Archive for February 2017

#RSAC: IT Pros Lack Confidence in Corporate Security

A startling number of IT professionals at this week’s RSA conference lack confidence in their own organization’s corporate security.

Centrify’s onsite survey of attendees to North America’s largest security confab asked how their companies secure applications and infrastructure in the age of access. Only slightly more than half (55%) stated they believe their company’s current technology investment ensures their company’s cybersecurity.

When pressed about which of the 15 different identity and access management (IAM) best practices they use, many fell short on implementing enough of them to warrant a confidence score.

Among those best practices, organizations are most likely to enforce single sign-on (68%), adaptive multi-factor authentication (43%), least privileged access (44%), no sharing of privileged accounts (36%) and secure remote access without a VPN (35%).

Organizations are least likely to enforce privileged session recording (13%), granular automatic deprovisioning across server and app accounts (12%), and privilege elevation management (8%).

Depending on the IAM best practices employed, respondents received an IAM maturity score—with level one being the least mature and level four being the most mature. Only 20% of respondents received a level four IAM maturity score, meaning they conduct audits with confidence.

IAM maturity translates into real results: A recent Forrester study commissioned by Centrify showed that those with the highest maturity levels are 50% less likely to experience a breach and more likely to spend 40% less on technology. The other 80% received a lower IAM maturity score, meaning they are much more likely to experience two times more breaches and $5 million more in costs.

“The lack of confidence in corporate cybersecurity directly correlates to most organizations having a low maturity score,” said Bill Mann, chief product officer, Centrify. “Our on-the-ground survey at RSA reinforces the study we recently commissioned with Forrester Consulting, and further validates that 80% of organizations really need to employ better IAM practices to stop the breaches now.”

Additionally, the survey found 26% of respondents still share passwords, despite an increase in breaches, and 78% have been the victim of a phishing email.

Source: Information Security Magazine

#RSAC: Maximizing Security Beyond Next Gen

Speaking at RSA Conference 2017, Wendy Moore, director of user protection at Trend Micro, presented a session on going beyond next gen to deliver security with maximum impact.

Moore said that there are key things that companies can look for in security solutions that can help them protect not only what they have today but also help them and support them as they change their IT philosophy moving forward.

“The modern enterprise is categorized by always trying to be more competitive in the market, more global in nature and trying to do things more rapidly. There’s been a lot of paradigm shifts when it comes to IT. Right now we are undergoing multiple paradigm shifts, and they are all happening at the same time, and what that’s doing is it’s creating a lot of difficulty for the IT manager/organization to get their arms around their most important information.”

We’re seeing shifts to the cloud, added Moore, and shifts to more virtualized server workloads, and more mobile devices – all of these changes are happening very quickly. 

As we move along with that, she said, security needs to think about how it will protect corporate information as we move to all of these new IT models.

“Gone are the days when you could have a secure perimeter around your organization,” Moore argued. “There are three key things that are happening that are making that perimeter go away, become more porous and really making perimeter security defenses not a strong way to do things”, which are:

  1. Cloud virtualization
  2. Complex networks
  3. Consumerization

In terms of moving beyond next gen security, we hear a lot about having a silver bullet that will help you solve all of your security needs, said Moore. However, in reality, there are a lot of things you need to look for in order to get a solution that will actually evolve with your organization and your IT delivery models.

First, you need a solution that is smart: a cross-generational blend of threat defense techniques.

Second is a solution that is optimized: designed for and integrated with leading platforms and applications.

Third is a solution that is connected: allowing for centralized visibility and control and automatic sharing of threat intelligence.

“Things have very much changed,” she added, “now the problem of unknown threats is what organizations are really struggling to deal with.”

To conclude, Moore highlighted the following as the next steps that companies need to take to maximize their security beyond next gen:

  • Evaluate if you are using everything your existing solutions have to offer
  • Identify gaps in each key domain: hybrid cloud, network and endpoint
  • Look for solutions that:
      1. Continue to evolve threat protection techniques to address new threats
      2. Cover the entire threat protection lifecycle: protect, detect and respond
      3. Share threat intelligence amongst security layers

Source: Information Security Magazine

Trend Micro CTO Calls for EU Smart Device Security Standards

Trend Micro has warned that countless European organizations are under threat of attack because unsecured IoT devices, databases, servers and industrial control systems may be publicly searchable from the internet.

In its US Cities Exposed study released at RSA Conference yesterday, the firm claimed that millions of such systems are searchable via Shodan, putting organizations in all sectors as well as individuals at risk.

This means hackers could easily look for vulnerabilities or craft targeted attacks designed to compromise things like firewalls, webcams, network-attached storage (NAS) devices, routers, printers, phones, media players, web and email servers, databases and wireless access points.

NAS devices and databases could contain highly sensitive corporate IP and customer data; industrial control systems offer an opportunity to sabotage key equipment; and compromised smart devices have already been used in serious DDoS attacks by the Mirai botherders, Trend Micro global CTO Raimund Genes argued.

The problem is not just US-based but a global one, which means organizations in Europe also need to be aware that any exposed system represents an incursion point for attackers into the corporate network, he added.

IT teams can help to mitigate the risks via things like network segmentation, tighter access controls, log analysis, data encryption, incident response and threat intelligence, said Trend Micro.

But Genes also called on European policymakers to develop and enforce smart device security standards in the region.

“Products without a baseline of adequate security simply shouldn’t be allowed to be sold here. Politicians and regulators should wise-up to the scale of the threat we’re facing, and design something akin to the 'CE mark' – a seal of quality for internet-connected products,” he argued in a blog post.

Genes warned that although it will improve data protection standards, the coming European GDPR doesn’t address the threat posed by smart devices exposed to the public internet.

“Until there’s blood on the streets nothing will happen. But this is a major issue,” he concluded.

Source: Information Security Magazine

#RSAC: Hacking Blockchain

Speaking at RSA Conference 2017, Konstantinos Karagiannis, chief technology officer, Security Consulting, BT Americas, said that the internet evolved without security in mind, and now we’re paying the price. However, with nascent blockchain technology, we have the opportunity to get security right through a proactive, deliberate approach.

Blockchain is a technology through which parties exchange data that gets lumped into a block of what Karagiannis explained as “transactions that are computationally impractical to reverse.” That block is identified with a hash which refers logically to the block before it, thus the chain. If a new block is validated by “miners”, it is added to the majority chain, but if an altered block is submitted, the hash gets changed and everything else is rejected. This model is designed to make transactions transparent and trustworthy. 
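The hash linking described above can be shown with a small validator. This is an added example, not code from the talk or the article: the block layout, the three-hex-zero difficulty and the sample transactions are constructed assumptions. It shows that an edited block fails its own hash check, and that re-mining only the edited block breaks the link held by the next block.

```python
import copy
import hashlib
import json

DIFFICULTY = 3           # constructed: required leading hex zeros in a block hash
GENESIS_PREV = "0" * 64  # constructed: placeholder "previous hash" for block 0

# Constructed sample transactions, one list per block.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]


def block_hash(block):
    """Hash every field except the stored hash itself."""
    fields = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def mine(index, prev_hash, transactions):
    """Search for a nonce whose block hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches):
    """Mine one block per batch, each pointing at the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        block = mine(index, prev, copy.deepcopy(transactions))
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid(chain):
    """Return (index, reason) for the first block a validator rejects, else None."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if block["prev_hash"] != prev:
            return index, "broken link"
        recomputed = block_hash(block)
        if recomputed != block["hash"]:
            return index, "hash mismatch"
        if not recomputed.startswith("0" * DIFFICULTY):
            return index, "insufficient work"
        prev = block["hash"]
    return None


def edit_in_place(chain, index, transactions):
    """Alter a block's contents but keep its old stored hash."""
    forged = copy.deepcopy(chain)
    forged[index]["transactions"] = transactions
    return forged


def edit_and_remine(chain, index, transactions):
    """Alter a block and redo its proof of work, leaving later blocks untouched."""
    forged = copy.deepcopy(chain)
    forged[index] = mine(index, forged[index]["prev_hash"], transactions)
    return forged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    altered = [{"from": "bob", "to": "mallory", "amount": 200}]
    print("honest chain:    ", first_invalid(chain))
    print("edited in place: ", first_invalid(edit_in_place(chain, 1, altered)))
    print("edited + remined:", first_invalid(edit_and_remine(chain, 1, altered)))
```

Rewriting history therefore means redoing the work for the altered block and every block after it, while the honest chain keeps growing.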

Karagiannis noted that chains get exponentially harder every four years, thus increasing the value of prior transactions. The best known blockchain to date is the digital currency Bitcoin, which increased in value because it is difficult to make. Yet the blockchain concept lends itself well to other applications, like managing digital assets such as music, confirming identity, proving verifiable data such as titles to a house and smart contracts.

Effective attacks on blockchain began as Bitcoin’s popularity increased. Citing examples such as 1 Return, Mt. Gox and Gatecoin, Karagiannis explained that “Attacks have not been against the concept, but the implementation.” To that point, the Bitcoin wallet site Coinbase is the most heavily insured of all Bitcoin purchase sites, but only for attacks against the back-end blockchain system. If there is a user-specific problem, such as a lost phone or compromised password, it’s the user’s problem. There is no FDIC backing up the investment. Karagiannis claimed Android phones are most susceptible due to poor security updating in all but newest devices.

His bigger concern, however, is whether blockchain is being “built on a digital house of cards”, due to the use of public encryption keys that are exposed in transactions and susceptible to cracking by ECC (Error Correction Code) with quantum computing. While his ensuing physics lesson left most heads in the room spinning (including making a case for the use of Lamport signatures as a stopgap for this vulnerability), his bottom line was that “too many people are adopting block chain and NOT allowing for this issue,” raising the specter of having to start over at some point to get blockchain security right.
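Lamport signatures, mentioned above, are built from a hash function alone, and each key pair may sign only one message. The following is an added sketch, not code from the talk or the article; it assumes SHA-256, the messages are constructed, and `OneTimeSigner` and `positions_fully_revealed` are hypothetical names.

```python
import hashlib
import hmac
import secrets

BITS = 256  # one pair of secrets per bit of the SHA-256 message digest


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(H(zero), H(one)) for zero, one in private]
    return private, public


def digest_bits(message):
    """The message digest as a list of 256 bits, most significant bit first."""
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(private, message):
    """Reveal, for each digest bit, the secret that matches that bit's value."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(public, message, signature):
    """Hash each revealed secret and compare it with the published hash."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(H(signature[i]), public[i][bit])
    return ok


def positions_fully_revealed(message_a, message_b):
    """Count positions where signing both messages with one key reveals both
    secrets of a pair; this is why a key must never be reused."""
    return sum(a != b for a, b in zip(digest_bits(message_a), digest_bits(message_b)))


class OneTimeSigner:
    """Hypothetical wrapper that enforces the one-signature-per-key rule."""

    def __init__(self):
        self._private, self.public = keygen()
        self._used = False

    def sign(self, message):
        if self._used:
            raise RuntimeError("Lamport key already used; generate a new key pair")
        self._used = True
        return sign(self._private, message)


if __name__ == "__main__":
    signer = OneTimeSigner()
    message = b"pay 5 to bob"  # constructed sample message
    signature = signer.sign(message)
    print("valid signature:  ", verify(signer.public, message, signature))
    print("altered message:  ", verify(signer.public, b"pay 500 to mallory", signature))
    print("pairs exposed by a second signature:",
          positions_fully_revealed(message, b"pay 500 to mallory"))
```

The cost is size: with these parameters a signature is 8 KiB and a public key 16 KiB, and every signature needs a fresh key pair.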

His recommendations?

As soon as possible, organizations should review any blockchain applications in development or use to make sure blockchain is the appropriate technology, considering security, data permanence and other technology alternatives. This should include verifying if the application is an overlay to proven blockchain and protocol, or something new and experimental, which increases risk.

He also recommended testing the application security, performing ethical hacking engagements to uncover flaws, and choosing vendors that have real blockchain experience, rather than those looking for proving grounds.

Karagiannis concluded with a request to the broader blockchain community to contribute to the future security of blockchain technology through having developer resources “give something back” and supporting NIST’s call to arms to develop post quantum crypto solutions for PK.

Source: Information Security Magazine

Social Media Impersonators Run Rampant and Undetected

The overall number of social media impersonators increased 11-fold from December 2014 to December 2016, with the bad actors bent on collecting credentials and PII.

Impersonators are most commonly found on Facebook, Twitter and Google+, though impersonators were also found on Instagram, YouTube and LinkedIn.

ZeroFOX analyzed nearly 40,000 identified impersonator profiles to uncover trends over time and the commonly observed tactics, techniques and procedures (TTP) and payloads. It found that the tactics used by these fraudulent accounts are devious and diverse, ranging from traditional social engineering ploys to actually paying money to advertise the scam to reap higher rewards.

Nearly half of all nefarious social media impersonators disguise their payload as a fake coupon or giveaway using the brand to attract promotions seekers. And more than a third of all nefarious social media impersonators send their target to a phishing page to steal social media account credentials, credit cards and personal information.

Also, the report found that verified account impersonators are systemic across the networks, and were found on Facebook, Twitter and Instagram; while also using YouTube to promote them. Verified account impersonators are also advertising their payloads through promoted ads.

“The networks’ attempts to provide ‘verification’ to real corporate accounts has led to a new breed of impersonations and verification scams,” the report noted. “The broader impersonator landscape revealed many tactics meant to lure the user into buying competitor or counterfeit merchandise, providing personal information to unknowing fake recruiters, entering fabricated contests to steal personal information or money, engaging in fraudulent money-flips and more.”

In terms of avoiding detections, impersonators have a varied bag of tricks. For one, they regularly wipe accounts and leave them dormant to avoid detection between attack campaigns—later weaponizing them in new ways. Some impersonators create locked accounts to hide their malicious activities, allowing them to take the activity out-of-band through email, direct message, or phone and thus evade detection; they also often crop or modify company images to evade rudimentary image matching and hashing detections.

And finally, impersonators will often post a link to another social network with the malicious link and payload. This cross-network pivoting makes it difficult for the primary network to detect attacks.

“We’ve only scratched the surface when it comes to combatting impersonators. While we encountered traditional payloads such as phishing and malware, we found a larger set of threats unique to impersonation on social media,” the firm said in the report. “These included unseen scams, fraud, brand abuse and follower farming. This broader threat landscape extends beyond targeted threats and represents a more systemic issue of risks impacting enterprise security, privacy and reputation. If allowed to go unresolved, these threats impact the organization’s bottom line and damage fundamental customer trust in the organization. Therefore, we prescribe a new defense-in-depth approach tuned for social media to arm organizations with a tried and proven methodology for identifying and combatting impersonators.”

Source: Information Security Magazine

Cyber-Workforce Shortage to Increase to 1.8 Million Positions by 2022

The serious talent shortage in the information security workforce shows no sign of waning: The Center for Cyber Safety and Education says that employers must look to millennials to fill the projected 1.8 million positions that are estimated to be unfilled by 2022. 

This is an increase of 20% from the 1.5 million worker shortfall forecast by the Center’s 2015 Global Information Security Workforce Study (GISWS).

“For years, we’ve known about the impending shortage of the information security workforce, as evidenced by our study year-over-year,” said David Shearer, CEO, (ISC)², which sponsored the report. “For the first time, we’re taking a deep dive into the millennial respondents, and we’re finding that they want different things in terms of job satisfaction and career paths. They truly are the future of cybersecurity, and I believe they hold the key to filling the well-publicized information security workforce gap.” 

One of the largest studies of the information security profession ever conducted, the 2017 GISWS was carried out from May through September 2016 by Frost & Sullivan, using a web-based survey. Since its first release in 2004, the GISWS has provided a complete profile of the information security workforce, with a clear understanding of pay scales, skills gaps, training requirements, corporate hiring practices, security budgets, career progression and corporate attitudes toward information security that is of use to governments and corporations, hiring managers, and information security professionals.

Among the findings is the fact that salaries are not the highest priority for millennials. However, they received higher salary increases than other generations. What they do want is career development, including: sponsored mentorship and leadership programs; paid-for attendance at industry events; training programs; and employer-paid professional certifications and association memberships.

The report also found that millennial workers are more likely to change employers than other generations; and, they’re more likely to aspire to become security consultants than move into managerial roles within an organization.

“Millennials will and in many cases are already critical players who enable the success of our collective cyber defense,” said Angela Messer, executive vice president at report sponsor Booz Allen, and the firm’s cyber-innovation business leader and cyber-talent development champion. “To attract, retain and empower these millennials, it’s clear from the Global Information Security Workforce Study that our industry must be innovative not only in its tradecraft, but also in how we support this next generation of information security professionals. At Booz Allen, we provide opportunities for skills development by offering traditional training and covering certification or advanced degree program fees, as well as non-traditional learning opportunities, such as our Kaizen capture the flag platform and hacker space labs.”

The report also found that the UK is in a particularly bad spot. Two-thirds of UK companies have too few cybersecurity personnel, with 47% claiming the reason is a dearth of qualified applicants. But many organizations seem to be shooting themselves in the foot by refusing to hire and train inexperienced recruits. Some 93% said previous cybersecurity experience is an “important factor” in hiring, and just 6% said they recruit university graduates.

Source: Information Security Magazine

Only 3% of Orgs Can Address Top Threats Like Ransomware

When it comes to how successful businesses will be at defending against the top attacks of the day, the results are sadly lackluster: Research reveals that only 3% of organizations have the technology and only 10% have the skills in place to address them.

According to a study from Tripwire, ransomware alone has the potential to inflict the most significant damage to organizations in 2017, yet not even half of those surveyed have the skills (44%) or the technology (43%) to effectively combat it.

“The results of this study highlight that there are very few organizations equipped to deal with all of today’s major attack types. Most organizations can reasonably handle one or two key threats, but the reality is they need to be able to defend against them all,” said Tim Erlin, senior director of IT security and risk strategy for Tripwire. “As part of the study, we asked respondents which attack types have the potential to do the greatest amount of damage to their organization. While ransomware was cited as the top threat, all organizations were extremely concerned about phishing, insider threats, vulnerability exploitation and DDoS attacks.”

The study’s respondents were also asked about their skills and technology, specific to each of the attack types. Tripwire found that most felt confident in their skills to tackle phishing (68%) and DDoS attacks (60%), but less confident in their abilities to address insider threats (48%), vulnerability exploitations (45%) and ransomware (44%). Regarding technology, the findings once again revealed more confidence in addressing phishing (56%) and DDoS attacks (63%), with less than half of the companies having the technology to address ransomware (43%), insider threats (41%) and vulnerabilities (40%).

“We can see from these results that under half of organizations have either the technology or skills in place to address ransomware, insider threats and vulnerability exploitation, which is very concerning,” Erlin said. “These are all very real threats, which almost all organizations will face at some point in time. The unfortunate reality is that today’s determined cybercriminals will target organizations with [a] variety of different attack techniques until they are successful. Organizations need to work with security vendors that have the ability to help them address all of today’s major attack types, while also offering IT teams with training to help educate them on new trends.”

The findings of Tripwire’s study indicated that foundational security controls would help address these challenges. While two out of three respondents stated they use security standards or frameworks that include a set of foundational controls, 93% responded “yes” when asked if the adoption of foundational security controls would improve their readiness to protect against new security threats.

That said, the enforcement of foundational security controls is challenging, with 65% of respondents indicating they lack the ability to effectively enforce them.

In terms of targets, about 64% of respondents believe financial services will be hit hardest by cybercriminals in 2017. And while US respondents were more concerned about the health care sector (46%), European respondents were more concerned about telecommunications companies (59%)—which makes sense given the recent high-profile TalkTalk breach.

Source: Information Security Magazine

#RSAC: Panel – Encryption and Back Doors: The Line Between Privacy & National Security

A panel of security experts gathered at RSA Conference 2017 this week to discuss ‘Encryption and Back Doors: The Line Between Privacy and National Security’, exploring some of the main ethical, technical and business issues that currently surround the topic and what they mean for the future of the data protection community.

Getting proceedings underway, panel moderator Bree Fowler, technology writer, Consumer Reports, asked:

Can you shed a little light on the nuts and bolts of back doors and encryption, and how they work?

Will Ackerly, CTO and co-founder, Virtru: Encryption I think we all know, but in terms of what a back door actually is, there are a lot of different definitions. A lot of people consider one thing a back door and others something else, but I think there are really three criteria that make up a backdoor: intent, consent and access. The first around intent; excluding a vulnerability which was not intentional, rather focusing on whether somebody did something purposeful for unintended access to your data. The second is consent; making sure that if the capability is not disclosed to a user and it’s hidden, then that will basically check the box on the consent criteria. The third is access; if this capability can provide access to your data without you knowing it, it should be considered a back door. In a lot of ways it boils down to transparency. If there’s a capability in an application or a device and you are not aware of it, and you have to trust someone as a result and they can get access to your data, then that is considered a back door.

So are there legitimate reasons for [US] government to have access to back doors and what would be some examples?

Deborah Plunkett, principal, Plunkett Associates LLC: Listening to what has been publicly stated by the previous administration, and to some extent the current administration, the US government certainly seems to be very much in favor of security and strong encryption, but the other side of that of course is the responsibility of the government to protect the populace, which includes being able to gain access to information that might be needed to keep the US safe. Really those two are a dichotomy; how can you have strong end-to-end encryption security and also have a mechanism by which, should they need it, the government has a way to get information? That is the million dollar question: first of all should there be a way, I think technically there could be a way, but should there be a way is another question. Technically if there is a way, how can it be done to instill the right level of confidence and trust and to keep that information away from those who would use it to bad effect, that really is a challenge.

Have researchers been able to create a back door without problems? Technically is this possible right now, and is this something that scientists should be chasing from a practical perspective?

Will Ackerly: There certainly have been back doors created in the past, but those technologies have not necessarily been immune to abuse. We have to be extraordinarily careful about the precedent that we set. There are some really powerful capacities that I think can be brought to bear to individuals so they have more choice, they have more transparency around whether they want to give someone access to their data under certain conditions.

So is there an opportunity to make a compromise and meet in the middle when it comes to back doors and encryption, even if it’s not from a technical standpoint?

Jedidiah Bracy, editor, The International Association of Privacy Professionals: For me, if we mandate back doors in the US, that means China, Russia, other countries around the world are going to want to do it as well. I think that would be impossible to manage.

Lastly, given the uncertainties surrounding policy that are coming up, are companies changing the way that they do business, or are they going to?

Jedidiah Bracy: You’re seeing much more of a push for default encryption; I don’t think it’s a coincidence that Apple was one of the first to do it and had a big battle with the FBI. WhatsApp has done it as well, and I think you’re going to see more companies moving towards it, especially companies who want to do business in places like Europe – it’s a business model decision.

Will Ackerly: One call to action for any cryptographer here is to innovate on the algorithms that help with the user experience.

Source: Information Security Magazine

#RSAC: The War in Cyberspace: Why We Are Losing—and How to Fight Back

“We are in the fight of our digital lives, and we are not winning.”

These were the words of The Honourable Michael McCaul, House Homeland Security Committee, speaking at RSA Conference 2017 in San Francisco this morning.

In his session ‘The War in Cyberspace: Why We Are Losing – and How to Fight Back’ McCaul warned that our cyber rivals are overtaking our defenses.

“Nation states are using cyber tools to steal our country’s secrets and copy our intellectual property,” he added, “faceless hackers are snatching our financial data and locking down our healthcare information; terrorists are abusing encryption and social media to crowdsource the murder of innocent people. Web-based warfare is becoming incredibly personal.”

What’s more, McCaul continued, the threat is worse than just espionage—our democracy itself is also at risk, made clear by Russian hackers causing discord ahead of last year’s presidential election. “Cyber intrusions have the potential to jeopardize the very fabric of our republic.”

So why aren’t we winning the cyber battle? McCaul pointed to five key factors that are leaving the security industry in the wake of the attackers:

  1. The issue of volume — the digital frontier is like the Wild West, with more cyber outlaws than cyber sheriffs.
  2. High speed of high-tech gives cyber-criminals an advantage — history shows us that offensive weapons always outpace defenses.
  3. Serious information sharing challenges — we have the cyber threat data, but sharing is still far too weak; we do not connect the dots and share information well enough.
  4. Deterrence is difficult — if there are no consequences for bad behavior, then bad behavior will continue. In the cyber world we have to show that there will be consequences.
  5. We face a paradox between national security and digital security — never more obvious than with the terror threat, with recruiting taking place over the internet and propaganda forced on a worldwide scale.

“We need to find a way to keep our country safe, whilst also keeping our data secure—but we’re still not there yet,” McCaul said.

So how do we get there? For McCaul, this starts with the right mindset: “In 1940 British Prime Minister responded to the Nazi invasion of Europe with a rousing speech in the House of Commons. He vowed that the British would fight on the sea, on the beaches, on the landing zones and in the streets—but never surrender. I don’t think we need a bunker mentality, but we do need to acknowledge that we are under siege.”

Another key element of turning the tide and starting to win the cyber war is fixing information sharing weaknesses. “More companies need to step up to the plate and start sharing data with each other,” he argued.

What’s more, we need a talented cyber workforce on the frontlines. “We are losing top cyber talent because morale is bad on the inside and money is better on the outside.”

Last, McCaul said that we need to be prepared for what lies ahead, and be ready for the era of quantum computing, and ensure we have the right cyber defenses in place for when it comes.

“Looking back on 2016, it was a watershed year for cyber space, and for many of the wrong reasons,” he concluded. “However, I think it made us all more realistic about the danger we face and clearer about what needs to be done. While the cyber threat landscape is bleak, we cannot let it outweigh what we already do know—we have the world’s greatest minds working to defend our networks.”

Source: Information Security Magazine

#RSAC: US Government Bug Bounty Programs Here to Stay Under Trump Administration

At the Bug Bounty lightning talks event in San Francisco on February 13, Katie Moussouris and Lisa Wiswell discussed the Hack the Pentagon initiative and the future of bug bounty programs in the US government.

At the event, hosted by Passcode and Uber, Wiswell—the woman behind Hack the Pentagon, and employee of the US Department of Defense’s Defense Digital Service—explained that there was an understandable amount of nervousness inside the Pentagon when the bug bounty cybersecurity program was launched in collaboration with HackerOne. They did, however, understand that bug bounty programs are a “successful security mechanism.”

The first bug bounty program in the history of the federal government unsurprisingly rattled the DoD as its entire existence is based on defense, Wiswell explained. “Historically, we’ve focused a lot on compliance and have sacrificed real security in doing so.” 

Despite the early concerns, she described the pilot as a “tremendous success.”

Moussouris, CEO at Luta Security, helped the Department of Defense launch Hack the Pentagon after convincing Microsoft to launch its first bug bounty program in 2013. She added that it is essential to have the right resources to be able to fix the bugs that are found in a program like that. “If you launch a bug bounty program, you have to be ready for the flood of hacker love. If you don’t have the right resources to fix bugs, don’t do a bug bounty program,” she cautioned.

Moussouris explained that what motivated hackers to get involved with Hack the Pentagon was novelty. “There was a great amount of patriotic motivation too,” said Wiswell, adding that hackers have continued to support and be loyal to the program.

When questioned about whether bug bounty programs will continue under the Trump Administration, Moussouris was confident that the undisputed success of the programs to date would ensure continued investment in programs in the future. “The fact that the first bug bounty program run by the US government was the Department of Defense is significant. If they’re willing to enlist the help of hackers, that sends a great message to the rest of the US government and governments around the world.”

Wiswell was equally confident about the continuation of the program under the Trump Administration. “Bug bounty programs are here to stay [in the Department of Defense]. It’s a proven concept and gets great bang for the buck. It’s important to find low cost ways to do security and be more secure,” she said.

Hack the Pentagon was so successful that Wiswell admitted that she now spends a huge amount of her time consulting to other departments in the US government on how to implement and run successful bug bounty programs. Moussouris experienced a similar ‘consultancy’ phase for different departments at Microsoft after rolling out the first program.

Source: Information Security Magazine