password use.

“That’s what it comes down to, people get distracted by a long list of potential risks but the number one issue has to do with people using the same password across multiple sites, and that leads to compromises of accounts.”

To conclude, Baker asked the panelists what they see as their biggest challenge at the moment.

The main challenge is finding people with the right type of skill sets to understand and translate vulnerabilities within the company, said Rosen.

“A lot of the time we do get ‘heads down’ and technical. We have to work a lot more to educate in that discipline to translate things, because that’s critical.”

For Heim, it's pinpointing what the right vulnerabilities are.

“There’s so much noise, there are so many vulnerabilities to chase around and distractions coming from management.  It’s maintaining the prioritization of what are really and truly the risks the company is facing, how do I know we are asking the right questions to uncover those, how do I know I have the right resources assigned. Most importantly, how do ignore everything below a certain line,” he added.

Source: Information Security Magazine

Rising Use of Encryption Gives Malware a Perfect Place to Hide

Rising Use of Encryption Gives Malware a Perfect Place to Hide

Nearly half of cyber-attacks this year have used malware hidden in encrypted traffic to evade detection.

In an ironic twist, A10 Networks has announced the results of an international study with the Ponemon Institute, revealing that the risk to financial services, healthcare and other industries stems from growing reliance on encryption technology.

A growing number of organizations are turning to encryption to keep their network data safe. But SSL encryption not only hides data traffic from would-be hackers, but also from common security tools. The encryption technology that is crucial to protecting sensitive data in transit, such as web transactions, emails and mobile apps, can also allow malware hiding inside that encrypted traffic to pass uninspected through an organization’s security framework.

At the same time, a full 80% of organizations do not inspect their SSL traffic, making it even easier for hackers to bypass existing defenses by using SSL-encrypted traffic to hide their attacks. For many security managers, the costs of inspecting this rising tide of encrypted traffic outweigh the benefits.

Almost half of respondents (47%) cited a lack of enabling security tools as the primary reason for not inspecting decrypted web traffic—closely followed by insufficient resources and degradation of network performance (both 45%). Yet 80% of survey respondents say their organizations have been victims of a cyberattack or malicious insider during the past year. And nearly half say that the attackers used encryption to evade detection.

Overall, roughly two-thirds admit that their company is unprepared to detect malicious SSL traffic, even though 50% of malware hides there. Moreover, the threat is expected to get worse as the volume of encrypted data traffic continues to grow.

“IT decision makers need to think more strategically,” said Chase Cunningham, director of cyber operations at A10 Networks. “The bad guys are looking for ROI just like the good guys, and they don’t want to work too hard to get it. Instead of focusing on doing everything right 100% of the time, IT leaders can be more effective by doing a few things very strategically with the best technology available. It’s the cybersecurity equivalent of the zombie marathon—as long as you can avoid being the slowest in outrunning the zombies, you minimize risk.”

Other results included that the fact that only 42% of inbound web traffic and 32% of outbound traffic is encrypted; and of the public-sector organizations that had been attacked in the last 12 months, 43% believed those attacks used encryption to evade detection. Three-quarters (75%) of IT experts surveyed admit malware could steal employee credentials from their networks.

Photo © dencg

Source: Information Security Magazine

US Senators Urge Obama to Address Financial Cyber-risk at G20

US Senators Urge Obama to Address Financial Cyber-risk at G20

US senators are urging President Obama to address the topic of cybersecurity at the upcoming Group of 20 Summit in China.

Sherrod Brown of Ohio, a senior Democrat on the Senate Banking Committee, Gary Peters (D-Mich.) and four other Democratic senators say they want a commitment to a "coordinated strategy to combat cyber-crime at critical financial institutions,” according to a letter obtained by Reuters.

The concern stems from the recent attacks using SWIFT, the secure messaging service that banks use to transfer money around the world. Earlier this year, banks fell for various bogus requests for nearly $1 billion from Bangladesh's central bank and an account held at the Federal Reserve Bank of New York; in the end, the industry was left reeling from the theft of $81 million, funneled to shadowy casinos in the Philippines for laundering. There have been other SWIFT-based attacks as well, in Vietnam and in Ecuador, according to reports.

The letter, sent to the White House ahead of the Sept. 4-5 summit, added, "Our financial institutions are connected in order to facilitate global commerce, but cyber criminals—whether independent or state-sponsored—imperil this international system in a way few threats have.”

"We strongly urge you to work with your counterparts and prioritize this discussion at the G20 leaders level in September," it said of the summit to be held in Hangzhou, China, adding that "executive leadership circles across the globe" needed to pay more attention to the risks.

Ineffective third-party cyber-risk management is at the heart of the matter, one industry-watcher says.

“While cybercrime definitely merits discussion at the G20 Summit, what can’t get lost is the impetus for the discussion—the SWIFT attack—was a failure in third-party cyber risk management,” Fred Kneip, CEO, CyberGRX, told Infosecurity. “Collaboration and information-sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats posed by cybercriminals. It only takes one vulnerability for increasingly sophisticated attackers to gain access and ride in on a trusted connection, so the G20 discussion needs to include how to effectively share information about third-party cyber risk, including preventing risk from the extended enterprise—outsourcers, customers, vendors, service providers and affiliates.”

Photo © ID1974/Shutterstock.com

Source: Information Security Magazine

Researcher: It's Official, 69 Million Dropbox Accounts Leaked

Researcher: It's Official, 69 Million Dropbox Accounts Leaked

Just days after forcing mandatory password resets for some users, it has come to light that Dropbox was indeed breached, with almost 69 million accounts made public, according to independent analysis.

Earlier reports and rumors whispered that more than 60 million usernames and passwords were stolen directly from Dropbox by hackers in 2012—but the online file-sharing service has insisted that no breach occurred. Compromises of accounts that happened back then were a result of password re-use, the company said, and of hackers brute-forcing the accounts using passwords from other breached services, like LinkedIn or MySpace.

In other words, the blame rested squarely with users’ poor password hygiene.

Now though, independent security white hat Troy Hunt, the force behind the Have I Been Pwned? searchable database of compromised data, said that he’s verified that a large, wide-ranging attack began in mid-2012, resulting in the heist and leaking of 68,648,009 Dropbox account credentials online.

Hunt verified the breach using a known Dropbox account (his wife’s). She uses a password manager and had a strong, random, 20-character password that was unique to the service. A quick matching and hashing process revealed that password to be available online.

“This isn’t ‘cracking’ in the traditional sense because I'm not trying to guess what her password was, rather it's a confirmation that her record in Dropbox is the hash of her very strong, very unique never-used-anywhere-else password,” he explained in a post. “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing.”

A few days ago, Dropbox emailed those that had been using its service since at least 2012 to notify them of a mandatory password reset, as “a preventative measure.” Half of the account passwords were secured by bcrypt and are unlikely to be easily cracked, but others were secured by the outdated and brute-force-ready SHA-1.

“[My wife’s] password was never going to be cracked,” said Hunt. “Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public.”

Hunt congratulated the service on being proactive, and other researchers concur. "Dropbox began taking proactive action to protect their users nearly a week before information about this leak became public,” Josh Feinblum, vice president of information security at Rapid7, said via email. “Their customer-first approach was refreshing and likely mitigated a great deal of risk to their users. Their response to a challenging event is a great model for other cloud companies to follow if faced with a similar situation. It's our belief that the open dialogue about security that companies like Dropbox are promoting about risk, mitigation, and action will help to strengthen the security and technology communities."

Ed Macnair, CEO at CensorNet, added that the incident should be a warning to those that use online services to take precautions, like enabling two-factor authentication.

"What’s concerning about this breach is the fact that Dropbox is a prime candidate for shadow IT,” he said in an emailed note. “Need to finish an urgent piece of work at home? Just upload it to Dropbox and you’re set—no need to tell IT. While there’s some clear benefits to letting employees do this, there are also some major drawbacks—60 million account details somewhere on the internet being one.”

Photo © 360b/Shutterstock.com

Source: Information Security Magazine

Reported UK Data Breaches Soar 88% in a Year

Reported UK Data Breaches Soar 88% in a Year

The volume of data breach incidents reported to the Information Commissioner’s Office (ICO) has almost doubled in the space of a year, according to a new Freedom of Information (FoI) request.

The figure rose from 1,089 in the period April 2014-March 2015 to 2,048 in virtually the same period a year later, according to Huntsman Security.

Health, local government and education were the worst performing sectors in terms of the volume of breaches disclosed, accounting for 64% of the total in 2015-16.

However, financial organizations were the worst hit by ICO fines. Despite accounting for fewer than 6% of incidents they were on the receiving end of 33% of the watchdog’s financial penalties during the period, which hints at the severity of these breaches.

In three-quarters of the total number of cases, no action was taken by the ICO, either suggesting that the incidents themselves were fairly innocuous or that the watchdog needs to grow some sharper teeth.

It’s believed that incoming commissioner Elizabeth Denham may be less forgiving of organizations in this regard than her predecessor.

Data disclosed in error accounted for the vast majority of reported breaches (67%), followed by security incidents (30%).

However, there are signs that some organizations are still failing to report all of the breaches that occur on their watch – whether that’s deliberate or a result of poor technology and processes combined with an overwhelming volume of security incidents to deal with.

UK utilities firms reported just two breaches over an entire year, for example, despite representing a high risk target.

“The most likely reason for the ICO not being notified of breaches is that organizations simply aren’t aware of them; after all, it’s still very easy for an issue to remain unknown for weeks or even months before it’s noticed,” Huntsman Security head of product management, Piers Wilson, told Infosecurity.

“At the same time, any organization purposefully keeping breaches secret would have to balance any short-term benefit against the ultimate cost, in terms of reputation, share price and loyalty, of being found out. Of course, the ultimate proof will be when the GDPR, or similar legislation, comes into effect. A consistent, sharp increase in reported breaches could tell its own story.”

Source: Information Security Magazine

#Oktane16: Innovation Needs More than an Idea, it Needs an Attitude

#Oktane16: Innovation Needs More than an Idea, it Needs an Attitude

Innovation needs more than a brilliant idea, concept or technology, it needs a certain attitude that can convince others and overcome criticism.

These were the words of author Malcolm Gladwell, keynote speaker at Oktane16 in Las Vegas this week.

Innovation and forward-thinking are at the vanguard of progression and evolution in the cybersecurity world. Whilst, by his own addition, Gladwell is no tech expert, he believes that there are a set of key qualities an individual needs to be a successful innovator and bring about change in any arena.

Highlighting his argument with reference to a doctor who, in the 1950s, brought about revolutionary change in the treatment of childhood leukemia in the face of public scrutiny, Gladwell explained that in innovation social risk taking is just as important as operational risk taking, citing three main aspects.

“The first is urgency,” he said. “If you look at successful innovators you see an attitude of urgency again and again; to do something NOW.”

The second, continued Gladwell, is disagreeableness – not needing the approval of others to do what you think is right:

“You must be tough enough to stand up to all the naysayers and critics who tell you what you’re doing is a mistake.”

“We are wired as human beings to seek out the approval of those around us; the easiest thing in the world is to be an innovator when the wind is at your back and the public doesn’t mind. The hardest thing is to be an innovator when everyone else around you is saying what you’re doing is crazy.”

Lastly, the simplest but the most important, is to have a volatility mind-set – don’t believe in the status quo and don’t expect the world to look the same in the morning as it did last night.

“The truth is, there is no continuity, there is no stability in the way people behave or in the things that we know or the way things play out.”

To close, Gladwell said:

“Innovators discover something they think is right, and nothing will stop them following through with that – if you want to make the world a better place, I think that’s the attitude to have.”

Source: Information Security Magazine

#Oktane16: Okta’s New Offering Securely Connects Apps & Services to Any API

#Oktane16: Okta’s New Offering Securely Connects Apps & Services to Any API

Today, at Oktane16 in Las Vegas, Okta announced the launch of its new identity-driven API access management product, which secures APIs for businesses that are building products, sharing data with partners and enabling third-party developer ecosystems.

Okta API Access Management will, for the first time, allow IT leaders and developers to centrally maintain one identity and one set of permissions for any employee, customer or partner, across every point of access. Unlike legacy point solutions, this will be managed based on the user, and fully integrated with The Okta Identity Cloud.

“This is a huge step forward for our company and ecosystem. It opens a whole new realm of possibilities. This is an entirely new world for us,” said keynote speaker Todd McKinnon, CEO at Okta.

Speaking to Infosecurity at the event David Baker, Okta’s chief security officer, explained that API management systems are now very important tools for organizations as they accelerate the ability to go to market.

“It allows a company to have fewer people, to move a lot faster and to reach scale much, much quicker; that’s important because that’s how technology is changing,” he said.

Pitney Bowes is a global technology company that uses Okta’s new offering to secure its Pitney Bowes Commerce Cloud.

“Okta has a different focus on the business to consumer relationship, they show an understanding and depth which is important,” said James Fairweather, senior vice-president of technology at Pitney Bowes, who joined McKinnon on stage.

“Okta gives us an unprecedented level of agility, connecting all our digital experiences for the foreseeable future. There’s just one customer identity to manage, and that’s the beauty of it,” he added.

Source: Information Security Magazine

#Oktane16: Okta Forms New Partnership with Google

#Oktane16: Okta Forms New Partnership with Google

Speaking at the opening of Oktane16 in Las Vegas Okta CEO Todd McKinnon announced the firm’s new, strategic partnership with web giant Google.

The aim of the partnership is to help enterprises and their people accelerate their digital transformation to a multi-cloud, mobile centric architecture, allowing them to securely deploy and manage ‘best of breed’ applications such as Google Apps. Enterprises will be able to leverage The Okta Identity Cloud to connect to complex, legacy, on-premises technology and manage the identity lifecycle.

“Innovation is positive change that drives your business forward; it’s a defining characteristic of our age – new technology represents new opportunities for change,” said McKinnon.

“Every business is trying to close the innovation gap between what is technically and realistically possible, so they don’t get ‘Ubered’. Enterprises want to leverage Google’s best-in-breed applications and multi-cloud infrastructure to get their best work done,” he added.

The collaboration with Google will make it easy for customers in the large enterprise segment to securely bring on Google Apps so businesses can spend their time innovating instead of securing complex deployments.

Joining McKinnon on stage Diane Greene, senior vice-president for Google’s cloud business, explained that technology is advancing at an ever-increasing speed, thus enterprises want to work with innovators in order to take full advantage.

“Everybody is suddenly moving to the cloud; people realize that the cloud is the most secure place to be. Nobody can afford not to be in the most secure place,” she said

“Working with Okta as our preferred identity partner for Google Apps deployments in the enterprise, we’ll provide organizations with an easy, secure path to transformation, bringing on the Google enterprise infrastructure, applications and devices they need to succeed.”

The partnership sees Okta build on existing partnerships with Google for Work and Android for
Work.

Source: Information Security Magazine

Google Signs on for US-EU Privacy Shield

Google Signs on for US-EU Privacy Shield

Google has become the latest American tech giant to sign on to the US-EU Privacy Shield.

"We are committed to applying the protections of the Privacy Shield to personal data transferred between Europe and the United States,” Google’s Caroline Atkinson, head of Global Public Policy, noted in a blog. “As a company operating on both sides of the Atlantic, we welcome the legal certainty the Privacy Shield brings. Restoring trust—in international data flows and in the Transatlantic Digital Agenda—is crucial to continued growth in the digital economy.”

Microsoft, Salesforce.com and Workday got on board with the joint initiative between the US Department of Commerce and European Commission earlier this month.

The framework is the result of a court-ruled invalidation last year of the Safe Harbor agreements previously in place—and an effort to standardize protections around transatlantic data flows. Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. The US is considered to be one such country. To overcome this commercial difficulty, the two sides had developed the Safe Harbor agreement: Provided that the US company concerned agrees to abide by certain privacy guarantees, it was able to receive personal data from EU sources.

But the Edward Snowden revelations on the NSA Prism surveillance program prompted many European politicians and private citizens to question whether the Safe Harbor arrangement was actually compatible with EU privacy dictates. And so, after being in place for 15 years, it was declared to be invalid in October 2015, with Privacy Shield agreed upon in February 2016 and approved in July.

Privacy Shield will see the US create an ombudsman position within the State Department to field complaints from EU citizens about US spying, and prevents indiscriminate mass surveillance of Europeans' data. The idea is to ensure that the $250 billion dollars of transatlantic trade in digital services can continue unhindered, by wrapping assurances from the US about the handling of cross-border data transfers. It also provides for enforcement actions.

Photo © Gil C/Shutterstock.com

Source: Information Security Magazine

Orgs' Security Hygiene Plummets Amid Ransomware Spikes

Orgs' Security Hygiene Plummets Amid Ransomware Spikes

Despite the rise of social engineering-based scourges like ransomware, just 39% of workers believe they take all appropriate steps to protect company data accessed and used in the course of their jobs.

This is a sharp decline in security hygiene, down from 56% in 2014, according to a survey from the Ponemon Institute.

Moreover, while 52% of IT respondents believe that policies against the misuse or unauthorized access to company data are being enforced and followed, only 35% of end-user respondents say their organizations strictly enforce those policies.

Yaki Faitelson, co-founder and CEO of survey sponsor Varonis Systems, noted, “Human error will always be a weak link in security. Insiders compromise security maliciously or accidentally and outside attackers continue to hijack the credentials and systems of employees, administrators, contractors, and executives. The only way to stem this tide is to implement controls on data access, monitor all activity and implement the most advanced user behavior analytics and alerting technologies throughout the organization.”  

A previous report from Ponemon found a sharp rise in the loss or theft of data, an increase in the percentage of employees with access to sensitive data, and the belief among participants that insider negligence is now the No. 1 concern for organizations trying to prevent these losses.

In the new survey, when asked about the most likely causes of the compromise of insider accounts, 50% of IT practitioners and 58% of end users say negligent insiders. “Insiders who are negligent” was by far the most frequent response for both IT and end users, more than twice as common as “external attackers” and more than three times as common as “malicious employees.”

End users are also far more likely to attribute data breaches to insider mistakes than IT or security professionals. Seventy-three percent of end users say data breaches are very frequently or frequently due to insider mistakes, negligence or malice, while only 46% of IT respondents draw the same conclusions.

Yet in an indication of where logical thinking breaks down when it comes to security attitudes, the new data also reveals that this awareness isn’t translating into action. About 61% of respondents who work in IT or security roles view the protection of critical company information as a very high or high priority—but just 38% of respondents who are considered end users of this data believe the same. When asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35% of end users agreed, while 53% of IT professionals believe it is a top priority for senior executives.

Asked about their organization’s attitude on productivity vs. security, 38% of IT practitioners and 48% of end users say their organizations would accept more risk to the security of their corporate data in order to maintain productivity.

"At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes,” said Larry Ponemon, chairman and founder of Ponemon Institute. “If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration.”

Photo © Oakochan

Source: Information Security Magazine