Why Dyre Is Different and What It Means for Enterprises

By Bob West, Chief Trust Officer, CipherCloud

The Dyre Trojan, which salesforce.com warned its customers about earlier this month, shows that cyber criminals have found a brand new way to target cloud applications.

It is the first known malware tool to deliberately target an enterprise cloud provider and use trusted cloud file sharing services like Dropbox to install itself on client systems. The malware hammers home exactly why companies need to pay close attention to both server-side and client-side security when using cloud services.

Dyre, or Dyreza, was first spotted in the wild in June attempting to steal the banking credentials of customers of major banks such as Citibank, RBS and NatWest. More recently, it appears to have been tweaked to specifically target customers of salesforce.com.

In design and function at least, Dyre is somewhat similar to other Remote Access Trojans (RATs) like Zeus. It typically arrives disguised as a harmless download or attachment that unsuspecting users are tricked into installing on their computers. It then lurks quietly on the system waiting for the user to type in a target URL, like Natwest.com or salesforce.com. Dyre then quickly intercepts the user’s browser session and routes it through a server controlled by the attacker.

Dyre employs a tactic called “browser hooking” to strip SSL protections from supposedly secure sessions. So someone entering their login credentials to access a salesforce.com account or their bank account is actually handing over their username, password and other session data in clear text to the attacker without realizing it.

The version of Dyre that targeted customers of salesforce.com appears designed only to harvest user logins, probably so the credentials can later be sold for use by other cyber criminals. An attacker can potentially use the illegally obtained credentials to take over the associated accounts and carry out all the actions of the authorized users of those accounts without anyone realizing anything until it is too late.

Cyber thieves have used this kind of account hijacking to drain hundreds of millions of dollars from the bank accounts of numerous small businesses, municipal governments and school districts over the past several years.

With Dyre, the threat has moved for the first time to cloud applications.

In this particular instance, the attackers used Dyre to go after customers of salesforce.com. But make no mistake – the malware can be used just as easily to harvest data from customers of other cloud applications as well.

Cyber criminals have clearly figured out that there is a lot of potentially profitable data that can be harvested by going after cloud customers. But instead of trying to infiltrate cloud server-side protections they appear to be going after vulnerable client systems belonging to the end users of enterprise cloud applications.

Many of those infected by Dyre were lured by spear-phishing emails containing a link to a malicious document hosted on Dropbox. Those who downloaded the document, thinking it was safe because it was hosted on a reputable site like Dropbox, infected their systems with Dyre. Because Dyre uses some sophisticated packaging and obfuscation techniques, it was able to avoid detection by most AV tools until recently.

Salesforce.com is one of the most successful and most trusted cloud services used by businesses. There’s really not a whole lot that salesforce.com or any other cloud provider can do in a situation like this beyond urging customers to follow security best practices. The vulnerability lies on the client side, not in the cloud.

In an alert, salesforce.com urged customers to ensure that the antivirus tools on their client systems were fully updated and capable of detecting Dyre. The company also asked companies to consider implementing IP range restrictions to ensure that only users from a corporate network or VPN were allowed access to the Salesforce Platform. In addition, salesforce.com recommended that enterprises consider employing two-factor authentication as an additional security measure for users attempting to login from an unfamiliar device or location.

Customers of cloud applications can also mitigate their exposure to Dyre by using cloud encryption gateways for customer-side encryption that protects data. Businesses with particularly sensitive data in the cloud should also consider encrypting the client email addresses and other identifiers, such as Social Security Numbers, that are used for login and authentication to cloud applications.

SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?

By Patriz Regalado, Product Marketing Manager, Venafi

The majority of people and consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of the check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on a Fandango mobile app.  People will automatically assume the company has issued a secure app, especially if the app comes from a reputable G2000 company and they downloaded it from the Apple or Google Play app store—or even directly from their employer.  What could possibly go wrong?

Well, evidently there’s a lot that can go wrong.  SSL vulnerabilities in the Android and iOS ecosystems and the man-in-the-middle (MITM) attacks they enable are exposing consumers’ banking credentials, health information, and other personal information.  What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps, as was recently uncovered by university researchers. The study found Android vulnerabilities that enabled the researchers to hack personal information such as usernames and passwords, social security numbers, and steal check images from popular mobile apps with the following success rates:

  • 92% for Gmail
  • 83% for Chase
  • 92% for H&R Block
  • 86% for Newegg
  • 85% for WebMD
  • 83% for Hotels.com
  • 48% for Amazon

FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks.  FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates.  And of the 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing data they exchange with their servers to potential theft.

It wasn’t too long ago that MITM attacks emerged as a major threat to web-based, online transactions, and now we see that MITM attacks are increasingly becoming more widespread for mobile apps.  Mobile apps, just like websites, use the same method to secure communications—SSL/TLS.  However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks.  For example, an attacker can substitute a legitimate SSL certificate with one under his control and view data exchanged between the mobile device and remote server or manipulate private information submitted by the user.

Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities.  It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.

Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 2 of 2)

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

In my previous post, I addressed three major trends that play an immense role in cybersecurity initiatives. These trends include the growth of digital business, information risks, and regulatory requirements. In this post, I’ll focus on issues related to collaboration and compliance. Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems?

First, ensure that your strategy and policies are clear with respect to collaboration and compliance. These statements should address those areas requiring external and internal collaboration and the regulatory environment in which you operate. They should also address those information risks that are most significant for the organization. Since all of these topics evolve rapidly, you should conduct regular executive and Board-level reviews of these plans and policies.

Second, ensure that you have the appropriate staff, organization, and business processes to implement the above plans and policies. Management and staff development for these issues is vital and particularly challenging since the environment is so dynamic. A recent survey by Gartner summarizes these issues well. This organizational development will be essential to realize the new business models that 80% of executives plan to pursue in the next five years, as described in the Accenture survey cited in my previous post. Many organizations are developing enterprise-wide governance, risk management, and compliance (GRC) programs. GRC programs include governance (the processes by which executives and boards manage the enterprise), risk management (the processes by which management addresses risks to the enterprise), and compliance (the processes by which the enterprise complies with applicable laws and regulations). As enterprises become increasingly information-intensive, the protection of information assets is becoming more important in all three primary aspects of GRC programs.

Finally, enterprise systems must perform a broad range of business-critical functions, including the implementation of the above policies and business processes necessary to enable digital business agility, to protect sensitive corporate information, and to enable regulatory compliance. The challenge for CIOs is to design and operate these systems balancing requirements for functionality, performance, and costs while providing necessary security and compliance with corporate policies and regulatory requirements. End users will focus on functionality and performance, the CFO will focus on the costs, while the GRC program must ensure proper security and compliance. There is a growing market for systems to implement the policies and procedures of a GRC program, but the definitions of policies and procedures must precede selecting a GRC platform.

It is clear that we will continue to see growth in the importance of secure collaboration and regulatory compliance in the development of digital business. The ancient curse, “May you live in interesting times,” certainly applies to today’s business environment.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

Worse than Heartbleed?

Jim Reavis, Cloud Security Alliance

Today at 10am EST a vulnerability in the command shell Bash was announced (http://seclists.org/oss-sec/2014/q3/649 and http://seclists.org/oss-sec/2014/q3/650). Bash is a local shell; it doesn’t handle data supplied by remote users, so no big deal, right? Wrong.

A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples of this include web servers running CGI scripts, and even email clients and web clients that pass files, such as a video or sound file, to external programs for display.

In short, this vulnerability allows attackers to cause arbitrary command execution remotely, for example by setting headers in a web request or by supplying unusual MIME types.

To test whether your system is vulnerable, run this in bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you’re vulnerable it’ll print:

vulnerable
this is a test

If you’ve updated Bash you’ll only see:

this is a test
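The one-liner above is fine for a single box but awkward to run across a fleet, so here is an added example (not from the original post) that wraps the same probe in a function returning a verdict and an exit status that a configuration-management or inventory job can act on. It assumes only that a bash binary is on PATH; the verdict strings and exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the announcement's probe
# in a function that returns a verdict instead of relying on someone reading
# two lines of output. Assumes a `bash` binary is on PATH; nothing else.

check_shellshock() {
  # Verdict on stdout; exit status 0 = patched, 1 = vulnerable, 2 = no bash.
  if ! command -v bash >/dev/null 2>&1; then
    echo no-bash
    return 2
  fi
  # The probe: a function definition in an environment variable followed by an
  # extra command. A vulnerable bash runs the trailing "echo vulnerable" while
  # importing the variable; a patched bash imports nothing and only runs the
  # -c command. The warning a patched bash prints goes to stderr and is dropped.
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
  case $out in
    *vulnerable*) echo vulnerable; return 1 ;;
    *)            echo patched;    return 0 ;;
  esac
}

# Stand-alone use: one line per host, suitable for collecting centrally.
status=0
verdict=$(check_shellshock) || status=$?
echo "$(hostname 2>/dev/null || echo localhost): bash ${verdict} (exit ${status})"
```

Run it on every host you can reach and treat anything other than "patched" as a finding; a host that reports "no-bash" still needs a look, since the shell may simply be installed under another path or inside a container image.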

There is more information available at the following links:


And patches for Bash (most versions in the last 15 or so years) are available:


Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 1 of 2)

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

The growth of digital business, information risks, and regulatory requirements are major global business trends that have an immense impact on cybersecurity. These trends are prevalent throughout a broad range of industries – including the financial, aerospace and defense, and retail sectors, among many others – and present many opportunities and threats.

Realizing the potential benefits from digital business requires significant transformation involving greater collaboration with customers, suppliers, partners, and regulators. Performing this collaboration in a timely, cost-effective, and secure way in compliance with necessary laws and regulations is a necessary competency for many organizations.

Protection of information assets is a dynamic and significant topic for many enterprises. For example, Lloyd’s Risk Index for 2013 lists cyber risk as #3 on its list of 50 corporate risk priorities among business, economic, political, environmental, and natural hazard risks. While cyber threats from external organizations are very serious, many types of information risks also arise from lack of training and awareness of regulations and business practices or from errors in implementation.

Risk and compliance are increasingly important areas for corporate executives and board members in many industries, notably including those discussed here.

The Global Growth of Digital Business and Distributed Collaboration

Five years ago, Forrester and Adobe published a report on the future of business collaboration. In that report they state “Today’s collaboration requirements are only a midpoint on a trend line toward a highly distributed, digitally connected, partner-fueled, and customer-driven future.” In the past five years, the world has accelerated significantly toward that future.

Last year the McKinsey Global Institute published a report in which they predict that within a decade there will be more than 2 billion people with Internet access and that we will see $5T-$7T of economic impact from automation of knowledge work. Another recent McKinsey paper stated, “Digitization is rewriting the rules of competition.” The authors also observe, “For businesses, digitization is transforming even physical flows of people into virtual flows, enabling remote work through tools for global collaboration.”

In January, Accenture published a survey of “500 C-level executives from 10 economies (both developed and emerging) about the key influence on their corporate strategy over the next five years.” There are two results to cite here. First, “the ability of technology and innovation to reshape industry norms and boundaries was most commonly cited as the most important structural shift that businesses will face over the next five years.” Second, “60 percent plan to pursue growth in, or in collaboration with, other industries,” and “80 percent are planning growth via new business models.”

Similar analyses and examples like the incredible growth of new technology-driven companies like Google and Facebook all show the accelerating pace of digital business and the importance of connected collaboration in the business environment.

The Global Growth of Information Risks

A recent report by the World Economic Forum contains this conclusion:

“Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks — and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.”

These cyber threats are very diverse. Incidents within the past 12 months arising from diverse external threats include:

  • The Heartbleed incident exploiting vulnerabilities in the Internet infrastructure
  • The Target breach exploiting supply chain vulnerabilities
  • CryptoLocker (and further generations of ransomware) exploiting software defaults and human behavior
  • The JP Morgan breach exploiting web server vulnerabilities

As noted earlier, many other types of information risks arise from lack of training and awareness of regulations and business practices or from errors in system or process implementation. For example, the most recent Verizon Data Breach Report notes that “miscellaneous errors” (e.g., sending email messages with sensitive information to incorrect recipients) cause more than 25% of data breaches. The report states collaboration with external partners about sensitive information can often lead to problems without proper management attention: “…business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other.”

By 2020, threats to critical infrastructure will be even more significant than what we face today. With industries accelerating digitization to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.

The Global Growth of Regulatory Compliance Requirements

The US regulatory environment has grown steadily in the past several decades. While measuring the scale and economic benefits is uncertain and controversial, some metrics give insight into this growth. Data from the Mercatus Center at George Mason University shows that the total word count for federal regulations now exceeds 100 million. Moreover, the growth of this total has exceeded the growth of the US GDP since this analysis began in 1997. The US Office of Management and Budget produces an annual report on the costs and benefits of regulation but acknowledges the large uncertainties and omissions in their estimates. However, there is no doubt that costs in the US alone run to hundreds of billions of dollars annually. Compliance elsewhere is also significant, notably in the European Union.

There are many types of sensitive personal and corporate information protected by thousands of regulations. These include regulations for personal health and financial information, export control, intellectual property, Board proceedings, public company filings, mergers and acquisition plans, etc.

The growth in the size of corporate compliance staffs and in their compensation illustrates the increasing importance of regulatory compliance. Failures have led to significant fines and imprisonment. As a result, many new Chief Compliance Officers have direct reporting relationships to top executives and their boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of the growth of this area.

Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today’s supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the needs to protect intellectual property. For example, Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) is a European Union Regulation for controlling production and use of chemicals and their potential impacts on health and environment. Companies involved in registering a chemical have the obligation to share data about it with government agencies and other specified organizations. Data in the registration documents is valuable intellectual property, and enterprise policies must ensure proper protection.

Addressing the Combined Impact of These Trends on Strategic Business Planning and Operations

Together these trends add up to the following conclusions:

  • The growth and trajectory of key areas of information technology – cloud, mobility, social media, big data, etc. are having inescapable impacts on business plans and operations. These are now C-Level and Board issues with significant operational impact.
  • Information risks have also become C-Level and Board issues. For example, the recent Target breach was a key factor in the resignations of the CEO and other executives and in litigation filed against several Directors for lack of proper oversight.
  • While the global net value of regulatory compliance may be debatable, the requirements for enterprise compliance are not. The growth of digital business with larger information risks will lead to further types of regulation.

Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems? We’ll discuss this and more in the second part of this blog series coming soon.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

New CSA Survey Reveals Emerging International Data Privacy Challenges; Discrepancies Illustrate the Demand for Data Protection Harmonization

By Evelyn de Souza, Data Privacy and Compliance Leader, Cisco Systems

According to a new survey from Cloud Security Alliance sponsored by Cisco, there is a growing and strong interest in harmonizing privacy laws towards a universal set of principles. Findings include overwhelming support for a global consumer bill of rights, global themes regarding data sovereignty, and the OECD principles as facilitating the trends of IoT, Cloud and Big Data.

Data privacy considerations are often overlooked in the development phase of cloud, IoT and Big Data solutions and put in the “too hard” basket. Historically, data privacy experts and the Information Security industry at large have focused on deviations between different regions instead of the similarities, which could encourage more effective collaboration.

The Cloud Security Alliance tested the existence of universal data privacy and data protection concepts and the extent to which these can be drivers for global co-operative efforts around Cloud, IoT and Big Data. We hand-picked over 40 of the most influential cloud security leaders worldwide for their insights on existing international data protection standards and demands. The Data Protection Heat Index Survey Report was structured in four parts and the findings were highly indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.

Data Residency and Sovereignty

Many organizations struggle with issues around data residency and sovereignty. However, there was a common theme of respondents identifying “personal data” and Personally Identifiable Information (PII) as the data that is required to remain resident in most countries.

Lawful Interception

Responses indicated a universal interpretation of the concept of lawful interception, with responses such as: “The right to access data through country-specific laws if the need arises, i.e. data needs to be made available for a cybercrime investigation.”

User Consent

73 percent of respondents indicated that there should be a call for a global consumer bill of rights and furthermore saw the United Nations as fostering that. This is very significant given the harmonization taking place in Europe with a single EU Data Privacy Directive for 28 member states, as well as the renewed calls for a U.S. Consumer Bill of Privacy Rights in the United States and cross-border privacy arrangements in Australia and Asia.

Privacy Principles

Finally, we explored whether the OECD privacy principles, which have been very influential in the development of many data privacy regulations, also facilitate popular trends in cloud, IoT and big data initiatives or instead create room for tension. The responses were very much in favor of facilitating the various trends.

The Data Protection Heat Index survey findings indicate a shared interest in incorporating emerging privacy principles into new solutions versus trying to retrofit existing solutions. The survey report includes an executive summary from Dr. Ann Cavoukian, Former Information and Privacy Commissioner of Ontario, Canada and commentary from other industry experts on the positive role that privacy can play in developing new and innovative cloud, IoT and Big Data Solutions. Download the Data Protection Heat Index survey report. Please tell us what you think by posting your comments below.

Where do you see opportunities for broader industry co-operation around data protection and data privacy?

Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints to help organizations embrace the cloud securely and ensure data privacy in an agile manner. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn previously co-chaired the CSA Cloud Controls Matrix working group and played an integral role in guiding its development and evolution.

The Cloud Perception-Reality Gap Lives On in CSA Survey

by Krishna Narayanaswamy, Netskope Chief Scientist

I thought we had moved beyond the cloud app perception-reality gap.

Shadow IT has been a topic of much conversation in the media, at conferences, and among our customer and partner communities for the past several years. Gartner highlighted the issue when the analyst firm declared cloud access security brokers as the #1 information security priority for this year. And vendors have been reporting for over a year on the many hundreds of cloud apps they observe per enterprise. This is a known issue.

But if you read “Cloud Usage: Risks and Opportunities Report,” which was released by the Cloud Security Alliance on Friday, you may think you’re reading a report from last decade. The report details results from a survey conducted by the Cloud Security Alliance of 165 IT and security practitioners across a variety of industries and geographies.

Among the many surprising responses, three findings particularly struck me:

  • How many cloud apps do people think they have? According to the report, more than half (54 percent) of respondents believe that they have ten or fewer cloud apps. Ten or fewer! I use ten cloud apps in my first fifteen minutes at work each day. OK, that’s a slight exaggeration, but not by much. A full 87 percent of respondents believe they have 50 apps or fewer. When we perform a Cloud Risk Assessment for our customers and prospects, we ask this question. The most common answer is 50, and the average we find is 508 apps. That’s a ten-fold difference.
  • How much sensitive content is shared? According to the report, nearly half (48 percent) of respondents believe that less than 5 percent of their sensitive content in the cloud has been shared with unauthorized individuals or individuals outside of the organization. I think that’s low. In our cloud, we see that there are three shares for every content upload within cloud storage, and 49 of the 55 app categories we track have apps that enable sharing. That’s a lot of sharing.
  • How many apps are connected to the corporate directory? According to the report, 44 percent of respondents believe that 5 or fewer apps are integrated with their corporate directory. I guess that’s not surprising given #1, but if you believe that the reality is that organizations have 508 apps on average, that’s less than one percent. Given all of the recent data breaches, including ones involving cloud-based remote access technologies, you’d think that organizations would either want to authenticate users as they log into cloud apps or enforce policies to steer users to similar apps that are integrated with the corporate directory. After all, many of these apps are business-critical and house sensitive data.

Many of our customers and prospects have become a lot more aware of shadow IT, but based on this survey, it looks like we still have work to do to educate organizations about the magnitude of the issue, and what steps can be taken to discover and safely enable those apps. Get the full report here.

Call for Volunteers: Critical Areas of Focus in Cloud Computing/Guidance v4

By J.R. Santos, CSA Global Research Director

Today at our annual CSA Congress in San Jose, we are announcing a formal recruitment effort for volunteers to help develop the next Critical Areas of Focus in Cloud Computing Guidance, version 4.

This is among the most important guidance documents the CSA makes available to cloud users, as it plays an important role in helping users establish a stable, secure baseline for cloud operations. It also provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.

This next iteration of the Guidance will extend the content included in previous versions with practical recommendations and requirements that can be measured and audited. As a CSA industry expert author, you will have the opportunity to present a working product that is measured and balanced between the interests of cloud providers, cloud brokers, auditors, and tenants.

This version’s coverage of cloud adoption will include new technologies in big data, mobile, IoT, SDN, and interoperability and portability in the cloud. Guidance, version 4 will also incorporate lessons learned from CSA working groups and various other CSA activities into one comprehensive C-level best practice.

Most importantly, Guidance, version 4 will serve as the gateway to emerging standards being developed in the world’s standards organizations, and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.

Sound challenging and interesting? Then join us! We welcome your time, ideas and energy in making the next Critical Areas of Focus in Cloud Computing Guidance a continued benchmark document that looks to the future in helping managers adopt the cloud paradigm safely and securely.

If you would like to contribute, please fill out the following on-line form at https://cloudsecurityalliance.org/research/guidance-v4-volunteer/.

After the form is complete, someone from the CSA Research Team will contact you with next steps.

CSA Hackathon On! Launches Today at CSA Congress 2014

Today at 9 am PT, we officially kicked off our second Hackathon, where we are inviting the most determined of hackers to break CSA’s Software Defined Perimeter.

As background, the Software Defined Perimeter (SDP) is a new security concept being standardized by the Cloud Security Alliance (CSA). SDP combines time-proven security concepts (such as need-to-know access) with new technologies (like Mutual TLS with DHE) into an integrated package.

This new approach to security mitigates network-based attacks by dynamically creating perimeter networks anywhere in the world—including in a cloud, on the DMZ, and in the data center. SDP is designed for a wide range of applications from protecting Internet-facing web sites to enabling secure hybrid cloud networking.

For the purpose of this Hackathon, an SDP in one public cloud will be used to protect a high value file server in a different public cloud. And, since this challenge simulates an insider attack, participants will be provided with the IP addresses of the Target server as well as the SDP components protecting it.

The first participant to successfully capture the target information on the protected server will receive $10,000 in cold hard cash – and in the currency of their choice for those bitcoin fans! All participants will also be entered into a drawing to win $500.

The rules – well, that would be silly – hackers don’t play by the rules, now do they? There are none!

Spectators and hackers can use CSA’s Twitter feed to monitor event progress and ask questions from anywhere in the world, anytime.

To get started, visit https://hacksdp.com and scroll down to the Getting Started section for instructions.

What are you waiting for? Get Hacking!

Financial Survey Now Open: How Cloud Is Being Used in Financial Sector

By J.R. Santos, Global Research Director

Today at CSA Congress 2014 here in San Jose, we are announcing the opening of an important survey we hope that you will take part in. The ‘How Cloud is Being Used in the Financial Sector’ survey aims to accelerate the adoption of secure cloud services in the financial industry, by enabling the adoption of best practices.

Some quick background on the group. At CSA Congress 2013, we introduced the Financial Services Working Group in an effort to provide knowledge and guidance on how to deliver and manage secure cloud solutions in the financial industry. A secondary objective of the group is to foster cloud awareness within the sector and related industries. The group’s efforts are designed to complement, enrich and customize the work of other CSA working groups to provide a sector specific guidance.

This inaugural survey from the group aims to identify the following:

  • The industry’s main concerns regarding the delivery and management of cloud services in the financial sector
  • Industry needs and requirements (both technical and regulatory)
  • Appropriate strategic security approaches to ensure protection of business processes and data in the cloud
  • Potential gaps in existing CSA research from the financial services standpoint

We hope you will take a few moments to take part in this important survey. The 21-question survey is available at https://cloudsecurityalliance.org/surveys/fswgsurvey/ and will be open until October 26, 2014. The results will be published in late fall.

We would like to thank co-chairs Mario Maawad and Juan Losa, with Maria Louisa Rodriguez, Toni Felguera, and the volunteer members of the Financial Services Working Group for putting this survey in place.

Data Breaches and the Multiplier Effect of Cloud Services

By Eduard Meelhuysen, Managing Director, EMEA, Netskope

We have had a number of conversations lately with our customers and partners about cloud security, with a particular focus on data protection in light of a growing number of data breaches. Against a backdrop of the iCloud hack and data breach revelations at major global corporations, the massive growth of cloud services is giving many IT and security professionals pause as they consider the impact that growth will have on data breaches in their organisations.

The cloud introduces new dynamics in enterprise IT, including massive cloud app growth, much of it outside of the purview of IT; mobile access to cloud apps; and cloud-specific capabilities like sharing, which make it easy for content to get out of an enterprise’s control.

Each of these dynamics could be considered a multiplier, or something that increases the probability of a data breach. To take the pulse of the market and quantify this idea, we asked the Ponemon Institute, a foremost expert in data breach research, to conduct a study on the topic. In support of our formal launch of Netskope in the Europe, Middle East, and Africa region, we are releasing “Data Breach: The Cloud Multiplier Effect.”

The report pulls from a survey of 1,059 IT and security practitioners across Austria, Belgium, Denmark, France, Germany, Greece, Ireland, Italy, Netherlands, Poland, Russian Federation, Slovakia, Spain, Sweden, Switzerland and the United Kingdom, and measures not only the multiplier effect that cloud services have on the probability and economic impact of a data breach, but also takes stock of perceptions of cloud vendor enterprise-readiness.

The report reveals several telling findings about the state of cloud security in EMEA, including:

  • The presence of cloud services can increase the probability and economic impact of a data breach involving the loss or theft of customer information by as much as three times.
  • A breach involving the loss or theft of 100,000 customer records would cost an organisation €13.6M, based on previously established cost metrics. Probability-adjusted, the expected economic impact comes to €1.63M. When asked about the increased use of cloud services, respondents projected a new probability that brought that estimate to nearly €5M.
  • 85 percent of respondents don’t believe their cloud provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
  • 77 percent of respondents fear their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of customer data.
  • 57 percent of respondents believe their cloud service providers don’t use enabling security technologies to protect and secure sensitive and confidential information.
  • 72 percent believe their cloud service providers aren’t in full compliance with privacy and data protection regulations and laws.

This may sound like doom and gloom, but there’s actually never been a better time to safely adopt cloud services in your organisation. Based on our and our customers’ experience, here are three ideas for safely enabling cloud services while mitigating the risk and magnitude of data breaches and other security threats.

First, discover what cloud apps are in your environment and find out how enterprise-ready they are. This is a big step toward understanding and mitigating risk of a data breach because you know what you’re dealing with and can triage the most important apps first. These important apps may include: 1. Systems of record or business-critical apps, including your salesforce automation, renewal and billing, and salary and performance tracking systems, to name a few; or 2. Apps that contain sensitive data, such as a big data app that you use to crunch medical clinical trial results, a business intelligence app that has your company’s non-public financial information, or a software development app that contains your source code, roadmap, and quality assurance bug queue. Did you know that, in addition to being apps that contain sensitive data, each of these is an example of an app that enables sharing?

Second, beyond discovering apps and understanding their risk, it’s critical to know how those apps are being used and what data are being uploaded to and reside in them. Answering questions such as “Is anyone uploading personally-identifiable health information to the cloud?,” “Is anybody downloading personally-identifiable information to a mobile device?,” and “Who’s sharing sensitive content outside of my organisation?” will give you a significant leg up on the problem. Once you can answer these types of questions, you can address the risk, whether by having a conversation with users or line-of-business owners, granularly blocking activities like sharing outside of the company, or encrypting certain data when they are uploaded to the cloud.

Finally, get support. We have tremendous resources in organisations like the Cloud Security Alliance. Also, reach out to your vendors such as Netskope and our partners. We have a treasure trove of best practices and advice from customers who have experienced similar challenges.

Data breaches are serious business, and if you believe the respondents in this study, the cloud can have a tremendous multiplying effect on them. However, between understanding your cloud app environment and reaching out for a little help from your friends, you can mitigate the cloud risk multiplier for your organisation and take advantage of all of the productivity benefits that the cloud provides.

Call for Volunteers:  Antibot Working Group Seeks Experts to Help Develop Botnet Essential Practices Guide for Cloud Providers

By J.R. Santos, Global Research Director

Today at the CSA Congress 2014, we have announced a call for volunteers to help create the first CSA Botnet Essential Practices Guide for Cloud Providers. Botnets have long been a favored attack mechanism of malicious actors, with server-based bot activity increasing as a means of taking advantage of vastly greater upload bandwidths and higher compute performance. With cloud computing rapidly becoming the primary option for server-based computing and hosted IT infrastructure, the CSA Anti-Bot Working Group was established in 2013 to help articulate solutions to prevent, respond to and mitigate damage from botnets occurring on cloud infrastructure.

Cloud providers have historically been viewed as one of the sources leveraged for botnet activity that has impacted outside businesses.  Cloud providers can benefit from implementing a standard framework of best practices to protect their infrastructure from potential disruption associated with botnet malware, both in terms of resource usage as well as consumer perception.

The guide, currently underway, includes a series of recommended approaches to minimizing the impact of compromised systems within the cloud infrastructure from affecting co-located customers and external entities.  This guidance will be important in enabling cloud providers to take a comprehensive lifecycle approach to botnet prevention, and avoid being used as an instrument of malice to other organizations or entities.

To volunteer, fill out the following online form: https://cloudsecurityalliance.org/research/anti-bot/basecamp/

After you fill out this form, someone from our Research Team will contact you with next steps.


Learning to Love Your Security Audit

By Mike Pav, VP of Engineering, Spanning

Most folks treat a security or compliance audit like a visit from the storm troopers: a big uncomfortable disruption to your daily life (if a visit from the Empire can indeed be considered “uncomfortable”). But it does not need to feel that way.

At Spanning, we started out with a “do the right thing” (thanks Spike Lee) mentality built into our DNA, and it has made all the difference in terms of how we view our security audit efforts. While security, privacy, reliability and availability are non-functional requirements, making them a part of your everyday conversations is critical for sailing through audits.

I’ve learned to love our audits for two main reasons:

  1. Since we prepare for them in advance – before we even know they’re coming – we constantly have the opportunity to make our business better.
  2. The audit process will either help us find ways to improve even further or we’ll get a stamp of approval that validates all the hard work we’ve done to be compliant.

You can use your audit process to help you become stronger and operate with less friction, but it takes real effort, practice, and planning. There are some things we started doing right from the start, even before we decided to move down the path of having our software-as-a-service products audited for SSAE 16, and I’d recommend them to anyone who gets that pit in their stomach at the thought of an audit. I’ll discuss these steps in depth at my talk in San Jose, California this Friday at the IAPP Privacy Academy and CSA Congress. If you’re planning to attend the event, be sure to come by the Little Big Stage on Friday at 11:30 am and listen to my “How I Learned to Love My Audit: Lessons in SaaS Data Protection” presentation to learn the processes necessary to “audit-proof” your business; maybe the next time the storm troopers show up, you’ll feel like Yoda.

If you’re not yet registered, there is still time to receive discounted registration pricing. Save $200 off non-member pricing by using Promo Code: 20CSA14. And, be sure to stop by the Spanning booth (#201) and see our audit-friendly cloud-to-cloud backup solution for Google Apps and Salesforce.

Gartner Predicts Rise of the Digital Risk Officer

By Michael Piramoon, Director of Analyst Relations, Accellion

The number of devices connected to enterprise networks is skyrocketing. One reason is mobile computing. Mobile workers in the US now carry on average 3 mobile devices, according to a recent survey by Sophos. Fifteen years ago, each of those workers would have connected to the network through a single desktop computer. The number of devices storing business data and connected to the network per employee has tripled (or quadrupled for those employees who still have desktop computers in addition to their mobile devices). And unlike the devices of a decade or more ago, many of these devices have been selected and configured by employees themselves, regardless of whether or not the organization has officially adopted a Bring Your Own Device (BYOD) policy.

Another reason for the increase in devices is the ongoing rapid adoption of special-purpose networked devices, a trend that Gartner and others now refer to as the Internet of Things (IoT). Gartner defines the IoT as “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” Examples include surveillance cameras, environmental monitoring systems, and factory automation systems. Gartner says that there were 0.9 billion of these devices in 2009, but by 2020 there will be 26 billion—a 30-fold increase.

All those devices and connections create risk for data confidentiality and integrity, which is why Gartner is now predicting the rise of a new executive role, the Digital Risk Officer. According to Gartner:

More than half of CEOs will have a senior “digital” leader role in their staff by the end of 2015, according to the 2014 CEO and Senior Executive Survey by Gartner, Inc. Gartner said that by 2017, one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent.

By 2020, 60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases. IT, operational technology (OT), the Internet of Things (IoT) and physical security technologies will have interdependencies that require a risk-based approach to governance and management. Digital risk management is the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies requiring protection. . . .

The advent of the Digital Risk Officer is another sign of just how vast the changes taking place in enterprise IT are. Connected corporations are becoming hyperconnected as the number of devices multiplies. Services are moving to the cloud, and access is moving from cubicle-tethered desktops to smartphones and tablets. Networks, many now running at speeds of 10G or faster, are supporting more devices and more types of data than ever before.

As Gartner points out, when access is everywhere, risk is everywhere. BYOD and the IoT can make enterprises more agile and productive, but they also introduce new vulnerabilities and security hazards. The next data breach could come from a smartphone, tablet, or networked sensor (many of which were designed without security in mind).

But risk management isn’t the only challenge facing enterprise management teams grappling with the implications of their hyperconnected infrastructures. Keeping security in mind, they should look for ways to re-engineer services and processes to take full advantage of the connectivity and agility enabled by BYOD and IoT. The goal should be to create not only IT services that are more extensive and secure, but also a workforce that is more productive and enthusiastic.



The Lesson from Shadow IT? Workers Want Easy-to-Use Services for Getting Work Done

By Hormazd Romer, Senior Director of Product Marketing, Accellion

The phrase “Shadow IT” refers to products and services used by employees without the knowledge or approval of the IT department.

Shadow IT is everywhere: it can be found in just about any department of any organization. When Frost & Sullivan surveyed line of business (LOB) and IT managers, they found that 80% of respondents admitted using non-approved SaaS applications for their work. Moreover, the survey found:

Non-approved applications represent a sizable proportion of all SaaS apps used in a company. According to respondents, the average company utilizes around 20 SaaS applications; of these, more than 7 are non-approved. That means you can expect that upwards of 35 percent of all SaaS apps in your company are purchased and used without oversight.

Popular categories of shadow IT applications include business productivity, social media, file sharing, storage, and backup, according to the survey.

Why are employees using shadow IT? Frost & Sullivan found that these employees just want to get their jobs done. Many shadow IT users felt that the applications they selected met their needs better than those selected by the IT department. In some cases, the employees were already familiar with the applications they selected, and they felt further swayed when the applications were free. In many organizations, there was confusion about who had the authority to select an application: was it the department or IT? Lacking clear guidance from management, employees decided to act for themselves.

If this ad hoc provisioning seems to be meeting employees’ needs, why not just let it continue? Unfortunately, enterprises must stop shadow IT, because it creates enormous security risks and can lead to data breaches and regulatory fines.

How can an enterprise—especially an enterprise in a highly regulated industry such as financial services or healthcare—possibly keep track of all its confidential files if employees are posting files to an ad hoc collection of unmonitored public-cloud file sharing services? How can the finance department of any public company claim it is complying with Sarbanes-Oxley requirements for managing the distribution of financial data, if it has no idea how its files are being distributed?

Files leaked through shadow IT can make the shadow itself especially long, dark, and gloomy, once data breaches are publicized and regulatory penalties accrue.

Enterprises need to take action.

First, they should establish clear policies about who can select which type of application. If IT is in charge, this should be made clear. If departments have leeway to select certain types of applications, that, too, should be made clear. Next, enterprises should educate employees about the risks of public-cloud services that might leak files or admit malware to the network.

Finally, enterprises should select and provision SaaS services that are as powerful and easy-to-use as those being used in shadow IT. Employees are turning to applications to get their work done. Enterprises would be wise to select applications and services that let their employees do just that.


Cloud Security Alliance Congress 2014 – What’s in it for YOU?

Many people ask me, why should I attend the CSA Congress 2014 conference over others that seem to monopolize the month of September?  This is of course a question asked by those who have never attended a CSA Congress before.

Those who attended last year’s event made a point of sharing with me, and others on the leadership team, what made the event worth the trip to sunny Orlando (the home of Congress until this year).  I feel fortunate that these individuals took the time to speak with me about their experience and I can pass that along to you.  They expressed first and foremost that we really made a great effort to bring together an incredible line up of experts that delivered significant, meaningful content to their business or role – many found it difficult to decide which session to attend!  They cited that the sessions were excellent in providing practical, real-world knowledge that they could take home and readily apply to their own environment. Our Congress event also provided many individuals with an outstanding opportunity to make new connections and business relationships as well.

Well, we could only top that by adding a new dimension to our Congress event and that would be to team up with an organization whose focus is top of mind when it comes to the implementation of cloud technology – privacy and data protection.

This year we have teamed up with the International Association of Privacy Professionals (IAPP), to offer more than 80 sessions covering all aspects of privacy and cloud security.  Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts.  This year’s event will also feature educational sessions on the latest security practices by leading subject matter experts from the world’s most prominent cloud providers including Google, Amazon AWS, Salesforce.com and Microsoft.

A roll call of preeminent industry thinkers will keynote the event including:

  • Judith Donath, Harvard Berkman Faculty Fellow and Author of The Social Machine: Designs for Living Online
  • Taher Elgamal, Chief Technology Officer, Security of Salesforce.com
  • Billy Hawkes, Data Protection Commissioner of Ireland
  • Bruce Schneier, Security Technologist; Fellow, Berkman Center, Harvard Law School; and CTO, Co3 Systems
  • Paul Milkman, Senior Vice President, Technology Risk Management and Security, TD Bank

If you haven’t done so already, check out our agenda and speaker line up at https://cloudsecurityalliance.org/events/csa-congress-2014/

There is a reason why Cloud Security Alliance Congresses continue to be the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security.

I would like to invite you to join us at this year’s event and experience the benefits of the event for yourself. I certainly hope that you will seek me out to share your opinion on the experience, and that it goes beyond your expectations.

There is still time to receive discounted registration pricing. Save $200 off nonmember pricing by using Promo Code: 20csa14

We hope you will join us.


Jim Reavis, CEO, Cloud Security Alliance


Dyre need to secure what matters

By Rajneesh Chopra, VP of Product Management, Netskope

With the iCloud hack in the backdrop raising issues around authentication, another problem has come to the fore – this one affecting Salesforce and going by the name Dyre (alternatively Dyreza). More details are available here – http://goo.gl/s8BSdY.

The first signals of Dyre being circulated on the Internet were seen by researchers back in June 2014. The vector for spreading this malware has been a phishing email in which the user was lured to click on a link to ostensibly download a file – typically an .exe or a .scr file that is zipped. Once installed, the malware applies a browser hooking technique to intercept traffic before it is encrypted, thereby enabling it to redirect that traffic to a different website than the user intends.

Hackers have set up web pages that look just like those of the intended website and are able to harvest users’ login credentials when they provide them. Since all traffic over an extended period of time is sent to the page put up by the hacker, even the one-time codes from two-factor auth tokens are available to these malicious actors, who can use them to access the targeted cloud apps in real time, before the codes expire. The known variants of the attack still seem to be a bit basic and will most likely be refined further in the future.

Our research team has been monitoring for potential infections related to this malware; none of our customers has yet been affected. What we have seen is growing activity aimed at getting access to cloud apps through vulnerabilities. This is entirely unsurprising; attackers go where valuables reside. Since enterprises are increasingly using the cloud for a variety of reasons – some officially sanctioned by corporate IT and many others not so much – this can put important business data at risk.

With a huge number of devices accessing a growing number of cloud-hosted apps from locations no longer within a tightly managed environment, constant monitoring and thoughtful control of these apps is a must-have for the enterprise today. Although the observed phishing emails contained links to files in LogMeIn’s Cubby.com file storage service, there is nothing special about Cubby.com; it could have been any of the thousands of apps that provide file sharing. We track nearly 200 cloud storage apps in the Netskope Cloud Confidence Index™, and one out of five apps across nearly every category we track enables some type of sharing.

It is worth noting that this is not per se a vulnerability in Salesforce, nor a flaw in the two-factor authentication that Salesforce rightly encourages its customers to use. It is more about enterprises being responsible for their own users and their own data even when using a cloud app – what CSA calls out as the shared responsibility model. Even encrypting the content stored in the app would not protect the data, since the authenticated user has access to the unencrypted data as per policy, and the attacker is operating as that user.

Would an enterprise get a true picture of usage and risk, and be able to spot anomalous activity, by monitoring all cloud apps that store content – not just a handful of sanctioned ones – and tracking what activities are performed in them? The answer is yes. For example, on a run-rate basis a few users may have been using Cubby.com from a couple of geolocations, but if you suddenly started seeing an increasing number of downloads of zipped files containing .exe and .scr files from this app, that would be considered anomalous behavior and should spur you to take immediate action.

The context of who accessed an app, from which device and location, at what time and with what credentials would not only be useful in identifying the infection but would also pinpoint where remediation needs to be targeted. In addition, you can extend Salesforce’s guidance to customer admins and restrict access to only IP addresses that are a trusted source, for all of your apps that provide content sharing. This would thwart any access attackers may attempt on Salesforce, or any other app, from their own servers, as long as the attacker is not proxying the session through an infected machine that already sits inside the trusted range.
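The two controls described above – baselining downloads of zipped .exe/.scr payloads per app so that a sudden spike stands out, and checking logins against a trusted IP allowlist – sketched as working detection logic. This is an added example written for this page, not Netskope’s or Salesforce’s code; the activity records, the zip archives, the trusted ranges (RFC 5737 documentation addresses) and the spike threshold are all constructed assumptions.

```python
"""Spike detection for executable-bearing archive downloads, plus a trusted-IP
login check. Added example: every record, address and threshold below is
constructed for illustration, not taken from real telemetry."""
import io
import ipaddress
import zipfile
from datetime import datetime

# File types the Dyre phishing lures were observed to carry inside zip files.
EXECUTABLE_EXTENSIONS = (".exe", ".scr")

# Assumed trusted corporate egress ranges (RFC 5737 documentation addresses).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def build_zip(members):
    """Build an in-memory zip with placeholder contents (constructed test payload, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def archive_has_executable(data):
    """True if a zip archive lists a member with an executable extension.
    Only the central directory is read; member bodies are never extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith(EXECUTABLE_EXTENSIONS) for n in names)


def event(ts, user, app, action, src_ip, payload=b""):
    """One constructed cloud-app activity record (record shape is assumed for this example)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "app": app,
            "action": action, "src_ip": src_ip, "payload": payload}


DOC_ZIP = build_zip(["q3_report.docx"])
LURE_ZIP = build_zip(["invoice_0914.pdf.scr"])  # double extension, typical lure naming

SAMPLE_EVENTS = [
    # Baseline days: at most one executable-bearing download per day from cubby.
    event("2014-09-01T09:10:00", "alice", "cubby", "download", "203.0.113.10", DOC_ZIP),
    event("2014-09-01T11:20:00", "bob",   "cubby", "download", "203.0.113.11", LURE_ZIP),
    event("2014-09-02T10:00:00", "alice", "cubby", "download", "203.0.113.10", DOC_ZIP),
    event("2014-09-03T14:30:00", "carol", "cubby", "download", "203.0.113.12", LURE_ZIP),
    # Campaign day: six users pull the lure within an hour.
    event("2014-09-04T08:01:00", "dave",  "cubby", "download", "203.0.113.13", LURE_ZIP),
    event("2014-09-04T08:07:00", "erin",  "cubby", "download", "203.0.113.14", LURE_ZIP),
    event("2014-09-04T08:15:00", "frank", "cubby", "download", "203.0.113.15", LURE_ZIP),
    event("2014-09-04T08:22:00", "grace", "cubby", "download", "203.0.113.16", LURE_ZIP),
    event("2014-09-04T08:40:00", "heidi", "cubby", "download", "203.0.113.17", LURE_ZIP),
    event("2014-09-04T08:58:00", "ivan",  "cubby", "download", "203.0.113.18", LURE_ZIP),
    # Salesforce logins: one from the office, one from an address outside the allowlist.
    event("2014-09-04T09:00:00", "alice", "salesforce", "login", "203.0.113.10"),
    event("2014-09-04T09:05:00", "alice", "salesforce", "login", "192.0.2.77"),
]


def daily_exec_archive_downloads(events, app):
    """Per-day count of downloads from `app` whose payload is a zip holding an .exe/.scr."""
    days = sorted({e["ts"].date() for e in events})
    counts = {d: 0 for d in days}  # keep zero days so the baseline is honest
    for e in events:
        if e["app"] == app and e["action"] == "download" and archive_has_executable(e["payload"]):
            counts[e["ts"].date()] += 1
    return counts


def flag_spikes(events, app, factor=3.0, min_count=3):
    """Return (as ISO dates) the days whose count exceeds `factor` times the mean of
    all prior days; the mean is floored at 1 so a tiny history cannot flag everything."""
    counts = daily_exec_archive_downloads(events, app)
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[:i]]
        baseline = sum(prior) / len(prior) if prior else 0.0
        if counts[day] >= min_count and counts[day] > factor * max(baseline, 1.0):
            flagged.append(day.isoformat())
    return flagged


def untrusted_logins(events, trusted_networks=TRUSTED_NETWORKS):
    """Logins whose source address is outside every trusted range, returned with the
    (user, app, ip) context needed to target remediation."""
    hits = []
    for e in events:
        if e["action"] != "login":
            continue
        ip = ipaddress.ip_address(e["src_ip"])
        if not any(ip in net for net in trusted_networks):
            hits.append((e["user"], e["app"], e["src_ip"]))
    return hits


if __name__ == "__main__":
    print("spike days for cubby:", flag_spikes(SAMPLE_EVENTS, "cubby"))
    print("logins outside trusted ranges:", untrusted_logins(SAMPLE_EVENTS))
```

The spike rule is deliberately simple (a multiple of the mean of prior days); in practice you would baseline per user and geolocation as the post suggests, and join the (user, app, ip) tuples from the login check with the download history so that the same console that shows the lure downloads also shows which credentials were then used from an unexpected address.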

To determine the current risk and how to best eliminate it in order to safely enable the productive use of cloud apps in your enterprise, contact us for a complimentary cloud risk assessment.

In-house Counsel Should Take BYOD Risks Seriously

By Nina Seth, Senior Product Marketing Manager, Accellion

In many organizations, decisions about mobile technology are made primarily or exclusively by the IT and IT security departments working together.

All too often, there’s one department that’s left out of these discussions: the organization’s own legal team, and In-house Counsel. This omission is unfortunate. Legal counsel is familiar with the law, including the latest rulings about electronic discovery and data privacy, and other issues pertaining to liability and risk. Enterprises would be wise to consult in-house counsel when establishing employee policies about data confidentiality, BYOD, and use of mobile devices. There’s another reason, too, for consulting in-house counsel when mobile security policies are being formulated. In the unfortunate case that mobile technology leads to a data breach or regulatory violation, in-house counsel will likely end up spearheading the response. If the company’s legal team has the opportunity to offer guidance before a possible breach or violation occurs, then the opportunity for legal surprises is minimized.

In a series of articles for InsideCounsel Magazine (here and here), attorney and legal security expert Matt Nelson explains why inside counsel should be involved in mobile security decisions from the start. He makes the following points about legal issues and a mobile workforce:

  • Whether a company adopts a BYOD policy and allows employees to use personal devices for work or rejects BYOD requests and issues all employees company-sanctioned mobile devices, the legal liability is roughly the same. Employees are going to mix personal data and business data on their mobile devices regardless. Enterprise IT organizations should plan accordingly and deploy security solutions that protect business data, regardless of who owns the device.
  • Data stored on mobile devices may be discoverable (that is, required by a court to be presented as evidence by a specific deadline). The IT organization may need to have technology for tracking and retrieving material information stored on mobile devices, including devices owned by employees. Nelson cites a recent case from Illinois: For example, in In re Pradaxa Product Liability Litigation, the Southern District of Illinois recently fined defendants $931,000 to encourage them “to respect this court and comply with its orders.” Central to the order was defendants’ failure to preserve text messages on employees’ mobile phones.
  • Data on mobile devices is at risk. Mobile malware is proliferating, and lost devices are usually compromised. Nelson describes an experiment in which Symantec left 50 mobile phones in public locations in 5 different cities to see how the phones would fare when discovered by strangers. In 96% of the cases, people who found phones tried to access their data. Only half of the people who found the phones attempted to return them. The experiment demonstrated that enterprises cannot assume that lost devices will be returned or left untampered with. On the contrary, a lost device is likely going to result in a data breach, even if it’s only a minor one.

Nelson’s advice for enterprises? IT teams should bring their In-house Counsel and legal teams to the table when defining security policies. Also, any mobile security solution should provide IT administrators and legal counsel with the ability to monitor, track, and retrieve data on mobile devices. In addition, mobile security solutions should guard against mobile malware and protect data on devices that are lost or stolen.

In my judgment, Nelson makes a solid case.