Archive for the News Category

Identity and Access Management Market to Be Worth $24.55 bn by 2022

A rise in web-based applications and risk management solutions, such as policy-based compliance and audit management, combined with cost containment, is set to drive the global identity and access management (IAM) market, says Grand View Research.

Additional drivers projected to positively impact IAM include the growing popularity of connected devices, bring your own device (BYOD) and Internet of Things (IoT).

Such dynamics are prompting increased spending by large enterprises and government organizations, along with stringent regulatory compliances. Grand View calculates that this will be in the region of $24.55 billion by 2022.

This is all set to be very good news for the IAM technology market. The analyst believes that growing innovation with interoperable technologies is enabling providers to build advanced solutions, including secure print authentication and EV charging station access.

Grand View estimates that cloud-based and hybrid solutions will extend their footprint in the industry through enhanced security and reduced error rates. Commoditization of identity functions and the explosion of available applications are also expected to compel enterprises to seek more scalable options.

Looking at individual technology areas, the Grand View report predicts that the cloud-based identity and access management market will witness ‘robust’ demand by 2022, growing at a CAGR of over 18% from 2015 to 2022. Rising demand for cloud SSO is also a key factor supporting expansive adoption among enterprises. The public sector and utilities sector accounted for over 25% of revenue in 2014 and are anticipated to exhibit significant growth over the next seven years.

The current leading players in the identity and access management market include IBM, NetIQ Corporation, Oracle, CA Technologies and HID Global Corporation.

Source: Information Security Magazine

Global Financial Leaders to Invest More Than $1bn in Blockchain Projects in Next 1-2 Years

Bitcoin’s longevity has been discussed as much as its legitimacy but it is set to become the sixth largest global reserve currency by 2030, according to research from Magister Advisors.

The survey from the M&A advisors to the technology industry claims to prove the strategic significance of bitcoin and the Blockchain technology underpinning it, calculating that more than a million bitcoin transactions are now taking place daily, in excess of 10 times publicly reported data.

To date, Blockchain and bitcoin have captured equal attention but Magister predicts that Blockchain is set to impact far wider aspects of business and consumer life. It noted that the majority of bitcoin transactions are currently taking place in developing economies, reflecting the appeal of the robustness of the technology in economies where an estimated two billion adults do not have bank accounts and especially in markets where corruption is endemic in financial services.

By contrast Magister expects an estimated $1 billion to be spent by the top hundred financial institutions on Blockchain-related projects over the next 24 months. These leading banks are said to have portfolios of 10-20 bitcoin-related projects underway.

Magister Advisors sees the initial use of Blockchain as typically complementing, rather than replacing, core infrastructure activities such as wire transfers, often by storing ‘meta-data’ in areas such as settlement and clearing. Yet it asserts that Blockchain’s potential is much greater, given what it says is the flexibility and robustness of the technology, ranging from property registries to security infrastructure to direct payments.

“Blockchain is without question the most significant advancement in enterprise IT in a decade, on a par with big data and machine learning,” commented Jeremy Millar, partner at Magister Advisors who led the research. “What JAVA is to the Internet, Blockchain is to financial services. We have now reached a fork in the road with bitcoin and Blockchain. Bitcoin has proven itself as an established currency. Blockchain, more fundamentally, will become the default global standard distributed ledger for financial transactions…Blockchain technology will underpin a growing number of routine transactions globally as trust grows.”

That said, Millar accepted that initially banks would likely be unwilling to remove the core infrastructure that handles the process of clearance and settlement. “Ironically bitcoin has attracted negative publicity over its short life because attempts to rig it have been flagged by the Blockchain technology that underpins it,” he added. “It’s the inherent ability of the Blockchain infrastructure to expose these attempts that have impacted perceptions when in fact it should shore them up. This self-regulating capability in Blockchain will lend itself to an array of applications where corruption has hitherto been a problem.”

Source: Information Security Magazine

SME Suppliers Falling Short of Security Expectations – Report

Nearly 70% of procurement managers in large organizations believe SME suppliers could do more to protect sensitive client data, according to new research from KPMG.

The global consulting firm polled 175 UK procurement chiefs across several sectors and found reassuringly that standards are high when it comes to vetting suppliers.

A large majority (86%) said they would consider removing a firm if it suffered a data breach and nearly half (47%) claimed suppliers are contractually obliged to report such an incident.

Nearly all respondents (94%) agreed with the statement that standards were important when awarding a contract, with around two-thirds requiring their suppliers to demonstrate certification by Cyber Essentials, ISO, PCI DSS or another respected accreditation body.

If there is no accreditation to speak of, 41% of respondents claimed they would expect the supplier to foot the bill in the near future.

George Quigley, a partner in KPMG’s Cyber Security practice, argued that SMEs can find it difficult to understand the nature of the threat landscape and how they could be exposed to risk.

There are also challenges around “defining and identifying” which data is critical and therefore needs protecting.

“Finally budgets tend to be allocated to IT, rather than to cybersecurity more specifically, which generally means that only a fraction of the funds is invested in cybersecurity,” he told Infosecurity.

However, things are changing, Quigley argued.

“SME business partners are starting to look at certifications in order to gain some comfort that the potential SME supplier is dealing with security in an appropriate manner. All signs indicate that this trend is likely to continue,” he revealed.

“Cyber Essentials and ISO 27001 are perhaps the two most common certifications that are being requested. Overall, SMEs need to be able to articulate to their partners the threats that they face, the risks that they believe they are exposed to and the mitigants that they have in place to minimize that risk.”

Source: Information Security Magazine

US Government Launches New Cyber Security Strategy Plan

US government CIO Tony Scott has announced a new plan designed to bolster cybersecurity among federal civilian agencies, following a series of damaging data breaches across departments.

The Cybersecurity Strategy Implementation Plan (CSIP) focuses on five objectives, Scott wrote in a blog post on Friday.

These are: identification and protection of high value assets and information; timely detection of and response to incidents; rapid recovery from incidents; recruitment and retention of the best infosecurity talent; and better use of new and existing technologies.

Scott continued:

“Across the Federal Government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation. Additionally, each Federal agency is responsible for managing its own IT systems, which, due to varying levels of cybersecurity expertise and capacity, generates inconsistencies in capability across government.

CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.”

The security enhancements don’t end at CSIP.

Scott revealed that the Office of Management and Budget was also issuing guidance to agencies on the Fiscal Year 2015 – 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management.

Crucially, the guidance will define for the first time what qualifies as a “major” incident and direct agencies to report such incidents to Congress within seven days.

The initiative follows the OMB’s 30-Day Cybersecurity Sprint—an attempt to quickly address some of the biggest security failings at the heart of government, which were exposed in the OPM hack.

That effort appears to have borne fruit, with a rise in the use of strong authentication by federal civilian agencies of 40% this year to over 80%.

However, Scott warned that security is a continuous process of evolution, with “no one-shot silver bullets.”

“Cyber threats cannot be eliminated entirely, but they can be managed much more effectively,” he added. “CSIP helps get our current Federal house in order, but it does not re-architect the house.”

Source: Information Security Magazine

Tech Contractors Pay $12m to Settle Claims they Failed to Screen Staff

Two technology contractors have agreed to pay the US government over $12 million in total to settle a civil court case alleging they allowed employees to work on a Defense Department contract without security clearance.

Services firms NetCracker Technology and CSC will pay $11.4m and $1.35m respectively, according to a Department of Justice release on Monday.

It reveals that the two were accused of contravening the False Claims Act by using staff who had not gone through required vetting procedures to work on a Defense Information Systems Agency (DISA) contract.

CSC was the prime contractor on the project to provide software to manage the Defense Department telecoms network between 2008 and 2013.

However, during that time, NetCracker is alleged to have knowingly used employees without security clearance, resulting in CSC “recklessly” submitting false claims for payment to DISA, the notice claimed.

A Washington Post report went further, claiming that some of the code written for the project was developed by Russian programmers and subsequently placed onto US government computer networks with no testing for backdoors or other possibly malicious elements.

“Companies that do business with the federal government have a responsibility to fully meet the terms of their contracts,” said Columbia US Attorney, Channing Phillips, in a statement.

“In addition to holding these two companies accountable for their contracting obligations, this settlement shows that the US Attorney’s Office will take appropriate measures necessary to ensure the integrity of government communications systems.”

The lawsuit itself was filed by whistleblower John Kingsley, a former NetCracker employee, under a special provision of the False Claims Act. He now receives over $2.3m for his efforts.

Security vetting for US government staff is seen as even more important in a post-Snowden world, with the fallout from just one rogue contractor having been hugely damaging for the Obama administration and the geopolitical reputation of the nation.

However, the massive data breach of the Office of Personnel Management (OPM)—thought to have been carried out by state-sponsored Chinese hackers—has shown that such requirements can also be an Achilles heel for the authorities.

Source: Information Security Magazine

Cyber-Career Gender Gap Widens Significantly

The gap between US young men and women who would consider a career devoted to Internet security is five times what it was a year ago, research has revealed.

The survey, from Raytheon and the National Cyber Security Alliance (NCSA), shows that globally, the disinterest of young adults in cybersecurity careers is epidemic—especially among women, casting doubt on whether the future will see enough qualified professionals working to keep the Internet safe.

The annual study, Securing Our Future: Closing the Cyber Talent Gap, indicated that the widening gender gap among young adults oriented towards cybersecurity may signal that young women are being shut out.

“There will be serious implications for the world’s security, safety and economic stability if we don’t figure out how to foster a cybersecurity workforce capable of protecting our information from increasingly harmful cyber threats,” said Jack Harrington, vice president of cybersecurity and special missions for Raytheon’s Intelligence, Information and Services business. “We have our work cut out for us to encourage young adults to pursue this profession and to address the widening gender gap—particularly here in the US.”

Despite growing curiosity about cyber-careers, many young adults indicate their education and networking opportunities are not keeping pace with their needs. For example, only 60% of survey respondents say a computer was introduced to their classrooms by age nine. Additionally, women appear to be disadvantaged when it comes to networking opportunities, as men were twice as likely as women to have spoken with a cybersecurity professional, according to the study.

“Not only are we missing [an] obvious opportunity to remediate a global shortfall of cybersecurity workers, but we’re also seeing the problem compounded by leaving women behind when it comes to cybersecurity education, programs and careers,” said Valecia Maclin, program director of cybersecurity and special missions at Raytheon. “It’s critical that public and private partnerships focus on encouraging young girls to foster an interest in science, technology, engineering and math, so that more women are prepared to enter this burgeoning field and help create a diverse, talented workforce.”

Globally, 47% of men say they are aware of the typical range of responsibilities and job tasks involved in the cyber-profession, compared to only 33% of women. And, 62% of men and 75% of women said no secondary or high-school computer classes offered the skills to help them pursue a career in cybersecurity. Also, about half (52%) of women, compared to 39% of young men, said they felt no cybersecurity programs or activities were available to them.

In the US, 67% of men and 77% of women said no high school or secondary school teacher, guidance or career counselor ever mentioned the idea of a cybersecurity career.

“There seems to be latent interest in cyber careers, as half of young adults say believing in the mission of their employer is important and 63% say making money is important,” said Michael Kaiser, executive director of the NCSA. “Cybersecurity jobs offer a clear path to both—we just need to do a better job of spreading the word.”

Source: Information Security Magazine

China Preparing to Unify Cyber Warfare Capabilities – Report

China’s leaders could be about to unify the nation’s cyber warfare capabilities under a single command structure, in a move which may stoke further tensions with the US, according to a new report.

Unnamed “people familiar with the matter” told Bloomberg that the plans will be discussed at the Communist Party Fifth Plenum gathering—an event this week where the next five-year economic plan will be thrashed out.

Centralizing cyber warfare capabilities under the Central Military Commission (CMC) would create clearer lines of communication and better organize the nation’s enormous but diffuse hacking apparatus.

At present this is spread out across various PLA units, as well as the Ministry of State Security and Ministry of Public Security, according to the report.

Reorganizing the state’s cyber capabilities would make sense, as it’s believed some state actors could currently be acting of their own accord or with minimal oversight from their superiors.

But in so doing it could also create waves in Washington, which is already suspicious of its rival superpower bolstering its hacking teams yet further.

Although the two nations shook hands on an agreement not to engage in economically motivated state-sponsored cyber espionage against one another, Chinese hackers have shown no signs of moderating their activity, according to one threat intelligence firm.

The agreement also didn’t cover cyber activity carried out for traditional intelligence gathering and national security/nation state purposes.

If true, the move fits with president Xi Jinping’s wider move to remold the People’s Liberation Army into a 21st century fighting force.

Xi, who chairs the CMC, last month announced a reduction of 300,000 troops. He is also down on record as saying at a Politburo meeting last year that the military had to “change our fixed mindsets of mechanized warfare and establish the ideological concept of information warfare.”

An official Ministry of National Defense white paper from May argues that building improved cyber capabilities is a “critical security development domain.”

Some have argued, however, that a better organized Chinese cyber military could make it easier for the US to open lines of communication for the establishment of cyber rules of engagement.

Source: Information Security Magazine

#TalkTalk: 'Customer Bank Accounts are Safe'

TalkTalk CEO Dido Harding has gone on a media offensive over the weekend, allaying fears that hackers could drain customers’ bank accounts with the details they stole and claiming the firm’s cybersecurity is better than many of its competitors.

The chief executive of the UK ISP criticized media “scaremongering” following the major data breach last week.

“We are really frustrated with the number of sensationalist claims that are being made, not just about TalkTalk as a company but more importantly about customers losing millions and millions of pounds,” she told The Guardian.

“I think it’s actually very irresponsible because it’s whipping up fear about the digital world. Goodness knows I’ve been one of its biggest fans … and it’s not right that having lost your bank account number and sort code that people can take money from your bank account—they can’t.”

The true scale of the breach is still not yet known, although TalkTalk has now said it believes the number of customers affected is “materially lower” than at first feared.

She also argued that the firm’s security had “improved dramatically” over the past year, since serious failings were pointed out by researcher Paul Moore.

“On that specific vulnerability, it’s much better than it was, and we are head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones,” said Harding.

TalkTalk has apparently called in BAE Systems to help with its investigation into the incident. The Metropolitan Police and National Crime Agency (NCA) are also conducting their own investigation, although no arrests have been made so far.

The ISP’s website is back up and running after being targeted in a denial of service attack apparently used by the hackers as a smokescreen while they attempted to compromise customers’ financial data.

An update posted on Saturday claimed that no account passwords had been accessed by the attackers.

However, it advised customers to change their passwords as a precaution, to stay vigilant and report anything suspicious.

A free year’s worth of credit monitoring from Noddle is also being offered by the ISP.

Source: Information Security Magazine

Essex Police Left Red-faced After Twitter Account ‘Hacked’

A police force in England was left red-faced on Friday after its Twitter account was hacked and used to post misleading cybersecurity advice.

Essex police has since removed the offending tweet, which claimed: “if you shop & bank online—make sure the site’s URL has ‘http://’ to protect your data.”

HTTP is an insecure protocol which will certainly not make online shopping or banking more secure.

As security blogger Graham Cluley wrote in a post on the incident, HTTPS is the more secure of the two, although even that is not a foolproof way to avoid scams.

“What you actually want to look for is HTTPS, which encrypts communications between your web browser and the website you’re trying to access. Hopefully you have noticed the little green padlock in your URL bar when you access sites that need to secure your information, such as your online bank or webmail accounts,” he explained.

“But there’s still nothing to stop bad guys from creating websites that use HTTPS—so don’t be fooled into believing that it is *proof* that a site is safe to log into.”

To make matters worse for the police force, the link posted alongside this bogus security message is said to have taken users to a site hosting an “offensive” picture.

In any case, the police force soon removed the offending tweet and implied that its account had been cracked or hacked by a malicious outsider.

It tweeted the following message:

“We apologise for previous tweet re #CyberAware; it was malicious & has been deleted – please do not click on the link that was in the tweet.”

Cluley argued that organizations of all sizes need to take the security of their social media accounts more seriously.

“Maybe they would be wise to enable Twitter’s two-factor authentication (known as Login Verification) to protect their account as well,” he added.

The past few days have shown that law enforcers are becoming a popular target for cyber mischief makers.

Last week, Lancashire Constabulary was forced to issue a warning to internet users after reports emerged of a spam phishing email purporting to come from the force.

Source: Information Security Magazine

Enterprise Application Access Controls Sorely Lacking

Despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.

According to the Enterprise Application Security Market Research Report from King Research, survey respondents ranked a number of solutions as “highly useful,” including those that: enforce multifactor authentication (MFA) across all users at all times; hide app servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control of who can connect to what, independent of app location, device type and user affiliation.

The highest-ranked solution is of course one that does all of the above, according to respondents.

Even so, those surveyed said that 60% of their organizations do not require MFA for non-employees to access enterprise applications. In addition, while 57% of respondents’ organizations allow bring-your-own-device (BYOD) for access to enterprise applications, 42% do not require non-employees to adhere to the corporate BYOD policies.

“This survey is unique in gathering information around enterprise application access, stringent controls, and the usefulness of solutions InfoSec professionals believe would best protect their organizations from becoming tomorrow’s headline,” said Ross King, principal analyst of King Research. “For example, we found that more than half of respondents (57%) said they have long-term contractors who need access to company information, and these contractors may or may not reside on-premise. But when asked which authentication type is typically used when providing non-employees access to enterprise applications, nearly half (42%) responded that simple passwords are used.”

The survey also found that 63% of respondents said that 10% or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees. Top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6), phishing (7.3), server misconfigurations (7.3) and denial of service attacks (6.9).

When asked to score criteria importance for selecting enterprise security products and services on a scale of 1 to 10, respondents scored “compliance” the highest with a near 7.6 score. The second most important criterion was “security advantage by using superior technology,” with a score of 7.5.

“Executed properly, multifactor authentication is very secure,” said Anna Luo, senior director of marketing at Vidder, which sponsored the survey. “But highly stringent controls have proven to be too complex for users to adopt. This complexity is likely the reason why so many organizations do not have the controls needed in place, and why the research findings reveal that characteristics of software defined perimeter are seen as ‘highly useful’ in these areas.”

Source: Information Security Magazine